Informational support in the financial statement audit

• 1.    Introduction

  Operating of a modern company without application of information and communication technologies is inconceivable. “Companies require information technology to assist their operational tasks” (Dharma-wati et al, 2022: 3036). Information technologies (IT) and information systems (IS) bring many benefits. The topic of IT’s impact on accounting (accounting information system – AIS), audit and profession has been attracting the attention of many researchers, professional circles and general public. While on one hand there are very progressive predictions that IT will fully replace accountants, on the other hand there are somewhat more traditional standpoints indicating that IT cannot replace humans. There is no simple response to this dilemma, and there is anyway no final response. There is no simple response because the impact of IT on accounting concept, organization and functioning of AIS and on the audit itself is manifold. Then again, it is impossible to provide a final response because at this moment one cannot even conceive which technologies and systems will exist in 50 or 100 years. In order to analyze the specified problem in a

  more detail, two crucial change domains need to be identified. The first one implies accounting (including AIS organization and functioning issues) and auditing processes, and the second one changes in accounting profession (Sutton, 2010: 4).

• 2.    Application of information technologies in accounting and audit

  Regarding the impact of IT on organization and functioning if AIS, it should be emphasized that the changes occur in domain of accounting organization instruments (bookkeeping documents, business records and reports), but also in methodological solutions domain (Malinić & Todorović, 2011: 25). Importance of bookkeeping documents is decreasing due to emergence of electronic documents. Basically, documents maintain the function of verification (validation) of incurred business changes, but some of their other functions lose their significance (e.g. function of account assignment instrument). Additionally, even though the obligation to keep a journal as a compulsory and the main business book is still in force, its significance is decreasing (loss of function of automated double entry control).

• 3.    Properties of information technologies used in financial statements audit

  Speaking of application of information technology in the financial statements audit, audit software should be distinguished from computer assisted audit techniques. Audit software and Computer Assisted Audit Tools and Techniques (CAATT) should be implemented for the purpose of providing efficient and effective audit process (Hunton et. al, 2003).

Application of integrated information systems, for example, enables recording of business events in real time and place of the event. Accordingly, business books can be closed almost on a daily basis, and financial statements can be made on a daily basis as well. Hence the increased assortment and volume of produced information and reports for numerous users.

The International Auditing and Assurance Standards Board has defined audit software as a computer program that assists auditors in accessing client’s data and implementing audit tests (IAASB, 2013:7). Software that serves to satisfy specific requirements of financial statements audit can be observed as generalized audit software or customized audit software depending on whether it is purchased at the market as a readymade software solution or is customized to suit the needs of auditing company (Cascarino, 2007).

Generalized audit software implies programs purchased at the market as a ready-made software solution designed to satisfy auditor’s needs. Best known software solutions in generalized audit software domain include Audit Command Language (ACL) and Interactive Data Extraction and Analysis (IDEA). Alternatively, audit companies can decide to have the software specifically developed for their own needs concerning the financial statements audit. Those are the cases of so-called customized audit software that is typically developed in Excel environment and is attuned to audit company specifics.

Development of such customized software is typically more costeffective compared with purchase and maintenance of generalized software. On the other hand, generalized software functions more to the sufficiency of supplier’s testing of software before going to the market. The final decision on the selection of software in audit is made by the management or by the audit company’s owner. Regardless of the type of implemented software, the audit software should provide realization of the following specific activities related to financial statements audit.

During financial statements audit, auditors are obliged to test the client’s internal control system. As clients use AIS, auditors are also obliged to inspect internal controls of accounting information system since they make up an integral part of the overall internal control system. Computer assisted audit techniques are primarily used for examining the adequacy of internal controls functioning in information systems environment, as well as for performance of some basic tests (Coderre, 2008).

Some of the techniques for implementing audit financial statements are as follows: (Andrić et. al, 2015: 185)

• -    Test data;

• -    Integrated test data;

• -    Parallel simulation;

• -    Online audit monitoring and - Program code and its evaluation.

• 4.    Implementation of software in financial statements audit

Implementation of audit software changes the manner in which the audit activities are performed. Auditing process does not change. The activities included by financial statements audit are defined by audit regulations. The only change imposed by digitalization of financial statements audit refers to the manner the audit is performed. Therefore, when audit is performed in digital environment, auditor shifts from manual data processing to implementation of information technologies. In that sense, main specifics of audit software application in financial statements audit may be observed from the several aspects (Mijić, 2015: 248):

• -    Volume of evidence to be collected,

• -    Reliability of audit evidence, - Duration of audit activities.

Application of audit software for performing control and substantive audit tests contributes considerably to abandonment of the sample application concept in audit. To be precise, by using audit software, auditors are able to perform audit test in a rather short time period based on entire population. This reduces the risk of the auditors not detecting material errors in their work, i.e. the risk of material errors being contained in domain not subjected to the audit. So, for example, by using audit software, calculation of depreciation for all fixed assets, accuracy of foreign currency translation for liabilities and receivables denominated in foreign currency etc. can be checked in a quick and easy manner. In that way evidence is collected in such volume that, for some tests, equals the whole population, which reduces the risk from expressing inadequate audit opinion.

