Understanding SAS 94


Published on

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Understanding SAS 94

  1. 1. Understanding SAS 94 NYSSCPA Emerging Technologies Committee Bruce H. Nearon J.H. Cohn LLP [email_address] 973-403-6955 April 26, 2001
  2. 2. Introduction <ul><li>What is SAS 94? </li></ul><ul><ul><li>Au Section 319 – The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit </li></ul></ul><ul><li>What is the effective date of SAS 94? </li></ul><ul><ul><li>Audits of financial statements for periods beginning on or after June 1, 2001 </li></ul></ul>
  3. 3. Why do I have to understand SAS 94? <ul><li>Au 150.02 GAAS – The second standard of field work </li></ul><ul><ul><li>A sufficient understanding of internal control is to be obtained to plan the audit and to determine the nature, timing, and extent of the tests to be performed. </li></ul></ul>
  4. 4. What is Internal Control? <ul><li>A device to regulate a system </li></ul><ul><li>Ex. What keeps gasoline from leaking as it flows from your gas tank to the engine? </li></ul><ul><ul><li>The construction of the fuel tank, fuel pipe, and connections. </li></ul></ul>
  5. 5. <ul><li>Ex. What keeps money and resources from leaking as it flows through a business entity? </li></ul><ul><ul><li>The construction of the financial accounting and internal control system. </li></ul></ul>
  6. 6. How much time do I need to spend on SAS 94 Procedures? <ul><li>How big is the client? </li></ul><ul><ul><li>Assets? Sales? </li></ul></ul><ul><li>How many transactions? </li></ul><ul><ul><li>1000’s, 10,000’s, 100,000’s, millions </li></ul></ul><ul><li>How sophisticated is the computer system? </li></ul><ul><li>How much time is in your audit budget for I/C work? </li></ul>
  7. 7. What if I only have 8 hours or less? <ul><li>Au Sec 319.04 Assess control risk at the maximum. Document your conclusion. The basis of the conclusion need not be documented. </li></ul>
  8. 8. Taking the easy way out <ul><li>Assessing Control Risk at the Max </li></ul><ul><ul><li>WARNING! You need to be satisfied that performing only substantive tests will be sufficient. </li></ul></ul><ul><ul><li>If initiation, recording, and processing of financial data exists only in computers then the power of substantive tests is significantly reduced. </li></ul></ul>
  9. 9. Do you understand the extent of computer processing in your audit client? <ul><li>Au 319.17 – The use of IT (Computers) affects the fundamental manner in which transactions are initiated, recorded, processed, and reported. </li></ul>
  10. 10. <ul><li>Automated procedures may: </li></ul><ul><ul><li>Initiate </li></ul></ul><ul><ul><li>Record </li></ul></ul><ul><ul><li>Process </li></ul></ul><ul><ul><li>Report </li></ul></ul><ul><li>Producing e-records: </li></ul><ul><ul><li>Purchase orders </li></ul></ul><ul><ul><li>Invoices </li></ul></ul><ul><ul><li>Shipping documents </li></ul></ul><ul><ul><li>Journals and ledgers </li></ul></ul>
  11. 11. You may not understand e-records and IT controls, and rely on paper hardcopy and manual controls <ul><li>BEWARE! Paper records provided by clients and their manual controls may not be independent of IT, may in fact be produced from e-records, and may lack credibility. </li></ul>
  12. 12. IT risks to internal control <ul><li>Au 319.19 </li></ul><ul><li>Unauthorized access to menus, programs, and data </li></ul><ul><ul><li>destruction or improper changes </li></ul></ul><ul><ul><li>unauthorized, nonexistent or inaccurate transactions. </li></ul></ul><ul><ul><li>errors and fraud. </li></ul></ul><ul><li>Failure to make necessary changes to systems or programs i.e. obsolete programs and patch levels </li></ul>
  13. 13. <ul><li>Au 319.20 </li></ul><ul><li>A lack of control at a single user entry point might compromise the security of the entire database. </li></ul><ul><ul><li>Improper changes </li></ul></ul><ul><ul><li>Destruction of data </li></ul></ul><ul><li>When IT personnel and users are given, or can gain access privileges beyond necessary to perform their assigned duties, a breakdown in segregation of duties can occur </li></ul>
  14. 14. <ul><li>Au 319.21 </li></ul><ul><li>Errors may occur in designing, maintaining, or monitoring IT controls </li></ul><ul><li>IT personnel may not completely understand how the system processes transactions </li></ul><ul><li>AU 319.22 </li></ul><ul><li>Edit routines in programs designed to identify and report transactions that exceed certain limits may be overridden or disabled </li></ul>
