A comprehensive approach to support the external auditor of the small and medium audit firm, to address evolving information technology control risks of an auditee
[Abstract] ENGLISH SUMMARY: We are living in what is being referred to as the information revolution, where the evolution of technology has and continues to have a pervasive impact on life and business. New technologies are being developed on a rapid scale that present several opportunities for businesses; however, they also expose them to several risks. As leadership and management of businesses have a professional, as well as a legal, responsibility to govern businesses well, they must select and implement strategies and internal frameworks to limit the business's exposure to risks, including Information Technology (IT) risks. In response to the rapid evolution of IT, specialist internal control frameworks have been developed and refined over time to address an entity's exposure to IT related risks at a strategic and operational level. Several of these frameworks, which are recognised and used globally, have been specifically designed in such a manner to ensure that leadership are able to discharge their corporate governance responsibilities whilst adding value.

As leadership of organisations have adapted the manner in which they address opportunities and risks arising from evolving IT within an organisation, it is expected that the external auditor would also have adapted his/her audit approach to account for the impact of evolving IT on auditees. The external audit has, over time, evolved with significant social and economic advances and is today regulated and performed by making use of the International Standards on Auditing (ISA). The ISA have been updated to account for the pervasive impact that IT has on auditees. These updates have been included to account for the impact of IT throughout the audit process that the external auditor applies to conduct the external audit. These updates to the ISA address several considerations that the external auditor needs to make regarding the impact of IT on an auditee.

However, when specifically considering the impact of IT when understanding the auditee and its environment, as well as the internal controls that are relevant to the audit, these updates to the ISA are broad in nature and do not necessarily provide the external auditor with the necessary detailed guidance. Several audit specialists have taken the general and application IT controls, included in the broad guidance of the ISA, and developed detailed control areas which the external auditor can use to address the impact of IT and the related internal controls on an auditee. Larger audit firms have developed internal frameworks that are used to address IT and its impact on the internal controls of auditees. However, in small and medium audit firms this is often not the case. Thus, with the rapid evolution of IT and specialised internal control frameworks to govern IT, the question can be asked whether the ISA (together with the supporting guidance regarding IT) alone suffice in enabling the external auditor of the small and medium audit firm to obtain a proper understanding of IT and address the impact of IT on their auditees.

The primary objective of this study was to develop a comprehensive approach that the external auditor of the small and medium firm can apply to understand and address the evolving nature of IT and specialised IT internal control frameworks used by auditees when conducting the external audit. In order to achieve this objective, the study first investigated what additional guidance is available to all external auditors when considering the impact that IT has on the auditee, as well as which of the IT related internal controls that management have implemented are relevant to the audit. The additional guidance that was identified is in the form of more detailed control areas within the general and application IT controls that the external auditor must consider within each auditee. The study then considered whether these detailed control areas will address all of the control areas that management are considering, by comparing them with the internal control areas of a specialised integrated IT internal control framework. Finally, by understanding the approach, required by the ISA, that the external auditor uses to assess internal controls which are relevant to the audit, the author developed the comprehensive approach to address the impact of IT on an auditee in assessing control risk.

The findings showed that there is additional guidance, beyond the ISA, available to the external auditor when assessing the impact of IT on the internal controls of the auditee. This guidance is in the form of specific control areas within the general and application IT controls that the external auditor is required to consider when performing the external audit. However, when these control areas were compared with the control areas of a specialised integrated IT internal control framework, there were certain control areas, at a technology or operational level, which are not addressed through the control areas within the general and application IT controls. This confirmed the need for a comprehensive approach to assist the external auditor of the small and medium audit firm to assess the impact of IT on the auditee.

The ISA provides the external auditor with an approach to assess the impact of internal controls that are relevant to the audit on the risk of material misstatement by understanding the entity and its control environment, using the control objectives to identify key controls that are relevant to the audit and then testing the design and operation of those key controls. The author used a similar approach to develop a comprehensive approach to address the pervasive impact of IT, over and above the general and application IT controls already assessed, on the risk of material misstatement of the auditee, taking into account the modern technology landscape. In the first step, when understanding the entity and its control environment, the author suggested that the IT governance impact on each of the areas included in the ISA when understanding the entity and its environment be used. Secondly, the internal control objectives related to IT (as set out in the ISA) can be used to identify which of the controls identified through the understanding of IT governance are key controls and are relevant to the audit. Finally, the external auditor can then test the design and operation of those key IT controls that were identified as being relevant to the audit.

This revealed that there are likely to be IT related controls that are relevant to the audit at a strategic level (including general IT controls and strategic alignment through business imperatives), as well as an operational level (including application and technology IT controls). The comprehensive approach then requires the external auditor to test the design and operation of these relevant or key IT controls. It was found that the comprehensive approach can only be used by the external auditor of the small and medium firm if applied at a strategic as well as an operational level. For this reason the external auditor of the small and medium firm will need to have a more detailed understanding, or make use of an IT specialist, to assess the control risk impact at a technology level. To assist the external auditor of the small and medium firm in gaining a more detailed understanding at a technology level, the final finding of the study applied the comprehensive approach to common hardware and software components of IT systems found across several IT architectures.

By using the comprehensive approach developed, the external auditor of the small and medium firm will be able to address the control risks relating to the evolving nature of IT and the use of specialised IT internal control frameworks by management to govern IT when conducting the external audit.
[Publication date] [Publishing institution] Stellenbosch University