Constantly evolving compliance requirements, increased globalization, and the constant pressure to improve operating efficiency are just some of the factors that place immense pressure on businesses to adopt advanced information technology (IT) in order to streamline their activities. As businesses continue to use more sophisticated technology, it is critical that, in performing their audit of a company’s internal controls, external auditors understand the risks of material misstatement, internal control concerns, required technical skills, and potential benefits associated with those technologies.
According to Internal Audit 2012, a large-scale interview project conducted by PricewaterhouseCoopers, 79 percent of survey participants believe “technology risks will pose a higher level of risk to their organizations between now and 2012. … Some audit leaders plan to acquire more sophisticated technology tools to address these risks while others plan to integrate auditors with IT skills into a core internal-audit function.”[i] These trends further cement the importance for external auditors of having the technical know-how and understanding needed to conduct a successful audit.
Understanding IT-Related Inherent Risks
Both the AICPA Statements on Auditing Standards (SAS) 104-111 and the Public Company Accounting Board (PCAOB) Auditing Standard 5 (AS 5) indicate that IT can carry significant inherent audit risk.[ii] As a result, when IT does play a large role in determining a company’s financial statements, external auditors must take the time to clearly understand the IT systems in place and the risks of material misstatement associated with those applications.
While the use of IT to provide more people with access to data can increase workflow efficiency, there is the related risk that the increased number of people with access will also make it easier to improperly disclose or accidentally modify sensitive information. The 2011 Top Technology Initiatives Survey by the American Institute of Certified Public Accountants (AICPA) found that the use of mobile technology, such as smart phones and tablet computers, to send sensitive data was a number one business technology concern for CPAs.[iii] Ron Box, CPA/CITP, CFF notes that “The technology is advancing so rapidly that the capabilities for controlling and protecting the information on mobile devices is lagging behind.”[iv]
With regard to another type of newer technology called “cloud computing,” the accounting industry is attempting to keep up with the related risks. Cloud computing can be defined as a delivery of information technology services that is based entirely online. “Worldwide, cloud services revenue is forecast to reach $68.3 billion in 2010, a 16.6% increase from 2009 revenue of $58.6 billion, according to analyst firm Gartner Inc.”[v] As more companies store and share information through cloud computing, the AICPA has begun offering Service Organization Controls Reports (what used to be SAS 70 reports) on a variety of cloud computing vendors. These reports provide rigorous evaluations of the internal controls of these vendors.
The risks associated with the use of IT also extend to the applications used within a firm to store, calculate, and record information. For example, in considering inventory and cost of goods sold accounts, when IT plays a significant role in the calculation of account balances, there is the risk that these calculations are accidentally modified, producing errors that lead to material misstatements in the financial statements. Because information can be so interrelated within each IT application and throughout an organization’s financial recording system, a simple change to a spreadsheet calculation can have far-reaching effects.
Understanding IT Internal Controls
A couple of factors contribute to the need for external auditors not only to understand a company’s information technology and the associated risks, but also to go further and properly consider the company’s IT controls.
First, considering the enormous amounts of data being collected, stored, and managed throughout an organization’s IT system, it is obvious that the accuracy of an organization’s financial statements could easily be affected should its IT systems be compromised. It is therefore critical that external auditors consider and test controls to be certain that they are sufficient to prevent and detect material errors or fraudulent activities.
In addition, despite the fact that many public companies have increased their internal audit budgets since the passage of Sarbanes-Oxley,[vi] there still exists the likely possibility that a company does not have access to the specialized technical knowledge needed to design and implement effective IT controls. Even should the company have in-house technical expertise, Deloitte notes that the initial collaboration efforts between a company’s CEO and Chief Information Officers (CIOs) “almost always turn out to be more challenging than anticipated. This is often due to the CFO … underestimating the importance and the role of IT controls in the organization’s overall internal control framework.”[vii] As a result, external auditors should be aware of these potential challenges and be able to ask the right questions in order to evaluate the company’s IT controls.
Questions that external auditors should ask are related to whether the internal controls are “appropriately designed to mitigate the inherent risks… [and are] placed in operation…”[viii] An appropriately designed control provides reasonable assurance that it will either prevent or detect errors or fraud as it is designed to do.
In large part, internal controls related to information technology include both application controls and general controls. Application controls are created to prevent or detect transaction processing errors related to the different applications a company might use. These IT controls include controls that prevent unauthorized access, require proper authorization controls in order to prevent fraud, controls to detect and handle errors, and more. General computer controls are not specific to any application and include controls that protect the system from any unauthorized changes, access controls, and even the proper backing up of the system should data be lost.
Ultimately, given the speed of technology advancement, external audit professionals face the task of continuing to educate themselves about the potential risks and internal controls associated with sophisticated IT systems, or need to understand how and when to bring in specialized IT audit professionals.
