You are an external auditor in a firm that undertakes the audit of Canadian Life and Mutual
Question:
You are an external auditor in a firm that undertakes the audit of Canadian Life and Mutual (CLM), a large, Montreal-based financial institution. CLM relies heavily on its computer-based information systems to maintain its competitive position within the marketplace.
Currently you are undertaking interim audit work. You have been assigned by your partner to review the quality assurance function within CLM's information systems department. The QA function was established about one year ago, and your firm was notified of this fact. Indeed, your partner had consultations with CLM's chief information officer, and she indicated her strong support for the QA proposals that were made.
During an interview with the manager of the QA function, you ask whether project quality plans have been established for CLM's information systems. The QA manager replies that at this time QA plans have been developed only for new information systems; in other words, those commenced during the last financial year. He explains that QA plans will be developed for existing information systems when the QA function becomes better established and better resourced. You ask whether you might review a sample of these plans, and the QA manager readily agrees.
CLM has commenced the development of 17 new information systems during this past year. When you review the project documentation associated with these information systems, however, you find QA plans for only 6 of the information systems. The remaining 11 have no QA plans, and you note that 5 of the 11 systems are financial information systems of some sort.
You take this matter up with the QA manager. He explains that QA plans have been developed only for those systems that satisfy two requirements: (1) the system had to be material and (2) stakeholders had to reach agreement on quality goals for the system in a reasonable period of time. During this startup year for the QA function, he argues that he had neither the time nor resources to have his staff develop QA plans for systems that were not material or for systems where stakeholders could not reach agreement in a reasonable period of time on the quality goals to be set for the system. As his staff gain more experience with the QA function and he is better resourced, QA plans will be established for all new information systems.
Required. On the basis of the information you have collected so far, what are your conclusions about the reliability of controls associated with CLM's information systems QA function? Are there any exposures that concern you from the viewpoint of the opinion your firm ultimately must give on the financial statements? How would you advise your partner to now proceed with the audit?
Step by Step Answer: