Catherine Bruder, CPA.CITP, CISA, CISM - PowerPoint PPT Presentation

1
IT Issues in Risk Based Auditing
  • Catherine Bruder, CPA.CITP, CISA, CISM
  • Moore Stephens Doeren Mayhew
  • September 24, 2007

2
Objective
  • Discuss the IT-related aspects of the eight new
    Statements of Auditing Standards (SAS 104 through
    SAS 111)
  • Provide insight to what IT issues should be
    considered
  • Identify techniques for implementing

3
Our Agenda
  • Background and Key Underlying Concepts
  • Audit Planning
  • Understanding the Entity, its IT Internal
    Control, and Assessing the Risk of Material
    Misstatement
  • Designing and Performing Further Audit Procedures
  • Documentation, Evaluation and Reporting

4
Background and Key Underlying Concepts
5
Background: New SASs
  • 104 Due Professional Care
  • 105 Amendment to SAS 95, Generally Accepted
    Auditing Standards (GAAS)
  • 106 Audit Evidence
  • 107 Audit Risk and Materiality in Conducting an
    Audit
  • 108 Planning and Supervision
  • 109 Understanding the Entity and Its Environment
    and Assessing the Risks of Material Misstatement
  • 110 Performing Audit Procedures in Response to
    Assessed Risks and Evaluating the Audit Evidence
    Obtained
  • 111 Amendment to SAS 39, Audit Sampling

Effective dates: SAS 104 through 111 are effective for
audits of financial statements (F/S) for periods
beginning on or after December 15, 2006. Earlier
application is permitted.
6
Primary Objective
  • The primary objective of the new SASs is to
    enhance the auditor's application of the Audit
    Risk Model:
      • Obtain a more in-depth understanding of the
        entity and its environment, including its
        internal control
      • More rigorously assess the Risk of Material
        Misstatement (RMM) in the financial statements
      • Improve the linkage between the auditor's
        assessment of risk and the nature, timing, and
        extent of the audit procedures performed in
        response to those risks

7
Summary of New SASs
(comparison table not reproduced in the transcript)
8
Relevance of IT to the Risk-Based Standards
  • Pervasive nature of IT in accounting functions
    and financial reporting
  • The auditor needs to understand the significant
    risks introduced by IT, at the level of either
    financial statement assertions or the financial
    statements as a whole
  • An understanding of internal control, including
    IT controls, must be obtained and incorporated
    into the audit plan
  • IT offers the opportunity to identify
    efficiencies in the audit:
      • Reliance on IT controls
      • Leverage CAATs for substantive and analytical
        procedures
      • Identify other value-added management letter
        comments

9
Audit Risk Model
  • AR = RMM x DR
  • RMM = IR x CR (so AR = IR x CR x DR)

Objective: reduce audit risk to an acceptably low level.
  • AR, Audit Risk
      • the risk that the financial statements are
        materially misstated and the audit fails to
        detect the misstatement
  • RMM, Risk of Material Misstatement
      • the risk that an assertion, account, or
        disclosure item contains a material misstatement
      • RMM combines Inherent Risk (IR) and Control
        Risk (CR)
  • DR, Detection Risk
      • the risk that the auditor's procedures will not
        detect a material misstatement that exists
      • a function of the nature, timing, extent, and
        effectiveness of the audit procedures and of
        how the auditor responds at both the financial
        statement and the assertion level

10
Audit Planning
11
Planning and Supervision (SAS 108)
  • The more complex the entity's systems and IT
    environment, the more likely an IT professional
    should be an integral part of the audit team
  • Consider including an IT professional in your
    audit planning to brainstorm and/or dialogue with
    the audit team regarding the potential impact of
    IT, the need for IT audit functions, and the
    skills needed

