IT Auditing and Application Controls for Small and Mid-Sized Enterprises
Revenue, Expenditure, Inventory, Payroll, and More

About This Book

Essential guidance for the financial auditor in need of a working knowledge of IT

If you're a financial auditor needing working knowledge of IT and application controls, Automated Auditing Financial Applications for Small and Mid-Sized Businesses provides you with the guidance you need. Conceptual overviews of key IT auditing issues are included, as well as concrete hands-on tips and techniques. Inside, you'll find background and guidance with appropriate reference to material published by ISACA and the AICPA, organized to show the increasing complexity of systems, starting with general principles and progressing through greater levels of functionality.

  • Provides straightforward IT guidance to financial auditors seeking to assess the quality and efficacy of software controls
  • Offers small- and middle-market business auditors relevant IT coverage
  • Covers relevant applications, including MS Excel, Quickbooks, and report writers
  • Written for financial auditors practicing in the small to midsized business space

The largest market segment in the United States in quantity and scope is the small and middle market business, which continues to be the source of economic growth and expansion. Uniquely focused on the IT needs of auditors serving the small to medium sized business, Automated Auditing Financial Applications for Small and Mid-Sized Businesses delivers the kind of IT coverage you need for your organization.

Authors: Jason Wood, William Brown, Harry Howe

Information

Publisher: Wiley
Year: 2013
ISBN: 9781118233191
Edition: 1
Subtopic: Auditing
CHAPTER ONE
Why Is IT Auditing Important to the Financial Auditor and the Financial Statement Audit?
Many financial auditors believe that complex IT environments require a technically trained professional to fully comprehend the technologies employed in the environment. Other financial auditors may decide to rescope the audit (if a non-Sarbanes-Oxley [SOx] engagement) in order to avoid looking at internal controls, or at least the IT controls, while yet others may perform a superficial, high-level review of the IT controls and hope no one notices that it was not very detailed.
Anything that a client provides that is not manually created relies on IT for the accounting process, and you must understand how to test the IT systems and whether to rely on them. By appropriately assessing the IT controls, you may be able to reduce the overall effort of the audit and bring new observations to your client about the IT environment.
An effective assessment of IT controls may actually increase the amount of time required to perform an audit. However, consistent with Statements on Auditing Standards (SASs) Nos. 104–111, if you already have an adequate understanding of the entity, its internal control and processes, its environment, and other factors, the cost increase will likely be smaller because the auditor faces a reduced learning curve. The cost of changing audit methodology could be significant in the first year, but the change is likely to make future audits more efficient, minimizing fee increases for less complex clients.
It is common in academic curricula and continuing professional education to describe audits by one of four categories:
1. Internal audits
2. Financial or external audits
3. Fraud audits
4. Information technology audits
Following graduation from an accounting or equivalent program and certification as a Certified Public Accountant (CPA) or in another area (e.g., Certified Internal Auditor [CIA]), the practitioner keeps those definitions in mind. As a practical matter, these “silos” are helpful to delineate the differences between the audits, but they overwhelmingly ignore one common reality: All financial audits require the auditor to understand where the information comes from and what processes ensure its reliability. A second reality is that information technology is becoming increasingly pervasive and more sophisticated.
Our philosophy of IT auditing embraces the answer to a question you may have asked: Where does IT auditing fit into the financial auditing process? We believe that it should fit in throughout the entire engagement. At any step in the process, when we are retrieving information for any cycle, we need to ask—and to be able to answer—questions about where the information came from and what processes ensure its reliability. In virtually all phases of the audit, the auditor must understand the answers to those questions, including the IT controls that cover a particular system or process and knowing how to test these controls in order to provide evidence that they are working properly.
MANAGEMENT'S ASSERTIONS AND THE IT AUDIT
Auditors are familiar with the concept of management assertions, the idea that the financial statements imply a set of claims concerning the reported amounts and balances. Each of these assertions can be associated with potential misstatements and in turn with audit procedures. In the following paragraphs we review the principal assertions and briefly expand the financial-auditing discussion to encompass related IT-auditing issues.
Existence
Many account balances purport to describe quantities that actually exist (e.g., stocks of inventory or amounts owed to the company for past sales). Over- or understatements of these balances may result in material errors, and audit procedures typically rely on a combination of process analysis and physical counts or sampling approaches to evaluate the plausibility of a reported balance. The financial auditor ties information in the system back to transaction (source) documents (which may be paper or another electronic file), and, accordingly, he or she needs to understand the system's overall design, the flow of information, and the nature and location of files.
The IT audit process goes beyond a merely conceptual understanding of these issues in order to focus on specific features of the accounting system. The IT audit must evaluate the likelihood that problems or defects in design or operation could lead to misstatements. Thus there is an IT corollary to the financial statement assertion of existence, namely that the application controls that support processing integrity exist. These include such IT-based items as access controls, proper segregation, and appropriate configurations. For instance, when an IT auditor tests access control, he or she would expect to find signed forms, approved by management, that specify the access needed. When an IT auditor tests change management, he or she would expect to see an approved change control form for each change captured in the system. In smaller organizations, this type of existence assertion can be challenging to achieve due to lack of supporting documentation.
In later chapters we examine these types of issues in specific detail for each of the major transaction cycles.
Completeness
The completeness assertion refers to the integrity of the recording process and the ability of the company's accounting system to ensure that the effects of all transactions, balances, accounts, estimates, and so on have been included in the financial statements. Traditional audit techniques such as cross-footing and internal validity checks of totals and subtotals can help to ensure that financial information flows correctly (as missing values may cause the statements and supporting schedules not to tie). At the IT level, the auditor is concerned with how the system ensures completeness—for instance, does the report writer pull all the items from the chart of accounts?
There is also an IT corollary to the completeness assertion, namely that all necessary and required controls exist. This completeness assertion differs slightly from the existence assertion: While the latter requires the IT auditor to verify that claimed controls actually exist, the former requires that he or she critically evaluate the overall system design and perhaps recommend additional controls or procedures. Note also that in smaller organizations it may be challenging to achieve completeness due to lack of understanding of how to determine how the accounting system pulls its data.
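The question "does the report writer pull all the items from the chart of accounts?" can be answered mechanically. The following Python script is an added example, not code from the book or its authors; the chart of accounts, trial balance and report-writer mapping are constructed sample data, and the account numbers and line names are assumptions. It compares the set of accounts in the chart against the set the report definition actually sums, flags accounts mapped twice (double counting) or mapped to nothing, and cross-foots the report against the trial balance so that any difference can be traced back to a missing account:

```python
from decimal import Decimal

# Constructed sample data: a small chart of accounts with a balanced trial
# balance (debits positive, credits negative, so the signed total is zero).
# Account 1210 was added after the report writer's mapping was last maintained.
CHART_OF_ACCOUNTS = {
    "1000": "Cash",
    "1200": "Accounts receivable",
    "1210": "Allowance for doubtful accounts",
    "2000": "Accounts payable",
    "3000": "Common stock",
    "4000": "Sales",
    "5000": "Cost of goods sold",
    "6000": "Wages expense",
}
TRIAL_BALANCE = {
    "1000": Decimal("25000"),
    "1200": Decimal("40000"),
    "1210": Decimal("-2000"),
    "2000": Decimal("-18000"),
    "3000": Decimal("-30000"),
    "4000": Decimal("-60000"),
    "5000": Decimal("35000"),
    "6000": Decimal("10000"),
}
# Report-writer definition (constructed): statement line -> accounts it sums.
REPORT_MAP = {
    "Cash": ["1000"],
    "Accounts receivable, net": ["1200"],
    "Accounts payable": ["2000"],
    "Equity": ["3000"],
    "Revenue": ["4000"],
    "Cost of sales": ["5000"],
    "Operating expenses": ["6000"],
}


def mapping_exceptions(chart, report_map):
    """Accounts the report never pulls, pulls twice, or pulls although they left the chart."""
    seen = {}  # account -> report lines that reference it
    for line, accounts in report_map.items():
        for acct in accounts:
            seen.setdefault(acct, []).append(line)
    unmapped = sorted(set(chart) - set(seen))
    duplicated = sorted(a for a, lines in seen.items() if len(lines) > 1)
    unknown = sorted(set(seen) - set(chart))
    return {"unmapped": unmapped, "duplicated": duplicated, "unknown": unknown}


def cross_foot(trial_balance, report_map):
    """Foot each report line, foot the report, and compare with the trial balance total."""
    line_totals = {
        line: sum((trial_balance.get(a, Decimal(0)) for a in accounts), Decimal(0))
        for line, accounts in report_map.items()
    }
    report_total = sum(line_totals.values(), Decimal(0))
    tb_total = sum(trial_balance.values(), Decimal(0))
    return {
        "line_totals": line_totals,
        "report_total": report_total,
        "trial_balance_total": tb_total,
        # Non-zero difference means the report and the books do not tie.
        "difference": report_total - tb_total,
    }


if __name__ == "__main__":
    print(mapping_exceptions(CHART_OF_ACCOUNTS, REPORT_MAP))
    print(cross_foot(TRIAL_BALANCE, REPORT_MAP))
```

On the sample data the trial balance foots to zero but the report foots to 2,000, and the difference is exactly the balance of the unmapped allowance account, so net receivables are overstated by that amount. Running the same two checks against the client's exported chart and report definition is far cheaper than re-footing printed statements by hand.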
Rights and Obligations
This assertion addresses the legal status of a company's assets and liabilities and it can create exposures and areas of interest from an IT perspective. As an example, consider a company that ships merchandise on both a free-on-board (FOB) destination and FOB shipping point basis. The accounting system should be configured so as to properly classify these transactions and support accurate reporting of inventory, receivables, and sales.
There is also an IT corollary to the rights and obligations assertion, namely ownership of and responsibility for information resources controlled within the company's accounting system. Thus, from this perspective, adequate control over segregation of duties becomes an important part of the overall structure of rights and obligations as they affect accounting information. In some organizations, a person may have certain responsibilities that are well-controlled outside the system, but the system itself may not coordinate the necessary data access rights for employees to function effectively. Additionally, the company will usually have an obligation to protect data privacy.
Valuation
The area of valuation can range from the accuracy of original costs to complex and esoteric calculations relating to financial instruments. In order to ensure that account balances, transactions, fair value estimates, and other amounts are reported appropriately, the IT auditor may need to examine things such as links to pricing tables and lookup tables, the design and accuracy of spreadsheet models, and the integrity of proprietary data sources. The widespread use of spreadsheet models for a variety of valuation-related activities creates many exposures related to data transfer and change management.
IT and valuation intersect when the auditor needs to estimate the potential cost exposure from an IT audit issue. For example, if an auditor determines that inappropriate individuals have access to make adjusting journal entries, the auditor should then determine if any unauthorized journal entries were actually made by examining the general ledger entries. If any are identified, then the auditor would need to value the exposure to the financial statements.
Accounting Procedures
The realm of accounting procedures includes classification and aggregation procedures, proper cutoffs at the end of each accounting period, the preparation and posting of adjusting entries, the preparation of disclosure and supporting schedules, and the final presentation of the financial statements. It also presumes the fundamental accuracy of arithmetic processes and conformity with appropriate accounting standards.
At the general financial level, the auditor may review personnel records in order to evaluate the suitability of individuals who perform these various tasks. The IT analog would include an analysis of access rights and log-on records. For instance, the IT auditor might run all the adjusting entries, check to see who posted them, and evaluate the list according to a chart of responsibilities.
In addition, the auditor should examine the configuration settings in the computer system to ensure that proper cutoff is achieved. For example, does the computer system configuration close the accounting period, or does the accounting period remain open indefinitely? Does the system have the correct days set for each month? When the financial statements are being produced, the IT auditor needs to ensure that all data within the accounting system are being pulled to the financial statements, confirming, for example, accurate tie-backs between subledgers, the general ledger, and the financial statements.
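The two procedures described in this subsection, listing who posted each adjusting entry against a chart of responsibilities and checking that the period close actually prevents late postings, together with the earlier point under Valuation that unauthorized entries must be valued for their exposure, can be run as one exception test over the GL posting log. The Python below is an added example, not the book's or the authors' code; the journal entry log, the authorized-poster list and the period-close configuration are constructed sample data and their field names are assumptions:

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    period: str        # accounting period the entry was posted to, "YYYY-MM"
    posted_on: date    # date the system recorded the posting
    posted_by: str     # application user ID from the posting log
    source: str        # "MANUAL" (adjusting entry) or "SYSTEM" (automated subledger post)
    amount: Decimal


# Chart of responsibilities (constructed): users authorized to post manual adjusting entries.
AUTHORIZED_POSTERS = {"controller", "asst_controller"}

# Period-close dates as read from the application configuration (constructed).
# None means the period has never been closed and remains open indefinitely.
PERIOD_CLOSED_ON = {
    "2013-03": date(2013, 4, 10),
    "2013-04": None,
}

# Constructed journal entry log, as it might be exported from the GL module.
JOURNAL_ENTRIES = [
    JournalEntry("JE-1001", "2013-03", date(2013, 3, 28), "controller", "MANUAL", Decimal("5000.00")),
    JournalEntry("JE-1002", "2013-03", date(2013, 3, 30), "ap_clerk", "MANUAL", Decimal("12500.00")),
    JournalEntry("JE-1003", "2013-03", date(2013, 3, 31), "system", "SYSTEM", Decimal("80000.00")),
    JournalEntry("JE-1004", "2013-03", date(2013, 4, 15), "controller", "MANUAL", Decimal("3200.00")),
    JournalEntry("JE-1005", "2013-04", date(2013, 4, 20), "it_admin", "MANUAL", Decimal("7750.00")),
]


def unauthorized_entries(entries, authorized):
    """Manual entries posted by a user who is not on the chart of responsibilities."""
    return [e for e in entries if e.source == "MANUAL" and e.posted_by not in authorized]


def entries_after_close(entries, closed_on):
    """Entries recorded in a period after that period's close date (cutoff exceptions)."""
    flagged = []
    for e in entries:
        close_date = closed_on.get(e.period)
        if close_date is not None and e.posted_on > close_date:
            flagged.append(e)
    return flagged


def open_periods(closed_on):
    """Periods the configuration never closes; anyone can still post to them."""
    return sorted(p for p, d in closed_on.items() if d is None)


def exposure(entries):
    """Gross amount of the flagged entries: the starting point for valuing the exposure."""
    return sum((e.amount for e in entries), Decimal(0))


def run_je_tests(entries=JOURNAL_ENTRIES, authorized=AUTHORIZED_POSTERS, closed_on=PERIOD_CLOSED_ON):
    unauth = unauthorized_entries(entries, authorized)
    late = entries_after_close(entries, closed_on)
    return {
        "unauthorized": [e.je_id for e in unauth],
        "unauthorized_exposure": exposure(unauth),
        "after_close": [e.je_id for e in late],
        "after_close_exposure": exposure(late),
        "open_periods": open_periods(closed_on),
    }


if __name__ == "__main__":
    for key, value in run_je_tests().items():
        print(f"{key}: {value}")
```

Each flagged entry is then traced to its source document; the exposure figure is the gross amount at risk, not the misstatement, which is only known after the entries themselves are examined. An entry posted into a period after its close date (JE-1004 in the sample) indicates either that the period was reopened or that the close setting does not actually block postings, and both deserve follow-up on the configuration and the change log.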
A Note on Sarbanes-Oxley
The discussion in this text does not focus on the Sarbanes-Oxley Act (SOx), in part because most SMEs do not have to comply with these provisions, and in part because there is already a significant quantity of published guidance in this area. It's worth noting, however, that many items of SOx guidance could be useful for a variety of general controls and as part of a program that addresses other company-specific control issues.
OBJECTIVES OF DATA PROCESSING FOR SMALL AND MEDIUM-SIZED ENTERPRISES (SMEs)
There are several paradigms and methodologies for conducting IT audits. As discussed in the sidebar titled “Committee of Sponsoring Organizations,” many of these focus on high-level concepts and principles that should guide the IT audit process. These paradigms share three pervasive IT objectives: the confidentiality, integrity, and availability (CIA) of data. From the Guide to the Assessment of IT Risk (GAIT) methodology we focus on three crucial IT domains: (1) change management, (2) operations, and (3) security.
In this section we briefly discuss CIA and then identify some crucial intersections.
1. Confidentiality: The confidentiality of data refers to both internal and external users. Internally, the system of rights and permissions to access and modify data is an essential building block in the design of properly segregated duties (or a key feature to analyze when insufficient personnel make it impossible to achieve an ideal level of segregation). Externally, the confidentiality of data rests on such IT constructs as firewalls, encryption, and access protocols.
2. Integrity: In an accounting context, data integrity relates directly to the management assertions discussed in the preceding section, and to the Conceptual Framework's notion of representational faithfulness. Thus, accounting information should represent what it purports to represent—quantities that actually exist, calculated from complete records, with due consideration to appropriate legal rights and obligations, and correctly valued in accordance with acceptable accounting procedures.
3. Availability: Data that is not available to users is by definition useless to them. Relevant IT concerns include server reliability, access controls, protocols for distributing data, and concurrency issues.
As Figure 1.1 suggests, there are crucial interconnections between these objectives. Confidentiality and integrity intersect in the design of a company's internal control system, as inadequate attention to confidentiality issues may create exposures that either corrupt the integrity of data or, at a minimum, raise concerns about the potential for this to happen. Confidentiality intersects with availability where the scheme of permissions and access rights is defined. Availability and integrity intersect at the point where information is required to process transactions (e.g., data from a customer's subledger account must be available when a payment is received), make estimates (e.g., receivables and collection data should be available in order to estimate credits to the valuation allowance), or prepare statements and schedules.
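The internal side of confidentiality described in item 1, the system of rights and permissions as the building block of segregated duties, and the segregation-of-duties point made earlier under Rights and Obligations, can both be tested from the application's role export. The following Python is an added example, not code from the book or its authors; the roles, user assignments, conflict pairs and accepted exception are constructed sample data and their names are assumptions. It computes each user's effective permissions across all assigned roles, reports incompatible pairs with the roles that grant each side, separates findings that have a documented compensating control (the situation a small entity with too few staff is forced into) from open findings, and also flags conflicts that are built into a single role, which no reassignment of users can fix:

```python
# Role definitions as exported from the application's security module (constructed).
ROLES = {
    "vendor_master": {"create_vendor", "edit_vendor"},
    "ap_payments": {"enter_invoice", "approve_payment"},
    "gl_post": {"post_je"},
    "gl_review": {"approve_je"},
    "reporting": {"view_reports"},
}

# User-to-role assignments (constructed).
USER_ROLES = {
    "alice": ["vendor_master", "reporting"],
    "bob": ["vendor_master", "ap_payments"],
    "carol": ["gl_post", "gl_review"],
    "dave": ["ap_payments", "reporting"],
}

# Incompatible permission pairs: holding both lets one person initiate and approve.
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("post_je", "approve_je"),
    ("enter_invoice", "approve_payment"),
]

# Exceptions management has accepted with a documented compensating control (constructed),
# keyed (user, permission_a, permission_b).
ACCEPTED_EXCEPTIONS = {
    ("dave", "enter_invoice", "approve_payment"): "Controller reviews the monthly payment register",
}


def effective_permissions(user, user_roles=USER_ROLES, roles=ROLES):
    """Union of the permissions granted through every role assigned to the user."""
    perms = set()
    for role in user_roles.get(user, []):
        perms |= roles[role]
    return perms


def granting_roles(user, permission, user_roles=USER_ROLES, roles=ROLES):
    """Which of the user's roles grant a given permission (needed to remediate)."""
    return sorted(r for r in user_roles.get(user, []) if permission in roles[r])


def sod_report(user_roles=USER_ROLES, roles=ROLES, conflicts=SOD_CONFLICTS, accepted=ACCEPTED_EXCEPTIONS):
    """Open and mitigated conflicts per user, with the roles that grant each side."""
    report = {"open": [], "mitigated": []}
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, roles)
        for a, b in conflicts:
            if a in perms and b in perms:
                finding = {
                    "user": user,
                    "conflict": (a, b),
                    "via": {
                        a: granting_roles(user, a, user_roles, roles),
                        b: granting_roles(user, b, user_roles, roles),
                    },
                }
                key = (user, a, b)
                if key in accepted:
                    finding["compensating_control"] = accepted[key]
                    report["mitigated"].append(finding)
                else:
                    report["open"].append(finding)
    return report


def role_design_conflicts(roles=ROLES, conflicts=SOD_CONFLICTS):
    """Conflicts baked into a single role: no user assignment can separate these."""
    return sorted(
        (role, a, b)
        for role, perms in roles.items()
        for a, b in conflicts
        if a in perms and b in perms
    )


if __name__ == "__main__":
    for finding in sod_report()["open"]:
        print("OPEN", finding)
    for finding in sod_report()["mitigated"]:
        print("MITIGATED", finding)
    print("ROLE DESIGN", role_design_conflicts())
```

On the sample data bob's conflict only appears when two individually clean roles are combined, which is why the test must work from effective permissions rather than from role names, while the ap_payments role carries a conflict on its own and would expose every user assigned to it. A mitigated finding still belongs in the workpapers: the auditor then tests the compensating control (here, the controller's review) instead of the segregation itself.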
...

Table of contents

  1. Cover
  2. Series
  3. Title Page
  4. Copyright
  5. Dedication
  6. Preface
  7. Acknowledgments
  8. Chapter 1: Why Is IT Auditing Important to the Financial Auditor and the Financial Statement Audit?
  9. Chapter 2: General Controls for the SME
  10. Chapter 3: Application-Level Security
  11. Chapter 4: General Ledger and the IT Audit
  12. Chapter 5: The Revenue Cycle
  13. Chapter 6: The Expenditure Cycle
  14. Chapter 7: The Inventory Cycle
  15. Chapter 8: The Payroll Cycle
  16. Chapter 9: Risk, Controls, Financial Reporting, and an Overlay of COSO on COBIT
  17. Chapter 10: Integrating the IT Audit into the Financial Audit
  18. Chapter 11: Spreadsheet and Desktop Tool Risk Exposures
  19. Chapter 12: Key Reports and Report Writers Risk Exposures
  20. Chapter 13: IT Audit Deficiencies
  21. References
  22. About the Authors
  23. Index