The Role of Accountants in AIS

Accountants are involved in both the design and audit of AIS. The final section of this chapter briefly outlines
key areas of responsibility; these issues are expanded upon in subsequent chapters.

ACCOUNTANTS AS SYSTEM DESIGNERS

Accountants play a prominent role on systems development teams as domain experts. In that capacity, they
are responsible for many aspects of the conceptual system. This involves specifying certain operational rules,
reporting requirements, and framing internal control objectives that the system must achieve. The IT professionals
on the team are responsible for the physical system, including system architecture,programming, and database
design.
To illustrate the distinction between conceptual and physical systems, consider the following example:

The credit department of a retail business requires information about delinquent accounts from the AR
department. The information is used to support decisions made by the credit manager regarding the
creditworthiness of customers.

The design of the conceptual system involves specifying the criteria for identifying delinquent customers and the
information that needs to be reported. As the domain expert, the accountant determines the nature of the
information required, its sources, its destination, and the accounting rules that need to be applied. The Physical
system includes the data storage medium to be used and the method for capturing and presenting the information.
IT professionals determine the most economical and effective technologies for accomplishing the task.
Hence, systems design is a collaborative effort. Because of the specificity of accounting rules, the implications of
material error, and the potential for fraud, the accountant’s involvement in systems design is essential and pervasive
throughout the development process.

ACCOUNTANTS AS SYSTEM AUDITORS

Accountants perform audits of business organizations for various reasons, which typically involve the AIS.
The most common audits are external (attestation) audits,internal (operational) audits, and fraud audits. Each type
of audit requires that the auditor have a thorough understanding of AIS functions and internal controls.
An external audit is an independent attestation performed by an expert the auditor who expresses an opinion in the
form of a formal audit report regarding the presentation of financial statements.

This task, known as the attest function, is performed by certified public accountants (CPAs) who work for
accounting firms that are independent of the client organization being audited. The audit objective is to assure the
fair presentation of corporate financial statements. This requires auditors to perform tests of the information
system’s internal controls as well as substantive tests of data that reside in the system’s databases. External audits
are often referred to as financial audits and the SEC requires all publicly traded companies to undergo a financial
audit annually. CPAs conducting such audits are acting on behalf of outsiders such as stockholders, creditors,
government agencies, and the general public.
A critical element in the relationship between auditors and their constituents is the concept of auditor
independence. Within the context of an audit, independence means that the auditor is free from factors that might
influence the auditor’s report regarding the financial position of the client firm. Such factors include, but are not
limited to, financial interests in the client firm including stock holding or employment outside of the attest service,
family ties or other personal relationships with the client, or provision of nonaudit (advisory) services to audit clients.
In the absence of independence, the auditor’s report would be of little value to its users.

Attest Service versus Advisory Services

An important distinction needs to be made regarding the external auditor’s attestation function and the rapidly
growing field of advisory services, which many public accounting firms offer. Advisory services are professional
services offered by public accounting firms to improve their client organizations operational efficiency and
effectiveness. The domain of advisory services is intentionally unbounded so that it does not inhibit the growth of
future services that are currently unforeseen. As examples, advisory services include actuarial advice, business
advice, fraud investigation services information system design and implementation, and internal control assessments
for compliance with SOX.
Prior to the passage of SOX, accounting firms were permitted to provide advisory advisory services and attest
services concurrently to clients. SOX legislation, however greatly restricts the types of nonaudit services that
auditors may render audit clients. It is now unlawful for a registered public accounting firm that is currently
providing attest services for a client to provide the following services:
 Bookkeeping or other services related to the accounting records or financial statements of the audit client
 Financial information systems design and implementation
 Appraisal or valuation services,fairness opinions, or contribution-in-kind reports
 Actuarial services
 Internal audit outsourcing services
 Management functions or human resources
 Broker or dealer, investment adviser, or investment banking services
 Legal services and expert services unrelated to the audit
 Any other service that the board determines, by regulation, is impermissible

The IT advisory service units of public accounting firms have different names in different firms, but they all
engage in tasks generally known as risk management. These groups often play a dual role within their respective
firms; they provide non audit clients with IT advisory services and also work with their firm’s financial audit staff to
perform IT-related tests of controls (often called IT auditing) as part of the attestation function. Keep in mind that in
many cases, the purpose of the task, rather than the task itself, defines the service being rendered. For example, a
risk management professional may perform a test if IT controls as an advisory service for a nonaudit client who is
preparing for a financial audit by a different public firm. The same professional may perform the same test for an
audit client as part of the attest function.

