Statement of Auditing Standard No. 94

1
Statement of Auditing Standard No. 94

• The Effect of Information Technology on the
  Auditors Consideration of Internal Control in a
  Financial Statement Audit
• Karl E. Dahlberg, New Jersey, ISACA

Click for Paper
2
IT and Internal Control

• SAS 94 says an organizations IT use may affect
  any of the five internal control components as
  well as how businesses initiate, record, process
  and report transactions. The SAS offers auditors
  some direction by pointing out these key aspects
  of the systems and controls on which
  organizations today rely.

3
Summary of the Audit Process

• Phase I Plan and design the audit approach
• Phase II Perform tests of controls and
  substantive tests of transactions
• Phase III Perform analytical procedures and
  tests of details of balances
• Phase IV Complete the audit and issue the audit
  report

4
Phase I Plan and design an audit approach

• Preplan
• Obtain background information
• Obtain information about contractors legal
  obligations
• Perform preliminary analytical procedures
• Set materiality, and assess acceptable risk and
  inherent risk

5
Phase I Plan and design an audit approach
(cont)

• Understand internal control and assess control
  risk
• Develop overall audit plan and audit program

6
Phase II Perform tests of controls and
substantive tests of trans.

• Plan to reduce assessed level of control risk?
  (Yes/No)
• Perform tests of controls
• Perform substantive tests of transactions
• Assess likelihood of misstatements in financial
  statements

7
Phase III Perform analytical proc. and tests of
details of balances

• Perform analytical procedures
• Perform tests of key items
• Perform additional tests of details of balances

8
Phase IV Complete the audit and issue an audit
report

• Review for contingent liabilities
• Review for subsequent events
• Accumulate final evidence
• Evaluate results
• Issue audit report
• Communicate with appropriate parties

9
SAS 94 Guidance

• Obtaining an understanding of internal control
• Definition of Information Technology
• Five interrelated components
• Potential benefits
• Specific risks

10
Obtaining an understanding of internal control

• A sufficient understanding is obtained by
  performing procedures to understand the design of
  controls relevant to an audit of financial
  statements and determining whether they have
  been placed in operation.

11
In planning the audit, such knowledge should be
used to

• Identify types of potential misstatement
• Consider factors that affect the risk of material
  misstatement
• Design tests of controls, when applicable
• Design substantive tests

12
Definition of Information Technology

• Information technology (IT) encompasses automated
  means of originating, processing, storing, and
  communicating information, and includes recording
  devices, communication systems, computer systems
  (including hardware and software components and
  data), and other electronic devices.

13
Five interrelated components

• Control environment
• Risk assessment
• Control activities
• Information and communications systems support
• Monitoring

14
Potential benefits

• Consistently apply predefined business rules and
  perform complex calculations in processing large
  volumes of transactions and data
• Enhance the timeliness, availability, and
  accuracy of information
• Facilitate the additional analysis of information

15
Potential benefits (cont)

• Enhance the ability to monitor the performance of
  the entitys activities and its policies and
  procedures
• Reduce the risk that controls will be circumvented

16
Specific risks

• Reliance on systems or programs that are
  inaccurately processing data, processing
  inaccurate data, or both
• Unauthorized access to data that may result in
  destruction of data or improper changes to data,
  including the recording of unauthorized or
  nonexistent transactions or inaccurate recording
  of transactions

17
Specific risks (cont)

• Unauthorized changes to data in master files
• Unauthorized changes to systems or programs
• Failure to make necessary changes to systems or
  programs
• Inappropriate manual intervention
• Potential loss of data

18
SAS 82 Exposure Draft

• Assessing the identified risks after taking into
  account an evaluation of the entitys programs
  and controls. This section requires the auditor
  to evaluate the entitys programs and controls
  that address the identified risks of material
  misstatement due to fraud, and to assess the
  risks taking into account this evaluation.