Regularly evolving compliance requirements, increased globalization, and the constant pressure to improve operating efficiency are only some of the factors that place huge pressure on businesses to adopt advanced information technology (IT) in order to streamline their activities. As businesses continue to utilize more sophisticated technology, it is vital that, in performing their audit of a company's internal controls, external auditors understand the risks of material misstatement, internal control concerns, required technical skills, and potential benefits associated with those technologies.
According to the Internal Audit 2012, a large-scale interview project conducted by PricewaterhouseCoopers, 79 percent of survey participants believe "technology risks will pose a higher degree of risk to their organizations between now and 2012. â€¦ Some audit leaders plan to acquire more sophisticated technology tools to address these risks while others plan to integrate auditors with IT skills into a core internal-audit function." [i] These trends further cement the importance for external auditors to have the technical know-how and understandings in order to conduct a successful audit.
Understanding IT-Related Inherent Risks
Get your grade
or your money back
using our Essay Writing Service!
Both the AICPA Statements on Auditing Standards (SAS) 104-111, and the Public Company Accounting Board (PCAOB) Auditing Standard 5 (AS 5) indicate that IT can carry significant inherent audit risk. [ii] As a result, when IT does play a big role in determining a company's financial statements, external auditors must take the time to clearly understand the IT systems in place and the risks of material misstatement associated with those applications.
While the use of IT to provide more people with access to data can positively increase workflow efficiency, there is the related risk that the increased number of people with access will also make it easier to improperly disclose or accidentally modify sensitive information. The 2011 Top Technology Initiatives Survey by the American Institute of Certified Public Accountants (AICPA) found that the use of mobile technology, such as smart phones and tablet computers, to send sensitive data was a number one business technology concern for CPAs. [iii] Ron Box, CPA/CITP, CFF notes that,Â "The technology is advancing so rapidly that the capabilities for controlling and protecting the information on mobile devices is lagging behind." [iv]
In regards to another type of newer technology called "cloud computing," the accounting industry is attempting to keep up with the related risks. Cloud computing can be defined as a delivery of information technology services that is based completely online. "Worldwide, cloud services revenue is forecast to reach $68.3 billion in 2010, a 16.6% increase from 2009 revenue of $58.6 billion, according to analyst firm Gartner Inc." [v] Â As more companies store and share information through cloud computing, the AICPA has begun offering Service Organization Controls Reports (what used to be SAS 70 reports) on a variety of cloud computing vendors. These reports provide stringent evaluations of the internal controls of these vendors.
The risks associated with the use of IT also extend to the applications used within a firm to store, calculate, and record information. For example, in considering inventory and cost of goods sold accounts, it is quite possible that when IT plays a significant role in the calculation of account balances, there is the risk that these calculations be accidentally modified to produce errors and lead to material misstatements in the financial statements. Because information can be so interconnected within each IT application and throughout an organization's financial recording system, a simple change to a spreadsheet calculation can have far-reaching effects.
Understanding IT Internal Controls
A couple factors contribute to the need for external auditors to not only understanding a company's information technology and the risks associated, but also go further to also properly consider the company's IT controls.
Always on Time
Marked to Standard
First, in considering the enormous amounts of data being collected, stored, and managed throughout an organization's IT system, it is obvious that the accuracy of an organization's financial statements could easily be affected should their IT systems be compromised.Â It is therefore vital that external auditors consider and test controls to be sure that they are sufficient to prevent and detect material errors or fraudulent activities.
In addition, despite the fact that since the passage of Sarbanes-Oxley, many public companies have increased their internal audit budgets, [vi] there still exists the likely possibility that a company not have access to the specialized technical knowledge needed to design and implement effective IT controls. Even should the company have in-house technical expertise, Deloitte notes that the initial collaboration efforts between a company's CEO and Chief Information Officers (CIOs) "almost always prove to be more challenging than anticipated. This is often due to the CFO â€¦ underestimating the importance and the role of IT controls in the organization's overall internal control framework." [vii] As a result, external auditors should be cognizant of these potential challenges and be able to ask the right questions in order to assess the company's IT controls.
Questions that external auditors should ask are related to whether the internal controls are "suitably designed to mitigate the inherent risks ... [and are] placed in operation..." [viii] A suitably designed control provides reasonable assurance that it will either prevent or detect errors or fraud as it is designed to do.
In large part, internal controls related to information technology include both application controls and general controls. Application controls are created to prevent or detect transaction processing errors related to the different applications a company might use. These IT controls include controls that prevent unauthorized access,Â require proper authorization controls in order to prevent fraud, controls to detect and handle errors, and more.Â General computer controls are not specific to any application and include controls that protect the system from any unauthorized modifications, access controls, and even the proper backing up of the system should information be lost.
Ultimately, given the speed of technology advancement, external audit professionals face the task of continuing to educate themselves about the potential risks and internal controls associated with sophisticated IT systems or need to understand how and when to bring in specialized IT audit professionals.
