Using IT Experts to Meet Risk Assessment Standards
California CPA magazine: October 2008
You’ve no doubt kept up with the AICPA Risk Assessment Standards issued in 2006. You may have already conducted an audit using the new internal controls-oriented guidelines, SAS 104-111.
But when it comes to incorporating information technology into auditing—specifically outlined in SAS 108—you may have hit a wall.
That’s understandable. After all, valid reasons exist against blindly jumping in and wrangling with IT control issues, experts, processes and terminology. Especially when you’re already up to your neck adding the new procedures to your existing audit methods, which have been painstakingly crafted after years in the profession.
There also may be reluctance to bringing in the IT audit experts because they bring with them new practices and terminology you must learn (and who has the time to do that, right?); you may consider IT auditing unnecessary because you would not rely on the systems, anyway; or you believe the adverse impact IT audit experts may have on your client relationships is too high a risk to take.
This article will hopefully give you some tools to start navigating through that wall.
Getting Started
The process can be broken down into four steps, much of it delineated in SAS 108.
Step 1—Determine if an IT expert is needed.
SAS 108 guidelines suggest IT audit experts be engaged, or at least considered, when the client:
• Uses complex financial systems and IT controls, or uses IT extensively in business operations.
• Makes significant changes to existing information systems or has brought in a new information system.
• Has multiple systems that share data.
• Engages in electronic commerce.
• Has adopted emerging technologies.
• Retains significant amounts of audit evidence available only in electronic form.
Step 2—Make sure your IT audit expert has appropriate knowledge.
Information systems competency has now become reliant on industry- and technology-specific knowledge and expertise. Similarly, IT audit experts are very specialized in their skills.
Several credentials can be used to vet people who can help provide IT audit expertise.
Within the accounting industry, for example, IT experts can include CITPs (Certified Information Technology Professionals). Credentialed by the AICPA, CITPs are CPAs with varying degrees of information systems and IT expertise.
Further, consider the use of a Certified Information Systems Auditor (CISA), a credentialed professional designated by the Information Systems Audit and Control Association.
The IT auditor should be familiar with the following types of controls for testing purposes:
• User access controls over financial information systems.
• Financial software program changes.
• Segregation of duties in/among system processes.
• Integration of spreadsheets into the financial reporting process.
As a general rule, confirm that your IT expert has professional experience in areas such as financial accounting and reporting software, security practices and data management.
Step 3—Plan your audit with your IT expert.
SAS 108 addresses how to use the assistance of skilled professionals during the planning and execution stages of the audit; IT audit experts should be seen as just one of many players on your audit team.
The IT auditor can bring the following skills to the table, among others:
• Knowledge leadership regarding trends in IT processes and the IT industry.
• Awareness of specific risks involved with various software and hardware products, as well as network architecture. Relevant knowledge about an operating system’s control structures, or various network and remote network configurations, can be key to understanding how financial information actually “moves” within the computing environment.
• A deeper understanding of information systems security controls that can manage access to financial information. For example, an IT auditor would be familiar with best practices regarding security surrounding specific database programs and financial accounting programs, as well as any “backdoor” access control risks.
• Ability to analyze the mix of manual processing controls with an eye to streamlining them and suggesting more automated controls, based on the specific financial accounting systems. For instance, the IT auditor may have expertise in Microsoft Dynamics GP (Great Plains) or SAP, and be able to make efficiency-oriented recommendations to improve the client’s existing control processes.
Step 4—Implement.
As part of your auditing process, make sure your IT audit expert is included in all relevant meetings and participates in many of the promulgated audit procedures, depending on your planned reliance on the information systems. For instance, you might want to rely on the processes surrounding the approval of AP invoices. If so, the IT auditor could assist by assessing and testing access controls over the approval of transactions, and by confirming that payment limit values in the system are set only by those authorized by the appropriate parties.
Also, with IT auditor involvement, you can be more assured of uncovering significant or potentially material weaknesses that might otherwise not be found because of deliberate, manual system overrides, etc. This will impact how you plan your audit approach. IT audit experts can help you add to your professional knowledge as they engage in their processes and uncover risks of a technological nature that could result in material misstatements.
What Harm Can Occur?
Failing to integrate IT auditing in your audits can actually embarrass you and your clients, in part, because of the new risk assessment standards.
Your firm’s competitive advantage may be lost by not using IT audit techniques, as well as by not taking advantage of auditing through the system. Clients are already price conscious about audit fees, and the market for audit services is very competitive. The bottom line: if IT audit is used, and reliance on systems becomes a part of the audit approach for a given client, it’s likely that fees saved for the client can range from 5 percent to 20 percent, in comparison to auditing “around” the system (and thereby ignoring reliable IT control strengths).
You also risk not being able to demonstrate a reasonable understanding of the client’s business, which increases the risk for you and the client. Ask yourself this: if you fail to evaluate and learn the functions of the business information systems used by your client, how can you be sure your financial audit takes into account all pertinent risks and business processes that support your client’s financial reporting? By not using IT audit techniques did you expose yourself and your client to unnecessary risks? If this happens, your reputation can suffer.
Troy Snyder and Robert Green, CPA, CITP are partners in SingerLewak’s Enterprise Risk Management Services group, specializing in IT audit, controls and strategic IT advisory services. You can reach them at TSnyder@Singerlewak.com or BGreen@Singerlewak.com.