There are certain IT areas, IT general controls (ITGC), that systemically affect almost all financial audits because of their ubiquity and significance. They present potential risks to the financial statements associated with IT; that is, they inherently may introduce the risk of material misstatement (RMM) because of some potential, or actual, control deficiency and their relationship to financial reporting data or processing. Therefore, these areas could apply to any financial audit client and should be assessed as to their level of applicable risk to the audit objectives in all financial audits. It could be that all would apply to an audit, or just some, or possibly none (e.g., control risk is assessed at the maximum). But even then, these areas should be reviewed to make the determination that control risk is at the maximum (i.e., evidence it is at the max). Therefore, these areas are probably suitable for some type of review in all financial audits.
A major consideration of this risk process is related to scoping these key issues of ITGC. Because of the inherent broad scope of IT, and because of the inevitable fact that there are many potential weaknesses related to IT in even a well-controlled organization, and because there are always many things an IT auditor could judge as potential problems, it becomes difficult for some to properly scope the IT in a financial audit, especially if the IT auditor has only IT audit experience or education in the IT world (i.e., audits of IT for IT’s sake; internal audits or consulting where the audit objective is to identify all of the deficiencies in a certain element of the IT space/portfolio). Thus, those who are relatively new to IT audit have to resist the natural inclination to include all of the IT “problems” as control objectives or deficiencies, when some of those problems probably lack the necessary prerequisite for a financial audit to have the potential to affect RMM on the financial statements. In any financial audit, the fact is, there will probably be some, maybe many, IT weaknesses or risks that are not relevant to the RMM of financial reports and should not lead to further audit procedures.
In a previous article, a discussion was provided on scoping the IT audit portion of a financial audit in compliance with the risk-based standards of the American Institute of Certified Public Accountants (AICPA) (SAS No. 104-111).[1] This two-part article follows up on that concept by providing a discussion on the actual thought process and activities an IT auditor would go through in properly scoping the IT audit procedures in a financial audit. First, there is a discussion of assessing the overall IT sophistication of a client in order to provide a general scope of the IT audit procedures needed. Second, five categories are suggested as the minimum areas to cover when assessing the RMM in a financial audit as it relates to the IT space of the auditee and the specific IT procedures (e.g., tests of controls) that should be performed in a particular financial audit.
The Role of the Level of IT Sophistication
Throughout this two-part article, reference will be made to the “level of IT sophistication.”[2] This concept is related to SAS No. 94, “The Effect of IT on the Auditor’s Consideration of Internal Control in a Financial Statement Audit,” where the guidance suggests the effect of IT is not necessarily related to the size of the entity but rather the level of sophistication of its IT. It is possible for a small company to rely heavily on IT for delivering its products or services and on IT controls in financial reporting processes. Thus, such an entity would likely be considered at a medium to high level of IT sophistication.
For example, a flexible spending account provider could use electronic funds transfer (EFT) to transfer employee deposits into its bank and debit cards for medical expenditures, and provide online access to manage all of the events. Although the entity might have fewer than 50 employees and a relatively small office space, it probably would be considered medium or high in its level of IT sophistication. Likewise, a manufacturer with hundreds of employees might use commercial off-the-shelf (COTS) applications, have a single server for financial reporting and, thus, be considered on the lower end of the spectrum of IT sophistication.
For simplicity’s sake, the level of IT sophistication will be measured as low, medium or high; it may also be referred to as level 1, level 2 and level 3, respectively. Obviously, entities do not neatly and easily fall into one of these “buckets,” and these levels are not discrete but rather a continuum or spectrum. Still, it is possible to rate the level of sophistication of IT and relevance of IT controls for an entity, as they relate to RMM and financial reporting, using this model. In the end, it takes some professional judgment to determine the actual level of IT sophistication, what specific IT issues are relevant (i.e., affect RMM) and, for those that are, the necessary IT audit procedures.
Generally speaking, the level of sophistication is directly related to the proper quantity and power of IT audit procedures. That is, a low level would use rather simple procedures (low-level strength such as inquiry[3] and observation) and would be rather limited as to the number of procedures. Likewise, the high end would require a relatively larger number of IT procedures, and some of the risks (RMM) would be high and, thus, require high-powered procedures and the use of stronger procedures such as reperformance and examination, rather than observation and inquiry.
While all of that may be intuitively obvious to any IT auditor, the issue is one of properly including all of the low-level auditees at the lower end of the spectrum and properly scoping (rating) auditees along the spectrum (i.e., eliminating IT weaknesses and problems that do not represent an RMM and including those that do). As mentioned earlier, it is tempting to include too many IT weaknesses as part of the financial audit’s further audit procedures without taking into account a thorough thought process to ensure that the IT weakness can lead to a material misstatement where no compensating control exists. So the IT auditor must be careful to assess each IT weakness for its impact on RMM.
