UNIVERSITY OF RIZAL SYSTEM

Province of Rizal

Binangonan Campus

COLLEGE OF ACCOUNTANCY

CHAPTER 1: AUDITING AND

INTERNAL CONTROL

Reporters:

OLABRE, GINO IZAR P.

RIVERA, MARK TIMOTHY R.
TALANAY, NIÑO RHAYNIEL S.C
BSA 3-1

MRS. LIBERTY OCAMPO

Professor
 OVERVIEW OF AUDITING

External Audits
● is an independent attestation performed by an expert (auditor), who expresses
an opinion regarding the presentation of financial statements.

Attest Service versus Advisory Services

● Attest service is an engagement in which a practitioner is engaged to issue, or
does issue a written communication that expresses a conclusion about the
reliability of a written assertion that is the responsibility of another party.
● Advisory services are professional services offered by public accounting firms to
improve their client organization's operational efficiency and effectiveness.

Internal Audits
● an internal audit function established within an organization to examine and
evaluate its activities as a service to organization

External versus Internal Auditors

● external auditors represent outsiders, internal auditors represent the interest of
the organization.
● internal auditors often cooperate with and assist external auditors in performing
aspects of financial audits.
● the independence and competence of the internal audit staff determine the extent
to which external auditors may cooperate with and rely on work performed by
internal auditors.

Fraud Audits
● The objective of this audit is to investigate anomalies and gather evidence of fraud
that may lead to criminal conviction.

Role of Audit Committee

● Audit committee - subcommittee formed by the board of directors which has
special responsibilities regarding audits.
● This committee usually consists of three people who should be outsiders (not related
with the management).
● The audit committee serves as an independent "check and balance" for the internal
audit function and liaison with external auditors.

Financial Audit Components

● Product of attestation function is a formal written report that expresses an opinion
about the reliability of the assertions.

1. Auditing standards
 ● General standards
a. Must have adequate technical training and proficiency
b. Must have independence of mental attitude
c. Must exercise due professional care in the performance of audit and
preparation of report

● Standards of Fieldwork
a. Audit work must be adequately planned
b. Must gain sufficient understanding of the internal control structure
c. Must obtain sufficient, competent evidence

● Reporting standards
a. Must state if financial statements was prepared according to GAAP
b. Must identify circumstance of inconsistency
c. Must identify items that do not have informative disclosure
d. Report shall contain an expression of auditor’s opinion

2. A Systematic Process
● Conducting an audit is a systematic and logical process
● Systematic approach is particularly important to the IT environment. Logical
framework for conducting an IT audit is critical to help auditor identify all
important processes and data files

3. Management Assertions and Audit Objectives

● Five general categories of assertions
a. Existence and Occurrence – all assets and equities in FP exist and all
transactions in IS occurred
b. Completeness – no material asset, equity, or transactions has been
omitted
c. Rights and obligations – assets on FS are owned by the entities and
liabilities reported are obligations
d. Valuation or allocation – assets & equity are valued in accordance to
GAAP and allocated amounts are calculated on systematic and rational
basis
e. Presentation and disclosure – all items are correctly classified and
disclosures are adequate

4. Obtaining evidence
● Auditors seek evidential matter that corroborates management assertions
● Evidence is collected by performing test of controls and substantive tests
● Test of controls – establish if internal control is functioning properly
● Substantive test – determine if accounting databases fairly reflect the
transactions and account balances

5. Ascertaining Materiality
● Auditors must determine if weaknesses in internal control and misstatements
found are material.
● By determining materiality, the auditor can concentrate on areas that have a
higher likelihood of containing significant errors or weaknesses, ensuring that
their work is focused on matters that are most relevant to the financial statements
 6. Communication Results
● Auditors must communicate the results to interested users
● Renders report to the audit committee

Audit risk
● The probability that the author will render an unqualified opinion on financial
statements that are, in fact, materially misstated, caused by errors or
irregularities or both.
● Errors – unintentional mistakes.
● Irregularities – intentional misrepresentations associated with the commission of
fraud.

Audit risk components

1. Inherent risk
● Associated with the unique characteristic of the business or industry of the client.
● Auditors cannot reduce the level of inherent risk.
● It is influenced by factors such as the complexity of transactions, the nature of
the industry, the entity's size, and the regulatory environment. Higher inherent
risk indicates a greater likelihood of material misstatements.

2. Control risk
● Is the likelihood that the control structure is flawed because controls are either
absent or inadequate to prevent or detect errors in the accounts.
● Reflects the effectiveness of the entity's internal control system in mitigating
inherent risk.
● Auditors assess the level of control risk by performing a test of control.

