View CartView Cart
QuestionsContact Us

Useful Guidance



The objective of the materials offered below is to share our professional, Big 4, consulting, and industry experience in the information systems security, risk management, audit, control assurance and regulatory compliance fields. Our goal is to help organizations as well as the IT & non-IT audit, risk and security professionals to:
  • Identify opportunities for efficiency
  • Streamline and simplify regulatory compliance efforts.

We also strive to help organizations interested in reducing the work, and therefore the fees, of the Big 4 audit firms by having their external audit function rely on the work performed by management as part of the regulatory compliance procedures.

Useful Guidance

Auditing Standard No.5 (AS5) - Opportunities for Efficiency

Companies that do not take the full advantage of the Auditing Standard No. 5 miss out on the opportunities for efficiency and incur unnecessary costs associated with the regulatory compliance efforts. Does your company take a full advantage of the AS5? Listed below are the key opportunities for efficiency:

(1) AS5 allows greater flexibility and places maximum emphasis on auditor judgment. What this means is that anything is possible as long as you can substantiate/ explain it. Documentation is the key.

(2) Restrictions on areas where and the extent to which External Auditors can use the work of others (management or consultants executing internal control compliance procedures on management’s behalf) to obtain evidence about design and operating effectiveness of controls are eliminated.
The necessary level of competence and objectivity of those who perform the work needs to meet the requirements. As assessed risk related to the control increases, the necessary level of competence and objectivity of those who perform the work needs to increase in order for the External Auditors to be able to use their work - see http://soxmadeeasy.com/reliance1.html for guidance.
External Auditors will need to determine whether the tests are performed properly. This determination is done via “reperformance” testing. External Auditors generally select approximately 20% of control activities and reperform a sufficient portion (judgmental) of management’s testing to conclude whether the test of controls was performed properly. Again, documentation is the key - see http://soxmadeeasy.com/testing_checklist.html for guidance.

(3) Auditors are allowed to receive direct assistance from company personnel or third parties working under the direction of management (i.e. consultants).
This offers infinite possibilities. External Auditors charge on average $450 per hour for their services. Doing certain things internally means substantial savings. Walk through the budget with External Auditors and identify the areas where offering direct assistance would make sense.

For instance, about 20% of External Audit’s budget is comprised of what they call “administrative costs” (things like coordinating status meetings, etc.). It does not take much effort to have such costs reduced to 5-10% of the budget just by helping with coordination of the audit. To save more, companies can have their internal staff help External Auditors with testing, etc.


(4) Risk-focus of the standard - management should understand how IT affects the company's flow of transactions when understanding the likely sources of misstatement and identifying where material misstatements might occur.
What this basically means is that identification of risks and controls within IT should not be a separate evaluation. Focus on application systems that affect financials. If the system cannot be linked to the financial statements, it should be scoped out. Also, focus on the systems and controls likely to pose a greater risk to financial reporting - thus reducing effort and cost.

Helpful tip – put together a spreadsheet that lists application systems used by the organization and document your reasoning for scoping systems in or out to save time on explaining your reasoning to external auditors or other interested parties.


(5) Auditors are allowed to incorporate the knowledge obtained during past audits into the decision-making process for determining the nature, timing, and extent of testing necessary in the current year.
The extent of the testing procedures performed in the current year can be further reduced by the knowledge obtained from prior audits based on the following factors:
  • Nature, timing and extent of testing performed in previous audits, and the results thereof - auditors can roll forward prior year’s testing when control was sufficiently tested and found to be effective in the past.
  • Whether there have been changes in the control or the process in which it operates - auditors can roll forward prior year’s testing if no change has occurred in the control or the process in which it operates (a quick walkthrough or equivalent procedures should suffice for low-risk controls to assess the control’s operating effectiveness or less extensive than normal tests for higher risk controls).