The nature of IT audits has shifted tremendously over the past two decades, spawning several myths in the process. Some of these myths need to be busted for public accounting:
- Myth No. 1: IT audits require auditors to review printouts of programming code.
A number of CPAs still seem to believe that IT auditors need to review programming code regularly in IT audits, especially in the IT audit function of a financial audit. The truth is that it is seldom necessary for IT auditors to spend much time reviewing code. When they do review code, it usually is a short exercise, generally limited to one or two programs and aimed at something specific, such as a particular audit objective.
- Myth No. 2: IT audits require IT auditors to obtain copies of clients’ applications to test them.
If the client is using a commercial off-the-shelf (COTS) application, the CPA firm usually can acquire a copy for testing, if necessary. This is particularly useful if the firm has a number of clients using the same COTS system (e.g., QuickBooks, Microsoft Dynamics, or a Sage product). However, it is not always necessary to test the controls by obtaining a copy of the program. Under the right circumstances, IT auditors can perform the test of controls using a walkthrough. What are the right circumstances? Auditing Standard No. 5 (AS5), footnote 16 defines them as follows: “For example, in the audit of internal control, walkthroughs might provide sufficient evidence of operating effectiveness for some selected controls, depending on the risk associated with the control being tested, the specific procedures performed as part of the walkthrough, and the results of those procedures.” The specific procedures usually include inquiries and observation, including documentation of the controls.
There are other cases in which obtaining a copy of the program for a test of controls might not be required. If the client has custom applications, it might be too difficult to approach tests of controls in this manner, and experienced IT auditors know effective alternatives, such as performing tests of data using computer-assisted audit tools and techniques (CAATTs).
The key in determining the adequacy of controls in applications is to make sure the vendor is reliable and that the version number indicates the application has been in use long enough to be mature.
- Myth No. 3: IT audits require auditors to use extensive data sets.
The technical standards themselves dispute this myth. Both Statements on Auditing Standards (SAS) Nos. 104-111 and AS5 specifically state that under the right circumstances, a test of one instance might produce results sufficient for the IT auditor to determine the reliability and assurance of a specific control. For example, if the outcome of a control is dichotomous, it may be possible to test the affirmative side of the control with a sample of a single instance and gain satisfactory evidence. Other circumstances would lead to larger sets of data.
The existence of a staging area at the client’s facility makes acquiring applications and building data sets more manageable.
- Myth No. 4: IT audits require auditors to use an inordinate amount of time performing procedures.
The truth is that experienced IT auditors use their time efficiently. This is true because of the nature of the modern IT audit and the effectiveness of certain tools, especially CAATTs. IT auditors make the most of their time by taking advantage of concepts such as walkthroughs, CAATTs, and tests of one. In addition, the trained IT auditor knows how to properly scope and balance the audit procedures to include what needs examining, and to properly assess the remaining IT issues as out of scope. Almost all entities have some items in the IT space that are “broken” and need to be “fixed,” but a talented IT auditor is able to distinguish between the issues that are relevant and those that should be used for value-add management comments.
CAATTs provide an enormous advantage to the IT auditor in performing audit procedures, including testing of controls, measuring exceptions, fraud detection, pulling samples, and confirming receivables. Also, CAATTs are useful in examining much of the IT space for assurance services related to Service Organization Control (SOC) reports SOC 1, SOC 2, and SOC 3. In addition, CAATTs are very helpful in the hands of the experienced IT auditor in terms of audit efficiency.
These are not all of the myths that seem to be hanging around, but they represent some of the key ones. With a moderate amount of training, an IT auditor can become effective at recognizing these myths for what they are and proving them false.
Tommie Singleton, Ph.D., CPA (inactive)/CITP/CFF, CISA, CGEIT, is associate professor of accounting at the University of Alabama at Birmingham, where he also is director of the Forensic Accounting Program and Marshall Scholar. He served as the program chair for AICPA IT Audit Training School in 2011.