Chapter 7 – Auditing Information Technology-Based Processes

Instructor Manual

Introduction to Auditing IT Processes. Most businesses rely upon computerized systems to assist in the accounting function. Advancements in technology have brought huge increases in the amount of information that is readily available for decision-makers. Accountants play an important role in the business world because they are called upon to improve the quality of information. Accountants provide assurance services, which help to verify the accuracy and completeness of financial information, thereby improving the quality and lending credibility to this information.

An audit is the most common type of assurance service.

 Types of Audits and Auditors. The main purpose of an audit is to assure users of financial information about the accuracy and completeness of the information by evaluating evidence supporting the underlying procedures, transactions, and/or account balances. This evidence is compared to established criteria. There are three primary types of audits, including (1) compliance audits, (2) operational audits, and (3) financial statement audits. Although each type of audit involves an investigation of supporting evidence, each type has a different objective.

○ Compliance audits determine whether the client has complied with regulations and policies established by contractual agreements, governmental agencies, company management, or other high authority.

○ Operational audits assess operating policies and procedures for efficiency and effectiveness.

○ Financial statement audits determine whether the company has prepared and presented its financial statements fairly, and in accordance with generally accepted accounting principles (GAAP) or some other financial accounting criteria.

Internal auditors, IT auditors, and governmental auditors typically conduct compliance audits and operational audits. Certified public accountants (CPAs) may conduct any type of audit, but CPA firms tend to concentrate on financial statement audits and other financial assurance services. It is important that CPAs be independent, or objective and neutral, with respect to their audit clients and the financial information being audited. Because many companies use sophisticated IT accounting systems to support their financial statements, it is increasingly important for auditors to understand the impact of information technology on their clients’ accounting systems and internal controls. The IT environment plays a key role in how auditors conduct their work related to the consideration of risk in the audit, understanding the underlying systems, and the related design and performance of audit tests.


Information Risk and IT-Enhanced Internal Control. Information risk is the chance that information used by decision-makers may be inaccurate. Information risk may be caused by:

○ The remoteness of information, or the extent to which the source of the information is removed from the decision-maker.

○ The volume and complexity of the underlying data.

○ The motive, goals, or viewpoint of the preparer of the information.

The most common way to reduce information risk is to rely upon information that has been audited by an independent party. This is why a chapter on information-based processing and the related audit function is included in the study of accounting information systems.

IT-based processes generally provide high quality information to management, which aids in effective decision-making. Information is high quality when it is provided in a timely manner and administered effectively. IT systems are also advantageous because they often include computerized controls to enhance the company’s internal controls, and they eliminate the risk of human errors such as mathematical or classification mistakes. On the other hand, IT systems present various risks, including loss of audit trail visibility, lost/destroyed data, system failures, and unauthorized access.

 Authoritative Literature Used in Auditing. The work of an auditor must be conducted in accordance with several sources of authoritative literature, including:

○ Generally accepted auditing standards (GAAS), which are broad guidelines for an auditor’s professional responsibilities in the areas of general qualifications and conduct (general standards), performance of the audit (standards of fieldwork), and written communication of results (standards of reporting). Exhibit 7-1 presents the ten generally accepted auditing standards.

○ The Public Company Accounting Oversight Board (PCAOB) establishes auditing standards (AS) for public companies. Prior to the PCAOB, auditing standards were established by the Auditing Standards Board (ASB) of the American Institute of CPAs (AICPA) through the issuance of Statements on Auditing Standards (SASs). The ASB still serves as the standard-setting body for nonpublic companies.

○ The International Audit Practices Committee (IAPC) issues international standards on auditing (ISAs) and contributes to the uniform application of auditing practices on a worldwide basis.

○ The Information Systems Audit and Control Association (ISACA) issues information systems auditing standards (ISASs) that address control and security issues and provide relevant guidelines for conducting an IT audit.

Although SASs, ISAs, and ISASs each provide detailed guidance that supports GAAS, they still do not furnish auditors with detailed directions regarding the types of audit tests to use and the manner in which conclusions should be drawn. Industry guidelines and other resources such as CPA firms’ own policies and procedures are needed for such specific guidance.


Management Assertions and Audit Objectives. Management assertions are claims regarding the financial condition of a company and its results of operations.

Management assertions relate to existence/occurrence, valuation and allocation, accuracy, classification, cutoff, completeness, rights and obligations, and presentation and disclosure. These assertions and related audit objectives are presented in Exhibit 7-2. Auditors recognize that management of the company is primarily responsible for the preparation and presentation of the financial statements. Accordingly, auditors analyze information supporting the financial statements in order to determine whether management’s assertions are valid. Audit tests should be documented in an audit program and should be uniquely developed for each audit client to address management’s assertions.

 Phases of an IT Audit. Exhibit 7-4 provides an overview of the four primary phases of the audit: planning, tests of controls, substantive tests, and audit completion/reporting. Through each phase of the audit, evidence is accumulated as a basis for supporting the conclusions reached by the auditors. Auditors use combinations of various techniques to collect evidence, including physically examining and inspecting assets or supporting documentation, obtaining written confirmation from an independent source, rechecking or recalculating information, observing activities, making inquiries of client personnel, and analyzing financial relationships and trends.

○ Audit Planning. Auditors must gain a thorough understanding of the client’s business and financial reporting systems during the planning phase of the audit.

In doing so, auditors review and assess the risks and controls related to the business, establish materiality guidelines, and develop relevant tests addressing the objectives. Risk assessment involves careful consideration of the likelihood that errors or fraud may occur. Risk may be inherent in the business or it may be caused by weak internal controls. Accordingly, a big part of the audit planning process involves gaining an understanding of internal controls. In determining materiality, auditors estimate the monetary amounts that are large enough to make a difference in decision making. Materiality estimates are then assigned to account balances so that auditors can decide how much evidence is needed in the testing phases of the audit.

Use of Computers in Audits.

The audit planning tasks of evaluating internal controls and designing meaningful audit tests are more complex for automated accounting systems than for manual systems. SAS 94, “The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit”, describes the importance of understanding both automated and manual systems and considers how misstatements may occur through the data entry and processing functions of the system. Auditors must consider the effects of such computer processing on the audit. Three options may exist for the auditor in deciding upon a testing approach for a client’s automated process: auditing around the computer, auditing through the computer, and auditing with the computer.


 Auditing around the computer is commonly known as the “black box” approach because auditors are not required to gain detailed knowledge about the company’s computer system; rather, documents used to input data into the system can be compared with reports generated from the system. Computer controls are not considered.

 Auditing through the computer is commonly known as the “white box” approach because it involves directly testing the internal controls within the IT system. It requires the auditors to understand the computer system logic and related IT controls. Auditing through the computer is necessary when the auditor wants to rely upon computer controls as a basis for reducing the amount of audit testing required, and when supporting documents are available only in electronic form.

 Auditing with the computer involves the auditors’ use of their own computer systems and audit software to perform audit testing. A variety of computer assisted audit techniques (CAATs) are available for auditing with the computer.

○ Tests of Controls. After auditors have learned about the types of controls that exist within their client’s IT environment, they may then test those controls to determine whether they are reliable as a means of reducing risk. Tests of controls are sometimes referred to as “compliance tests”, because they are designed to determine whether the controls are functioning in compliance with management’s intentions. Both general controls and application controls must be considered.

General Controls.

The effectiveness of general controls is the foundation of the IT control environment because general controls affect all computer applications. There are two broad categories of general controls that relate to IT systems: IT administration and the related operating systems development and maintenance processes, and security controls and related access issues.

IT administration.

IT departments should be organized so that an effective and efficient workplace is created and supported. The important aspects of administrative control include personal accountability and segregation of incompatible responsibilities, job descriptions and clear lines of authority, computer security and virus protection, and thorough documentation about the internal logic of computer systems and surrounding controls.

Security controls.

Auditors must be concerned about whether a company’s computer system has controls in place to prevent unauthorized access that may result in the destruction or alteration of information within the accounting information systems. Unauthorized access may be from an internal or external source, and can be controlled internally through the use of various access controls, including authenticity tests, passwords and security tokens, and other techniques that were described in Chapter 4. External access controls may include authenticity tests, penetration tests, vulnerability assessments, and monitoring of access logs and other security reports.

Physical controls such as locks, security alarms, etc. are also used to protect and limit access to a company’s computer resources. In addition, a disaster recovery plan, backup procedures, virus protection, and adequate insurance coverage should all be in place in order to protect the company’s computer systems and data.

Application Controls.

Since companies tend to use many different computer programs in their day-to-day business, there may be different types of application controls to consider in an audit. However, application controls are considered only if general controls have already been tested and found to be operating effectively. It would not be worthwhile to test application controls if the auditor already knew that the underlying general controls were weak.

The three main functions of computer applications include input, processing, and output. Each of these functions should be tested by the auditor.

Auditors are concerned about whether errors are being prevented or detected during the input of data into a computerized system. The most widely used tests of input controls include financial totals, hash totals, completeness or redundancy tests, limit tests, validation checks, and field checks. Companies may implement these tests as internal control measures, and auditors may perform the same type of test to determine their effectiveness.

Data accuracy tests are typically performed to evaluate the processing integrity of a company’s computer systems. Limit tests, balancing tests, run-to-run totals, mathematical accuracy tests, and completeness or redundancy tests can each be performed to test for the possibility of lost, altered, or unprocessed data. Exhibit 7-8 presents a comparison of several CAATs for testing application controls, including the test data method, program tracing, an integrated test facility, parallel simulation, and embedded audit modules.
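The input controls listed above (financial totals, hash totals, record counts, limit tests, field checks, redundancy tests) and the run-to-run totals used to test processing integrity are easiest to understand as a small batch-control routine. The following Python is an added example written for this summary; it is not code from the instructor manual. The record layout, the per-line limit, the batch-header totals and the batch itself are constructed for illustration, and the header is deliberately built from five source documents while the keyed batch contains six lines, so the totals disagree and every check has something to report.

```python
"""Batch input controls and run-to-run totals over a constructed batch of
journal-entry lines (added example; layout, limits and values are assumptions)."""
from collections import Counter
from decimal import Decimal

# Constructed batch as keyed by a data-entry clerk. 'doc' is the source-document
# number, 'account' a 4-digit GL account, 'amount' in dollars.
BATCH = [
    {"doc": 1001, "account": "1100", "amount": Decimal("250.00")},
    {"doc": 1002, "account": "1100", "amount": Decimal("75.50")},
    {"doc": 1003, "account": "2100", "amount": Decimal("-75.50")},
    {"doc": 1004, "account": "5200", "amount": Decimal("18000.00")},  # over the limit
    {"doc": 1005, "account": "51A0", "amount": Decimal("12.00")},     # bad account field
    {"doc": 1003, "account": "2100", "amount": Decimal("-75.50")},    # keyed twice
]

# Control totals the preparer recorded on the batch header from the five source
# documents before keying (constructed values): count, financial total, and a
# hash total of the document numbers (1001 + ... + 1005).
HEADER = {"record_count": 5, "financial_total": Decimal("18262.00"), "hash_total": 5015}

MAX_AMOUNT = Decimal("10000.00")  # assumed per-line limit for the limit test


def financial_total(records):
    return sum(r["amount"] for r in records)


def hash_total(records):
    # Sum of a non-financial field: meaningless as a number, but it changes when
    # a record is lost, duplicated or its document number altered.
    return sum(r["doc"] for r in records)


def field_checks(records):
    # Field check: the account code must be exactly four digits.
    return [r["doc"] for r in records
            if not (r["account"].isdigit() and len(r["account"]) == 4)]


def limit_checks(records):
    return [r["doc"] for r in records if abs(r["amount"]) > MAX_AMOUNT]


def redundancy_checks(records):
    # Completeness/redundancy test: a document number may appear only once.
    counts = Counter(r["doc"] for r in records)
    return sorted(d for d, n in counts.items() if n > 1)


def batch_control_report(records, header):
    """Compare the keyed batch with its header and list every exception."""
    return {
        "record_count_ok": len(records) == header["record_count"],
        "financial_total_ok": financial_total(records) == header["financial_total"],
        "hash_total_ok": hash_total(records) == header["hash_total"],
        "limit_exceptions": limit_checks(records),
        "field_exceptions": field_checks(records),
        "duplicate_docs": redundancy_checks(records),
    }


def accepted_records(records, header):
    """Lines that pass the edit checks; rejected lines go back to the preparer."""
    rep = batch_control_report(records, header)
    rejected = set(rep["limit_exceptions"]) | set(rep["field_exceptions"])
    seen, out = set(), []
    for r in records:
        if r["doc"] in rejected or r["doc"] in seen:
            continue
        seen.add(r["doc"])
        out.append(r)
    return out


def run_to_run(stages):
    """Run-to-run totals: the financial total leaving one processing run must
    equal the total entering the next. stages is a list of (name, records).
    Returns (stage, expected, actual) for every break in the chain."""
    breaks, prev = [], None
    for name, recs in stages:
        total = financial_total(recs)
        if prev is not None and total != prev:
            breaks.append((name, prev, total))
        prev = total
    return breaks


if __name__ == "__main__":
    print(batch_control_report(BATCH, HEADER))
    edited = accepted_records(BATCH, HEADER)
    # Constructed posting run that silently drops document 1002.
    posted = [r for r in edited if r["doc"] != 1002]
    print(run_to_run([("edit", edited), ("post", posted)]))
```

Run as a script, the report flags the record count, financial total and hash total as disagreeing with the header, lists document 1004 as a limit exception, 1005 as a field exception and 1003 as a duplicate; the run-to-run check then reports the break introduced when the posting run loses a line. An auditor performing the same tests independently would compare the system's own exception listing with one produced this way from the raw input file.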

Audit tests that evaluate general controls over access and backup procedures may also be used in the testing of specific computer application outputs.

Regardless of whether the outputs are printed or retained electronically, auditors may perform reasonableness tests, audit trail tests, and/or rounding errors tests to verify the accuracy of system outputs.

At the conclusion of the controls testing phase of the audit, auditors must determine the overall reliability of the company’s internal controls. Auditors may rely on internal controls as a way to reduce the amount of evidence needed in the remaining phases of the audit. They can be reasonably sure that financial information is accurate when it comes from a system that is proven to have strong controls.

○ Tests of Transactions and Tests of Balances. When auditors test the accuracy of monetary amounts of transactions and account balances, this is known as substantive testing. Substantive testing therefore determines whether financial information is accurate, whereas control tests determine whether the financial information is managed under a system that promotes accuracy. Some level of substantive testing is required on all financial statement audits; however, the results of the tests of controls will determine the extent of substantive testing. There is an inverse relationship between the two: the stronger the internal controls, the less substantive testing is required, and vice versa.

Some testing strategies used to test controls can also be used to perform substantive testing. For instance, parallel simulations, the test data method, the embedded audit module, and the integrated test facility can be used for both controls and substantive testing. Because of the growth in real-time financial reporting, continuous audit techniques are also becoming more popular for substantive testing. With continuous auditing, auditors constantly analyze audit evidence and provide assurance on the related financial statement information as soon as it occurs or shortly thereafter. This generally requires that the auditors have online access to the company’s systems so that data can be obtained on an ongoing basis. Then the data are downloaded and tested by auditors within a very short timeframe. Most CPA firms use generalized audit software (GAS) or data analysis software (DAS) to perform audit tests on electronic files taken from commonly used database systems. These computerized audit tools assist auditors in the performance of mathematical and statistical computations, data queries, identification of missing information in a sequence, stratification and comparison of data items, selection of items of interest from the data files, and summarization of testing results into a useful format for decision-making.
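The GAS/DAS functions just listed (gap detection in a sequence, stratification, selection of items of interest, duplicate detection) and the rounding-error test mentioned among the output tests earlier are all simple to implement once an electronic file has been obtained from the client. The Python below is an added example for this summary, not a feature of any particular audit software package; the cash-disbursements file, the check numbers, the tax rate and the approval threshold are constructed for illustration.

```python
"""GAS-style substantive tests over a constructed cash-disbursements file
(added example; data, threshold and tax rate are assumptions)."""
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

# Constructed disbursement records: check number, vendor id, amount paid.
DISBURSEMENTS = [
    {"check": 5001, "vendor": "V10", "amount": Decimal("1200.00")},
    {"check": 5002, "vendor": "V11", "amount": Decimal("4990.00")},
    {"check": 5003, "vendor": "V10", "amount": Decimal("1200.00")},
    {"check": 5006, "vendor": "V12", "amount": Decimal("15.75")},
    {"check": 5007, "vendor": "V11", "amount": Decimal("4975.00")},
    {"check": 5010, "vendor": "V13", "amount": Decimal("26000.00")},
]
APPROVAL_THRESHOLD = Decimal("5000.00")  # assumed second-signature limit


def sequence_gaps(records, key="check"):
    """Missing numbers in a pre-numbered document sequence, as (first, last) ranges."""
    nums = sorted(r[key] for r in records)
    return [(a + 1, b - 1) for a, b in zip(nums, nums[1:]) if b - a > 1]


def stratify(records, bands):
    """Count and total per amount band; bands are ascending upper bounds."""
    result = {}
    for r in records:
        label = next((f"<= {u}" for u in bands if r["amount"] <= u), f"> {bands[-1]}")
        count, total = result.get(label, (0, Decimal("0")))
        result[label] = (count + 1, total + r["amount"])
    return result


def just_under_threshold(records, threshold, margin=Decimal("0.02")):
    """Items of interest: payments within `margin` (fraction) below an approval
    limit, which an auditor would select for follow-up when testing that control."""
    floor = threshold * (1 - margin)
    return [r["check"] for r in records if floor <= r["amount"] < threshold]


def duplicate_payments(records):
    """Same vendor paid the same amount more than once: groups of check numbers."""
    seen = defaultdict(list)
    for r in records:
        seen[(r["vendor"], r["amount"])].append(r["check"])
    return [checks for checks in seen.values() if len(checks) > 1]


def rounding_test(records, tax_rate=Decimal("0.0825")):
    """Output rounding-error test: tax computed and rounded line by line versus
    tax computed once on the total. The difference is the accumulated rounding."""
    cent = Decimal("0.01")
    per_line = sum((r["amount"] * tax_rate).quantize(cent, ROUND_HALF_UP) for r in records)
    on_total = (sum(r["amount"] for r in records) * tax_rate).quantize(cent, ROUND_HALF_UP)
    return per_line - on_total


if __name__ == "__main__":
    print("gaps:", sequence_gaps(DISBURSEMENTS))
    print("strata:", stratify(DISBURSEMENTS, [Decimal("100"), Decimal("5000")]))
    print("near limit:", just_under_threshold(DISBURSEMENTS, APPROVAL_THRESHOLD))
    print("duplicates:", duplicate_payments(DISBURSEMENTS))
    print("rounding diff:", rounding_test(DISBURSEMENTS))
```

On the constructed file the sequence test reports checks 5004-5005 and 5008-5009 as unaccounted for, the stratification puts most items in the middle band with one large item above the threshold, checks 5002 and 5007 fall just under the approval limit, vendor V10 was paid 1200.00 twice, and the per-line tax total exceeds the tax on the grand total by one cent. Each result is a lead for substantive follow-up (voided-check records, approval documentation, vendor invoices), not a conclusion in itself.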

○ Audit Completion/Reporting.

The final phase of the audit involves overall evidence accumulation and drawing final conclusions. The auditors must determine whether the financial statements are presented fairly and whether all of the evidence supports the financial information presented. The auditors must also consider whether the extent of testing has been adequate in light of the risks and controls identified during the planning phase versus the results of procedures performed in the testing phases.

A letter of representations must be obtained during the final phase of the audit. This is often considered the single most important piece of audit evidence because it includes management’s acknowledgment of responsibility for the fair presentation of the financial statements.

Auditors have four choices from which to select a report that communicates the final conclusions of the audit. The four types of reports include an unqualified opinion, which states that the financial statements are fairly stated; a qualified opinion, which sets forth limited exceptions; an adverse opinion, which warns that the financial statements are not fairly stated; or a disclaimer, which explains that an opinion cannot be formed.

 Other Audit Considerations.

○ Different IT Environments. Auditors are responsible for understanding how information is managed so that it is reliable. A company’s computer systems may include mainframe and client-server systems, microcomputers and personal computers (PCs), networks, database management systems, and/or e-commerce systems. PCs may face a greater risk of loss and therefore require strong controls such as locked hard drives, password protection, separation of operating and programming functions, backup procedures, and virus protection.

All of the risks and audit procedures that apply to PCs are also likely to exist in networks, but the potential for loss is much greater because of the larger number of computers, users, and information involved in network operations. For database operations, it is especially important that a database administrator monitors access to the company’s data on a regular basis. In addition, since many users and many applications will share information in the database, the data must be organized and controlled consistently. Finally, companies that use e-commerce depend upon the reliability of other companies’ systems; external access controls are critical in such systems.

An increasing number of companies use IT outsourcing, which places reliance upon an external, independent computer service center to handle all or part of the IT needs. Auditors must still gain an understanding of the internal controls surrounding such computer applications, which can be accomplished by testing controls at the service center or by testing around the computer.

○ Changes in a Client’s IT Environment. When a company changes the type of hardware or software used or otherwise modifies its IT environment, auditors should consider applying tests of controls at multiple times throughout the period in order to determine the effectiveness of controls under each of the systems.

Auditors must evaluate a client’s procedures for developing, implementing, and maintaining new systems or changes in existing systems.

○ Sampling. Auditors must rely on sampling to test a limited number of items and then use these limited tests to draw conclusions about the overall control effectiveness and accuracy of transactions and account balances. There is always some risk that a sample may not represent the population as a whole.

 Ethical Issues Related To Auditing.

The AICPA has established a Code of Professional Conduct to provide the foundation for ethical behavior expected of CPAs. The six principles of the Code include:

○ Responsibilities

○ The Public Interest

○ Integrity

○ Objectivity and Independence

○ Due Care

○ Scope and Nature of Services

It is most important that auditors maintain objectivity and independence with respect to their client companies. Accordingly, they should not become too friendly with their clients or develop any financial relationships with them that could create bias.


The Sarbanes-Oxley Act places restrictions on CPAs by limiting the types of services they can provide for their audit clients. This is intended to promote objectivity in the conduct of their work by prohibiting the types of services that involve accounting work that is subject to an audit and other services that put auditors in a role of managerial decision making. The Sarbanes-Oxley Act also increased public companies’ responsibilities regarding the fair presentation of financial statements by requiring the following:

○ reporting on the effectiveness of internal controls.

○ management’s written verification of the fair presentation of the financial statements.

○ establishment of an audit committee to promote independence of the audit function.

Compliance with a code of conduct depends upon the voluntary actions of its members. Certified Information Systems Auditors and Certified Internal Auditors also have codes of professional ethics. In fulfilling their ethical responsibilities, auditors must practice professional skepticism, which means that they should maintain a questioning attitude and persistent approach to evaluating evidence.

This is important in order to increase the chances of detecting fraud, which may be especially difficult to find if perpetrated by managers who can override internal controls. Forensic audit testing performed by certified fraud examiners (CFEs) may be used in cases where fraud is suspected or is known to exist.

Also in practicing professional skepticism, auditors should be careful about balancing the mix of audit procedures between tests of controls and substantive tests. Emphasis on computer processes and internal controls may lead to an over-reliance on the accounting system, which could be circumvented by management. Therefore, it is important to also perform substantive procedures that focus on the actual transactions and account balances that make up the financial statements.