3. Detection risk
● Risk that the auditor is willing to take that errors not detected or prevented.
● It is influenced by the nature, timing, and extent of audit procedures performed by
the auditors. Higher detection risk indicates a higher probability of auditors not
detecting material misstatements.

Audit Risk Model

● AR = IR x CR x DR
● DR = AR/ IR x CR

THE RELATIONSHIP BETWEEN TEST OF CONTROL AND SUBSTANTIVE TEST

More reliable internal controls, lower CR probability, lower DR, fewer substantive
tests.
THE STRUCTURE OF IT AUDIT

THE IT AUDIT

● Audit Planning – must gain a thorough understanding about the firm to plan
other phases of audit.
● Test of Controls – its objective is to determine whether adequate internal
controls are in place and functioning properly.
● Substantive Testing– audit process that focuses on financial data.

INTERNAL CONTROL

Securities Acts of 1993

- Require investors to receive financial and other significant information concerning

securities being offered for public sale.
- Prohibited deceit, misinterpretations, and other fraud in the sale of securities.

Securities Acts of 1934

- Created the Securities and Exchange Commission.

Copyright Law–1976

- Added software and other intellectual properties into the existing copyright
protection laws.

Foreign Corrupt Practices Act (FCPA) of 1977

Requires companies register with SEC to:

1. Keeps records that fairly and reasonably reflect the transaction of the firm and its
financial position.
2. Maintain a system of internal control that provides assurance that the org’s
objectives are met.

Committee of Sponsoring Organizations–1992

- Focus on an effective model for internal controls from a management perspective

– COSO Model.
- AICPA adopted the model into auditing standards.
Sarbanes-Oxley Act of 2002

- July 30, 2002

- Supports efforts to increase public confidence in capital markets by seeking to
improve corporate governance, internal controls, and audit quality.
- Requires management of public companies to implement an adequate system of
internal controls over their financial reporting process.
- Section 302 requires the corporate management to certify their internal controls
on a quarterly and annual basis.
- Section 404 requires management of public companies to assess effectiveness
of their internal control.

OBJECTIVES, PRINCIPLES AND MODELS;

1. To safeguard assets of the firm

2. To ensure the accuracy and reliability of accounting records and information
3. To promote efficiency in the firm’s operations
4. To measure compliance with management’s prescribed policies and procedures
5. To safeguard assets of the firm

MODIFYING PRINCIPLES

1. Management responsibility – the establishment and maintenance of a system

of internal control is a management responsibility
2. Methods of Data Processing – internal control systems should achieve the four
broad objectives of the data processing method.
3. Limitations – includes:
- Possibility of error
- Circumvention
- Management override
- Changing conditions
4. Reasonable Assurance – should provide reasonable assurance that the four
broad objectives of internal controls are met.

The PDC Model

a. Preventive Controls - passive techniques designed to reduce the frequency of

occurrence of undesirable events.
b. Detective Controls - techniques and procedures designed to identify and expose
undesirable events that elude preventive controls.
c. Corrective Controls - must be taken to reverse the effects of detected errors.
COSO Internal Control Framework

a. The Control Environment - foundation for other four control components, it sets the
tone for the organization and influences the control awareness of its management and
employees. It includes the following elements:
● Integrity and ethical values of management.
● Structure of the organization
● Participation of board of directors and audit committee.
● Management Philosophy and operating style
● Procedure for delegating responsibility and authority.
● Management methods for assessing performance.
● External influences (regulatory agencies).
● Organization's policies and practices for managing its human resources.

b. Risk Assessment - it is done to identify, analyze, and manage risks relevant to

financial reporting.

c. Information and Communication - the accounting information system consist of the

records and methods used to initiate, identify, analyze, classify, and record the
organization’s transactions and to account for the related assets and liabilities

d. Monitoring – is the process by which the quality of internal control design and
operation can be assessed.

e. Control activities – are the policies and procedures used to ensure that appropriate
actions are taken to deal with the organization’s identified risks.
INFORMATION TECHNOLOGY CONTROL

● Application controls – ensure the validity, completeness, and accuracy of

financial transactions. Controls are designed to be application-specific.
● General controls (general computer controls/information technology
controls) – include controls over IT governance, IT infrastructure, security and
access to operating systems and data bases, application acquisition and
development, and program change procedures.

AUDIT IMPLICATION OF SOX

● Mandates auditor to attest the quality of their client organizations’ internal

control.
● This constitutes the issuance of a separate audit opinion on the internal
controls and opinion on the fairness of the financial statement
● PCAOB Standard No. 5 specifically requires auditors to understand
transaction flows.
● Auditors has the responsibility to detect fraudulent activity and
emphasizes the importance of controls
● Management is implementing controls but auditors are expressly required
to test them.