The explosive growth in information technology (IT) capabilities and the desire of businesses of all sizes to obtain competitive advantage have led to a dramatic increase in the use of IT systems to originate, process, store and communicate information. Today, employees at all levels use IT systems in their daily activities. Electronic records have replaced traditional paper documents. In fact, there are few companies that don’t rely on IT to at least some extent to achieve their financial reporting, operating and compliance objectives.
As a result, it’s rare to find an entity whose IT use does not also affect its independent audit. Over the past several years the AICPA Auditing Standards Board (ASB) has given considerable attention to how IT affects audits. In April 2001 it issued SAS no. 94, The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit, which amends SAS no. 55, Consideration of Internal Control in a Financial Statement Audit. SAS no. 94 provides guidance on the effect of IT on internal control and on the auditor’s understanding of internal control and assessment of control risk. The SAS is effective for audits of financial statements for periods beginning on or after June 1, 2001, with earlier application permissible.
ENTITIES OF ALL SIZES
SAS no. 94 is not intended to apply to the audits of only very large organizations with sophisticated IT systems since such technology may affect the audit of any size business, and its impact on internal control is related more to the nature and complexity of the systems in use than to the entity’s size.
Some of the significant aspects of the new guidance that are discussed individually below are
How IT affects internal control.
The auditor’s consideration of IT.
Types of IT controls that are important to the audit.
The auditor’s use of individuals with specialized skills.
The auditor’s understanding of the financial reporting process.
IT AND INTERNAL CONTROL
SAS no. 94 says an organization’s IT use may affect any of the five internal control components—the control environment, risk assessment, control activities, information and communication and monitoring—as well as how businesses initiate, record, process and report transactions. The SAS offers auditors some direction by pointing out these key aspects of the systems and controls on which organizations today rely.
Businesses employ IT systems in various ways, including using discrete systems that support only particular business units or complex, highly integrated systems that share data and support all of an entity’s financial reporting, operations and compliance objectives.
An entity now may use IT to initiate transactions, as well as to record, process and report them.
An organization’s procedures may have changed as a result of the shift from using paper documents and records to using automated procedures and records in electronic format.
The internal controls in most IT systems are a combination of both automated and manual. The manual controls may be independent of the IT system, use information from it or only monitor the system’s effective functioning.
SAS no. 94 also looks at the benefits IT provides as well as the risks to an entity’s internal control and gives examples of each. The overall picture it presents is that the auditor’s clients use IT to achieve their objectives, their use of IT affects internal control and the auditor should expect to encounter IT systems and electronic records rather than paper-based documents.
THE AUDITOR’S CONSIDERATION OF IT
SAS no. 94 does not change SAS no. 55’s requirement that the auditor obtain a sufficient understanding of internal control to plan the audit. However, it raises the bar by requiring the auditor to consider how an organization’s IT use affects his or her audit strategy. A key aspect of this strategy is the auditor’s decision on whether to design and perform tests of controls or to assess control risk at a maximum level and perform only substantive tests. The new SAS says an auditor who plans to perform only substantive tests needs to be satisfied such an approach will be effective.
Where a significant amount of information supporting one or more financial statement assertions is electronic, the auditor may decide it is not practical or possible to limit detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such cases, the auditor should gather evidence about the effectiveness of both the design and operation of controls intended to reduce the assessed level of control risk.
The guidance recognizes that an entity’s reliance on IT may be so significant that the quality of the audit evidence available will depend on the controls the business maintains over its accuracy and completeness. The statement provides two examples in which substantive tests alone generally would not be sufficient. The growing use of IT to perform all aspects of a transaction results in organizations’ relying more on IT systems and the controls over such transactions. It also means that auditors should consider, in conducting an audit, whether the controls are operating effectively to provide reasonable assurance that the related assertions (for example, that the transactions actually occurred and were properly recorded and valued) are not materially misstated.
IMPORTANT IT CONTROLS
SAS no. 94 says that when a business uses IT to initiate, record, process or report transactions or other financial data, the systems and programs may include controls related to assertions for significant accounts or they may be critical to the effective functioning of manual controls. The SAS also recognizes the distinction between application controls and general controls auditors have commonly used for many years and describes aspects of these controls that are relevant to the audit.
In designing tests of automated controls, auditors may need to obtain evidence that controls directly related to the assertions, and indirect controls on which they depend (such as the entity’s general IT controls), are functioning effectively. The inherent consistency of IT processing may allow the auditor to reduce the extent of testing. Once the auditor has determined that an automated control is functioning as intended, he or she should consider performing tests to make sure it continues to do so.
As companies rely more and more on IT systems and controls, auditors will need to adopt new testing strategies to obtain evidence that controls are effective. Although the specific controls organizations will use and the specific tests auditors will perform are likely to change as technology evolves, the framework in SAS no. 94 should provide auditors with a basis for developing approaches that fit into the existing audit risk model.
SAS no. 94 says an auditor might need specialized skills to determine the effect of IT on the audit, to understand IT controls or to design and perform tests of IT controls and substantive tests. In some instances he or she might have to get help from someone who has such skills. The statement includes a number of factors the auditor might use to determine whether such skills are required, as well as the specific procedures someone with those skills might perform. An auditor who uses someone with IT skills should follow the guidance in AU section 311.10, “Planning and Supervision.” As a member of the audit engagement team, that individual requires the same degree of supervision and review as any assistant.
THE FINANCIAL REPORTING PROCESS
One area in which IT has had a major influence on companies and their auditors is in preparing financial statements. Few organizations today do not use IT at least to maintain the general ledger, and most entities have automated the process of entering transaction totals and adjustments (including journal entries) into the general ledger and preparing financial statements. Gone are the days when auditors could examine manually prepared cash-receipt journals and check registers, trace monthly totals to handwritten entries in the general ledger (noting erasures or changes) and examine manually prepared worksheets combining general ledger accounts for the first pencil draft of the financial statements.
Before this statement was issued, SAS no. 55 had required the auditor to “obtain sufficient knowledge of the information system” to understand “the financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures.” However, the professional standards did not specify which aspects of the financial reporting process the auditor should understand.
SAS no. 94 clarifies what the auditor needs to know to understand the automated and manual procedures an entity uses to prepare its financial statements and related disclosures. Included are the procedures an entity uses to
The ASB has several projects under way to amend auditing standards to address recommendations from the Panel on Audit Effectiveness. (For more information, see “Panel Finds Audits Are Sound, But Need Improvement,” JofA, Sep.00, page 21.) Ultimately, the AICPA audit guide, Consideration of Internal Control in a Financial Statement Audit, will need to reflect the changes represented by SAS no. 94 and future projects. SAS no. 94 clearly moves the professional literature forward by recognizing the types of systems, controls and evidence auditors encounter today. It is an important step in a process to acknowledge IT in auditing standards.