Ch1 Auditing, Assurance and Internal Control
Internal Control
INHERENT RISK:
The probability that material
misstatements have occurred
Material vs. Immaterial
CONTROL RISK:
The probability that the internal
controls will fail to detect material
misstatements
Audit Risk Formula
DETECTION RISK:
The probability that the audit
procedures will fail to detect
material misstatements
Substantive procedures
Audit Risk Formula
AUDIT RISK MODEL:
AR = IR * CR * DR
example inventory with:
IR=40%, CR=60%, AR=5% (fixed)
.05 = .4 * .6 * DR
... then DR = 20.83%
Why is AR = 5%?
What is detection risk?
Can CR realistically be 0?
Relationship between DR and substantive procedures
Audit Risk Model
Relationship between tests of controls and substantive tests
Illustrate higher reliability of the internal controls and the
Audit Risk Model
What happens if internal controls are more reliable than last audit?
Last year: .05 = .4 * .6 * DR [DR = 0.2083]
This year: .05 = .4 * .4 * DR [DR = 0.3125]
The more reliable the internal controls, the lower the CR probability;
thus the lower the DR will be, and fewer substantive tests are
necessary.
Substantive tests are labor intensive
The relationship between TOC and
Substantive Testing
• Tests of Controls are audit procedures performed
to test the operating effectiveness of controls in
preventing or detecting material misstatements at the
relevant assertion level.
• Substantive testing is the stage of an audit when
the auditor gathers evidence as to the extent of
misstatements in client’s accounting records or other
information.
Role of Audit Committee
Selected from board of directors
Usually three members
Outsiders (S-OX now requires it)
Fiduciary responsibility to shareholders
Serve as independent check and balance system
Interact with internal auditors
Hire, set fees, and interact with external auditors
Resolve conflicts of GAAP between external auditors and management
What is an IT Audit?
1. Management responsibility
2. Reasonable assurance
no I.C.S. is perfect
benefits => costs
3. Methods of data processing
Objectives same regardless of DP method
Specific controls vary w/ different technologies
Modifying Assumptions
4. Limitations
Possibility of error
Possibility of circumvention
Management override
Changing conditions
EXPOSURES AND RISK
Exposure
Risks
Types of risk
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.
THE P-D-C MODEL
Preventive controls
Detective controls
Corrective controls
THE P-D-C MODEL
SAS 78
(#5: Control Activities)
Physical Controls
Transaction authorization
Example:
Sales only to authorized customer
Sales only if available credit limit
Segregation of duties
Examples of incompatible duties:
Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
Fraud requires collusion [e.g., separate various steps in process]
Supervision
Serves as a compensating control when a lack of segregation of duties exists by necessity
Physical Controls
Accounting records (audit trails)
Access controls
Direct (the assets)
Indirect (documents that control the assets)
Fraud
Disaster Recovery
Independent verification
Management can assess:
The performance of individuals
The integrity of the AIS
The integrity of the data in the records
IT controls