How do financial statement auditors and IT auditors work together?
Through an experiment with practicing financial statement auditors, a recent study found that auditors will rely heavily on the testing of a competent IT auditor when assessing control risk and planning substantive testing. IT auditors can improve both the effectiveness and efficiency of the financial statement audit. When IT auditor competence is low, it appears that only auditors with high levels of AIS expertise are able to effectively compensate for this deficiency.
The Role of IT Auditors
Statement on Auditing Standards (SAS) 108 suggests that in complex IT settings auditors should consider assigning one or more computer assurance specialists (i.e., IT auditors) to the engagement in order to determine the effect of IT on the audit, gain an understanding of controls, and design and perform tests of IT controls. In addition, SAS 109 notes the importance of IT with respect to auditors' assessments of control risk. For publicly traded corporations, Public Company Accounting Oversight Board (PCAOB) Auditing Standard 5, An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements, requires auditors to gain an understanding and test IT system controls in order to provide an opinion on the effectiveness of internal controls over financial reporting. These auditing standards, as well as companies' adoptions of complex IT systems, have substantially enhanced the role of IT auditors on audit engagements.
A 2000 study estimated that the number of IT auditors employed by one Big Five firm would grow from 100 to 5,000 between 1990 and 2005 (N.A. Bagranoff and V.P. Vendrzyk, "The Changing Role of IS Audit Among the Big Five US-Based Accounting Firms," Information Systems and Control Journal, vol. 5), and IT auditor testing can now represent a substantial portion of the financial statement audit work. IT auditors have become a chief source of audit evidence. For example, IT auditors' tests of system access controls are relied upon by auditors when making control risk assessments. As technological developments continue, the use of IT auditors on financial audits will continue to grow, and auditors will need to expand their AIS knowledge and skills in order to perform effective and efficient audits.
The enhanced role of IT auditors on financial audits brings up three questions. First, what do auditors think of IT auditors as a source of audit evidence? Second, how do these two professions interact on audit engagements? And third, under what conditions can this relationship be most productive?
IT Auditors as a Source of Audit Evidence
Past research has indicated that auditors have substantial concerns about IT auditor competence in practice, and sometimes question the value IT auditors bring to the audit engagement (Bagranoff and Vendrzyk 2000; James E. Hunton, Arnold M. Wright, and Sally Wright, "Are Financial Auditors Overconfident in Their Ability to Assess Risks Associated with Enterprise Resource Planning Systems?" Journal of Information Systems, Fall 2004). Currently, increased demand for IT auditors due to the aforementioned standards has resulted in IT auditors' resources being stretched over more audit engagements, as well as audit firms losing highly competent IT auditors to corporations looking to improve the effectiveness of their own internal controls (C. Annesley, "Manual Processes Must Be Automated to Cut Cost of Sarbanes-Oxley Audits, Says Basda," Computer Weekly, October 25, 2005; Norman Marks, "Maintaining Control: Will a Boom in Internal Auditing Result in a Bust in Audit Quality?," Internal Auditor, February 2005).
These findings were confirmed by the author's own study. Participants were asked to respond, on a scale from 1 (disagree) to 10 (agree), whether they had experienced variation in IT auditor competence. The mean response was 7.23. The author does not conclude that there is a competency problem with IT auditors, but, rather, that their competency levels vary in practice. On the other hand, another study has shown that IT auditors are better at assessing risks in enterprise resource planning (ERP) environments and that auditors appear to be overconfident in their abilities in such settings (Hunton, Wright, and Wright 2004). This overconfidence, as well as high IT auditor billing rates, may help explain why auditors are sometimes hesitant to employ IT auditors, beyond the minimum firm-established requirements, on their engagements.
