Implementing SAS no. 55 in a computer environment; strategies for addressing control risk in entities that use computers to process accounting transactions.
Because the majority of businesses use computers to process significant accounting transactions, the guide contains many examples of the computer processing aspects of an entity's internal control structure. This article summarizes much of that guidance and, in the process, answers some of the most frequently asked questions about how to apply SAS no. 55 in a computerized environment.
For audit practitioners not intimately familiar with computerized environments, it's important to recognize both their weaknesses and their strengths. On one hand, computer systems involve certain basic risks, such as the difficulty of detecting unauthorized changes to data files (although safeguards do exist). On the other hand, computer systems offer certain benefits. For example, with consistent use of the same computer program, like transactions will be processed in exactly the same way, and human error in processing won't be a factor. By the same token, an error in the program itself will be applied uniformly to every transaction it processes, which is why controls over program changes and program access matter so much.
KNOWLEDGE OF THE INTERNAL CONTROL STRUCTURE
SAS no. 55 says the auditor must gain sufficient understanding of an entity's internal control structure to plan the audit. Exactly what that means will vary based on the facts and circumstances and the audit strategy selected. But in every case, the auditor needs to know enough about the three elements of the control structure--the control environment, the accounting system and control procedures--to recognize the potential for material misstatements that can occur in an assertion and to be able to use that information in designing an effective audit plan. Exhibit 1, page 64, provides some examples of the computer aspects of these three elements.
THE CONTROL ENVIRONMENT
The first element the auditor must understand is the client's control environment. This includes matters such as management's philosophy and operating style, the method of assigning authority and delegating responsibility and the "tone at the top." These factors can have a pervasive effect on other elements of the control structure. In a small organization, the owner--manager sets the tone for the care given to executing and recording transactions. In a larger organization, senior management's attitude determines the care with which lower management levels carry out the entity's plans.
In considering the computer aspects of the control environment, the auditor should focus on such factors as management's involvement in setting and monitoring computer operations policies, testing program changes and controlling access to programs and data files. Obtaining an understanding of these control environment factors may involve inspecting accounting and computer operations manuals and reports, and making inquiries regarding implementation of policies and procedures.
THE ACCOUNTING SYSTEM
An auditor must understand how the computerized accounting system processes significant classes of transactions. This would include
* What computer reports are produced.
* Which computer files are accessed and updated.
* The nature of computer processing, from initiation of a transaction to its inclusion in the general ledger. Different processing methods are subject to different risks of error.
* How data are summarized in the financial reporting process.
* How transactions are converted to machine-readable form.
Computers are often used to summarize information for financial statements and the auditor should understand whether the client has a setup program that specifies how accounts processed by the computer are summarized and included in the financial statements.
How much should the auditor learn about the third element of the control structure--control procedures? Control procedures take on unique characteristics in a computer environment. The guide acknowledges the auditor often learns about certain control procedures while obtaining an understanding of the control environment and accounting system. For example, it's difficult not to learn about such basic control procedures as reconciliation of subsidiary records to general ledger accounts. When an auditor plans to follow a primarily substantive approach to audit a particular assertion, the knowledge of control procedures obtained when examining the control environment and accounting system is usually sufficient to design substantive procedures.
When the auditor plans to assess control risk at a lower level than would be obtained by following a primarily substantive approach, he or she will place more emphasis on understanding and testing control procedures. Although such decisions are a function of strategy, the guide points out two circumstances in which an auditor must understand and test control procedures.
To audit an assertion. In some cases, the auditor isn't able to design substantive tests that will be sufficiently effective to detect a material misstatement. For example, if a nonprofit entity receives a large amount of cash donations, it would be difficult for the auditor to audit the completeness assertion related to cash receipts without understanding and testing the effectiveness of control procedures over incoming cash receipts.
Similarly, if a financial institution engages in futures transactions, the auditor may need to understand and test the control procedures that provide assurance all futures transactions are accounted for. Under these circumstances, the auditor would plan to assess control risk significantly below the maximum and would need to understand and test relevant control procedures.
To plan an audit that isn't unreasonably costly. A client's system is sometimes so complex that taking a substantive approach would be unreasonably expensive: for example, when a company has an electronic data interchange system. The company's computer system is linked to those of its suppliers or customers, and transactions may be automatically initiated by the system. The auditor may find the only reasonable strategy is to obtain an understanding of controls and perform tests on them sufficient to support a lower assessed level of control risk.
While the knowledge the auditor seeks of the three control structure elements is a matter of judgment, SAS no. 55 says the auditor cannot--because of a decision to assess control risk at the maximum--ignore the control structure. Such knowledge is needed to identify the types of potential misstatements and related risks and to design effective substantive tests. Substantive tests are not designed in a vacuum--they must be based on a certain knowledge of the entity's control structure.
USE OF COMPUTER PROCESSING KNOWLEDGE TO SUPPORT AN AUDIT STRATEGY
From both an accounting and auditing perspective, the computer has become an important business tool. Few businesses today are able to function without one. As a result, an understanding of the computer-related control environment and accounting system issues illustrated in exhibit 1 is necessary to plan a primarily substantive approach. The guide presents several audit strategies for which varying degrees of understanding and tests of controls are both efficient and effective. These strategies are described below.
PLANNING A PRIMARILY SUBSTANTIVE APPROACH
When transactions and their processing aren't complicated and substantive tests are economical, the auditor frequently plans a primarily substantive approach to reduce audit risk to an acceptable level. The auditor focuses on the control environment and the accounting system; he rarely sets out to obtain an understanding of control procedures directly or to test their operating effectiveness. However, while focusing on the control environment and the accounting system, the auditor often will learn about some control procedures, including computer procedures.
For example, the auditor might learn the computer keeps track of numerical sequences of sales orders, shipping records and sales invoices and produces a daily report of unmatched transactions (for example, sales orders that have not been shipped and billed). This feature of the computer system, along with the manual follow-up of items on the list, may provide the auditor with some assurance that all sales are recorded. In order for this knowledge to be useful for assessing control risk, the auditor must perform tests of controls. While obtaining the understanding, or subsequently, he may
* Question employees about follow-up procedures. Do items appear on the report on a timely basis? How long does it take for items to clear from the report? How often do items that should have cleared still appear on the report?
* Make corroborating inquiries of salespeople and the shipping department supervisor regarding the accuracy of items listed as exceptions on the report.
* Examine reports to determine that selected items appear on the report and clear from the report on a timely basis.
What can the auditor conclude from these tests? The effectiveness of this control depends on both the program that generates the computer listing and the manual follow-up procedures. While the tests focus primarily on follow-up, they may also provide evidence about the operation of the program itself. If they include corroborating inquiries of client personnel who are in a position to know whether open sales orders should be appearing on the exception report when they are not (salespeople and shipping department supervisors, for example, either for individual orders or for an estimated total number of open orders), the auditor may draw a conclusion about whether the computer program is operating effectively.
Under these circumstances, could the auditor assess control risk for the completeness assertion related to sales as low? In most cases, such observations, inquiries and limited inspection of documents probably would not support a low assessed level. However, depending on the assertion and the results of the tests of controls, the auditor may be able to assess control risk at a significantly lower level than if those control procedures had not been considered.
PLANNING A LOWER ASSESSED LEVEL OF CONTROL RISK
Where the auditor plans a lower assessed level of control risk in a computer environment, the following strategies discussed in the guide may be helpful.
Tests of user control procedures. Some clients have control procedures that require personnel essentially to manually verify certain computer operations, thereby checking the completeness and accuracy of the computer output. The guide refers to these controls as user control procedures. For example, to check the completeness of computer processing, users may keep manual record counts of shipments or receipts and compare them with the number of computer-processed records to ensure all such transactions are recorded.
Testing user controls may be an effective alternative to testing procedures the computer performs. However, user control procedures are relatively uncommon in today's business environment. The volume and complexity of computer processing usually doesn't allow for them, and from a client's viewpoint such procedures are generally inefficient compared to other controls. Even if such user procedures are in effect, the auditor will often find other approaches for testing controls are more efficient.
Direct tests of programmed and manual follow-up procedures. Another approach the auditor can consider is to test directly the computer's accounting procedures as well as the related manual follow-up procedures. An auditor can, for example, use computer-assisted audit techniques such as test data or parallel simulation to test the programmed procedures that produce exception reports. These tests provide direct evidence of the design and operation of programmed procedures, but only at the specific times they are applied. Accordingly, an auditor would need to perform such tests repeatedly, at various times during the audit or on data files for a number of dates, to see that the program operated effectively throughout the period. It can be costly to assess control risk at a low level using this approach.
The auditor also needs to test the procedures for following up on items listed on exception reports. To do this, the auditor could observe and ask employees about the follow-up procedures performed and examine reports and related documentation, as necessary.
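The following is an added example, not code from the article or from the AICPA guide. It implements the kind of programmed completeness control described earlier (a sales order, shipping record and invoice match that lists unmatched items and gaps in the order sequence) and then applies the two computer-assisted audit techniques named in the paragraph above: test data (transactions with known characteristics fed to the client's program) and parallel simulation (the auditor's own independently written program run over the same files, with the two outputs compared). The record layouts, field names, the two-day grace period and every transaction are constructed for illustration.

```python
"""Added example (not from the article or the AICPA guide): a programmed
completeness control, a sales order / shipment / invoice match that lists
unmatched items, with two computer-assisted audit techniques applied to it,
test data and parallel simulation. Record layouts, field names and all
transactions are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SalesOrder:
    number: int          # pre-numbered, so a gap in the sequence is an exception
    order_date: date
    amount: float

@dataclass(frozen=True)
class Shipment:
    number: int
    order_number: int    # the sales order this shipment fulfils

@dataclass(frozen=True)
class Invoice:
    number: int
    order_number: int    # the sales order this invoice bills
    amount: float


def client_exception_report(orders, shipments, invoices, as_of, grace_days=2):
    """The client's programmed procedure (assumed): orders older than
    grace_days that were not shipped, shipped but not billed, or billed for a
    different amount, plus numbers missing from the order sequence.
    Returns a sorted list of (order_number, reason) pairs."""
    shipped = {s.order_number for s in shipments}
    billed = {i.order_number: i.amount for i in invoices}
    report = []
    for o in orders:
        if (as_of - o.order_date).days <= grace_days:
            continue                      # still within normal fulfilment time
        if o.number not in shipped:
            report.append((o.number, "not shipped"))
        elif o.number not in billed:
            report.append((o.number, "shipped, not billed"))
        elif abs(billed[o.number] - o.amount) > 0.005:
            report.append((o.number, "billed amount differs from order"))
    numbers = sorted(o.number for o in orders)
    for low, high in zip(numbers, numbers[1:]):
        report.extend((m, "missing from order sequence") for m in range(low + 1, high))
    return sorted(report)


def auditor_simulation(orders, shipments, invoices, as_of, grace_days=2):
    """Parallel simulation: the auditor's independent re-implementation of the
    same control, written as set algebra rather than a loop so that a coding
    error in the client's program is unlikely to be repeated here."""
    due = {o.number: o.amount for o in orders
           if (as_of - o.order_date).days > grace_days}
    shipped = {s.order_number for s in shipments}
    billed = {i.order_number: i.amount for i in invoices}
    numbers = sorted(o.number for o in orders)
    return ({(n, "not shipped") for n in due if n not in shipped}
            | {(n, "shipped, not billed") for n in due if n in shipped and n not in billed}
            | {(n, "billed amount differs from order") for n, amt in due.items()
               if n in shipped and n in billed and abs(billed[n] - amt) > 0.005}
            | {(m, "missing from order sequence")
               for low, high in zip(numbers, numbers[1:]) for m in range(low + 1, high)})


def parallel_simulation(orders, shipments, invoices, as_of):
    """Run both programs over the same data files; any difference is a finding
    about the client's programmed procedure for that file date."""
    client = set(client_exception_report(orders, shipments, invoices, as_of))
    auditor = auditor_simulation(orders, shipments, invoices, as_of)
    return {"only_client": client - auditor, "only_auditor": auditor - client}


def sample_files(as_of=date(1990, 6, 30)):
    """Constructed files with known characteristics: 1001 complete, 1002 never
    shipped, 1003 shipped but unbilled, 1004 missing from the sequence, 1005 too
    recent to be an exception yet, 1006 billed for the wrong amount."""
    def days_ago(n):
        return as_of - timedelta(days=n)
    orders = [SalesOrder(1001, days_ago(10), 500.00), SalesOrder(1002, days_ago(9), 250.00),
              SalesOrder(1003, days_ago(8), 900.00), SalesOrder(1005, days_ago(1), 120.00),
              SalesOrder(1006, days_ago(7), 300.00)]
    shipments = [Shipment(5001, 1001), Shipment(5002, 1003), Shipment(5003, 1006)]
    invoices = [Invoice(9001, 1001, 500.00), Invoice(9002, 1006, 330.00)]
    return orders, shipments, invoices, as_of


EXPECTED_FROM_TEST_DATA = {(1002, "not shipped"), (1003, "shipped, not billed"),
                           (1004, "missing from order sequence"),
                           (1006, "billed amount differs from order")}


def run_test_data():
    """Test-data technique: feed the client's program transactions whose correct
    outcome is known in advance; anything missed or spurious is a finding."""
    orders, shipments, invoices, as_of = sample_files()
    actual = set(client_exception_report(orders, shipments, invoices, as_of))
    return {"missed": EXPECTED_FROM_TEST_DATA - actual,
            "spurious": actual - EXPECTED_FROM_TEST_DATA}
```

Both techniques answer the same question by different routes: `run_test_data()` checks the program against outcomes the auditor fixed in advance, while `parallel_simulation()` checks it against an independent program over whatever the file contains. Either result speaks only for the data and date tested, which is the point made above about repeating such tests across the period.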
Tests of computer general controls and manual follow-up procedures. Computer general control procedures influence the effectiveness of other control procedures. This is shown in exhibit 2, below. Specifically, computer general control procedures include controls over
* Program design, testing and implementation.
* Changes to programs.
* Operation of programs and use of data files.
* Access to programs and data files.
Understanding and testing general control procedures can provide an efficient and effective alternative when the auditor needs evidence of the consistent operation of programmed procedures throughout the period. If computer general control procedures operate effectively, there is assurance programmed procedures are designed properly and function consistently throughout the period. Evidence of effective computer general control procedures, combined with evidence of effective follow-up procedures, can support a lower--and even a low--assessed level of control risk.
An auditor could obtain evidence about the effectiveness of computer general control procedures over program development by examining
* Reviews of program change logs.
* Approvals by appropriate user department and data processing personnel.
* Program testing procedures.
* Acceptance of test results.
* Use of transfer and compile logs.
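As an added example, not from the article or the AICPA guide, the following reconciles the five kinds of evidence just listed for a set of program changes. Each transfer into the production library is traced back to a change log entry, to approvals from both the user department and data processing dated before the move, to an accepted test result dated before the move, and to a mover other than the developer. The four logs, their field names and every entry are constructed for illustration; a real installation's logs will be laid out differently.

```python
"""Added example (not from the article or the AICPA guide): reconciling
program change evidence. The four logs, their fields and all entries are
constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Change:          # program change log entry
    change_id: str
    program: str
    developer: str

@dataclass(frozen=True)
class Approval:        # approval by the user department ("user") or DP ("dp")
    change_id: str
    department: str
    approved: date

@dataclass(frozen=True)
class TestAcceptance:  # sign-off on test results
    change_id: str
    accepted: date

@dataclass(frozen=True)
class Transfer:        # transfer/compile log: move into the production library
    change_id: str
    program: str
    moved_by: str
    moved: date


def reconcile(changes, approvals, acceptances, transfers):
    """Return {change_id: [findings]} for every production transfer that lacks
    supporting evidence. Assumes one transfer per change id."""
    change_by_id = {c.change_id: c for c in changes}
    approvals_by_id = {}
    for a in approvals:
        approvals_by_id.setdefault(a.change_id, []).append(a)
    acceptance_by_id = {t.change_id: t for t in acceptances}
    findings = {}
    for t in transfers:
        change = change_by_id.get(t.change_id)
        if change is None:               # code reached production with no logged change
            findings[t.change_id] = ["moved to production with no change log entry"]
            continue
        problems = []
        if change.program != t.program:
            problems.append("program moved differs from the program on the change log")
        # only approvals dated on or before the move count as evidence for it
        approved_depts = {a.department for a in approvals_by_id.get(t.change_id, [])
                          if a.approved <= t.moved}
        for dept, label in (("user", "user-department"), ("dp", "data-processing")):
            if dept not in approved_depts:
                problems.append(f"no {label} approval before transfer")
        acceptance = acceptance_by_id.get(t.change_id)
        if acceptance is None or acceptance.accepted > t.moved:
            problems.append("test results not accepted before transfer")
        if t.moved_by == change.developer:   # segregation of duties
            problems.append("developer moved own change to production")
        if problems:
            findings[t.change_id] = problems
    return findings


def sample_logs():
    """Constructed logs: CH-101 is fully supported; CH-102 lacks DP approval and
    was moved by its developer; CH-103's DP approval postdates the move;
    CH-999 appears only in the transfer log."""
    changes = [Change("CH-101", "AR210", "dev_a"),
               Change("CH-102", "AR215", "dev_b"),
               Change("CH-103", "GL050", "dev_a")]
    approvals = [Approval("CH-101", "user", date(1990, 3, 2)),
                 Approval("CH-101", "dp", date(1990, 3, 3)),
                 Approval("CH-102", "user", date(1990, 3, 10)),
                 Approval("CH-103", "user", date(1990, 3, 20)),
                 Approval("CH-103", "dp", date(1990, 3, 28))]
    acceptances = [TestAcceptance("CH-101", date(1990, 3, 4)),
                   TestAcceptance("CH-102", date(1990, 3, 11)),
                   TestAcceptance("CH-103", date(1990, 3, 21))]
    transfers = [Transfer("CH-101", "AR210", "ops_x", date(1990, 3, 5)),
                 Transfer("CH-102", "AR215", "dev_b", date(1990, 3, 12)),
                 Transfer("CH-103", "GL050", "ops_x", date(1990, 3, 22)),
                 Transfer("CH-999", "AP300", "dev_a", date(1990, 3, 30))]
    return changes, approvals, acceptances, transfers


if __name__ == "__main__":
    for change_id, problems in sorted(reconcile(*sample_logs()).items()):
        print(change_id, *problems, sep="\n    ")
```

The check that matters most for the conclusion in the text is the transfer-log side: a change that reached production without a logged, approved and tested change is exactly the condition under which programmed procedures can no longer be presumed to have operated consistently through the period.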
Because effective general control procedures can provide assurance that programs are developed properly and function consistently over time, the combination of tests of general control procedures and tests of manual follow-up procedures often supports a low control-risk assessment.
COMPUTER PROCESSING AND INTERNAL CONTROL STRUCTURE
The auditor must understand the elements of the client's internal control structure sufficiently to enable him to identify the kinds of potential misstatements that could occur in the financial statements, to assess the risk of material misstatement and to design substantive tests. This includes understanding relevant computer processing. Because the vast majority of audits, even audits of small businesses, are conducted for companies that have significant computer processing of accounting transactions, the auditor must understand that computer processing.
SAS no. 55 and the guide explain that the auditor must understand how transactions are processed through computerized accounting systems. The auditor can take a primarily substantive approach and use evidence gained about design and effectiveness of controls to support assessments of control risk at less than the maximum. Where it's efficient to focus additional audit attention on controls, the guide presents the auditor with a variety of strategies. Implementing SAS no. 55 with the help of the guide requires the practitioner to exercise considerable audit judgment. At the same time, it facilitates more effective and efficient audits.
RICHARD M. STEINBERG, CPA, is a partner of Coopers & Lybrand, New York City. Co-chairman of the American Institute of CPAs control risk audit guide task force, he is chairman of the AICPA task force on consideration of the internal control structure in a computer environment. He also served as chairman of the AICPA task force on the auditor's use of microcomputers and is a member of the AICPA computer audit subcommittee. RAYMOND N. JOHNSON, CPA, PhD, is a professor of accounting and chairman of the accounting department at Portland State University School of Business, Portland, Oregon. A member of the AICPA task force that developed the control risk audit guide, he is also a member of the board of directors of the Oregon Society of CPAs.