Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out
Get this document free

Implementing the IT-Related Aspects of Risk-Based Auditing Standards

VIEWS: 60 PAGES: 7

Information technology (IT) requires special consideration in the practical application of risk-based auditing, as defined under both the AICPA risk-based audit standards, Statements on Auditing Standards (SAS) 104-111, and the Public Company Accounting Board Auditing Standard (AS) 5. Both SAS 104-111 and AS5 emphasize the need to establish tight linkage between audit procedures and a thorough assessment of financial statement and assertion level risk. Both standards reference the role of IT as a potentially significant source of inherent audit risk. Because risk-based auditing requires an auditor to understand the entity being audited, including its internal controls, the audit plan must consider how an auditor will gain this understanding. Because IT is pervasive in the financial reporting of most entities today, auditors must identify the key changes that will need to be made to their audit methodology and the makeup of their audit team to ensure that IT-related risks are appropriately considered and addressed.

More Info
									                                                   T E C H N O L O G Y
                                                  electronic reporting




Implementing the IT-Related Aspects
of Risk-Based Auditing Standards
By Dan Schroeder and
Tommie Singleton




I
   nformation technology (IT) requires spe-
   cial consideration in the practical appli-
   cation of risk-based auditing, as
   defined under both the AICPA risk-
based audit standards, Statements on
Auditing Standards (SAS) 104–111, and
the Public Company Accounting Board
(PCAOB) Auditing Standard (AS) 5. Both
SAS 104–111 and AS5 emphasize the
need to establish tight linkage between
audit procedures and a thorough assess-
ment of financial statement and assertion
level risk. Both standards reference the role
of IT as a potentially significant source of
inherent audit risk.
   The risk-based audit standards adopted by
the AICPA in 2006, along with AS5 released
in 2007, emphasize a top-down, risk-based
approach to the financial audit. The AICPA
IT Executive Committee (ITEC), which
includes the authors, has developed a white
paper and other materials to complement
those standards; these tools have been
extremely well received by auditors. Their
experience has affirmed the following ben-
efits of risk-based auditing:                     ■ IT risk assessment procedures can usu-           financial purposes is not complex and there
■ The IT risk assessment procedures are           ally be leveraged to provide valuable rec-         is little or no dependency on IT for finan-
necessary to completely identify and under-       ommendations to management.                        cial purposes—i.e., IT presents a relatively
stand how IT affects financial statement             This overall approach for IT considerations     low level of risk of material misstatement.
assertions and the level of risk.                 in risk-based auditing, discussed in more          When IT does play a significant role for
■ By gaining an understanding of an enti-         detail below, is summarized in Exhibit 1.          financial purposes, an audit plan must define
ty’s controls that exist to mitigate IT-related                                                      how the auditor will gain an understanding
risks, an auditor may be able to incorporate      Planning Risk Assessment Procedures:               of the role of IT for financial audit purpos-
tests of IT controls into further audit proce-    Need for an IT Specialist                          es related to material transactions, financial
dures (FAP) and thus improve the overall             Because risk-based auditing requires an         reporting, and material disclosures. The fol-
efficiency of their audit procedures.             auditor to understand the entity being audit-      lowing are some common objectives for IT-
■ IT risk assessment procedures often             ed, including its internal controls, the audit     related audit risk assessment procedures:
improve the auditor’s understanding of how        plan must consider how an auditor will             ■ Identify how IT contributes to the risk of
computer-aided audit tools and techniques         gain this understanding. In many cases, espe-      material misstatement—i.e., identify inherent
(CAATT) can be applied to improve the             cially in smaller entities that have a low level   risk—at the assertion and financial statement
efficiency of substantive audit procedures.       of IT sophistication, the role of IT for           level. An audit plan will often specify one or


66                                                                                                               JULY 2010 / THE CPA JOURNAL
more transaction classes relevant for consid-      ■ Application controls are controls that             closets). The use of flowcharts to depict
eration (e.g., accounts payable, or inventory      address the application level risks in the           the flow of financial information may,
and cost of goods sold, when both are mate-        form of computerized controls built into             depending on the complexity, provide
rial and IT plays a significant role in compu-     the system, (related) manually performed             insight into the role of technology in finan-
tation of amounts or account balances).            controls, or a combination of both.                  cial processes, as well as be useful in iden-
■ Determine whether controls exist,                Examples include: controls to ensure                 tifying inherent risks.
that, if operating effectively, would provide      integrity of calculations and system pro-
reasonable, but not absolute, assurance that       cedures, edit checks, error handling, com-           Assessing Risk of Material Misstatement
the inherent risks would be prevented or           puterized matching of documents, and                    Gaining a thorough understanding of the
detected (i.e., assess control risk).              application-related access controls.                 role of IT for financial purposes will enable
■ Design and execute further IT-related            Application controls should be observed              an auditor to effectively understand how
audit procedures, as appropriate.                  and confirmed as part of normal walk-                IT impacts inherent risk and control risk
   As IT related to financial reporting grows      through procedures.                                  (or, when combined, risk of mat
								
To top