Hiring a Specialist
The risk of material misstatement depends ultimately on the effectiveness of the internal controls in place, but ultimately, without the ability to truly understand those risks and controls, external auditors would fall short in providing a qualified opinion. As companies continue to implement more complex IT applications for use in financial reporting, there is an ever increasing need for specialized and in-depth knowledge of how information technologies function, the risks associated with those technologies, and the internal controls that should be in place. [ix] As a result, in planning their audit, auditors should consider the need to bring in an IT audit specialist. Auditing Understanding 311 states that "The use of professionals possessing information technology (IT) skills ... is a significant aspect of many audit engagements." [x]
As a reflection of the strong need for specialized knowledge, the accounting profession currently offers three well-known designations that demonstrate one's ability to conduct financial statement and internal information technology audits. The Certified Information Technology Professional (CITP) is recognized by the AICPA, the Certified Information Systems Auditor (CISA) is recognized by the Information Systems Audit and Control Association and Foundation (ISACA), and the Certified Information Systems Security Professional (CISSP) is recognized by the International Information Systems Security Certification Consortium. [xi]
This Essay is
a Student's Work
This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.Examples of our work
While being able to establish technical expertise based on certification is beneficial to auditors, the variety in certifications can lead to confusion. One potential issue in having such a variety of designations is that there are differences in areas of expertise, amount of training required to attain the certification, and requirements for ongoing training among those certifications. Atkinson, Professor of Accounting at Central Washington University writes that also confounding mattes is the fact that "The nature of the IT field allows many individuals with no training or experience to call themselves "IT consultants" or "security specialists." [xii] Therefore, in choosing the right IT Audit professional to join an audit team, the audit team leader should clearly understand the various designations and the qualifications they require.
Potential Benefits of Internal Control Testing
Despite the challenges and extra considerations associated with auditing complex information technology systems, IT internal controls when successfully designed and effectively in operation, can be valuable lessening the time and labor in the audit.
During the IT risk assessment, external auditors may identify IT controls that, once tested to be operating effectively, can successfully reduce audit risk and thereby reduce the need for extensive substantive testing. Substantive testing often requires much more time, labor, and increased audit costs; [xiii] and decreasing the amount of necessary substantive testing can therefore reduce the amount of audit work required. As a result of the potential to save time, labor, and audit costs, external auditors should, therefore, understand how to leverage the testing of internal controls in order to can efficiently lower audit risk and simplify their audit.
While the IT risk assessment and testing of IT controls can be beneficial to the overall audit, external auditors should keep in mind a couple important considerations. First, in order for auditors to take advantage of this opportunity to efficiently reduce the need for substantive testing, the IT risk assessment must be produced early on enough to be considered during the audit planning process. With proper awareness and planning, this is more likely to be achieved. Also, the external auditor should know that regardless of the IT risk assessment, whenever the audit procedures to be performed rely on computer-generated data, external auditors will always need to conduct tests of controls to ensure that the data generated is accurate and reliable (who quote??). [xiv]
Benefits of Technology and Reliance on Internal Auditors
According to the Internal Audit 2012 survey conducted by PWC, survey participants believe that technology will affect the internal audit function more than any other business trend. All survey respondents predict that their use of technology will increase over current levels, with 46 percent expecting the increase to be dramatic and 43 percent projecting a moderate increase. Moreover, respondents foresee a sharp surge in the importance of technology in continuous monitoring and fraud detection.
Overall, the increased use of technology, such as computer-assisted audit techniques and improved information technology, serves to increase the efficiency of the internal audit function. This frees up manpower, which allows internal auditors and external auditors to focus more on high-risk areas. In Protiviti's 2008 Internal Audit Capabilities and Needs survey, computer-assisted audit techniques, continuous auditing, and data analysis are listed as the greatest technology areas in need of improvement. [xv]
Also, with the passage of AS 5, external auditors could rely on the work of others, and as companies have begun to invest in and grow their internal audit departments, this reliance on others has equated to an increased reliance on the work of internal auditors. The increased capability and scope of internal audit work due to the increased use of more advanced technology has enabled external auditors to rely increasingly on internal audit's work in conducting their external audits. A 2005 survey found that in 88% of 117 companies chief internal audit executives reported that external auditors relied to some extent on the work of their internal auditors (Kaplan & Schultz, 2006). [xvi]
Relying on the work of internal auditors also benefits external auditors because internal auditors have are more likely to have a more in-depth understanding about the company's current business environment, operations, and policies. Specifically, one area that likely merits more reliance on internal auditors is the area of fraud risk assessment. Because internal auditors have better knowledge about a company's procedures, they could be very uniquely qualified to help with fraud risk assessment. KPMG studies support this idea when revealing that internal auditors are more likely to discover fraud than external auditors (KPMG, 2003). For instance, while 65% of frauds were discovered in 2003 by internal auditors, only 12% were discovered by external auditors (KPMG, 2003). So, it would behoove external auditors to rely on internal audit work relating to fraud risk assessment.
However, external auditors must weigh the benefits of relying on the work of internal auditors with the need to maintain both professional skepticism and auditor independence. In 2002, The Panel on Audit Effectiveness noted that in its review of 126 public company audits, reviewers were satisfied overall with how external auditors assessed and reviewed the work of internal auditors, and when external auditors relied in the internal auditors' work, the external auditors seemed to have a good basis for their reliance. On the other hand, there were some reviewers who questioned if there was adequate retesting of the work that internal auditors did as assistants to the external auditor. For example, in some cases, "the external auditors may not have tested, supervised, and reviewed the internal auditors' work as thoroughly as would have been desirable (Panel on Audit Effectiveness, 2002, p. 63)." [xvii] The reviewers noted that there were times when the external auditors did not show as much professional skepticism as would have been ideal. In the end, it is important that external auditors take care to adequately corroborate the work of internal auditors regardless of how confident they are in the abilities of those internal auditors.
Client fee pressures watch out for. !!
As the use of ever more complex technology proliferates throughout companies, external auditors are faced with the challenge of
Analyze Findings (compare, contrasts, shows where there is agreement, disagreement, unanswered issues, etc.)
Summary -- Synthesizes your research (connects the dots) to conclude what you found, what still remains to be answered, etc.