A test of strength: How well does your firm maintain its IT risk commitments?
This month brings the year-end audit season to a close and, with it, a familiar routine: Firm partners will either be spending their days reviewing workpapers prior to issuing reports or, if the reports have already been issued, conducting postmortems. They’ll engage in discussions about audit risk and attempt to identify how the audit team can place increased reliance on the client’s business processes to effectively achieve audit objectives. Then, in all likelihood, the talk will turn to the importance of IT in achieving these controls—and for many, this is where the disappointment sets in. Though conversations about audit risk increasingly zero in on IT concerns, all too often the promises and commitments to shore up this area made at the start of the year have been waylaid by the end, for one reason or another.
How successful was your team at maintaining its information technology risk commitments this past audit season? Use the questions below as a gauge.
1. Is the team storing all electronic client materials, especially those that contain nonpublic personal information (e.g., payroll) according to firm policies?
Before we consider the strength of a client’s controls, it may be wise to check our own. Audit teams gather very sensitive documents during the audit and many, if not most, firms require that these documents be maintained securely (e.g., using the firm’s electronic workpaper repository or some form of encryption). Unfortunately, we continue to read or hear stories in the media about firms that have lost laptops containing such information due to a lapse in policy or a staffer’s failure to adhere to guidelines. This is one risk that is very much in the control of the audit team and firm to mitigate or reduce to the appropriate level.
2. How well did the team employ computer assisted audit techniques during the audit?
Each of the major vendors used by CPAs when performing computer-assisted audit techniques issued some type of update during 2013. Partners should ask their team how these new features were employed to make the audit more effective. (My personal favorite is using some of the new statistical features available in many software tools already owned by CPAs to analyze revenue cycle transactions. See Mark J. Nigrini’s Forensic Analytics for other ideas on how to use common software.) Remember, it’s not just about using the technology, but about using the technology effectively in order to reduce audit risk to the extent necessary.
3. In assessing the risks of IT on financial reporting, was too much focus and effort expended on a central system or module used to produce financial reports rather than source systems or modules used to generate revenue cycle transactions?
Frequently, audit teams that have a limited appreciation of the role information technology plays in organizations today focus their efforts on those systems that are the last direct link to the production of financial statements. What they fail to realize is that much of the risk in the data contained in those systems originates in source systems or modules. For example, the audit team might focus exclusively on the general ledger module and not consider the risk associated with the revenue cycle module that generates the transactions. In addition to considering the completeness and accuracy controls of the final module, the edit and validation checks of the source module should be considered as well.
4. Does management use information from its accounting systems when making business decisions?
This question is a bit more complex than it first appears to be. The tricky part: determining if the information maintained by the accounting system is sufficiently reliable so that it can be used in decision-making. Audit teams should be aware of the telltale signs that suggest the information may not be accurate. This includes the use of end user tools, such as spreadsheets, to compensate for inaccurate or incomplete data produced by the system; the inability of management to generate and use reports that are pre-programmed and provided by the vendor (and used by others in the industry without problem); and a delay in producing reports due to the need to have the accounting department review for accuracy and completeness.
5. As part of our fraud risk assessment, how did we consider the potential for computer-facilitated fraud, including threats from both external and internal sources?
All of us are well aware of the red flags or fraud risk factors identified in the Public Company Accounting Oversight Board (PCAOB) standard AU 316, Consideration of Fraud in a Financial Statement Audit. In fact, many audit teams use these red flags as a basis for their fraud risk brainstorming discussions. Unfortunately, these teams sometimes operate by the letter of the law but neglect its spirit, and fail to consider how the use of technology can facilitate the circumvention of established organizational controls. It is important to consider fraud mitigation strategies both from a manual perspective as well as through an IT lens.
So, how did your team do? Hopefully, you do not find yourself in a ‘wait till next year’ situation!
Joel Lanz, CPA/CITP, CFF, CISA, CISM, CISSP, CFE, is the sole proprietor of Joel Lanz, CPA P.C., and an adjunct professor at SUNY–College at Old Westbury. He is a member of the NYSSCPA’s Technology Assurance Committee and The CPA Journal Editorial Board, as well as a past chair of the Technology Assurance Committee. Mr. Lanz can be reached at jlanz@joellanzcpa.com.