Who Watches the Watchers

Tyler HamiltonMarissa Kaprow

Jeff Reifeiss

Why IT Fraud?• Businesses are becoming more and more technologically

dependant

• As auditors, it is our job to monitor, identify and control material weaknesses.

• Cybercrimes was already taken.

3 Focuses

• What are auditors required to know about IT?

• How do proper controls lead to fraud prevention?

• What are the effects of fraud on financial reporting?

Auditor Knowledge• Second standard of Fieldwork

• As businesses become more and more computer driven, IT knowledge is essential

• Audit quality depends upon the auditor’s ability to detect errors.

External Auditors• Generally have higher knowledge expectations than Internal

Auditors

• Why? Larger client base, diverse information systems

• IT Knowledge should include “knowledge of IT systems for financial accounting and reporting, including relevant current issues and developments, as well as detailed knowledge of various frameworks for evaluating controls and assessing risks in accounting and reporting systems as appropriate for the audit of historical financial information”

---IES8

GMQ Study• 2008 study, attempt to determine how self-efficacy impacts

perception of new technology and implementation

• 36 questions across a broad spectrum of IT topics

• 25% rated “Less than Adequate” overall

• Self-assessment leads to improvement

Internal Auditors• Due to in-house nature, internal auditors tend to focus on

business controls, and leave IT controls to IT staff.

• When it exists, IT knowledge is more focused than External Auditors, but less broad.

• Integrated audits- Business and IT aspects being audited separately but simultaneously, and reports joined in the reporting stage.

Flaws to Integrated Auditing• Inadequate scoping and execution

• Misunderstandings in accountability

• Poor identification and testing of automated controls

• $$$

Integrated Auditors• Internal auditors who expand their IT knowledge

• Able to understand and properly monitor automated controls

• Fully understand how data flows through their organizations information systems

• Failure to understand these things could lead to material oversights during audits.

Fraud and IT Controls• IT Controls provide and limit access to business critical

information

• Authorization & authentication provide ways of limiting this access

• Design of the system, which includes critical financial and business information should not rest solely on IT.

SAS 99 & AU 314

Opportunity• The ability or access to commit fraud

• IT controls offer an excellent line of defense

• Access controls

• Authentication

• Authorization

Perceived Pressure• The reasons behind the commission of fraud

• Mostly external

• Internal pressures can be countered

• Separation of duties

• Logs of overrides

Rationalization• The reasoning why the fraud is committed

• Most difficult to detect and counter due to the personal natures a persons moral and ethical code

• Company wide emphasis on the existence and importance of access controls

• Ethics training and policy

Importance of IT controls to accurate financial reporting

• Internal & external stakeholders require reliable financial information

• PCAOB definition of internal controls over financial performance:• “a process…to provide reasonable assurance regarding the reliability of

financial reporting.”

• IT controls must maintain integrity while remaining sufficiently flexible

Internal & External Uses for Financial Information

• Executive management• Craft strategies• Evaluate current strategies• Make corrective adjustments

• Operational management• Problem solving• Cost management• Employee evaluations

• BOD• Existing shareholders, potential shareholders & creditors

• Relevant & reliable financial statements• Rationally allocate capital

Ramifications of Insufficient IT-Related Internal Controls• IT control material weaknesses (MWs) threaten the

information value chain

• IT MWs lead to more IT MWs according to a study by Klamm & Watson (2011)

• Larger audit fees

• Weaker overall Control Environment

• Sarbanes-Oxley Act noncompliance• Required to select framework to assess internal control structure

• COSO (too broad), CobIT, ISO

Effect on Stakeholders• Shareholders• Loss of representational faithfulness

• Biased accruals/earnings management• Increased fraud risk

• Management• Less reliable financial and operational reports

• Unreliable cost management information• Precludes: ABC, TQM, Continuous Improvement, Six Sigma, etc.

Future Considerations

• IT controls will only become more paramount to success

• XBRL & Continuous Auditing (CA)• 2006 PwC survey found 50% of U.S. companies use CA techniques

and another 31% are implementing

• Enterprise Risk Management (ERM)

• Cloud Computing & Integrated Supply Chains

Computer Economics Survey 2011 to 2012

• IT spending moves out of recession, but weakly• 60% of companies increased their IT budgets

• 25% IT executives expect operational spending cuts

• Half of IT executives believe that budget is inadequate

• IT operational spending per user is at lowest in six years

SOURCE: http://www.myitview.com/it-management/5-it-spending-and-staffing-trends-for-2011-to-2012