From the aspect of audit data collecting, software application in audit provides high reliability evidence. In other words, audit software that is correctly made and tested always processes data in the same correct manner. This reduces the risk of error in data processing, extremely common in manual data processing by the auditor.

Table 1 : The aspects of observing application of audit software in financial statements audit

1.	Volume of evidence to be collected
2.	Reliability of audit evidence
3.	Duration of audit activities

Source: Mijić, 2015: 243.

Duration of financial statements audit is reduced due to application of audit software and automated performance of audit activities. Shortening of time needed for implementation of audit activities primarily refers to data processing, but then again it also gives auditors time for analysis and interpretation of results. Auditing is an intellectual activity done by a person, so application of information technologies will not replace auditors but will instead give them more space for implementing the specified activities. Reduced operational time of the auditor equals reduced audit costs, since the major audit cost is work, i.e. engagement time of audit team members.

As a part of testing and evidence collecting activities, auditors need to test and collect evidence on operating of auditee’s internal controls systems. Since auditees implement the accounting data processing by applying accounting information systems, in financial statements audit the auditors are obliged to test the internal controls of accounting information system. Internal controls of accounting information system represent an integral part of the overall internal control system of the client.

The following application controls are integrated into the accounting information system: (Andrić et al, 2015: 184)

• -    Input controls check the inte— grity of data entered into the information system as to whether the entered data satisfy the defined parameters. Input controls should prevent entry of incorrect data into accounting information system.

• -    Processing controls should assure that the accounting data processing is performed incompliance with accounting regulations.

• -    Output controls should provide accuracy and completeness of output and distribution of information to authorized persons.

• 5.    Information technology audit

For specific controls of the accounting information system the auditor creates test data and defines the anticipated results. The anticipated results are compared with the accomlished results for the purpose of checking the adequacy of functioning of the internal controls of the accounting information system.

Inadequate functioning of the internal controls of the accounting information system does not necessarily imply errors in financial statements, but only a higher risk of errors.

Development of information technology audit was caused by major, unexpected scandals that that have shaken the business circles. Barings, one of the oldest banks in London, went bankrupt following one such incident. To be specific, general manager of Barings managed to bypass organizational structures, regular audits and internal controls and to work without any supervision whatsoever. Bankruptcy occurred because of his so-called futures contracts, which are contracts between two parties, for sale or purchase of a particular property of standardized quality and quantity at prices agreed for that day (future prices), that are traded with at future exchanges.

After this, there was the scandal in Enron corporation, one of the biggest energy companies in the USA. By using accounting loopholes and poor financial statements, as well as the pressure on Arthur Andersen’s auditors, management of Enron corporation managed to hide billion-dollar debts related to unsuccessful offers and projects. This scandal was followed by the collapse of Arthur Andersen company that was one of the “Big Five”

These events resulted in stricter audit and control. New laws and regulations were enforced in order to ensure independence and objectivity of auditors, and financial reoring was expanded and improved.

In the light of those events, information systems audit must be well revised. Information systems and technologies cannot be observed separately from the remaining control environment, and it is only logical to implement legal regulations and corporative management requirements (Basel II) in that operating area as well. IT audit is the assessment of information technologies, practices and operations that assure integrity of information subject. Such assessment includes evaluation of effectiveness, efficiency and cost-effectiveness of computer assisted practices.

• -    Assessment of internal controls in information technology environment in order to assure validity, reliability and security of information;

• -    Assessment of effectiveness and efficiency of information technology environment in economic terms;

• -    Types of IT audit by operation area

• -    Technical IT audit – it covers infrastructure, data transmission and communication data;

• -    Application IT audit – it covers business and financial elements;

• -    Organizational IT audit – it covers information technologies governance;

• -    Developmental and implementation IT audit – it covers specifications, requirements, design, development and implementation;

• -    Legal IT audit – it covers national and international standards.

Nowadays, when computers and information technologies have become an integral part of life and business, their constant and ever more dynamic changes and advancements as well as large companies’ dependence on information systems and technologies call for necessity of control and audit of those technologies.

Table2: IT audit types by operation area

Technical IT audit – covers infrastructure, data transmission and communication data Application IT audit – covers business and financial elements Organizational IT audit – covers information technology management

Developmental and implementation IT audit –covers specifications, requirements, design, development and implementation

Legal IT audit – covers national and international standards

2015:158.

IT Governance consists of management, organizational structure and processes that guarantee that IT supports and expands organizational goals and strategies. IT governance is the responsibility of both management and board of directors. Assurance of IT values, management of IT risks and control of information represent the core of IT governance. Development of IT leads to increased significance of audit and control of these technologies’ governance.

