Trusted Professional

Speakers Advocate for IT Audits to Move From Templates to Risk Modeling

Many information technology audits are performed through the use of simple templates provided by practice advisers, mainly because they are easy to complete and don't require much IT knowledge per se. But a pair of speakers at the Foundation for Accounting Education's Nov. 14 Auditing Standards Conference said these templates don't account for the rapid technological advances that have become features of our modern world.

Geraldo Vasquez, an associate professor of accounting and finance at York College, said the problem is that the templates often include outdated descriptions of obsolete systems, some of them 10 or even 20 years out of date. What's more, they're often completed by entry-level staff who don't even understand the questions being asked. 

"These forms often accomplish the opposite of their intent in providing evidence that the auditor does not understand the IT environment. If you don't understand the IT environment, you probably can't assess the IT audit risk," he said. 

But he understands why firms, especially smaller ones, gravitate to them. Many lack the expertise to properly assess the complexity of client accounting systems. They may lack the resources needed to identify risk in the course of an IT audit. They may simply not have enough IT audit experience under their belts to know what to look for. But, he said, relying on templates carries risk not just for the client, but for the auditor as well if the Public Company Accounting Oversight Board (PCAOB) finds out. 

The proposed solution, he said, is to go from a template approach to what he and the other speaker, Bruce Nearon, called a portfolio approach incorporating risk modeling. 

Nearon, managing partner of SOC 1 and SOC 2 Quality PLLC, said the model weighs 35 different factors, many of them not even technology-related, and has the auditor assess each one. He warned that it cannot be followed like a template because it requires the auditor to make value judgments. Depending on the client, some factors will be more important than others, and it's up to the auditor to make that call. So, for example, one factor is whether the client outsources its IT operations. 

"It could be good or bad. Why good? Because it's too complex and hard for this business to run its own IT, so they outsource it. Why could it be bad? Because [the IT company] may keep their financial applications running, but the company [may not] know anything about their security," he said. 

Many other factors present a similar need for value judgment. Does a client using a cloud software provider translate into more risk? It depends on the provider and its own certifications. How many IT employees does the company have? How many IT consultants? The more there are, the more complex things become, but then there's also more support. 

Other factors are a little more straightforward: Is the client in an industry that's generally at higher risk for IT control failures? Is it a public company? Does it use Yellowbook standards, which means it's not subject to peer review? Is this the first time it is doing this audit, or has it done one before and worked to fix problems previously identified? 

"All these factors add up," said Nearon. 

These are all eventually scored on a spreadsheet, which finally produces an IT audit risk and complexity score. Yet auditors, he said, should not use this score as a final result, but rather as a starting point for further conversation. Scores above a certain point level mean further IT procedures are warranted, which would then be overseen by the IT audit specialist. He also noted that the thresholds can be adjusted based on the amount of risk a client is willing to tolerate. 

Nearon is very confident in his model because, he said, it has been field tested for 15 years without a single instance of the PCAOB commenting on it, ever. In fact, he said, it seems the board has been quite supportive. 

"Watch out if the audit staff downgrades the audit risk from high and medium to low, and the audit staff says, 'We don't consider these to be high or medium risk', and they say, 'We have compensating controls we tested.' ... The response was a PCAOB comment [saying,] 'What gives you, the audit staff, the expertise to dispute what the IT auditors are saying if this is not a high or medium risk?'" he said.
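The scoring and threshold approach described above, together with the staff-downgrade scenario in Nearon's closing remark, as an added Python sketch that is not from the article or from Nearon's own model: the 35 factors, their weights and the threshold values are not given on the page, so the handful below are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Factor:
    name: str
    applies: bool        # the auditor's yes/no answer for this client
    weight: int          # auditor's value judgment: > 0 adds risk, < 0 reduces it
    rationale: str = ""  # why that weight was chosen; belongs in the workpapers

@dataclass
class Thresholds:
    medium: int = 5      # score >= medium -> medium risk (assumed value)
    high: int = 10       # score >= high -> high risk, specialist procedures (assumed)

def score(factors):
    """Sum the weights of the factors that apply to this client."""
    return sum(f.weight for f in factors if f.applies)

def rate(total, t):
    if total >= t.high:
        return "high"
    if total >= t.medium:
        return "medium"
    return "low"

def assess(factors, t=Thresholds()):
    """Score the portfolio; the result is a starting point, not a verdict."""
    total = score(factors)
    rating = rate(total, t)
    return {"score": total, "rating": rating, "specialist_procedures": rating != "low"}

def downgrade_flag(model_rating, staff_rating, specialist_concurred):
    """True when audit staff rated lower than the model without IT specialist concurrence."""
    order = {"low": 0, "medium": 1, "high": 2}
    return order[staff_rating] < order[model_rating] and not specialist_concurred

def example_client():
    # Constructed sample client; the same factor can be weighted either way, as
    # with outsourcing: here the client cannot see the provider's security.
    return [
        Factor("IT operations outsourced", True, 3, "no visibility into provider security"),
        Factor("Cloud provider with current certification", True, -2, "independent assurance"),
        Factor("Public company", True, 3, "PCAOB inspection exposure"),
        Factor("Yellowbook engagement, no peer review", False, 2),
        Factor("First-year IT audit", True, 2, "no prior remediation history"),
        Factor("High-risk industry for IT control failures", False, 3),
        Factor("Two IT employees, five consultants", True, 1, "more support, more complexity"),
    ]
```

Lowering the thresholds for a client with less risk tolerance moves the same score from medium to high, which is the adjustment the article says the model allows.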