Interacting on Audit Engagements
While audit managers are typically sensitive to competence deficiencies in their audit staff and can compensate by employing additional procedures themselves, auditors' ability to effectively respond to IT auditor competence deficiencies may be determined by their own AIS expertise level. As the AIS expertise of an auditor increases, the auditor's knowledge of system design and controls should be greater and, thus, provide the auditor with a clearer understanding of what system controls the IT auditor has (or has not) tested, as well as the ability to compensate for the IT auditor's competence deficiencies. The pairing of a less competent IT auditor with an auditor who maintains a low level of AIS expertise may lead to an ineffective audit. Auditors with low AIS expertise may over-rely on weak IT auditor tests because they lack the AIS expertise to independently identify system risks and perform IT-related tests themselves. Conversely, when the IT auditor assigned to the engagement is highly competent, all auditors should benefit from their inclusion on the engagement team, as they can rely more on the IT auditor's testing and concentrate more on matters related to the financial statement audit. In summary, investigating the auditor-IT auditor relationship requires analyzing both the competence of the IT auditor as well as the AIS expertise the auditor brings to the engagement.
A Productive Relationship
To examine how auditors are interacting with IT auditors, one study had 74 practicing auditors complete an experimental audit case study that asked them to supply risk assessments and planned testing decisions in an ERP setting (see Joseph F. Brazel and Christopher P. Agoglia, "An Examination of Auditor Planning Judgments in a Complex Accounting Information System Environment," Contemporary Accounting Research, Winter 2007). Thirty-five of the auditors received internal control testing documentation concluding that system controls were reliable from a highly competent IT auditor, while the other 39 auditors received the exact same evidence from an IT auditor with low competence. To manipulate IT auditor competence between the two groups, auditors were given information about the extent of the IT auditor's prior training, experience, and performance (either all high or all low). As a check, participants later noted that both the high and low IT auditor competence descriptions were equally realistic. The study measured and assessed each auditor's AIS expertise level as either high or low via multiple scales measuring the auditor's experience and training with complex AIS. Thus, the experimental study consisted of four groups (see Exhibit 1).
The study provided all participants with a case that contained background information for a hypothetical client, relevant authoritative audit guidance, and several prior-year workpapers. These workpapers included prior-year risk assessments and substantive testing for the sales and collection cycle. Participants also received a current-year workpaper documenting the client's implementation of an ERP system module for the cycle and information that an IT auditor would be assigned to the engagement to test system controls. The current-year workpaper noted multiple potential implementation problems, including the migration of legacy-system data to the ERP system due to a mid-year conversion and the integration of a bolt-on internal control package with the system. Next, participants received information about the IT auditor's competence level (either high or low) and the IT auditor's control tests, which concluded that "system-related controls appear reliable." Participants then assessed and documented a control risk assessment and planned the nature, staffing, timing, and extent of substantive procedures for the cycle. Lastly, the authors had auditors at the senior manager and partner levels evaluate the effectiveness of the participants' judgments. These evaluators had extensive experience auditing companies with complex AIS.
Control Risk Assessments
After reviewing all of the case study materials, participants assessed control risk for the cycle on a scale ranging from 0 (very low) to 100 (very high). Exhibit 2, Panel A, presents the results relating to mean control risk assessments for the study's four groups. What the study found was that the competence of the IT auditor had a substantial effect on auditors' control risk assessments. Essentially, as the competence of the IT auditor increased, auditors tended to rely on their positive control testing results and assessed control risk as lower. Thus, in Panel A, all lines slope downward. This pattern emerged for auditors with both high and low AIS expertise. Given their superior knowledge of systems and the potential system risks posed in the case study, however, auditors with higher AIS expertise tended to assess control risk as higher, regardless of the IT auditor's level of competence.
EXHIBIT 1 Participants by Group Low IT Auditor High IT Auditor Competence Competence High Auditor AIS Expertise n = 18 n = 18 Low Auditor AIS Expertise n = 21 n = 17 n = Number of practicing audit senior participants in each experimental group.
Upon completion of their control risk assessments, participants planned the nature, staffing, timing, and extent of substantive testing for the cycle. The study measured the "nature" and "staffing" of participants' testing decisions as the total number of procedures planned and the number of procedures assigned to a more senior-level auditor than staff assistant, respectively. The "timing" and "extent" of participants' testing decisions were computed as the total number of testing hours budgeted at fiscal year-end (versus interim) and the total number of budgeted audit hours, respectively. Panels B-F in Exhibit 2 graphically illustrate the testing decisions of the study's four groups, as well as the effectiveness of their testing decisions [evaluated by experienced auditors on a scale ranging from 1 (very low) to 10 (very high)].
