
The Impact of Enterprise Systems on Audits of Small Entities

Lela Kitty Pumphrey
Professor of Accounting
Campus Box 8020
Idaho State University
Pocatello, ID 83209
208-282-4292 (voice)
208-282-4367 (fax)
pumplela@isu.edu

Ken Trimmer
Assistant Professor of Computer Information Systems
Campus Box 8020
Idaho State University
Pocatello, ID 83209
208-282-3788 (voice)
208-282-4367 (fax)
trimkenn@isu.edu

AAA Section: Auditing

Abstract

Small business integration of enterprise systems affects risks and internal control. Ideally, the use of enterprise systems should enhance internal control. However, enterprise systems can introduce new risks that may go undetected if the auditor does not adequately test system processes. Small audit firms appear more likely than large firms to place too much reliance on the untested accuracy of computer-generated data. To identify trends, we interviewed three independent auditors of small audit firms that audit small businesses that use enterprise systems. We found that none of the firms have formal policies for auditing such company environments.

Keywords: Auditing, Enterprise Resource Planning, Small Firms

I. Introduction

In recent years, auditing procedures and techniques have undergone many changes. These changes are often in response to external forces such as changes in auditing standards or changes in the way clients process data. Many of these adjustments (both in auditing standards and in procedures and techniques used by auditors) are in direct response to advances in the technology clients use to process the data from which financial statements are prepared. Currently, auditors are trying to find new ways to audit recent technological innovations: enterprise systems. In order to provide reasonable assurance to support an opinion, auditors must continually develop new procedures to audit enterprise systems. Many of these technological advances have shifted the audit focus from auditing the details of transactions to auditing systems and/or processes. The accounting profession is changing, and the integrity of information and management systems is becoming the focus of audit work (Ravlic, 2003).

Although the audit industry is experiencing technological shifts, auditors of small auditees appear to be slow to change their audit procedures to reflect the changing environment. Auditors surveyed said that although they perform some tests of the information system for reliance on internal controls, generally they only audit the output of the system. Larger auditing firms are more likely to provide audits of the integrity of systems that develop numbers for the financial statements. This indicates a difference between the way large firms and small firms conduct audits of smaller entities.

It is important for auditors to have a clear understanding of the potential consequences of their clients' implementation of complex enterprise systems. Such consequences may include a lack of visibility of the audit trail, unauthorized access, loss of data, lack of segregation of duties, more time-consuming audit procedures, and lack of auditor training. Of the auditors interviewed, all attested to the increased time and cost associated with auditing companies with enterprise systems. Enterprise systems were implemented on a company-wide basis at all three companies audited.

II. Methodology

To obtain information about the current state of auditing procedures practiced by auditors of smaller entities with significant computerized information systems, a case study was conducted. A questionnaire was derived from an instrument developed by the Institute of Internal Auditors (IIA, 2003) (Appendix A). A representative auditor from each of three firms agreed to be interviewed by the researchers. The three firms were selected to be representative of sizes of audit firms: a small, one-office accounting firm; a small accounting firm with multiple offices in the intermountain west; and a local office of a large international accounting firm. The three firms were not selected at random but rather were selected to allow a pilot study involving three different size firms, each of which audited smaller clients. Smaller clients were defined as nonpublic clients with gross revenues under $100 million. Selection of this amount allowed the auditors interviewed to address the questions relative to audit clients of approximately the same size.

III. Integrated (Enterprise) Systems

Integrated enterprise systems present an entirely new set of risks to the audit. Some of these risks are pervasive systemic errors, security, privacy, and transaction integrity. It is necessary for auditors to pay attention to transaction authorization, duplication or modification of information, and the timeliness of system processing. External auditors should review documentation including company procedures and policies. External auditors should also review transaction files to better understand the system and to track the flow of transactions. This allows auditors to assess the financial statement assertions (existence, completeness, rights and obligations, valuation and allocation, and presentation and disclosure).

Audit risk increases as firms implement advanced systems to monitor their firms' operations. Enterprise systems are implemented to support the operations of an organization and require complete integration to be successful. Enterprise systems can add to the risks or challenges of auditing an organization. Additional auditing risks include the business environment, business processes, system functionality, application security, data integrity, and business continuity (ISACA, 2003).

Furthermore, although audit guidelines for some systems exist (AuditNet.org, 2005), these aids are available for top-tier enterprise systems such as SAP/R3, Oracle, Baan, and PeopleSoft. An audit guide exists for the J.D. Edwards enterprise software (AuditNet.org, 2005), a series of applications that smaller firms may encounter. However, J.D. Edwards, as part of PeopleSoft, is now part of the Oracle Corporation. Due to the size of organizations employing top-tier enterprise systems, such institutions typically are not audited by the smaller firm. Lacking specific domain expertise, smaller audit firms are also denied audit guidelines for the specific enterprise systems they may encounter.

It is necessary to perform an assessment of the enterprise system when it is introduced, and each time it is upgraded or modified, in order to identify critical controls supporting key business processes. The objective of the enterprise system assessment is to determine the adequacy of the design and to assess any risks.

IV. Auditing Standards

AICPA Statement on Auditing Standards No. 94 (SAS No. 94) (AICPA, 2001) was issued to address the changing risks involved with auditing information systems. In a fully integrated environment, a significant amount of information supporting one or more financial statement assertions is electronically initiated, recorded, processed, or reported. Visibility of the audit trail is reduced when enterprise systems are used company-wide. Significant audit evidence may be available only in electronic form. The ability to collect competent and sufficient evidence may be impaired when auditing an enterprise system.

Increased risk of failing to identify material misstatements prompts small company auditors to set control risk at the maximum. Tests of system processes should be completed in order to lower control risk. However, two out of three auditors interviewed said that they placed more reliance on application and general controls to lower control risk below the maximum. The problem with this is that small company auditors rely on controls that are embedded in the software instead of testing them. Enterprise systems enable increased speed of transaction processing, which heightens the risk of systematic errors. These types of errors are difficult to identify if the auditors are not auditing system processes.

Further, we found that most small company auditors do not audit systems differently whether the systems are off the shelf or developed internally. Internally developed enterprise systems present higher risks because the systems have not been tested extensively. There is no outside guarantee that the system is sufficiently reliable. Enterprise systems have advanced, resulting in increased reliability of off-the-shelf systems, but internally developed systems do not provide the same level of assurance.

It is becoming increasingly important for auditors to understand the enterprise systems they audit (ISACA, 2005). An advanced understanding of enterprise systems is necessary since many transactions are completed entirely in electronic form. Auditors performing audit services for clients will need to be well versed in the software they are auditing because of the lack of supporting documentation. Auditors will need to revise their traditional audit approach by focusing on an organization's enterprise system work flow and the associated risks that may occur. Small company auditors are concerned with meeting the requirements of auditing standards, and are performing only the minimum procedures to satisfy due diligence.

The rapid speed of enterprise systems integration reduces an auditor's reliance on historic data because the audit information is generated in real time and exists within the computer. This causes new problems for auditors since documentation may not be available at the time of the audit.
Information within the system is always changing, making it difficult for auditors to go back and verify information for a given point in time. The company's business practices and internal controls must be relied on heavily by auditors in order to provide reasonable assurance about the numbers depicted in the financial statements.

Auditors of small company enterprise systems should be concerned that only authorized transactions are transmitted and received. They must perform tests of controls to verify that transactions are not duplicated, altered or lost during processing. Further, it is important to obtain an adequate understanding of internal controls of enterprise systems to enable the auditor to rely on the system. This is required to prove these processes can be relied on and to give an unqualified audit opinion. The auditors we spoke with seemed to compensate for a lack of system testing by performing more balance sheet confirmation.

Most large accounting firms have been forced to modify their audit procedures to address the technological advances in integrated enterprise information systems. Auditors are relying more on system processes as business transactions become more integrated. In contrast, small company auditors have not spent much time or effort redesigning their audit approach to address new concerns. These auditors reassess control risk when systems are modified or upgraded; however, none of the firms contacted have specific audit procedures designed to identify added risks.

Most auditors realize that financial auditing skills along with technological auditing skills are extremely important to be able to adequately audit an enterprise system. SAS No. 94 provides guidance to help auditors in determining if an IT specialist will be needed for an assignment. It may be necessary to hire a computer specialist to assist in auditing the system (Pathak and Lind, 2003). In contrast, we discovered that the need for specialists was seldom considered by firms auditing small companies. Additionally, the audit firms did not modify their recruitment efforts to recruit people with IT backgrounds. Staff accountants are expected to have a certain level of technological competency when they join an accounting firm. The auditors surveyed did not feel additional IT credentials were necessary.

An enterprise system audit requires the performance of substantive tests for significant account balances and transaction classes. It specifically requires the auditor to gain an understanding of how the entity uses its enterprise system and how manual procedures affect controls. The extent and nature of the effectiveness of internal controls will vary and depend largely on whether the system is internally developed or purchased off the shelf.

The trend in auditing small companies is that auditors depend heavily on enterprise system controls to ensure that the data is processed correctly. Auditors of small businesses tend to audit around the computer, relying solely on the output of the enterprise system. By assessing control risk at the maximum and relying on other controls, the auditor may not be performing an effective audit. This is caused by a lack of visibility of audit documentation.

We asked our subjects specifically which types of risks they associated with auditing small company enterprise systems. The most frequently identified risks include unauthorized access and the risk of not identifying material misstatements. Small company auditors are concerned with improper application controls. Failure to limit access decreases data integrity, thereby increasing the risk of material misstatement in the financial statements.

System controls are only one aspect of internal control. Enterprise systems are increasingly integrating functions and organizations, creating new concerns for auditors about the design and programming of the systems. This makes it difficult for the auditor to provide reasonable assurance based solely on the enterprise system. All internal control systems, regardless of their design, face certain inherent limitations that make absolute assurance impossible.
In an IT system, errors can occur in designing, maintaining, or monitoring automated controls. The Committee of Sponsoring Organizations of the Treadway Commission (COSO, 1985) report is enforced by SAS 94 and requires the auditor to obtain an understanding of each of the five elements of internal control (control environment; risk assessment; control activities; information and communication; and monitoring) in order to plan an effective audit.

A complex enterprise system allows the organization to process a large volume of transactions in a short amount of time. Small company auditors assess the control risk at maximum in order to reduce the time and cost involved with the audit. However, small audit firms auditing small companies do not have the resources to extensively test processes to obtain reasonable assurance of the financial statements.

In gaining an understanding of internal controls, auditors need to identify the types of misstatements that could occur in financial statements. When financial information is generated in an enterprise system, the risk of error in the financial statements may increase depending on the controls in place. SAS 94 states, "When evidence of an entity's initiation, recording, or processing of financial data exists only in electronic form, the auditor's ability to obtain the desired assurance only from substantive tests would significantly diminish" (Youngwon Shin, 2003).

SAS No. 94 raises the bar by requiring the auditor to consider how an organization's IT use affects his or her audit strategy. A key aspect of this strategy is the auditor's decision on whether to design and perform tests of controls or to assess control risk at a maximum level and perform only substantive tests (Tucker, 2001). One of the subjects indicated that they set control risk at a maximum and rely on other controls to reduce control risk.
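Section IV says auditors must test that transactions are not duplicated, altered or lost during processing. The following sketch, an added example that is not part of the original paper, runs that test through the computer by reconciling a source-module extract against ledger postings; the record layout, field names and sample records are constructed assumptions.

```python
import hashlib
from collections import Counter
from decimal import Decimal

# Assumed extract layout: one dict per document, amounts as strings.
FIELDS = ("doc_id", "date", "account")

def digest(rec):
    """Hash the fields that must pass through processing unchanged."""
    amount = Decimal(rec["amount"]).quantize(Decimal("0.01"))
    canon = "|".join([str(rec[f]) for f in FIELDS] + [str(amount)])
    return hashlib.sha256(canon.encode()).hexdigest()

def total(records):
    return sum(Decimal(r["amount"]) for r in records)

def reconcile(source, posted):
    """Compare what the source module recorded with what reached the ledger."""
    src = {r["doc_id"]: r for r in source}
    post = {r["doc_id"]: r for r in posted}
    counts = Counter(r["doc_id"] for r in posted)
    ids = sorted(src)
    return {
        # Recorded at source but never posted (completeness).
        "lost": sorted(src.keys() - post.keys()),
        # Posted more than once.
        "duplicated": sorted(d for d, n in counts.items() if n > 1),
        # Posted, but a protected field differs from the source record.
        "altered": sorted(d for d in src.keys() & post.keys()
                          if digest(src[d]) != digest(post[d])),
        # Posted with no originating document (authorization, existence).
        "no_source": sorted(post.keys() - src.keys()),
        # Breaks in the source document numbering.
        "sequence_gaps": [n for n in range(ids[0], ids[-1] + 1) if n not in src],
        # Control total: ledger amount minus source amount.
        "control_total_diff": total(posted) - total(source),
    }

# Constructed sample data, not taken from any real system.
SOURCE = [
    {"doc_id": 1001, "date": "2004-03-01", "account": "4000", "amount": "120.00"},
    {"doc_id": 1002, "date": "2004-03-01", "account": "4000", "amount": "75.50"},
    {"doc_id": 1003, "date": "2004-03-02", "account": "4000", "amount": "250.00"},
    {"doc_id": 1005, "date": "2004-03-02", "account": "4100", "amount": "40.00"},
    {"doc_id": 1006, "date": "2004-03-03", "account": "4000", "amount": "310.25"},
]
POSTED = [
    {"doc_id": 1001, "date": "2004-03-01", "account": "4000", "amount": "120.00"},
    {"doc_id": 1002, "date": "2004-03-01", "account": "4000", "amount": "75.50"},
    {"doc_id": 1002, "date": "2004-03-01", "account": "4000", "amount": "75.50"},
    {"doc_id": 1003, "date": "2004-03-02", "account": "4000", "amount": "520.00"},
    {"doc_id": 1006, "date": "2004-03-03", "account": "4000", "amount": "310.25"},
    {"doc_id": 1099, "date": "2004-03-03", "account": "4000", "amount": "999.00"},
]

if __name__ == "__main__":
    for finding, value in reconcile(SOURCE, POSTED).items():
        print(f"{finding}: {value}")
```

The control total alone can hide offsetting errors, which is why the per-document checks are reported separately.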

V. Conclusion

This case study reveals that small firms auditing small companies with enterprise systems have not taken appropriate steps to understand the impact enterprise systems have on the financial statements. These firms have not implemented formal policies to audit enterprise systems. It appears that small firms are not concerned with specializing in IT audits and do not feel the need to differentiate based on IT knowledge. To emphasize this point, several of the smaller auditing firms we contacted were not familiar with the term "enterprise system."

Further, small audit firms do not place a greater importance on IT training. They do not look for people with an IT background to audit enterprise systems. Small firms still audit around the computer and rely too heavily on system controls. They primarily audit the output of the computer and have not taken steps to formalize policies about auditing systems. The trend is different for larger audit firms, which are competing based on specialization. Larger firms tend to emphasize IT training and certification as part of their strategy to specialize.

VI. References

American Institute of Certified Public Accountants (AICPA). 2001. Statement on Auditing Standards No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit. New York, NY.

AuditNet.Org. 2005. Auditors Sharing Audit Programs. http://www.auditnet.org/asapind.htm. Accessed 1/16/2005.

Information Systems Audit and Control Association (ISACA). 2005. IS Auditing Guideline: Enterprise Resource Planning (ERP) Systems. http://www.isaca.org/Content/ContentGroups/Standards2/Standards,_Guidelines,_Procedures_for_IS_Auditing/IS_Auditing_Guideline_Enterprise_Resource_Planning_(ERP)_Systems_Review1.htm. Accessed 1/16/2005.

Pathak, Jagdish, and Lind, Mary R. Integrated Information Systems, SAS 94 & Auditors. http://www.ssrn.comp, January 2003.

Ravlic, Tom. The heart of Future Audits. The Age Company Limited, September 20, 2003.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO). 1985. New York, NY.

The Institute of Internal Auditors (IIA). 2003. Impact of ERP System Adoption on Internal Audit Function. http://www.gain2.org/erp2.htm. Accessed 1/16/2005.

Tucker, George H. IT and the Audit. Journal of Accountancy, September, 2001.

Youngwon Shin, Ryan. XBRL, Financial Reporting, and Auditing. The CPA Journal, December 10, 2003.

APPENDIX

Internal Control Issues of Auditing ERP Systems: Survey

1. Enterprise Resource Planning (ERP) System Questions

What ERP functions are currently used by your audit clients? (Check all that apply)
    All ERP functions listed; Payroll; Human Resources Management; Production Management; Financial Accounting; Workflow; Management Accounting; Sales & Distribution; Industry Solutions; Other

Which ERP system(s) is your company currently auditing?
    SAP; JD Edwards; Oracle; PeopleSoft; Baan; Other

Is the ERP system that you are currently auditing implemented on a company-wide basis?
    Yes; No

To what degree is the ERP system you are currently auditing integrated into your clients' suppliers' systems?
    All suppliers; Some suppliers; No suppliers

In what year did the ERP system first affect the audit? ____________

2. External Auditing: Transition to ERP System Audit

Does your firm have formal policies for auditing small companies with ERP systems?
    Yes; No

What level of control risk do you assess for off-the-shelf systems? ______ (high, medium, low or a specific %)

If the system is modified by internal programmers, do you take additional steps to understand internal control?
    Yes; No
    What steps do you take?

Do you assess a different level of control risk for off-the-shelf systems that are internally modified?
    Yes; No
    If yes, at what level do you assess the control risk? ______ (high, medium, low or a specific %)

In auditing the system, what do you focus more on?
    Information output; How the information is processed

How do you perform the audit of the ERP system?
    Audit around the computer
    Audit through the computer. If checked, select how you audit:
        Test data approach; Parallel simulation; Embedded audit module approach

Rank Effectiveness of Control

                                    Low     Medium  High
General Controls
    Administration function         ____    ____    ____
    Physical security               ____    ____    ____
    Online security over access     ____    ____    ____
    Back-up planning                ____    ____    ____
Application Controls
    Input controls                  ____    ____    ____
    Processing controls             ____    ____    ____
    Output controls                 ____    ____    ____

What is the involvement of the internal auditors in assisting the external auditors in understanding how to audit the ERP system?
    Does not participate.
    Participated only by teaching the auditor how to use the ERP system.
    Fully participated.

When the system code is upgraded or enhanced, do you reassess control risk of the system?
    Yes; No

How does the transition to an ERP system by your client affect the time and cost involved in the audit?
    No effect.
    Increase time and cost.
    Decrease time and cost.

3. Risk Assessment and Risk Management

For each audit, indicate how the ERP system has changed the level of risk and your ability to assess and manage that risk in determining reliance on internal controls.

What is your perceived level of risk involved in auditing a firm with an ERP system?
    Increase risk.
    No change.
    Decrease risk.

What risks has your firm identified in auditing small companies with ERP systems?
    Lack of visibility of audit trail.
    Risk of unauthorized access.
    Risk of fraud or employee defalcation.
    Risk of not identifying material misstatements.
    Loss of data.
    Reduced segregation of duties.
    Lack of traditional authorization.
    Lack of training: auditor inexperienced with system.
    Inability to assess the completeness of information.
    Risk of transactions being misclassified.
    Unjustified reliance on the system to establish existence of transactions.
    Risk of transactions being stated at incorrect amounts.
    Inaccurate reporting of rights and obligations.
    Failure to identify timeliness of transactions.

For each audit of a small company with ERP systems, how does your company assess the impact of technology on control risk?

Change in the Assessment of Control Risk

                                        Increase Risk   No change   Decrease Risk
Security of System                      ____            ____        ____
Data Integrity                          ____            ____        ____
Contingency Plan                        ____            ____        ____
Educated Operators                      ____            ____        ____
System Upgrades                         ____            ____        ____
System interface with Other Systems     ____            ____        ____
Other (Please specify)                  ____            ____        ____

How has the ERP system changed the costs involved with the audit?

Change in the Cost of the Audit

                                        Increase Cost   No change   Decrease Cost
Use of Specialist                       ____            ____        ____
Planning the Audit                      ____            ____        ____
Training Staff on The System            ____            ____        ____
Modify timing of audit Procedures       ____            ____        ____
Other (Please specify)                  ____            ____        ____

4. Personnel Issues

How has the introduction of ERP systems into small companies being audited changed the way you recruit auditors?
    No change
    Increased recruitment of auditors with information technology training

Which types of training does your firm require to keep its auditors knowledgeable about ERP systems?
    Internet research
    Classroom instruction
    Professional seminars
    Staff training by small business being audited
    Other, please specify

Did the implementation of the ERP system result in turnover of key accounting personnel at the company under audit?
    Yes; No

5. Demographics for the Audited Company

What was the total revenue for the last fiscal year? $_______________

What were the total assets at the end of the last fiscal year? $_________

What is the number of full-time employees? ________________

How many internal auditors are working at the company? _________

How long have you been auditing this company?
    0-5 years; 5-10 years; 11-15 years; More than 15 years

How many years of audit experience do you have?
    0-5 years; 5-10 years; 11-15 years; More than 15 years

Auditor's Education
    Bachelor's in Business
    Bachelor's Other. Please specify _______________________
    Graduate degree in Business
    PhD. Please specify Area ______________________________
    Law degree
    Other. Please specify _________________________________

Check all professional certifications that apply
    CPA; CIA; CMA; CISA; CFA; Other, Please specify __________________________
