|GLENN L. HELMS, CPA, PhD, is associate professor, Texas A&M University, Corpus Christi, Texas, and a member of the AICPA computer auditing subcommittee. JANE MANCINO, CPA, is a techical manager in the AICPA audit and attest division. Ms. Mancino is an employee of the American Istitute of CPA's and her views, as expressed in this article, do not necessarily reflect the views of the AICPA. Official positions are determined through certain specific committee procedures, dues process and deliberation.|
New technologies are out there—you may even have heard of most of them. But how will they affect the audits you perform? To help you sort through advances, the computer auditing subcommittee of the AICPA ASB identified 11 key technologies practitioners should be aware of when planning financial statement audits. The technologies fall into three broad categories. The first contains one component-security. The second group consists of communications technologies that allow transmission of financial and other data without a paper audit trail. The other highly ranked technologies are independent of the rest and include the year 2000 (Y2K) issue and outsourcing. The technologies are listed below from the most to the least significant.
MAJOR ISSUES, MAJOR CONCERNS
Security. This area includes the policies and procedures for ensuring that access to equipment, software and data is restricted to authorized users. Both software and physical resources require controls to prevent intentional or unintentional modifications or destruction of any resources. If controls are not in place, fictitious or erroneous transactions may find their way into the financial accounting system. This can ultimately result in material errors in the financial statements.
Web Guide for Auditors
Electronic commerce. This is actually a group of technologies including EDI, electronic funds transfers (EFTs) and automated teller machines (ATMs). The major audit concerns are that only authorized transactions are transmitted and received and that they are not duplicated, lost or modified during processing. For example, consumers have been reluctant to conduct transactions using electronic commerce, fearing electronic thieves would easily steal their credit card numbers. The secure electronic transactions (SET) standard, which provides for encryption of data, may help alleviate this concern. Developed by Mastercard, Visa, Microsoft and Netscape, it protects financial transactions during transmission. That is, it helps assure that hackers will not steal credit card numbers during transmission.
Another control is the use of a digital signature, which allows a sender to attach additional data to a message to form a unique and unforgeable sender identifier. Batch control totals help ensure that data are not lost or altered during transmission. (Users establish independent batch totals of documents that are later reconciled against totals the data processing department generates. There are three common types of batch totals: (1) control total-which consists of a meaningful total such as total cash sales, (2) hash total-which does not have any meaning other than as a batch total such as the sum of customer account numbers and (3) record count-which is the number of documents processed). Other controls common to the use of EDI and Internet transactions are described below. In addition, the AICPA recently rolled out the new CPA WebTrust assurance service with the goal of ensuring the security of electronic commerce. (See " In CPAs We Trust, " JofA, Dec.97, page 62.)
Continuous Auditing. The auditor may consider employing continuous auditing when most information exists only in electronic form, such as in a paperless airline reservation system. For example, auditors can use software to detect auditor-specified exception items from among all transactions processed. If an approved current sale to a customer pushes the account's line of credit beyond its limit, a computer log can capture that information for the auditor's subsequent testing. The sales processing application could contain an embedded audit module with the auditor's selection criteria. Such modules allow continuous monitoring and analysis of transaction processing. The auditor generally is involved in systems design to provide assurance that the application includes his or her criteria.
To prevent unauthorized modification to the embedded audit module, the auditor also might investigate controls such as the use of passwords to restrict access to source codes and procedures to ensure the entity's compliance with adequate application software maintenance procedures. Additionally, only approved employees should know the specified criteria for transaction selection.
Internet. Security issues such as those mentioned in electronic commerce are important to the auditor as an increasing number of financial transactions are conducted online. The auditor also has to consider control issues such as those associated with electronic commerce. ("Security" is concerned with methods and procedures to protect corporate resources. "Controls" are methods and procedures to provide assurance that adequate security exists.) Perpetrators have compromised systems by gaining unauthorized access to a particular Web site. For example, hackers may attack a system to obtain access to confidential data (such as a customer database) or to impersonate a legitimate customer and have goods shipped to a temporary address. A commonly used safeguard is a "firewall"-a software and hardware application that separates a network segment (such as a Web site) from the main network.
EDI. is a component of electronic commerce. It requires that two or more trading partners agree to use a specific standard data format to conduct routine business transactions. A key feature is EDI's freedom from paper: Traditional source documents in a vendor-client relationship, such as purchase orders and invoices, do not exist in paper form. Another feature is that the business cycle often is compressed, resulting in lower yearend account balances for inventory, receivables and payables. Many times accounting transactions and other data are passed between trading partners by a value-added network (VAN), a third-party provider of communications services.
EDI presents numerous audit and control implications. The auditor needs to understand how the entity conducts business using EDI and to adjust audit procedures accordingly. EDI creates a dependence on the trading partner's computer system, so its errors and security breaches might affect the client's system. For example, the auditor's client might be a supplier to a trading partner. The client ships raw materials to the trading partner based on an electronic inquiry of the trading partner's inventory system. This system might contain errors and compute an incorrect optimum order amount, leading to a dispute if the client ships too few or too many raw materials. (This could happen in a traditional system, but auditors would have a paper trail to check.) The auditor should be concerned that accounts receivable and revenue could be overstated if too many goods were shipped or that a contingent liability might exist if too few goods were shipped.
Controls, such as firewalls, encryption and authentication, associated with communications technologies also apply to EDI. The auditor might wish to review trading partner agreements since traditional revenue and expense recognition concepts might be modified because of new business practices. For example, the agreement might state that a purchaser pays for goods when they are placed into production instead of on receipt. The supplier then becomes dependent on the purchaser's system to determine when to recognize revenue.