For the most part, a typical pattern can be seen in Panels B-F. When IT auditor competence is high (right-hand side of the graphs), the testing decisions of auditors with low and high AIS expertise are generally the same, moderate in scope, and reasonably effective. Competent IT auditors appear to let all auditors rely on their system testing and concentrate on the non-system testing in which they are adept (e.g., accounts receivable confirmation, analytical procedures related to sales). On the other hand, when IT auditor competence is low (left-hand), there appears to be a substantial difference between the testing decisions of auditors with low and high AIS expertise. These results suggest that the superior knowledge base of auditors with high AIS expertise allows them to effectively expand the scope of substantive tests, to include their own tests of the system, when there are IT auditor competence deficiencies. Unfortunately, when auditor AIS expertise is low, it appears that under-auditing may result. Indeed, the pairing of low IT auditor competence and low auditor AIS expertise had the lowest mean effectiveness rating in Panel F (4.87).
If the above results show that auditor AIS expertise can play an important role in ERP settings, what role does the general audit experience of the auditor play? The answer appears to be very little; at the very least, AIS expertise seems to trump general audit experience in an ERP setting. The authors examined the effects of general audit experience on both the judgments of the participants, as well as the effectiveness of those judgments. Results showed no relationship between general experience and these factors. Thus, when assigning staff to an audit engagement, it may be prudent to consider the staff members' levels of AIS expertise (with respect to the client's AIS), in addition to their general audit experience levels. In other words, a fourth-year senior with high AIS expertise may be more valuable than a fifth-year senior with a lower level of AIS expertise.
To answer the three questions posed above: Auditors perceive that IT auditor competence varies in practice, both auditor AIS expertise and IT auditor competence affect how these two professions interact on an audit engagement, and this relationship can be most productive when at least one (preferably both) of the two professions exhibits expertise or competence related to a company's IT system. The findings of the study have implications for practice and education. For example, given the potential for deleterious effects in complex IT settings, PCAOB inspection teams should consider evaluating whether policies (e.g., training, scheduling) are in place to ensure both the competence of the IT auditor and the AIS expertise of auditors assigned to the engagement. The results of this study clearly point to the advantages of sufficiently training both auditors and IT auditors so that they are equipped with the requisite expertise, given the complexity of their clients' IT.
In light of recently increased auditor responsibilities with respect to internal control assessment, auditors should consider the implications for audit efficiency and effectiveness if they either allocate additional internal control testing to IT auditors or provide auditors with greater training in evaluating IT risks and performing tests of IT. When IT is used to maintain the general ledger, it's worthwhile noting that SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, discusses how nonstandard journal entries "may exist only in electronic form and may be more easily identified through the use of computer-assisted audit techniques." Should auditors be performing these procedures? Will they be effective? Or would it be more effective and efficient to rely on an IT auditor to perform this task? Firms could also explore ways in which to improve the IT auditor-auditor relationship (e.g., combined training and increased communication throughout the audit).
From an educational standpoint, the study points to an increasing need to improve the system-related educational experiences of accounting students who will be the IT and financial statement auditors of the future. Undergraduate and master's degree programs in accounting might want to partner with management information systems departments, or develop faculty strengths in the field of AIS, in order to incorporate an IT concentration into their programs. After having completed three years of Sarbanes-Oxley section 404 audits, auditors now know the specific skill sets needed to effectively perform these audits in a complex AIS setting. Accounting academics should maintain an open dialogue with these professionals when developing and updating their system-related accounting classes. Such advances in education should help provide the profession with accounting graduates who have the required skill set to flourish in the complex IT settings of the future.
Joseph F. Brazel, PhD, is an assistant professor of accounting at the college of management at North Carolina State University, Raleigh, N.C.
|Printer friendly Cite/link Email Feedback|
|Author:||Brazel, Joseph F.|
|Publication:||The CPA Journal|
|Date:||Nov 1, 2008|
|Previous Article:||Derivatives: new disclosures required.|
|Next Article:||Tax controversies in New York.|