Reasonable Skepticism Required
Comments on
“A Framework for Evaluating Process/Transaction-Level and Information Technology General Control Exceptions and Deficiencies Version 2, 21 October, 2005” in light of the Public Company Accounting Oversight Board (PCAOB) proposed auditing standard, “An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements” (“AS5”) Chris Anderson, CA(NZ), CISA, CMC, CISSP
Toronto, Canada, 8 May, 2007
The views presented in this document are the author’s alone and do not claim to represent the views of any other organization.
On December 20, 2004, a working group of representatives from the major accounting firms in the U.S.A. outlined a suggested framework for evaluating manual and automated process/transaction level, and information technology general control (“ITGC”) exceptions and deficiencies, in the context of ‘AUDITING STANDARD No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements’ issued March 9, 2004 by the Public Company Accounting Oversight Board. While the Introduction to this framework document cautioned readers that ‘the mere mechanical application of this framework will not, in and of itself, necessarily lead to an appropriate conclusion’, it uses unproven logic to provide guidance to auditors that could lead to increased audit sampling risk and non-sampling risk, particularly when complex information systems are being evaluated by audit teams lacking appropriate experience and expertise. This aspect of the framework should not be adopted by regulatory and standards setting bodies without debate, since it sets the stage for liberal assessment of internal controls over financial reporting.
This paper looks at whether the changes from AS2 to the draft AS5 provide better direction to ‘integrated auditors’ on how to incorporate ITGC deficiencies into the evaluation of internal control design.
In summary, the ‘framework’ appears to allow the auditor to evaluate ITGC as not designed effectively, but ignore the evidence of such a pervasive internal control deficiency when evaluating business cycle and associated application level internal control design effectiveness. Further, the requirement to expand the nature and extent of testing application controls in a weak IT general controls environment is merely an ‘additional consideration’ at the end of the section titled “Evaluating ITGC Deficiencies” (Chart 3). This could result in a situation where the nature and extent of application control testing for the purposes of evaluating the operational effectiveness of internal controls over financial reporting will be based on an optimistic but incorrect assessment of a) the expected number of internal control deviations in the IT general controls population, and b) the confidence that can be placed on the compliance test results. The auditor will also be able to conduct ‘point-in-time’ tests of business cycle/application level internal controls in a period before a client’s year-end (or required reporting date), and use the results of such tests as a basis for concluding on internal control operational effectiveness at year-end (or the reporting date). This removes the expectation that auditors apply ‘reasonable skepticism’ in conducting their control risk assessments.
The framework was incorporated into PCAOB ‘Staff Questions and Answers – Auditing Internal Control Over Financial Reporting’ issued November 22, 2004. Question Q35 of this document makes the following claim:
“IT general controls, by their nature, do not affect a company's financial statements directly.”
This premise is not supported by any explanation of the logic behind the statement or empirical evidence.
Answer A35 states:
“To evaluate the significance of a deficiency in IT general controls, the effect of the deficiency on application controls should be evaluated. An application control might be effective even if deficiencies exist in IT general controls. For example, in the presence of deficient program change controls, management and the auditor might be able to determine that, in the circumstances, the relevant application controls were operating effectively as of the date of management's assessment……In this case, the deficiency in IT general controls could be classified as only a deficiency. On the other hand, deficient program change controls might result in unauthorized changes to application controls, in which case the application controls are ineffective…….An IT general control deficiency in the absence of an application control deficiency could be classified as only a control deficiency.”
Automated controls need a ‘safe house’ within which to operate! If proper evaluation of internal control design effectiveness requires that the identified control is not only correctly designed on paper but placed in operation, then where else is an application control ‘placed’ if not into what we used to call a ‘computer environment’? The conceptual and practical problem lies in the situation where apparently strong application controls operate in a weakly controlled computer environment, for example where accounting system packages are installed on a computer server within a LAN where the LAN and server operating system and database management system password rules are weak, little or no logging and review of possible unauthorized activity takes place, and too many people have LAN and server administration privileges. This actually happens in small to medium organizations, and in a few large ones from time to time!
Application controls do not operate in a vacuum. An operating system has to translate the application instructions into machine instructions, perform arithmetic and logic tasks, and provide the result back to the application. It is not logical to say that an application control continued to operate effectively even for 24 hours (e.g. the date of management’s assessment) where the organization has weak program change controls. In order for management, and the auditor, to have sufficient appropriate evidence that a specific application function supporting a control objective was designed effectively (including ‘placed in operation’) and operating effectively, either: a) the application software and all supporting system software has to be shown to have been frozen for at least the reporting date in question and then tested by management and the auditor in that 24 hours, or the whole system frozen for longer to accommodate the required testing; or b) the extent of testing performed by management and the auditor should be extensive enough to support the claim that the application control operated effectively as of the assessment date in an environment that was not well managed and potentially hostile (i.e. not adequately protected from erroneous and malicious actions). Further, what extent of application control testing is sufficient to conclude that weak program change controls did not cause application controls to stop operating correctly? If we have weak change controls that apply to the majority of a client’s systems, just how much testing, and how rigorous a test plan, is needed?
The CICA IT Control Guidelines (3rd Edition) clearly disagree with the approach suggested by the working group in the ‘evaluation framework’: ‘For reliance by management or auditors to be placed on fully automated control procedures or computer-assisted control procedures, general computer controls must be implemented and operating consistently and reliably. If they are not, there can be no assurance that fully automated and computer-assisted controls continue to operate as designed. Fully automated and computer-assisted controls do not compensate for weak general computer controls. If the condition of general computer controls is less than satisfactory, greater assurance must be sought from manual control procedures which do not in turn require assurance from general computer controls.’
In July, 2004, the CICA Information Technology Advisory Committee issued a white paper titled ‘IT Control Assessments in the context of CEO/CFO Certification’. It states: “IT controls are fundamental to the reliability and integrity of the information processed by the automated systems on which most organizations are dependent for their business and financial transaction processing – and overlooking or minimizing their importance creates a significant risk. ……The effectiveness of other controls, particularly manual controls, is also more often than not dependent on the effectiveness of IT controls.”
The proposed AS5 provides better, but not ideal, guidance on how the risk that application controls will or will not function with a high level of processing integrity should be evaluated. However, it does not specifically require that an application based internal control be situated within a ‘well controlled’ computer environment for it to be considered designed effectively. Again, where an application control should be placed in operation seems not to have been considered. What AS5 says that is relevant to this important issue is:
AS5 Extract / Commentary

