Ed. note: Today we debut a new contributor to Going Concern. Megan Lewczyk, CPA (pronounced left without the “t” and "chick" like a baby bird) is a Big 4 alumna who decided to venture off the beaten path early in her career. She owns a consulting firm, is an adjunct accounting instructor for a couple of online universities and a content development specialist for a CPA review company. She enjoys shattering CPA stereotypes, breathing life into topics like technology and internal controls and helping people.
Who hasn’t felt the sheer sense of dread hitting the "install now" button on an iPhone (especially after hearing the horror stories floating around about iOS 9)? Or felt a pit in their stomach after reading "Hi… all of your files are exactly where you left them…" when Windows 10 updated near the end of 2015? I was seriously creeped out and uneasy enough to do a virus scan immediately.
It’s no surprise that companies would rather stick with a legacy system – the obsolete technology that continues to hang on for one dumb reason or another – than deal with the hassle and risk associated with a new system or software implementation.
This clinging to outdated technology means that accountants, especially auditors, have to deal with legacy systems. It is simply a fact of life. As time passes, however, it is becoming harder and harder to manage the sheer complexity. Wait, the client still has a mainframe?! Yikes.
Here are a few items to watch out for in a world chock full of legacy systems:
Data interface awareness
Data going from Point A to Point B should arrive unscathed and ready to rock and roll. If an interface is not properly configured (read: someone screwed up), it could lead to material misstatements down the road.
When a legacy system is hanging around, it’s a sure bet that a data interface (either manual or automatic) is worth considering during audit planning. To be safe and avoid a headache later, compare data before and after an interface just to make sure it is an accurate match. You know… like those spot the difference photo hunt games. Go ahead, you have my permission to practice this crucial skill but be sure to mute your speakers first.
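One way to run that before-and-after comparison, as an added example that is not part of the original article: it reconciles an extract taken from the legacy system against the same records after the interface, checking record counts, control totals and record-level differences. The column names and sample rows are constructed assumptions, chosen so that the record counts match even though the data does not.

```python
import csv
import io
from decimal import Decimal

# Constructed sample extracts (not real data): legacy export vs. downstream load.
LEGACY_EXTRACT = """invoice_id,customer,amount
1001,ACME,1250.00
1002,Globex,89.99
1003,Initech,4300.50
1004,Umbrella,15.00
"""
TARGET_EXTRACT = """invoice_id,customer,amount
1001,ACME,1250.00
1002,Globex,98.99
1003,Initech,4300.5
1005,Hooli,700.00
"""

def load(text, key, amount):
    """Index rows by key; parse amounts so 4300.5 and 4300.50 compare equal."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rec = {name: value.strip() for name, value in row.items()}
        rec[amount] = Decimal(rec[amount])
        if rec[key] in rows:
            raise ValueError(f"duplicate key in extract: {rec[key]}")
        rows[rec[key]] = rec
    return rows

def reconcile(before_text, after_text, key="invoice_id", amount="amount"):
    """Compare two extracts: counts, control totals, and record-level diffs."""
    before = load(before_text, key, amount)
    after = load(after_text, key, amount)
    changed = {}
    for k in sorted(before.keys() & after.keys()):
        diffs = {f: (v, after[k].get(f)) for f, v in before[k].items()
                 if v != after[k].get(f)}
        if diffs:
            changed[k] = diffs
    return {
        "count_before": len(before), "count_after": len(after),
        "total_before": sum(r[amount] for r in before.values()),
        "total_after": sum(r[amount] for r in after.values()),
        "dropped": sorted(before.keys() - after.keys()),
        "unexpected": sorted(after.keys() - before.keys()),
        "changed": changed,
    }

if __name__ == "__main__":
    for name, value in reconcile(LEGACY_EXTRACT, TARGET_EXTRACT).items():
        print(f"{name}: {value}")
```

A count-only check passes on this sample (4 records in, 4 out); the control totals and the key-level comparison are what surface the dropped invoice, the unexpected one and the transposed amount.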
Internal control enforcement
Older systems are notorious for procedural internal controls. Users must follow policies and procedures on their honor. For example, a state-of-the-art ERP system requires a new user to input a strong password adhering to system-enforced password parameters or the password is rejected. A legacy system may not automatically enforce password policies. The result is that there is nothing stopping a user from inputting a password that doesn’t pass muster. Might I remind you that “123456” was the most popular password in 2015… really people? Pathetic.
Be wary of legacy system internal controls that are all talk (without much automated system enforcement). Also, as new internal control policies are adopted by the organization, it is worth double-checking to make sure every legacy system is able to satisfy the control objective.
System expertise MIA
Even more challenging than run-of-the-mill legacy systems are legacy systems that I refer to as dinosaurs. Why dinosaurs? Dinosaurs are all seriously past their prime. (Captain Obvious on the bridge!)
The crux of the problem arises when no one within a client’s company can confidently help an auditor understand these dinosaurs. While inconvenient, it's not unusual. Many companies find it easier and less expensive to call in a contractor for system maintenance and technical support.
In light of the fact that companies are determined to keep ancient systems forever, it is important not to let them become “black boxes” full of secrets. Someone needs to care for them with the respect and dignity they deserve after all these years. Likewise, auditors have to get creative to get the information necessary to rely on these systems.
Have you seen any legacy systems that refuse to bow out gracefully? Let us know in the comments.