Since its inception, information technology (IT) audit has been an enigma to many auditors, CPAs and business professionals. IT has sometimes been seen as more of a simple business tool than a business risk. Auditors and management have trouble separating the nature of IT problems (i.e. every entity has IT that is "broken" and needs some level of attention) and the risk of material misstatement in financial reporting. Professional standards (e.g., AS5, SAS No. 104-111) have gradually increased the need for IT audit tools, techniques and professionals in audits and attest engagements. The time has come or passed when every audit needs to consider IT-related risks.
Exactly how does an auditor determine what IT needs to be audited? How does an IT auditor make judgments about something as nebulous as IT? When is IT relevant in an engagement? How can IT risk lead to the risk of material misstatement, or can it even do so? These are some of the questions many CPAs and business professionals have had, and the answers are attainable and fairly concrete.
What Is an IT Audit?
IT audit is about identifying the risks that IT presents in an engagement, and/or IT-related risks that can lead to the risk of material misstatement (RMM). For example, suppose an entity uses a commercial off-the-shelf accounting software package, and at the end of the fiscal period transfers the financial reporting data to an electronic spreadsheet. An accountant then uses the spreadsheet to make journal entries and closing entries, create a trial balance, and complete the financial reports. In this case, IT (i.e. the electronic spreadsheet) presents risks that could possibly lead to the RMM. For instance, a formula could be created with an error, or data could be entered in error (something easy to do because it is a spreadsheet), and the resulting misstatement could become large enough to be material (especially absent sufficient compensating controls). That risk is not about the original source documents, audit trail, accounting transactions or original source entries; rather, it relates strictly to the IT involved (the nature of a spreadsheet). IT-related risks such as this one are abundant.
What Does an IT Auditor Do?
The IT auditor assesses the inherent risk (i.e. momentarily ignoring the mitigating controls involved) of these IT risks and focuses on those with a relatively high rating. That assessment must scope the relevance of the IT risk and determine how that specific IT-related risk can result in the RMM.
If some IT problem comes to the attention of the auditor, the first thing the auditor should do is determine scope. That is, how does this IT problem relate directly to the RMM? Sometimes the IT problem is simply out of scope. For IT to be in scope in a financial audit, three things must be true:
- The IT in question MUST be part of the financial reporting systems and/or processes;
- The IT in question MUST be assessed as a relatively high risk; and
- That risk MUST lead to the RMM.
For example, if the perimeter of the entity's network has security gaps through which outsiders can make malicious attacks on the entity, and the problem is fairly extensive (i.e. the perimeter is fairly easy to break through), the initial response is to assess the risk as high (it is) and to include it as part of the audit. However, if the Internet connection is not tied to the financial systems server, there is no RMM. Often, IT problems simply do not realistically lead to the RMM and should be considered out of scope. This is particularly true of information-security problems. In fact, many IT audit professionals believe that management and auditors currently over-audit because of the lack of appropriate scoping of IT.
What Is the Solution?
Once the IT-related inherent risk has been identified properly, control risk (CR) has to be assessed to determine the RMM. In this step, the IT auditor assesses the mitigating power of the controls operating with the objective of reducing that particular risk. That assessment does not necessarily involve a lot of technical activities or technical knowledge. For instance, using the same scenario as above, assume the Internet connection is tied to a network that includes the financial-reporting server. Suppose the IT auditor determines that application access controls are strong (including strong logical segregation of duties), and that the network has strong access controls. Then the auditor might conclude that the network interface to the Internet is out of scope because of mitigating controls (those closer to the financial reporting data and therefore more important).
To learn more, check out How to Identify and Manage IT Risk in Assurance Services and How to Perform Tests of IT Controls in Assurance Services.
Tommie Singleton, Ph.D., CPA (inactive), CISA, CITP, CFF, CGEIT, is associate professor of Accounting at the University of Alabama at Birmingham, where he is also director of the Forensic Accounting Program and Marshall Scholar and serves as the program chair for AICPA IT Audit Training School in 2011.