  15. 15. Obtaining an understanding of Internal Control <ul><li>Au 319.26 </li></ul><ul><li>Procedures depend on: </li></ul><ul><ul><li>Size and complexity of entity </li></ul></ul><ul><ul><li>Previous experience </li></ul></ul><ul><ul><li>Specific controls </li></ul></ul><ul><ul><li>Entity’s use of IT </li></ul></ul><ul><ul><li>Changes in systems and operations </li></ul></ul>
  16. 16. Planning the audit <ul><li>Au 319.30 </li></ul><ul><li>What IT risks can result in misstatements? </li></ul><ul><li>The more complex and sophisticated the entity’s operations and systems the more likely the need to increase the auditor’s understanding of internal control </li></ul>
  17. 17. Do you need an IT Audit Specialist? <ul><li>Au 319.31 </li></ul><ul><li>How complex is the IT system? </li></ul><ul><li>How is IT used in operations? </li></ul><ul><li>Have there been significant changes to the system or implementation of new systems? </li></ul><ul><li>Is data shared with other systems either internally or externally? </li></ul><ul><li>Is there e-commerce? </li></ul><ul><li>Is there emerging technology such as wireless networks and devices? </li></ul><ul><li>Is audit evidence available only in electronic form? </li></ul>
  18. 18. What IT audit skills are needed? <ul><li>Developing IT questionnaires </li></ul><ul><li>Understanding and challenging IT personnel responses to technical inquiries </li></ul><ul><li>Locating online system control settings, understanding and evaluating them </li></ul><ul><li>Selecting and using audit software tools </li></ul><ul><li>Designing and performing IT audit tests </li></ul><ul><li>Knowing classic computer control weaknesses </li></ul><ul><li>Keeping up with the latest hacking techniques </li></ul>
  19. 19. A Common Control Environment Weakness <ul><li>Au 319.36 </li></ul><ul><li>Management’s failure to commit sufficient resources to address security risks presented by IT may adversely affect internal control by allowing improper changes to be made to computer programs or to data, or by allowing unauthorized transactions to be processed. </li></ul>
  20. 20. Control Activities <ul><li>Au 319.43 </li></ul><ul><li>The auditor should obtain an understanding of how IT affects control activities that are relevant to planning the audit. </li></ul>
  21. 21. <ul><li>General Controls </li></ul><ul><ul><li>Data center and network operations </li></ul></ul><ul><ul><li>System and application acquisition, development, and maintenance </li></ul></ul><ul><ul><li>Access security </li></ul></ul>
  22. 22. <ul><li>Application controls </li></ul><ul><ul><li>Initiation, recording, processing, and reporting </li></ul></ul><ul><ul><li>Authorization, completeness, validity, accuracy </li></ul></ul>
  23. 23. What is a sufficient understanding? How much is enough? <ul><li>Au 319.49 The auditor should understand </li></ul><ul><ul><li>The IT and manual procedures to record, process, and report transactions from occurrence to inclusion in the financial statements. </li></ul></ul><ul><ul><li>The related records whether electronic or manual used to initiate or record transactions </li></ul></ul><ul><ul><li>How the information system captures events and conditions significant to the financial statements. </li></ul></ul>
  24. 24. How can misstatements occur? <ul><li>Does the system allow employees in the accounting or IT department to inappropriately override automated processes? </li></ul><ul><ul><li>Ex. Changes to account numbers, vendor or customers, or amounts in journals or ledgers </li></ul></ul><ul><li>Does the IT system leave little or no visible evidence of such changes? </li></ul>
  25. 25. Nonstandard, nonrecurring, or unusual transactions <ul><li>Do you understand how nonstandard, nonrecurring, or unusual transactions are authorized, documented, and posted to the system? </li></ul><ul><li>Au 319.51 Such entries may exist only in electronic form and may be more difficult to identify through physical inspection of printed documents </li></ul>
  26. 26. Monitoring <ul><li>Much of the information used in monitoring may be produced by IT. This information may be unintentionally or intentionally incomplete and erroneous. Audit monitoring logs may not be retained, may have gaps in them, or be subject to alteration. Management and auditors may rely on this information and develop a false sense of confidence. </li></ul>