Hiring a Specialist
The risk of material misstatement depends ultimately on the effectiveness of the internal controls in place, but without the ability to truly understand those risks and controls, external auditors would fall short in providing a qualified opinion. As companies continue to implement more complex IT applications for use in financial reporting, there is an ever-increasing need for specialized and in-depth knowledge of how information technologies function, the risks associated with those technologies, and the internal controls that should be in place.[ix] As a result, in planning their audit, auditors should consider the need to bring in an IT audit specialist. Auditing Understanding 311 states that “The use of professionals possessing information technology (IT) skills… is a significant aspect of many audit engagements.”[x]
As a reflection of the strong need for specialized knowledge, the accounting profession currently offers three well-known designations that demonstrate one’s ability to conduct financial statement and internal information technology audits. The Certified Information Technology Professional (CITP) is recognized by the AICPA, the Certified Information Systems Auditor (CISA) is recognized by the Information Systems Audit and Control Association and Foundation (ISACA), and the Certified Information Systems Security Professional (CISSP) is recognized by the International Information Systems Security Certification Consortium.[xi]
While being able to establish technical expertise based on certification is beneficial to auditors, the variety in certifications can lead to confusion. One possible issue in having such a variety of designations is that there are differences in areas of expertise, amount of training required to attain the certification, and requirements for ongoing training among those certifications. Atkinson, Professor of Accounting at Central Washington University, writes that also confusing matters is the fact that “The nature of the IT field allows many individuals with no training or experience to call themselves ‘IT consultants’ or ‘security specialists.’”[xii] Therefore, in choosing the right IT audit professional to join an audit team, the audit team leader should clearly understand the various designations and the qualifications they require.
Potential Benefits of Internal Control Testing
Despite the challenges and extra considerations associated with auditing complex information technology systems, IT internal controls, when successfully designed and operating effectively, can be valuable in decreasing the time and labor in the audit.
During the IT risk assessment, external auditors may identify IT controls that, once tested to be operating effectively, can successfully reduce audit risk and thereby reduce the need for extensive substantive testing. Substantive testing often requires much more time, labor, and increased audit costs;[xiii] decreasing the amount of necessary substantive testing can thus reduce the amount of audit work required. Given the potential to save time, labor, and audit costs, external auditors should therefore understand how to leverage the testing of internal controls in order to efficiently lower audit risk and simplify their audit.
While the IT risk assessment and testing of IT controls can be beneficial to the overall audit, external auditors should keep in mind a couple of important considerations. First, in order for auditors to take advantage of this opportunity to efficiently reduce the need for substantive testing, the IT risk assessment must be produced early enough to be considered during the audit planning process. With proper awareness and planning, this is more likely to be achieved. Also, the external auditor should know that regardless of the IT risk assessment, whenever the audit procedures to be performed rely on computer-generated data, external auditors will always need to conduct tests of controls to ensure that the information generated is accurate and reliable.[xiv]
Benefits of Technology and Reliance on Internal Auditors
According to the Internal Audit 2012 study conducted by PWC, survey participants believe that technology will affect the internal audit function more than any other business trend. All survey respondents predict that their use of technology will increase over current levels, with 46 percent expecting the increase to be dramatic and 43 percent projecting a moderate increase. Furthermore, respondents foresee a sharp surge in the importance of technology in continuous monitoring and fraud detection.
Overall, the increased use of technology, such as computer-assisted audit techniques and improved information technology, serves to increase the efficiency of the internal audit function. This frees up manpower, which allows internal auditors and external auditors to focus more on high-risk areas. In Protiviti’s 2008 Internal Audit Capabilities and Needs survey, computer-assisted audit techniques, continuous auditing, and data analysis are listed as the greatest technology areas in need of improvement.[xv]
Also, with the passage of AS 5, external auditors could rely on the work of others, and as companies have begun to invest in and grow their internal audit departments, this reliance on others has equated to an increased reliance on the work of internal auditors. The increased capability and scope of internal audit work due to the increased use of more advanced technology has enabled external auditors to rely increasingly on internal audit’s work in conducting their external audits. A 2005 survey found that in 88% of 117 companies, chief internal audit executives reported that external auditors relied to some extent on the work of their internal auditors (Kaplan & Schultz, 2006).[xvi]
Relying on the work of internal auditors also benefits external auditors because internal auditors are more likely to have a more in-depth understanding of the company’s current business environment, operations, and policies. Specifically, one area that likely merits more reliance on internal auditors is the area of fraud risk assessment. Because internal auditors have better knowledge about a company’s procedures, they could be uniquely qualified to help with fraud risk assessment. KPMG studies support this idea, revealing that internal auditors are more likely to discover fraud than external auditors (KPMG, 2003). For instance, while 65% of frauds were discovered in 2003 by internal auditors, only 12% were discovered by external auditors (KPMG, 2003). So, it would behoove external auditors to rely on internal audit work relating to fraud risk assessment.
However, external auditors must weigh the benefits of relying on the work of internal auditors against the need to maintain both professional skepticism and auditor independence. In 2002, The Panel on Audit Effectiveness noted that in its review of 126 public company audits, reviewers were satisfied overall with how external auditors assessed and reviewed the work of internal auditors, and when external auditors relied on the internal auditors’ work, the external auditors seemed to have a good basis for their reliance. On the other hand, there were some reviewers who questioned whether there was adequate retesting of the work that internal auditors did as assistants to the external auditor. For example, in some cases, “the external auditors may not have tested, supervised, and reviewed the internal auditors’ work as thoroughly as would have been desirable” (Panel on Audit Effectiveness, 2002, p. 63).[xvii] The reviewers noted that there were times when the external auditors did not show as much professional skepticism as would have been ideal. In the end, it is important that external auditors take care to adequately corroborate the work of internal auditors regardless of how confident they are in the abilities of those internal auditors.
Client fee pressures watch out for!!
As the use of ever more complex technology proliferates throughout companies, external auditors are faced with the challenge of
Analyze Findings (compare, contrast, show where there is agreement, disagreement, unanswered issues, etc.)
Summary — Synthesizes your research ( connects the points ) to reason what you found, what still remains to be answered, etc.