Business Technology

How the New Risk Assessment Standards Affect Information Technology

In the last two editions of this newsletter, we published a two-part article on how SAS No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, will affect governmental audits. This article examines in more detail the new information technology (IT) requirements that will affect governmental audits. Auditors will begin applying the new risk assessment standards in audits of governmental entities with periods ending on or after December 15, 2023. SAS No. 145 provides new IT risk assessment definitions and has scalability provisions based on complexity. Additionally, there are further considerations for information processing and general IT controls.

IT Complexity

IT systems vary from government to government, sometimes quite significantly. Consider these two scenarios:

  • First, a small city uses a cloud-based accounting system, which does not allow changes to the software code. The software is well-established and has a reputation for reliability. The government has one bookkeeper who enters information from paper documents. The volume of transactions is not significant. The bookkeeper enters a password to access the software.
  • In the second example, a government uses interfaced applications with significant data volume. The software automatically initiates transactions. The government has four IT employees who manage its ever-expanding needs. Sixty persons use the IT system in various ways, including payroll, inventory management, accounts payable, and financial reporting. The accounting department uses IT data in spreadsheets to summarize information for the elected board and management.

Auditors should approach these two entities differently. Why? Because the IT systems impact the risk of material misstatement differently. The audit documentation will also scale based on complexity. Noncomplex IT structures require less documentation, while complex IT structures require more.

SAS No. 145 provides new definitions that assist auditors in determining relevant IT system components.

IT Definitions

Auditors need to understand the risks arising from the use of IT before determining identified IT controls. SAS No. 145 defines risks arising from the use of IT as: Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.

So, the auditors should focus on information-processing controls and those that enhance the integrity of the IT-generated information. But what are information-processing controls?

SAS No. 145 defines information-processing controls as: Controls relating to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information.

An example of an information-processing control is a three-way match in the accounts payable software where the purchase order, vendor invoice, and shipping document must agree. The auditor should consider the need to evaluate the design and implementation of such a control because it enables the auditor to assess the risk of material misstatement at the assertion level. For example, the three-way match affects the completeness assertion for payables and can affect further audit procedures. Consequently, the auditor will include this control in their accounts payable documentation (such as a walkthrough) because it is part of the flow of transactions.
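To make concrete what the auditor is evaluating when walking through a three-way match, here is an added example that is not from the article, from SAS No. 145, or from any accounting package. It implements the control as a batch check over purchase orders, receiving (shipping) documents and vendor invoices; all document numbers, vendor names, quantities and the zero price tolerance are constructed for the illustration. An invoice is released for payment only when all three documents agree, which is the design feature that supports the completeness and accuracy of recorded payables. Note that the control is only as good as the general IT controls around it: if the person keying invoices can also edit the purchase order or receiving records the match compares against, the logical-access weakness undermines the transaction-level control, which is the point the next paragraph makes.

```python
# Added illustration of a three-way match as an information-processing control.
# Data, identifiers and tolerance are constructed for this example; nothing here
# comes from SAS No. 145 or any particular accounting system.
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class ReceivingReport:
    """The shipping/receiving document: what actually arrived against a PO."""
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class VendorInvoice:
    invoice_number: str
    po_number: str
    vendor: str
    quantity_billed: int
    unit_price: Decimal


def three_way_match(invoice, purchase_orders, receiving_reports,
                    price_tolerance=Decimal("0.00")):
    """Compare one invoice with its PO and receiving report.

    Returns a list of exception strings. An empty list means all three
    documents agree and the invoice may be released for payment; any
    exception holds the invoice until a person resolves it.
    """
    exceptions = []
    po = purchase_orders.get(invoice.po_number)
    if po is None:
        # No authorised purchase order: the invoice should not reach payables.
        return [f"no purchase order {invoice.po_number} on file"]
    if po.vendor != invoice.vendor:
        exceptions.append(f"vendor mismatch: PO {po.vendor!r} vs invoice {invoice.vendor!r}")
    receipt = receiving_reports.get(invoice.po_number)
    if receipt is None:
        exceptions.append(f"no receiving report for PO {invoice.po_number}")
    else:
        if invoice.quantity_billed > receipt.quantity_received:
            exceptions.append(
                f"billed {invoice.quantity_billed} but only {receipt.quantity_received} received")
        if receipt.quantity_received > po.quantity:
            exceptions.append(
                f"received {receipt.quantity_received} exceeds PO quantity {po.quantity}")
    if abs(invoice.unit_price - po.unit_price) > price_tolerance:
        exceptions.append(
            f"unit price {invoice.unit_price} differs from PO price {po.unit_price}")
    return exceptions


def review_invoices(invoices, purchase_orders, receiving_reports):
    """Run the control over a batch; returns {invoice_number: exceptions}."""
    return {inv.invoice_number: three_way_match(inv, purchase_orders, receiving_reports)
            for inv in invoices}


# Constructed sample documents (not real transactions).
PURCHASE_ORDERS = {
    "PO-1001": PurchaseOrder("PO-1001", "Acme Office Supply", 10, Decimal("25.00")),
    "PO-1002": PurchaseOrder("PO-1002", "Northside Fleet Parts", 4, Decimal("180.00")),
    "PO-1003": PurchaseOrder("PO-1003", "Acme Office Supply", 2, Decimal("300.00")),
}
RECEIVING_REPORTS = {
    "PO-1001": ReceivingReport("PO-1001", 10),
    "PO-1002": ReceivingReport("PO-1002", 3),   # one unit short-shipped
    # PO-1003: nothing received yet
}
INVOICES = [
    VendorInvoice("INV-501", "PO-1001", "Acme Office Supply", 10, Decimal("25.00")),
    VendorInvoice("INV-502", "PO-1002", "Northside Fleet Parts", 4, Decimal("180.00")),
    VendorInvoice("INV-503", "PO-1003", "Acme Office Supply", 2, Decimal("300.00")),
    VendorInvoice("INV-504", "PO-9999", "Unknown Vendor LLC", 1, Decimal("950.00")),
]

if __name__ == "__main__":
    results = review_invoices(INVOICES, PURCHASE_ORDERS, RECEIVING_REPORTS)
    for number, problems in results.items():
        status = "APPROVED" if not problems else "HELD: " + "; ".join(problems)
        print(f"{number}: {status}")
```

Running the block approves INV-501 and holds the other three, each with the specific exception an auditor would expect to see in the exception report during a walkthrough. The exception list, rather than a bare pass/fail, is what lets the auditor judge whether the control is designed to catch the misstatements that matter for the payables assertions.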

Even if transaction-level controls are sound, employees might corrupt accounting information if general IT controls, such as password protection, are absent. SAS No. 145 defines general IT controls as: Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.

Examples of general IT controls include:

  • Passwords
  • Logical access (restrictions on which users can reach which software modules)
  • Backup and recovery
  • Intrusion detection
  • Change management

Now, let’s consider SAS No. 145 IT requirements.

SAS No. 145 IT Requirements

SAS No. 145 requires the auditor to identify the IT applications and other aspects of the entity’s IT environment that involve risks arising from the use of IT. Additionally, the auditor should determine the general IT controls that address the risks arising from the use of IT and evaluate their design and implementation.

So, consider which IT components affect the entity’s transactions, account balances, and disclosures. For example, would the three-way match control affect accounts payable and expenses? And is the entity relying upon this control to process its financial information accurately? Obviously, yes. So, the auditor gains an understanding of this information-processing control. Are there general IT controls related to accounts payable, such as passwords and logical access assignments? Usually the answer is yes. Therefore, the auditor needs to evaluate the design of these controls and determine whether they have actually been implemented.

Can emerging technologies such as blockchain affect the audit? Yes. The SAS No. 145 requirements remain the same for more complex IT processes.

Auditors should consider the entity’s reliance on IT system components and understand the related information-processing and general IT controls as part of audit planning.

Practical Consideration: Know your limits. If your client has a particularly complex IT process, consider adding an IT audit specialist to the audit team.

© 2024 Thomson Reuters/PPC. All rights reserved.