IT Contents included in the National Auditing Standards
2012-02-28

Presented at the 7th Working-level meeting of SAIs of China, Japan and Korea

The amended National Auditing Standards of the People’s Republic of China was promulgated by the National Audit Office of China (abbreviated as the CNAO) on September 1, 2010 and shall be effective as of January 1, 2011. In accordance with the Auditing Law of P.R. China and the Regulations on the Implementation of the Audit Law of the People's Republic of China, the new National Auditing Standards coordinates the code of conduct, auditing technical standards and auditing quality control standards, and provides guidance on the process and standards of auditing practice, management and conduct.

Since IT skills have been widely used in the operation and governance of audited bodies, IT techniques have been extensively adopted in audit field work and management processes, and IT systems and electronic data have become a close focus of auditors, the CNAO has summarized the experience of IT development gained by Chinese audit institutions in the past decade and given the National Auditing Standards a distinctive feature: priority is given to IT systems and IT skills in the four basic links of the audit process, namely annual audit plan formulation, audit program preparation, audit field work & audit evidence collection, and audit conclusion & audit reporting.

1. Annual Audit Plan Formulation

In accordance with the provisions of the National Auditing Standards, preparing the annual plan of audit assignments should cover four steps, namely identifying the subject matters of auditing, undertaking preliminary analysis of the alternative audit assignments, evaluating the available audit resources, and selecting the audit assignments, as follows:

1.1. Identifying the subject matters of auditing. Given the priority laid on the IT systems of audited entities, Article 28 of the said Standards stipulates that the subject matters of auditing could also be identified by analyzing relevant data, which is a typical example of the IT contents of the National Auditing Standards. This amendment was put forward on the basis that Chinese audit institutions have already adopted on-line audit and can use IT skills to analyze historical data. For example, CAATs are introduced to help auditors analyze the financial statements of past consecutive years in a certain audited enterprise. Once a comprehensive audit proves necessary to clear up certain suspicious problems, the auditors may propose to list the audit of the enterprise concerned in the annual audit plan for the next year.

1.2. Undertaking preliminary analysis of the alternative audit assignments. Article 29 of the said Standards stipulates that the relevant information system and electronic data of the audited entity should be understood when undertaking preliminary analysis of the alternative audit assignments. According to Chinese practice, the provision ratio of IT systems in main business lines, the types of database and the storage formats of electronic data in the audited entities can have a significant impact on the amount of audit resources required. For example, to conduct audit field work in an entity that has installed accounting transaction software, the audit institution need only send out audit teams equipped with laptops and expertise in audit IT skills. By contrast, to audit an entity where ERP is adopted in its management activities, the audit institution may consider dispatching auditors with special training, providing audit teams with necessary equipment such as portable servers and desktop storage devices, and seeking assistance from external experts.

1.3. Evaluating the available audit resources. Article 37 of the said Standards stipulates that the allocation of audit resources should be considered when preparing the annual plan of audit assignments. Article 42 further stipulates that the resources to be applied to audit should include staff, time, skills and facilities, and expenses. In China, the auditors with IT information and skills and outside experts constitute the main part of the audit human resources capable of conducting audit in a computerized environment. IT facilities, audit software and networks are the major technical equipment in IT audit assignments. The cost of auditors’ IT skills training and of equipment operation and maintenance takes the leading share of audit financial resources.

1.4. Selecting and conducting the audit assignments. The audit assignments specified in the annual plan of audit institutions in China are implemented by audit teams composed of appropriately assigned personnel. Recognizing that information systems and electronic data have become subject matters of auditing, Article 13 of the said Standards stipulates that staffing with auditors of professional competence is one of the qualifications required when audit institutions carry out their audit work. Article 14 stipulates that auditors should be professionally competent in carrying out their audit work. Article 20 stipulates that the external experts employed by audit institutions to carry out the audit work should be equally professionally competent. From the current perspective, professional competence should include knowledge of information technology and the ability to use IT audit software. Recognizing that audit teams are the main party of the audit institutions involved in the audit assignment, the said Standards also makes stipulations with regard to the professional competence of the audit team as a whole. Article 23 stipulates that where the information technology used by the audited entity may significantly affect the audit objective, the professional competence of the audit team as a whole should include its competence in the field of information technology. Article 74 also stipulates that when deploying audit resources, the audit team should assign experienced auditors to the significant subject matters of auditing with sufficient time, and assess whether the work of external experts is required for specific subject matters of auditing.

2. Audit Program Preparation

The National Auditing Standards provides that the audit institutions and auditors shall prepare audit programs in accordance with annual audit plan when executing audit assignments. The audit program preparation shall include three steps, namely obtaining an adequate understanding of the audited entity, assessing the possibility of existence of material irregularities in the audited entity, and determining relevant audit procedures.

2.1 Obtaining an adequate understanding of the audited entity

Considering the priority given to IT development in audited entities, Article 60 stipulates that the “situation of information system and electronic data” shall be studied when audit teams obtain an adequate understanding of audited entities. Since IT systems and electronic data have become a close focus of auditors, the elements relating to IT development are inevitably included among the other main subject matters relating to the environment of audited entities, such as organization structure, business activities and objectives, financial management system and business administration, internal control and its implementation, supervision undertaken and corresponding correction, etc.

