Once upon a time, broad reviews of general computer controls were a cornerstone of IT audits. Now, Auditing Standard No. 5 may well close the book on that practice.

Testing of operating systems, information security, and “change management” in a company’s IT environment has evolved rapidly since such audits became commonplace 15 years ago. AS5, however, with its commitment to auditing internal controls based on risk of material misstatement to financial reports, gives managers new discretion to scale down the scope of their IT audits in 2007 and beyond. Expect them to use it, experts say.


“In the past, more than 60 percent of the IT auditor’s job was to test the existence and functionality of general controls,” says Ross Wescott, chief IT auditor for Portland General Electric, a utility in Portland, Ore. “The IT audit function now has a reduced role in actual execution of the full range of GC testing.”

Wescott and others say the focus appears to be shifting—even contracting—to more granular, application-specific auditing methods.


Gregory Grocholski, finance director of $49 billion Dow Chemical, says corporations and auditors are giving more attention these days to systems and applications that simplify “continuous” auditing procedures. That move to auditing specific IT applications used to record trial balances, rather than conducting a general IT review, is more in step with AS5’s top-down, risk-based approach to audits, he says.

Grocholski gives the everyday example of Excel spreadsheets. “While an IT auditor may not audit Excel itself, the auditor should perform testing on the calculations that ultimately result in a number that would be used to make an accounting entry,” he says.


The computer fraud perpetrated at Equity Funding Corporation of America is often cited as the first known case of the misuse of IT at a corporation. For nearly a decade, from 1964 to 1973, managers at the company entered false data on insurance policies and premiums to boost the stock. That malfeasance and other incidents elsewhere eventually led to the Information Systems Audit and Control Association’s widely recognized Control Objectives for Information and related Technology (CoBIT) framework in 1992.

At the time, the thinking was that a comprehensive review of general computer controls would strengthen the integrity of data as well as the manual processes around data entry. That belief prevailed until the Sarbanes-Oxley Act came along in 2002—when reviews of general computer controls transformed into a very plum line of business for auditing firms. Companies with complex IT environments employed such testing to avoid the fate of Equity Funding, Enron, and the like.

The problem: CoBIT has more than 40 control objectives, many of them broad and some of them vague. Auditors scrutinizing management’s attestation of internal controls quickly adopted the infamous (and expensive) “bottom-up” approach to testing IT controls with the CoBIT framework.

Today, however, controls over business applications more directly align with the business processes that touch material accounts—so it seems more sensible to scale back the scope of general IT audits and focus on the business applications that might gum up your financial statements if they fail. In doing this, companies can pare down their IT audit programs to fit specific information ecosystems as well as address identifiable risks inherent to them or their industry.

Are companies actually taking those steps? Recent evidence says they are at least thinking about it. In August, Ernst & Young published a study titled “The New 404 Balancing Act” that said a large majority of companies “tested too many IT controls without a corresponding benefit to addressing financial reporting.”

The report further states that “over-scoping IT” led to excessive costs in the early years of SOX compliance. Now, the report said, looking at “transaction-level” controls will help avoid unnecessary testing going forward.


“I think what you’re seeing, and what you will be seeing at many companies, is maybe not an outright extinction of IT general controls but a marked change of the controls mix,” says Joe Fodor, a principal at Ernst & Young. “I think that from a general controls perspective, you’ll see an emergence of a one-off test mentality coupled with a greater focus on applications.”

In that vein, IT auditors would spend more time reviewing significant accounts via enterprise resource planning systems such as SAP and JD Edwards, instead of going down a checklist for Windows network security or documenting how a company keeps track of who comes and goes at the server room.

Garbage in, Garbage out

Robert Greene, a senior manager at PricewaterhouseCoopers, acknowledges the apparent move toward more precise application reviews. Still, he doesn’t think the compliance community should jump the gun just to reduce costs.

“The market mentality is that AS5 means above all else that ‘The client shall pay less,’” Greene says. General control reviews “have always been, and will continue to be, the smaller portion of the scope and hours of a joint audit, but now they’re also generally receiving the biggest proportional hit in terms of reduction.”

Greene—who said he’s seen general computer controls testing segments such as physical IT security and network considerations become “de-emphasized”—warns against what he calls a “garbage in, garbage out” approach to IT systems as they relate to financial statement audits.

“You could reduce scope, and maybe the chance of a material misstatement is mitigated, but what of the whole bunch of immaterial misstatements, frauds, and errors that may be slipping through the cracks?” he says. “Make sure your controls are strong. It’s easier to keep garbage out than it is to deal with it once it’s piled up in your domain.”

Lynn Lawton, international president of ISACA, agrees. Despite cost-cutting trends, she says, there will always be room for general approaches to IT auditing in other areas. For example, Lawton says, “non-financial” operational risk still requires attention from IT auditors and can have an ancillary effect on financial reporting.

“Like everything else in business, [IT auditing] has to change to survive,” she says. “In the financial statement audit world, the audit effort is now much more clearly focused on those elements of IT that have an impact on the financial statement assertions—but financial reporting risk is only one type of risk faced by entities, and they need IT auditors as part of their governance of other risks too.”