Understanding the Auditor’s View of the Client’s IT Environment

28. 11. 2025

Information systems are essential to most companies today. During audits, we encounter various systems and applications at clients — from large ERP packages and core production systems to supporting records, Excel files, and purpose-built applications. Companies acquire these systems either as packaged software or as custom-developed solutions created by external providers or their own employees. These systems may run on different platforms, and the degree of integration and cooperation between them can vary — as can the staff who manage or operate these systems.

The auditor’s obligation to understand the client’s IT environment and perform a review of the functioning of the IT system arises from the international standard ISA 315. It is important to highlight that an IT review performed for audit purposes is not a full IT audit under commonly recognized frameworks (COBIT, NIST, ISO/IEC 27001) or other regulatory requirements. The scope of these tests is determined by the auditor based on their understanding of the client’s IT environment and their professional judgment in line with ISA standards.

What does the auditor focus on at the client?

For auditors, key systems include those used for accounting, inventory management, and point-of-sale operations. The auditor must understand the entire IT environment and its governance, the IT systems themselves, their architecture, data flows, processing and storage of transactions and data, and the security of these systems. But understanding alone is not sufficient. The auditor must identify general IT controls and other relevant controls and subsequently test their effectiveness. Simply stating and documenting effectiveness or ineffectiveness is not enough. The auditor must also consider whether compensating controls exist and attempt to determine the specific impact of ineffective IT controls.

What is the impact of ineffective IT controls on the financial statements?

It is often very difficult to determine the exact impact of ineffective IT controls on the financial statements. If the auditor finds that the security policy is not properly approved, password rules are weak, or monitoring and incident-logging tools are missing, the impact on the financial statements will generally be minimal. However, we can still inform management about these deficiencies in an official management letter. Ineffective IT controls may lead to events that could negatively affect the company’s future operations. Key areas of general IT control testing include access management, data security, change management, application testing, and data backups.

What are the most common auditor findings?

Common findings include ineffective provisioning and removal of access rights, excessive administrator privileges, use of shared accounts, non-compliance with the company’s security policy, insufficient server room security, access rights inconsistent with segregation-of-duties principles, lack of backup personnel for key IT roles, insufficient security monitoring, inadequate separation of development and production environments, insufficiently documented system testing, lack of business process automation resulting in excessive manual intervention and related data risks, and missing automated workflows.

When reviewing the client’s IT environment and testing controls, auditors may involve IT specialists (experts). This support is invaluable for performing an effective audit at a time when IT represents a significant part of most clients’ operations.

© Schaffer & Partner 2025