MODULE ACCOUNTING INFORMATION SYSTEMS WITH CLOUD COMPUTING

CHAPTER 5: AUDITING INFORMATION TECHNOLOGY-BASED PROCESSES

Objectives:
1. An introduction to auditing IT processes
2. The various types of audits and auditors
3. Information risk and IT-enhanced internal control
4. Management assertions used in the auditing process and the related
audit objectives

INTRODUCTION TO AUDITING IT PROCESSES

Nearly all business organizations rely on computerized systems to assist in the accounting
function. Technological advances have transformed the business world by providing new ways
for companies to do business and maintain records. This boom in technological developments
has increased the amount of information that is readily available. Business managers, investors,
creditors, and government agencies often have a tremendous amount of data to use when making
important business decisions. However, it is often a challenge to verify the accuracy and
completeness of the information.
Accountants have an important role in the business world because they are called upon
to improve the quality of information provided to decision makers. Accounting services that
improve the quality of information are called assurance services. Many types of services
performed by accountants are considered assurance services because they lend credibility to the
underlying financial information. An audit is the most common type of assurance service.

TYPES OF AUDITS AND AUDITORS

An audit is a type of assurance service that involves accumulating and analyzing support for
information provided by others. The main purpose of the audit is to assure users of financial
information about the accuracy and completeness of the information. To carry out an audit,
accountants collect and evaluate proof of procedures, transactions, and/or account balances and
compare the information with established criteria. The three primary types of audits include
compliance audits, operational audits, and financial statement audits. Although all audits involve
an investigation of supporting information, each type of audit has a different purpose. Compliance
audits determine whether the company has complied with regulations and policies established
by contractual agreements, governmental agencies, company management, or other high
authority. Operational audits assess operating policies and procedures for efficiency and
effectiveness. Financial statement audits determine whether the company has prepared and
presented its financial statements fairly, and in accordance with established financial accounting
criteria.
Audits are typically conducted by accountants who have knowledge of the established
criteria. For example, financial statement audits are performed by certified public accountants
(CPAs) who have extensive knowledge of generally accepted accounting principles (GAAP) in
the United States and/or International Financial Reporting Standards (IFRS). There are different
types of audit specialization that exist in business practice today, including internal auditors, IT
auditors, government auditors, and CPA firms. An internal auditor is an employee of the
company that he or she audits. Most large companies have a staff of internal auditors who perform
compliance, operational, and financial audit functions at the request of management. Some
internal auditors achieve special certification as certified internal auditors (CIAs). IT auditors
specialize in information systems assurance, control, and security, and they may work for CPA
firms, government agencies, or with the internal audit group for any type of business organization.
Some IT auditors achieve special certification as certified information systems auditors (CISAs).
Government auditors conduct audits of government agencies or income tax returns. CPA firms
 MODULE ACCOUNTING INFORMATION SYSTEMS WITH CLOUD COMPUTING

represent the interests of the public by performing independent audits of many types of business
organizations.
Each type of auditor may perform any of the three types of audits described earlier.
However, only CPA firms can conduct financial statement audits of companies whose stock is
sold in public markets such as the New York Stock Exchange. An important requirement for CPA
firms is that they must be neutral with regard to the company being audited. This requirement of
neutrality allows the CPA firm to provide a completely unbiased opinion on the information it
audits, and it is the foundation of an external audit performed by CPAs. An external audit is
performed by independent auditors who are objective and neutral with respect to the company
and information being audited. To keep their neutrality, CPA firms and their individual CPAs are
generally prohibited from having financial connections with client companies and from having
personal ties to those working for client companies. A CPA’s objectivity could be impaired by
having financial and personal relationships with a client company or with anyone having the ability
to influence the client’s decisions and financial reporting activities.

MANAGEMENT ASSERTIONS AND AUDIT OBJECTIVES

Responsibility for operations, compliance, and financial reporting lies with management of the
company. A company’s various reports are assumed to represent a set of management
assertions. Management assertions are claims regarding the condition of the business
organization in terms of its operations, financial results, and compliance with laws and regulations.
The role of the auditors is to analyze the underlying facts to decide whether information provided
by management is fairly presented. Auditors design audit tests to analyze information in order to
determine whether management’s assertions are valid. To accomplish this, audit tests are created
to address general audit objectives. Each audit objective relates to one of management’s
assertions. Exhibit 7-2 summarizes the relationship between management assertions and general
audit objectives for a financial statement audit.
Auditors design specific tests to address these objectives in each audit area. For example,
an auditor will develop tests to determine whether a company has properly accounted for its
borrowing transactions during the period. These tests are specific to the accounts and information
systems in place at the company being audited. Audit tests developed for an audit client are
documented in an audit program.

