With the digitisation of information, and advent of new technologies and electronic infrastructure in business, traditional computerised auditing or electronic data processing has been transformed. It is now a specialised systems- and process-oriented technological role that needs to meet the requirements of regulators and regulatory changes in the auditing profession.
An audit is no longer centred around the IT system, requiring manual intensive sampling methods to review loads of documents. It has evolved into a system involving a deeper and broader understanding of the clients’ key business processes relevant to financial reporting, and testing of automated controls, most of which are integrated within the system.
Automation of the roadmap within the audit process has helped audit firms achieve a sharper assessment of audit risks, and increase efficiency and effectiveness in performing audit procedures. Auditors can now perform audits remotely instead of having to spend weeks at the client site, and — with the help of specialist teams — obtain and analyse data, and evaluate the quality of the information processed by computer systems by using Computed Assisted Audit Techniques. This has also helped companies relook at their business processes and enhance the design and operating effectiveness of key controls relevant for financial reporting. The responsibility of ensuring that adequate internal controls are in place rests clearly with the management.
With the emergence of new data enabled smart devices providing enterprise mobility solutions, wireless connectivity, integrated voice, data and video systems, cloud computing, and social media, auditing of IT systems will be exciting and challenging. Today, the IT auditor has taken on a specialist role, and requires significant in-house training and professional development to cater to the needs of the profession and clients. With India poised to become one of the largest consumer markets globally by 2020, and with the proposed retail reforms, young professionals would need to adapt themselves to keep the growth engine going.
IT systems pose specific risks to an organisation’s internal control — these include reliance on systems or programs that are inaccurately processing data, allowing unauthorised access to data that may result in destruction or improper changes, recording of unauthorised or non-existent transactions, inaccurate recording of transactions, breakdown in segregation of duties, unauthorised changes to data in master files or programs, and the failure to make necessary changes to systems or programs.
The auditor should obtain an understanding of the information system relevant to financial reporting, including the reporting process used to prepare the client’s financial statements. These include significant accounting estimates and disclosures, controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments.
Controls in IT systems consist of a combination of automated controls — such as those embedded in computer programs — and manual controls. Furthermore, manual controls may be dependent upon the IT system, or may use information produced by system-generated reports, such as a debtors ageing or a sales report.
As an audit tool, Computed Assisted Audit Techniques (CAATs) are computer programs and data that an auditor uses to process data of audit significance in a client’s IT system. CAATs allow the auditor to obtain access to data without depending on the client, test the reliability of client software, and perform audit tests more efficiently. They are most commonly used in tests of details of transactions, such as for re-calculating interest or extraction of invoices over a certain value from computer records or the analysis of journal vouchers. They are also used to test the set-up or configuration of the operating system or access procedures to the program libraries, and test application controls such as testing the functioning of a programmed control and re-performing calculations performed by the client’s accounting systems.
To conclude, with the paradigm shift to risk-based audit approach, the involvement of IT specialists helps identify and consider risks posed by the client’s use of information technology, and assists in the understanding and evaluation of internal controls relevant to an audit.
The role of IT auditors is set to change from only ensuring compliance to adding value to the business by improving efficiency, suggesting best practices, and identifying areas of improvement for their clients. The role of IT education in the auditing process is crucial for nurturing and retaining young talent in the auditing profession
(Balaji Ganesan is Partner, and Arvind Nath is Associate Director at Price Waterhouse)