An Examination of Auditor Planning Judgements in a Complex Accounting Information System Environment

Joseph F. Brazel and Christopher P. Agoglia

Executive Summary

This study investigates the effects of computer assurance specialist (CAS) competence and auditor accounting information system (AIS) expertise on auditor planning judgements in a complex AIS environment. Recent professional standards state that auditors need to change their audit strategies in reaction to the all-encompassing changes in their clients’ AISs. Information technology (IT) applications, such as enterprise resource planning (ERP) systems, are significantly changing the ways in which companies operate their businesses (for example, business process re-engineering) and auditors perform their duties. For example, the implementation and utilization of ERP systems at many major corporations can increase audit-related risks such as business interruption, database security, process interdependency, and overall control risk. As technological developments continue, auditors will need to expand their AIS knowledge and skills in order to perform effective and efficient audits.

Prior research suggests that expertise in the AIS domain may make auditors more cognizant of AIS-specific risks and provide them with the sophisticated audit skills required in such settings. To our knowledge, our study is the first to examine whether auditors’ AIS expertise levels affect their risk assessments and subsequent testing decisions in a complex AIS setting.

Statement on Auditing Standards (SAS) No. 94 suggests that a CAS be assigned to assist in the audit of computer-intensive environments. CASs (also referred to as information systems audit specialists and IT auditors) provide auditors with control-testing evidence relating to their clients’ AISs, and auditors incorporate such evidence into their control risk assessments and subsequent testing. Client implementations of increasingly complex AISs, as well as the Public Company Accounting Oversight Board’s (PCAOB’s) requirement of auditor attestation to management’s internal control assessment, have substantially increased the role of CASs as evidence sources on audit engagements. From 1990 to 2005, the number of CASs employed by each Big 4 firm is estimated to have grown from 100 to 5,000, and CAS testing can now represent over half of the financial statement audit work. Their role is likely to expand further because inadequate system controls have recently been cited in Securities and Exchange Commission filings as a chief source of material weaknesses. Still, auditors typically perceive the skills of (and value added by) CASs to be suspect, and data gathered for our study indicate that auditors perceive substantial variation in the competence of CASs in practice. Given these auditor perceptions, in conjunction with the expanded role of CASs, there is a call for research examining the CAS/auditor relationship and its consequences on the audit.

While auditors are typically sensitive to subordinate auditor competence deficiencies (that is, unreliable evidence) and can compensate by employing additional procedures themselves, auditors’ ability to effectively respond to CAS competence deficiencies may be moderated by their own AIS expertise level. As the AIS expertise of the auditor increases, the auditor’s knowledge of system design and controls should be greater and thus provide the auditor with a clearer understanding of what system controls the CAS has (or has not) tested, as well as the ability to compensate for CAS competence deficiencies. We extend the literature by exploring the moderating effect of auditor AIS expertise on auditor control risk assessment and the nature, staffing, timing, extent, and effectiveness of the auditor’s planned substantive testing.

In our study, we gave auditors a quasi-experimental case where we manipulated the competence of the CASs as high and low between auditors and measured auditor AIS expertise by means of a post-experimental questionnaire. The case provided auditors with documentation related to a potentially risky change in a client’s AIS (that is, an ERP implementation) and evidence received from a CAS indicating that system controls were reliable. After examining the evidence, the auditors assessed control risk and planned the scope of substantive testing for a transaction cycle.

Our results indicate that auditor AIS expertise and CAS competence affected auditors’ control risk assessments, as both those with high AIS expertise and those assigned low competence CASs tended to assess control risk as higher than their counterparts. While we find no evidence that auditors’ AIS expertise moderated the effect of CAS competence on their control risk assessments, AIS expertise levels did moderate their ability to effectively incorporate CAS evidence into their planned substantive testing. Specifically, the difference between high AIS expertise auditors’ and low AIS expertise auditors’ scope and effectiveness of planned audit procedures was greater when CAS competence was low than when it was high. We performed a mediation analysis to identify why low AIS expertise auditors have difficulty incorporating unreliable CAS evidence into their planning judgements, while high AIS expertise appears to overcome this problem. Results suggest that, relative to auditors with lower AIS expertise, those with higher expertise are more likely to identify and react to potential AIS-specific risks when the competency of the CAS is deficient.

The findings of our study have a number of important implications. For example, our findings provide some insight into internal control testing and effective audit testing in complex AIS environments. Further, our results suggest that auditors’ AIS expertise can play a significant role in advanced AIS settings and in their ability to compensate for CAS competence deficiencies. Thus, it may be prudent for firms to consider the combined capabilities of these individuals when assigning them to engagements with complex AISs.