Many small audit practitioners in the Caribbean typically question the merits of using an IT Auditor on their engagements. As a result of constantly having to convince small audit practitioners of the importance of information systems audits, I decided to write this post.
Before I go any further, it is necessary to define what an IT audit is. An IT audit is an independent examination of the design and operating effectiveness of information system controls. The IT audit evaluates whether these controls maintain the confidentiality, integrity and availability of an organisation’s data and information systems.
The following are some key reasons why IT audits are critical to financial statement audits:
- It is actually a requirement in some instances. SAS (Statement on Auditing Standards) 108 (AU § 311.23), ‘Planning and Supervision’, implies that the auditor should engage an IT auditor to determine the effect of IT on the audit, gain an understanding of controls, and design and perform tests of IT controls where the entity utilises complex IT systems, implements a new system, utilises emerging technologies, or where significant audit evidence is only available in electronic form. ISA (International Standards on Auditing) 300, ‘Planning an Audit of Financial Statements’, is not as extensive as SAS 108, but it states that the auditor should consider the effect of information technology on the audit procedures, including the availability of data and the expected use of computer-assisted audit techniques (CAATs).
- Assist the auditor in assessing the entity’s risk of material misstatement. The auditor is required to identify and assess the risk of material misstatement through understanding the entity and its environment. Both SAS 109 (AU § 314.83) and ISA 315 section 18 require the auditor to obtain an understanding of the entity’s information system and the related business processes relevant to financial reporting. The IT Auditor is the most suitable person to perform such tasks. An IT Auditor is even more critical when the auditee utilises complex information systems and business processes or emerging technologies.
- Increasing audit efficiency and effectiveness. If controls are operating effectively, the auditor can reduce the extent of substantive testing (i.e. test of details). Since IT processing is inherently consistent, an automated control should function consistently unless the underlying program is changed. As such, an IT auditor can limit testing to one or a few instances of the automated control. Consequently, a test of automated controls performed by an IT auditor can increase audit comfort and reduce the extent of substantive testing the auditor needs to perform. This is covered under SAS 110 (AU § 318) and ISA 330.
- Journal Entry Testing. Under SAS 99 and ISA 240, it is necessary for the auditor to test the appropriateness of journal entries recorded in the general ledger. As long as journal entries are stored electronically, an IT auditor should use CAATs to test these entries. In order to effectively test journal entries, the auditor should gain comfort over the completeness of the entries received. It is practically impossible to perform this task manually, especially with millions of entries. An experienced IT auditor with a good knowledge of CAATs would be necessary in this instance.
- Add value by detecting internal control weaknesses. The IT Auditor can add significant value to the external audit by highlighting existing information system control weaknesses, such as weak password controls, default passwords, dormant accounts and inappropriate user access, to name a few. Failure to identify and address these weaknesses can result in losses due to fraud.
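The completeness step in the journal entry testing point above can be illustrated with a small CAAT-style check. The following Python example is added here and is not part of the original post: it tests a journal-entry extract for gaps in the entry numbering, entries that do not balance, and accounts whose movement does not roll forward to the trial balance. The sample extract, account names, trial balance figures and the function name `completeness_test` are constructed for illustration, and it assumes the ledger numbers entries sequentially.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample extract (not from the original post):
# (je_number, account, debit, credit) as received from the client.
JOURNAL_LINES = [
    (1001, "1000-Cash", "500.00", "0.00"),
    (1001, "4000-Revenue", "0.00", "500.00"),
    (1002, "5000-Expense", "120.00", "0.00"),
    (1002, "1000-Cash", "0.00", "120.00"),
    (1004, "1000-Cash", "75.00", "0.00"),
    (1004, "4000-Revenue", "0.00", "70.00"),
]
# Constructed movement per account (closing minus opening trial balance).
TB_MOVEMENT = {
    "1000-Cash": "455.00", "4000-Revenue": "-570.00", "5000-Expense": "150.00",
    "2000-Payables": "-30.00", "2100-Tax": "-5.00",
}


def completeness_test(lines, tb_movement):
    """Return numbering gaps, unbalanced entries and unreconciled accounts."""
    per_entry = defaultdict(Decimal)
    per_account = defaultdict(Decimal)
    for je, account, debit, credit in lines:
        net = Decimal(debit) - Decimal(credit)
        per_entry[je] += net
        per_account[account] += net

    # 1. Entry numbers missing between the first and last number received.
    numbers = sorted(per_entry)
    gaps = [n for n in range(numbers[0], numbers[-1] + 1) if n not in per_entry] if numbers else []
    # 2. Entries whose debits and credits do not net to zero (lines missing).
    unbalanced = {je: net for je, net in per_entry.items() if net != 0}
    # 3. Roll-forward: extract movement per account versus the trial balance.
    unreconciled = {}
    for account in sorted(set(per_account) | set(tb_movement)):
        diff = per_account.get(account, Decimal(0)) - Decimal(tb_movement.get(account, "0"))
        if diff != 0:
            unreconciled[account] = diff
    return {"gaps": gaps, "unbalanced": unbalanced, "unreconciled": unreconciled}


if __name__ == "__main__":
    for name, result in completeness_test(JOURNAL_LINES, TB_MOVEMENT).items():
        print(name, result)
```

Any non-empty result means the extract cannot yet be relied on as the complete population, so the differences are followed up with the client before the journal entries themselves are tested.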
In summary, an information systems audit is critical to a financial statement audit. This is especially true when the entity utilises complex systems, processes a large volume of transactions or uses emerging technologies. As such, external auditors should use IT auditors when auditing financial services entities such as banks, investment management and insurance companies, or entities which utilise enterprise resource planning (ERP) systems such as SAP, Oracle or Microsoft Dynamics GP.