12
Audit Planning: IT Considerations
  • Understand the role of IT in financial processes
  • Identify the IT processes that support the
    relevant financial applications, their inherent
    general control risks, and the mitigating controls
  • Execute further audit procedures:
      • tests of controls
      • substantive procedures
  • Identify opportunities to leverage
    Computer-Assisted Audit Techniques (CAATs)

13
Audit Planning: IT Considerations
  • Identify how IT contributes to the RMM (i.e.,
    identify inherent risk)
  • Assess whether controls exist, that if operating
    effectively, would provide reasonable, but not
    absolute, assurance, that these risks would be
    prevented or detected (i.e., assess control risk)
  • In conjunction with audit team management,
    determine and execute further audit procedures as
    appropriate.

14
Audit Planning: IT and the Planning Meeting
  • When assessing the entity and its governance,
    include the impact of IT and its role in
    financial reporting
  • Obtain a survey from the client of their IT
    systems that record financial information.
  • Document the flow of financial information, from
    transaction origination through recording, and
    reporting

15
Audit Planning: Impact of IT
  • Assess whether the entity has designed controls
    to mitigate KEY risks
      • Do these controls potentially provide a basis
        for reliance?
      • Should we test controls for reliance?
  • Assess where CAATs could be used to improve the
    effectiveness and efficiency of substantive
    procedures

16
Audit Planning: IT and the Planning Meeting
  • Identify the key inherent risks associated with
    the financial IT environment:
      • General controls (e.g., change management,
        backup, network security)
      • Application functionality that supports the
        financial transaction cycles (e.g., application
        access, e-commerce, management report review,
        SAS 70 reports on service organizations, edit
        checks)

17
Audit Planning Memo: IT Components to Include
  • Planning memo:
      • Include the audit planning objectives
      • Document the core financial applications and
        the KEY control points in the financial
        information flow, whether automated or manual,
        internal or involving third parties
      • Provide an estimate of hours and costs for the
        IT aspects of the audit, to be sure those costs
        are considered
      • Include a list of IT-related audit activities,
        including the owner, timing, and estimates

18
Understanding the Entity, its Internal Controls
19
Understanding the Entity and Its Environment and
Assessing the RMM (SAS 105 and 109)
  • The auditor should understand the entity and its
    environment, including its internal control
  • This includes understanding the IT components and
    processes that support financial transactions and
    reporting
  • Assess the RMM at both the financial statement
    level and the relevant assertion level
20
Risk of Material Misstatement
  • Sources of risk:
      • Error
      • Fraud
  • Levels of risk:
      • Financial statement
      • Assertion

21
Examples of Potential Risks of Material
Misstatement
  • Financial statement level:
      • Use of a highly customized application for
        financial processing where the entity does not
        also have effective controls over how program
        changes are authorized, completed, and deployed
  • Assertion level:
      • Use of a customized application for the
        valuation of inventory (where inventory
        valuation is material)

22
Understanding the Entity, its Use of IT, and its
IT Control Environment
  • What controls has the entity designed and
    successfully implemented to mitigate the risks
    associated with the use of IT?
      • IT General Controls (ITGCs)
      • Application controls

23
Understanding the Entity: Audit Techniques
  • Use a combination of methods:
      • Obtaining and reading written policies and
        procedures
      • Survey questionnaires
      • Interviews (not sufficient evidence on their
        own!)
      • Walk-throughs of processes, data centers,
        network closets, and other observable aspects
        of the IT infrastructure
      • Flowcharts of the flow of financial information

24
Understanding Role of IT and Internal Controls
  • Understand the role of IT relative to initiation,
    authorization, recording, processing, and
    reporting of financial results
  • Identify the role of business applications and
    end-user computing used in each relevant
    transaction cycle