Internal Audits
Internal Auditing is an independent appraisal function established within an organization to examine and
evaluate its activities. Internal auditor performs a wide range of activities conducting financial audits, performing IT
audits, examining an operation’s compliance with organizational policies and legal obligations, evaluating
operational efficiency, and detecting and pursuing fraud within the firm.
An internal audit is typically conducted by auditors who work for the organization, but this task may be outsourced
to other organizations. Internal auditors are often certified as a Certified Internal Auditor (CIA) or a Certified
Information Systems Auditor (CISA).

External versus Internal Auditors

The characteristics that conceptually distinguishes external auditor from internal auditors is their respective
constituencies: While external auditors represent outsiders, internal auditors represent the interest of the
organization. Nevertheless, in this capacity, internal auditors often cooperated with and assist external auditors in
performing aspects of financial audits. This cooperation is done to achieve audit efficiency and reduce audit fees. For
example, a team of internal auditors can perform tests of computer controls under the supervision of a single
external auditors.
The independence and competence of the internal audit staff determine the extent to which external
auditors may cooperate with the rely on the work perform by the internal auditor. Some internal audit departments
report directly to the controller. Under this arrangement, the internal auditor’s independence is compromised, and
the external auditor is prohibited be professional standards from relying on evidence provided by them. In contrast,
external auditors can rely, in part, on evidence gathered by internal audit departments that are organizationally
independent and report to the board of directors’ audit committee (discussed later). A truly independent internal
audit staff adds value to the audit process. For example, internal auditors can gather audit evidence throughout a
fiscal period, which external auditors may then use at year-end to conduct more efficient, less disruptive, and less
costly audits of the organization’s financial statements.

Fraud Audits
In recent years, audits have, unfortunately, increased in popularity as a corporate governance tool. They
have been thrust into prominence by a corporate environment in which both employee theft of assets and major
financial frauds by management (e.g. Enron and Worldcom) have come rampant. The objective of a fraud audit is to
investigate anomalies and gather evidence of fraud that may lead to criminal conviction. Sometimes fraud audits are
initiated when corporate management suspects employee fraud. Alternatively, boards of directors may hire fraud
auditors to investigate their own executives if theft of assets or financial fraud is suspected. Organizations victimized
by fraud usually contract with specialized fraud units of public accounting firms or with companies that specialize in
forensic accounting. Typically, fraud auditors have earned CFE certification, which is governed by the Association of
Certified Fraud Examiners.
The Role of the Audit Committee
The boards of directors of publicly traded companies form a subcommittee known as the audit committee
that has special responsibilities regarding audits. This committee is usually composed of three people who should be
outsiders (not associated with the families of executive management nor former officers,etc) With the advent of the
SOX, at least one member of audit committee must be a “financial expert.” The audit committee serves as an
independent “check and balance” for the internal audit function and liaison with external auditors. One of the most
significant changes imposed by SOX has been to the relationship between management and external auditors. Prior
to SOX, external auditors were hired and fired by management.
Many believe, with some justification, that this relationship erodes auditor independence when disputes over audit
practices arise. SOA mandates that external auditors now report to the audit committee which hires and fires
auditors and resolves disputes.
To be effective, the audit committee must be willing to challenge the internal auditors (or the entity
performing that function) as well as management when necessary. Part of the role of committee members is to look
for the ways to identify risk. For instance, they might serve as a sounding board of employees who observe
suspicious behavior or spot fraudulent activities. In general, they become an independent guardian of the entity’s
assets by whatever means is appropriate. Corporate frauds often have some relationship to audit committee
failures. These include lack of independence of audit committee members, lack of experienced members on the
audit committee, inactive audit committees, and the total absence of an audit committee.

Designer / Auditor Duality

The accountant’s dual roles of designer and auditor draw upon a common skill set. An accountant cannot
effectively conduct an audit if he or she does not understand the principles of systems design. The functions involved
in a system, the tasks performed by, and the internal that are, or should be, in place are design issues about which
auditors routinely gather evidence. Similarly, an accountant cannot properly design a system without a thorough
understanding of audit issues and concerns. For example, the designer must understand the nature of a particular
audit risk before he or she can plan the design of internal control techniques needed to mitigate the risk.
Also, the designer must understand audit objectives regarding evidence gathering so he or she may create a system
that facilitates the subsequent extraction of audit evidences.
The accountant’s dual responsibility for systems design and auditing has greatly influenced the organization
an approach taken in this text. Although primarily an AIS design text, chapter topics are presented from the auditor’s
perspective. Human activities, manual procedures, and information technologies such as databases, and computer
applications that constitute the AIS are presented and discussed within the context of the audit risks they pose and
how those risks can be mitigated through internal controls. This approach is followed throughout the remaining
chapters of the book.