  27. 27. Audit documentation <ul><li>Complex IT systems </li></ul><ul><ul><li>Flowcharts, questionnaires, checklists </li></ul></ul><ul><ul><li>Screen shots, CAAT reports </li></ul></ul><ul><ul><li>Walkthroughs, narratives </li></ul></ul><ul><li>Systems with limited use of IT, non-complex, few transactions </li></ul><ul><ul><li>memorandum </li></ul></ul>
  28. 28. Assessing control risk at the maximum <ul><li>Only substantive tests are performed </li></ul><ul><ul><li>Confirm bank balances </li></ul></ul><ul><ul><li>Confirm a/r </li></ul></ul><ul><ul><li>Observe inventory </li></ul></ul><ul><li>Substantive tests are typically performed based on information produced by the entity’s IT system </li></ul><ul><ul><li>What evidence do you have that information from the IT system is accurate, valid, and complete? </li></ul></ul>
  29. 29. <ul><li>Au 319.68 </li></ul><ul><li>Is there a significant amount of information supporting the financial statements electronically: </li></ul><ul><ul><li>Initiated and recorded? </li></ul></ul><ul><ul><li>Processed and reported ? </li></ul></ul><ul><li>What evidence do you have that controls over IT are effective? </li></ul><ul><ul><li>Your audit evidence derived solely from substantive tests may not be competent and sufficient </li></ul></ul>
  30. 30. Assessing control risk below the maximum <ul><li>Au 319.71 </li></ul><ul><li>Identify the types of misstatements that can occur </li></ul><ul><li>Consider factors that affect the risk of material misstatement </li></ul><ul><li>Identify controls that are likely to prevent or detect material misstatement in specific assertions </li></ul>
  31. 31. Tests of general controls <ul><li>Are changes to programs made without appropriate program change controls? </li></ul><ul><ul><li>Segregation of duties </li></ul></ul><ul><ul><li>Testing </li></ul></ul><ul><ul><li>Documentation </li></ul></ul><ul><ul><li>Authorization </li></ul></ul>
  32. 32. <ul><li>Are authorized versions of programs used for processing transactions? </li></ul><ul><ul><li>Control of development and test libraries </li></ul></ul><ul><li>Have changes been made to financial application programs? </li></ul><ul><li>Is packaged software used with modification or maintenance? </li></ul>
  33. 33. <ul><li>Are access logs produced, retained, and monitored? </li></ul><ul><li>Are changes to security settings monitored? </li></ul><ul><li>Are the security settings appropriate? </li></ul><ul><li>Are critical files and IT personnel audited? </li></ul><ul><li>Does someone independent of IT monitor the logs? </li></ul>
  34. 34. Warning for those that assess risk at the maximum <ul><li>Audit samples, records, and reports that originate from a control environment that allows undocumented, unauthorized, and unmonitored changes may not be competent and sufficient. </li></ul>
  35. 35. What should I do? I’m not an IT auditor and I don’t have time in my audit budget for this? <ul><li>Take an hour or two and interview the CFO and IT manager. </li></ul><ul><ul><li>Does the CFO take any interest in IT? </li></ul></ul><ul><ul><li>Who oversees the IT Manager? </li></ul></ul><ul><ul><li>What are the CFO’s and IT manager’s attitude toward controlling IT </li></ul></ul>
  36. 36. Interviewing the IT Manager <ul><li>Have the IT manager explain the IT system and how financial information is processed. </li></ul><ul><li>Ask the IT manager how unauthorized changes to financial information are prevented and detected. </li></ul><ul><li>If you don’t understand what the IT manager is saying tell him or her so. </li></ul><ul><li>If they still can’t explain it so you understand it they probably don’t understand the controls either, or worse there are no controls. </li></ul>
  37. 37. Conclusion <ul><li>Even if you assess risk at the maximum don’t just copy an old narrative or questionnaire and change the date. </li></ul><ul><ul><li>Take an hour or two to interview the CFO and IT manager specifically about IT controls and document and analyze what they say </li></ul></ul><ul><li>If you want to assess risk at less than the maximum: </li></ul><ul><ul><li>The JHC IT audit department has general and application controls audit programs available. </li></ul></ul><ul><ul><li>These audit programs can be modified specifically for your client </li></ul></ul><ul><ul><li>We can review the responses and help you assess risk and develop management letter comments </li></ul></ul>
  38. 38. Thank you
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.