25
Understanding Role of IT and Internal Controls
  • Examples of key roles:
      • Key financial transaction cycles, including
        revenue, purchasing, payroll, and financial
        reporting, and how IT is used in each
      • IT organization and third parties that support
        and/or manage financial applications, data, and
        infrastructure
      • IT infrastructure that supports key applications
      • Financial applications and end-user computing
  • Entity-designed controls that are implemented to
    mitigate risks:
      • Application controls, e.g., role-based security,
        edits, validations
      • General controls, e.g., network security, change
        management, backup/recovery, physical security

26
Understanding IT Internal Controls
27
Assessing the Risk of Material Misstatement
28
Assessing the Risk of Material Misstatement:
Example
  • Inventory tracking, reporting, and the COGS
    calculation
      • The entity uses a financial application that
        has been customized to manage inventory
      • It includes inventory valuation and reporting
        and the cost-of-goods-sold (COGS) calculation
      • The entity's technical and financial personnel
        make frequent changes to the application
      • Inventory represents approximately 60% or more
        of the entity's total asset value

29
Assessing the Risk of Material Misstatement
  • Inherent risk:
      • Inventory and COGS could be misstated due to
        errors made as part of authorized changes
      • There is potential for unauthorized changes
        that could affect inventory balances and COGS
        values
      • These account balances are very significant to
        the overall profitability of the entity

30
Assessing the Risk of Material Misstatement
  • Type of risk:
      • The risk is one of both error and fraud
      • Program changes are inherently at risk of error
      • Financial personnel have the ability to make
        changes to the programs, and this could enable
        them to change inventory balances and cost of
        goods sold

31
Assessing the Risk of Material Misstatement
  • Risk level:
      • The risk is at the assertion level, for
          • Inventory existence and valuation
          • Cost of goods sold (COGS) valuation
  • Controls designed to mitigate this risk:
      • Change control: the entity has written and
        implemented policies and procedures for change
        control
      • Access control: the entity has written and
        implemented policies and procedures for access
        control over the application, database, and
        supporting network

32
Assessing the Risk of Material Misstatement
  • Control risk assessment:
      • Set to low if the entity's controls effectively
        mitigate the inherent risks
      • Change control: the entity has well-designed
        and implemented change management
      • Access control: the entity has designed and
        implemented procedures for granting and
        managing logical access rights to systems

33
Assessing the Risk of Material Misstatement
  • Risk of Material Misstatement: moderate-to-high
      • while the control risk is low, the inherent
        risk in this situation is very high
  • Further audit procedures to reduce audit risk:
      • Perform tests of the operating effectiveness of
        the general controls (change and access control)
      • Perform CAATs on general ledger entries for
        inventory valuation, inventory adjustments, and
        COGS
  • CAAT tests include:
      • Identify outliers (Benford's law tests on
        amounts, review of the posting dates of entries)
      • Confirm that the source of the entries is
        consistent with the understanding depicted in
        the financial information flow
34
SAS 107: Key Provisions
  • Assessed risks and the basis for those
    assessments should be documented
  • The auditor should request that management
    respond appropriately when misstatements (known
    or likely) are identified during the audit

35
Designing and Performing Further Audit Procedures
36
Responding to Assessed Risk
  • Performing Audit Procedures in Response to
    Assessed Risks and Evaluating the Audit Evidence
    Obtained (SAS 110)
  • The auditor should design and perform further
    audit procedures to respond to the assessed RMM
    at either the relevant assertion level or the
    financial statement level, which may include:
      • Tests of controls
      • Substantive procedures
  • SAS 110 provides guidance on the matters the
    auditor should consider in determining the nature,
    timing, and extent of such audit procedures

37
Tests of Controls: Operating Effectiveness
  • Effective operation of controls is different from
    their design and implementation
  • The operating effectiveness of controls involves
    consideration of:
      • How controls were applied during the audit period
      • The consistency with which they were applied
      • By whom they were applied
  • To assess the operating effectiveness of
    controls, tests of controls must be performed

38
When to Test Controls
  • When there is an expectation of operating
    effectiveness
  • When substantive procedures alone do not provide
    sufficient evidence
  • When there is a lack of an audit trail other than
    through IT

