The Information System: An Accountant’s Perspective
Accountants as System Auditors:
Auditing is a form of independent attestation performed by an expert—the auditor—who expresses an opinion about the fairness of a company’s financial statements. Public confidence in the reliability of internally produced financial statements rests directly on their being validated by an independent expert auditor. This service is often referred to as the attest function. Auditors form their opinions based on a systematic process that will be explained in Chapter 15. Both internal and external auditors conduct audits. External auditing is often called independent auditing because certified public accounting (CPA) firms that are independent of the client organization’s management perform them. External auditors represent the interests of third-party stakeholders in the organization, such as stockholders, creditors, and government agencies.
External Auditing:
Historically, the external accountant’s responsibility as a systems auditor was limited to the attest function described previously. In recent years this role has been expanded by the broader concept of assurance. The Big Four public accounting firms have now renamed their traditional audit functions assurance services.
Assurance. Assurance services are professional services, including the attest function, that are designed to improve the quality of information, both financial and nonfinancial, used by decision makers. For example, a client may contract assurance services to obtain an opinion as to the quality or marketability of a product. Alternatively, a client may need information about the efficiency of a production process or the effectiveness of their network security system. A gray area of overlap exists between assurance and consulting services, which auditors must avoid. They were once allowed to provide consulting services to audit clients. This is now prohibited under SOX legislation. These issues are discussed in later chapters.
IT Auditing. IT auditing is usually performed as part of a broader financial audit. The organizational unit responsible for conducting IT audits may fall under the assurance services group or be independent. Typically they carry a name such as IT Risk Management, Information Systems Risk Management, or Global Risk Management. The IT auditor attests to the effectiveness of a client’s IT controls to establish their degree of compliance with prescribed standards. Because many of the modern organization’s internal controls are computerized, the IT audit may be a large portion of the overall audit. We examine IT controls, risks, and auditing issues in Chapters 15, 16, and 17.
Internal Auditing:
Internal auditing is an appraisal function housed within the organization. Internal auditors perform a wide range of activities on behalf of the organization, including conducting financial statement audits, examining an operation’s compliance with organizational policies, reviewing the organization’s compliance with legal obligations, evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting IT audits. As you can see, the tasks external and internal auditors perform are similar. The feature that most clearly distinguishes the two groups is their respective constituencies. External auditors represent third-party outsiders, whereas internal auditors represent the interests of management.