OTHER AUDIT CONSIDERATIONS (STUDY OBJECTIVE 11)

DIFFERENT IT ENVIRONMENTS

Most companies use microcomputers or personal computers (PCs) in their accounting processes. General controls covering PCs are often less advanced than those covering the mainframe and client–server systems. As a result, PCs may face a greater risk of loss due to unauthorized access, lack of segregation of duties, lack of backup control, and computer viruses. Following are some audit techniques used to test controls specifically in the use of PCs:

  • Make sure that PCs and removable hard drives are locked in place to ensure physical security. In addition, programs and data files should be password protected to prevent online misuse by unauthorized persons.
  • Make sure that computer programmers do not have access to systems operations, so that there is no opportunity to alter source code and the related operational data. Software programs loaded on PCs should not permit the users to make program changes. Also ascertain that computer-generated reports are regularly reviewed by management.
  • Compare dates and data included on backup files with live operating programs in order to determine the frequency of backup procedures.
  • Verify the use of antivirus software and the frequency of virus scans.

In addition to, or as an alternative to using PCs, companies may use IT environments that involve networks, database management systems, e-commerce systems, cloud computing, and/or other forms of IT outsourcing. Many of the procedures described previously may also be used for these different computer configurations.

When companies have accounting information systems organized in local area networks (LANs) or wide area networks (WANs), the auditors must understand how the network is structured. In other words, they must learn how the company's computers are linked together, including the location of all servers and workstations. All of the risks and audit procedures that apply to a PC environment may also exist in networks, but the potential for loss is much greater. Since network operations typically involve a large number of computers, many users, and a high volume of data transfers, any lack of network controls could cause widespread damage. Auditors must apply tests over the entire network. It is especially important for auditors to test the software that manages the network and controls access to the servers.

When companies use database systems, the database management system (including the data, applications, and related controls) replicates or partitions data for many different users. The data will be organized in a consistent way. This tends to make it easier for auditors to select items for testing. However, there are some special considerations for auditors testing database management systems. For example, since many users may have access to the data, the auditors must be sure to evaluate access controls surrounding the database. In addition, it is more important than ever to maintain proper backups in a database environment, because so many people depend on the consistent operation of the database and availability of data. Auditors are responsible for understanding how the data are managed so that they are reliable as a source of information. In addition to testing access and backup controls, as discussed earlier in this chapter, the auditors should perform tests to verify that a database administrator is monitoring access to the company's data and backing up the database on a regular basis. Since many different applications may access and change the data in the database, database control is especially important.

Security risks always exist in companies that use e-commerce, because their computer systems are linked online with the systems of their business partners. As a result, the reliability of a company's IT system depends upon the reliability of its customers' and/or suppliers' systems. The audit procedures used to assess controls in e-commerce environments were addressed earlier in this chapter in the discussion on external access controls. In addition, auditors often

  • Inspect message logs to identify the points of remote access, verify proper sequencing of transactions, and review for timely follow-up on unsuccessful transmissions between business partners
  • Verify that the company has evaluated the computer systems of its business partners prior to doing business over the Internet
  • Reprocess transactions to see whether they are controlled properly
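The message-log inspection in the first bullet can be scripted. The following is an added illustration, not part of the textbook: it runs three checks (points of remote access, gaps in transaction sequence numbers, and failed transmissions with no successful resend within a follow-up window) over a constructed sample log whose line format, partner names and hosts are assumptions.

```python
"""Audit checks over an e-commerce message log (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumed format: "<ISO time> <partner> <remote host> seq=<n> <status>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 ACME gw1.acme.example seq=101 OK
2024-03-01T09:05:00 ACME gw1.acme.example seq=102 FAIL
2024-03-01T09:12:00 ACME gw1.acme.example seq=102 OK
2024-03-01T09:20:00 ACME gw2.acme.example seq=104 OK
2024-03-01T09:30:00 BOLT edi.bolt.example seq=7 OK
2024-03-01T09:31:00 BOLT edi.bolt.example seq=8 FAIL
2024-03-01T11:45:00 BOLT edi.bolt.example seq=8 OK
"""

def parse(log_text):
    """Return (timestamp, partner, host, sequence number, status) tuples."""
    entries = []
    for line in log_text.splitlines():
        ts, partner, host, seq, status = line.split()
        entries.append((datetime.fromisoformat(ts), partner, host,
                        int(seq.split("=")[1]), status))
    return entries

def access_points(entries):
    """Distinct (partner, remote host) pairs: the points of remote access."""
    return sorted({(p, h) for _, p, h, _, _ in entries})

def sequence_gaps(entries):
    """Per partner, sequence numbers that never arrived successfully."""
    seen = defaultdict(set)
    for _, p, _, seq, status in entries:
        if status == "OK":
            seen[p].add(seq)
    return {p: sorted(set(range(min(s), max(s) + 1)) - s) for p, s in seen.items()}

def late_followups(entries, max_delay=timedelta(minutes=30)):
    """FAIL events with no successful resend of the same seq within max_delay."""
    ok_times = defaultdict(list)
    for ts, p, _, seq, status in entries:
        if status == "OK":
            ok_times[(p, seq)].append(ts)
    flagged = []
    for ts, p, _, seq, status in entries:
        if status == "FAIL":
            resent = [t for t in ok_times[(p, seq)] if ts < t <= ts + max_delay]
            if not resent:
                flagged.append((p, seq, ts.isoformat()))
    return flagged
```

On the sample data the checks report two access hosts for ACME, a missing ACME sequence number 103, and a BOLT failure that was not resent within the 30-minute window.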

Because of the difficulty of testing all possible points of access in an online system, auditors sometimes find it more cost effective to perform substantive tests rather than extensive tests of controls.

Some companies may rely on external, independent computer service providers to handle all or part of their IT needs. This is known as IT outsourcing. IT outsourcing creates a challenge for auditors, who must gain an adequate understanding of risks and controls that are located at an independent service center. However, the service center will likely have its own auditors who monitor, test, and/or report on internal controls. This third-party report can be used as audit evidence about the effectiveness of internal controls. Alternatively, auditors may choose to conduct testing at the service center's business location, or perform audit tests around the client's computer.

When companies use cloud computing, their auditors need to thoroughly understand the underlying technologies and related risks and controls. Within a cloud computing environment, the service provider performs important tasks that are traditionally the responsibility of the company's managers. Accordingly, risk assessment may be particularly challenging because the threats to a company's data are uncontrolled, and often unforeseen, by the company.

In addition to merely identifying the threats inherent in a cloud computing environment, it is particularly difficult to estimate their potential costs and overall impact. However, they may be far-reaching, to say the least. It is therefore more important than ever for a company and its auditors to carefully consider whether all relevant risks have been identified and controlled. Below are some sample questions for auditors to consider when evaluating a cloud computing environment:

Security Risks:

  • What damage could result if an unauthorized user accessed the company's data?
  • How and when are data encrypted?
  • How does the cloud service provider handle internal security?

Availability Risks:

  • What damage could result if the company's data were unavailable during peak times or for an extended period?
  • How does the cloud service provider segregate information between clients?
  • What disaster recovery and business continuity plans are in place?

Processing Risks:

  • How are response times and other aspects of operating performance monitored?
  • How does the service provider monitor its capacity for data storage and usage?
  • Is the service provider's system flexible enough to accommodate the company's anticipated growth?

Compliance Risks:

  • What compliance standards does the cloud service provider meet?
  • What third-party assurance documentation is in place?
  • What additional documentation is available to help the company maintain compliance with applicable laws and regulations?

Once an auditor has considered all the aspects of risk, an audit in a cloud computing environment can be carried out according to a typical audit approach. However, because there is no such thing as a standard cloud, it is not possible to standardize a risk assessment process and audit procedures for a cloud computing environment. Therefore, tests of controls must be specifically designed to determine whether identified risks are being properly mitigated, and substantive tests are used in areas where controls are deemed to be lacking. For either type of test, an auditor can gain access to the cloud system and perform testing from the company's location. Useful guidance in conducting audit procedures for cloud computing is available from ISACA's IT Assurance Framework, the International Organization for Standardization (ISO) user guides, and the AICPA's Service Organization Controls (SOC) Framework.

When an auditor is engaged to audit a company that uses cloud computing or some other outsourced service, then the auditor must decide how to obtain evidence regarding the service provider's overall control environment. Auditors can perform their own testing, as described previously, or they can rely upon SOC reports from the service provider's auditors. The SOC 1 report addresses internal controls over financial reporting. An SOC 1 Type I report contains management's assessment and the auditor's opinion on the operating design of internal controls over financial reporting. An SOC 1 Type II report is an extension of the Type I report in that it also evaluates the operating effectiveness of those internal controls. An SOC 2 report considers controls over compliance and operations, including the Trust Services Principles of security, availability, processing integrity, confidentiality, and privacy of a service provider's systems. Similar to the SOC 1 reports, the SOC 2 reporting options also allow for a Type I or Type II conclusion depending upon whether the auditor considers suitability of design or operating effectiveness of those controls, respectively. Finally, an SOC 3 report is an unaudited report that is available to the general public containing a CPA firm's conclusion on the elements of the Trust Services Principles.

CHANGES IN A CLIENT'S IT ENVIRONMENT

When a company changes the type of hardware or software used or otherwise modifies its IT environment, its auditors must consider whether additional audit testing is needed. During its period of change, data may be taken from different systems at different times. As a result, auditors should consider applying tests of controls at multiple times throughout the period in order to determine the effectiveness of controls under each of the systems. Specific audit tests include verification of the following items:

  • An assessment of user needs
  • Proper authorization for new projects and program changes
  • An adequate feasibility study and cost–benefit analysis
  • Proper design documentation, including revisions for changes made via updated versions, replacements, or maintenance
  • Proper user instructions, including revisions for changes made via updated versions, replacements, or maintenance
  • Adequate testing before the system is put into use

Overall, auditors need to evaluate the company's procedures for developing, implementing, and maintaining new systems or changes in existing systems. Chapter 6 addressed the systems development life cycle, which involves the various stages of change within the IT function.

When a client company plans to implement new computerized systems, auditors may find it advantageous to review the new features before they are placed in use. This way, the auditors can have a chance to identify controls and risks in the system, and to communicate relevant issues to management prior to the implementation. This may also give the auditors time to develop effective audit tests to be used when the system is activated.

SAMPLING

Auditors cannot possibly evaluate every aspect of every item that impacts reported information. Auditors rely on sampling, whereby they choose and test a limited number of items or transactions and then draw conclusions about the information as a whole on the basis of the results. Since audit tests do not cover all items in the population, there is some risk that a sample, or subset, of the population may not represent the balance as a whole. Auditors try to use sampling so that a fair representation of the population is evaluated. Computerized software is often employed to help auditors select samples. Random numbers can be generated by software programs. A sample is random if each item in the population has an equal chance of being chosen. The use of computer programs ensures that there is no bias in selecting the test items. Auditors may also use electronic spreadsheets to generate random numbers or to choose sample items by other methods, such as a selection based on item size. The choice of an appropriate sampling technique is very subjective, and different auditors tend to have different policies for using and selecting samples.
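The two selection methods mentioned above, equal-chance random selection and selection based on item size, as an added example that is not from the textbook. It uses a constructed population of invoice book values; the item identifiers, values and the seed are assumptions. The size-based method implements probability-proportional-to-size (monetary-unit) systematic selection, which is one common way to select "based on item size".

```python
"""Two sample-selection methods an auditor might script (constructed data)."""
import random

# Constructed population: (invoice id, book value); assumed values
POPULATION = [("INV-001", 1200.0), ("INV-002", 350.0), ("INV-003", 9800.0),
              ("INV-004", 75.0), ("INV-005", 2100.0), ("INV-006", 640.0),
              ("INV-007", 4300.0), ("INV-008", 15.0)]

def simple_random_sample(population, n, seed):
    """Every item has an equal chance of selection. The seed is recorded in
    the workpapers so a reviewer can reproduce exactly the same selection."""
    rng = random.Random(seed)
    return sorted(rng.sample(population, n))

def size_based_sample(population, n, seed):
    """Probability-proportional-to-size systematic selection: every currency
    unit has an equal chance, so larger items are more likely to be chosen and
    any item at least as large as the interval is always chosen (possibly hit
    more than once). Returns (id, value, number of selection points hit)."""
    total = sum(value for _, value in population)
    interval = total / n
    start = random.Random(seed).uniform(0, interval)  # random start in [0, interval)
    hits = [start + k * interval for k in range(n)]
    selected, cumulative = [], 0.0
    for item_id, value in population:
        low, cumulative = cumulative, cumulative + value
        # selection points falling inside this item's slice of cumulative value
        hit_count = sum(1 for h in hits if low <= h < cumulative)
        if hit_count:
            selected.append((item_id, value, hit_count))
    return selected
```

With four selection points over a total book value of 18,480 the interval is 4,620, so INV-003 (9,800) is selected on every run regardless of the seed, while INV-008 (15) is rarely selected.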
