INFORMATION TECHNOLOGY ISSUES FOR THE ATTEST, AUDIT, AND ASSURANCE SERVICES FUNCTIONS
By Glenn L. Helms and
Jane M. Mancino
As information technology continues to have an increasing effect on most organizations, practitioners should consider information technology (IT) issues in planning their attest, audit, and assurance engagements. The Computer Auditing Subcommittee (CAS) of the Auditing Standards Board (ASB) has ranked 47 IT issues in terms of their impact on attest, audit, and assurance engagements. In previous rankings, CAS only identified those issues that impacted the audit of historical financial statements. CAS believes that by broadening the related services on which it bases its ranking, it can be of more help to practitioners expanding their practices beyond the traditional audit function. Eight IT issues were identified as being of high concern to practitioners that provide this broader range of services. These issues are discussed below in order of ranking.
Major Technology Issues and
Security consists of the policies and procedures for assuring that access to IT resources (e.g., equipment, software, and data) is restricted to authorized users and procedures. The two major types of security, software security and physical security, should provide assurance that only authorized individuals have access to IT resources and that controls are in place to prevent unauthorized modification or destruction of data, software, and equipment. If these controls are not in place, an increased likelihood of fictitious or erroneous data being entered into the information system exists, which in turn could result in poor management decisions. Software security includes the detection of unauthorized attempts to access restricted data and the use of firewalls to permit only authorized users access to corporate data contained on a website. Physical security measures include putting locks on doors, limiting access to the computer equipment room to authorized individuals, and adopting and testing a disaster recovery plan. Such a plan could mitigate the risk of lost transactions and business interruption if an electronic data interchange (EDI) network were to fail.
Electronic Commerce (E-Commerce) is the use of information technologies to facilitate business transactions between trading partners. There is general agreement that e-commerce includes technologies such as EDI, electronic funds transfer (EFT), automated teller machines (ATMs), and business done on the Internet (more fully discussed below). For example, many corporations have adopted a business strategy that provides for the exchange of transactions in an electronic format through an intermediary service provider known as a value added network (VAN). The major concerns for practitioners are that only authorized transactions are transmitted and received and that they are not duplicated, lost, or modified during processing. The practitioner should consider learning how the EDI transaction flows through the trading partner's computer system and the VAN and determining the methods for authorization, encryption techniques if appropriate, and whether hardware and software contain transmission detection and correction functions.
A VAN is a service center, and the auditor may wish to obtain a service auditor's report that contains, at a minimum, a report on the policies and procedures in operation. Additional guidance is provided in SAS No. 70, Reports on the Processing of Transactions by Service Organizations.
Internet Capability is a major force in e-commerce and is also being used for online banking, bill payment, data entry, inquiry, and advertising. New methods of payment for merchandise and services include digital cash and smart cards.
There are several professional opportunities for practitioners on the Internet. For example, one major CPA firm has offered online consulting services for small businesses through the Internet, for which subscribers pay a flat fee. Some firms have assisted their clients in developing websites and have trained clients in related security issues such as firewalls, password policy, and off-site backup of files. Other firms plan to provide assurance services for their business clients' websites in the form of a WebTrustSM seal, which is placed on the client's website as assurance that the business has adequately described its business practice, the electronic transaction retains its integrity from inception to completion, and submitted information remains confidential.
Continuous Auditing has historically meant using software to detect auditor-specified exceptions from among all transactions that are processed either in a real-time or near real-time environment. These exceptions could be investigated immediately or written to an auditor's log for subsequent test work. The audit software was incorporated into the system during the design phase of its development.
The classical definition of continuous auditing was developed in an era when a large amount of financial information for decision-making was available primarily in historical financial statements. Today, however, decision-makers are using a continuous flow of information that may be more current and varied than that provided in traditional financial statements. Users of this information may desire assurances from the independent auditor on a more timely basis.
The auditor can provide a high level of assurance on continuous information by reporting in real-time or in a short (perhaps a day or a week) time frame. The auditor may provide an opinion on a written assertion by management or provide a direct evaluation, using reasonable criteria, of subject matter for which management is responsible. The auditor's audit process will be highly integrated with the entity's information system and controls.
For example, the manager of a mutual fund might produce daily performance statistics and assert that the returns on the fund are higher than the returns on the Dow Jones industrial average index. The practitioner could develop software modules to test the accuracy of the mutual fund's relative performance statistics, compare the statistics with the index's performance, and render a daily opinion on management's assertion as to the mutual fund's relative performance.
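The e-commerce section above names three things the practitioner wants assurance about (transactions are not duplicated, lost, or modified in transit, and only authorized ones are accepted), and the continuous-auditing section describes software that tests every transaction against auditor-specified exceptions and writes the hits to an auditor's log. The following Python example, added here and not taken from the article or from any CAS or AICPA material, combines both ideas in one small embedded audit module. The message format, the use of a sequence number plus an HMAC as the integrity mechanism, the shared key, the threshold, and the sample transaction stream are all constructed assumptions for illustration; the article itself does not specify which encryption or transmission-check techniques a given VAN uses.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed shared secret for the example; a real trading-partner key would be
# provisioned out of band and would never appear in source code.
SHARED_KEY = b"example-trading-partner-key"


def message_mac(payload: dict) -> str:
    """HMAC-SHA256 over the canonical JSON form of a transaction payload.
    Any change to the payload in transit changes the MAC, so modification is detectable."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()


def make_message(seq: int, txn_id: str, partner: str, amount: float, authorized: bool) -> dict:
    """Build an EDI-style message with a sequence number and a MAC (constructed sample format)."""
    payload = {"seq": seq, "txn_id": txn_id, "partner": partner,
               "amount": amount, "authorized": authorized}
    return {"payload": payload, "mac": message_mac(payload)}


@dataclass
class EmbeddedAuditModule:
    """Auditor-specified exception tests applied to every transaction as it is processed."""
    amount_threshold: float
    expected_seq: int = 1
    seen_ids: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def process(self, message: dict) -> list:
        payload = message["payload"]
        exceptions = []

        # Modified in transit: recompute the MAC and compare in constant time.
        if not hmac.compare_digest(message_mac(payload), message["mac"]):
            exceptions.append("mac_mismatch")

        # Duplicated: this transaction id has already been processed.
        if payload["txn_id"] in self.seen_ids:
            exceptions.append("duplicate_txn_id")

        # Lost: a jump in the sequence number means intermediate messages never arrived.
        seq = payload["seq"]
        if seq > self.expected_seq:
            exceptions.append(f"sequence_gap:{self.expected_seq}-{seq - 1}")
        elif seq < self.expected_seq:
            exceptions.append("sequence_replay")

        # Unauthorized: the trading partner's system sent no authorization flag.
        if not payload["authorized"]:
            exceptions.append("not_authorized")

        # Auditor-specified materiality test (threshold is a constructed value).
        if payload["amount"] > self.amount_threshold:
            exceptions.append("amount_over_threshold")

        # Update state and write any exceptions to the auditor's log for follow-up.
        self.seen_ids.add(payload["txn_id"])
        if seq >= self.expected_seq:
            self.expected_seq = seq + 1
        if exceptions:
            self.audit_log.append({"txn_id": payload["txn_id"], "seq": seq,
                                   "exceptions": exceptions})
        return exceptions


def run_sample_stream() -> list:
    """Process a constructed stream of five messages and return the auditor's log."""
    module = EmbeddedAuditModule(amount_threshold=10_000.0)
    stream = [
        make_message(1, "PO-1001", "SUPPLIER-A", 2_500.0, True),   # clean
        make_message(2, "PO-1002", "SUPPLIER-A", 42_000.0, True),  # over threshold
        make_message(4, "PO-1004", "SUPPLIER-A", 900.0, True),     # seq 3 never arrived
        make_message(1, "PO-1001", "SUPPLIER-A", 2_500.0, True),   # duplicate / replay
    ]
    tampered = make_message(5, "PO-1005", "SUPPLIER-A", 100.0, True)
    tampered["payload"]["amount"] = 100_000.0                      # altered after the MAC was computed
    stream.append(tampered)
    for message in stream:
        module.process(message)
    return module.audit_log


if __name__ == "__main__":
    for entry in run_sample_stream():
        print(entry)
```

The module keeps only the state it needs between messages (the next expected sequence number and the ids already seen), which is what lets it run inline in a real-time or near real-time system rather than as a batch job. Each log entry records which test failed, so the practitioner can investigate immediately or defer the exception to later test work, as the continuous-auditing definition above describes.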
Privacy concerns must be addressed. The entity should maintain effective controls to ensure that private customer information is protected from uses not related to its business. For example, the information transmitted over the Internet and received by the business should not be inappropriately disclosed. The entity should obtain the customer's permission before storing, altering, or copying information on the customer's computer.
CPAs, in the course of professional engagements, may wish to consider whether the entity has appropriate controls to protect the confidentiality of data. For example, in the health-care industry, patients might be concerned that information concerning their medical history remains private. Controls such as passwords provide assurance that access to such information is restricted to authorized individuals and that unauthorized browsing or disclosure of this sensitive information is prohibited.
Communications Technology is the technology used to transmit data, voice, and video information. The technology can include modems, satellites, protocols, and fiber-optic cable. These technologies permit the use of e-commerce, EDI, image processing, and ATMs. Security and control issues associated with e-commerce and the Internet are also applicable here.
Year 2000 Issues are relevant to the auditor. The year 2000 presents a problem for many older computer systems, many of which are still in use today, perhaps in critical and unforeseen applications.
Quick Response is a business strategy that attempts to identify and meet the demands of the customer by maximizing the efficiency of moving merchandise from raw material suppliers to customers while at the same time reducing the amount of inventory in the merchandise pipeline. Quick response generally relies on enabling technologies such as point-of-sale systems, bar coding/scanning, and EDI. Quick response usually leaves an electronic rather than a paper trail of evidence.
In many instances suppliers take control of managing a retailer's inventory, more commonly known as just-in-time or vendor-managed inventory. Under this strategy, suppliers and retailers have access to each other's information systems and databases. For example, a retailer can electronically forward information concerning daily sales and sales forecasts to suppliers that then initiate inventory replenishment orders. Purchase orders, purchase order acknowledgements, and shipping notices are issued automatically and electronically. Ultimately, financial settlement is completed through the use of EFT from the customer's to the supplier's bank.
It has been suggested that quick response enables the retailer to remain competitive by identifying customer needs and fulfilling them faster, managing inventory and lowering inventory quantities, and reducing pricing errors. The supplier benefits from increased sales and market share and by better and more efficient production schedules, reduced payment terms, and higher inventory turnover.
The practitioner should also consider reviewing the trading partner agreement for transaction acceptance and dispute resolution terms. If the agreement allows trading partners' systems to initiate transactions for themselves, a client's system might be compromised by weaknesses in its trading partners' systems. Standards are unclear concerning the responsibility, if any, that an auditor might have for transactions initiated by the client's trading partners. This is an evolving area worthy of additional research.
IT's Relationship with Professional Standards
The transaction processing systems ranked as highly important by CAS include e-commerce, the Internet, and quick response. These systems leave an electronic and often ephemeral trail of evidence. Auditors should refer to SAS No. 80, Amendment to Statement on Auditing Standard No. 31, Evidential Matter, which addresses the implications of electronic evidence on the audit. SAS No. 80 suggests that auditors should consider using IT to obtain evidence supporting electronic transactions, and further counsels that the auditor might not be able to reduce detection risk to an acceptable level by performing only substantive tests for these advanced systems. The auditor might want to test the controls in systems that have primarily electronic evidence, as it might not be possible to rely solely upon the results of substantive tests. *
Glenn L. Helms, PhD, CPA, is an associate professor at the University of North Carolina at Greensboro. Jane M. Mancino, CPA, is a technical manager at the AICPA. Her views as expressed in this article do not necessarily reflect those of the AICPA.
Paul D. Warner, PhD, CPA
L. Murphy Smith, DBA, CPA
Texas A&M University
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs.