IT MeetsAuditing.

• Author: Snyder, Troy

You've no doubt kept up with the AICPA Risk Assessment Standards issued in 2006. You may have already conducted an audit using the new internal controls-oriented guidelines, SAS 104-111.

But when it comes to incorporating information technology into auditing--specifically outlined in SAS 108-you may have hit a wall.

That's understandable. After all, valid reasons exist against blindly jumping in and wrangling with IT control issues, experts, processes and terminology. Especially when you're already up to your neck adding the new procedures to your existing audit methods, which have been painstakingly crafted after years in the profession.

There also may be reluctance to bringing in the IT audit experts because they bring with them new practices and terminology you must learn (and who has the time to do that, right?); you may consider IT auditing unnecessary because you would not rely on the systems, anyway; or you believe the adverse impact IT audit experts may have on your client relationships is too high a risk to take.

[ILLUSTRATION OMITTED]

This article will hopefully give you some tools to start navigating through that wall.

Getting Started

The process can be broken down into four steps, much of it delineated in SAS 108.

Step 1--Determine if an IT expert is needed.

SAS 108 guidelines suggest IT audit experts be engaged, or at least considered, when the client:

* Uses complex financial systems and IT controls, or uses IT extensively in business operations.

* Makes significant changes to existing information systems or has brought in a new information system.

* Has multiple systems that share data.

* Engages in electronic commerce.

* Has adopted emerging technologies.

* Retains significant amounts of audit evidence available only in electronic form.

Step 2--Make sure your IT audit expert has appropriate knowledge.

Information systems competency has now become reliant on industry- and technology-specific knowledge and expertise. Similarly, IT audit experts are very specialized in their skills.

Several credentials can be used to vet people who can help provide IT audit expertise.

Within the accounting industry, for example, IT experts can include CITPs (Certified Information Technology Professionals). Credentialed by the AICPA, CITPs are CPAs with varying degrees of information systems and IT expertise.

Further, consider the use of a Certified Information Systems Auditor (CISA), a credentialed professional designated by the Information...