PRACTICE AID
Frequently Asked Questions: IT Considerations in Risk-Based Auditing
This IT Considerations in Risk-Based Auditing Frequently Asked Questions for ITMS members is intended to address the most common practitioner questions related to the application of the IT aspects of SAS Nos. 104-111. It is a component of the IT Considerations in Risk-Based Auditing Framework and Discussion Paper.
Understanding the Environment
To what degree of depth do the new audit standards require auditors to understand their clients’ IT environment?
SAS 109 requires auditors to obtain a sufficient understanding of internal controls to assess the risks of material misstatements. Because IT is an important component of an entity’s internal control, the auditor’s understanding of a client’s IT environment should be in-depth enough that he can adequately assess the risks of material misstatements.
Are there risks represented by off-the-shelf financial systems (e.g., QuickBooks, Peachtree)? If so, please provide some examples.
Yes, any general ledger system can introduce risk regardless of its size. Risk can be related to access to the general ledger data or transactions, whether within the application or from outside of the application.
Many off-the-shelf financial systems are installed on networks, or in multi-user environments. When not operating on a stand-alone PC, IT General Controls must be reviewed to determine if they mitigate risk to the data stored in the financial systems. For example, security settings embedded within off-the-shelf financial software should be reviewed to determine if appropriate segregation of duties is present. Implementations of some off-the-shelf financial systems also may require customization to support specialized computations or functions, and such customization creates IT-related risks, such as:
Change management-related risks associated with the design and deployment of the customization
Authorization and control of access rights to the application
The Audit Risk Model
Please provide an example of risks at the assertion level vs. the financial-statements-level.
An example of an assertion-level risk is the use of a complex customized application to value inventory (where inventory valuation is material). Examples of how IT can affect financial-statements-level risk include:
The general ledger application that generates the trial balance
The application used to generate financial statements
The IT organization (including third parties)
Can you give an example of Inherent Risk and Control Risk in the Risk of Material Misstatement (RMM)?
Consider the example of an entity that uses an IT system to track and report inventory and calculate cost of goods sold (COGS). The entity’s technical and financial personnel make frequent changes to this application, and inventory represents approximately 60% or more of the entity’s asset valuation. Inherent Risk arises when the inventory and COGS values involve complex calculations such as Last-In, First-Out (LIFO). In this example, the auditor may conclude Inherent Risk is at a high level (rated HIGH, or perhaps 5 on a scale of 1 - 5).
In terms of this example, consider how Control Risk is assessed. Assume the auditor determines that the entity has developed and deployed policies and procedures associated with change control, and has developed and deployed policies and procedures for access control over the application, database and supporting network. The fact that the entity has placed these controls, which mitigate the Inherent Risk outlined above, in operation may provide the auditor the basis to conclude Control Risk is low.
Finally, for purposes of making an RMM assessment, the auditor considers both Inherent Risk and Control Risk. This requires a degree of professional judgment supported by strong rationale and evidence for both the Inherent and Control Risk assessments. In this example, the auditor might conclude that the significance of Inherent Risk outweighs the impact of the low Control Risk assessment, and that the RMM assessment is therefore of a moderate or high level.
Test of Controls
Can you provide an example of how to test an automated control?
Automated controls can be tested by gathering system-generated evidence that indicates whether a control is functioning or not. For example:
Screen shots that show how access rights are limited by individual or role can demonstrate that logical security access is appropriately segregated and applied.
An edit-check control can be assessed by entering invalid data and ensuring that the control prevents this error from being processed.
Does a control have to be documented for it to be considered for testing?
No. However, it is recommended that entities document their controls so their auditors can efficiently test them for operating effectiveness and reliance thereon. If the entity does not document the control, and it is an important control, then the auditor will need to document the control as part of the assessment of the control environment. Inquiry, observation and re-performance are types of control tests that could be performed to determine if a particular control has been placed in operation. However, it may not be practical to test the operating effectiveness of controls throughout the audit period without some level of documentation of the control by the client.
How do you scope IT General Controls (ITGCs)? Are these only in scope for the financial systems they support, or can non-financial systems be in scope from a general control perspective?
ITGCs are in scope only if they support or impact financial applications that have some relevance to financial processes.
Where can we find examples of IT controls?
Refer to ISACA at www.isaca.org and the IIA GTAG series at www.theiia.org.
When do you recommend that the IT controls review be performed?
In general, the earlier in the planning process the IT controls review can be performed, the better. While interim reviews can be performed, it may be necessary for the auditor to update the review if a significant change capable of impacting the assessed risk of material misstatement occurs.
The Role of the IT Auditor
When should you get the IT auditor involved in the planning process?
The more complex the entity’s systems and IT environment, the more likely an IT professional should be an integral part of the audit team. We recommend you consider including an IT professional in your audit planning meeting to brainstorm and/or dialogue with the audit team regarding the potential impact of IT, need for IT audit functions and skills needed.
Where do we find an IT specialist to assist in the audit?
You can explore finding an IT Auditor through your state CPA society, the Information Technology Membership Section at www.aicpa.org/infotech, and Find a Certified Information Technology Professional (CITP) at infotech.aicpa.org/Community/Find+a+CITP.htm.
CAATTs
What does CAATTs stand for?
Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATs), also known as Computer Assisted Audit Tools and Techniques (CAATTs), is the practice of using computers to automate or simplify the audit process. In the broadest sense of the term, CAATTs can refer to any use of a computer during the audit. This would include utilizing basic software packages such as Excel, Microsoft Access and even word processors. In practice, however, CAATTs has become synonymous with incorporating Data Analytics into the audit process. This is one of the emerging fields within the audit profession. Source: Wikipedia; en.wikipedia.org/wiki/Computer_Aided_Audit_Too
What CAATTs tools do you recommend a CPA firm use in its audit methodology?
There are many different tools available, and a CPA firm should choose the one that is most intuitive to its staff or best matches its audit approach. CAATTs can be used in a number of areas within the audit, including the selection and analysis of journal entries; aging and other recomputations in accounts receivable; and comparisons of product sales with inventory quantities to analyze potential obsolescence.
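As an added illustration that is not part of this practice aid, the following Python script performs the kind of journal-entry selection the answer describes and the access-rights review mentioned under Test of Controls; the user names, roles, entries, period end and selection thresholds are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the practice aid): a small general-ledger
# journal and the role/access list an auditor would obtain from the system.
ACCESS_RIGHTS = {                           # user -> roles held in the GL application
    "alice": {"ap_clerk"},
    "bob": {"controller"},
    "carol": {"ap_clerk", "controller"},    # can both post and approve: SoD conflict
}
JOURNAL = [
    {"id": 1, "posted_by": "alice", "approved_by": "bob",   "date": date(2008, 3, 14), "amount": 1250.00},
    {"id": 2, "posted_by": "carol", "approved_by": "carol", "date": date(2008, 3, 31), "amount": 50000.00},
    {"id": 3, "posted_by": "alice", "approved_by": "bob",   "date": date(2008, 4, 2),  "amount": 98000.00},
    {"id": 4, "posted_by": "dave",  "approved_by": "bob",   "date": date(2008, 3, 20), "amount": 300.00},
]
PERIOD_END = date(2008, 3, 31)


def sod_conflicts(access):
    """Users holding both the posting and the approving role (segregation-of-duties review)."""
    return sorted(user for user, roles in access.items() if {"ap_clerk", "controller"} <= roles)


def select_entries(journal, access, period_end, round_threshold=10000):
    """CAATT-style selection: map each flagged entry id to the reasons it was selected.

    The tests are illustrative criteria an auditor might choose; the threshold is an assumption.
    """
    flagged = {}
    for entry in journal:
        reasons = []
        if entry["posted_by"] == entry["approved_by"]:
            reasons.append("self-approved")
        if entry["posted_by"] not in access:
            reasons.append("unknown user")          # poster not in the application's user list
        if entry["date"] > period_end:
            reasons.append("post-period")           # posted after the balance-sheet date
        if entry["amount"] >= round_threshold and entry["amount"] % 1000 == 0:
            reasons.append("large round amount")    # classic selection criterion for manual review
        if reasons:
            flagged[entry["id"]] = reasons
    return flagged


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ACCESS_RIGHTS))
    for entry_id, reasons in select_entries(JOURNAL, ACCESS_RIGHTS, PERIOD_END).items():
        print(f"JE {entry_id}: {', '.join(reasons)}")
```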
Cost Implications
Should I project a cost increase for my clients as we implement these new standards? If so, how much should I project and how can we minimize the increase?
There is no one-size-fits-all answer for determining the costs of implementing the risk-based standards in your firm or the cost increase for client audit engagements based on the new risk-assessment standards. We hear that some auditors are projecting potential percentage increases in audit engagement fees across the board, but we believe that a single increase may not apply ratably across all clients. One suggestion you may consider is implementing these standards on a small sample of the firm engagements to get a better idea of the incremental costs, and then determining how you can apply the cost impacts to the remaining client engagements.
Any increases in fees also will depend on your current audit methodology and the extent to which your firm already has implemented a risk-based approach. Many firms already have implemented a risk-based approach, in whole or in part, and changes in their audit methodology may not be as profound. When contemplating the fee increase for clients’ audit engagements, consider the following cost implications that could affect the audit engagement fees:
Auditor-Based Cost Implications
If you have an adequate understanding of the entity, its internal control and processes, the entity’s environment and other factors, the cost increase likely will be less because you will have a reduced learning curve. The cost increase likely will be higher if you need to allocate time for learning and documenting your understanding of the entity’s internal control and processes, the entity’s environment and other factors.
If you apply, or “layer,” the new standards on top of your current audit methodologies without holistically exploring changes to your methodology, or without leveraging CAATTs to drive efficiencies and incorporating tests of controls into your further audit procedures, the cost increase likely will be higher because you may perform redundant or additional tasks that are not necessary.
If you modify your current audit methodologies and processes and incorporate the application of the new standards within these processes, the cost to make these internal audit methodology changes could be significant in the first year you apply these standards, but it is likely to increase the efficiency with which you conduct your audits and minimize audit-fee increases for less complex clients.
Entity-Based Cost Implications
Entities can better manage their audit costs by ensuring they have appropriate internal control in place and adequate documentation of their policies and procedures and of the design of the entity’s IT-related controls. This will assist auditors in obtaining an understanding of internal control and eventually developing an appropriate audit approach, which in turn could reduce audit costs. Auditors can help clients reduce fees by meeting with clients and recommending that they begin the documentation process now. Examples include documenting internal control policies and procedures; creating flow charts of the information flow for significant transaction classes; and documenting the procedures for initiating, authorizing, recording, processing and reporting those transactions.
I have read all the suggested materials and still have questions. Who can I contact?
Members may call the Accounting and Auditing Technical Hotline at 888-777-7077 (choose menu option 5, then 3). Members also may submit questions to the online Accounting and Auditing Technical Hotline at www.aicpa.org/members/div/infohot/form.asp.
DISCLAIMER: This publication has not been approved, disapproved or otherwise acted upon by any senior technical committees of, and does not represent an official position of, the American Institute of Certified Public Accountants. It is distributed with the understanding that the contributing authors and editors, and the publisher, are not rendering legal, accounting, or other professional services in this publication. If legal advice or other expert assistance is required, the services of a competent professional should be sought.