
Auditing in a Computer Integrated System (CIS)

Allen Leo Castro, CPA, CIA


College of Business and Government Management
Pamantasan ng Lungsod ng Maynila
Agenda

 Introduction & Expectations Setting


 Class policy and grading system
 Class Project
 Course Objectives
 Group Reporting
Class Policy and Grading System

 Class presidents will check the attendance of the class


 4 absences will mean incomplete/failed the subject
 Will not tolerate late students – late for 10 minutes – tagged as absent
 Grading system:
Class Project (to be confirmed by Sept. 14)

 Project 1: Preparation of working papers


– Engagement Letter
– Understanding the Business, and Risk Statements
– Audit Team
– Understanding Entity-Level Controls
– Audit Plan and Procedures

 Project 2: Substantive Testing Procedures (TBC)


– Test of Revenue
– Test of Expenses
Course Objectives: Auditing in a CIS Environment

 Understand the role of IT audit in the entire audit process


 Auditing IT General Controls:
– Understand the design and placement of internal controls
– Document the impact of the IT components to the overall objectives
– Understand the risks involving different IT components
 Understand the use of CAATTS (Computer Assisted Auditing Tools and
Techniques)
 Be able to use CAATTS in the audit of Revenue and Expenditure cycles
Group Reporting

 The group will prepare their own reporting framework, but should have at least
the following:
– Objectives of the chapter should be covered
– An exercise or activity that the class can participate
– Sample company/case (Actual)
 Must be in a powerpoint presentation
– Less words per slide, much better (be creative and use pictures!!)
 Share the reporting framework 1 week before the actual reporting
(Wednesday or Thursday of the week before reporting day)
Group Reporting – Assignments

Group Chapters
1 Auditing IT Governance Controls (2)
2 Auditing IT Security: Operating systems and Networks (3)
3 Auditing IT Security: Database Systems (4)
4 Auditing Systems Development and Program Change
Activities (5)
5 CAATTS - Data Structure and CAATTS for Data Extraction (7)
6 Auditing the Revenue Cycle (9)
7 Auditing the Expenditure Cycle (10)
Review of the Auditing Process and
Introduction to IT Audit
Allen Leo Castro, CPA, CIA
College of Business and Government Management
Pamantasan ng Lungsod ng Maynila
Contents

 What is Audit?
 Audit Roadmap
 Pre-Engagement Activities
 Planning Activities
 Internal Control Evaluation
 Evidence Gathering
 Reporting and Completion Activities
 Focus of IT Audit

Review of the Auditing Process and Introduction to IT Audit


What is Audit?
Assurance vs Attestation vs Audit

 Agreed Upon Procedures


 Compilation
 Tax Services
 Management Consulting
 Internal Audit
 Compliance Audit
 External Audit
 Review



What is Audit?

 Systematic process, obtaining and evaluating evidence, regarding assertions,
to ascertain a degree of correspondence between assertions and established
criteria
 Objective is to express an opinion as to whether the information is presented
fairly



AUDIT PHASES
Audit Roadmap

Pre-engagement
 Acceptance and Continuance
 Determine the Audit Team
 Independence Assessment
 Terms of Engagement

Planning
 Understanding the Client and its environment
 Materiality
 Policies and Procedures
 Internal Control Assessment
 Significant Areas
 Analytical Procedures (Prelim)
 Risk Assessment (includes Fraud Risk)
 Identify and evaluate controls that mitigate the assessed risk

Internal Control Evaluation
 IT General Control
 Application Control (Manual and Automated)
 Physical Control

Evidence Gathering
 Substantive Analytical Procedures
 Substantive Test of Details
 Specific Identification
 Audit Sampling

Reporting and Completion
 Audit Completion Procedures
 Significant Matters
 Internal Control Memo
 SUD
 Subsequent Events
 Final Analytical Procedures
 Audit Opinion
 Qualified
 Unqualified
 Adverse
 Disclaimer

Pre-Engagement Activities
Pre-engagement Activities

Acceptance and Continuance
 Is this a new client?
 Is the client High Risk or PIE?
 Have I established a system of Quality Control?

Determine the Audit Team
 Does the team have the skills to do the job?
– Appropriate Training
– Experience
– Compliance with Professional and Ethical Standards
 Is there a need to use specialist?

Independence Assessment
 Am I complying with Code of Ethics and PSA?