To assist IT auditors new to the field, a model for assessing the level of sophistication is presented here. This model could also be used to determine if a subject matter expert (SME)—an IT auditor (e.g., a CISA)—will be necessary to perform the IT procedures in a financial audit or if the “regular” financial auditors can perform the necessary procedures effectively. By default, that statement implies that at the lower end of the spectrum, it is possible for the IT procedures to be of such a nature that an SME is not always necessary.
A Model for Assessing the Level of IT Sophistication
To describe some of the factors that classify an entity into one of the three levels, a model is presented that includes some quantitative IT factors (see figure 1). Each of these criteria is limited to those associated with the financial reporting systems, technologies and processes. Those IT elements not directly associated with financial reporting and the RMM are ignored in the assessment of relevant IT.
Level 1 is the lower end of the spectrum on IT sophistication and relevance. Generally speaking, there would be one server associated with financial reporting, a limited number of workstations (generally, fewer than 15 or so), no remote locations (associated with financial reporting), COTS applications and infrastructure, very few emerging or advanced technologies, and very few to no online transactions. Internal controls over financial reporting (ICFR) would not be overly reliant on IT or would be embedded in the COTS applications or limited to very few manual processes and controls. Many small to medium-sized entities would fit this description. Due to the scope of the minimum IT procedures for this level, limited in number and nature (inquiry and observation types), it is possible that these IT procedures could be performed by the “regular” financial auditors, albeit they may need a little training first.
Level 2 is the middle of the spectrum. Generally speaking, these entities would have more than one server associated with financial reporting, more than one network operating system (O/S) or a nonstandard one, more workstations than level 1 but fewer than about 30 in total, possibly some customizing of the application software (or relatively complex configuration of COTS, e.g., mid-size enterprise resource planning [ERP]), medium reliance on IT for ICFR or several manual controls, few to moderate number of emerging or advanced technologies, and few online transactions. This level would require an SME (i.e., a CISA or equivalent) to design and/or perform the necessary IT procedures.
Level 3 is the high end of the spectrum. This entity would have more than two servers associated with financial reporting, have remote locations, have generally more than 30 workstations associated with financial reporting, use ERP or write custom software, employ a large number of emerging or advanced technologies, and have possibly a large number of online transactions. The entity would also rely heavily on IT for ICFR. This entity will need one or more SMEs to perform the proper IT audit procedures.
In this first part of the two-part article that addresses the minimum IT controls areas to consider in every financial audit, the discussion has focused on making a determination of the level of IT sophistication in the entity, which concomitantly measures the extent (scope) and nature of the IT procedures to include in the further audit procedures. That is, the level of IT sophistication helps to determine the nature, extent and scope of IT procedures. The more sophisticated the entity’s IT, the more likely there will be more IT procedures (extent) and those procedures will be the stronger type (nature). There is also a necessary thought process to make sure any specific IT weakness identified represents RMM and not just a risk to the IT itself.
In the second part of the article (to be published in volume 2, 2010), the next step is described, in which the IT auditor would use five areas of ITGC as the minimum areas of IT controls to examine in all financial audits, and use the concepts noted in this article in making the determination of nature, extent and timing of the proper IT audit procedures for an entity, especially identifying properly those IT risks that should be considered irrelevant and those that are relevant because they represent RMM. The end result is a proper scoping of the IT procedures to be included in a particular audit.
[1] Singleton, Tommie; “What Every IT Auditor Should Know About Scoping an IT Audit,” ISACA Journal, vol. 4, 2009
[2] The use of the term “IT sophistication” implies that, as the IT portfolio becomes more sophisticated, there is more likelihood of RMM related to IT. Thus, occasionally, for clarification of reading, the term will be stated as “IT sophistication and relevance.” That relevance is the back end of the IT sophistication process, where eventually the IT auditor in a financial statement audit must eliminate IT-related controls, problems and risks that do not represent RMM and cannot be directly linked to RMM. That is, only those IT issues that could lead to a material misstatement are relevant to the financial audit and are included in the IT audit procedures. But, that level of risk is invariably directly associated with the level of IT sophistication of the entity.
[3] The risk-based standards state that inquiry alone is not sufficient to gain adequate assurance over some control in the further audit procedures. Thus, some other type (“nature”) of procedure would be needed to complement inquiry, and the lowest level “nature” procedure other than inquiry is observation. Thus, for a “low” level of risk where some procedure is being designed, something other than simple inquiry would need to be included. Examination and reperformance are considered “stronger” types (“nature”) of procedures in a financial audit.
Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA
is an associate professor of information systems (IS) at the University of Alabama at Birmingham (USA), a Marshall IS Scholar and a director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting IS using microcomputers. Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr Riggs Ingram, a large regional public accounting firm in the southeastern US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His articles on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications, including the ISACA Journal.
© 2010 ISACA. All rights reserved.