IT governance includes the following areas (Stanišić, 2009, 68):

• •    Strategic alignment focuses on ensuring the alignment of business and IT plans, on defining, maintenance and validation of IT values as well as IT operations management in compliance with business operations;

• •    Value delivery focuses on executing value proposition through a delivery cycle that assures that IT delivers promised benefits through strategy, with emphasis on cost optimization and IT’s own value validation;

• •    Resource governance implies optimal investment and proper

management of critical IT processes such as: applications, information, infrastructure and people. Key issues refer to optimization of knowledge and infrastructure;

• •    Risk management requires raising risk awareness among employees and management, clear understanding of company’s risk appetite, understanding of compliance, transparency concerning important risks within company and introducing accountability measures for risk management in organization;

• •    Implementation measures monitor and supervise application of strategy, projects closure, use of resources, work and service provision processes using for example balanced scorecard that translates strategies into action for the purpose of accomplishing the best gaols measured outside of conventional accounting methods.

“With the likelihood of a continued trend for digitization and accelerated change delivery,

IT strategy and governance needs to be both streamlined, and also in so-mecases, enhanced.” (Deloitte, 2021: 24).

IT governance framework, such as COBIT, may be a key element in providing appropriate control and management of information and systems.

• •    IT is aligned with operating;

• •    IT enables operating and maximizes benefits;

• •    IT resources are used responsibly;

• •    IT risks are managed adequately.

Companies should actively supervise governance of information technologies, ensure that IT operations, risks and opportunities are governed in such a manner so as to contribute to successful business score of organization, and yet the data of Nacional Association of Corporate Directors (NACD) indicate a small number of companies with IT supervision boards.

A key factor for a successful introduction and implementation of new technologies and information systems into internal control department is staff who need to have certain knowledge on information systems application. There is no doubt that in the last 10 to 15 years information technology and computer-assisted techniques have been invading conventional audit procedures and processes and established audit techniques used by auditors.

In information technology environment there are fewer written documents available for checking and adjustment of transactions, so the auditor should (Stanišić, 2009: 71):

• •    Acquire sufficient knowledge of IT processes and resources, as well as of information systems implemented in organization;

• •    Gain confidence that processes and information systems function correctly;

• •    Develop understanding of controls and audit approach that will confirm that company’s internal control system operates efficiently;

• •    Investigate and validate transactions through processing system in order to establish that transactions were processed fully and correctly.

• -    Alignment of organizational and IT strategy;

• -    Implementation of IT projects and business value;

• -    Realization of opportunities connected with information technologies;

• -    Effective governance and responsible usage of IT resources;

• -    Efficient management of business risks connected with information technologies;

• -    Alignment with valid laws, regulations and corporate standards.

• -    Understanding of expectations, role and overall operating in audit of information system, project management and software;

• -    Application of СААТ tools and techniques;

• -    Ability to estimate the issues of privacy and safety that may impose risk upon organization;

• -    Evolution of complex system life cycles;

• -    Development of new techniques that include fact production and system prototypes;

• -    Application of risk-oriented approach to audit;

• -    Inspection and verification of organization’s information technologies related to legal issues;

• -    Application of national and international standards, such as ISО 9000 / 3, ISO 27001, ISO 27002;

• -    Reporting and inspection as assurance of adequately performed job.

Conclusions

Successfulness of a company is influenced by the level of IT skills, their availability, reliability and safety. In that sense, a high level of IT governance becomes very important as well. Financial statements users benefit from improved reliability and higher quality of information needed for corporate decision making when financial statements have been audited. Requirements and problems set before the auditor grow with the improvement of financial reporting system. The volume of auditing work increases as a part of auditing process, and the work itself grows more difficult as a result of stricter standards for audit report accuracy and reliability. IT must be used in auditing process if the auditors want to respond to modern requirements and problems in proper manner. Application of IT in financial statements audit does not alter auditing process by itself, but it does alter the manner in which auditing operations are done and expands the auditor’s responsibility zone.

Nowadays, auditors use various auditing software programs instead of manual processing of data while collecting evidence. Some of crucial changes in the field of software assisted audit include collection of larger volume of evidence, abandonment of sampling concept when collecting particular types of evidence, i.e. when performing particular audit tests (depreciation or foreign currency tests etc), collection of high reliability data, reduction of possibility for errors in auditor’s work, reduction of time and costs of auditing process etc.

On the other hand, the auditee is obliged to test internal controls in AIS context because of application of IT in accounting data processing. This increases the current scope of auditor’s responsibility in the domain of control tests performance. Since the auditee’s internal control system must be credible to the auditor and since internal controls of accounting information system are a key component of the total internal control system, auditors use specific IT-based methodologies. Application of IT in financial statements audit has several advantages, including increased audit efficiency, improved reliability and quality of audit report, reduced audit costs etc. Continuous education of auditors in IT application field is a necessity for the purpose of assuring effective application and implementation of IT in the financial statements audit.