Terms of Engagement
 Management Responsibility
 Inherent Limitations
 Scope of Audit
 Unrestricted Access
 Reports
 Objectives of the Audit
 Timetable and fees



Acceptance and Continuance
Establish a system of Quality Control (PSADA-CM)

 Professional Requirements
 Skills and Competence
 Assignment
 Delegation
 Acceptance and Retention of Clients
 Consultation
 Monitoring



Determine the Audit Team
Compliance with Professional and Ethical Standards (InProCon-InPrOTech)

 Integrity
 Professional Competence and Due Care
 Confidentiality
 Independence
 Professional Behavior
 Objectivity
 Technical Knowledge



Terms of the Engagement
Components of the Engagement Letter (MISUROT)

 Management’s Responsibility
 Inherent Limitations
 Scope of Audit
 Unrestricted Access
 Reports
 Objectives of the Audit
 Timetable and Fees



Planning Activities
Planning Activities
Considerations in Planning Activities (UMPISAR)

 Understanding the Client and its environment


 Materiality
 Policies and Procedures
 Internal Controls Understanding (always required)
 Significant Areas (will we rely on the work of internal audit, service
organizations or experts)
 Analytical Procedures (Preliminary – always required)
 Risk Assessment (Audit)
– Develop audit comfort matrix to identify all the audit risks
– Develop audit plan to reduce audit risk to an acceptably low level
– Develop audit procedures (nature, extent and timing)



Understanding the Client and its environment
Considerations in Understanding the Client (INOMIn)

 Industry, regulatory, and other external economic factors


 Nature of the entity, including its selection of accounting principles
 Objectives, strategies, and the related business risks that may result to FS
misstatement
 Measurement and Review of the entity’s financial performance
 Internal Control Documentation



Understanding the Client and its environment
Risk Assessment Procedures performed to help understand the client and its environment

1. Inquiries with Management and Others within the entity (GAME)


a. Governance
b. Audit Personnel
c. Marketing
d. Employees

2. Perform preliminary Analytical Procedures


a. Develop independent expectation
b. Define significant threshold
c. Compute for difference
d. Investigate significant difference and draw conclusion

3. Observation and Inspection


a. Entity activities and operations
b. Inspection of documentation, records, and internal control manual
c. Reading reports prepared by management and those charged with governance
d. Visit to entity premises and facilities
e. Walkthrough

4. Sharing cumulative audit knowledge and experience as applicable


5. Review previous year’s working paper as applicable
6. Other Considerations
1. Fraud (Consider Fraud Diamond, Client’s Responsibilities and Auditor’s Responsibilities)
2. Non-Compliance
3. Going Concern (GAAP vs FV Method)
4. Complexity of Transactions



Internal Controls

1. Objectives of Internal Controls


1. Fairly present financial statements and reports
2. Efficient and effective operations
3. Compliance with rules, regulations and laws
2. Gain understanding of the internal controls
1. Evaluate the design of a control
2. Determine whether it has been implemented (or already in operation)
3. Understand and evaluate internal control components (CRIME)
1. Control Activities
2. Risk Assessment Process
3. Information systems and communication
4. Monitoring of Controls
5. Control Environment



Materiality

 Should be considered when:


– determining the nature, extent and timing of substantive tests and
– when evaluating effects of misstatements
 Use what is important to the readers as the basis of materiality (Total Assets,
Revenues, or Net income)
 Apply based on Professional Judgment
– Over-all Materiality – materiality for the financial statement as a whole
– Planning Materiality (Planning Materiality) – materiality for classes of accounts,
transactions
– Summary of Unadjusted Differences – trivial errors. Summary should not exceed
over-all materiality



Risk Assessment Procedures

 Step 1: Obtain understanding of the entity and its environment, including its
internal control
 Step 2: Make a Preliminary assessment of the risk of material misstatement
 Step 3: Determine the procedures to perform in response to assessed risks
 Step 4: Revise the Preliminary Risk Assessment, as necessary
 Step 5: Finalize the Audit Strategy, audit plan and audit program



Materiality when determining nature, extent and timing of
procedures

 Inherent Risk – nature of the business, transaction
 Control Risk – effectiveness of internal control
 Detection Risk – audit procedures will not be able to detect the misstatement
 Audit Risk – auditor will provide a wrong opinion. We want to reduce the
over-all Audit Risk to an acceptable level

IR x CR x DR = AR (see sample)



Materiality when determining nature, extent and timing of
procedures



Internal Control Evaluation
Internal Control Evaluation

IT General Controls
 Controls that operate at entity level and relate to all or many applications.
 Help effective functioning of application controls by ensuring continued proper operation of IT
system.

Application Controls
 Manual
 Automated

Physical Controls

Documentation Methods
 Narrative Notes
 Questionnaires
 Flowcharts



Evidence Gathering
Evidence Gathering

Substantive  Trend analysis


Analytical  Financial ratios
Procedures  Budget vs actuals

Substantive Test of  Specific identification


Details  Audit sampling



Reporting and Completion
Activities
Reporting and Completion

Audit Completion Procedures
 Significant matters
 Internal Control Memo
 SUD
 Subsequent Events
 Final Analytical Procedures

Audit Opinion
 Qualified
 Unqualified
 Adverse
 Disclaimer



Focus of IT Audit
Focus of IT Audit

 Planning and Internal Control Evaluation


– Understanding and evaluation of IT General Controls
 Audit of IT Governance Controls
 Audit of Operating Systems and Networks
 Audit of Database systems
 Audit of the System Development and Program Change Activities
– Understanding and evaluation of Application Controls
 Automated controls and procedures
 IT-dependent manual controls
 Substantive Test of Details
– Audit of Revenues
– Audit of Expenditures
