IT Audit: How to determine the scope of an IT Audit

23-03-01


An IT audit is an integral part of an accounting audit to ensure the accuracy and reliability of financial statements.  


In this post, we will discuss the most important scoping considerations before starting an IT audit.


Before setting the scope of your IT audit, you should first understand what reasonable assurance is.


What is reasonable assurance?


In auditing, reasonable assurance refers to the concept that the auditor should obtain sufficient appropriate evidence to support the audit opinion on the financial statements. There is always a risk of rendering an inappropriate opinion, especially if there is a material misstatement or fraud in the financial statements. Therefore, auditors must perform their work with professional skepticism and obtain sufficient evidence to provide reasonable assurance that the financial statements are free from material misstatement. Reasonable assurance is necessary to provide users of financial statements with confidence that the information presented is reliable and can be used for decision-making purposes.


Obtaining reasonable assurance should be weighed against the audit effort it requires. It involves gathering the information needed to reach a conclusion, assessing the risks associated with each assertion, identifying possible responses to those risks, and performing further procedures to collect sufficient appropriate evidence.


In other words, IT audits do not aim for absolute assurance. Instead, they prioritize identifying the systems and infrastructure that are critical to the financial reporting process, so that the auditor understands that process and obtains reasonable assurance in proportion to the audit effort.


Why is it difficult to scope an IT audit? 


IT audits require a fundamental understanding of what is being done as part of an accounting audit. 


At the end of the day, an accounting audit is about providing assurance that the data disclosed in the audited company's financial statements is appropriate. The role of the IT audit in this process is to provide assurance that the systems and infrastructure that produce and hold that financial data are free from error.


Determining the scope of an IT audit can be challenging because it requires an understanding of evolving IT technologies, such as cloud and big data systems, as well as an understanding of the auditee's business processes.


1. Setting goals


The first step in setting goals is to establish the materiality criteria for the data that matters in the audited company. Materiality is the degree to which the amount or nature of an error in the financial statements could influence the reasonable decision-making of a user of accounting information. The auditor should consider both quantitative and qualitative factors when making this judgment.


Quantitative factors are judged in terms of amounts or percentages, while qualitative factors are judged by considering the nature or characteristics of the omission or misstatement of information and its effect on the financial statements.


As a simple example, each accounting firm has its own criteria for quantitative materiality, but they generally start from net income before taxes. If pre-tax profit fluctuates significantly from year to year, which depends on the company and industry, pre-tax profit adjusted for non-recurring items can be used instead. If pre-tax profit is negative, it is not an appropriate starting point, and the materiality amount can be calculated from total assets, operating income, sales, or a similar base.


Once you understand the target data, you can set the audit objectives: the specific goals that must be accomplished over the course of the audit. These goals should be measurable and achievable so that progress can be tracked at each stage of the audit.


2. Define the scope  


Once the target data has been established, you need to determine the scope. The scope defines the boundaries of the audit and should be clear. The scope should include the IT systems and associated infrastructure that are relevant to producing the target data. During this process, you should also consider any risks that may impact the scope of the audit.


3. Risk assessment 


The next step is to assess the risks associated with the IT systems and processes within the scope of the audit. The risk assessment should cover both IT general controls (ITGC) and IT application controls (ITAC), considering the likelihood and the impact of each potential risk.


For ITGC and ITAC, please refer to the articles below.

ITGC: http://tokenterrace.com/eng/132?sfl=wr_subject&stx=ITGC&sop=and

ITAC: http://tokenterrace.com/eng/133?sfl=wr_subject&stx=ITAC&sop=and


However, audit procedures are not one-size-fits-all; they should be determined based on the company's internal controls.


For example, if the company has adopted a packaged system rather than a homegrown one, and the functionality the packaged system provides is very limited, the auditor should consider whether the company has internal controls that mitigate the resulting risk rather than simply recording it as a deficiency. Likewise, if the infrastructure is not directly accessible to the audited organization, the risk may be mitigated by obtaining periodic reports from the service provider and checking the controls used to monitor it, or by relying on a report such as a SOC 1 report.
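The three steps above (materiality benchmark, scope, risk assessment) can be modelled as a small scoping engine. The following is an added example, not code from the original post or from any accounting firm's methodology: the benchmark percentages, the 0.5 mitigation factor, the 1-5 likelihood and impact scales, and every company, system, account and risk named in it are constructed for illustration. It follows the decision order the post describes for picking a base amount, treats a system as in scope when it produces any figure at or above materiality, and ranks the remaining risks by likelihood times impact, reduced where a compensating control or a SOC 1 report exists.

```python
"""Toy scoping model for an IT audit: materiality -> in-scope systems -> ranked risks.
All figures, rates, system names and risks below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed illustrative rates per benchmark; each firm applies its own criteria.
BENCHMARK_RATES = {
    "pre_tax_income": 0.05,
    "adjusted_pre_tax_income": 0.05,
    "total_assets": 0.01,
    "operating_income": 0.05,
    "revenue": 0.005,
}


def select_benchmark(fin: Dict[str, float], volatile_earnings: bool = False) -> Tuple[str, float]:
    """Step 1: pick the base amount in the order the post describes.
    Start from pre-tax income; use it adjusted for non-recurring items when earnings
    are volatile; fall back to other bases when pre-tax income is negative."""
    pre_tax = fin["pre_tax_income"]
    adjusted = pre_tax - fin.get("non_recurring_items", 0.0)
    if pre_tax > 0:
        if not volatile_earnings:
            return "pre_tax_income", pre_tax
        if adjusted > 0:
            return "adjusted_pre_tax_income", adjusted
    for name in ("total_assets", "operating_income", "revenue"):
        if fin.get(name, 0.0) > 0:
            return name, fin[name]
    raise ValueError("no positive benchmark available")


def materiality(fin: Dict[str, float], volatile_earnings: bool = False) -> Tuple[str, float]:
    """Materiality amount = chosen base amount x its assumed rate."""
    name, base = select_benchmark(fin, volatile_earnings)
    return name, base * BENCHMARK_RATES[name]


@dataclass(frozen=True)
class System:
    name: str
    accounts: frozenset            # financial statement accounts whose figures it produces
    outsourced: bool = False       # infrastructure not directly accessible to the auditee


@dataclass(frozen=True)
class Risk:
    system: str
    control_area: str              # "ITGC" or "ITAC"
    description: str
    likelihood: int                # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                    # 1 (negligible) .. 5 (misstatement likely), assumed scale
    mitigating_control: Optional[str] = None   # compensating control or SOC 1 reliance


def target_accounts(balances: Dict[str, float], threshold: float) -> set:
    """Accounts whose balance meets materiality (quantitative factor only)."""
    return {acct for acct, bal in balances.items() if abs(bal) >= threshold}


def scope_systems(systems: List[System], targets: set) -> List[System]:
    """Step 2: a system is in scope if it produces any of the target data."""
    return [s for s in systems if s.accounts & targets]


def residual_score(risk: Risk, mitigation_factor: float = 0.5) -> float:
    """Step 3: inherent score = likelihood x impact, halved when a mitigating
    control exists (the factor is an assumed illustrative value)."""
    inherent = risk.likelihood * risk.impact
    return inherent * mitigation_factor if risk.mitigating_control else inherent


def rank_risks(risks: List[Risk], scoped: List[System]) -> List[Tuple[float, Risk]]:
    """Keep only risks on in-scope systems, highest residual score first."""
    names = {s.name for s in scoped}
    scored = [(residual_score(r), r) for r in risks if r.system in names]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# --- constructed sample data (not real figures) ---
FIN = {"pre_tax_income": -2_000_000.0, "non_recurring_items": 0.0, "total_assets": 500_000_000.0,
       "operating_income": 10_000_000.0, "revenue": 300_000_000.0}
BALANCES = {"revenue": 300_000_000.0, "accounts_receivable": 40_000_000.0, "inventory": 25_000_000.0,
            "prepaid_expenses": 1_200_000.0, "petty_cash": 50_000.0}
SYSTEMS = [
    System("ERP", frozenset({"revenue", "accounts_receivable", "inventory"})),
    System("BillingSaaS", frozenset({"revenue"}), outsourced=True),
    System("ExpenseTool", frozenset({"prepaid_expenses", "petty_cash"})),
    System("HRPayroll", frozenset({"payroll_expense"})),
]
RISKS = [
    Risk("ERP", "ITGC", "privileged GL access not periodically reviewed", 4, 5),
    Risk("ERP", "ITAC", "three-way match can be bypassed by a parameter", 3, 4, "monthly manual reconciliation"),
    Risk("BillingSaaS", "ITGC", "provider change management not observable", 3, 4, "SOC 1 report reviewed annually"),
    Risk("ExpenseTool", "ITGC", "shared administrator account", 5, 3),
]


def run_example() -> dict:
    name, threshold = materiality(FIN)          # pre-tax loss -> total assets base
    targets = target_accounts(BALANCES, threshold)
    scoped = scope_systems(SYSTEMS, targets)
    return {"benchmark": name, "materiality": threshold, "targets": targets,
            "scope": [s.name for s in scoped], "ranked": rank_risks(RISKS, scoped)}


if __name__ == "__main__":
    out = run_example()
    print(f"benchmark={out['benchmark']} materiality={out['materiality']:,.0f}")
    print("in scope:", out["scope"])
    for score, r in out["ranked"]:
        print(f"{score:5.1f}  {r.system:<12}{r.control_area}  {r.description}")
```

In the sample data the company has a pre-tax loss, so the model falls back to total assets; the expense tool handles only immaterial balances and drops out of scope together with its risk, and the two risks that have a mitigating control (a manual reconciliation and a SOC 1 report) rank below the unmitigated privileged-access risk on the ERP. Qualitative materiality factors are not modelled here and would still need the auditor's judgment.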