How IT Relates to The Audit

Moore Stephens North America is comprised of 43 member firms that provide key services across a wide variety of industries and niches. This month's "Moore Together" is a collaboration between Brad Atkin with Doeren Mayhew and Greg Smith with Brown Smith Wallace.


The Pervasiveness of IT in Financial Reporting
IT General Controls (ITGCs) affect almost all financial audits by virtue of their reach and significance. A single control deficiency around financial data or its processing can change the inherent risk of several audit areas at once, and with it the overall risk of material misstatement. As auditors, we tend to think of inherent and control risk in terms of expertise, outside forces, reconciliations, board oversight and the many mitigating controls around them, and we often fail to notice that the underlying information is controlled, processed and reported through applications and databases. The difficult part is knowing which controls should apply to a given audit. As a result, ITGCs require some type of review in every financial audit.

As the risk-based audit has taken form and the scope of IT keeps getting broader, a major risk consideration is how to scope the ITGCs. Even the most sophisticated organizations commonly have many IT-related weaknesses; the key is identifying the control weaknesses that actually influence the risk of material misstatement of the audited financial statements. The AICPA's SAS Nos. 104 through 111 are filled with references to the effect of IT controls on the audit and provide the framework needed. The two-step process described below first assesses the entity's level of IT sophistication and then addresses five minimum categories to test.

The Level of IT Sophistication
A common mistake in reading SAS No. 94 is focusing on the size of the company rather than on the complexity or sophistication of its IT environment. From an IT standpoint, the $1 billion manufacturer running commercial off-the-shelf software and taking orders manually is less sophisticated than the $50 million card-processing startup with a customized ERP application and online transactions.

By addressing this area first, you can properly evaluate the scope and nature of the IT procedures to include in further audit procedures, and whether a subject-matter expert, such as a Certified Information Systems Auditor (CISA), is needed. It is key to address both the extent (more sophistication generally means more procedures) and the nature (sophistication determines whether inquiry, observation and/or testing are needed) of those procedures.

The Five Minimum Areas to Address
The five main areas that should be addressed, at a minimum, are as follows:

  1. IT Entity Level Controls – This refers to the "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement" work that most of us are used to compiling or reviewing. SAS No. 109 refers to understanding the controls management provides over the IT function. Regardless of complexity, management should provide governance over IT. This area also includes IT policies and procedures, IT management, planning, strategy, human resources and IT risk management. For entities with a very low level of sophistication, these risks may be deemed inconsequential; for higher-risk organizations, the controls should be tested.
  2. Change Management – Often discussed under the heading of the software development life cycle (SDLC), change management has been a hot-button topic. In basic terms, these are the controls that ensure changes to IT are properly authorized, tested adequately before going live and securely implemented. This matters to the audit because the software in question is used for financial reporting: think of automated functions and the processing of transaction data. The auditor should determine whether the entity has access to the application's source code and, if so, whether the corresponding change controls should be tested. In middle-market companies running packaged software it is common not to have this access. Where such access exists, the ability to alter how transactions are processed creates risks to the financial statements that should be addressed.
  3. Information Security – Unauthorized access to financial applications could result in misstatements of data. The source could be an employee with improper access, a former employee whose access was never revoked or an external attacker. The two main areas to verify for a financial audit are physical and logical access. The computer center and key technologies should be physically protected from those outside of IT, and applications should have proper access controls to protect data from internal and external threats. Can an accounts payable clerk make manual journal entries in the system? Can a former employee still log into their email or the client's VPN? Look for items such as unrestricted remote access, servers sitting in an open space or numerous employees with administrative access. In less sophisticated entities, there are more than likely compensating controls, such as management review or financial close procedures, that reduce the risk of material misstatement. In larger, more sophisticated entities, the additional risks created may have an impact on the audit and need additional testing.
  4. Backup and Recovery – It is important to assess an entity's ability to recover from a critical event. This could be as simple as restoring a backup or as complex as rebuilding systems and hardware. For less sophisticated entities, this is probably more of a concern for management than for the auditor. For more sophisticated entities, such as those that process online data, it could lead to the need to test data backups or business continuity plans.
  5. Third-Party IT Providers – Lately, third-party IT providers have drawn a lot of attention because of large breaches. For an auditor, however, the more immediate point is that certain controls over financial reporting may reside at a third-party service organization. The auditor may need to obtain a SOC 1 report from an organization whose controls affect the controls over financial reporting at the client. This is commonly seen in audits of 401(k) plans, where the custodian of the funds reports on balances and transactions; that activity is significant enough that the auditor should obtain a SOC 1 report confirming that those controls over financial reporting have been tested. Note that only a SOC 1 Type 2 report covers the operating effectiveness of the controls over a period; a Type 1 report covers their design at a point in time.
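The change-management controls described in item 2, as an added example that is not part of the original article: the script reconciles a production deployment log against the approved change tickets and flags deployments with no ticket, self-approved changes, changes that went live before they were approved, and requesters who deployed their own change. The CSV layouts, usernames, ticket numbers and dates are constructed sample data, not exports from any particular ticketing or deployment tool.

```python
"""Reconcile a production deployment log against approved change tickets.

Added example for an ITGC change-management test. The CSV layouts and all
names below are constructed sample data, not the format of any real tool.
"""
import csv
import io
from datetime import date

# Constructed: approved change tickets exported from the ticketing system.
APPROVED_CHANGES_CSV = """\
ticket,requester,approver,approved_on
CHG-101,dev.alice,mgr.bob,2023-03-01
CHG-102,dev.carol,dev.carol,2023-03-03
CHG-103,dev.alice,mgr.bob,2023-03-10
"""

# Constructed: what actually reached production, from the deployment tool.
# The third row has no ticket reference at all.
DEPLOY_LOG_CSV = """\
ticket,deployed_by,deployed_on
CHG-101,ops.dan,2023-03-02
CHG-102,dev.carol,2023-03-04
,dev.alice,2023-03-05
CHG-103,ops.dan,2023-03-08
"""


def parse_csv(text: str) -> list[dict[str, str]]:
    """Parse an in-memory CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(approved_csv: str, deploy_csv: str) -> list[tuple[str, str]]:
    """Return (ticket, issue) pairs for every deployment that breaks a control.

    Controls tested:
      * every production change traces to an approved ticket;
      * approval was given by someone other than the requester;
      * approval preceded deployment;
      * the requester did not push the change to production themselves.
    """
    approved = {row["ticket"].strip(): row for row in parse_csv(approved_csv)}
    findings: list[tuple[str, str]] = []
    for dep in parse_csv(deploy_csv):
        ticket = dep["ticket"].strip()
        deployed_on = date.fromisoformat(dep["deployed_on"])
        if ticket not in approved:  # covers both a blank and an unknown ticket
            findings.append((ticket or "<none>", "deployed without an approved change ticket"))
            continue
        chg = approved[ticket]
        if chg["requester"] == chg["approver"]:
            findings.append((ticket, "self-approved: requester and approver are the same person"))
        if date.fromisoformat(chg["approved_on"]) > deployed_on:
            findings.append((ticket, "deployed before the change was approved"))
        if dep["deployed_by"] == chg["requester"]:
            findings.append((ticket, "requester deployed their own change to production"))
    return findings


if __name__ == "__main__":
    for ticket, issue in reconcile(APPROVED_CHANGES_CSV, DEPLOY_LOG_CSV):
        print(f"{ticket:8} {issue}")
```

On the sample data CHG-101 passes cleanly, CHG-102 is flagged twice (self-approved and deployed by its own requester), the untracked deployment is flagged as having no ticket, and CHG-103 is flagged because it reached production two days before approval. The two CHG-102 findings together are the "ability to deploy code into a live environment without proper controls" situation; absent a compensating control, system-generated reports from that application cannot simply be relied on.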

Now What
What happens when control issues are identified while performing IT audit procedures? The audit team, including the IT auditor, should discuss and evaluate the issues to understand their impact on the overall audit approach and procedures. Leaving the IT auditor out of that analysis risks not fully understanding the root cause of the issues.

The audit team should look for mitigating controls that reduce the impact of the noted issues. If mitigating controls are identified, they may give the audit team some comfort that adjustments to the audit approach or procedures can be limited. If none are identified, the audit team should adjust the approach and procedures to reduce the risk created by the issues, for example by increasing sample sizes in the affected area. Suppose the IT auditor finds issues with user access or segregation of duties within the accounting applications. These have the potential to produce material misstatements or to enable fraud. Mitigating controls such as management review and accounting close procedures may, however, reduce the audit risk to an acceptable level. Without an open conversation between the teams, you may not understand the effect on risk or whether the risks have been mitigated. Likewise, if the IT auditors find issues with change controls, or the ability to deploy code into a live environment without proper controls, you may not be able to fully rely on system-generated reports and may have to perform additional procedures within your audit.
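The logical-access questions in item 3 above and the user-access and segregation-of-duties findings just discussed, as an added example that is not from the original article: the script compares an accounting application's user list with the HR roster and flags terminated employees whose accounts are still enabled or who logged in after termination, accounts with no HR record, segregation-of-duties conflicts such as an AP clerk who can post journal entries, and an excessive number of administrators. The roster, user list, role names, conflict pairs and the administrator threshold are all constructed assumptions, not data or rules from any particular system.

```python
"""Logical-access review: application users vs. the HR roster.

Added example for an ITGC information-security test. The roster, user
list, role names, conflict pairs and admin threshold are constructed
assumptions, not data or rules from any particular system.
"""
import csv
import io
from datetime import date

# Constructed: HR roster export (status and termination date per employee).
HR_ROSTER_CSV = """\
employee_id,username,status,terminated_on
E001,jdoe,active,
E002,asmith,terminated,2023-02-15
E003,bwong,active,
E004,ckhan,active,
"""

# Constructed: user list exported from the accounting application.
APP_USERS_CSV = """\
username,enabled,roles,last_login
jdoe,true,AP_INVOICE_ENTRY;GL_JOURNAL_POST,2023-03-20
asmith,true,AP_INVOICE_ENTRY,2023-03-01
bwong,true,SYSADMIN,2023-03-21
ckhan,true,SYSADMIN;GL_JOURNAL_POST,2023-03-19
svc_batch,true,SYSADMIN,2023-03-22
"""

# Assumed segregation-of-duties rule set: role pairs one person should not hold.
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "GL_JOURNAL_POST"}): "AP clerk can post manual journal entries",
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "AP clerk can both enter invoices and release payments",
}
ADMIN_ROLES = {"SYSADMIN"}
MAX_ADMINS = 2  # assumed threshold; agree it with the client per engagement


def parse_csv(text: str) -> list[dict[str, str]]:
    """Parse an in-memory CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(hr_csv: str, app_csv: str, max_admins: int = MAX_ADMINS) -> list[tuple[str, str]]:
    """Return (username, finding) pairs; "*" marks an entity-wide finding."""
    roster = {row["username"]: row for row in parse_csv(hr_csv)}
    findings: list[tuple[str, str]] = []
    admins: list[str] = []
    for user in parse_csv(app_csv):
        name = user["username"]
        enabled = user["enabled"].lower() == "true"
        roles = {r for r in user["roles"].split(";") if r}
        hr = roster.get(name)
        if hr is None:
            findings.append((name, "account has no matching HR record (orphan or service account)"))
        elif hr["status"] == "terminated":
            term = date.fromisoformat(hr["terminated_on"])
            if enabled:
                findings.append((name, f"terminated {term} but account still enabled"))
            if user["last_login"] and date.fromisoformat(user["last_login"]) > term:
                findings.append((name, f"logged in on {user['last_login']} after termination"))
        for pair, desc in SOD_CONFLICTS.items():
            if pair <= roles:  # user holds every role in the conflicting pair
                findings.append((name, f"segregation of duties: {desc}"))
        if enabled and roles & ADMIN_ROLES:
            admins.append(name)
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} accounts hold administrative roles (threshold {max_admins}): {', '.join(admins)}"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER_CSV, APP_USERS_CSV):
        print(f"{user:10} {finding}")
```

Each finding is the starting point for the mitigating-control discussion, not its conclusion: the jdoe conflict may be acceptable if management reviews every manual journal entry, whereas asmith logging in two weeks after termination has no compensating control and goes straight to the client as a root-cause item (the leaver process failed, not just one account).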

During the audit, communicating with the client is critically important: the client should be made aware of identified issues as soon as possible and should address their root cause so that similar issues do not recur. Items such as weak password parameters or physical and environmental findings in the server room may not change the audit risk, but fixing them can significantly reduce the client's own risk. Such findings should generally still be reported as management comments.

An IT environment that is not well controlled may significantly affect the audit procedures to be performed, and the audit team should be prepared to adjust those procedures when IT issues are identified. This is why the IT procedures belong in audit planning rather than being run alongside or after the substantive work: the findings may change the approach and require a review of other potential mitigating controls.

To learn more about the effect of IT on audits, please contact Brad Atkin with Doeren Mayhew and Greg Smith with Brown Smith Wallace.

We’re great alone, but we’re “Moore Together!” If you would like to collaborate with other members, or if you have a topic you would like to address, please contact Laura Metz.