By Thomas A. Ratcliffe and Paul Munter
ASB Tackles IT System Control Risk
Modern data processing systems pose new, risk-laden challenges to the traditional audit process. Whereas it was once possible to conduct a financial statement audit by assessing and monitoring the controls over paper-based transaction and accounting systems, businesses have increasingly turned to electronic transaction and accounting systems. SAS 94 offers guidance on collecting sufficient, competent evidence in an electronic processing environment. It pays particular attention to identifying circumstances when the system of control over electronic processing must be accessed.
Becognizing that it is increasingly difficult for auditors to rely on traditional (paper) audit evidence to acquire sufficient competent evidence, the Auditing Standards Board (ASB) issued SAS 94, The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit, in May 2001. SAS 94 is effective for audits of financial statements for periods beginning on or after June 1, 2001. Early application is permitted.
SAS 94 amends SAS 55, Consideration of Internal Control in a Financial Statement Audit, as previously amended by SAS No. 78, Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55. Specifically, SAS 94 addresses the effect of information technology (IT) on internal controls and on the auditor’s understanding of internal controls, including the required assessment of control risk.
In December 1996, the ASB issued SAS 80, entitled Amendment to Statement on Auditing Standards No. 31, Evidential Matter, in order to address questions about the validity, completeness, and integrity of electronic evidence. When entities transmit, process, maintain, or access information electronically, it may be impractical or even impossible to reduce detection risk to an acceptably low level by performing only substantive tests for one or more financial statements. Furthermore, SAS 80 concluded that tests of controls, in conjunction with substantive tests, should be sufficient to support an audit opinion.
The AICPA also published an Auditing Procedures Study (APS), The Information Technology Age: Evidential Matter in the Electronic Environment. The APS describes electronic evidence and discusses issues in evaluating it. Whether it is transmitted, processed, maintained, and accessed by electronic means (e.g., using a computer, scanner, sensor, or magnetic media) or it is in the form of computer-printed documents, electronic evidence differs from paper evidence in the following ways:
Difficulty of alteration. Easily altered evidence lacks credibility and has reduced value to the auditor. Whereas paper evidence is difficult to alter without detection, alterations attributable to the operation of a system might not be detected without performing specifically designed tests. Prima facie credibility. SAS 80 establishes a hierarchy of credibility for evidence. Credibility is enhanced when the source of evidence is independent of the client and confirmable. An electronic purchase order derives its credibility primarily from the controls within the electronic environment. When printed, a fraudulent or altered electronic purchase order appears no different from a valid purchase order. Completeness of documents. Whereas paper evidence typically includes all of the essential terms of a transaction on its face (e.g., customer name and address, preferred shipping methods), an electronic system may substitute codes or cross-references to other data files that may be hidden from users. Evidence of approvals. Approvals integrated into paper documents add to completeness. Electronic approvals may be similarly integrated into the electronic record, but they could require...