Understanding an Entity: IT Applications
An auditor needs to obtain an understanding of an entity’s IT applications that are directly or indirectly the source of financial transactions or the data used to record financial transactions. This understanding helps the auditor assess the risks of material misstatement and design further audit procedures. The following steps outline how to obtain that understanding and document the procedures performed:
- Identify relevant IT applications: Determine the key IT applications that are directly or indirectly the source of financial transactions or the data used to record financial transactions, such as accounting software, billing systems, procurement systems, or payroll systems.
- Review application documentation: Obtain and review the entity’s IT application documentation, such as user manuals, technical specifications, and configuration guides, to gain an initial understanding of the application’s features, functionalities, and data flows.
- Understand the IT environment: Gain an understanding of the entity’s overall IT environment, including hardware, software, networks, and data centers that support the identified IT applications. Consider any relevant third-party service providers, such as cloud providers or system integrators, involved in the application implementation and maintenance.
- Evaluate application-level controls: Assess the design and effectiveness of application-level controls, focusing on areas such as access controls, input validation, data processing integrity, and output controls. Understand the roles of system administrators, developers, and other IT personnel in managing and maintaining these controls.
- Perform walkthroughs: Conduct walkthroughs of key processes within the identified IT applications, tracing sample transactions from initiation through financial statement reporting and disclosure. Observe the execution of control activities and evaluate their effectiveness in addressing risks associated with the IT applications.
- Interview key personnel: Interview key personnel involved in the implementation, operation, and maintenance of the identified IT applications, such as IT management, system administrators, and business process owners. Obtain insights into the applications’ configuration, customization, and control activities, as well as any known issues or challenges.
- Review previous audit findings: Examine any previous internal or external audit findings related to the identified IT applications, assessing how the entity has addressed these issues and implemented any recommended improvements.
- Document the understanding: Create clear and comprehensive documentation of the procedures performed to obtain an understanding of the entity’s IT applications, including a narrative or flowchart that details the applications, processes, and related controls. Highlight any identified risks or control weaknesses and describe how they may impact the financial statements.
- Assess the risks of material misstatement: Based on the understanding of the entity’s IT applications, identify and assess the risks of material misstatement at the assertion level for each relevant financial statement item. This information will be used to plan further audit procedures, including tests of controls and substantive procedures.
By following these steps, auditors can obtain an understanding of the entity’s IT applications that are, directly or indirectly, the source of financial transactions or of the data used to record them, providing a solid foundation for planning and executing the audit.