SAS 145 Audit Risk Assessment

Information Technology

This blog is about a particular topic of SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, which largely stays hidden in plain sight. That topic is audit risk assessment related to information technology (“IT”). Risks related to IT are often (intentionally) overlooked. It’s problematic because some auditors don’t exactly feel IT-empowered, myself included. And even though IT requirements have been there for some time now, we find that SAS 145 has given them particular emphasis, perhaps to draw our attention to their importance. It will be no surprise if IT risk assessment is a target for peer review engagements in 2024 and several years after.

SAS 145 requires auditors to consider IT controls that address risks of material misstatement at the assertion level. The standard breaks this down into 1) the risks arising from the use of IT and 2) the general IT controls that address those risks.

In the codification of auditing standards, AU-C Glossary – Glossary of Terms defines the two related aspects of IT risk assessment as follows:

  • Risks arising from the use of IT. Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.
  • General IT controls. Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.

Risks arising from the use of IT

Some IT systems inherently have more risk than other systems. Canned software for which the company cannot access the source code is inherently less risky than larger, more complex, internally developed systems subject to source code modifications.

Interfacing applications inherently have more risk of material misstatement than packages that integrate the various applications.

A partial list of risks arising from the use of IT is:

  • Miscalculations: Coding errors could cause miscalculations of the financial data.
  • Unauthorized Access: Weak controls related to data entry or bugs in the system could compromise the financial data.
  • Data Loss or Corruption: System crashes, cyberattacks, and other failures could lead to the loss of critical financial data.
  • Failure to Update Software: Old versions of accounting software could lead to a host of risks, such as security and compatibility issues.
  • Limited Data Backup and Recovery: Again, this could lead to the loss of critical financial data.

Electronic Spreadsheet Risk of Use

A particular IT category inherently prone to greater risk of material misstatements is the use of electronic spreadsheets, such as Excel.

Here are two examples of risks arising from the use of IT as it relates to electronic spreadsheets:

  • Example 1: Material Misstatement of Construction Revenue. An Excel spreadsheet is a type of IT tool. Many contractors use it to calculate the percentage-of-completion revenue measurement of individual construction contracts. Such spreadsheets may contain numerous contracts rolled over from period to period. Contract information is often imported from the job activity ledgers, but some companies may manually input the data. The calculations are complex and data intensive.
  • Example 2: Material Misstatement of Accrued Loss on Uncompleted Contracts. Certain contractors also use Excel to pull takeoffs from specs and drawings. The takeoff information is summarized in Excel, and formulas and perhaps pivot tables are used to create a summarized bid for a prospective construction project.

The risks arising from the use of IT associated with Excel in the above two examples are extensive. They include potential design and operation errors, such as incorrect cell formulas, cells not being protected (so that formulas can be accidentally or intentionally deleted or overwritten), manual input errors, and human misunderstanding of Excel functionality.

For the first example, there is a significant risk of a material misstatement of construction revenue. The relevant assertions primarily affected by this significant risk of a material misstatement are accuracy and occurrence.

In the second example, there is a significant risk of material misstatement due to the potential failure to record the total amount of the accrued loss on the contract obtained (because, at inception, the bidding error was not discovered by management). The relevant assertions primarily affected by this significant risk of a material misstatement are accuracy and completeness.

General IT Controls

Here is a list of broad general IT controls (not all-inclusive) that auditors should be aware of:

  • Logical Access Controls: Ensure that access rights and permissions are assigned to appropriate users based on their roles.
  • Change Management: Ensure that software, hardware, and configuration changes are approved and monitored.
  • Data Backup and Recovery: Regularly back up critical data and test the recovery process.
  • Network Security Management: Implement firewalls, intrusion detection systems, and secure network architecture.
  • User Authentication: Use robust authentication methods (e.g., multi-factor authentication) to verify user identities.
  • Physical Security: Safeguard physical access to servers, data centers, and other IT infrastructure.
  • Security Awareness Training: A formalized program to educate employees about security best practices.

Now, here’s the thing that you do not want to miss. General IT controls that address a significant risk of material misstatement arising from the use of IT are subject to design and implementation testing.

For the sake of bringing it all together, general IT controls that address the risks arising from the use of IT related to electronic spreadsheets (and are subject to design and implementation testing) are:

  • Logical access controls (restrictions as to who can use the worksheet)
  • Change management (controls over who can change the formulas and other functionality of the spreadsheets)
  • Data backup and recovery (always important to make sure these are in place)

Since the above general IT controls address significant risks of a material misstatement from the use of IT (i.e., electronic spreadsheets) to calculate construction revenue and the accrued losses on uncompleted contracts, the auditor should evaluate the design of those identified controls and determine if such controls have been implemented. This evaluation and determination are customarily done through narratives (perhaps internal control questionnaires) and walkthroughs.
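As an added illustration (not part of the original post, and not any audit firm’s tool) of the spreadsheet risks described above and of the change-management control over formulas, here is a small Python check that fingerprints a workbook’s formulas against an approved baseline and flags rows whose revenue formula departs from the column’s pattern. The cell layout, the cost-to-cost revenue formula (price × costs to date ÷ estimated total cost) and the sample cell contents are assumed.

```python
import hashlib
import re

# Added example, not from the original post. A workbook is modelled as a dict of
# cell -> content: a string starting with "=" is a formula, anything else a typed
# value (what a reader such as openpyxl would hand you). Layout is constructed.

def fingerprint(cells):
    """SHA-256 of every formula's text, keyed by cell: the approved baseline."""
    return {ref: hashlib.sha256(text.encode()).hexdigest()
            for ref, text in cells.items()
            if isinstance(text, str) and text.startswith("=")}

def formula_changes(baseline, current):
    """Change-management check: formulas deleted, overwritten or edited since baseline."""
    base_fp, cur_fp = fingerprint(baseline), fingerprint(current)
    changes = {}
    for ref, digest in base_fp.items():
        if ref not in cur_fp:
            changes[ref] = "formula replaced by value or deleted"
        elif cur_fp[ref] != digest:
            changes[ref] = "formula edited"
    for ref in cur_fp:
        if ref not in base_fp:
            changes[ref] = "new formula outside the approved baseline"
    return changes

_REF = re.compile(r"([A-Z]+)(\d+)")

def normalize(formula, row):
    """Rewrite same-row references (B7 -> B{r}) so rows can be compared as patterns."""
    return _REF.sub(lambda m: f"{m.group(1)}{{r}}" if int(m.group(2)) == row
                    else m.group(0), formula)

def inconsistent_rows(cells, column, first_row, last_row):
    """Rows whose formula departs from the column's majority pattern
    (hard-coded value, wrong-row reference, or missing formula)."""
    patterns = {}
    for r in range(first_row, last_row + 1):
        text = cells.get(f"{column}{r}")
        is_formula = isinstance(text, str) and text.startswith("=")
        patterns[r] = normalize(text, r) if is_formula else "<no formula>"
    majority = max(set(patterns.values()), key=list(patterns.values()).count)
    return sorted(r for r, p in patterns.items() if p != majority)

# Constructed percentage-of-completion sheet (cost-to-cost method assumed): B price,
# C costs to date, D estimated total cost, E revenue earned = B*C/D per contract.
BASELINE = {"E2": "=B2*C2/D2", "E3": "=B3*C3/D3", "E4": "=B4*C4/D4", "E5": "=B5*C5/D5"}
# Current copy: E3 was overwritten with a typed number, E4 edited to divide by row 3.
CURRENT = {"E2": "=B2*C2/D2", "E3": 125000, "E4": "=B4*C4/D3", "E5": "=B5*C5/D5"}
```

Running `formula_changes(BASELINE, CURRENT)` and `inconsistent_rows(CURRENT, "E", 2, 5)` flags rows 3 and 4, which is the evidence a walkthrough of the change-management control would look for.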

Information Technology

A Strange Bed-Fellow Indeed

I recall the first day of my public accounting career. Right out of college and eager. When I walked through the office door on the 19th floor that cold January morning, I was immediately issued an Addo-x adding machine. What a jewel it was. It was huge. It had to be made from cast iron and weighed enough to earn the nickname Two-Ton Tessie from Tennessee. That thing was lugged around to clients in a banged-up dull black carrying case that was impregnable – designed to carry a small nuclear arsenal. And what an arsenal it was. It could perform two functions: add and subtract. That was it. (Well, it could perform multiplication. But it just took too long to use that clunky function.)

There were smaller machines in the office of a different brand, but they were reserved for those with more experience than me. But still, they could only add and subtract. However, there was one machine, a recent purchase, which could actually perform multiplication and division. Large as it was, it was a for-real calculator. It must have cost a small fortune. So remarkable was this new technology that it merited a special cart with casters—more akin to a mobile throne. If you needed it, you had to locate it and then roll it down to your office. It was a delight to use. Eventually, it migrated to the managing partner’s office, where it remained. And that was quite a shame because he never used it.

The managing partner was very savvy. The accounting practice bore his name. Everyone else, including the other partners, was one of his associates. He had an eye for recognizing crucial new technology. The kind of technology that would become a game-changer. Now, understand that he didn’t intend to use the technology himself, but he saw the value of his associates doing so.

However, occasionally, he would miss one. He misjudged the importance of the facsimile machine. He resisted acquiring one for the longest time because he felt that clients would become more demanding. “If you have a fax machine,” he would say, “clients will expect you to stop what you are doing and send it to them right then.” Of course, he was right about that. Finally, a client shamed him into buying one.

But he was spot-on about one bit of technology — the personal computer. When IBM premiered its first PC, the office bought one. He placed it in a vacant office and said it was up to us. “Learn to use it if you want to. But if you don’t, it will eat your lunch.”

It was an odd and scary machine. No hard drive. It had a 5.25-inch floppy drive. It gave you this bewildering “A>.” OK. What do you do next? And what the heck is DOS, and how do you pronounce it?

Information Technology is a Strange Bedfellow

Information technology is much like that weird college buddy who asks to spend a few days with you but doesn’t move out. Not only does he not move out, he also takes over the entire house. Information technology can be your friend but also drive you up the wall screaming for mercy. And IT is replete with odd names and nicknames, like cross-platform, cloud computing, big data, C-prompt, disaster recovery, virtualization, and, worst of all, blog—what a disgusting word.

Disruptive Technology

IT can be very disruptive. It changes the old way of doing things. Thinking back over the years, here are just a few examples of IT disrupting established business practices at firms I worked for many years ago.

Spreadsheets. I wonder how many folks practicing accounting today remember the thirteen-column spreadsheet? Probably some. But I bet many don’t. Before there was Excel, before there was Lotus 1-2-3, before there was Quattro, and yes, before there was Apple’s VisiCalc, there was the thirteen-column pad. A must-have tool of the trade.

I never understood why thirteen columns instead of twelve or fifteen. But the thirteen-column spreadsheet was very versatile and could quickly become a twenty-six-column spreadsheet with a bit of Scotch tape. Nevertheless, the thirteen-column pad was used to prepare such work papers as depreciation and percentage-of-completion job schedules.

Electronic spreadsheets changed everything for accountants. Now number-crunching wasn’t quite as laborious. They reduced many of the careless errors that manual spreadsheets were often riddled with and were much faster at making corrections and running pro forma calculations.

However, there was a learning curve with electronic spreadsheet applications. Some found it to be steep. A few accountants, fond of the old ways, would boast that they had their thirteen-column pad “booted up and running” long before you and your fancy spreadsheet program could say boo. And if you ever found yourself looking at the dreaded blue screen of death, you might catch a smug look out of the corner of your eye.

Tax Preparation. Preparing tax returns by hand, for the most part, had ended shortly before my career began. But not by much. Some in the office delighted in telling agonizing war stories of manual income tax preparation. But when I arrived, the firm used a couple of third-party computerized (mainframe—remember COBOL) tax processing services.

For individual tax returns, the tax information was hand-written on form sheets, picked up by the tax service at the end of the day, processed overnight, and returned the next morning. Then, upon review, invariably, errors were found. So, the process began again – picked up, processed overnight, and returned the next day. And yes. Sometimes it took a third cycle to get it right.

The business income tax return process was similar. Except the forms were shipped out of state. It took even longer.

Then came a better idea. Tax software was installed on the secretary’s PC. So now, the accountants would complete the form sheets and hand them to the secretary to input immediately. Nice.

But then came the game-changer. Someone suggested that a network be installed. Wow! Accountants could directly key the data into the tax program and receive immediate feedback, make corrections, and you’re done. But most accountants back then were men, and few of us had ever taken a typing class. That was a disruption.

Fixed Asset Accounting. As mentioned above, when I came on the scene, we did fixed asset accounting on a thirteen-column pad. As a result, it was slow and error-prone. In addition, it was a royal pain.

Electronic spreadsheets, such as Lotus 1-2-3 and Excel, helped considerably, but the methodology, mechanics, and sheet layout did not change. The format was the same as that used with the thirteen-column pad. As a result, updating the spreadsheet for statutory changes in MACRS percentages, property additions, and dispositions was still cumbersome. Therefore, the electronic format remained very error-prone. Mistakes were common, such as taking more depreciation than the asset’s cost basis and significant errors in depreciation calculations.

The game-changer, however, was applications explicitly written for fixed asset management. So now we were getting somewhere. Enter the data correctly once, and done. And you could easily slice and dice the data in several ways. However, it did have a learning curve.

Why Does New Technology Face Resistance?

Here are some of the reasons end-users resist new technology.

  1. IT is disruptive. Period! By its very nature, it disrupts the status quo. And guess what—some people do not like change of any kind. So perhaps it’s human nature combined with bad past experiences that cause a significant degree of apprehension.

    For years, I lugged around heavy briefcases full of work papers. For some clients, it was literally suitcases jammed full of stuff. And this was because of the fear of saving client work papers on an invisible network.

  2. Setup. IT can be disruptive and thus resisted by some because of an improper setup. Therefore, the company must carefully consider the user-specific design and be mindful of how people work.

    The customization of the application to address the company’s needs takes time. As a result, it is easy for some to jump to inaccurate conclusions about the software during the company’s developmental stage.

  3. Lack of Training. IT can face resistance because the company did not invest in adequate training. Without training, the IT project goes into a tailspin. And rightfully so. The people must be trained to use the application efficiently and adequately.
  4. Lack of Management Support. IT is resisted if it lacks management’s full support. Without the communicated support of management, end-users will not see the importance. Therefore, they will quietly continue doing things the same way.

  5. It Does Not Mirror. IT is resisted because it will never be able to replicate exactly what the people were doing before the new application—a favorite report, the links, the arrangement, the nomenclature – you name it.

    I’ve heard this so many times from clients. “Before the company installed that software, I was able to get a TPS report. But the new system doesn’t have it.”

    Nevertheless, new software often has the desired report or feature, especially if it’s business-critical. But it’s called under a different name, located in another section, arranged in an unfamiliar format, or available by selecting specific options.

  6. A Bad Fit or Bad Software. It could be the software is a bad fit for the company. Or perhaps the software itself is poorly designed by the developer. It’s clunky. It freezes up. It’s not intuitive. It happens, and it’s an expensive error. However, once that is determined, it’s best to cut your losses as quickly as possible and proceed in another direction.