Implementing the IT-Related Aspects of Risk-Based Auditing Standards
Schroeder, Dan, Singleton, Tommie, The CPA Journal
Information technology (IT) requires special consideration in the practical application of risk-based auditing, as defined under both the AICPA risk-based audit standards, Statements on Auditing Standards (SAS) 104-111, and the Public Company Accounting Oversight Board (PCAOB) Auditing Standard (AS) 5. Both SAS 104-111 and AS5 emphasize the need to establish tight linkage between audit procedures and a thorough assessment of financial statement and assertion level risk. Both standards reference the role of IT as a potentially significant source of inherent audit risk.
The risk-based audit standards adopted by the AICPA in 2006, along with AS5 released in 2007, emphasize a top-down, risk-based approach to the financial audit. The AICPA IT Executive Committee (ITEC), which includes the authors, has developed a white paper and other materials to complement those standards; these tools have been extremely well received by auditors. Their experience has affirmed the following benefits of risk-based auditing:
* The IT risk assessment procedures are necessary to completely identify and understand how IT affects financial statement assertions and the level of risk.
* By gaining an understanding of an entity's controls that exist to mitigate IT-related risks, an auditor may be able to incorporate tests of IT controls into further audit procedures (FAP) and thus improve the overall efficiency of their audit procedures.
* IT risk assessment procedures often improve the auditor's understanding of how computer-aided audit tools and techniques (CAATT) can be applied to improve the efficiency of substantive audit procedures.
* IT risk assessment procedures can usually be leveraged to provide valuable recommendations to management.
This overall approach for IT considerations in risk-based auditing, discussed in more detail below, is summarized in Exhibit 1.
Planning Risk Assessment Procedures: Need for an IT Specialist
Because risk-based auditing requires an auditor to understand the entity being audited, including its internal controls, the audit plan must consider how an auditor will gain this understanding. In many cases, especially in smaller entities that have a low level of IT sophistication, the role of IT for financial purposes is not complex and there is little or no dependency on IT for financial purposes - i.e., IT presents a relatively low level of risk of material misstatement. When IT does play a significant role for financial purposes, an audit plan must define how the auditor will gain an understanding of the role of IT for financial audit purposes related to material transactions, financial reporting, and material disclosures. The following are some common objectives for IT-related audit risk assessment procedures:
* Identify how IT contributes to the risk of material misstatement - i.e., identify inherent risk - at the assertion and financial statement level. An audit plan will often specify one or more transaction classes relevant for consideration (e.g., accounts payable, or inventory and cost of goods sold, when both are material and IT plays a significant role in computation of amounts or account balances).
* Determine whether controls exist that, if operating effectively, would provide reasonable, but not absolute, assurance that the inherent risks would be prevented or detected (i.e., assess control risk).
* Design and execute further IT-related audit procedures, as appropriate.
As IT related to financial reporting grows more sophisticated - creating greater dependence on IT for transactions and processes - the need for an IT audit specialist becomes greater (see the SAS 108 narrative in the ITEC white paper). The benefit of employing professionals possessing IT audit skills can be a significant aspect of many audit engagements in determining the impact of IT on the audit, understanding the IT controls, and designing and performing tests of IT controls and substantive procedures (e. …