Information Technology, Internal Control,and Financial Statement Audits

By Thomas A. Ratcliffe and Paul Munter

In Brief

ASB Tackles IT System Control Risk

Modern data processing systems pose new, risk-laden challenges to the traditional audit process. Whereas it was once possible to conduct a financial statement audit by assessing and monitoring the controls over paper-based transaction and accounting systems, businesses have increasingly turned to electronic transaction and accounting systems. SAS 94 offers guidance on collecting sufficient, competent evidence in an electronic processing environment. It pays particular attention to identifying circumstances when the system of control over electronic processing must be accessed.

Becognizing that it is increasingly difficult for auditors to rely on traditional (paper) audit evidence to acquire sufficient competent evidence, the Auditing Standards Board (ASB) issued SAS 94, The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit, in May 2001. SAS 94 is effective for audits of financial statements for periods beginning on or after June 1, 2001. Early application is permitted.

SAS 94 amends SAS 55, Consideration of Internal Control in a Financial Statement Audit, as previously amended by SAS No. 78, Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55. Specifically, SAS 94 addresses the effect of information technology (IT) on internal controls and on the auditor’s understanding of internal controls, including the required assessment of control risk.


In December 1996, the ASB issued SAS 80, entitled Amendment to Statement on Auditing Standards No. 31, Evidential Matter, in order to address questions about the validity, completeness, and integrity of electronic evidence. When entities transmit, process, maintain, or access information electronically, it may be impractical or even impossible to reduce detection risk to an acceptably low level by performing only substantive tests for one or more financial statements. Furthermore, SAS 80 concluded that tests of controls, in conjunction with substantive tests, should be sufficient to support an audit opinion.

The AICPA also published an Auditing Procedures Study (APS), The Information Technology Age: Evidential Matter in the Electronic Environment. The APS describes electronic evidence and discusses issues in evaluating it. Whether it is transmitted, processed, maintained, and accessed by electronic means (e.g., using a computer, scanner, sensor, or magnetic media) or it is in the form of computer-printed documents, electronic evidence differs from paper evidence in the following ways:

Objectives of SAS 94

Prior to the release of SAS 94, although some guidance addressed audit considerations in an IT environment, there had not been an update to the evaluation of controls and assessment of control risk since SAS 78. SAS 94 filled this gap. It is intended to fulfill the following objectives:

SAS 94 notes that assessing control risk at the maximum and performing a substantive audit may not result in an effective audit because audit evidence does not exist outside the IT environment. Furthermore, even when evidential matter allows an assessment of control risk below the maximum, there remains a need to perform substantive tests on significant amounts. Stated differently, an audit involves both the assessment of control risk and the design, performance, and evaluation of substantive tests to reduce audit risk to an acceptably low level.

Internal Control

When the ASB issued SAS 78, it incorporated a “COSO model” approach to the definition of internal controls. Internal controls are effected by an entity’s board of directors, management, and other personnel in order to provide reasonable assurance of achieving three objectives: reliable financial reporting, effective and efficient operations, and compliance with applicable laws and regulations. In addition, internal controls over the safeguarding of assets against unauthorized acquisition, use, or disposition will often include controls relating to financial reporting and operations objectives. Internal control consists of five interrelated components: the control environment, risk assessment, control activities, information and communication, and monitoring.

Because an auditor focuses on controls pertinent to financial statement assertions—how the transactions are authorized, recorded, aggregated, and displayed in the financial statements—when planning and performing an audit, it may not be necessary to obtain an understanding of controls of operating units and business functions. The following controls might not be relevant to the audit:

Obtaining an understanding of the components of internal control sufficient to plan the audit requires consideration of the entity’s—

Effects of IT on Internal Control and Audit Processes

Because of the extensive use of IT in today’s businesses, SAS 94 cautions that its implications may need to be considered in evaluating any of the five components of internal control. As ERP systems have become more comprehensive and more widely used, even small entities have complex, highly integrated IT systems that share data and support all aspects of financial reporting, operations, and compliance.

