（2009）Evaluating Software Risk as Part of a Financial Audit.pdfVIP

T E C H N O L O G Y t h e c p a t h e c o m p u t e r Evaluating Software Risk as Part of a Financial Audit By Yigal Rechtman he attention standards setters have given to the comput- Reliance on IT controls has become more formally recognized erized environment has varied over the years. Currently, under the Public Company Accounting Oversight Board’s Treferences to information technologies (IT) are sprinkled (PCAOB) Auditing Standards 2 and 5. AS5 requires the around the margins of audit standards. Yet in most com- following: plex organizations (defined here as a work environment large [27.] As part of evaluating the period-end financial reporting enough to enable a degree of segregation of duties), the process, the auditor should assess— majority of an entity’s internal controls are handled by IT. ■ Inputs, procedures performed, and outputs of the processes According to a GAO estimate, internal controls are approxi- the company uses to produce its annual and quarterly finan- mately 80% performed in some way by a computerized fea- cial statements; ture (Standards for Internal Control in the Federal Government, ■ The extent of information technology … involvement in November 1999, /special.pubs/ai00021p.pdf). the period-end financial reporting process. 68 JUNE 2009 / THE CPA JOURNAL Similarly, Statement on Auditing output” activity, meaning that the validity able, accounts payable, and payroll. A lega- Standards 109, Understanding the Entity of the inputs and outputs would ensure cy software would be