Can Financial Statement Auditors Identify Risk Patterns in IT Control Evidence?
Daniel Selby
Abstract
Anecdotal evidence suggests that audit clients are automating more internal controls over time. Audit firms customarily respond to their clients’ increasing IT (information technology) risks by including more IT audit specialists in their external audit engagements. But, using IT audit specialists on the audit engagement to examine the IT risks that external financial statement auditors can examine may be detrimental in the long-run for audit firms. First, IT audit specialists receive higher compensation than financial statement auditors. So, using IT audit specialists to perform tasks that could be performed by financial statement auditors may increase audit costs and decrease audit firms’ profits. Second, using IT audit specialist would deny financial auditors the opportunity to gain the procedural-knowledge required to evaluate automated portions of Internal Control Over Financial Reporting (ICFR). This paper investigates whether financial statement auditors can interpret risk patterns in automated-control evidence. I find that financial statement auditors with procedural-knowledge of automated-controls interpret risk patterns in automated-control evidence, whereas financial statement auditors with no procedural-knowledge of automated-controls do not. My results suggest that audit firms may benefit by allowing their financial statement auditors to gain procedural knowledge of automated-control evidence.
Full Text: PDF