39
Extent of Tests of Controls
  • IT General Controls (ITGCs):
      • Frequency of the control
      • Length of the period
      • Relationship of ITGCs to risks (assertion level
        and/or financial statement level)
  • Automated controls:
      • May apply to ITGCs and application controls
      • Normally a test of one instance is sufficient,
        because an automated control operates the same
        way every time unless the program is changed
      • Need a specific mapping of control to risk(s)
      • Effective change management controls are key

40
Control Sample Factors
  • Focus effort on determining:
      • The correct population
      • The amount of credit (reliance) to be taken
      • The expected error rate
      • The method of selecting items
  • Review evidence of the actual control in
    operation, not an entire walkthrough

41
Tests of Controls: Example
  • Select a sample of inventory system changes
      • Check evidence of operation for the key
        controls noted in the walkthrough documentation
  • Select a sample of logical access changes
      • Check evidence of operation for the key
        controls noted in the walkthrough documentation

42
CAATs and Substantive Procedures
  • CAATs can replace and/or supplement traditional
    substantive procedures
  • They allow the auditor to analyze 100% of a
    population instead of a sample
  • They provide stratification/statistical analysis
    and improved sample selection
  • Understanding related activities can help
    identify value-added CAAT tests
  • Requirements:
      • Integrity of the data
      • Normalization of the data
43
Performing Audit Sampling (SAS 111)
  • Amendment to SAS No. 39
  • Provides guidance relating to the auditor's
    judgment about establishing tolerable
    misstatement for a specific audit procedure and
    on the application of sampling to tests of
    controls

44
Documentation, Evaluation and Reporting
45
Documentation
  • Enable an experienced auditor with no previous
    connection to the audit to understand:
      • The nature, timing, and extent of the
        procedures performed
      • The results of the procedures and the evidence
        obtained
      • The conclusions on significant matters
      • That the accounting records agree or reconcile
        to the financial statements
  • Include identifying characteristics!
  • Document everything that is done!

46
Reporting Control Findings
  • SAS 112, Communicating Internal Control Related
    Matters Identified in an Audit
  • When implementing the risk assessment standards,
    the auditor may identify internal control matters
    that must be communicated in writing to management
    and those charged with governance

47
SAS 112: Key Definitions
  • Control deficiency (CD): the design or operation
    of a control does not allow management or
    employees, in the normal course of performing
    their assigned functions, to prevent or detect
    misstatements on a timely basis
  • Significant deficiency (SD): a CD, or combination
    of CDs, that results in more than a remote
    likelihood that a misstatement of the F/S that is
    more than inconsequential will not be prevented
    or detected
  • Material weakness: an SD, or combination of SDs,
    that results in more than a remote likelihood that
    a material misstatement of the F/S will not be
    prevented or detected

48
Evaluating Deficiencies
  • Consider the likelihood and magnitude of the
    potential misstatement
  • Consider the possible mitigating effects of
    effective compensating controls

SAS 112 is effective for audits of financial
statements for periods ending on or after
December 15, 2006.
49
Questions
50
Resources and Additional Information
51
AICPA
  • AICPA Audit Guide, Assessing and Responding to
    Audit Risk in a Financial Statement Audit,
    available from http://www.cpa2biz.com/index.jsp
  • Guidance available from the AICPA Audit and
    Attest team at
    http://www.aicpa.org/ProfessionalResources/AccountingandAuditing/AuditandAttestStandards/RiskAssessment/

52
For More IT-Specific Information
  • Visit www.aicpa.org/infotech for more information
    about the AICPA Top Technology Initiatives, the IT
    Section, or the CITP credential
  • IT Section members can also access SAS 112 tools
    at http://infotech.aicpa.org/Community/MemberCommunications.htm
  • For questions, e-mail the AICPA at
    infotech@aicpa.org or call 888-777-7077, option 4