January-February 2004 — PRINT EDITION    
 
   
 

Behind the committee

By Donald E. Sheehy & David J. Moore
Illustration: Susanna Denti


The ITAC was set up to advise on national accounting and auditing standards. Today, it has a broader focus.

Twelve years ago this month, a four-person information technology advisory group was set up to help CICA Studies & Standards keep abreast of the potential impact of technological developments on Canadian accounting and auditing standards, practices and methodologies. Its mandate was to propose and coordinate research projects on IT issues, provide assistance in the development of Canadian accounting and auditing standards impacted by IT, and assist Studies & Standards in the implementation of technology.

Throughout the 1990s, the advisory group's focus was assisting the auditing profession, since technology had made it possible for auditors to implement procedures that were not possible previously because of time constraints and costs. One of its first tasks was to coordinate an audit technique study on Application of Computer Assisted Audit Techniques Using Microcomputers (published by the CICA in 1994) to encourage wider use of CAATs by auditors. That was followed in 1996 and 1997 with the publication of two audit technique studies (undertaken with the AICPA): Audit Implications of EDI, and Audit Implications of Electronic Document Management. These studies discussed the opportunities and challenges presented to the auditor in these developing areas.

By the mid-1990s, securities commissions, regulatory agencies and government departments were requiring entities to file information electronically, giving rise to issues relating to the integrity of the information filed. This led to the publication in 1995 of the booklet Electronic Filing of Information that discussed the controls that should be implemented in order to ensure the integrity of documents filed.

In 1998, the third edition of the CICA's benchmark publication Computer Control Guidelines was published, and renamed Information Technology Control Guidelines. The decade ended with the publication of three booklets relating to the Year 2000 issue: Year 2000 — Guidance for Practitioners; Effective Monitoring and Management Reporting of Year 2000 Activities; and Contingency Planning for the Year 2000. In addition, The Impact of Technology on Financial and Business Reporting, a research study, and Continuous Auditing, a research report, were published.

In 1999, the advisory group was reconstituted as the Information Technology Advisory Committee (ITAC) and its focus was broadened to provide advice and assistance on a range of IT matters affecting the accounting profession, not just those relating to accounting and auditing standards. (ITAC's current responsibilities are set out in Exhibit 1 at CAmagazine.com.) It was expanded to 10 members.

During the past four years, ITAC has produced the following, with all its products being posted on the CICA website (www.cica.ca/itac):

20 Questions Directors Should Ask About IT. This document's objective is to provide guidance to members of boards of directors and other governance bodies, such as the audit committee and the IT steering committee, in evaluating IT issues that might arise in discharging their board or committee responsibilities. The questions cover strategic issues (strategy and planning, technology trends, performance, personnel); internal control issues (governance of IT); and risk issues (risk and security, personal information privacy); e-business, availability and legal issues. The document also notes it is essential to have a follow-up program of responses. If the answers to the questions raised indicate that procedures will be implemented to deal with perceived shortcomings in the control system, this must be followed up by the board or committee at its next meeting to determine if, in fact, those procedures have been implemented.

20 Questions Directors Should Ask About Privacy. As of January 1, 2004, businesses must have a privacy compliance regime to protect individuals' privacy rights. This document was prepared to assist directors in evaluating personal information privacy issues. It summarizes the board's responsibilities for privacy and the key questions directors should ask management — questions relating to understanding privacy risk, implementing a privacy compliance regime, managing privacy risk and obtaining privacy assurance.

Privacy Compliance: A Guide for Organizations & Assurance Practitioners. This 79-page guide offers a framework to develop privacy control systems and discusses the assurance practitioner's role in providing value-added services on privacy. It is a living document with links to legislation, publications and websites. There are four chapters: Privacy and the PIPEDA; Implementing a privacy compliance regime; Preparing privacy policies and procedures; Obtaining privacy assurance. Appendices cover international privacy developments, provincial privacy legislation, Canadian privacy codes and practices, readiness assessment, privacy enhancing technologies and online privacy seals.

ITAC is also preparing a series of white papers to increase CAs' and other interested parties' awareness of IT topics considered significant to the accounting profession and the business community. They are not intended to provide detailed guidance. Three have been issued to date.

Audit and Control Implications of XBRL. Extensible business reporting language (XBRL) is an implementation of extensible mark-up language (XML) that is specifically designed for financial and business reporting. The white paper briefly covers the most critical documents relating to the use of XBRL — the XBRL specification, XBRL taxonomies, XBRL instance documents and style sheets — as well as the procedure for preparing XBRL reports and the risk of error. It then covers a number of control and assurance issues. It notes the use of XBRL for generating audited financial statements leads to a number of additional factors that auditors must consider.

Security for Wireless Systems. The objective of this paper is to draw attention to the issues that need to be considered when wireless networks and such devices as cellphones and personal digital assistants are used for transmitting data. It reviews the main wireless technologies and their security features. There is a short overview of the major audit implications of wireless systems and significant risk areas and approaches to dealing with them.

Using an Ethical Hacking Technique to Assess Information Security. This paper was issued to provide organizations with information about a technique, referred to as "penetration testing," in which an independent qualified IT professional undertakes a series of techniques to assess how easy or difficult it might be to penetrate an organization's security controls or gain unauthorized access to its information systems and data. It discusses various strategies for carrying out this technique, types of testing, key risks in using this technique and the steps that should be taken to manage these risks.

A white paper, IT Outsourcing, on the risks involved and the steps that could be taken to mitigate them, is being considered.

ITAC and the Auditing and Assurance Standards Board sponsored the research report Electronic Audit Evidence published in June. The ITAC is also sponsoring a study on electronic filing and reporting, which should be published in the spring, and a report on e-business infrastructure.

ITAC has also provided advice on projects underway, or ones being considered, by other CICA boards or committees, particularly the AASB and its international counterpart, the International Auditing and Assurance Board. One of the first tasks of the reconstituted ITAC in 1999 was the preparation of a report entitled A Roadmap for Auditing e-Business. ITAC is concerned that the CICA Handbook – Assurance does not adequately reflect the current electronic environment; it is still geared to a paper-based environment. The report identified changes to Handbook recommendations that could correct this perceived deficiency. It felt a number of these changes could be made right away, whereas additional study would be needed before other changes could be implemented. A number of additional research projects were also identified for consideration. The report was presented to the AASB in July 2000. The AASB indicated it would take ITAC's proposals into consideration when revising Handbook sections or commencing new ones.

ITAC has also reviewed the international exposure draft on Auditing e-Business and passed its comments to the International Auditing Practices Committee. It is very involved in the projects that are underway on auditing risk and review of internal controls and, in addition to providing comments on drafts produced at the national and international level, it has a representative on the task forces set up by the AASB on these two subjects.

On the education side, ITAC has reacted to and commented on the Competency Map during its development. It also led the Canadian response to the International Federation of Accountants education committee's exposure draft on Information Technology for Professional Accountants issued in September 2001.

ITAC meets four times a year for a one-day meeting. Conference calls are scheduled as needed. It is made up of representatives from accounting firms, financial institutions, government and academe. All members are CAs, with most having additional technology-based designations.

Anyone interested in more information or recent publications can log onto the ITAC section on the CICA website (www.cica.ca/itac). Information on research reports and studies covered in this article can be obtained by referring to the research guidance-research activities section of the CICA website.


Donald Sheehy, CA•CISA, Deloitte & Touche, is the chairman of ITAC. David Moore, CA, is the CICA's research studies director.

Technical Editor: Bob Rutherford, VP, Standards

 