IT often fundamentally changes the initiating, recording, processing, and reporting of transactions. Controls in such IT systems consist of a combination of automated (e.g., those embedded in computer programs) and manual controls. Manual controls may function independently of the IT system or use information produced by the IT system to monitor the automated controls. The appropriate mix of manual and automated controls varies with the nature and complexity of the IT system. Exhibit 1 lists some of the audit benefits of the IT environment; Exhibit 2 presents some of the audit risks IT environments pose.

IT internal controls can provide only reasonable assurance regarding the achievement of an entity’s control objectives. All internal control systems, regardless of their design, face certain inherent limitations that make absolute assurance impossible. In an IT system, errors can occur in designing, maintaining, or monitoring automated controls. For example, IT personnel may not understand how an IT system processes sales transactions, resulting in incorrect changes to the system for processing sales for a new product line.

SAS 94 repeats the requirement to obtain a sufficient understanding of each of the five components of internal control in order to plan the audit. Audit procedures to understand the design and operation of financial statement controls should produce valuable information that will help audit planners—

An auditor could still determine that performing substantive tests alone would be effective and more efficient than performing tests of controls for assertions in some circumstances. For example, in an audit of fixed assets and long-term debt, where there is a limited number of readily corroborated transactions, the auditor could perform substantive tests alone.

In more complex situations with a large volume of transactions processed in a complex IT environment, performing tests of controls to assess control risk below the maximum level for certain assertions would be effective and more efficient than performing only substantive tests. Alternatively, it may be impractical or impossible to restrict detection risk to an acceptable level by performing only substantive tests. In such cases, SAS 94 requires tests of both the design and operation of controls in order to reduce the assessed level of control risk. Not performing such control tests would likely result in a scope limitation and preclude the auditor from issuing an opinion on the financial statements. Exhibit 3 lists some of the factors to consider when determining whether tests of controls are mandatory in an audit. Exhibit 4 provides examples of situations where the auditor may determine that tests of controls are necessary in an audit.

Assessing Control Risk below the Maximum

Assessing control risk below the maximum level requires the following:

The knowledge gained from an understanding of internal controls should be used to identify the types of potential misstatements that could occur in financial statement assertions. The controls that are likely to prevent or detect material misstatements in specific financial statement assertions may relate directly to one or more of them, but their continued effective operation usually depends on general controls that are indirectly related to the assertions. Indirect general controls usually include controls that restrict access to programs and related data.

Techniques for testing automated controls may differ from those for manual controls. For example, computer-assisted audit techniques may be used to test automated controls or data related to assertions. In addition, other automated tools could test the operating effectiveness of indirect controls, such as access controls. Specialized computer skills may be needed to design and perform the tests of controls.

Ultimately, these situations call for an assessment of the level of control risk for specific financial statement assertions. The assessed level of control risk (along with the assessed level of inherent risk) should determine the acceptable level of detection risk for the financial statement assertions. As the acceptable level of detection risk decreases, the assurance provided from substantive tests should increase.

Documentation Requirements

SAS 94 changes the documentation requirements for understanding and evaluating of internal control. Consistent with the previous guidance of SAS 55 (as amended by SAS 78), the form and extent of this documentation depends upon the nature and complexity of the entity’s controls. For example, understanding the internal controls of a complex IT system in which a large volume of transactions is electronically initiated, recorded, processed, and reported might be documented by flowcharts, questionnaires, and decision tables. Generally, the more complex the internal control and the more extensive the procedures performed, the more extensive the documentation should be.

The basis for the conclusions about the assessed level of control risk also requires documentation. Conclusions about the assessed level of control risk may differ by account balances or classes of transactions. For those financial statement assertions where control risk is assessed at the maximum level, the level should be documented but there is no need to document the basis for that conclusion. For those assertions where the assessed level of control risk is below the maximum, the basis for the conclusion that the effectiveness of the design and operation of controls supports the assessed level should be documented.

Thomas A. Ratcliffe, PhD, CPA, is the Eminent Scholar of Accounting and dean of the Sorrell College of Business Administration at Troy State University, Ala.
Paul Munter, PhD, CPA, is the KPMG Professor and chairman of the department of accounting at the University of Miami, Fla

This Month | About Us | Archives | Advertise| NYSSCPA

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2002 CPA Journal. Legal Notices

Visit the new