GERMANY: Auditing IT systems as part of the audit of the annual financial statements
Due to the digitalisation of accounting and payment processes in the federal administration, auditing IT systems has become an essential part of the German SAI’s mandatory audit of federal accounts. To conduct these IT system audits, we utilise a risk-based audit approach related to the International Standards on Auditing (ISA). In Germany, the ISA are transposed into national audit standards by the Institut der Wirtschaftsprüfer e.V. (Institute of Public Auditors in Germany, Incorporated Association – abbr. IDW) and published as IDW Auditing Standards (IDW PS).
We have aligned our IT system audit to IDW PS 330 (“Audit of Financial Statements in an Information Technology Environment”), which is closely related to ISA 315 / ISSAI 1315 “Identifying and assessing the risks of material misstatement through understanding the entity and its environment”. Our IT system audit approach covers all aspects of compliance and IT security matters in the use of IT systems for payment and accounting. The key criteria for assessing them are laid down in federal budget law and applicable IT governance frameworks such as COBIT, ITIL, ISO 27001 and BSI Grundschutz.
Based on our audit reports, the Public Accounts Committee of Federal Parliament called on the government departments and agencies to study the risks arising from the use of IT in their accounting systems. Furthermore, the Federal Ministry of Finance provided government departments with support activities such as training, sample documents and process templates.
Due to the ongoing digital transformation of the payment and accounting processes (electronic invoicing, IT consolidation, automated recording and payments), the number and complexity of IT systems as well as the number of ledger entries are increasing. As a result, IT auditors need to adapt to this new environment. For this reason, we have embarked on a data-driven approach using computer-assisted audit tools to identify and assess risks and collect audit evidence.
For the audit of a complex accounting system, we analysed a large number of ledger entries (approx. 50 million records). First, we analysed the ledger entries to gain a basic insight into the business processes. The second step was to cluster the data and focus on cases that had been subject to manual changes and therefore carried risk. In a third step, we assessed the internal controls by analysing the effectiveness of the segregation of duties. For example, we found cases where data had been changed by the same two users within a short amount of time. It took the users just a few seconds from entering a change into the system to approving it. We concluded from this that this internal control mechanism was apparently not as effective as it seemed at first sight. Visualising our findings in our audit report helped the auditee to better understand our methodology and the way in which we generated our findings (see case examples in the figure below).
Examples of visualising large amounts of data
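
The segregation-of-duties check described above can be expressed as a small analysis over a change log. The following is an added example, not the tool or data used in the audit: the column names, the sample rows and the 10-second threshold are assumptions, and it additionally reports changes entered and approved by one and the same user.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of a change log: one row per manual change to a ledger entry.
# Column names and values are assumptions for illustration only.
SAMPLE_LOG = """change_id,entered_by,entered_at,approved_by,approved_at
C001,user_a,2023-03-01T09:00:00,user_b,2023-03-01T09:00:04
C002,user_a,2023-03-01T09:01:10,user_b,2023-03-01T09:01:13
C003,user_c,2023-03-01T10:15:00,user_d,2023-03-01T14:40:00
C004,user_b,2023-03-02T08:30:00,user_a,2023-03-02T08:30:06
C005,user_e,2023-03-02T11:00:00,user_e,2023-03-02T11:20:00
C006,user_c,2023-03-03T09:00:00,user_d,2023-03-03T09:00:05
"""

def analyse(log_text, max_gap=timedelta(seconds=10), min_repeats=2):
    """Return (self_approved, rapid, recurring_pairs) for a change log.

    self_approved: change ids entered and approved by the same user.
    rapid: (change_id, user pair, seconds) where approval followed entry
           within max_gap, too fast for a genuine independent review.
    recurring_pairs: user pairs with at least min_repeats rapid approvals,
           counted regardless of who entered and who approved.
    """
    self_approved, rapid, pair_counts = [], [], Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        entered = datetime.fromisoformat(row["entered_at"])
        approved = datetime.fromisoformat(row["approved_at"])
        if row["entered_by"] == row["approved_by"]:
            self_approved.append(row["change_id"])
            continue
        gap = approved - entered
        if timedelta(0) <= gap <= max_gap:
            pair = tuple(sorted((row["entered_by"], row["approved_by"])))
            rapid.append((row["change_id"], pair, gap.total_seconds()))
            pair_counts[pair] += 1
    recurring = {p: n for p, n in pair_counts.items() if n >= min_repeats}
    return self_approved, rapid, recurring

if __name__ == "__main__":
    self_approved, rapid, recurring = analyse(SAMPLE_LOG)
    print("self-approved:", self_approved)
    for change_id, pair, seconds in rapid:
        print(f"rapid approval {change_id}: {pair} after {seconds:.0f}s")
    print("recurring pairs:", recurring)
```

A pair that appears repeatedly in the rapid list is a candidate for follow-up; the threshold should be set against how long a genuine review of a change takes in the system under audit.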