
Chapter 1: Auditing, Assurance, and Internal Control
Hall & Singleton, 2e

AUDITING

Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events, to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.

INTERNAL AUDITS

Internal auditing: an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.

- Financial Audits
- Operational Audits
- Compliance Audits
- Fraud Audits
- IT Audits
- Certification: CIA
- Professional body: IIA

IT AUDITS

IT audits: provide audit services where processes or data, or both, are embedded in technologies.

- Subject to the ethics, guidelines, and standards of the profession (if certified)
- Certification: CISA
- Most closely associated with ISACA
- Joint with internal, external, and fraud audits
- Scope of IT audit coverage is increasing
- Characterized by CAATTs
- IT governance as part of corporate governance

FRAUD AUDITS

Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.

- Auditor is more like a detective
- No materiality
- Goal is conviction, if sufficient evidence of fraud exists
- Certification: CFE
- Professional body: ACFE

EXTERNAL AUDITS

External auditing: the objective is that, in all material respects, the financial statements are a fair representation of the organization's transactions and account balances.

- SEC's role
- Sarbanes-Oxley Act
- FASB - PCAOB
- Certification: CPA
- Professional body: AICPA

EXTERNAL vs. INTERNAL

External auditing:
- Independent auditor (CPA)
- Independence defined by SEC/S-OX/AICPA
- Required by SEC for publicly-traded companies
- Referred to as a financial audit
- Represents interests of outsiders, the public (e.g., stockholders)
- Standards, guidance, certification governed by AICPA, FASB, PCAOB; delegated by the SEC, which has final authority

Internal auditing:
- Auditor (often a CIA or CISA)
- Is an employee of the organization, imposing independence on self
- Optional, per management requirements
- Broader services than a financial audit (e.g., operational audits)
- Represents interests of the organization
- Standards, guidance, certification governed by IIA and ISACA

FINANCIAL AUDITS

- An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements
- Key concept: Independence
- {Should be} Similar to a trial by judge
- Culmination of a systematic process involving:
  - Familiarization with the organization's business
  - Evaluating and testing internal controls
  - Assessing the reliability of financial data
- Product is a formal written report that expresses an opinion about the reliability of the assertions in the financial statements, in conformity with GAAP

ATTEST definition

- Written assertions
- Practitioner's written report
- Formal establishment of measurement criteria or their description
- Limited to:
  - Examination
  - Review
  - Application of agreed-upon procedures

ATTEST vs. ASSURANCE

ASSURANCE: professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision-makers.

IT Audit Groups in Big Four

- IT Risk Management
- I.S. Risk Management
- Operational Systems Risk Management
- Technology & Security Risk Services
- Typically a division of assurance services

AUDITING STANDARDS

Auditing standards:
- Set by AICPA
- Authoritative
- #1 = Ten Generally Accepted Auditing Standards (GAAS), in three categories:
  - General Standards
  - Standards of Field Work
  - Reporting Standards
- #2 = Statements on Auditing Standards (SASs)
  - SAS #1 issued by AICPA in 1972

AUDITS

- Systematic process
- Five primary management assertions, with correlated audit objectives and procedures [Table 1-1]:
  - Existence or Occurrence
  - Completeness
  - Rights & Obligations
  - Valuation or Allocation
  - Presentation or Disclosure

AUDITS

Phases [Figure 1-3]:
1. Planning
2. Obtaining evidence
   - Tests of Controls
   - Substantive Testing
     - CAATTs
     - Analytical procedures
3. Ascertaining reliability
   - Materiality
4. Communicating results
   - Audit opinion

Audit Risk Formula

AUDIT RISK: the probability that the auditor will give an inappropriate opinion on the financial statements; that is, that the statements will contain material misstatement(s) which the auditor fails to find.

Audit Risk Formula

INHERENT RISK: the probability that material misstatements have occurred.
- Material vs. Immaterial
- Includes economic conditions, etc.
- Relative risk (e.g., cash)

Audit Risk Formula

CONTROL RISK: the probability that the internal controls will fail to detect material misstatements.

Audit Risk Formula

DETECTION RISK: the probability that the audit procedures will fail to detect material misstatements.
- Substantive procedures

Audit Risk Formula

AUDIT RISK MODEL: AR = IR * CR * DR

Example, inventory with IR = 40%, CR = 60%, AR = 5% (fixed):
  .05 = .4 * .6 * DR
  ... then DR = 4.8%

- Why is AR = 5%?
- What is detection risk?
- Can CR realistically be 0?
- Relationship between DR and substantive procedures

Audit Risk Model

- Relationship between tests of controls and substantive tests
- Illustrate higher reliability of the internal controls and the Audit Risk Model
- What happens if internal controls are more reliable than at the last audit?
  Last year: .05 = .4 * .6 * DR [DR = 4.8]
  This year: .05 = .4 * .4 * DR [DR = 3.2]
- The more reliable the internal controls, the lower the CR probability; thus the lower the DR will be, and fewer substantive tests are necessary.
- Substantive tests are labor intensive

Role of Audit Committee

- Selected from the board of directors
- Usually three members
- Outsiders (S-OX now requires it)
- Fiduciary responsibility to shareholders
- Serve as an independent check-and-balance system
- Interact with internal auditors
- Hire, set fees for, and interact with external auditors
- Resolve conflicts over GAAP between external auditors and management

What is an IT Audit?

most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient. These technologies greatly change the nature of audits, which have so long relied on paper documents.

THE IT ENVIRONMENT

- There has always been a need for an effective internal control system.
- The design and oversight of that system has typically been the responsibility of accountants.
- The I.T. environment complicates the paper systems of the past:
  - Concentration of data
  - Expanded access and linkages
  - Increase in malicious activities in systems vs. paper
  - Opportunity that can cause management fraud (i.e., override)

THE IT ENVIRONMENT

- Audit planning
- Tests of controls
- Substantive tests
  - CAATTs

INTERNAL CONTROL

Internal control is the policies, practices, and procedures designed to:
- safeguard assets
- ensure accuracy and reliability
- promote efficiency
- measure compliance with policies

BRIEF HISTORY - SEC

- SEC acts of 1933 and 1934
  - "Ivar Kreuger's Contribution to U.S. Financial Reporting", Accounting Review, Flesher & Flesher
- All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.

BRIEF HISTORY - Copyright

Federal Copyright Act 1976
1. Protects intellectual property in the U.S.
2. Has been amended numerous times since
3. Management is legally responsible for violations of the organization
4. U.S. government has continually sought international agreement on terms for protection of intellectual property globally vs. nationally

BRIEF HISTORY - FCPA

Foreign Corrupt Practices Act 1977
1. Accounting provisions
   - FCPA requires SEC registrants to establish and maintain books, records, and accounts.
   - It also requires establishment of internal accounting controls sufficient to meet these objectives:
     1. Transactions are executed in accordance with management's general or specific authorization.
     2. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP) and to maintain accountability.
     3. Access to assets is permitted only in accordance with management authorization.
     4. The recorded assets are compared with existing assets at reasonable intervals.
2. Illegal foreign payments

BRIEF HISTORY - COSO

Committee of Sponsoring Organizations - 1992
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management perspective model for internal controls over a number of years
3. Is widely adopted

BRIEF HISTORY - S-OX

Sarbanes-Oxley Act - 2002
1. Section 404: Management Assessment of Internal Control
   - Management is responsible for establishing and maintaining the internal control structure and procedures.
   - Must certify by report on the effectiveness of internal control each year, with other annual reports.
2. Section 302: Corporate Responsibility for Incident Reports
   - Financial executives must disclose deficiencies in internal control, and fraud (whether the fraud is material or not).

Modifying Assumptions

1. Management responsibility
2. Reasonable assurance
   - no I.C.S. is perfect
   - benefits => costs
3. Methods of data processing
   - Objectives same regardless of DP method
   - Specific controls vary with different technologies
4. Limitations
   - Possibility of error
   - Possibility of circumvention
   - Management override
   - Changing conditions

EXPOSURES AND RISK

- Exposure (definition)
- Risks (definition)
- Types of risk:
  - Destruction of assets
  - Theft of assets
  - Corruption of information or the I.S.
  - Disruption of the I.S.

THE P-D-C MODEL

- Preventive controls
- Detective controls
- Corrective controls
- Which is most cost effective?
- Which one tends to be proactive measures?
- Can you give an example of each?
- Predictive controls

SAS 78: Consideration of Internal Control in a Financial Statement Audit

COSO (Treadway Commission) components:
- The control environment
- Risk assessment
- Information & communication
- Monitoring
- Control activities

SAS 78
(#1: Control Environment -- elements)

Describe how each one could adversely affect internal control.
- The integrity and ethical values
- Structure of the organization
- Participation of the audit committee
- Management's philosophy and style
- Procedures for delegating

SAS 78
(#1: Control Environment -- elements)

- Management's methods of assessing performance
- External influences
- Organization's policies and practices for managing human resources

SAS 78
(#1: Control Environment -- techniques)

Describe a possible activity or tool for each.
- Assess the integrity of the organization's management
- Conditions conducive to management fraud
- Understand the client's business and industry
- Determine if the board and audit committee are actively involved
- Study the organization structure

SAS 78
(#2: Risk Assessment)

- Changes in environment
- Changes in personnel
- Changes in I.S.
- New ITs
- Significant or rapid growth
- New products or services (experience)
- Organizational restructuring
- Foreign markets
- New accounting principles

SAS 78
(#3: Information & Communication -- elements)

Initiate, identify, analyze, classify and record economic transactions and events:
- Identify and record all valid economic transactions
- Provide timely, detailed information
- Accurately measure financial values
- Accurately record transactions

SAS 78
(#3: Information & Communication -- techniques)

Auditors obtain sufficient knowledge of I.S.s to understand:
- Classes of transactions that are material
- Accounting records and accounts used
- Processing steps: initiation to inclusion in financial statements (illustrate)
- Financial reporting process (including disclosures)

SAS 78
(#4: Monitoring)

- By separate procedures (e.g., tests of controls)
- By ongoing activities (Embedded Audit Modules - EAMs, and Continuous Online Auditing - COA)

SAS 78
(#5: Control Activities)

Physical Controls (1-3)
- Transaction authorization
  - Sales only to authorized customers
  - Sales only if within the available credit limit
- Segregation of duties
  - Examples of incompatible duties:
    - Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
    - Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
  - Fraud requires collusion [e.g., separate the various steps in a process]
- Supervision
  - Serves as a compensating control when lack of segregation of duties exists by necessity
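Checking role assignments against the incompatible-duty pairs named above, as an added Python example (not from the slides or the book); the application roles, users and supervision record are constructed.

```python
# Added example (not from the slides): a segregation-of-duties check.
# Incompatible duty pairs are the ones the slide names; roles and
# users below are constructed.

# One person holding both sides of a pair could commit and conceal.
INCOMPATIBLE_DUTIES = [
    frozenset({"authorization", "processing"}),
    frozenset({"custody", "recordkeeping"}),
]

# Constructed: the duty each application role exercises.
ROLE_DUTIES = {
    "approve_customer_credit": "authorization",
    "enter_sales_order": "processing",
    "warehouse_picker": "custody",
    "post_inventory_ledger": "recordkeeping",
    "read_only_reports": "reporting",
}


def sod_conflicts(user_roles):
    """Return {user: [(duty, duty), ...]} for each user whose combined
    roles cover both duties of an incompatible pair."""
    findings = {}
    for user, roles in user_roles.items():
        duties = {ROLE_DUTIES[r] for r in roles if r in ROLE_DUTIES}
        hits = sorted(tuple(sorted(p)) for p in INCOMPATIBLE_DUTIES if p <= duties)
        if hits:
            findings[user] = hits
    return findings


def uncompensated(user_roles, supervised):
    """Conflicting users with no documented supervisory review; the slide
    names supervision as the compensating control when segregation is
    impossible (e.g. a small staff)."""
    return sorted(u for u in sod_conflicts(user_roles) if u not in supervised)


# Constructed sample: a small company's role assignments.
SAMPLE_USERS = {
    "alice": ["approve_customer_credit", "enter_sales_order"],
    "bob": ["warehouse_picker", "post_inventory_ledger"],
    "carol": ["enter_sales_order", "read_only_reports"],
}
SAMPLE_SUPERVISED = {"bob"}  # bob's postings are reviewed by the controller

if __name__ == "__main__":
    for user, hits in sod_conflicts(SAMPLE_USERS).items():
        print(f"{user}: holds incompatible duties {hits}")
    print("needs compensating control:", uncompensated(SAMPLE_USERS, SAMPLE_SUPERVISED))
```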

Physical Controls (4-6)
- Accounting records (audit trails; examples)
- Access controls
  - Direct (the assets)
  - Indirect (documents that control the assets)
  - Fraud
  - Disaster Recovery
- Independent verification
  - Management can assess:
    - The performance of individuals
    - The integrity of the AIS
    - The integrity of the data in the records
  - Examples

IT Risks Model

- Operations
- Data management systems
- New systems development
- Systems maintenance
- Electronic commerce (The Internet)
- Computer applications