AS5 para. 4: The general standards …. require … professional skepticism.
Commentary: To blithely evaluate the design of an application control without considering the controls over the computing environment in which it has been placed is the antithesis of skepticism.

AS5 para. 5: The auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting.
Commentary: The widely used COSO framework does not specifically address the relationship between application controls and ITGCs.

AS5 para. 12: …. A smaller and less complex company with simple business processes and centralized accounting operations often has relatively simple information systems that make greater use of off-the-shelf packaged software without modification. In the areas in which off-the-shelf software is used, the auditor's testing of information technology controls should focus on the application controls built into the pre-packaged software that management relies on to achieve its control objectives and the IT general controls that are important to the effective operation of those application controls.
Commentary: This section leads one to consider the risk that application controls will not operate effectively without strong ITGC. If an application control is not going to operate effectively because of weak ITGC, how can it be evaluated as designed effectively?

AS5 para. 34: For each significant process identified, the auditor should…..Understand the flow of major classes of transactions, including how the transactions are initiated, authorized, processed and recorded;
Commentary: The flow of transactions within an application system obviously includes not only the compiled or run-time application logic and data but also the loading of the application logic into the CPU by the operating system and the manipulation of the associated data within, say, a database management system. We can’t just conveniently state that this flow within the computer does not occur.

AS5 para. 35: … Paragraphs .16 through .20, .30 through .32, and .77 through .79, of AU sec. 319, Consideration of Internal Control in a Financial Statement Audit, discuss the effect of information technology on internal control over financial reporting and the risks the auditor should assess. The auditor should apply this direction when auditing internal control over financial reporting.
Commentary: See below for specific comments on AU sec. 319.

AS5 para. 52: Factors that affect the risk associated with a control include…..The degree to which the control relies on the effectiveness of other controls (e.g., the control environment or information technology general controls);
Commentary: For application controls, there is direct risk/reliance on ITGC.

AS5 para. 62: In determining the extent of procedures to perform, the auditor should assess the following factors:…….Frequency of operation. Generally, the more frequently a manual control operates, the more operations of the control the auditor should
Commentary: If the logic concerning a ‘test of one’ is sound, then it also follows that an ‘automated control’ has to be tested extensively in the absence of ITGC operating effectiveness. In fact, it is difficult to argue that such testing should