AUDITING AND INTERNAL CONTROL (Chapter 1)

OVERVIEW OF AUDITING

EXTERNAL (FINANCIAL) AUDITS – an independent attestation performed by an expert (the auditor) who expresses an opinion regarding the presentation of financial statements. The product of the attestation function is a formal written report that expresses an opinion about the reliability of the assertions contained in the financial statements. (Generally Accepted Accounting Principles)

Attest Service – a task performed by CPAs who work for public accounting firms that are independent of the client organization being audited.

Independence – the independent auditor collects and evaluates evidence and renders an opinion based on the evidence.

Sarbanes-Oxley Act of 2002 – strict rules that external auditors must follow in conducting financial audits.

ATTEST SERVICE VS. ADVISORY SERVICES

Attest Service – an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.

Advisory Services – professional services offered by public accounting firms to improve their client organizations' operational efficiency and effectiveness.

INTERNAL AUDITS – typically conducted by auditors who work for the organization, but this task may be outsourced to another organization.

Internal Auditing – an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.

EXTERNAL VS. INTERNAL AUDITORS

Internal Auditors – represent the interests of the organization.

FRAUD AUDITS – have been thrust into prominence by a corporate environment marked by both employee theft of assets and major financial frauds by management.

Objective: to investigate anomalies and gather evidence of fraud that may lead to criminal conviction.

GENERALLY ACCEPTED AUDITING STANDARDS

General Qualification Standards
1. The auditor must have adequate technical training and proficiency.
2. The auditor must have independence of mental attitude.
3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report.

Field Work Standards
1. Audit work must be adequately planned.
2. The auditor must gain a sufficient understanding of the internal control structure.
3. The auditor must obtain sufficient, competent evidence.

Reporting Standards
1. The auditor must state in the report whether financial statements were prepared in accordance with generally accepted accounting principles.
2. The report must identify those circumstances in which generally accepted accounting principles were not applied.
3. The report must identify any items that do not have adequate informative disclosures.
4. The report shall contain an expression of the auditor's opinion on the financial statements as a whole.

Statement on Auditing Standards – regarded as authoritative pronouncements.

Conducting an audit is a systematic and logical process that applies to all forms of information systems. A systematic approach is particularly important in the IT environment.

MANAGEMENT ASSERTIONS AND AUDIT OBJECTIVES

Management Assertions – the implicit or explicit assertions that the preparer of financial statements is making to its users. These assertions fall into five categories:
Objective: Contingencies not reported in financial accounts are properly disclosed in footnotes.

Corrective Controls – actually fix the problem.

Statement on Auditing Standards No. 109 – current authoritative document for specifying internal control objectives and techniques.

Organization management is required by law to establish and maintain an adequate system of internal control.

Prior to the passage of SOX, external auditors were not required to test internal controls as part of their attest function. They were required to be familiar with the client organization's internal controls but had the option of not relying on them and thus not performing tests of controls.
COSO INTERNAL CONTROL FRAMEWORK
The Control Environment – foundation for the other
four control components. It sets the tone for the
organization and influences the control awareness of its
management and employees.
Risk Assessment – identify, analyze, and manage risks
relevant to financial reporting.
Information and Communication – the accounting
information system consists of the records and methods
used to initiate, identify, analyze, classify, and record the
organization’s transactions and to account for the related
assets and liabilities.
Separating Database Administration from Other Functions
Separating New Systems Development from Maintenance
AUDITING IN CIS ENVIRONMENT (Chapter 2)

AUDITING IT GOVERNANCE CONTROLS

INFORMATION TECHNOLOGY GOVERNANCE

Information Technology (IT) Governance – a relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources.

IT GOVERNANCE CONTROLS
1. Organizational structure of the IT function
2. Computer center operation
3. Disaster recovery planning

Inadequate Documentation – poor-quality systems documentation is a chronic IT problem and a significant challenge for many organizations seeking SOX compliance.

Program Fraud – involves making unauthorized changes to program modules for the purpose of committing an illegal act.

A Superior Structure for Systems Development

A DISTRIBUTED MODEL

Distributed Data Processing (DDP) – an alternative to the centralized model.
Digital Signatures – electronic authentication that cannot be forged.

Digital Certificate – verifying the sender's identity requires a digital certificate, which is issued by a trusted third party called a certification authority (CA).

Message Sequence Numbering – a sequence number is inserted in each message, so any attempt to tamper with the sequence of messages will become apparent at the receiving end.

Message Transaction Log – all incoming and outgoing messages, as well as attempted (failed) access, should be recorded in a message transaction log.

Request-Response Technique – a control message from the sender and a response from the receiver are sent at periodic, synchronized intervals.

Call-Back Devices – require the dial-in user to enter a password and be identified.

Audit Objectives Relating to Subversive Threats – the auditor's objective is to verify the security and integrity of financial transactions.

CONTROLLING RISKS FROM EQUIPMENT FAILURE

Line Errors – data loss due to line errors is the most common problem in data communications.

FINANCIAL EDI

Using electronic funds transfer (EFT) for cash disbursement and cash receipts processing is more complicated than using EDI for purchasing and selling activities.

EDI CONTROLS

Transaction Authorization and Validation – both the customer and the supplier must establish that the transaction being processed is to (or from) a valid trading partner and is authorized.

ACCESS CONTROL

To function smoothly, EDI trading partners must permit a degree of access to private data files that would be forbidden in a traditional environment.

EDI Audit Trail – the absence of source documents in EDI transactions eliminates the traditional audit trail and restricts the ability of accountants to verify the validity, completeness, timing, and accuracy of transactions.

BENEFITS OF EDI

EDI has made considerable inroads in several industries, including automotive, groceries, retail, health care, and electronics. The following are some common EDI cost savings that justify the approach.

Data keying – EDI reduces or even eliminates the need for data entry.
Error reduction – firms using EDI see reductions in data keying errors, human interpretation and classification errors, and filing (lost document) errors.
Reduction of paper – the use of electronic envelopes and documents drastically reduces the paper forms in the system.
Postage – mailed documents are replaced with much cheaper data transmissions.
Automated procedures – EDI automates manual activities associated with purchasing, sales order processing, cash disbursements, and cash receipts.
Inventory reduction – by ordering directly as needed from vendors, EDI reduces the lag time that promotes inventory accumulation.

Weak Access Control – security software that provides logon procedures is available for PCs.

Inadequate Segregation of Duties – employees in PC environments, particularly those of small companies, may have access to multiple applications that constitute incompatible tasks.

Multilevel Password Control – used to restrict employees who are sharing the same computers to specific directories, programs, and data files.

Risk of Theft – because of their size, PCs are objects of theft, and the portability of laptops places them at the highest risk.

Weak Backup Procedures – computer failure, usually disk failure, is the primary cause of data loss in PC environments.

Risk of Virus Infection – virus infection is one of the most common threats to PC integrity and system availability.
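The Message Sequence Numbering and Message Transaction Log controls listed earlier in this chapter, applied at the receiving end of an EDI link, as an added example that is not part of the original notes. The trading-partner ids, message layout and sample message stream are constructed for illustration; the status labels are this example's own.

```python
"""Receiver-side sequence-number checking with a message transaction log.
Added example, not from the original notes: partner ids, message layout and
the sample stream are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class EdiReceiver:
    partners: set                                  # authorized trading partners
    expected: dict = field(default_factory=dict)   # partner -> next expected seq
    log: list = field(default_factory=list)        # message transaction log

    def receive(self, partner, seq, payload):
        """Validate one inbound message and log it whether or not it is
        accepted, so failed access attempts are recorded as well."""
        if partner not in self.partners:
            status = "REJECTED_UNKNOWN_PARTNER"      # failed access attempt
        else:
            want = self.expected.get(partner, 1)
            if seq == want:
                status = "ACCEPTED"
                self.expected[partner] = seq + 1
            elif seq < want:
                # number already consumed: a replayed duplicate or a late arrival
                status = "REJECTED_REPLAY_OR_LATE"
            else:
                # numbers skipped: messages deleted or lost between the partners
                status = f"ACCEPTED_GAP:{seq - want}"
                self.expected[partner] = seq + 1
        self.log.append({"partner": partner, "seq": seq,
                         "status": status, "payload": payload})
        return status

    def anomalies(self):
        """Log entries an auditor would review: everything not cleanly accepted."""
        return [e for e in self.log if e["status"] != "ACCEPTED"]


# Constructed inbound stream: (trading partner, sequence number, payload)
SAMPLE_STREAM = [
    ("SUPPLIER-A", 1, "PO-1001"),
    ("SUPPLIER-A", 2, "PO-1002"),
    ("SUPPLIER-A", 2, "PO-1002"),      # replayed duplicate
    ("SUPPLIER-A", 5, "PO-1005"),      # 3 and 4 never arrived
    ("SUPPLIER-A", 4, "PO-1004"),      # late arrival of a skipped message
    ("UNREGISTERED-X", 1, "PO-9999"),  # not an authorized trading partner
]


def process_stream(stream=SAMPLE_STREAM, partners=frozenset({"SUPPLIER-A"})):
    rx = EdiReceiver(set(partners))
    return [rx.receive(*msg) for msg in stream], rx.anomalies()
```

Gaps are accepted but flagged rather than discarded, since the missing numbers may simply be late; the anomaly list is what the auditor reconciles against the sender's own log.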