
## IT-Related Risks and Their Impact on the Audit

As entities rely more on IT systems, IT-related risks directly affect how the auditor plans and performs the audit.

### Three Areas of Impact

#### 1. Impact on Substantive Checking

  • Inability to address IT risks → non-reliance on data obtained from systems
  • Consequence: All information, data, and reports must be tested thoroughly for completeness and accuracy
  • Result: Increased (detailed) substantive checking

#### 2. Impact on Controls

  • Non-reliance on automated controls, system calculations, and accounting procedures built into applications
  • Result: Additional audit work required to compensate

#### 3. Impact on Reporting

  • Regulatory requirements for internal financial controls (especially for companies under the Companies Act)
  • Significant IT control failures may require modification of the auditor's report

### Practical Implication

The higher the IT risk, the more work the auditor must do — both in testing data and in evaluating the adequacy of IT-dependent controls.

Worked example

### Example 1

Scenario: An auditor finds that the entity's ERP system has poor access controls and no proper audit trails. What is the impact on the audit?

Answer: Three impacts arise: (1) The auditor cannot rely on system-generated reports, requiring increased substantive checking of all transactions. (2) Automated controls cannot be relied upon, requiring additional manual testing. (3) If this is a listed company or one subject to internal financial controls reporting, a report modification may be required.

### Example 2

Scenario: A company uses automated bank reconciliation software. During testing, the auditor discovers the software had an undetected bug that miscalculated reconciling items for two months. What should the auditor do?

Answer: The auditor should (1) not rely on automated controls for the affected period, (2) manually re-perform bank reconciliations for those months as a substantive procedure, and (3) consider whether this constitutes a reportable control deficiency.

⚠️ Common exam mistakes

  • Limiting IT risk impact to only data reliability — IT risks also affect automated controls and auditor reporting obligations.
  • Assuming IT risks are only relevant for technology companies — any entity using IT systems (which is most entities) is subject to IT-related audit risks.
  • Forgetting the reporting dimension — significant IT control failures in companies can require modification of the audit report under internal financial controls requirements.