USE OF COMPUTERS IN AUDITS

Many companies design their IT systems so that important information such as purchase and
sales orders, shipping and receiving reports, and invoices can be retrieved from the system in
readable form. This kind of supporting documentation, as well as journals and ledgers, can be
printed from the computer system to serve as evidence for auditors. Under these conditions,
auditors can compare documents used to input data into the system with reports generated from
the system, without gaining extensive knowledge of the computer system logic. In such cases,
the use of IT systems does not have a great impact on the conduct of the audit, since the auditor
can perform audit testing in the same manner as would be done for a manual system. This
practice is known as auditing around the computer because it does not require evaluation of
computer controls. Sometimes it is also referred to as “the black box approach,” because it does
not involve detailed knowledge of the computer programs. Auditing around the computer merely
uses and tests output of the computer system in the same manner as the audit would be
conducted if the information had been generated manually. Because this approach does not
consider the effectiveness of computer controls, auditing around the computer has limited
usefulness.
Auditing through the computer involves directly testing the internal controls within the
IT system, whereas auditing around the computer does not. Auditing through the computer is
sometimes referred to as “the white box approach,” because it requires auditors to understand
the computer system logic. This approach requires auditors to evaluate IT controls and processing
 MODULE ACCOUNTING INFORMATION SYSTEMS WITH CLOUD COMPUTING

so that they can determine whether the information generated from the system is reliable. Auditing
through the computer is necessary under the following conditions:
The auditor wants to test computer controls as a basis for evaluating risk and reducing the amount
of substantive audit testing required.
The author is required to report on internal controls in connection with a financial statement audit
of a public company.
Supporting documents are available only in electronic form.

Auditors can use their own computer systems and audit software to help con- duct the audit. This
approach is known as auditing with the computer. A variety of computer-assisted audit
techniques (CAATs) are available for auditing with the computer. CAATs are useful audit tools
because they make it possible for auditors to use computers to test more evidence in less time.

AUDIT COMPLETION/REPORTING

After the tests of controls and substantive audit tests have been completed, auditors evaluate all
the evidence that has been accumulated and draw conclusions based on this evidence. This
phase is the audit completion/reporting phase.
In forming a conclusion, auditors must consider whether the evidence supports the
information presented. All of the evidence from all phases of the audit and covering all types of
accounts and transactions must be considered collectively so that the auditors can make an
overall decision on the fairness of the information. The auditors must also consider whether the
extent of testing has been adequate in light of the risks and controls identified during the planning
phase versus the results of procedures performed in the testing phases.
The completion phase includes many tasks that are needed to wrap up the audit. For
many types of audits, the most important task is obtaining a letter of representations from
company management. The letter of representations is often considered the most significant
single piece of audit evidence, because it is a signed acknowledgment of management’s
responsibility for the reported information. In this letter, management must declare that it has
provided complete and accurate information to its auditors during all phases of the audit.
For a financial statement audit, when the auditors are satisfied with the extent of testing and a
representations letter has been obtained from the client, an audit report must be issued. The audit
report expresses the auditors’ overall opinion of the financial statements. There are four basic
types of reports that could be issued:
1. Unqualified opinion, which states that the auditors believe the financial statements
are fairly and consistently presented in accordance with GAAP or IFRS
2. Qualified opinion, which identifies certain exceptions to an unqualified opinion
3. Adverse opinion, which notes that there are material misstatements presented
4. Disclaimer, which states that the auditors are unable to reach a conclusion.
When reporting on the effectiveness of internal controls auditors must choose between an
unqualified, adverse, or disclaimer opinion. Communication is key to the proper conclusion of an
audit. In addition to management communicating information in the representations letter and
auditors issuing the audit report, auditors must discuss the overall results of the audit with the
company’s directors.
MODULE ACCOUNTING INFORMATION SYSTEMS WITH CLOUD COMPUTING

For more knowledge, please follow the link provided;

https://www.youtube.com/watch?v=RMf9fhNMdcQ
https://www.youtube.com/watch?v=rN_SCW9qB3g
https://www.youtube.com/watch?v=l-rEtMjRxQU