Note: This is the third article in a series about the AICPA’s new standard on auditor’s risk assessment. The first article provides an overview of the new standard. The second article summarizes new concepts and requirements related to the auditor’s assessment of inherent risk and determination of significant risks. This article will discuss information technology-related considerations in the new standard.
While risk assessment has been fundamental to auditing since the beginning, the AICPA’s Auditing Standards Board periodically clarifies or enhances the requirements and guidance for the auditor’s risk assessment process. Often, such changes are the result of common deficiencies identified by practice monitoring programs such as the AICPA Peer Review Program. Many changes in the AICPA’s new standard on auditor’s risk assessment [Statement on Auditing Standards (SAS) No. 145] address such deficiencies.
However, other changes in SAS No. 145 are aimed at modernizing the auditor’s risk assessment process in relation to information technology (IT) considerations, including addressing risks arising from an entity’s use of IT.
In general, SAS No. 145 requires auditors to consider an entity’s use of IT, the risks that use presents, and what controls, if any, the entity has in place to address those risks. To assist auditors with identifying and addressing the risks that the use of IT can introduce, SAS No. 145 now includes explicit definitions of general IT controls, information-processing controls, the IT environment, and risks arising from the use of IT. The definitions of general IT controls and of risks arising from the use of IT are particularly important to the auditor’s risk assessment process.
General IT Controls
General IT controls are “controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.” General IT controls are broad, “tone at the top” controls such as controls over IT staffing, roles and responsibilities, and segregation of duties; logical and physical controls to prevent unauthorized access to systems, applications, and data; controls that relate to the acquisition and development of new application software; controls that relate to the acquisition and implementation of system software such as operating systems, database management systems, security software, and file management systems; operational controls that relate to matters such as activity logs and incident reporting; and disaster recovery and contingency planning. General IT controls support the continued, effective functioning of the other, specific information-processing controls or manual information processes in the entity’s information system.
Risks Arising from the Use of IT
Risks arising from the use of IT relate to the “susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.” The integrity of information may include the completeness, accuracy, and validity of transactions and other information.
SAS No. 145 requires auditors to obtain an understanding of “how information flows through the entity’s information system, including how transactions are initiated, and how information about them is recorded, processed, corrected as necessary, incorporated in the general ledger, and reported in the financial statements.” In other words, auditors should identify the IT applications and other aspects of the entity’s IT environment that are subject to risks arising from the use of IT, the specific risks arising from the use of IT, and the general IT controls that address those risks. Once auditors understand the risks, they identify controls and perform procedures around those controls.
SAS No. 145 provides some guidance that may assist in determining whether an IT application is more or less susceptible to risks arising from the use of IT. Characteristics that make such risks more likely include an application that is interfaced with other applications, a significant volume of data, and complex functionality, for example because the application automatically initiates transactions or because a variety of complex calculations underlie automated entries. Characteristics that make such risks less likely include a stand-alone application, an insignificant volume of data, functionality that is not complex, and support for each transaction by original hard-copy documentation.
In addition, SAS No. 145 indicates risks arising from the use of IT include risks related to inappropriate reliance on IT applications that are inaccurately processing data, processing inaccurate data, or both. Such risks include unauthorized access to data that may result in destruction of data or improper changes to data, the possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, unauthorized changes to data in master files, unauthorized changes to IT applications or other aspects of the IT environment, failure to make necessary changes to IT applications or other aspects of the IT environment, inappropriate manual intervention, and potential loss of data or inability to access data as required.
Auditors do not need to identify general IT controls for every IT process. General IT controls are identified based on the risks arising from the use of IT. To identify the risks arising from the use of IT, the auditor identifies the IT applications and other aspects of the entity’s IT environment that are subject to such risks. Such IT applications and other aspects are identified based on the identified controls that address the risks of material misstatement at the assertion level.
Again, SAS No. 145 does not fundamentally change the key concepts behind the auditor’s risk assessment process. SAS No. 145 does, however, recognize that as the reliance on IT continues to grow, the risks associated with IT increase as well. For instance, there is no longer a “paper trail” for many transactions; that is, transactions may only exist in electronic form. In order to audit such transactions, the auditor has to obtain a deeper understanding of the controls surrounding information processing. The changes in SAS No. 145 provide auditors with valuable guidance to identify, assess, and respond to risks associated with IT effectively.