Magazine article The CPA Journal

Information Technology Issues for the Attest, Audit, and Assurance Services Functions

Article excerpt

As information technology continues to have an increasing effect on most organizations, practitioners should consider information technology (IT) issues in planning their attest, audit, and assurance engagements. The Computer Auditing Subcommittee (CAS) of the Auditing Standards Board (ASB) has ranked 47 IT issues in terms of their impact on attest, audit, and assurance engagements. In previous rankings, CAS only identified those issues that impacted the audit of historical financial statements. CAS believes that by broadening the related services on which it bases its ranking, it can be of more help to practitioners expanding their practices beyond the traditional audit function. Eight IT issues were identified as being of high concern to practitioners that provide this broader range of services. These issues are discussed below in order of ranking.

Major Technology Issues and Audit Concerns

Security consists of the policies and procedures for assuring that access to IT resources (e.g., equipment, software, and data) is restricted to authorized users and procedures. The two major types of security, software security and physical security, should provide assurance that only authorized individuals have access to IT resources and that controls are in place to prevent unauthorized modification or destruction of data, software, and equipment. If these controls are not in place, an increased likelihood of fictitious or erroneous data being entered into the information system exists, which in turn could result in poor management decisions. Software security includes the detection of unauthorized attempts to access restricted data and the use of firewalls to permit only authorized users access to corporate data contained on a website. Physical security measures include putting locks on doors, limiting access to the computer equipment room to authorized individuals, and adopting and testing a disaster recovery plan. Such a plan could mitigate the risk of lost transactions and business interruption if an electronic data interchange (EDI) network were to fail.

Electronic Commerce (E-Commerce) is the use of information technologies to facilitate business transactions between trading partners. There is general agreement that e-commerce includes technologies such as EDI, electronic funds transfer (EFT), automated teller machines (ATMs), and business done on the Internet (more fully discussed below). For example, many corporations have adopted a business strategy that provides for the exchange of transactions in an electronic format through an intermediary service provider known as a value added network (VAN). The major concerns for practitioners are that only authorized transactions are transmitted and received and that they are not duplicated, lost, or modified during processing. The practitioner should consider learning how the EDI transaction flows through the trading partner's computer system and the VAN and determining the methods for authorization, encryption techniques if appropriate, and whether hardware and software contain transmission detection and correction functions.

A VAN is a service center, and the auditor may wish to obtain a service auditor's report that contains, at a minimum, a report on the policies and procedures in operation. Additional guidance is provided in SAS No. 70, Reports on the Processing of Transactions by Service Organizations.

Internet Capability is a major force in e-commerce and is also being used for online banking, bill payment, data entry, inquiry, and advertising. New methods of payment for merchandise and services include digital cash and smart cards.

There are several professional opportunities for practitioners on the Internet. For example, one major CPA firm has offered online consulting services for small businesses through the Internet, for which subscribers pay a flat fee. Some firms have assisted their clients in developing websites and have trained clients in related security issues such as firewalls, password policy, and off-site backup of files. …
