Auditing, Assurance, and Internal Control
Annalyn Rayos, CPA

LEARNING OBJECTIVES
After studying this chapter, you should:
• Know the difference between attest services and advisory services and be able to explain the relationship between the two.
• Understand the structure of an audit and have a firm grasp of the conceptual elements of the audit process.
• Understand internal control categories.
• Understand the relationship between general controls, application controls, and financial data integrity.
AUDITING
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events, to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.
EXTERNAL AUDITS
External auditing: Objective is that, in all material respects, financial statements are a fair representation of the organization’s transactions and account balances.
Attest Service versus Advisory Services
• The attest service is defined as: ... an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.
• Advisory services are professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness.
INTERNAL AUDITS
Internal auditing: independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
Financial Audits
Operational Audits
Compliance Audits
Fraud Audits
IT Audits
• CIA
• IIA
IT AUDITS
IT audits: provide audit services where processes or data, or both, are embedded in technologies.
Subject to ethics, guidelines, and standards of the profession (if certified)
• CISA
• Most closely associated with ISACA
Joint with internal, external, and fraud audits
Scope of IT audit coverage is increasing
Characterized by CAATTs
IT governance as part of corporate governance
FRAUD AUDITS
Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
Auditor is more like a detective
No materiality
Goal is conviction, if sufficient evidence of fraud exists
• CFE
• ACFE
EXTERNAL vs. INTERNAL
• External auditing:
  • Independent auditor (CPA)
  • Independence
  • Required by SEC for publicly-traded companies
  • Referred to as a “financial audit”
  • Represents interests of outsiders, “the public” (e.g., stockholders)
  • Standards, guidance, certification governed by government bodies
• Internal auditing:
  • Auditor (often a CIA or CISA)
  • Is an employee of the organization, imposing independence on self
  • Optional per management requirements
  • Broader services than financial audit (e.g., operational audits)
  • Represents interests of the organization
  • Standards, guidance, certification governed by IIA and ISACA
FINANCIAL AUDITS
An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements
Key concept: Independence
{Should be} Similar to a trial by judge
Culmination of a systematic process involving:
• Familiarization with the organization’s business
• Evaluating and testing internal controls
• Assessing the reliability of financial data
Product is a formal written report that expresses an opinion about the reliability of the assertions in financial statements, in conformity with GAAP
ATTEST definition
Written assertions
Practitioner’s written report
Formal establishment of measurement criteria or their description
Limited to:
• Examination
• Review
• Application of agreed-upon procedures
ATTEST vs. ASSURANCE
ASSURANCE
• Professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers
IT Audit Groups in “Big Four”
• IT Risk Management
• I.S. Risk Management
• Operational Systems Risk Management
• Technology & Security Risk Services
• Typically a division of assurance services
AUDITING STANDARDS
Auditing standards
Set by PICPA
Authoritative
Ten Generally Accepted Auditing Standards (GAAS)
Three categories:
• General Standards
• Standards of Field Work
• Reporting Standards
AUDITS
Systematic process
Five primary management assertions, and correlated audit objectives and procedures [Table 1.2]
Existence or Occurrence
Completeness
Rights & Obligations
Valuation or Allocation
Presentation or Disclosure
AUDITS
• Phases [Figure 1-1]
1. Planning
2. Obtaining evidence
  • Tests of Controls
  • Substantive Testing
  • CAATTs
  • Analytical procedures
3. Ascertaining reliability
  • MATERIALITY
4. Communicating results
  • Audit opinion
Audit Risk Formula
AUDIT RISK: The probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find.
INHERENT RISK: The probability that material misstatements have occurred
• Material vs. Immaterial
• Includes economic conditions, etc.
• Relative risk (e.g., cash)
CONTROL RISK: The probability that the internal controls will fail to detect material misstatements
DETECTION RISK: The probability that the audit procedures will fail to detect material misstatements
• Substantive procedures
AUDIT RISK MODEL:
AR = IR * CR * DR
Example: inventory with IR = 40%, CR = 60%, AR = 5% (fixed)
.05 = .4 * .6 * DR
... then DR = 20.83%
Why is AR = 5%?
What is detection risk?
Can CR realistically be 0?
Relationship between DR and substantive procedures
Audit Risk Model
Relationship between tests of controls and substantive tests
Illustrate higher reliability of the internal controls and the Audit Risk Model
• What happens if internal controls are more reliable than last audit?
• Last year: .05 = .4 * .6 * DR [DR = 0.2083]
• This year: .05 = .4 * .4 * DR [DR = 0.3125]
• The more reliable the internal controls, the lower the CR probability; thus the higher the DR the auditor can accept (0.2083 rising to 0.3125 above), and fewer substantive tests are necessary.
Substantive tests are labor intensive
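The audit risk model above, solved for detection risk and applied to the two-year inventory comparison, as an added example that is not part of the original slides. The `RiskAssessment` class, the function names and the 1.0 cap on DR are assumptions of this example; the AR, IR and CR figures are the ones the slides use. It also answers the slide's "Can CR realistically be 0?" in code: with CR = 0 the model has no finite DR, so the function rejects it rather than dividing by zero.

```python
# Added example (not from the slides): the audit risk model AR = IR * CR * DR
# solved for detection risk, plus the year-over-year comparison from the text.

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskAssessment:
    """One audit area's assessed risks, each a probability in (0, 1]."""
    inherent_risk: float                  # IR: probability a material misstatement occurred
    control_risk: float                   # CR: probability internal controls fail to catch it
    acceptable_audit_risk: float = 0.05   # AR: fixed by audit policy (5% on the slides)


def detection_risk(assessment: RiskAssessment) -> float:
    """Solve AR = IR * CR * DR for DR, the detection risk the auditor can accept.

    A lower DR means the auditor must do more substantive testing to keep
    overall audit risk at AR.
    """
    ar, ir, cr = (assessment.acceptable_audit_risk,
                  assessment.inherent_risk, assessment.control_risk)
    for name, value in (("AR", ar), ("IR", ir), ("CR", cr)):
        if not 0.0 < value <= 1.0:
            # CR = 0 would mean perfect controls; the slides note that no
            # internal control system is perfect, and the model then has no
            # finite DR, so reject it instead of dividing by zero.
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    dr = ar / (ir * cr)
    # DR above 1 means AR is met with no substantive testing at all; cap it
    # (an assumption of this example) so callers always get a probability.
    return min(dr, 1.0)


def compare_years(last_year: RiskAssessment, this_year: RiskAssessment) -> dict:
    """Show how a change in assessed control risk moves the acceptable DR.

    A higher DR this year means fewer substantive tests are needed.
    """
    dr_last = detection_risk(last_year)
    dr_this = detection_risk(this_year)
    return {
        "dr_last_year": round(dr_last, 4),
        "dr_this_year": round(dr_this, 4),
        "fewer_substantive_tests": dr_this > dr_last,
    }


if __name__ == "__main__":
    # Figures from the slide's inventory example: IR = 40%, AR = 5%,
    # CR = 60% last year and 40% this year.
    last = RiskAssessment(inherent_risk=0.40, control_risk=0.60)
    this = RiskAssessment(inherent_risk=0.40, control_risk=0.40)
    print(compare_years(last, this))
```

Running the block reproduces the slide's figures: DR = 0.2083 last year and 0.3125 this year, so the year with more reliable controls allows a higher detection risk and less substantive work.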
The relationship between TOC and Substantive Testing
• Tests of Controls are audit procedures performed to test the operating effectiveness of controls in preventing or detecting material misstatements at the relevant assertion level.
• Substantive testing is the stage of an audit when the auditor gathers evidence as to the extent of misstatements in the client’s accounting records or other information.
Role of Audit Committee
Selected from board of directors
Usually three members
Outsiders (S-OX now requires it)
Fiduciary responsibility to shareholders
Serve as independent check and balance system
Interact with internal auditors
Hire, set fees, and interact with external auditors
Resolve conflicts over GAAP between external auditors and management
What is an IT Audit?
… most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient. … These technologies greatly change the nature of audits, which have so long relied on paper documents.
THE IT ENVIRONMENT
There has always been a need for an effective internal control system.
The design and oversight of that system has typically been the responsibility of accountants.
The I.T. environment complicates the paper systems of the past.
Concentration of data
Expanded access and linkages
Increase in malicious activities in systems vs. paper
Opportunity that can cause management fraud (i.e., override)
INTERNAL CONTROL
… is … policies, practices, procedures … designed to …
safeguard assets
ensure accuracy and reliability
promote efficiency
measure compliance with policies
Modifying Assumptions
1. Management responsibility
2. Reasonable assurance
  • no I.C.S. is perfect
  • benefits => costs
3. Methods of data processing
  • Objectives same regardless of DP method
  • Specific controls vary with different technologies
4. Limitations
  • Possibility of error
  • Possibility of circumvention
  • Management override
  • Changing conditions
EXPOSURES AND RISK
Exposure
Risks
Types of risk
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.
THE P-D-C MODEL
Preventive controls
Detective controls
Corrective controls
SAS 78 (#5: Control Activities)
Physical Controls
• Transaction authorization
  • Example:
    Sales only to authorized customer
    Sales only if available credit limit
• Segregation of duties
  • Examples of incompatible duties:
    Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
    Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
    Fraud requires collusion [e.g., separate various steps in process]
• Supervision
  • Serves as compensating control when lack of segregation of duties exists by necessity
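A segregation-of-duties check over a role assignment, as an added example that is not part of the original slides. It encodes the two incompatible pairs the slide lists (authorization vs. processing, custody vs. recordkeeping) and treats supervision as the compensating control the slide names for cases where segregation is impossible. The duty names, user names and the `sod_violations` / `uncompensated` function names are constructed for this example; a real review would take the duty mapping from the system's role or access-control export.

```python
# Added example (not from the slides): detect users who hold incompatible
# duties, and flag which of those gaps lack a compensating control.

from itertools import combinations

# Incompatible duty pairs from the slide. Duty names are constructed here;
# in practice they map to roles or transaction codes in the AIS.
INCOMPATIBLE_PAIRS = {
    # Authorization vs. processing (e.g., sales vs. authorizing the customer)
    frozenset({"authorize_customer_credit", "process_sales_orders"}),
    # Custody vs. recordkeeping (e.g., inventory custody vs. DP of inventory)
    frozenset({"custody_of_inventory", "record_inventory_transactions"}),
}

# Constructed sample role assignment: user -> set of duties held.
SAMPLE_ASSIGNMENTS = {
    "alice": {"authorize_customer_credit", "process_sales_orders"},     # unsegregated
    "bob": {"custody_of_inventory", "record_inventory_transactions"},   # unsegregated, supervised
    "carol": {"process_sales_orders"},                                  # clean
    "dave": {"custody_of_inventory", "process_sales_orders"},           # not a listed pair
}
SAMPLE_SUPERVISED = {"bob"}   # users whose work is independently supervised


def sod_violations(assignments, supervised=()):
    """Return one finding per user holding an incompatible duty pair.

    assignments: {user: set of duty names}
    supervised:  users whose work is independently supervised. The slide
                 treats supervision as the compensating control when
                 segregation cannot be achieved, so the finding is kept
                 but marked as compensated rather than dropped.
    """
    supervised = set(supervised)
    findings = []
    for user, duties in sorted(assignments.items()):
        # Check every pair of duties one person holds against the list.
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE_PAIRS:
                findings.append({
                    "user": user,
                    "duties": (a, b),
                    "compensated_by_supervision": user in supervised,
                })
    return findings


def uncompensated(findings):
    """Findings with neither segregation nor a compensating control.

    These are the cases where a single person can commit and conceal an
    error or fraud without collusion, which is what segregation prevents.
    """
    return [f for f in findings if not f["compensated_by_supervision"]]


if __name__ == "__main__":
    found = sod_violations(SAMPLE_ASSIGNMENTS, SAMPLE_SUPERVISED)
    for f in found:
        status = "compensated" if f["compensated_by_supervision"] else "OPEN"
        print(f"{f['user']}: {f['duties'][0]} + {f['duties'][1]} [{status}]")
    print("open findings:", len(uncompensated(found)))
```

On the constructed sample the check reports two users holding incompatible pairs; one of them is covered by supervision, so a single open finding remains for the reviewer to raise. Pairs not on the incompatible list (as with `dave`) are not flagged, which is deliberate: the list is the control design, and extending it is a design decision rather than a detection one.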
Physical Controls
• Accounting records (audit trails)
• Access controls
  • Direct (the assets)
  • Indirect (documents that control the assets)
  • Fraud
  • Disaster Recovery
• Independent verification
  • Management can assess:
    The performance of individuals
    The integrity of the AIS
    The integrity of the data in the records
IT controls
• Application Control - ensure the validity, completeness, and accuracy of financial transactions
• General Control - apply to all systems
-THE END-