An auditor is responsible for objectively voicing an opinion and drawing a judgment on the accurate and fair view of accounting facts as provided in financial statements (Romney, M.B., and Steinbart, P.J., 2012, p. 12). An auditor must follow the rules and requirements outlined by the Auditing and Assurance Standards Board (AASB). An auditor may be internal or external. Although the two categories of auditors are distinct, their roles and tasks are almost identical. As a result, an auditor should have the following five key characteristics: confidentiality, technical skill, professional behavior, independence, and integrity, in order to perform the duties of auditing fraud or errors in an information system. This research paper seeks to critically analyze and evaluate the aspects and features of a corporate accounting information systems audit, focusing on the systems perspective. The analysis is prompted by the fraud reported at the Royal Bank of Scotland (RBS).
The key aspects of an Accounting System Audit
The corporate accounting information system is one of many information systems. It can integrate many systems, such as the Transaction Processing System (TPS), the Management Information System (MIS), the Expert System (ES), the Expert Supporting System (ESS), the Decision Support System (DSS) and the E-Commerce System. The key aspects are discussed below.
Information Technology (IT) Governance
According to Bushman, R.M. and Smith, A.J. (2001, p. 340), IT governance is the integration of the information system strategy into the business strategy. The Royal Bank of Scotland (RBS) has objectives such as efficiently serving clients and maximizing profits by cutting costs. The auditor would be interested in identifying whether the IT strategy was well integrated into the business strategy: for instance, whether all the employees at the RBS understand the infrastructure of the information system and whether the employees appreciate the use of the IT system. If the auditor identifies that the integration of the IT system into the business was not well done, he or she may issue an adverse opinion and state in the audit report that the poor integration had a material effect on the management of the Royal Bank of Scotland and that the effect contributed to the reported fraud.
IT risk management strategy assessment
The auditor can assess the processes and the frameworks embedded in the Information System functions to identify and manage risks. In the risk management strategy assessment aspect of the Information System, the auditor would evaluate the actions taken to mitigate risks, the level of accountability within the process and how the IT team identifies risks using the existing information system. Besides, the management would consider the measures that the information system can take once the risks are identified, whether the IT risk management processes are followed and the clarity of the risk coverage measures.
Management and maintenance of the Information system
An accounting system’s credibility will only be guaranteed if the system is maintained by IT experts. The possible reasons for management can include obsolescence, a change of business strategy, or the addition of other functions into the system. Given the fraud that occurred at the Royal Bank of Scotland, the auditor would assess the processes IT has in place to govern capital allocation decisions and the formalization of the IT governing processes (Hall, J. A., 2012, p. 120). The auditor would also concentrate on the aspects of the information system that might have led to a decline in business confidence in IT governance, such as inadequate security measures and the applicability of the Accounting System processes across all information systems at the bank.
IT risk assessment
There is a slight difference between the risk management strategy aspect of the information system and the Information Technology risk assessment. The IT risk assessment aspect is the ability of the accounting system to internally deal with system risks while the risk management strategy may involve the use of other external systems to help in identifying risks.
The questions that an auditor would have to consider when dealing with the corporate accounting system's risk assessment include whether there are risks unique to the system, whether the system can comprehensively assess risks, and whether IT’s risk assessment can be coordinated with the internal audit risk assessment.
The system design
The system design is critical in evaluating the ability of an auditor to rely on the corporate accounting system for auditing, especially of fraud. An auditor can only rely on an accounting system if he or she can use the system to prove assertions made by the management (Gordon, L.A., and Miller, D., 1976, p. 60). The management can make many assertions, such as the existence, occurrence, accuracy, and completeness of the accounting information as presented in the balance sheet, income statement, statement of changes in owners’ equity and any other financial statement.
The corporate accounting information system audit focuses on the key areas of risk assessment functions, the system design, the Information System governance, and the maintenance of the information system. An auditor should express his views as to whether the existing accounting system contributed to the fraud at the Royal Bank of Scotland and avoid threats such as intimidation, advocacy, and conflict of interest. These threats may prevent an auditor from expressing his views honestly and independently.
Bushman, R.M. and Smith, A.J., 2001. Financial accounting information and corporate governance. Journal of Accounting and Economics, 32(1), pp.237-333.
Gordon, L.A., and Miller, D., 1976. A contingency framework for the design of accounting information systems. Accounting, Organizations and Society, 1(1), pp.59-69.
Hall, J.A., 2012. Accounting information systems. Cengage Learning.
Romney, M.B., and Steinbart, P.J., 2012. Accounting information systems. Boston: Pearson.