Contents
Attestation & assurance services
Financial audit
Auditing standards
External vs. internal auditing
Information technology audit
Internal control
SAS 78
Attest Services
An engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.
Attest: to affirm to be correct, true, or genuine.
Assurance Services
Broader than attestation (Fig. 1-1). Professional services designed to improve the quality of information, both financial and nonfinancial, used by decision-makers. Intended to help people make better decisions by improving information.
Assurance: a statement or indication that inspires confidence; a guarantee or pledge.
Assurance Services
The evolution of the accounting profession is expected to follow the assurance services model. All Big Five professional services firms have renamed their traditional audit functions Assurance Services. The organizational unit responsible for conducting IT audits is named either IT Risk Management, Information Systems Risk Management, or Operational Systems Risk Management (OSRM).
Financial Audit
An independent attestation performed by an expert, the auditor, who expresses an opinion regarding the presentation of financial statements. The auditor's role is similar in concept to that of a judge who collects and evaluates evidence and renders an opinion.
Financial Audit
The key concept in this process is independence; the judge must remain independent in his or her deliberation. The judge cannot be an advocate of either party in the trial, but must apply the law impartially based on the evidence presented. Likewise, the independent auditor collects and evaluates evidence and renders an opinion based on that evidence.
Financial Audit
Throughout the audit process, the auditor must maintain his or her independence from the client organization. Public confidence in the reliability of the company's internally produced financial statements rests directly on their being evaluated in an independent expert audit.
Financial Audit
The systematic audit process involves three conceptual phases:
Familiarization with the organization's business
Evaluating and testing internal control
Assessing the reliability of financial data
Auditor's Report
The product of the attestation function is a formal written report that expresses an opinion about the reliability of the assertions contained in the financial statements. The auditor's report expresses an opinion as to whether the financial statements are in conformity with generally accepted accounting principles.
Auditing Standards
Auditors are guided in their professional responsibility by the ten generally accepted auditing standards (GAAS) (Fig. 1-2). GAAS establishes a framework for prescribing auditor performance, but it is not sufficiently detailed to provide meaningful guidance in specific circumstances.
Auditing Standards
To provide specific guidance, the American Institute of Certified Public Accountants (AICPA) issues Statements on Auditing Standards (SASs) as authoritative interpretations of GAAS. SASs are often referred to as auditing standards, or GAAS, although they are not the ten generally accepted auditing standards.
SAS
First issued by the AICPA in 1972. Since then, many SASs have been issued to provide auditors with guidance on a spectrum of topics, including methods of investigating new clients and techniques for obtaining background information on a client's industry.
Definition of Auditing
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.
Elements of Auditing
A systematic process
Management assertions and audit objectives
Obtaining evidence
Ascertaining the degree of correspondence with established criteria
Communicating results
See pages 5-7.
Structure of IT Audit
IT audit is divided into three phases: audit planning, tests of controls, and substantive testing (see Figure 1-3).
Internal Control
The establishment and maintenance of a system of internal control is an important management obligation. A fundamental aspect of management's stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled. Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis. (Sarbanes-Oxley Act) An adequate system of internal control is necessary to management's discharge of these obligations. - Securities and Exchange Commission
3 Levels of Control
Preventive controls, detective controls, and corrective controls (Fig. 1-5).
Preventive Controls
The first line of defense in the control structure. Passive techniques designed to reduce the frequency of occurrence of undesirable events. Preventing errors and fraud is far more cost-effective than detecting and correcting problems after they occur. In information security: a firewall.
Preventive Controls
For example, a well-designed data entry screen is a preventive control. Not all problems can be anticipated and prevented.
Detective Controls
The second line of defense. Devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls. In information security: intrusion detection.
Corrective Controls
Corrective actions taken to reverse the effects of detected errors. Detective controls identify undesirable events and draw attention to the problem; corrective controls fix the problem.
Control Environment
The foundation for the other control components. Important elements:
Integrity and ethical values of management
Structure of the organization
Participation of the organization's board of directors and audit committee
Management's philosophy and operating style
See page 13.
Control Environment
SAS 78 requires that auditors obtain sufficient knowledge to assess the attitude and awareness of the organization's management, board of directors, and owners regarding internal control. See page 13 for examples of techniques that may be used to obtain an understanding of the control environment.
Risk Assessment
Identify, analyze, and manage risks relevant to financial reporting. See page 14 for risks that can arise out of changes in circumstances. SAS 78 requires that auditors obtain sufficient knowledge of the organization's risk assessment procedures to understand how management identifies, prioritizes, and manages risks related to financial reporting.
Effective AIS
Identify and record all valid financial transactions
Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting
Accurately measure the financial value of transactions so their effects can be recorded in financial statements
Accurately record transactions in the time period in which they occur
Effective AIS
SAS 78 requires that auditors obtain sufficient knowledge of the organization's information systems to understand:
Classes of transactions that are material to the financial statements and how those transactions are initiated
Accounting records and accounts that are used in the processing of material transactions
Effective AIS
SAS 78 requires that auditors obtain sufficient knowledge of the organization's information systems to understand:
Transaction processing steps involved from the initiation of the economic event to its inclusion in the financial statements
The financial reporting process used to prepare financial statements, disclosures, and accounting estimates
Monitoring
The process by which the quality of internal control design and operation can be assessed. May be accomplished by separate procedures or by ongoing activities. Internal auditors may monitor the entity's activities in separate procedures. They gather evidence of control adequacy by testing controls, then communicate control strengths and weaknesses to management.
Monitoring
Ongoing monitoring may be achieved by integrating special computer modules into the information system that capture key data and/or permit tests of control to be conducted as part of routine operations. Such embedded audit modules (EAMs) allow management and auditors to maintain constant surveillance over the functioning of internal controls.
Control Activities
Policies and procedures used to ensure appropriate actions are taken to deal with the organization's identified risks.
Control Activities
Can be grouped into two categories:
Computer controls
  General controls
  Application controls
Physical controls
  Transaction authorization
  Segregation of duties
  Supervision
  Accounting records
  Access control
  Independent verification
Application Controls
Application controls ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications.
Physical Controls
Relate primarily to traditional accounting systems that employ manual procedures. Six traditional categories of physical control activities: transaction authorization, segregation of duties, supervision, accounting records, access control, and independent verification.
Transaction Authorization
Ensures that all material transactions processed by information systems are valid and in accordance with management's objectives. Authorizations may be general or specific.
General Authorization
Granted to operations personnel to perform day-to-day operations. An example is a procedure to authorize the purchase of inventories from a designated vendor only when inventory levels fall to their predetermined reorder points. This is called a programmed procedure.
Specific Authorization
Deals with case-by-case decisions associated with non-routine transactions. An example is the decision to extend a particular customer's credit limit beyond the normal amount. In an IT environment, the responsibility for achieving the control objectives of transaction authorization rests directly on the accuracy and consistency of the computer programs that perform these tasks.
Segregation of Duties
To minimize incompatible functions, three objectives provide general guidelines applicable to most organizations:
Authorization for a transaction is separate from the processing of the transaction. For example, purchases should not be initiated by the purchasing department until authorized by the inventory control department.
Segregation of Duties
Three objectives provide general guidelines applicable to most organizations:
Responsibility for custody of assets should be separate from the recordkeeping responsibility. For example, the department that has physical custody of finished goods inventory should not keep the official inventory records. Accounting for finished goods inventory is performed by inventory control, an accounting function.
Segregation of Duties
Three objectives provide general guidelines applicable to most organizations:
The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities. In other words, no single individual should have sufficient access to assets and supporting records to perpetrate a fraud.
Segregation of Duties in IT
Computer errors are programming errors that are, in fact, human errors; no computer has ever perpetrated a fraud unless programmed to do so by a human. Separating computer processing functions, therefore, serves no purpose.
Segregation of Duties in IT
Segregation of duties still plays a role in the IT environment. Once the proper functioning of a program is established at system implementation, its integrity must be preserved throughout the application's life cycle. The activities of program development, program operations, and program maintenance are critical IT functions that must be adequately separated.
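One way to run these objectives as a detective control, covering both the three segregation-of-duties objectives above (authorization vs. processing, custody vs. recordkeeping, no single individual holding incompatible duties) and the IT separation of development, operations and maintenance. This is an added example, not from the slides; the duty names, the record layout and the sample activity log are constructed assumptions.

```python
"""Detective control: flag segregation-of-duties (SoD) conflicts in an activity log.
Added example, not from the slides; duty names, record layout and the sample
log below are constructed for illustration."""
from collections import defaultdict

# Incompatible duty pairs: the first two come from the SoD objectives on the
# slides, the rest from the IT requirement that program development, operations
# and maintenance be separated.
INCOMPATIBLE_ROLES = {
    frozenset({"authorize", "process"}),
    frozenset({"custody", "recordkeeping"}),
    frozenset({"develop", "operate"}),
    frozenset({"develop", "maintain"}),
    frozenset({"operate", "maintain"}),
}

# Constructed sample log: (item id, user, duty performed). "T*" are business
# transactions, "PRG*" are application programs.
ACTIVITY_LOG = [
    ("T1", "alice", "authorize"),
    ("T1", "bob", "process"),            # properly separated
    ("T2", "carol", "authorize"),
    ("T2", "carol", "process"),          # same person authorizes and processes
    ("T3", "dave", "custody"),
    ("T3", "dave", "recordkeeping"),     # custodian also keeps the records
    ("PRG7", "erin", "develop"),
    ("PRG7", "frank", "operate"),
    ("PRG7", "erin", "maintain"),        # developer also maintains the program
]


def sod_violations(log):
    """Return [(item, user, (duty_a, duty_b)), ...] for every user who performed
    two incompatible duties on the same item; an empty list means no conflict."""
    duties = defaultdict(set)
    for item, user, duty in log:
        duties[(item, user)].add(duty)
    found = []
    for (item, user), roles in sorted(duties.items()):
        for a in sorted(roles):
            for b in sorted(roles):
                if a < b and frozenset({a, b}) in INCOMPATIBLE_ROLES:
                    found.append((item, user, (a, b)))
    return found


if __name__ == "__main__":
    for item, user, pair in sod_violations(ACTIVITY_LOG):
        print(f"SoD conflict on {item}: {user} performed {pair[0]} and {pair[1]}")
```

A hit on this check is exactly the situation the third objective warns about: one individual with enough access to both act and cover the record, so no collusion would be needed.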
Supervision
Achieving adequate segregation of duties often presents difficulties for a small organization. In small organizations or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision. For this reason, supervision is also called a compensating control.
Accounting Records
Source documents, journals, and ledgers capture the economic essence of transactions and provide an audit trail of economic events. The audit trail enables the auditor to trace any transaction through all phases of its processing, from the initiation of the event to the financial statements.
Access Controls
Ensure that only authorized personnel have access to the firm's assets. Access control in an IT environment includes provisions for the physical security of computer facilities. Database security and authorization is an important access control mechanism in modern organizations.
Audit Risk
The probability that the auditor will render an unqualified opinion on financial statements that are, in fact, materially misstated. The auditor's objective is to minimize audit risk by performing tests of controls and substantive tests. The three components of audit risk are inherent risk, control risk, and detection risk.
Inherent Risk
Associated with the unique characteristics of the business or industry of the client. Firms in declining industries have greater inherent risk than firms in stable or thriving industries. Auditors cannot reduce the level of inherent risk.
Control Risk
The likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts. Auditors reduce the level of control risk by performing tests of internal controls, e.g., running test transactions and seeing whether erroneous transactions can be detected.
Detection Risk
The risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor. Lower planned detection risk requires more substantive testing.