IT Auditing and Application Controls for Small and Mid-Sized Enterprises - Revenue, Expenditure, Inventory, Payroll, and More
Why Is IT Auditing Important to the Financial Auditor and the Financial Statement Audit?
Many financial auditors believe that complex IT environments require a technically trained professional to fully comprehend the technologies employed in the environment. Other financial auditors may decide to rescope the audit (if a non-Sarbanes-Oxley [SOx] engagement) in order to avoid looking at internal controls, or at least the IT controls, while yet others may perform a superficial, high-level review of the IT controls and hope no one notices that it was not very detailed.
Anything that a client provides that is not manually created relies on IT for the accounting process, and you must understand how to test the IT systems and whether to rely on them. By appropriately assessing the IT controls, you may be able to reduce the overall effort of the audit and bring new observations to your client about the IT environment.
An effective assessment of IT controls may actually increase the amount of time required to perform an audit. However, consistent with Statements on Auditing Standards (SASs) Nos. 104–111, if you have an adequate understanding of the entity, its internal control and processes, and its environment and other factors, the cost increase will likely be less because the auditor will have a reduced learning curve. The cost to make audit methodology changes could be significant in the first year, but it is likely to increase the efficiency with which you conduct your future audits, minimizing audit fee increases to the less complex clients.
It is common in academic curricula and continuing professional education to describe audits by one of four categories:
Following graduation from an accounting or equivalent program and certification as a Certified Public Accountant (CPA) or in another area (e.g., Certified Internal Auditor [CIA]), the practitioner keeps those definitions in mind. As a practical matter, these “silos” are helpful to delineate the differences between the audits, but they overwhelmingly ignore one common reality: All financial audits require the auditor to understand where the information comes from and what processes ensure its reliability. A second reality is that information technology is becoming increasingly pervasive and more sophisticated.
Our philosophy of IT auditing embraces the answer to a question you may have asked: Where does IT auditing fit into the financial auditing process? We believe that it should fit in throughout the entire engagement. At any step in the process, when we are retrieving information for any cycle, we need to ask—and to be able to answer—questions about where the information came from and what processes ensure its reliability. In virtually all phases of the audit, the auditor must understand the answers to those questions, including the IT controls that cover a particular system or process and knowing how to test these controls in order to provide evidence that they are working properly.
MANAGEMENT'S ASSERTIONS AND THE IT AUDIT
Auditors are familiar with the concept of management assertions, the idea that the financial statements imply a set of claims concerning the reported amounts and balances. Each of these assertions can be associated with potential misstatements and in turn with audit procedures. In the following paragraphs we review the principal assertions and briefly expand the financial-auditing discussion to encompass related IT-auditing issues.
Many account balances purport to describe quantities that actually exist (e.g., stocks of inventory or amounts owed to the company for past sales). Over- or understatements of these balances may result in material errors, and audit procedures typically rely on a combination of process analysis and physical counts or sampling approaches to evaluate the plausibility of a reported balance. The financial auditor ties information in the system back to transaction (source) documents (which may be paper or another electronic file), and, accordingly, he or she needs to understand the system's overall design, the flow of information, and the nature and location of files.
The IT audit process goes beyond a merely conceptual understanding of these issues in order to focus on specific features of the accounting system. The IT audit must evaluate the likelihood that problems or defects in design or operation could lead to misstatements. Thus there is an IT corollary to the financial statement assertion of existence, namely that the application controls that support processing integrity exist. These include such IT-based items as access controls, proper segregation, and appropriate configurations. For instance, when an IT auditor tests for access control, we would expect the existence of signed forms with management approval that specify the access needed. When an IT auditor tests change management, we would expect to see change control forms with the requested changes that are approved for each change that is captured in the system. In smaller organizations, this type of existence assertion can be challenging to achieve due to lack of supporting documentation.
In later chapters we examine these types of issues in specific detail for each of the major transaction cycles.
The completeness assertion refers to the integrity of the recording process and the ability of the company's accounting system to ensure that the effects of all transactions, balances, accounts, estimates, and so on have been included in the financial statements. Traditional audit techniques such as cross-footing and internal validity checks of totals and subtotals can help to ensure that financial information flows correctly (as missing values may cause the statements and supporting schedules not to tie). At the IT level, the auditor is concerned with how the system ensures completeness—for instance, does the report writer pull all the items from the chart of accounts?
There is also an IT corollary to the completeness assertion, namely that all necessary and required controls exist. This completeness assertion differs slightly from the existence assertion: While the latter requires the IT auditor to verify that claimed controls actually exist, the former requires that he critically evaluate the overall system design and perhaps recommend additional controls or procedures. Note also that in smaller organizations it may be challenging to achieve completeness due to lack of understanding of how to determine how the accounting system pulls its data.
Rights and Obligations
This assertion addresses the legal status of a company's assets and liabilities and it can create exposures and areas of interest from an IT perspective. As an example, consider a company that ships merchandise on both a free-on-board (FOB) destination and FOB shipping point basis. The accounting system should be configured so as to properly classify these transactions and support accurate reporting of inventory, receivables, and sales.
There is also an IT corollary to the rights and obligations assertion, namely ownership of and responsibility for information resources controlled within the company's accounting system. Thus, from this perspective, adequate control over segregation of duties becomes an important part of the overall structure of rights and obligations as they affect accounting information. In some organizations, a person may have certain responsibilities that are well-controlled outside the system, but the system itself may not coordinate the necessary data access rights for employees to function effectively. Additionally, the company will usually have an obligation to protect data privacy.
The area of valuation can range from the accuracy of original costs to complex and esoteric calculations relating to financial instruments. In order to ensure that account balances, transactions, fair value estimates, and other amounts are reported appropriately, the IT auditor may need to examine things such as links to pricing tables and lookup tables, the design and accuracy of spreadsheet models, and the integrity of proprietary data sources. The widespread use of spreadsheet models for a variety of valuation-related activities creates many exposures related to data transfer and change management.
IT and valuation intersect when the auditor needs to estimate the potential cost exposure from an IT audit issue. For example, if an auditor determines that inappropriate individuals have access to make adjusting journal entries, the auditor should then determine if any unauthorized journal entries were actually made by examining the general ledger entries. If any are identified, then the auditor would need to value the exposure to the financial statements.
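The test described above (did anyone without authorization actually post adjusting entries, and what is the exposure?) together with the segregation-of-duties concern raised under rights and obligations and the "who posted the adjusting entries" analysis the chapter goes on to describe, worked as a small script. This is an added example, not code from the book: the general ledger extract, the list of authorized posters, the user IDs and the field names are all constructed for illustration, and the "gross exposure" figure is simply the sum of the absolute amounts of the flagged entries, which the auditor would then evaluate against materiality.

```python
"""Audit test over a general ledger extract (constructed example, not from the book).

Three conditions are checked on adjusting journal entries:
  1. the posting user is not on the authorized-poster list,
  2. the same user both posted and approved the entry (segregation of duties),
  3. no approver was captured by the system at all.
The absolute amounts of all flagged entries are then totalled as a gross exposure.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted_on: date
    posted_by: str      # user ID the system recorded at posting time
    approved_by: str    # user ID on the approval record; "" if none was captured
    account: str
    amount: Decimal     # signed: debits positive, credits negative
    is_adjusting: bool


# Constructed access list: users whose role grants "post adjusting entry".
AUTHORIZED_POSTERS = {"controller", "sr_accountant"}

# Constructed GL extract for the period under audit.
GL_EXTRACT = [
    JournalEntry("AJE-0101", date(2023, 12, 31), "controller", "cfo", "4000-Sales", Decimal("-12500.00"), True),
    JournalEntry("AJE-0102", date(2023, 12, 31), "sr_accountant", "controller", "1200-AR", Decimal("12500.00"), True),
    JournalEntry("AJE-0103", date(2023, 12, 30), "ap_clerk", "controller", "5000-COGS", Decimal("4300.00"), True),
    JournalEntry("AJE-0104", date(2023, 12, 30), "controller", "controller", "1300-Inventory", Decimal("-4300.00"), True),
    JournalEntry("JE-2001", date(2023, 12, 15), "ap_clerk", "controller", "2000-AP", Decimal("-980.00"), False),
    JournalEntry("AJE-0105", date(2024, 1, 2), "it_admin", "", "1200-AR", Decimal("75000.00"), True),
]


def unauthorized_postings(entries, authorized):
    """Adjusting entries whose poster is not on the authorized list."""
    return [e for e in entries if e.is_adjusting and e.posted_by not in authorized]


def self_approved(entries):
    """Adjusting entries where one user both posted and approved: a SoD exception."""
    return [e for e in entries if e.is_adjusting and e.approved_by and e.approved_by == e.posted_by]


def unapproved(entries):
    """Adjusting entries for which the system captured no approver."""
    return [e for e in entries if e.is_adjusting and not e.approved_by]


def exposure(entries):
    """Gross exposure: sum of the absolute amounts of the given entries."""
    return sum((abs(e.amount) for e in entries), Decimal("0"))


def run_test(entries=GL_EXTRACT, authorized=AUTHORIZED_POSTERS):
    """Run all three checks and summarise the flagged entries and their exposure."""
    findings = {
        "unauthorized_poster": unauthorized_postings(entries, authorized),
        "self_approved": self_approved(entries),
        "no_approval": unapproved(entries),
    }
    # An entry hit by several checks counts once toward the exposure.
    flagged = {e.entry_id: e for lst in findings.values() for e in lst}
    return {
        "by_finding": {k: sorted(e.entry_id for e in v) for k, v in findings.items()},
        "gross_exposure": exposure(flagged.values()),
        "entry_count": len(flagged),
    }


if __name__ == "__main__":
    result = run_test()
    for finding, ids in result["by_finding"].items():
        print(f"{finding}: {', '.join(ids) or 'none'}")
    print(f"{result['entry_count']} entries flagged, gross exposure {result['gross_exposure']}")
```

On the constructed data the script flags AJE-0103 and AJE-0105 as posted by users outside the authorized list, AJE-0104 as self-approved, and AJE-0105 as lacking any approver. Note that the access-list comparison is only as good as the extract behind it: the auditor still needs the signed access-request forms to confirm that the authorized set itself was approved by management, which is the existence point made earlier in the chapter.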
The realm of accounting procedures includes classification and aggregation procedures, proper cutoffs at the end of each accounting period, the preparation and posting of adjusting entries, the preparation of disclosure and supporting schedules, and the final presentation of the financial statements. It also presumes the fundamental accuracy of arithmetic processes and conformity with appropriate accounting standards.
At the general financial level, the auditor may review personnel records in order to evaluate the suitability of individuals who perform these various tasks. The IT analog would include an analysis of access rights and log-on records. For instance, the IT auditor might run all the adjusting entries, check to see who posted them, and...