How to obtain an adequate understanding of internal control and its implementation in the audited entity is further defined in Article 61 of the said Standards, which provides that a study shall be made of the control environment, risk assessment, control activities, information and communication, and supervision of control. An additional article, Article 61, is made to clarify how to obtain an adequate understanding of the information system in the audited entity. It falls into two parts. The first part is “General control, i.e. the controls designed to ensure the stability, validity and security of normal operation of information system”; the second part is “Application control, i.e. the controls directed to ensure the authenticity, integrity and reliability of data produced by information system.” Priority is given to understanding the controls on IT systems on the basis of the experience of audit practice in both China and foreign countries. It also represents the increasingly important role of information system audit and electronic data audit in the new IT environment.

To further specify how an adequate understanding of audited entities is obtained, Article 63 of the said Standards stipulates five categories of techniques: (1) To inquire of relevant persons inside and outside the audited entity in a written or verbal way; (2) To examine relevant documents, reports, internal management handbooks, technical files and operational manuals of the information system; (3) To physically observe business activities and their location and facilities, and the implementation of internal control; (4) To trace the process of relevant transactions; (5) To analyze relevant data. Except for the written or oral inquiry commonly used by auditors in their past careers, all the other techniques listed are endowed with distinctive features of IT development.

2.2 Assessing existence of irregularities in the audited entity

Based on their understanding of audited entities, auditors then assess the possibility that irregularities exist in the audited entities. The National Auditing Standards requires that auditors select proper criteria as the basis for their professional judgments during the audit process. In financial audit and performance audit, the professional criteria are the “laws, regulations, rules and other guiding documents”, “accounting standards and systems”, and “budget, plan and contract” that are commonly accepted by auditors. Nevertheless, since IT systems and electronic data are included in the audit scope, some standards and technical guidance such as COBIT and other best practice guides shall be regarded as standards that auditors must follow. Some amendments have been made in Article 65 of the National Auditing Standards, which says auditors may select relevant guidelines and policies of the State, historical data and performance of the audited entity, generally accepted business tradition or best practice, and opinions of professional institutions and experts as the basis for their professional judgment. In addition, auditors need to pay attention to the applicability of the criteria in a consistent manner during the conduct of the audit. The expanded scope of the basis for professional judgment enables auditors to choose criteria that are more objective, applicable, relevant and generally accepted when verifying IT systems and electronic data, which in turn provides technical assistance for auditors to assess the establishment, utilization and management of IT systems, to make professional judgments on possible irregularities and to issue auditors’ opinions accordingly.

In light of their understanding of audited entities, the audit teams shall make their judgment on the possible risk areas and issues. When judging the materiality of risks, Article 69 of the said Standards specially lists “deficiency of design of information system” as one of the key areas that auditors shall consider, among other issues such as “being suspected of having committed a crime”, “prohibited by the laws, regulations and policies”, “arisen by the actions done on purpose”, “huge quantity or amount related to the possible irregularities”, “serious defection involved with relevant policy, system or mechanism” and “hot spot of the society”. The reason is that a deficiency in the design of an information system will inevitably lead to the occurrence of errors, and intentionally embedded deficiencies in particular will bring about tremendous risks of “conducting genuine auditing over fake information” in the environment of information technology. The priority laid on “deficiency of design of information system” reflects the new idea of addressing the root cause of risks in the IT environment and serves as an important representation of auditing’s role as an “immune system” in the IT area.

2.3 Determining relevant audit procedures.

In the past, the audit procedures adopted by auditors when conducting common financial audit and performance audit included assessing the reliability of the internal control system, testing the effectiveness of relevant internal control measures, exercising proper audit steps and methodology, etc. For an IT environment, a special provision is given: Article 73 of the said Standards says that audit teams shall regard “estimating the dependence on the information system, and deciding whether and how to examine the effectiveness and security of information system concerned” as one of the audit procedures.

3. Audit field work & audit evidence collection

Article 24 of the National Auditing Standards stipulates that during the process of audit execution, auditors shall make reasonable professional judgments and maintain their professional prudence. They shall be alert to possible material irregularities and collect audit evidence with due care. The process of conducting audit field work and gathering audit evidence covers three steps: testing the effectiveness of the internal control measures adopted by audited entities, collecting audit evidence and analyzing audit evidence.

3.1 Testing internal control

The National Auditing Standards gives clear guidance on when the effectiveness of the internal control system shall be tested. Article 76 says “auditors should examine the effectiveness and security of information system concerned under one of the following circumstances: (a) The examination on electronic data alone is not enough to provide adequate and sufficient evidence for the identification of material irregularities; (b) Some kinds of discrepancy happened with high frequency with electronic data.” Regarding the testing approaches, it provides that “While conducting the examination on the information system of the audited entity, auditors can take the advantage of current functions of information system or employ other computer technologies and tools. They should also avoid any possible impact on the information system concerned and electronic data of the audited entity.”