Image processing. This technology, ranked in importance with EDI, involves the conversion of paper documents into electronic form through scanning and the subsequent storage and retrieval of the electronic image. In many instances, the authorization for a given transaction exists only in electronic form. (Paper documents might have existed at one point, but the clients had discarded them after scanning them into the computer system.) A key issue in image processing is document authenticity: Is the electronic image actually what it purports to be-or has it been subtly altered so it no longer is correct? The auditor should test controls that provide assurance that only valid and authorized documents (such as insurance claims that result in cash disbursements) are scanned into the system. For example, the auditor could review an image of a purchase order when someone had used a desktop publishing program to alter the quantities, prices and other relevant data, creating an image that could be substantially different from the now-discarded original paper document. A quality control function is needed to ensure that the scanned image is captured without errors before the paper document is destroyed. The auditor should test controls, such as the use of passwords, that prevent unauthorized changes to the stored electronic image.
Auditors should refer to SAS no. 80, Amendment to Statement on Auditing Standard no. 31, Evidential Matter , for guidance on image processing issues. SAS no. 80 addresses the implications of electronic evidence on the audit and suggests that auditors use information technology to obtain evidence supporting electronic transactions. SAS no. 80 further counsels that the auditor might not be able to reduce detection risk to an acceptable level by performing only substantive tests for these advanced systems. The auditor might want to test the controls in systems that have primarily electronic evidence, as it might not be possible to rely solely on the results of substantive tests. An Auditing Procedure Study (APS), Implementing SAS No. 70, Reports on the Processing of Transactions by Service Organizations , also provides helpful guidance.
Another issue—common to EDI and image processing—is longevity: Electronic data might not be retained for the entire year under audit. In this type of environment, the auditor might consider employing continuous auditing techniques.
Communications technology. This group of technologies—used to transmit data, voice and video information—includes modems, satellites, protocols and fiber-optic cable. Such technologies permit the use of electronic commerce, EDI, image processing and ATMs. Security and control issues associated with electronic commerce, image processing and EDI also are applicable here.
Y2K issues. The Y2K presents a problem for many systems whose year field was designed with only two digits. Thus, 1997 would be recorded as 97. Many application programs interpret a "00" in the last two digits of a four-digit year field to mean the year 1900. As the Y2K approaches, many calculations, such as interest calculations in financial institutions and pension annuity computations in insurance companies, will be incorrect because the software will incorporate the wrong year in its formula. The auditor may want to inquire about the client's plans to address the Y2K issue and include recommendations about it in the management letter to the client. The issue may have larger operational implications. (For more details, see JofA, Dec.97 page 33 , for a series of articles on the Y2k issue.)
Outsourcing. This topic involves external consultants that perform data processing services including development, operations, programming and systems analysis. (A VAN is one example of a data processing consultant.) There is a risk that they might not subject financial and other applications and overall data center operations to controls as stringent as those used in-house. For example, without proper controls, a data center's employees could access a client's confidential information, such as a pharmaceutical's research findings, and sell it to competitors.
The auditor should follow the guidance in SAS no. 70, Reports on the Processing of Transactions by Service Organizations, as well as the APS on implementing SAS no. 70, and consider relying on a service auditor's report. The auditor should use it as a source of information in obtaining an understanding of the service organization's controls. Additionally, the auditor may want to perform tests of controls at the user organization and at the service organization.
Cooperative client/server environment. A common example of this technology, which refers to the distribution of processing functions between two or more computers, is the local area network (LAN). The auditor should consider reviewing controls that provide assurance there is consistency among the various databases and that only authorized users have access to data and equipment.
Another example of a client/server environment is end-user computing. In this situation, the end-user is responsible for developing and implementing an application he or she uses. The end-user can access data that reside solely on his or her own personal computer as well as other data maintained on another networked computer. In this type of environment, auditors need to emphasize the need for end-user controls.
For example, end-users might not back up data and applications, such as a spreadsheet template that calculates depreciation expenses that affect the financial statements. Or they could develop and install applications that were not adequately tested and lacked proper documentation. End-users might not implement password and other control features available on their PCs. In many businesses, for example, payroll is processed on a PC under the control of a trusted employee. If proper physical (such as locks) and logical (such as passwords) access controls are not in place, a perpetrator might change the pay rate field and pay a "bonus" to selected employees.
The auditor should obtain an understanding of the significant applications performed by end-users, if any, and consider this in planning the audit.
Paperless auditing. An electronic, rather than paper, trail of evidence is the hallmark of this technology. Paperless auditing includes EDI, imaging systems and similar technologies where source documents are in electronic form.
AUDITS OF THE FUTURE
In the near future, auditors can expect most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient. Such key technologies as EDI, image processing and EFTs use little, if any, paper. Taken together, these technologies greatly change the nature of audits, which have so long relied on paper documents.
Auditors performing attest services for clients that process financial transactions on these advanced systems should be technically competent to perform such services. They can become involved during systems development to provide assurance that appropriate audit routines are incorporated into these systems. Traditionally, auditors' schedules included discrete phases of planning, interim, yearend and final work. But in today's continuously moving technology-driven world of financial statements, auditors might have to revise their traditional audit time schedules and perform tests on a continuous basis.
|For Further Information...
The following AICPA resources will help CPAs explore technology and auditing issues. To order them, call the Institute at 800-862-4272. Order numbers are followed by member prices.