Proposed IT Audit Scope to Support
the Annual Financial Statement Audit
By: Mitchell H. Levine, CISA
Audit Serve, Inc.
The need to assess the effectiveness of IT controls to support the annual financial statement audit is becoming commonplace even for small non-public companies. Since small CPA firms do not have expertise within the IT Audit area, they are either adding IT Auditors to their staff or hiring IT auditors on a contract basis to perform IT Audits to support the annual financial statement audit.
The type of IT Audit which needs to be performed to support a financial statement audit is quite different from the traditional IT Audits which are performed of an organization.
The IT Audit to support the annual Financial Statement Audit needs to provide assurance that Infrastructure and Application controls relating to data integrity are effective for the General Ledger system and those application systems which directly impact revenue, asset valuation and expenses. In order to identify the scope of these audits, all applications which impact revenue, asset valuation and expenses need to be identified.
Once the inventory of in-scope applications has been established, the various types of controls which should be included in the IT Audit to support the Financial Statement audit need to be identified. The key control areas should include:
- Logon security controls to prevent the takeover of IDs
- Software change controls to ensure proper security over the production directories which store in-scope application programs and data
- Controls over system access to application functions which affect data used within the financial statements, to ensure that access is restricted to the appropriate individuals
- Controls relating to handling of security requests
- System level access controls relating to direct update of financially-impacted data stored in the databases and files used by the in-scope applications
- OS level access review to ensure that privileged IDs are restricted to the appropriate individuals
- Enabling of audit trails where possible at the OS, application and database levels to identify unauthorized access attempts and updates to financially-impacted data
From an infrastructure standpoint, the key areas which need to be reviewed include the internal network domain, which ties to the OS level controls, and the control of remote access. Controls over remote access permitted via the internet need to ensure that sessions are encrypted and that an additional level of logon security is required.
The review of physical security, data backups and disaster recovery planning is not a key control area for the financial statement audit but should be considered for inclusion in the scope of the audit. However, issues identified within these control areas would in most cases not lead to a significant deficiency. The review of the systems development methodology, service levels and IT performance management is typically excluded from the IT Audit which supports the financial statement audit. However, the effectiveness of the testing performed for the deployment of releases for in-scope applications could be considered in-scope for the IT Audit to support the financial statement audit.
When performing an IT Audit to support the financial statement audit, the most difficult task is determining which issues would represent a significant deficiency or a material weakness. Unfortunately, the limited guidance provided by the PCAOB or AICPA has not included actual examples of IT Audit issues which would lead to a material weakness or a significant deficiency.