I have been getting a lot of requests from my readers and followers asking how to audit an AIS (Accounting Information System).
In my continuous bid to share knowledge from my many years of experience in accounting, finance, internal audit, systems development and IT/IS audit, I have decided to compile the various answers that I have given to people in the past into an article.
I hope you will find the answers you are looking for somewhere in this post on how to audit an accounting information system.
In this article, I will be discussing the basics of auditing an Accounting Information System in a simple, non-technical manner that can be understood by all accountants and finance professionals.
What is an accounting information systems (AIS) audit?
An AIS audit is a specialized audit that is geared towards giving credibility to the ultimate end products of an AIS. The end products of an AIS range from full sets of Financial Statements to Profitability Analysis Reports to periodic Inventory Reports, etc.
An accounting information systems audit is performed with the needs of the users of the accounting information system in mind. Having said that, the most important question to ask at this point as an AIS auditor is:
“What are those things that I intend to achieve at the end of this audit exercise?”
Note, however, that even when the client states the objective(s) they intend to achieve, the AIS auditor should still ask key questions at the audit planning stage.
What are the objectives of auditing Accounting Information Systems (AIS)?
To answer this question, we first have to clarify two important misconceptions that I have seen in practice over the years as an IS/IT auditor.
- People think that AIS is all about business technology. NO, AIS is not just about IT infrastructure. See my older post on the components of AIS for more on this. AIS is much more than information technology.
- People think that AIS is a trendy thing to have. The overriding objective of an AIS is to help an organization achieve its goals and objectives – whatever those may be.
Okay, with the above two clarifications made, let us now dive into the objectives of having an AIS audit. Please note that the audit objectives act as a guide to which tasks are to be completed. My standard recommendation is to have pen and paper ready when going through the AIS audit objectives so that you can easily note the tasks that must be completed in order to satisfy each objective.
AIS Audit Objectives Quadrants
I will be discussing the objectives of AIS under the following 4 quadrants:
People, Processes & Infrastructures (PPI): The PPI quadrant contains the core foundational ingredients upon which everything else is built. This is where the IT/IS auditor seeks evidence that supports the assertion that the right people, processes and infrastructures are in place. This objective is then broken down into the following headings:
- Training/Workshops/Seminars: Regardless of what a company chooses to call its learning and development exercises, the AIS auditor needs to gather and evaluate evidence in this area for appropriateness and sufficiency. For example, no AIS auditor needs a fortune teller to tell them that more work is needed to validate the input into an ERP system when there is no evidence of any form of training in the five years since an off-the-shelf ERP system was implemented.
- Suitability of Technologies: I only know of two ways of putting a square peg in a round hole. One is by bending the peg – this option may end up damaging the peg in the process – and the other is to put a small peg in a big round hole – the question here is, does it serve our need? The best place to start in this regard is to look at the requirements phase of the technology acquisition cycle. Loads of insights are gained here. For example, was the correct AIS acquisition cycle followed? Also, were end users (current and proposed) of the technology carried along at the initial stage of acquiring the technology? Issues around software licensing are also reviewed here.
- Contracts and SLAs: AIS cannot be separated from the procurement system of an organization. The objective of ensuring that phony and fraudulent vendors are not added to the vendor master list, for example, can be met by reviewing vendors’ pre-qualification files. According to the 2022 ACFE’s State of the Nation report, 20% of occupational fraud is committed by people with a relationship of some sort with the vendors (vendor/staff relationship).
- Processes: A functional process is the oil that the engine of any system depends on. The lack of a well-defined process is a sure recipe for a ‘cold served disaster’. The objective here does not stop at merely confirming that a process exists. Of what use is a process that is only there to hinder operations? Are the business processes put in place acting as enablers, or are they simply causing nuisance or obstructing the achievement of business objectives?
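The vendor master review mentioned under Contracts and SLAs lends itself to a simple computer-assisted audit check. The script below is an added example and not code from the original post; the vendor and employee records in it are constructed, and the field names are assumptions about what an AIS export might contain. It flags vendors with no pre-qualification file on record, vendors whose bank account or address matches an employee's (the vendor/staff relationship the ACFE figure refers to), and vendors that share a bank account with another vendor.

```python
"""Vendor master review analytics over constructed sample data.

Added example: the records and field names below are assumptions about
what a vendor master and HR export might look like, not a real system's.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    bank_account: str
    address: str
    prequal_ref: Optional[str]  # reference to the pre-qualification file, if any


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    bank_account: str
    address: str


def normalise(text: str) -> str:
    """Crude normalisation so '4 Palm Close, Ikeja' and '4 palm close ikeja' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def review_vendor_master(vendors: List[Vendor], employees: List[Employee]) -> List[Tuple[str, str, str]]:
    """Return (vendor_id, finding_code, related_id) tuples for follow-up by the auditor."""
    findings = []
    emp_by_bank = {e.bank_account: e for e in employees}
    emp_by_addr = {normalise(e.address): e for e in employees}

    vendors_by_bank = defaultdict(list)
    for v in vendors:
        vendors_by_bank[v.bank_account].append(v.vendor_id)

    for v in vendors:
        if not v.prequal_ref:
            findings.append((v.vendor_id, "NO_PREQUALIFICATION_FILE", ""))
        if v.bank_account in emp_by_bank:
            findings.append((v.vendor_id, "BANK_ACCOUNT_MATCHES_EMPLOYEE", emp_by_bank[v.bank_account].emp_id))
        addr = normalise(v.address)
        if addr in emp_by_addr:
            findings.append((v.vendor_id, "ADDRESS_MATCHES_EMPLOYEE", emp_by_addr[addr].emp_id))
        others = [x for x in vendors_by_bank[v.bank_account] if x != v.vendor_id]
        if others:
            findings.append((v.vendor_id, "BANK_ACCOUNT_SHARED_WITH_VENDOR", ",".join(others)))
    return findings


# Constructed sample data (hypothetical vendors and employees).
SAMPLE_VENDORS = [
    Vendor("V001", "Acme Supplies Ltd", "0011223344", "12 Industrial Rd, Lagos", "PQ-2021-014"),
    Vendor("V002", "Blue Sky Consulting", "0099887766", "Plot 7 Admiralty Way, Lekki", None),
    Vendor("V003", "Quickfix Services", "0055667788", "4 Palm Close, Ikeja", "PQ-2022-003"),
    Vendor("V004", "Northstar Logistics", "0011223344", "9 Wharf Lane, Apapa", "PQ-2020-101"),
]
SAMPLE_EMPLOYEES = [
    Employee("E100", "Tunde Bello", "0099887766", "15 Unity St, Surulere"),
    Employee("E101", "Ngozi Okoro", "0033445566", "4 palm close ikeja"),
]


def run_review() -> List[Tuple[str, str, str]]:
    return review_vendor_master(SAMPLE_VENDORS, SAMPLE_EMPLOYEES)


if __name__ == "__main__":
    for vendor_id, code, related in run_review():
        print(f"{vendor_id}\t{code}\t{related}")
```

Each finding is a lead for the auditor to pull the supporting file, not a conclusion on its own: a shared bank account may be a legitimate group company, and an address match may be a home-based contractor who is also on the payroll, but both need to be explained and documented.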
Security: Another AIS audit objective is to make sure that the whole system is sufficiently secure. In fact, the number one objective of an Accounting Information System audit is to express an opinion on the security of the accounting assets of the organization. To be able to do this effectively, the AIS auditor must know the basics of securing an accounting system to start with. This is usually further broken down into the following subheadings:
- Confidentiality: Only those that have a need to know the contents of our information system should see what is in it. The aim of the AIS audit here is to confirm that the right cipher tools and/or technologies are used to make sure that no unauthorized person can access the client’s AIS. Information assets should, at the very least, be encrypted using the latest encryption technology.
- Integrity: Are information assets passed from point A to point B without being altered? Integrity of information heavily reflects the accuracy, reliability and consistency of the contents of the AIS. This AIS audit objective is pervasive in nature and works hand in hand with the other legs of the security triad.
- Availability: Of what use is an information asset if those that need it cannot gain access to it when needed and in the right quantity? Availability is usually the most important part of information asset security and often its weakest link. Provide too much security and you risk shutting out bona fide users; provide too little and you expose the very assets you are striving to secure.
- Authorization / approvals: Can changes to the system setup be made without appropriate approvals? As mundane as this may sound, I have once reviewed an accounting software setup (a component of AIS) where end users had admin rights that allowed them to make changes to the system setup without leaving a trail. The most amazing part of it is that both the finance and accounting department and members of the board saw nothing wrong with this.
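The authorization point above is one the auditor can test directly: take a setup snapshot at the start and end of the period, export the system's change log, and reconcile the two. Every difference between the snapshots should be explained by a logged change made by an authorised user with an approval reference; anything else is a change made without a trail. The script below is an added example, not code from the original post. The two snapshots, the change-log lines, the pipe-separated log format (timestamp|user|setting|old|new|approval_ref) and the list of authorised setup administrators are all constructed assumptions.

```python
"""Reconcile accounting-system setup changes against the change log.

Added example over constructed data: the snapshots, log lines, log format
and the set of authorised administrators below are assumptions, not taken
from any real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed: the only users who are supposed to be able to alter setups.
SETUP_ADMINS = {"sysadmin.ade"}

# Constructed setup snapshots at the start and end of the audit period.
SNAPSHOT_BEFORE = {
    "posting_period_lock": "2023-05",
    "approval_threshold_ngn": "500000",
    "audit_log_enabled": "true",
    "allow_backdated_postings": "false",
}
SNAPSHOT_AFTER = {
    "posting_period_lock": "2023-06",
    "approval_threshold_ngn": "5000000",
    "audit_log_enabled": "true",
    "allow_backdated_postings": "true",
}

# Constructed change-log export: timestamp|user|setting|old|new|approval_ref
CHANGE_LOG = """\
2023-07-03T09:12:44|sysadmin.ade|posting_period_lock|2023-05|2023-06|CR-0412
2023-07-10T16:40:02|clerk.funke|approval_threshold_ngn|500000|5000000|
2023-07-12T11:05:19|sysadmin.ade|audit_log_enabled|true|false|CR-0418
2023-07-12T11:58:01|sysadmin.ade|audit_log_enabled|false|true|CR-0418
"""

Finding = Tuple[str, str, str, str]  # (code, setting, user, detail)


@dataclass(frozen=True)
class ChangeEntry:
    ts: str
    user: str
    setting: str
    old: str
    new: str
    approval_ref: str


def parse_change_log(text: str) -> List[ChangeEntry]:
    """Parse the assumed pipe-separated export; reject malformed lines rather than skip them."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 6:
            raise ValueError(f"malformed change-log line: {line!r}")
        entries.append(ChangeEntry(*parts))
    return sorted(entries, key=lambda e: e.ts)


def review_setup_changes(before: Dict[str, str], after: Dict[str, str],
                         entries: List[ChangeEntry], admins: Set[str]) -> List[Finding]:
    findings: List[Finding] = []

    # 1. Every logged change must come from an authorised user and carry an approval reference.
    for e in entries:
        if e.user not in admins:
            findings.append(("CHANGE_BY_NON_ADMIN", e.setting, e.user, e.ts))
        if not e.approval_ref:
            findings.append(("NO_APPROVAL_REFERENCE", e.setting, e.user, e.ts))

    # 2. Windows in which the audit log itself was switched off: anything done then left no trail.
    off_since = None
    for e in entries:
        if e.setting != "audit_log_enabled":
            continue
        if e.new == "false" and off_since is None:
            off_since = e.ts
        elif e.new == "true" and off_since is not None:
            findings.append(("AUDIT_LOG_DISABLED_WINDOW", e.setting, e.user, f"{off_since}..{e.ts}"))
            off_since = None
    if off_since is not None:
        findings.append(("AUDIT_LOG_DISABLED_WINDOW", "audit_log_enabled", "", f"{off_since}..(still off)"))

    # 3. Reconcile: walk each setting's logged chain from the 'before' value; it must reach 'after'.
    by_setting: Dict[str, List[ChangeEntry]] = {}
    for e in entries:
        by_setting.setdefault(e.setting, []).append(e)
    for key in sorted(set(before) | set(after)):
        if before.get(key) == after.get(key):
            continue
        value = before.get(key)
        for e in by_setting.get(key, []):
            if e.old == value:
                value = e.new
        if value != after.get(key):
            findings.append(("UNLOGGED_SETUP_CHANGE", key, "", f"{before.get(key)} -> {after.get(key)}"))
    return findings


def run_review() -> List[Finding]:
    return review_setup_changes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, parse_change_log(CHANGE_LOG), SETUP_ADMINS)


if __name__ == "__main__":
    for code, setting, user, detail in run_review():
        print(f"{code}\t{setting}\t{user}\t{detail}")
```

On the constructed data this produces four leads: a setup change by a clerk outside the admin list, the same change with no approval reference, a window during which audit logging was switched off, and a backdated-postings setting that changed with no log entry at all, which is exactly the "no trail" condition described above. Whether those leads become findings depends on what management can produce when asked.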
Compliance: The current reality of our world is that no system survives outside the legal system. The control objectives here include ensuring:
- Compliance with the various relevant rules and laws
- Compliance with the various standards, such as IFRS and US GAAP
- Compliance with the company’s policies
Finances & Money: At the end of the day, everything that an organization does boils down to money. The objectives of the AIS auditor here include:
- Safeguarding financial resources
- Cost-benefit analysis of controls
- Suitable reporting
Summary of how to audit an AIS
Notice that I did not provide any brief explanations of the components of the Compliance and Finances sections of the accounting information systems audit quadrant because they are fairly straightforward. Also, this post is already becoming too long.
An AIS audit is premised on a risk-based audit philosophy. It starts with gaining an understanding of an entity’s line of business and ends at the follow-up stage.
The first step in auditing an AIS is to gain a sufficient understanding of the entity’s business environment. The best way to do this is to build a risk register while you are gaining that understanding. The benefit of doing it this way is that the chance of missing anything out is greatly reduced. Please note that this comes after you have prepared your audit charter and had it approved by those charged with governance.
Once you have gained a sufficient understanding of the entity’s business environment and your risk register is done, discuss it with those charged with governance at this point to factor in their risk appetite.
The next thing to do is to develop an audit plan to cater for the already identified risks. From here, the audit program and timetable are developed. Next is the execution of the various tasks as identified and allocated.
Analyse all the evidence gathered to ensure that they are sufficient, appropriate and properly kept – chain of custody. Once you are satisfied with this, go ahead to discuss findings with management, get their response and prepare the audit report. I personally build a sketched report while carrying out the audit assignment so I don’t usually spend much time here.
The final step in the audit of an AIS is to follow up to ensure that all recommendations have been implemented. You can link all that we have discussed here today to the COSO framework established in 1992 (with various updates to date) to get a broader picture of what objectives to look out for while auditing an accounting information system.