IT in Audit
Information technology (“IT”) is essential in today’s accounting world and management information systems. Auditors need to fully understand how information technology is being used by their clients to gather, process and report financial information in their financial statements, and how auditors can use IT in the process of auditing the financial statements.
The reliance on system generated reports is evident within many companies we audit, being gaming companies, retail companies, software companies and more. Within gaming companies, we note reports issued by the system to list all bets, wins, losses, player liabilities, bonuses and more. In the case of trading entities holding inventory, we note reliance on inventory management systems to keep track of inventory balances following relevant purchases and sales of inventory items. We also note the reliance of retail companies on their Point-Of-Sale systems (“POS”). The list of systems used by today’s entities is endless, with the above examples displaying just a portion of the systems we see in today’s entities.
While such entities would rely heavily on their systems, these systems could or could not be linked to the accounting system the entity has in place. The transfer of data from general systems to accounting systems needs to be effected in such a way that the data transferred is complete and accurate to ensure such data is also reliable.
Whether an audit engagement is carried out in a manual or a computer-based environment, the key objectives of the audit should remain consistent, thereby enabling the auditor to express an opinion on whether the financial statements are prepared in accordance with the applicable financial reporting framework. However, the manner in which the audit is carried out changes, specifically with respect to the audit approach, the planning considerations and the testing used to obtain sufficient and appropriate audit evidence.
In audits of clients with highly automated systems, the auditor is required to obtain an understanding of such information systems and related business processes, specifically with respect to the initiation, recording and processing of transactions within the general ledger, and relevant reporting within the financial statements. The auditor must also understand the process by which data is transferred between client systems to ensure this is being done appropriately.
It is vital that the auditor understands the systems in place at every given client, and the reports generated by those systems. Once the auditor is comfortable with this understanding, relevant planning needs to be carried out to assess the testing that will be carried out on such reports, and how these reports feed into the client accounting system in place.
The use of computers is therefore imperative within an audit of IT systems and would involve a range of different applications for auditing procedures using the computer as an audit tool. Such auditing procedures could be used to perform both substantive procedures or tests of controls.
The understanding of controls used by the entity, and the effectiveness of those controls in place will assist the auditor in assessing what controls can be relied upon and accordingly design relevant audit procedures in response to this understanding.
Application Controls
Application controls within an entity would include those controls over the posting of transactions and standing data pertaining to a computer-based accounting system. Such controls would need to be evaluated by the auditor as part of its audit procedures. Input controls within an entity would be designed to ensure that the inputting of transactions and data is authorised, complete, accurate and timely. These could include:
- Sequence checks: to confirm the completeness of information through the sequential ordering of numbers. Such as, for example, the completeness of journal entries posted through the journal entry reference number.
- Format checks: to confirm that information is being input within the system in the correct form.
- Range checks: to confirm that information input is within a specified range, and therefore in line with expectation.
- Compatibility checks: to confirm that data input from two or more fields is compatible. For example, a sales invoice value should be compatible with the amount of sales tax charged on the invoice.
- Validity checks: to confirm that data input is valid.
- Exception checks: whereby an exception report is issued to highlight unusual factors following the input of a specific item.
- Digit verification: the use of algorithms to ensure that data input is accurate.
Core Benefits of CAATs
The use of computer assisted audit techniques (CAAT’s) will assist the auditor in their audit testing procedures and are designed to carry out tests of controls and /or substantive procedures. Companies can have different hardware and software environments, data structures, and record formats. Considering the complexity of systems, using a software tool to collect evidence is essential. Such a tool enables the auditor to gather information and extract data independently. The reliability of the source of the data and information used grants assurance. Using CAATs could support substantially the effective and successful discovery of irregularities or illegal acts and improve audit efficiency through continuous online auditing techniques.