Auditing, Assurance, and Internal Control: Hall & Singleton, 2e
AUDITING
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.
INTERNAL AUDITS
Financial Audits
Operational Audits
Compliance Audits
Fraud Audits
IT Audits
CIA
IIA
IT AUDITS
FRAUD AUDITS
EXTERNAL AUDITS
SEC's role
Sarbanes-Oxley Act
FASB - PCAOB
CPA
AICPA
External auditing:
Internal auditing:
FINANCIAL AUDITS
ATTEST definition
Written assertions
Practitioner's written report
Formal establishment of measurement criteria or their description
Limited to:
Examination
Review
Application of agreed-upon procedures
ASSURANCE
IT Risk Management
I.S. Risk Management
Operational Systems Risk Management
Technology & Security Risk Services
Typically a division of assurance services
AUDITING STANDARDS
Auditing standards
Set by AICPA
Authoritative
#1 = Ten Generally Accepted Auditing Standards (GAAS)
Three categories:
General Standards
Standards of Field Work
Reporting Standards
#2 = Statements on Auditing Standards (SASs)
SAS #1 issued by AICPA in 1972
AUDITS
Systematic process
Five primary management assertions, and correlated audit objectives and procedures
[Table 1-1]
Existence or Occurrence
Completeness
Rights & Obligations
Valuation or Allocation
Presentation or Disclosure
AUDITS
Phases [Figure 1-3]
1. Planning
2. Obtaining evidence
Tests of Controls
Substantive Testing
CAATTs
Analytical procedures
3. Ascertaining reliability
MATERIALITY
4. Communicating results
Audit opinion
RISK:
RISK:
The
vs. Immaterial
Includes
Relative
RISK:
RISK:
The
Substantive
procedures
AR = IR * CR * DR
example inventory with:
IR=40%, CR=60%, AR=5% (fixed)
.05 = .4 * .6 * DR
... then DR=4.8%
Why is AR = 5%?
What is detection risk?
Can CR realistically be 0?
Relationship between DR and substantive procedures
What is an IT Audit?
most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient. These technologies greatly change the nature of audits, which have so long relied on paper documents.
THE IT ENVIRONMENT
Concentration of data
Expanded access and linkages
Increase in malicious activities in systems vs. paper
Opportunity that can cause management fraud (i.e., override)
THE IT ENVIRONMENT
Audit planning
Tests of controls
Substantive tests
CAATTs
INTERNAL CONTROL
safeguard assets
ensure accuracy and reliability
promote efficiency
measure compliance with policies
Accounting provisions
2.
2.
3.
Is widely adopted
2.
Modifying Assumptions
1. Management responsibility
2. Reasonable assurance
no I.C.S. is perfect
benefits => costs
3. Methods of data processing
Objectives same regardless of DP method
Specific controls vary w/different technologies
Modifying Assumptions
4.
Limitations
Possibility of error
Possibility of circumvention
Management override
Changing conditions
of risk
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.
controls
Detective controls
Corrective controls
Which
controls
(Treadway Commission)
control environment
Risk assessment
Information & communication
Monitoring
Control activities
SAS 78
(#1:Control Environment -- elements)
The
SAS 78
(#1:Control Environment -- elements)
Management's methods of assessing performance
External influences
Organization's policies and practices for managing human resources
SAS 78
(#1:Control Environment -- techniques)
SAS 78
(#2:Risk Assessment)
Changes in environment
Changes in personnel
Changes in I.S.
New ITs
Significant or rapid growth
New products or services (experience)
Organizational restructuring
Foreign markets
New accounting principles
SAS 78
(#3:Information & Communication-elements)
SAS 78
(#3:Information & Communication-techniques)
Accounting
Processing steps: initiation to inclusion in financial statements (illustrate)
Financial
SAS 78
(#4: Monitoring)
SAS 78
(#5: Control Activities)
Transaction authorization
Segregation of duties
Example:
Supervision
Access controls
Fraud
Disaster Recovery
Independent verification
Examples
IT Risks Model
Operations
Data management systems
New systems development
Systems maintenance
Electronic commerce (The Internet)
Computer applications