Is the Data From Your Computer Any Good? - Part 2

Yesterday we asked the question "Is the data from your computer any good?" This is more than a rhetorical question - all auditors, including contract auditors and the independent public accountants that perform attest functions (e.g. those who audit your financial statements) must necessarily concern themselves with the validity of data produced by electronic means. There is always the specter of underlying fraud and auditors are required by Generally Accepted Auditing Standards (GAAS) or Generally Accepted Government Auditing Standards (GAGAS) to consider fraud when assessing risk and designing transaction plans. However, far more likely are simple errors. Sometimes these errors can be very significant. We just finished an audit where some revenue items were mapped to an expense account so that instead of increasing revenue, the transactions decreased expenses. That was caused by a fundamental misunderstanding of how the accounting software worked. It resulted a "material" error (in auditor jargon, that means significant). But it was not fraud.

So how do auditors assure themselves that evidence obtained during an audit, where such evidence is dependent on computerized information systems, can be relied upon? Well, it depends. At larger Government contractors, where contract auditors have a continuous presence, they most likely develop and apply specific testing procedures to determine whether management is taking the requisite approach to ensuring the accuracy of computerized information systems. The expectation here is that management will undertake the controls necessary to ensure reliability. These include

• Periodic internal and external reviews of IT operations to ensure that policies and procedures have been implemented and are working effectively.
• Duties and responsibilities should be adequately segregated so that no one person can perpertrate and conceal material errors or misstatements.
• System and application software should be consistent with management objectives, operate within specifications, tested prior to implementation, and not susceptible to unautorized modification.
• Ensure the integrity and reliability of all activities impacting the physical operation of the computer
• Access to computing resources should be limited to those individuals with a documented and authorized need for such access.
• Contingency plans should be developed to ensure data safety.

At the other end of the spectrum are the very small contractors - sometimes one or two persons. These contractors, of course, do not have resources to dedicate to any internal controls, much less those affecting computerized information technology. In those cases, the auditor, if he/she does not have the time or resources necessary to test for the accuracy of computerized data will most likely qualify the audit report. That's not the most desirable thing for a contractor but in most cases, has not practical implications. For example, when evaluating a price proposal, the auditor might state word to the effect that the audit results reflect data based on computerized information systems that have not been audited. That probably would not prevent a contracting officer from negotiating and awarding the contract but it does protect the auditor if subsequent events disclose that such data was unreliable.

At the end of the day however, no one likes qualifications so auditors will usually undertake some level of analysis to gain assurance that IT systems (Information Technology) are operating as designed. The auditor might track a few transactions from source document to general ledger, a timecard to payroll, a material receipt to billing document. Contractors might wonder why auditors perform audit steps that have no apparent relevance to the audit they are performing. Its not unheard of that auditors will stray far from their appointed tasks. However, it is more likely that they are trying to validate the reliability of one or more information systems. If its not clear to you, it is certainly appropriate to inquire of the auditor the purpose of what he/she is doing.