Understanding SAS 94 - PowerPoint PPT Presentation

Transcript and Presenter's Notes
1
Understanding SAS 94
  • ITA Fall Collaborative
  • Bruce H. Nearon
  • J.H. Cohn LLP
  • Bnearon_at_jhcohn.com 973-403-6955
  • November 5, 2002

2
Introduction
  • What is SAS 94?
  • AU Section 319, The Effect of Information
    Technology on the Auditor's Consideration of
    Internal Control in a Financial Statement Audit
  • What is the effective date of SAS 94?
  • Audits of financial statements for periods
    beginning on or after June 1, 2001

3
Why do I have to understand SAS 94?
  • AU 150.02 GAAS: the second standard of field
    work
  • A sufficient understanding of internal control is
    to be obtained to plan the audit and to determine
    the nature, timing, and extent of the tests to be
    performed.

4
What is Internal Control?
  • A device to regulate a system
  • Ex. What keeps gasoline from leaking as it flows
    from your gas tank to the engine?
  • The construction of the fuel tank, fuel pipe, and
    connections.

5
  • Ex. What keeps money and resources from leaking
    as it flows through a business entity?
  • The construction of the financial accounting and
    internal control system.

6
How much time do I need to spend on SAS 94
Procedures?
  • How big is the client?
  • Assets? Sales?
  • How many transactions?
  • 1000s, 10,000s, 100,000s, millions
  • How sophisticated is the computer system?
  • How much time is in your audit budget for I/C
    work?

7
What if I only have 8 hours or less?
  • AU Sec. 319.04: Assess control risk at the maximum.
    Document your conclusion. The basis of the
    conclusion need not be documented.

8
Taking the easy way out
  • Assessing Control Risk at the Max
  • WARNING! You need to be satisfied that performing
    only substantive tests will be sufficient.
  • If initiation, recording, and processing of
    financial data exists only in computers then the
    power of substantive tests is significantly
    reduced.

9
Do you understand the extent of computer
processing in your audit client?
  • AU 319.17: The use of IT (computers) affects the
    fundamental manner in which transactions are
    initiated, recorded, processed, and reported.

10
  • Automated procedures may
  • Initiate
  • Record
  • Process
  • Report
  • Producing e-records
  • Purchase orders
  • Invoices
  • Shipping documents
  • Journals and ledgers

11
You may not understand e-records and IT controls,
and rely on paper hardcopy and manual controls
  • BEWARE! Paper records provided by clients and
    their manual controls may not be independent of
    IT, may in fact be produced from e-records, and
    may lack credibility.

12
IT risks to internal control
  • AU 319.19
  • Unauthorized access to menus, programs, and data
  • Destruction or improper changes
  • Unauthorized, nonexistent, or inaccurate
    transactions
  • Errors and fraud
  • Failure to make necessary changes to systems or
    programs, i.e., obsolete programs and patch levels

13
  • AU 319.20
  • A lack of control at a single user entry point
    might compromise the security of the entire
    database.
  • Improper changes
  • Destruction of data
  • When IT personnel and users are given, or can
    gain, access privileges beyond those necessary to
    perform their assigned duties, a breakdown in
    segregation of duties can occur

14
  • AU 319.21
  • Errors may occur in designing, maintaining, or
    monitoring IT controls
  • IT personnel may not completely understand how
    the system processes transactions
  • AU 319.22
  • Edit routines in programs designed to identify
    and report transactions that exceed certain
    limits may be overridden or disabled

15
Obtaining an understanding of Internal Control
  • AU 319.26
  • Procedures depend on
  • Size and complexity of entity
  • Previous experience
  • Specific controls
  • Entity's use of IT
  • Changes in systems and operations

16
Planning the audit
  • AU 319.30
  • What IT risks can result in misstatements?
  • The more complex and sophisticated the entity's
    operations and systems, the more likely the need
    to increase the auditor's understanding of
    internal control

17
Do you need an IT Audit Specialist?
  • AU 319.31
  • How complex is the IT system?
  • How is IT used in operations?
  • Have there been significant changes to the system
    or implementation of new systems?
  • Is data shared with other systems either
    internally or externally?
  • Is there e-commerce?
  • Is there emerging technology such as wireless
    networks and devices?
  • Is audit evidence available only in electronic
    form?

18
What IT audit skills are needed?
  • Developing IT questionnaires
  • Understanding and challenging IT personnel
    responses to technical inquiries
  • Locating online system control settings,
    understanding and evaluating them
  • Selecting and using audit software tools
  • Designing and performing IT audit tests
  • Knowing classic computer control weaknesses
  • Keeping up with the latest hacking techniques

19
A Common Control Environment Weakness
  • AU 319.36
  • Management's failure to commit sufficient
    resources to address security risks presented by
    IT may adversely affect internal control by
    allowing improper changes to be made to computer
    programs or to data, or by allowing unauthorized
    transactions to be processed.

20
Control Activities
  • AU 319.43
  • The auditor should obtain an understanding of how
    IT affects control activities that are relevant
    to planning the audit.

21
  • General Controls
  • Data center and network operations
  • System and application acquisition, development,
    and maintenance
  • Access security

22
  • Application controls
  • Initiation, recording, processing, and reporting
  • Authorization, completeness, validity, accuracy

23
What is a sufficient understanding? How much is
enough?
  • AU 319.49: The auditor should understand
  • The IT and manual procedures to record, process,
    and report transactions from occurrence to
    inclusion in the financial statements.
  • The related records whether electronic or manual
    used to initiate or record transactions
  • How the information system captures events and
    conditions significant to the financial
    statements.

24
How can misstatements occur?
  • Does the system allow employees in the accounting
    or IT department to inappropriately override
    automated processes?
  • Ex. Changes to account numbers, vendor or
    customers, or amounts in journals or ledgers
  • Does the IT system leave little or no visible
    evidence of such changes?

25
Nonstandard, nonrecurring, or unusual transactions
  • Do you understand how nonstandard, nonrecurring,
    or unusual transactions are authorized,
    documented, and posted to the system?
  • AU 319.51: Such entries may exist only in
    electronic form and may be more difficult to
    identify through physical inspection of printed
    documents

26
Monitoring
  • Much of the information used in monitoring may be
    produced by IT. This information may be
    unintentionally or intentionally incomplete and
    erroneous. Audit monitoring logs may not be
    retained, may have gaps in them, or be subject to
    alteration. Management and auditors may rely on
    this information and develop a false sense of
    confidence.

27
Audit documentation
  • Complex IT systems
  • Flowcharts, questionnaires, checklists
  • Screen shots, CAAT reports
  • Walkthroughs, narratives
  • Systems with limited use of IT, non-complex, few
    transactions
  • memorandum

28
Assessing control risk at the maximum
  • Only substantive tests are performed
  • Confirm bank balances
  • Confirm a/r
  • Observe inventory
  • Substantive tests are typically performed based
    on information produced by the entity's IT system
  • What evidence do you have that information from
    the IT system is accurate, valid, and complete?

29
  • AU 319.68
  • Is there a significant amount of information
    supporting the financial statements
    electronically
  • Initiated and recorded?
  • Processed and reported?
  • What evidence do you have that controls over IT
    are effective?
  • Your audit evidence derived solely from
    substantive tests may not be competent and
    sufficient

30
Assessing control risk below the maximum
  • AU 319.71
  • Identify the types of misstatements that can
    occur
  • Consider factors that affect the risk of material
    misstatement
  • Identify controls that are likely to prevent or
    detect material misstatement in specific
    assertions

31
Tests of general controls
  • Are changes to programs made without appropriate
    program change controls?
  • Segregation of duties
  • Testing
  • Documentation
  • Authorization

32
  • Are authorized versions of programs used for
    processing transactions?
  • Control of development and test libraries
  • Have changes been made to financial application
    programs?
  • Is packaged software used with modification or
    maintenance?

33
  • Are access logs produced, retained, and
    monitored?
  • Are changes to security settings monitored?
  • Are the security settings appropriate?
  • Are critical files and IT personnel audited?
  • Does someone independent of IT monitor the logs?
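Slides 26 and 33 both come down to one question: can the log the auditor is handed be trusted, or could entries have been dropped, altered, or produced by the same person who made the change? The script below is an added illustration, not part of the presentation and not a J.H. Cohn audit program. It assumes a constructed JSON-lines audit log in which each entry carries a sequence number and the SHA-256 of the previous entry (a hash chain); every log record, user name and action code in it is made up for the example. It shows the three checks an independent reviewer can run over such a log: sequence gaps (retention failures, slide 26), entries whose contents no longer match their stored hash (alteration, slides 24 and 26), and override or security-setting changes approved by the person who made them (segregation of duties, slides 13 and 33).

```python
import hashlib
import json

# Constructed sample events (not from the presentation). Each becomes one
# JSON line in the log; the chain fields "seq", "prev" and "hash" are added
# by build_log.
SAMPLE_EVENTS = [
    {"user": "jdoe", "action": "LOGIN", "target": "GL"},
    {"user": "jdoe", "action": "POST_JOURNAL", "target": "JE-1001", "amount": 12500},
    {"user": "jdoe", "action": "OVERRIDE_LIMIT_CHECK", "target": "JE-1002",
     "amount": 250000, "approved_by": "jdoe"},
    {"user": "admin1", "action": "CHANGE_SECURITY_SETTING",
     "target": "password_policy", "approved_by": "cfo"},
    {"user": "jdoe", "action": "LOGOUT", "target": "GL"},
]

GENESIS = "0" * 64  # prev pointer of the first entry


def entry_hash(prev_hash, seq, event):
    """Hash of one entry: its own fields plus the hash of the entry before it."""
    payload = json.dumps({"seq": seq, "prev": prev_hash, **event}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_log(events):
    """What the application should do: number each event and chain it to the last."""
    lines, prev = [], GENESIS
    for seq, ev in enumerate(events, start=1):
        h = entry_hash(prev, seq, ev)
        lines.append(json.dumps({"seq": seq, "prev": prev, "hash": h, **ev}, sort_keys=True))
        prev = h
    return lines


def verify_log(lines):
    """Reviewer's check. Reports gaps in the sequence, entries whose contents no
    longer match their stored hash, and entries whose prev pointer does not match
    the preceding entry (a neighbour was removed or re-hashed)."""
    findings, expected_seq, prev = [], 1, GENESIS
    for line in lines:
        rec = json.loads(line)
        seq = rec["seq"]
        if seq != expected_seq:
            findings.append(f"gap: expected seq {expected_seq}, found {seq}")
        if rec["prev"] != prev:
            findings.append(f"chain break at seq {seq}: prev pointer does not match preceding entry")
        event = {k: v for k, v in rec.items() if k not in ("seq", "prev", "hash")}
        if entry_hash(rec["prev"], seq, event) != rec["hash"]:
            findings.append(f"altered entry at seq {seq}: contents do not match stored hash")
        prev = rec["hash"]
        expected_seq = seq + 1
    return findings


def unapproved_overrides(lines):
    """Sequence numbers of override / security-setting events with no approver, or
    whose approver is the same person who performed the action."""
    flagged = []
    for line in lines:
        rec = json.loads(line)
        if rec["action"] in ("OVERRIDE_LIMIT_CHECK", "CHANGE_SECURITY_SETTING"):
            approver = rec.get("approved_by")
            if not approver or approver == rec["user"]:
                flagged.append(rec["seq"])
    return flagged


def alter_entry(lines, seq, field, value):
    """Constructed failure case: one field edited outside the application, so the
    stored hash is not recomputed."""
    out = []
    for line in lines:
        rec = json.loads(line)
        if rec["seq"] == seq:
            rec[field] = value
        out.append(json.dumps(rec, sort_keys=True))
    return out


def remove_entry(lines, seq):
    """Constructed failure case: one entry missing from the retained log."""
    return [line for line in lines if json.loads(line)["seq"] != seq]


if __name__ == "__main__":
    clean = build_log(SAMPLE_EVENTS)
    print("clean log:", verify_log(clean) or "no findings")
    print("self-approved overrides at seq:", unapproved_overrides(clean))
    print("edited amount:", verify_log(alter_entry(clean, 2, "amount", 1250)))
    print("missing entry:", verify_log(remove_entry(clean, 3)))
```

Two things the example makes visible that the slides only assert: a dropped entry shows up twice (as a gap and as a broken prev pointer on the next entry), so retention failures cannot be hidden by renumbering alone, and an edit made directly to the stored record is caught even though the sequence is intact. Neither check means anything if the same IT staff who administer the application also hold the only copy of the log, which is exactly the point of the last bullet on slide 33.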

34
Warning for those that assess risk at the maximum
  • Audit samples, records, and reports that
    originate from a control environment that allows
    undocumented, unauthorized, and unmonitored
    changes may not be competent and sufficient.

35
What should I do? I'm not an IT auditor and I
don't have time in my audit budget for this.
  • Take an hour or two and interview the CFO and IT
    manager.
  • Does the CFO take any interest in IT?
  • Who oversees the IT Manager?
  • What are the CFO's and IT manager's attitudes
    toward controlling IT?

36
Interviewing the IT Manager
  • Have the IT manager explain the IT system and how
    financial information is processed.
  • Ask the IT manager how unauthorized changes to
    financial information are prevented and detected.
  • If you don't understand what the IT manager is
    saying, tell him or her so.
  • If they still can't explain it so you understand
    it, they probably don't understand the controls
    either, or worse, there are no controls.

37
Conclusion
  • Even if you assess risk at the maximum, don't just
    copy an old narrative or questionnaire and change
    the date.
  • Take an hour or two to interview the CFO and IT
    manager specifically about IT controls, and
    document and analyze what they say.
  • If you want to assess risk at less than the
    maximum:
  • The JHC IT audit department has general and
    application controls audit programs available.
  • These audit programs can be modified specifically
    for your client
  • We can review the responses and help you assess
    risk and develop management letter comments

38
Questions
39
Thank you