Standards on Technology and Internal Control
By: Gary A. Porter, CPA
Technology offers associations many conveniences, but it can also diminish an auditor’s ability to obtain the desired assurance of balances from substantive year-end tests, primarily because no paper trail exists. Thus, in May 2001, the Auditing Standards Board of the American Institute of CPAs (AICPA) issued Statement on Auditing Standards (SAS) No. 94: The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit. This new statement is an amendment to SAS No. 55: Consideration of Internal Control in a Financial Statement Audit. Since many companies currently operate in a completely electronic environment, the need for this amendment is obvious.
This new standard sets forth several important concepts. Control standards must correspond to the increased volume and complexity of transactions. In the past, most auditors used a memorandum or a checklist to document their findings, a system that was sufficient when working with relatively few transactions. Thanks to technology, however, auditors will have to expand their documentation to include flowcharts, questionnaires, or decision tables to document their understanding of the system of internal control.
The auditor is required to design procedures to understand the control mechanisms and assess control risk for the account balance, transaction class, and disclosure components of the financial statement. If the auditor assesses control risk at the maximum level, it will require significant substantive tests to determine the accuracy of the recorded amounts. If the auditor assesses control risk below the maximum level, it may be more efficient to perform control tests rather than substantive tests. In addition, when financial data exist only in electronic form, the auditor’s ability to obtain the desired assurance only from substandard tests is significantly diminished. This may mean that it is not possible to restrict detection risk to an acceptable level only by the performance of substantive tests. Instead, control tests may be required.
One of the key concepts in SAS No. 94 is that evidential manner may be obtained from tests of controls, planned and performed concurrent with, or subsequent to, obtaining the understanding. Such evidential matter may also come from procedures that were not specifically planned to test controls, but that nevertheless provide evidential matter about the effectiveness of the design and operation of the control.
In our firm, we have long performed limited tests of expenditures by stratifying transactions and looking at high-dollar-value transactions. This is a type of substantive test, and provides the auditor with evidence of the accuracy of recorded balances for the larger-dollar-value transactions by examining underlying documentation. By virtue of looking at the key existing controls to make sure that a transaction is properly recorded, classified, approved, and authorized, we are also testing the controls at the same time. Having relied upon this process to perform our own tests of our own controls for a number of years, it’s nice to finally see it in writing from the AICPA.
The new SAS also points out that technology enables firms to improve effectiveness and efficiency in the following ways:
- Consistently apply predefined business rules and perform complex calculations when processing large- volume transactions or data.
- Enhance the timeliness, availability, and accuracy of information.
- Facilitate additional analysis of information.
- Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures.
- Reduce the risk that controls will be circumvented.
- Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.
At the same time, SAS 94 also describes the specific risks technology poses to internal control, including:
- Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
- Unauthorized access to data may result in destruction of data, improper changes to data, including the recording of unauthorized or nonexistent transactions, or inaccurate recording of transactions.
- Unauthorized changes to data in master files.
- Unauthorized changes to systems or programs.
- Failure to make necessary changes to systems or programs.
- Inappropriate manual intervention.
- Potential loss of data.
SAS 94 states that, while planning an audit, the knowledge gained in obtaining an understanding of internal control and determining whether the controls have been placed should be used to:
- Identify types of potential misstatement.
- Consider factors that affect risk of material misstatement.
- Design tests of controls when applicable.
- Design substantive tests.
Once the auditor has documented this understanding, assessing risk is the next consideration. If the auditor determines that it is more effective or efficient to assess the control risk at less than the maximum level, the auditor should, for the specific assertion involved, consider:
- The nature of the assertion.
- The volume of transactions or data related to the assertion.
- The nature and complexity of the systems, including the use of technology, by which the entity processes and controls information supporting the assertion.
- The nature of the available evidential matter, including audit evidence that is available only in electronic form.
Assessing control risk at the below the maximum level involves:
- Identifying specific controls relevant to specific assertions.
- Performing tests of controls.
- Assessing control risk.
This statement on auditing standards is effective for periods beginning on or after June 1, 2001.