3.2 Collecting Audit Evidence

Audit evidence is all the information and facts that auditors have collected and used as a reasonable basis for audit conclusions, including the evidence gathered when auditors obtain an understanding of the audited entity and examine the determined audit matters. Collecting audit evidence is the key task in the process of audit execution. Besides the common written and oral evidence generally accepted in financial audit and performance audit, Article 87 of the said Standards stipulates that “electronic audit evidence obtained includes configuration parameters relating to the controls of information system and electronic data reflecting the record of transactions”, which reflects the special requirements for gathering electronic audit evidence and helps to improve the defensive ability of such evidence.

3.3 Analyzing audit evidence

According to the National Auditing Standards, the audit evidence that auditors obtain should meet the criteria of both adequacy and sufficiency. Adequacy and sufficiency support audit evidence from the perspectives of quality and quantity. Adequacy includes relevance and reliance. Article 86, regarding the reliance of audit evidence, is formulated with full consideration of the reality that audit institutions and auditors can gather evidence through the internet, across IT systems or directly from the database. It emphasizes that “audit evidence obtained from outside is more reliable than that from the audited entity itself; audit evidence obtained directly from financial and accounting information of the audited entity is more reliable than that delivered after some processing by the entity itself”, which provides a legal basis for the means of evidence collection in an IT environment.

4. Audit conclusion & audit reporting

The audit institution shall issue audit reports after field work is executed. Audit reports are the written documents issued by audit institutions according to their legal mandates, with auditors’ opinions given after verification of the financial activities of audited entities. They are the final representation of audit results. Article 120 of the said Standards stipulates that once the audit is finished, the audit team should submit its audit report to the audit institution that dispatched it. The audit institution should then issue the audit institution’s audit report after examining and approving the audit report prepared by the audit team. During the phase of making audit conclusions and audit reporting, the steps involving IT systems and IT skills are as follows:

4.1 Imposing treatment and punishment opinions

The National Auditing Standards stipulates that audit treatment and punishment opinions shall be given in the audit reports once the audited entities have problems that violate laws and regulations. Article 135 says that the “audit team shall request audited entity to make due rectification at stated time” in the audit report if the audited entity’s information system has significant loopholes or does not meet related national regulations. The reasons are that: (1) frauds involving installed software have been found in the IT system audits conducted by Chinese audit institutions; and (2) in China, the state publishes the national standards for accounting interfaces. The Chinese government requires that all accounting software must follow the national standards; otherwise, the audit institutions shall ask the audited entities to make rectification.

4.2 Review of audit reports

The review of audit reports covers four steps: review by the functional divisions dispatching the audit teams, verification by the special review units of audit institutions, certification by the business meeting of audit institutions, and signing by the leading staff of audit institutions before the audit reports are sent to audited entities. Due to the disparity of audit targets, knowledge structure and working experience, it is unavoidable that auditors may have different views regarding professional judgment and the nature of certain problems when audit institutions review the audit reports. Normally, the review units will coordinate with the audit teams and functional divisions involved, and when necessary they need to collect more information from audited entities and relevant staff before the disparity can be resolved. Nevertheless, now that the verification of IT systems and electronic data is included in the audit scope, the disparity concerning the nature of problems and professional judgment becomes more complicated and harder to control. Article 145 of the said Standards provides that “If complex issues be met in audit judgment process, audit review entities, upon the approval of the head of audit institution, may invite specialists for argumentation.”

4.3 Preparing special issue reports and audit information

In order to make better use of audit findings and improve the quality and standard of audit results, Article 151 of the National Audit Standards says that “Audit institutions may report to the government of their corresponding level or audit institution of upper level with Specific Issue Report or Audit Information, if the following problems be found in audits: (1) the significant problems of the making and implementation of the policies; (2) issues that are suspected to be significant illegal/criminal activities; (3) significant issues that threaten national economic security; (4) significant issues that threaten national information security; (5) significant issues that impact citizen’s economic interests.” Among these, the requirement that audit issues relating to national information security must be reported to the governments at the corresponding level and audit institutions at the next higher level was put forward by summarizing the experience of IT system and electronic data audits conducted by Chinese audit institutions in recent years.

There are still some points of the National Audit Standards calling for improvement from the perspective of reflecting IT development. For example, the eight requirements regarding audit reports are mainly stipulations involving traditional financial audit and performance audit, leaving a blank space where new standards for the audit of IT systems and electronic data are needed. A concrete example is that a published audit report should not describe system loopholes, the means of verification and related details, given the sensitivity of IT system failures, so as to avoid secondary losses. Nevertheless, the present text of the said Standards only requires that “crime and other details that audit entities should not know” are not allowed to be put into audit reports.

Generally speaking, the National Audit Standards is a set of standards that represents the spirit of the times and reflects the most recent achievements of audit institutions under China's own conditions. As the professional standards guiding the 3000 audit institutions covering national, provincial, city and county levels and 80,000 auditors nationwide, the National Audit Standards will definitely play an important role in promoting audit activities, ensuring audit quality, preventing audit risks and fighting against corruption.