VIEWS: 60 PAGES: 7 CATEGORY: Business & Economics POSTED ON: 7/24/2010
Information technology (IT) requires special consideration in the practical application of risk-based auditing, as defined under both the AICPA risk-based audit standards, Statements on Auditing Standards (SAS) 104-111, and the Public Company Accounting Board Auditing Standard (AS) 5. Both SAS 104-111 and AS5 emphasize the need to establish tight linkage between audit procedures and a thorough assessment of financial statement and assertion level risk. Both standards reference the role of IT as a potentially significant source of inherent audit risk. Because risk-based auditing requires an auditor to understand the entity being audited, including its internal controls, the audit plan must consider how an auditor will gain this understanding. Because IT is pervasive in the financial reporting of most entities today, auditors must identify the key changes that will need to be made to their audit methodology and the makeup of their audit team to ensure that IT-related risks are appropriately considered and addressed.
T E C H N O L O G Y electronic reporting Implementing the IT-Related Aspects of Risk-Based Auditing Standards By Dan Schroeder and Tommie Singleton I nformation technology (IT) requires spe- cial consideration in the practical appli- cation of risk-based auditing, as defined under both the AICPA risk- based audit standards, Statements on Auditing Standards (SAS) 104–111, and the Public Company Accounting Board (PCAOB) Auditing Standard (AS) 5. Both SAS 104–111 and AS5 emphasize the need to establish tight linkage between audit procedures and a thorough assess- ment of financial statement and assertion level risk. Both standards reference the role of IT as a potentially significant source of inherent audit risk. The risk-based audit standards adopted by the AICPA in 2006, along with AS5 released in 2007, emphasize a top-down, risk-based approach to the financial audit. The AICPA IT Executive Committee (ITEC), which includes the authors, has developed a white paper and other materials to complement those standards; these tools have been extremely well received by auditors. Their experience has affirmed the following ben- efits of risk-based auditing: ■ IT risk assessment procedures can usu- financial purposes is not complex and there ■ The IT risk assessment procedures are ally be leveraged to provide valuable rec- is little or no dependency on IT for finan- necessary to completely identify and under- ommendations to management. cial purposes—i.e., IT presents a relatively stand how IT affects financial statement This overall approach for IT considerations low level of risk of material misstatement. assertions and the level of risk. in risk-based auditing, discussed in more When IT does play a significant role for ■ By gaining an understanding of an enti- detail below, is summarized in Exhibit 1. financial purposes, an audit plan must define ty’s controls that exist to mitigate IT-related how the auditor will gain an understanding risks, an auditor may be able to incorporate Planning Risk Assessment Procedures: of the role of IT for financial audit purpos- tests of IT controls into further audit proce- Need for an IT Specialist es related to material transactions, financial dures (FAP) and thus improve the overall Because risk-based auditing requires an reporting, and material disclosures. The fol- efficiency of their audit procedures. auditor to understand the entity being audit- lowing are some common objectives for IT- ■ IT risk assessment procedures often ed, including its internal controls, the audit related audit risk assessment procedures: improve the auditor’s understanding of how plan must consider how an auditor will ■ Identify how IT contributes to the risk of computer-aided audit tools and techniques gain this understanding. In many cases, espe- material misstatement—i.e., identify inherent (CAATT) can be applied to improve the cially in smaller entities that have a low level risk—at the assertion and financial statement efficiency of substantive audit procedures. of IT sophistication, the role of IT for level. An audit plan will often specify one or 66 JULY 2010 / THE CPA JOURNAL more transaction classes relevant for consid- ■ Application controls are controls that closets). The use of flowcharts to depict eration (e.g., accounts payable, or inventory address the application level risks in the the flow of financial information may, and cost of goods sold, when both are mate- form of computerized controls built into depending on the complexity, provide rial and IT plays a significant role in compu- the system, (related) manually performed insight into the role of technology in finan- tation of amounts or account balances). controls, or a combination of both. cial processes, as well as be useful in iden- ■ Determine whether controls exist, Examples include: controls to ensure tifying inherent risks. that, if operating effectively, would provide integrity of calculations and system pro- reasonable, but not absolute, assurance that cedures, edit checks, error handling, com- Assessing Risk of Material Misstatement the inherent risks would be prevented or puterized matching of documents, and Gaining a thorough understanding of the detected (i.e., assess control risk). application-related access controls. role of IT for financial purposes will enable ■ Design and execute further IT-related Application controls should be observed an auditor to effectively understand how audit procedures, as appropriate. and confirmed as part of normal walk- IT impacts inherent risk and control risk As IT related to financial reporting grows through procedures. (or, when combined, risk of mat
Pages to are hidden for
"Implementing the IT-Related Aspects of Risk-Based Auditing Standards"Please download to view full document