Dr. Donald McConnell Jr. The University of Texas at Arlington


1 Effects of IT on Consideration of Internal Control in a Financial Statement Audit
Dr. Donald McConnell Jr.
The University of Texas at Arlington
11/11/2018

2 The Following Summarizes IT Issues Relating to Internal Controls from Recently Issued SAS No
This Information Has a High Probability of Appearing on Upcoming CPA Exams!

3 Introductory Concepts
- In obtaining an understanding of internal control [IC], the auditor considers how client use of information technology [IT] and manual procedures may affect controls relevant to the audit
- The auditor must assess control risk for the assertions embodied in account balances or transaction types (319.02)

4 Assessing Control Risk at Less Than Maximum
- Assessing control risk below maximum is ordinarily more effective and efficient than performing only substantive tests
- This is called a “controls reliance” audit
- “Controls rely” audits characteristically:
  - Result in relatively lower audit fees
  - Allow the auditor to perform more work at interim

5 Assessing Control Risk at Maximum
- In assessing control risk at maximum:
  - Controls are effectively ignored
  - The auditor performs only substantive tests
- However, it may not be practical or possible to restrict detection risk to an acceptable level by performing only substantive tests (319.03)
- Where evidence of initiation, recording, or processing of data exists only in electronic form, the auditor’s ability to obtain desired assurances from only substantive tests significantly diminishes!

6 Some Controls May Relate to Objectives Irrelevant to the Audit
- Though important to the entity, these ordinarily do not relate to the audit process
- Consequently, these need not ordinarily be considered by the auditor
- Examples would include:
  - Controls concerning management decision-making processes, e.g. pricing or capital expenditure (cap ex) decisions
  - Sophisticated IT controls to maintain an airline’s flight scheduling (319.12)

7 Characteristics of Manual Systems (311.17)
- Entity uses manual procedures and records in paper format:
  - Manually reported sales orders on paper forms or journals
  - Paper credit authorizations, shipping reports; individuals post A/R
- Controls are also manual:
  - Manual approvals and reviews
  - Manual reconciliations and follow-up

8 Characteristics of IT Based Systems (319.17)
- Automated procedures to initiate, record, process, and report transactions
- Records in electronic format replace paper purchase orders, invoices, shipping documents, and other records
- Controls characteristically consist of a combination of automated controls (embedded in programs) and manual controls
- Manual controls in IT systems may:
  - Be independent of IT
  - Use IT produced information
  - Be limited to monitoring of functioning of IT effectiveness

9 Benefits of IT on Internal Controls (319.18)
- Consistently applied predefined business rules and performance of complex calculations in large volumes of data
- Enhanced timeliness, availability, and accuracy of information
- Facilitates additional analysis of information
- Enhanced ability to monitor performance of activities, policies, and procedures
- Reduced risk of controls circumvention
- Enhanced ability to effectively segregate duties through security controls

10 Controls Risks Relating to IT (319.19)
- Systems or programs inaccurately processing data, processing inaccurate data, or both
- Unauthorized data access may cause:
  - Data destruction or loss
  - Unauthorized or nonexistent transactions
  - Inaccurately recorded transactions
- Unauthorized changes to master files
- Unauthorized changes to systems or programs
- Failure to make necessary system or program changes
- Inappropriate manual intervention

11 Inherent Limitations of Internal Controls: IT Perspectives (319.21-22)
- Errors may occur in designing, maintaining, or monitoring automated controls
- Errors may occur in use of information produced by IT
- Program edit routines flagging transactions exceeding certain limits may be overridden or disabled
- IT personnel may not completely understand how an order entry system should function. Changes may be correctly designed, but improperly coded by programmers
- Automated controls may report dollar limit violations for management review; however, reviewers may not understand the purpose of such and may fail to properly investigate unusual items.

12 Extent of Understanding of Controls Activities Component (319.26)
- May need only be a limited understanding in auditing a non-complex entity with significant owner-manager approval and review
- May require greater understanding for an entity with a large volume of revenue transactions relying on IT to measure and bill services in a complex, changing rate structure

13 Determining Whether an IT Audit Professional is Needed (319.30-31)
- Specialized IT skills may be needed in the audit:
  - To determine effects of IT on the audit
  - To understand IT controls
  - To design and perform tests of IT controls, and substantive testing
- Cannot turn a generic audit senior loose in a complex DP environment excavation!
- And client DP professional jargon and other IT gibberish!

14 Factors to Consider in Determining Need for IT Auditor (319.31-32)
- Complexity of IT system and related controls
- Significance of system changes, or new system implementation
- Extent to which data is shared among systems
- Extent of electronic commerce transacted
- Entity use of emerging technologies
- Significance of audit evidence available only electronically

15 IT Controls Characteristically Viewed As Being Application Controls and General Controls (319.43-46)

16 Application Controls
- Apply to processing of individual applications
- Help ensure transactions are authorized, occurred, complete, and accurately recorded and processed
- Examples include edit checks, numerical sequence checks, reasonableness tests, completeness tests, and manual review of exception reports [See T 11-2 and 11-3 in text for further examples]
- With manual reviews, controls effectiveness depends on both user review and accuracy of report information (319.43)
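An added example, not part of the original presentation: the application controls named on this slide, run over a constructed sales-order batch to produce the exception report a user would then review manually. The order limit, quantity bound, batch header and all records are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed batch: header totals as submitted; 1003 was dropped, 1004 keyed twice.
HEADER = {"count": 6, "control_total": Decimal("4150.00")}
ORDERS = [  # (order_no, customer, qty, unit_price)
    (1001, "C-17", 10, Decimal("25.00")),
    (1002, "C-03", 4, Decimal("100.00")),
    (1004, "C-17", 2, Decimal("250.00")),
    (1004, "C-17", 2, Decimal("250.00")),
    (1005, "", 1, Decimal("500.00")),
    (1006, "C-09", 900, Decimal("2.00")),
]
ORDER_LIMIT, MAX_QTY = Decimal("1000.00"), 500  # assumed limits

def edit_checks(orders):
    """Field-level edits: required customer, per-order dollar limit."""
    out = []
    for no, cust, qty, price in orders:
        if not cust:
            out.append((no, "edit: customer missing"))
        if qty * price > ORDER_LIMIT:
            out.append((no, "edit: exceeds order limit"))
    return out

def sequence_check(orders):
    """Numerical sequence: report duplicated and missing order numbers."""
    nums, seen, out = [o[0] for o in orders], set(), []
    for n in nums:
        if n in seen:
            out.append((n, "sequence: duplicate number"))
        seen.add(n)
    missing = range(min(nums), max(nums) + 1)
    return out + [(n, "sequence: number missing") for n in missing if n not in seen]

def reasonableness_test(orders):
    """Flag quantities outside the normal range even if otherwise valid."""
    return [(no, "reasonableness: quantity unusual")
            for no, _, qty, _ in orders if qty > MAX_QTY]

def completeness_test(orders, header):
    """Compare received records with the batch header's count and control total."""
    out = []
    diff = header["control_total"] - sum(q * p for _, _, q, p in orders)
    if len(orders) != header["count"]:
        out.append((None, "completeness: record count differs"))
    if diff != 0:
        out.append((None, f"completeness: control total off by {diff}"))
    return out

def exception_report(orders=ORDERS, header=HEADER):
    return (edit_checks(orders) + sequence_check(orders)
            + reasonableness_test(orders) + completeness_test(orders, header))
```

The record count matches the header here even though one order is missing and one is duplicated; only the control total and the sequence check expose the problem, which is why the controls are used together.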

17 General Controls
- Relate to many applications
- Are therefore pervasive controls, supporting effective functioning of application controls
- Ineffective general controls render evaluation of application controls moot!
- Examples include:
  - Data center and network operations controls [See fig in text]
  - System software acquisition and maintenance policies and controls
  - Access security, e.g. password controls
- Segregation of duties often achieved by implementing security controls (319.45)

18 Information and Communication IT Issues (319.50-51)
- Automated processes & controls:
  - May reduce risk of inadvertent error
  - Do not overcome risk of inappropriate override by persons
  - There may be little or no visible evidence of system intervention
- IT non-standard journal entries:
  - Examples: business combinations, non-recurrent asset impairment adjustments
  - May exist only in electronic form
  - May be more difficult to identify than would be the case with printed or paper documents and journals

19 Monitoring IT Issues (319.54-55)
- Characteristically much information used in monitoring produced by IT system
- Management should not assume data used for monitoring is accurate! [GIGO]
- GIGO can lead to incorrect management conclusions concerning monitoring

20 Documenting Controls Understanding (319.61)
- Means for documenting controls of complex IT systems where large volumes of data are electronically processed:
  - Flowcharts
  - Internal Control Questionnaires (ICQ’s)
  - Decision tables
- Memorandums may be sufficient in documenting controls where little or no use of IT; or where few transactions are processed

21 Where Much Information is Electronically Initiated, Processed, and Reported (319.68-.69)
- Substantive tests alone would not provide sufficient evidence that assertions are not materially misstated
- Examples where substantive tests alone inadequate:
- Auditor must perform IT-based tests of controls

22 IT Considerations in Performing Tests of Controls (319.78)
- Inherent consistency of IT processing may enable auditor to reduce extent of testing of an automated control
- Perform T of C to determine controls still functioning effectively
- Test to verify changes to programs have not been made
- Testing automated controls may require CAATS

23 Due to inherent Consistency of IT Processing… (319.85)
- Procedures performed to determine whether an automated control has been placed in operation may serve as a test of operating effectiveness!
- However, this is dependent upon:
  - Whether the program has been changed
  - Whether there is significant risk of unauthorized change or improper intervention

24 Timeliness of Evidential Matter (319.96)
- Testing an application control may only provide evidence of operating effectiveness as of that point in time
- Further T of C may be needed to provide evidence about entire audit period
- Testing general controls pertinent to program modification may provide such

