AUDITING
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events, to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.
INTERNAL AUDITS
Internal auditing: an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
Types of internal audits:
Financial Audits
Operational Audits
Compliance Audits
Fraud Audits
IT Audits
Certification: CIA (IIA)
IT AUDITS
IT audits: provide audit services where processes or data, or both, are embedded in technologies.
Subject to ethics, guidelines, and standards of the profession (if certified)
Certification: CISA
Most closely associated with ISACA
Joint with internal, external, and fraud audits
Scope of IT audit coverage is increasing
Characterized by CAATTs
IT governance as part of corporate governance
FRAUD AUDITS
Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
Auditor is more like a detective
No materiality
Goal is conviction, if sufficient evidence of fraud exists
Certification: CFE (ACFE)
EXTERNAL AUDITS
External auditing: objective is that, in all material respects, the financial statements are a fair representation of the organization's transactions and account balances.
External auditing:
Independent auditor (CPA)
Independence defined by SEC/S-OX/AICPA
Required by SEC for publicly-traded companies
Referred to as a financial audit
Represents interests of outsiders, the public (e.g., stockholders)
Standards, guidance, certification governed by AICPA, FASB, PCAOB; delegated by SEC, who has final authority
Internal auditing:
Auditor (often a CIA or CISA)
Is an employee of the organization, imposing independence on self
Optional per management requirements
Broader services than financial audit (e.g., operational audits)
Represents interests of the organization
Standards, guidance, certification governed by IIA and ISACA
FINANCIAL AUDITS
An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements.
Key concept: Independence {Should be}
Similar to a trial by judge
Culmination of a systematic process involving:
Familiarization with the organization's business
Evaluating and testing internal controls
Assessing the reliability of financial data
Product is a formal written report that expresses an opinion about the reliability of the assertions in the financial statements, in conformity with GAAP.
ATTEST definition
Limited to:
Written assertions
Practitioner's written report
Formal establishment of measurement criteria or their description
ASSURANCE
Professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision-makers.
IT Risk Management
I.S. Risk Management
Operational Systems Risk Management
Technology & Security Risk Services
Typically a division of assurance services
AUDITING STANDARDS
Auditing standards are set by the AICPA.
Authoritative #1 = Ten Generally Accepted Auditing Standards (GAAS), in three categories:
General Standards
Standards of Field Work
Reporting Standards
Authoritative #2 = Statements on Auditing Standards (SASs); SAS #1 issued by AICPA in 1972
AUDITS
Systematic process
Five primary management assertions, and correlated audit objectives and procedures [Table 1-1]:
Existence or Occurrence
Completeness
Rights & Obligations
Valuation or Allocation
Presentation or Disclosure
AUDITS
Phases [Figure 1-3]
1. Planning
2. Obtaining evidence
3. Ascertaining reliability
4. Communicating results
RISK:
probability that the auditor will give an inappropriate opinion on the financial statements; that is, that the statements will contain material misstatement(s) which the auditor fails to find
RISK:
vs. Immaterial
Includes
RISK:
probability that the internal controls will fail to detect material misstatements
RISK:
probability that the audit procedures will fail to detect material misstatements
Substantive procedures
AR = IR * CR * DR
Example, inventory with IR = 40%, CR = 60%, AR = 5% (fixed):
.05 = .4 * .6 * DR ... then DR = 4.8%
Why is AR = 5%?
What is detection risk?
Can CR realistically be 0?
Relationship between DR and substantive procedures
Illustrate higher reliability of the internal controls and the Audit Risk Model
What happens if internal controls are more reliable than last audit?
Last year: .05 = .4 * .6 * DR [DR = 4.8]
This year: .05 = .4 * .4 * DR [DR = 3.2]
The more reliable the internal controls, the lower the CR probability; thus the lower the DR will be, and fewer substantive tests are necessary.
AUDIT COMMITTEE
Selected from board of directors
Usually three members
Outsiders (S-OX now requires it)
Fiduciary responsibility to shareholders
Serve as independent check and balance system
Interact with internal auditors
Hire, set fees, and interact with external auditors
Resolve conflicts over GAAP between external auditors and management
What is an IT Audit?
most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient. These technologies greatly change the nature of audits, which have so long relied on paper documents.
THE IT ENVIRONMENT
There has always been a need for an effective internal control system. The design and oversight of that system has typically been the responsibility of accountants. The I.T. Environment complicates the paper systems of the past.
Concentration of data
Expanded access and linkages
Increase in malicious activities in systems vs. paper
Opportunity that can cause management fraud (i.e., override)
THE IT ENVIRONMENT
Audit planning
Tests of controls
Substantive tests
CAATTs
INTERNAL CONTROL
Safeguard assets
Ensure accuracy and reliability
Promote efficiency
Measure compliance with policies
"Ivar Kreuger's Contribution to U.S. Financial Reporting," Accounting Review, Flesher & Flesher
All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.
Modifying Assumptions
1. Management responsibility
2. Reasonable assurance
  No I.C.S. is perfect
  Benefits => costs
3. Methods of data processing
  Objectives same regardless of DP method
  Specific controls vary with different technologies
Modifying Assumptions
4. Limitations
of risk:
  Destruction of assets
  Theft of assets
  Corruption of information or the I.S.
  Disruption of the I.S.
is most cost effective? Which one tends to be proactive measures? Can you give an example of each?
Predictive controls
(Treadway Commission)
Control environment
Risk assessment
Information & communication
Monitoring
Control activities
SAS 78
(#1: Control Environment -- elements)
The integrity and ethical values
Structure of the organization
Participation of audit committee
Management's philosophy and style
Procedures for delegating
Describe possible activity or tool for each:
Assess the integrity of the organization's management
Conditions conducive to management fraud
Understand the client's business and industry
Determine if board and audit committee are actively involved
Study organization structure
SAS 78
(#2:Risk Assessment)
Changes in environment
Changes in personnel
Changes in I.S.
New ITs
Significant or rapid growth
New products or services (experience)
Organizational restructuring
Foreign markets
New accounting principles
SAS 78
(#3:Information & Communication-elements)
Initiate, identify, analyze, classify and record economic transactions and events.
Identify and record all valid economic transactions
Provide timely, detailed information
Accurately measure financial values
Accurately record transactions
SAS 78
(#3:Information & Communication-techniques)
SAS 78
(#4: Monitoring)
By separate procedures (e.g., tests of controls)
By ongoing activities (Embedded Audit Modules - EAMs, and Continuous Online Auditing - COA)
SAS 78
(#5: Control Activities)
Transaction authorization
  Example:
Segregation of duties
  Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
  Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
  Fraud requires collusion [e.g., separate various steps in process]
Supervision
Access controls
  Direct (the assets)
  Indirect (documents that control the assets)
  Fraud
  Disaster Recovery
Independent verification
  Management can assess:
  The performance of individuals
  The integrity of the AIS
  The integrity of the data in the records
  Examples
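The segregation-of-duties control activity above (authorization vs. processing, custody vs. recordkeeping, fraud requires collusion) is something an IT auditor can test mechanically from a system's role assignments. The following is an added example, not code from the lecture notes or any named product: it resolves each user's effective duties through their roles and flags any user who holds both sides of a conflicting pair, i.e. someone who could complete a fraud alone. The role names, duty names, users and conflict pairs are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example for the SAS 78 control activities slide. Everything below
(roles, duties, users, conflict pairs) is constructed sample data.
"""
from itertools import combinations

# Conflicting duty pairs, one per separation the slide names (hypothetical duty names).
CONFLICT_PAIRS = frozenset({
    frozenset({"approve_customer_credit", "process_sales_order"}),  # authorization vs. processing
    frozenset({"inventory_custody", "inventory_recordkeeping"}),    # custody vs. recordkeeping
    frozenset({"approve_purchase", "record_payment"}),              # authorization vs. recordkeeping
})

# Roles grant duties; users are granted roles (constructed sample data).
ROLES = {
    "sales_clerk": ["process_sales_order"],
    "credit_manager": ["approve_customer_credit"],
    "warehouse": ["inventory_custody"],
    "inventory_accountant": ["inventory_recordkeeping"],
    "ap_clerk": ["record_payment"],
    "purchasing": ["approve_purchase"],
}
USER_ROLES = {
    "alice": ["sales_clerk", "credit_manager"],   # holds both sides of a pair
    "bob": ["warehouse"],
    "carol": ["inventory_accountant", "ap_clerk"],
    "dave": ["purchasing"],
}


def effective_duties(user_roles, roles):
    """Flatten role grants into {user: sorted list of duties}; unknown roles are an error."""
    return {
        user: sorted({duty for role in role_list for duty in roles[role]})
        for user, role_list in user_roles.items()
    }


def sod_conflicts(assignments):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding a conflicting pair."""
    findings = {}
    for user, duties in assignments.items():
        hits = [
            (a, b)
            for a, b in combinations(sorted(set(duties)), 2)
            if frozenset({a, b}) in CONFLICT_PAIRS
        ]
        if hits:
            findings[user] = hits
    return findings


def collusion_required(assignments, duty_a, duty_b):
    """True when no single user holds both duties, so committing fraud across them
    would take at least two people (the 'fraud requires collusion' property)."""
    return not any(duty_a in set(d) and duty_b in set(d) for d in assignments.values())


if __name__ == "__main__":
    duties = effective_duties(USER_ROLES, ROLES)
    for user, pairs in sod_conflicts(duties).items():
        for a, b in pairs:
            print(f"SoD violation: {user} holds both {a} and {b}")
```

On the sample data only alice is flagged: her two roles together give her both credit approval and sales-order processing, so a fictitious sale could be authorized and processed by one person. Custody and recordkeeping of inventory are split between bob and carol, so that pair still requires collusion. In practice the role and user data would be exported from the application's access-control tables, and the conflict pairs would come from the organization's SoD matrix.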
IT Risks Model
Operations
Data management systems
New systems development
Systems maintenance
Electronic commerce (The Internet)
Computer applications