
30/08/2016

How the IT Auditor Can Make Substantive Contributions to a Financial Audit
Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CMA, CPA

IT auditors have been making contributions to financial audits almost since the beginning of the IT age, when entities other than governments began to use computers for financial-related business processes. In fact, some of the initial IT auditors were pioneers in creating most of the techniques and procedures they used, many of which have become commonplace, e.g., using IT as an audit tool (reconciling inventory to digital records),1 segregation of IT duties,2 integrated test facilities (ITFs),3 and generalized audit software4 (also known as computer-assisted audit tools/techniques [CAATs]).
Over the years, financial audit technical literature has added to the importance and need for IT auditors in financial audits, e.g., Statement on Auditing Standards (SAS) No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit.5 Obviously, the US Sarbanes-Oxley Act of 2002 also increased the importance and need for IT auditors in financial audits, especially in assessing controls and integrating the results into a risk-based approach (RBA) audit for publicly traded entities. But, the adoption of the risk-based standards (SAS No. 104-111) in 2006 probably increased the importance of and need for IT auditors more than any other previous standard or event since the advent of the computer into businesses.
This article describes some of the key contributions IT auditors can make in a financial audit. These potential benefits should be reasons to make sure that IT auditors are utilized to the fullest potential possible in financial audits.

Tests of Controls
The first contribution is a traditional one, tests of controls (ToC). When the financial audit team plans to rely on one or more controls, those controls need to be tested for assurance that they are operating effectively and were throughout the financial period. Today, that usually means an automated control and, thus, the need for an IT auditor (e.g., a Certified Information Systems Auditor [CISA]).
There are some keys to effective employment of ToC that IT auditors need to know and understand. First, there is a high potential benefit to use ToC when an automated control exists whose purpose is essentially the same as the audit objective for some further audit procedure (i.e., they overlap). When this situation exists, there is a potential to gain efficiencies (e.g., less labor) and effectiveness (e.g., testing at 100 percent). Second, if ToC are to be done, the IT auditor must have sufficient assurance of the effectiveness of IT general controls. Third, the risk-based standards require that the relevant IT controls were designed properly and implemented. The IT auditor will need evidence to that effect, which should be in the results of the risk assessment phase of the financial audit. One last important point: It is possible, under the right circumstances, for the IT auditor to conduct a test of only one transaction and be in compliance with technical literature (both the Public Company Accounting Oversight Board [PCAOB]'s Auditing Standards and American Institute of Certified Public Accountants' SAS).
The specific nature of ToC varies, but could include the need to process a transaction on the operational system (often impractical), obtaining a copy of the software and testing the control on one of the enterprise's computers (difficult if the software is not a common commercial product), testing in a staging area,6 or some other effectual process.

CAATs
The use of CAATs is, of course, another traditional and fairly frequent activity for IT auditors in a financial audit. The use of CAATs is often associated with data mining7 (extracting data) and data analysis. Data analysis is usually associated with either gathering evidence or tests for certain audit objectives (e.g., testing for certain anomalies).
Perhaps no other tool or technique is as valuable to the IT auditor as CAATs. It is also important to note that CAATs continue to advance in their capabilities and functionality. For instance, in the last few months, several CAATs are now able to read PDF files/digital documents and reliably parse data in the extraction process.
It is, therefore, important for IT auditors to develop sufficient skills and abilities using CAATs in order to be positioned to provide maximum benefits to an audit.8 IT auditors need to know the CAATs available in the market, evaluate the needs of the audit, and find an effective fit for the combination of tools and audit objectives.

Substantive IT-related Procedures
Substantive IT-related procedures are closely associated with CAATs. They can be used to support, complement or replace substantive procedures for further audit procedures. It is not uncommon for an experienced IT auditor to brainstorm with the audit team as the audit plan and further audit procedures are being developed and for the IT auditor to recognize the opportunity to gain efficiencies or effectiveness by including an IT-related procedure.
It could be as simple as using a CAAT to generate sample data for substantive testing. There have been reports of significant labor reduction by using this technique alone.
It can, of course, be more sophisticated. For example, the IT auditor may suggest a substitution for manual substantive procedures related to subsequent events on testing liabilities. Specifically, the IT auditor could extract all bills paid in the first month of a new fiscal year, use the data set of invoices that were recorded in the prior month (fiscal year being audited) and identify any liabilities that were not recorded properly. The traditional process normally involves hours, even if there is a cutoff amount, of pulling invoices and tracing/auditing transactions. In addition to a likely reduction in labor, this IT approach tests 100 percent of the transactions.
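
The subsequent-payments test described above, sketched as an added example that is not part of the original article: every bill paid in the first month after year-end is matched against the payables recorded at year-end, and prior-year invoices that are missing or recorded at a different amount are reported. The column names, function names, sample rows and the 31 Dec 2010 year-end are assumptions made for illustration.

```python
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed sample extracts (not real data): the year-end payables register
# and January cash disbursements for a 31 Dec 2010 year-end. Column and
# function names are this example's assumptions, not any CAAT product's.
RECORDED_AP = """vendor,invoice_no,amount
ACME,INV-1001,1200.00
ACME,INV-1002,350.50
GLOBEX,7781,9800.00
"""
JAN_PAYMENTS = """vendor,invoice_no,invoice_date,amount,paid_date
ACME,inv-1001 ,2010-12-18,1200.00,2011-01-05
ACME,INV-1002,2010-12-20,530.50,2011-01-07
GLOBEX,7782,2010-12-29,4100.00,2011-01-12
INITECH,A-55,2011-01-03,610.00,2011-01-20
GLOBEX,7790,2010-12-30,75.00,2011-02-02
"""

def _key(row):
    # Normalize so keying differences (case, stray spaces) do not hide a match.
    return (row["vendor"].strip().upper(), row["invoice_no"].strip().upper())

def find_unrecorded_liabilities(ap_csv, paid_csv, year_end, window_end):
    """Return (vendor, invoice_no, reason, amount at issue) per exception."""
    recorded = {_key(r): Decimal(r["amount"])
                for r in csv.DictReader(io.StringIO(ap_csv))}
    exceptions = []
    for p in csv.DictReader(io.StringIO(paid_csv)):
        paid = date.fromisoformat(p["paid_date"])
        invoiced = date.fromisoformat(p["invoice_date"])
        # In scope: bills paid in the first month after year-end whose
        # invoice date falls in the fiscal year being audited.
        if not (year_end < paid <= window_end) or invoiced > year_end:
            continue
        amount, key = Decimal(p["amount"]), _key(p)
        if key not in recorded:
            exceptions.append((*key, "not recorded at year-end", amount))
        elif recorded[key] != amount:
            exceptions.append((*key, "recorded at different amount",
                               amount - recorded[key]))
    return exceptions

if __name__ == "__main__":
    for e in find_unrecorded_liabilities(RECORDED_AP, JAN_PAYMENTS,
                                         date(2010, 12, 31), date(2011, 1, 31)):
        print(e)
```

Because the comparison runs over the full extracts rather than a sample, every in-scope payment is tested; the exceptions list is what the audit team then traces to source documents.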

Value-add Management Comments
The benefit of management comments can be overlooked or misunderstood. While IT auditors need to scope their efforts to the risk of material misstatement (RMM) and financial audit in the process of evaluating controls in the risk assessment phase or in conducting procedures in the further audit procedure phase, IT auditors will likely discover something broken in the IT space that management would likely want to fix. In particular, it seems that security-related issues arise in many audits. It is also likely that should the audit team point out to management a security risk, even one that is irrelevant to the RMM, management will be grateful to have been informed.
For instance, in an entity with excellent access controls at the application level and at the server/network level, but poor controls at the perimeter, it is likely that the IT auditor and audit team would decide the perimeter weakness is irrelevant for financial audit purposes because the access controls closer to the data in the two other areas compensate for the perimeter weakness. However, management would probably appreciate being informed of the nature of that exposure and of any recommendations to mitigate the perimeter risk. These types of comments do add intangible value to the audit.
Because of the nature of IT comments, it usually takes an IT auditor to recognize these opportunities for value-add management comments. Therefore, the IT auditor needs to become an auditor surgeon in evaluating the IT space: carve out what is relevant, make a contribution to the audit and leave the rest out, but, simultaneously, examine both parts for potential value to the client via management comments.

Integrated Audit
IT auditors can often see opportunities for the previously identified benefits of their participation, which financial auditors (without an IT background) may not be able to identify. In fact, some IT auditors have the reputation of always adding value to an audit because of their ability to provide some of the benefits listed previously. Regardless, the IT auditor can always contribute to the financial audit by bringing an accurate assessment of the RMM, inherent risk associated with IT and control risk.
The RBA auditing standards describe a process whereby auditors take a rigorous approach to accurately identifying the level of risk in account balances, classes of transactions and disclosures. That is, each aspect is evaluated on its own level of risk with no pre-audit assumptions. Then, for those aspects with a high RMM, the audit team develops relatively high-powered tests; for moderate risk, moderate-power tests; and for low risks, low tests (i.e., the RBA standards require an alignment of risk with the nature, timing and extent [NTE] of further audit procedures). The assumption in the RBA is that the audit team will start with a clean slate each year, albeit prior audits and other information are key to the audit planning phase. A process that insulates or ignores the work of IT auditors in the risk assessment phase, or that overlooks the risk assessment report, clearly violates the spirit of the RBA standards. Therefore, the IT auditor needs to make every available effort to be engaged and involved with the audit planning phase, and to bring evidence, conclusions and information about controls and risks to that process, in order to end up with the optimal audit plan.
The PCAOB is emphatic on this subject: It is one audit, not two.

Conclusion
This article attempts to describe some of the major benefits an IT auditor can bring to a financial audit. These benefits include tangible ones, such as labor savings, and intangible ones, such as audit quality and value-add management comments. The list is not intended to be exhaustive, but is illustrative and contains the more common benefits. Generally speaking, IT auditors will want to become familiar with these areas of opportunity to make themselves valuable partners in financial audits and to purposely develop their skills in these areas. Obviously, a key to being successful in these areas is to be persuasive and articulate in presenting these possibilities to audit partners and managers.

Endnotes
1 Created by Frank Howell, US Air Force (USAF) Auditor General's Staff, published in N.A.C.A. Bulletin, June 1956
2 Created by the US Air Force. An article on the subject was published by USAF in 1961.
3 The ITF concept was created by William Perry at Kodak. ITF is a phony business unit embedded in the entity's systems in which transactions do not affect legitimate financial transactions. Today, a staging area serves the same purpose, but is not embedded in live systems.
4 The seminal tool was AUDITAPE, introduced in 1967 and developed primarily by Ken Stringer of Haskins & Sells.
5 See Cerullo, Virginia; Michael Cerullo; "Impact of SAS No. 94 on Computer Audit Techniques," Information Systems Control Journal, vol. 1, 2003, for more on the impact of this particular standard.
6 A staging area is a special location where the entity's system is simulated offline for testing purposes.
7 See Singleton, Tommie W.; "Data Extraction, A Hindrance to Using CAATs," ISACA Journal, vol. 6, 2010, for more information on this key step.
8 The ISACA Journal regularly publishes effectual articles on CAATs, and therefore this section does not go into details about how to use CAATs. It merely addresses the high value CAATs have in financial audits in general. For additional information, see ISACA's IT Audit and Assurance Guideline G3 Use of CAATs, www.isaca.org/standards.

Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CMA, CPA
is an associate professor of information systems (IS) at the University of Alabama at Birmingham (USA), a Marshall IS Scholar and a director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting IS using microcomputers. Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr Riggs Ingram, a large regional public accounting firm in the southeastern US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His articles on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications, including the ISACA Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors' content.
© 2011 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

http://www.isaca.org/Journal/archives/2011/Volume1/Pages/HowtheITAuditorCanMakeSubstantiveContributionstoaFinancialAudit.aspx
