The-Accountant-Jan-Feb-2018
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Financial Reporting and Assurance<br />
occurrence, completeness,<br />
accuracy, cutoff, allocation<br />
and classification of<br />
financial statement<br />
balances. If the integrity<br />
and availability of data has<br />
an issue, then, the financial<br />
statement account balances<br />
may not be complete,<br />
accurate, may not have been<br />
allocated or classified in<br />
the correct financial period<br />
or account/budget codes<br />
and transactions may not<br />
have occurred. Meanwhile,<br />
confidentiality has a direct<br />
link on the existence of<br />
IT assets. If there is an<br />
issue with physical access<br />
controls of IT physical<br />
assets, as a result, the IT<br />
physical assets may not<br />
have existed as at year end.<br />
Linking IT audit<br />
to financial audit<br />
process<br />
According to ISA 315,<br />
the planning phase of a<br />
financial audit process<br />
requires an auditor to<br />
understand the IT internal<br />
control environment as<br />
part of understanding the<br />
entity. Significant risks<br />
identified in this stage<br />
are considered in risk of<br />
material misstatements in<br />
the financial statements.<br />
<strong>The</strong>se key risks identified<br />
should be linked to<br />
financial statements<br />
balances and responses to<br />
the identified risks should<br />
be determined. This is in<br />
accordance to ISA 330, the<br />
auditor should determine<br />
the appropriate responses<br />
to the identified significant<br />
risks.<br />
Secondly, when<br />
performing the audit<br />
program, test of controls<br />
and substantive test of<br />
details should include a<br />
response to the IT risk<br />
assessment. Finally, audit<br />
findings from IT audit<br />
should be incorporated in<br />
the management letter to<br />
IT assertions<br />
include<br />
confidentiality,<br />
integrity and<br />
availability.<br />
Confidentiality<br />
entails restricted<br />
access techniques<br />
to ensure that<br />
information and<br />
information<br />
resources are<br />
only accessible to<br />
those who have<br />
been authorized.<br />
the auditee. <strong>The</strong>re should also be a linkage<br />
of internal control weaknesses that arose<br />
from significant IT risks identified.<br />
Challenges of linking IT Audit<br />
to Financial Audit process<br />
<strong>The</strong>re are challenges that have been<br />
identified in linking IT audit to financial<br />
statements audit. <strong>The</strong>se include:<br />
• Lack of integration of IT controls<br />
weaknesses in the management letter;<br />
• IT control weaknesses may not<br />
have been reported or communicated<br />
adequately and timely to financial<br />
auditors;<br />
• Lack of clear understanding of IT Audit<br />
issues by Financial Auditors;<br />
• Lack of clear understanding of<br />
Financial Audit issues by IT Auditors;<br />
• IT control weaknesses follow-up has<br />
not been carried out beyond the planning<br />
phase;<br />
• <strong>The</strong> risk of material misstatement at the<br />
financial statement level resulting from<br />
IT control weaknesses is not addressed<br />
during planning, fieldwork, audit<br />
conclusion and audit reporting phases.<br />
Connecting the dots…<br />
<strong>The</strong> following are practical suggestions<br />
of connecting the dots… between IT<br />
audit and financial audit process:<br />
• Risk assessments should also<br />
include a rigorous IT risk assessment<br />
at planning phase. <strong>The</strong> IT internal<br />
control checklist should be filled<br />
accurately with sufficient details to<br />
identify significant IT risks that<br />
would affect the financial audit<br />
approach;<br />
• Responses to significant IT risks<br />
assessed during planning phase should<br />
be documented throughout the audit<br />
process, i.e. in the risk of material<br />
misstatement, overall audit strategy,<br />
audit plan/audit program, reliance on<br />
key controls and audit procedures to<br />
be performed working papers;<br />
• IT controls weaknesses should be<br />
reported accurately and timely to<br />
financial auditors so that they can<br />
be incorporated in the management<br />
letter to the auditee;<br />
• <strong>The</strong>re is need for training for<br />
financial auditors to understand<br />
significant IT risks and how they can<br />
affect their audit approach;<br />
• <strong>The</strong>re is need for training for IT<br />
auditors to understand how significant<br />
IT risks affect the financial statement<br />
assertions and hence financial audit<br />
approach;<br />
• <strong>The</strong>re is need for training for IT<br />
auditors to understand how to report<br />
IT controls weaknesses without using<br />
IT jargon, so that they can be easily<br />
understood;<br />
• IT auditors need to collaborate more<br />
with financial auditors throughout<br />
the audit process; hence IT audit and<br />
financial audit findings should be<br />
reported jointly in one management<br />
letter. <strong>The</strong> two teams should work as<br />
one team;<br />
• Financial audit findings that have<br />
IT control weaknesses related-causes<br />
should be escalated to IT auditor for a<br />
complex IT audit to be carried out.<br />
Conclusion<br />
Going forward, in complex information<br />
technology environments, audit<br />
quality will be particularly determined<br />
by financial statement auditors’ ability<br />
to incorporate IT audit risk assessment<br />
in their audit approach.<br />
achendaeunice@gmail.com<br />
JANUARY - FEBRUARY <strong>2018</strong> 7