RELEVANCE OF 'IT' IN AN AUDIT

RELEVANCE OF ‘IT’ IN AN AUDIT

When a business operates in a more automated environment it is likely that we will see several business functions and activities happening within the systems. Consider the following aspects instead of:

•  Computation and Calculations are automatically carried out (for example, bank interest computation and inventory valuation). 
•  Accounting entries are posted automatically (for example, sub-ledger to GL postings are automatic). 
•  Business policies and procedures, including internal controls, are applied automatically (for example, delegation of authority for journal approvals, customer credit limit checks are performed automatically).
•  Reports used in business are produced from systems. Management and other stakeholders rely on these reports and information produced (for example, debtors ageing report). 
• User access and security are controlled by assigning system roles to users (for example, segregation of duties can be enforced effectively). 

Companies derive benefit from the use of IT systems as an enabler to support various business operations and activities. Auditors need to understand the relevance of these IT systems to an audit of financial statements.
While it is true that the use of IT systems and automation benefit the business by making operations more accurate, reliable, effective and efficient, such systems also introduce certain new risks, including IT specific risks, which need to be considered, assessed and addressed by management.

To the extent that it is relevant to an audit of financial statements, even auditors are required to understand, assess and respond to such risks that arise from the use of IT systems.
[Note: Students may refer SA 315 – Identifying and assessing the risks of material misstatement through understanding the entity and its environment for detailed understanding] 

In an audit of financial statements, the primary focus is around those risks that are relevant to financial reporting. However, there could be other non-audit assurance engagements that auditors maybe involved wherein the area of focus could include those IT risks relevant to company’s compliance and business operations in addition to financial reporting risks.

With the introduction of the Companies Act 2013, there is greater emphasis given to internal financial controls (IFC) from a regulatory point of view. Directors and those charged with governance (including Board of directors, Audit committee) are responsible for the implementation of internal controls framework within the company. The auditors’ responsibilities now include reporting on Internal Financial Controls over Financial Reporting which include and understanding IT environment of the company and relevant risks & controls. We will learn more about IFC in further sections of this chapter.

In some of the above situations it is likely that carrying out audit using traditional substantive audit procedures may be difficult or even not feasible if the company prepares, records and conducts majority of business activities through IT systems only.

On the other hand, many companies may use less complex IT systems including desktop based accounting or spreadsheets. In such situations, the relevance of IT to an audit could be less. However, the auditor is still required to carry out at least an understanding the IT environment of the company and document the same.

Another area where IT can be relevant to audit is by using data analytics using computer assisted audit techniques (CAATs). By using data analytics, it is possible to improve the effectiveness and efficiency of an audit. We will learn more about data analytics in the later sections of this chapter.

From the above, we can see how IT is relevant to an audit under different situations viz., audit, non-audit and meeting regulatory compliance requirements. We will learn more about understanding risks, controls and documentation in further sections of this chapter.