Integrated Approach Model of Risk, Control and Auditing of Accounting Information Systems

The use of IT in financial and accounting processes is growing fast, and this leads to an increase in research and professional concerns about the risks, control and audit of Accounting Information Systems (AIS). In this context, the risk and control of AIS approach is a central component of processes for IT audit, financial audit and IT Governance. Recent studies in the literature on the concepts of risk, control and auditing of AIS outline two approaches: (1) a professional approach in which we can fit ISA, COBIT, IT Risk, COSO and SOX, and (2) a research-oriented approach in which we emphasize research on continuous auditing and fraud using information technology. Starting from the limits of existing approaches, our study aims to develop and test an Integrated Approach Model of Risk, Control and Auditing of AIS on three cycles of business processes: purchases cycle, sales cycle and cash cycle, in order to improve the efficiency of IT Governance, as well as to ensure the integrity, reality, accuracy and availability of financial statements.


Introduction
The high level of use of information technology in the financial and accounting processes of organizations [1] results in an increase in research and professional concerns about the risks, control and audit of Accounting Information Systems (AIS). The risks and vulnerabilities of Accounting Information Systems may lead to material misstatements in financial reporting. Most often these risks have a negative impact on the integrity, accuracy, reality and availability of financial reports [2]; [3]; [4]. In this context, the risk and AIS control approach is central to both financial and IT audit processes and IT governance processes within the organization. In this study, researching the relations between financial and IT audit processes, and using the concepts of risk and control, we developed and applied an integrated approach model of risk, control and auditing of AIS. The purpose of this model is to integrate the approach to risk, control and AIS audit into the IT audit processes and financial audit processes in order to improve the efficiency of IT Governance, as well as to ensure the integrity, reality, accuracy and availability of financial statements.
The paper is structured in four parts. In the introduction we presented the current research regarding the integrated approach of risk, control and auditing in the IT auditor's perception, as well as the financial auditor's perception, and we showed the need to develop a model. In the second part, we presented the research methodology. In the third part, we presented the model development and we discussed the findings of applying the model. Finally, we presented our conclusions regarding the research.

Literature Review
Recent studies in the literature on the concepts of risk, control and auditing of AIS outline two approaches: (1) a professional approach in which we can fit ISA, COBIT, IT Risk, COSO and SOX [5]; [6]; [7]; [8]; [9]; [10], and (2) a research-oriented approach in which we emphasize research on continuous auditing and fraud using information technology [11]; [12]; [13]. According to IFAC-ISA 315, financial auditors must understand and analyze AIS, which can affect financial reporting, particularly on: significant transaction systems for financial statements; automatic or manual control procedures through which transactions are recorded, stored and processed in the general ledger, and reported in the Financial Statements; the process of obtaining and presenting the financial reports from the AIS [5]. Also in the professional approach to the risk management process and ensuring the control of AIS, we noticed the COBIT 5 framework [6]. According to ISACA, COBIT 5 is the only business framework for the governance and management of enterprise IT. Analyzing the objectives and the content of COBIT 5, we can say that starting with this version, ISACA has an integrated approach model of the risk, control and auditing of AIS. Moving to the research field, we notice some recent concerns regarding the integration of risk management processes, control and audit [14]; [14]; [15]. In Ivan and Milodin's study (2010), we find the integrated audit approach of an application for permanent monitoring of risks and controls [16]. A framework for an integrated approach to risks and control was developed by Huang et al., who built an evaluation model of the Information Technology General Control (ITGC) for the certified public accountants (CPAs) under an Enterprise Risk Management (ERM) [17]. To emphasize the need for a common approach to IT audit and financial audit, we mention the recent work by Stoel, Havelka and Merhout, which shows that there are many factors that determine the quality of IT audit and that their importance varies in the perception of the IT auditors and the financial auditors [18]. Integrating IT audit and financial audit processes in the approach to AIS risks and controls is an increasingly current requirement to ensure the integrity, accuracy, reality and availability of financial statements. The professional view (especially ISACA and IFAC-ISA), correlated with the current research, leads us to formulate the objectives for the development of an integrated model approach to risk, control and audit of AIS.

DOI: 10.12948/issn14531305/17.4.2013.08

Research Methodology
Research problem. We propose a model for an integrated approach to risks, controls and audit of Accounting Information Systems (AIS) (Figure 1). Our research is undertaken to explore and to probe the issue that the risks, the controls and the auditing tests can be integrated into a single approach. The developed model uses a set of risks, controls and audit procedures divided into several dimensions of business processes supported by AIS. We used the BCOMM Audit Manager 4.4.4.0 software developed by Business Communications SRL [19] in order to apply the model for risks, controls and audit to the following processes: purchases, sales and cash in the accounting information system of one company.
Variables in the study. The variables in this study are the risks, the controls and the auditing tests specific to purchases, sales and cash. We analyzed three main cycles of the entity: Purchases cycle, Sales cycle and Cash cycle. Within these cycles there are various categories of potential risks identified in the entity's AIS, to which optimal controls and audit tests needed for risk assessment of controls are applied.
Data analysis. For each process cycle (purchases, sales, cash) we created a risk checklist, using worksheet sections in BCOMM Audit Manager, with coefficients assigned for the risk categories. Each risk category is represented by subsequent worksheets that contain the potential risks, type of controls identified, auditing tests applied to the controls and the audit assertions covered by the tests. Each specific process risk was given a relevance coefficient, and we developed test sections in the program to calculate the overall exposure to risk by using SQL statements.

Model Development and Findings

Purchases Cycle
In the purchases cycle we established risk assessments on: orders, reception, invoicing and accounting operations. For each category of risk assessment we designed a worksheet which contains potential risks for each type of operation, types of controls identified and audit tests applied to these controls. The effectiveness of control mechanisms in this process will be determined by audit testing and allocating appropriate coefficients. For each stage of the process we calculated the risk level and then the overall risk. Control mechanisms are designed to prevent, detect and correct any risks that are identified in this phase, and the effectiveness of these controls is shown by audit tests and assigning specific coefficients. We identified a low risk level on control mechanisms specific to accounting operations (Figure 3), with a value between 0.20 and 0.45. The auditor can trust such a mechanism and will not have to perform additional tests.

Sales Cycle
In the sales cycle we established risk assessments on: orders, dispatching, invoicing and accounting operations. For each category of risk assessment we designed a worksheet which contains potential risks for each type of operation, types of controls identified and audit tests applied to these controls. In Figure 4 we presented the 4 sections CV.1.1, CV.1.2, CV.1.3, CV.1.4 in which we calculated the risk factors and Section CV.1.5 where we presented the general risk assessment for sales. The effectiveness of control mechanisms in this process will be determined by audit testing and allocating appropriate coefficients. For each stage of the process we calculated the risk level and then the overall risk. Risks identified in this phase are specific risks on invoicing, as follows: risks on issue, risks on disparity computing, risks on content mismatch and other errors that may be generated by the system. Invoicing system functionality is faulty and could have serious consequences on the business itself. We identified a high risk level on control mechanisms specific to invoicing control (Figure 5), with a value between 0.80 and 1.00. Considering the risk identified, as the auditor in charge, we must carry out further tests because we cannot rely on the control mechanisms. Once we identify the causes that generate such a risk, we must notify management in order for appropriate corrective action to be taken to decrease the risk.

Cash Cycle
In the cash cycle we established risk assessments on: receipts, payments, cash register and bank accounts. For each category of risk assessment we designed a worksheet which contains potential risks for each type of operation, types of controls identified and audit tests applied to these controls. The effectiveness of control mechanisms in this process will be determined by audit testing and allocating appropriate coefficients. For each stage of the process we calculated the risk level and then the overall risk. In the receipts phase we identified risks relating to segregation of duties, user access to system functions, user registration, compliance between the records from the system and document values, and other relevant risks. Using this model we conducted audit tests on controls to find where these controls fail. We identified a medium risk level on control mechanisms specific to receipts (Figure 7), with a value between 0.45 and 0.80. Thus, we can say that the control mechanisms are satisfactory, but not optimal for a good business. The entity is in the safe area, but these mechanisms should be continuously monitored, through proactive involvement of the auditor and periodic tests of controls (preventive, detective and corrective), to minimize the impact of risks that can significantly affect financial reporting. The proactive monitoring must also be ensured by the IT governance system of the organization.

Findings
Using BCOMM Audit Manager, through audit tests applied to controls, we obtained a Medium level of risk for each cycle (Figure 8 and Figure 9). The cycles (purchases, sales and cash) are interdependent, so if major changes occur to the controls on the first two cycles, these changes are reflected in the cash cycle. The interdependence between risk, control and audit in the management information systems used in the cycles presented in this paper offers the image of a stable IT environment for the entity.
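The calculation described under Data analysis, classified with the risk bands quoted in the three cycle sections, can be sketched with SQL run through Python's sqlite3. This is an added example, not the SQL used in BCOMM Audit Manager: the table layout, the weighted-mean formula, the scoring of untested controls, the band boundaries, the section-to-stage mapping and all sample rows are assumptions.

```python
import sqlite3

# Constructed sample rows: (cycle, section, risk, relevance coefficient, test score).
# Test score is in [0, 1]; 1.0 means the control failed its audit test and None
# means the control has not been tested yet. Section-to-stage mapping is assumed.
ROWS = [
    ("sales", "CV.1.1", "order accepted without approval", 0.5, 0.5),
    ("sales", "CV.1.1", "duplicate order entry", 0.5, 0.3),
    ("sales", "CV.1.3", "invoice content mismatch", 0.6, 1.0),
    ("sales", "CV.1.3", "invoice disparity computing", 0.4, None),
    ("cash", "CT.1.1", "segregation of duties", 0.7, 0.6),
    ("cash", "CT.1.1", "user access to system functions", 0.3, 0.4),
]

SCHEMA = """
CREATE TABLE checklist (cycle TEXT, section TEXT, risk TEXT,
                        coefficient REAL, test_score REAL);
-- Section risk: coefficient-weighted mean of test scores (assumed formula).
-- An untested control is scored 1.0 so missing evidence never lowers the risk.
CREATE VIEW section_risk AS
SELECT cycle, section,
       ROUND(SUM(coefficient * COALESCE(test_score, 1.0)) / SUM(coefficient), 2) AS score
FROM checklist GROUP BY cycle, section;
-- Cycle risk: plain mean of its section risks (assumed aggregation).
CREATE VIEW cycle_risk AS
SELECT cycle, ROUND(AVG(score), 2) AS score FROM section_risk GROUP BY cycle;
"""

# Bands quoted in the paper: 0.20-0.45 low, 0.45-0.80 medium, 0.80-1.00 high.
# Putting each boundary in the higher band, and values under 0.20 in low, is assumed.
BAND = ("CASE WHEN score >= 0.80 THEN 'high' "
        "WHEN score >= 0.45 THEN 'medium' ELSE 'low' END")

def build_db(rows=ROWS):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO checklist VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def section_risks(conn):
    q = f"SELECT cycle, section, score, {BAND} FROM section_risk"
    return {(c, s): (score, band) for c, s, score, band in conn.execute(q)}

def cycle_risks(conn):
    q = f"SELECT cycle, score, {BAND} FROM cycle_risk"
    return {c: (score, band) for c, score, band in conn.execute(q)}

if __name__ == "__main__":
    db = build_db()
    for key, val in {**section_risks(db), **cycle_risks(db)}.items():
        print(key, val)
```

With these sample rows a single high-risk section still averages into a medium cycle score, which is why the section-level values need to be reviewed alongside the overall figure.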

Conclusions
Analyzing the current usage level of information technology in business processes, especially in the financial, accounting and controlling processes, we emphasize that risks associated with AIS can affect the obtaining and the presenting of the Financial Statements. In this context, the risk and control of AIS approach is a central component of processes for IT audit, financial audit and IT Governance. Current research emphasizes the need for an integrated approach to risk, control and audit of AIS to ensure the integrity, reality, accuracy and availability of financial statements. Most current research and approaches are limited to the separate risks and controls of AIS, and to separate IT audit and financial audit perspectives, although these risks directly affect the obtaining of financial statements. Starting from the limits of existing approaches, our study aims to develop and test an Integrated Approach Model of Risk, Control and Auditing of AIS. This model treats risk, control and audit on three cycles of business processes, as follows: purchases cycle, sales cycle and cash cycle. After building and testing the model, the results show the direct relationship between risks, controls and audit procedures in an integrated perspective on the 3 cycles. Also, the risk values obtained for each category were presented in an integrated form that allows analysis in terms of both the IT audit and the financial audit. We believe that this model is a powerful tool to support audit processes and IT Governance in the perspective of continuous auditing development. This research has two major limitations. The first limitation refers to the fact that the model treats only 3 cycles of business processes. The second limitation relates to the fact that the model has been tested on only a single organization. As future research directions we propose extending the model to the HR & Payroll, Controlling and Manufacturing cycles. We also propose to apply the model within other organizations and different industries, to gain an overview of the risks, controls and audit procedures in various industries.

Fig. 1. Research problem [own development]

Research design. The research is quantitative and action based to validate the proposed integrated model.
Sample, population or subjects. The sample consists of a test company running its accounting processes in an information system.
Instrumentation and materials. This risk-control-audit interdependence is integrated in an automated audit testing program. We used the BCOMM Audit Manager 4.4.4.0 software.

Fig. 6. Risks checklist on cash [own development]

In Figure 6 we presented the 4 sections CT.1.1, CT.1.2, CT.1.3, CT.1.4 in which we calculated risk factors and Section CT.1.5 where we presented the general risk assessment for cash.