Achieving Efficiencies of the Financial Statement Audit Through IT
By Melissa Ouari | January 10, 2020
Technology is playing a significant role in how nonprofit organizations conduct their business and is creating new risks, challenges and opportunities at a rapid pace. From an audit perspective, the ability to leverage technology in financial statement audits is bringing increased value to audit committees, boards of directors and executive teams. From the use of data analytic tools to an increasing focus on IT controls around the systems supporting the financial applications, significant efficiencies can be attained within the audit process.
The value that the information technology audit brings to nonprofits lies within the internal control environment: it validates that IT-level controls are working effectively to protect their data assets. The value of using data analytics is immeasurable. However, it is essential for the auditor to be able to rely on the completeness and accuracy of the data. As they say, “your data output is only as good as what you put into the system.” To achieve this, the auditor must have a strong understanding of the IT general control (ITGC) environment of the organization.
ITGCs are a critical component of business operations and financial system controls. The security, integrity, reliability and availability of information rely on the controls around user access, change management and disaster recovery. IT systems are enablers of business processes and controls over financial and other critical data. As such, organizations are investing heavily to increase their focus on IT-level controls to maintain the reliability of data. The IT controls put into place provide the basis for reliance on data, reports and interfaces between systems.
The information generated from the application systems supports financial information that is being relied upon by key decision-makers, auditors, investors and stakeholders, resulting in the Information Technology (IT) audit becoming more critical to the audit of financial statements. The IT auditor needs to be able to ascertain whether controls around user access, change management and disaster recovery are effective. Maintaining reliable financial information is contingent upon having effective ITGCs as part of the organization’s internal control framework.
FOCUS OF THE IT AUDIT
Specifically, the IT audit looks at the following:
- User Access Management
  - The IT auditor needs to determine that users are authorized and that their access is commensurate with their job functions, roles and responsibilities. Access that is not in line with their job function could lead to the posting of unauthorized financial transactions.
  - The IT auditor also needs to determine that administrator access accounts are monitored to deter misuse.
  - The IT auditor needs to review user access de-provisioning controls to ensure that if an employee either separates from an organization or transfers between departments, the access to data is revoked in a timely manner.
  - User access provisioning is key to controlling the access management of an IT application. Additionally, a periodic user access review keeps the access aligned with what is appropriate based upon the job requirement. In the absence of periodic user access reviews, a user may continue to maintain access rights to applications and data that are not appropriate. Further, user access reviews also detect any anomalies within the user access management process.
- Change Management
  - The IT auditor needs to assess controls over the ability to make direct changes in the IT application production environment to mitigate any risk over data integrity. If changes can be made in the production environment, existing controls for a financial transaction could be compromised. For example, if an unauthorized change is made to the depreciation calculation algorithm, it could result in incorrect values that the financial team is relying upon.
  - The IT auditor needs to assess the system development life cycle of a change to validate that changes are developed and tested prior to implementation into the production environment. For example, if a change is implemented impacting the revenue cycle, testing must be done prior to promotion of the change to production to ensure that the appropriate impact on sales is considered.
- Disaster Recovery
  - The IT auditor needs to assess that regular backups are taken and that data can be restored in time to meet recovery time objectives. Organizations that have moved their financial data to “the cloud” must validate that the uptime guarantees as defined in the Service Level Agreements (SLAs) can be met.
  - The IT auditor also needs to assess that recovery capabilities can be met based upon defined recovery strategies and assumptions.
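The de-provisioning and periodic access review checks listed under User Access Management can be run against every account rather than a sample. The following is an added example, not part of the original article or any Marks Paneth tooling; the CSV extracts, column names, role-to-department mapping and the two-day revocation window are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample extracts (not real data): HR roster and application user list.
HR_CSV = """employee_id,status,department,event_date
E001,active,Finance,
E002,terminated,Finance,2020-01-03
E003,transferred,Development,2020-01-06
E004,terminated,Grants,2020-01-02
"""
APP_CSV = """employee_id,role,enabled,disabled_on
E001,AP_CLERK,yes,
E002,GL_POSTER,yes,
E003,GL_POSTER,yes,
E004,AP_CLERK,no,2020-01-09
E999,SYSADMIN,yes,
"""
# Assumed policy values: the article says only "timely" and "commensurate".
MAX_REVOKE_DAYS = 2
ROLE_DEPARTMENTS = {"AP_CLERK": {"Finance"}, "GL_POSTER": {"Finance"}, "SYSADMIN": {"IT"}}

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_access(hr_rows, app_rows, as_of):
    """Test every account (the full population); return (employee_id, finding) pairs."""
    hr = {r["employee_id"]: r for r in hr_rows}
    findings = []
    for acct in app_rows:
        emp = hr.get(acct["employee_id"])
        if emp is None:  # account with no owner on the HR roster
            findings.append((acct["employee_id"], "no matching HR record"))
            continue
        enabled = acct["enabled"] == "yes"
        if emp["status"] == "terminated":
            left = date.fromisoformat(emp["event_date"])
            end = as_of if enabled else date.fromisoformat(acct["disabled_on"])
            lag = (end - left).days
            if lag > MAX_REVOKE_DAYS:
                state = "still enabled" if enabled else "disabled late"
                findings.append((acct["employee_id"], f"{state}, {lag} days after separation"))
        elif enabled and emp["department"] not in ROLE_DEPARTMENTS.get(acct["role"], set()):
            findings.append((acct["employee_id"], f"role {acct['role']} not aligned with {emp['department']}"))
    return findings

if __name__ == "__main__":
    for emp_id, finding in review_access(load(HR_CSV), load(APP_CSV), date(2020, 1, 10)):
        print(emp_id, finding)
```

Each finding is an exception for follow-up, not a conclusion: an account with no HR match may be a legitimate service or vendor account that needs a documented owner.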
IMPORTANCE OF ITGCs
The importance and relevance of ITGCs continue to increase exponentially. They factor into management decision making, financial reporting, and transparency of data and information to stakeholders, boards and audit committees. Additionally, automation and interfaces are becoming increasingly important given the reliance on automated controls such as calculations, access controls, segregation of duties and processing controls.
What happens should there be ineffective ITGCs? This may impact management’s ability to prepare accurate financials, which could result in delays around the financial closing process. From an audit perspective, if the IT auditor concludes that there are ineffective ITGCs, the audit effort may increase due to additional audit procedures and increased sampling necessary to address IT risks.
Conversely, if the IT audit concludes that ITGCs are effective, this opens up further opportunities to achieve efficiencies on the audit. Once IT controls are in place to promote complete, accurate and reliable data, the use of data analytics offers significant benefits to the audit teams. Traditionally, audits were conducted by risk assessment, substantive sample testing and assessment of controls. With data analytics, a full population of entries can be evaluated. There is heightened certainty and precision and less judgment.
A CFO of a large organization stated, “The ability of technology to allow the testing of entire populations shifts the perspective on the value of an audit.” The value of technology is the ability to make the audit more efficient and reduce the amount of time as testing becomes more automated and conducted on a real-time basis. Risks can be identified in a data analytics output report which allows the audit team to adjust the testing and focus on the higher risk areas.
In conclusion, technology and IT audit will continue to evolve and enhance the ability for the audit function to progress from a “what could happen” to a “what happened” mindset based upon the ability to leverage technology to look at full populations that were once just sampled. This change is transformational and of utmost value to our clients. The use of technology and IT audit will help minimize the level of judgment that was once associated with audits. Technology can help identify critical issues in a timely manner so that organizations can address them before they impact the organization’s future performance and financials.
About Melissa Ouari
Melissa Ouari, CISA, CBCP, is a Senior Manager in the Nonprofit, Government & Healthcare Group at Marks Paneth. To this role, she brings more than 20 years of experience in accounting and information technology. Working with clients in an array of industries, including nonprofit and healthcare, Ms. Ouari specializes in IT risk assessment and management as well as IT audits and application level reviews. She is a Certified Information System Auditor (CISA) and Certified Business...