Professional Documents
Culture Documents
Province of Rizal
Binangonan Campus
COLLEGE OF ACCOUNTANCY
Auditing and
Internal Control
Submitted by:
Arago, Jayson Vincent B.
Tayag, Jimwell Carl A.
BSA 3-2
Submitted to:
Prof. Liberty Ocampo
Auditing in CIS Environment (Acctg. Major 6)
CHAPTER 1 - Auditing and Internal Control
Overview of Auditing
Audit - is a systematic process of objectively obtaining and evaluating evidence
regarding assertions about economic actions and events to ascertain the degree of
correspondence between these assertions and established criteria and communicating
the results thereof.
In Summary
Attest Service Advisory Service
Attest services involve the verification and Advisory services focus on providing
validation of financial information or advice, recommendations, and solutions
assertions. to clients based on their specific needs.
The main objective of attest services is to Advisory services aim to assist clients in
enhance the credibility and reliability of making informed decisions, improving
information for external users, such as performance, and addressing challenges
investors, creditors, or regulatory bodies. or opportunities within their organizations.
2. Internal Audits
- Internal Auditing as an independent appraisal function established within
an organization to examine and evaluate its activities as a service to the
organization.
3. Fraud Audits
- The objective of a fraud audit is to investigate anomalies and gather
evidence of fraud that may lead to criminal conviction.
- Fraud auditors have earned the Certified Fraud Examiner (CFE)
certification, which is governed by the Association of Certified Fraud
Examiners (ACFE).
The auditor must have Audit work must be The auditor must state in
adequate technical adequately planned. the report whether financial
training and proficiency. statements were prepared
in accordance with
generally accepted
accounting principles.
The auditor must have The auditor must gain a The report must identify
independence of mental sufficient understanding of those circumstances in
attitude. the internal control which generally accepted
structure. accounting principles were
not applied.
The auditor must exercise The auditor must obtain The report must identify
due professional care in sufficient, competent any items that do not have
the performance of the evidence. adequate informative
audit and the preparation disclosures.
of the report.
2. A Systematic Process
- Conducting an audit is a systematic and logical process that applies to all forms
of information systems.
- A logical framework for conducting an audit in the IT environment is critical to
help the auditor identify all-important processes and data files.
4. Obtaining Evidence
- In the IT environment, this process involves gathering evidence relating to
the reliability of computer controls as well as the contents of databases
that have been processed by computer programs.
- Evidence is collected by performing tests of controls, which establish
whether internal controls are functioning properly, and substantive tests,
which determine whether accounting databases fairly reflect the
organization’s transactions and account balances.
5. Ascertaining Materiality
- The auditor must determine whether weaknesses in internal controls and
misstatements found in transactions and account balances are material. In all
audit environments assessing materiality is an auditor's judgment.
- In an IT environment, however, this decision is complicated further by technology
and a sophisticated internal control structure.
6. Communicating Results
- Auditors must communicate the results of their tests to interested users.
- An independent auditor renders a report to the audit committee of the
board of directors or stockholders of a company.
- IT auditors often communicate their findings to internal and external
auditors, who can then integrate these findings with the non-IT aspects of
the audit.
AUDIT RISK
- is the probability that the auditor will render an unqualified (clean) opinion on
financial statements that are, in fact, materially misstated.
- Audit risk can be computed as:
Audit Risk = Inherent Risk x Control Risk x Detection Risk
1. Inherent Risk
- Is associated with the unique characteristics of the business or industry of
the client.
- Firms in declining industries have greater inherent risk than firms in stable
or thriving industries.
- Auditors cannot reduce the level of inherent risk.
- Even in a system protected by excellent controls, financial data and,
consequently, financial statements, can be materially misstated.
2. Control Risk
- is the likelihood that the control structure is flawed because controls are
either absent or inadequate to prevent or detect errors in the accounts.
- Auditors assess the level of control risk by performing tests of internal
controls.
3. Detection Risk
- is the risk that auditors are willing to take that errors not detected or
prevented by the control structure will also not be detected by the auditor.
- Auditors set an acceptable level of detection risk that influences the level
of substantive tests that they perform.
Relationships Between Tests of Controls and Substantive Tests
- Tests of controls and substantive tests are auditing techniques used for reducing
audit risk to an acceptable level.
- The stronger the internal control structure, as determined through tests of
controls, the lower the control risk and the less substantive testing the auditor
must do.
- The more reliable the internal controls, the lower the CR probability which leads
to a lower DR, which will lead to fewer substantive tests being required as
substantive tests are labor intensive and time-consuming, they drive up audit
costs and exacerbate the disruptive effects of an audit.
THE IT AUDIT
INTERNAL CONTROL
According to SEC:
- “The establishment and maintenance of a system of internal control is an
important management obligation. A fundamental aspect of management’s
stewardship responsibility is to provide shareholders with reasonable assurance
that the business is adequately controlled. Additionally, management has a
responsibility to furnish shareholders and potential investors with reliable
financial information on a timely basis.”
Brief History of Internal Control Legislation
● SEC Acts of 1933 and 1934
For 1933:
1. Require that investors receive financial and other significant information
concerning securities being offered for public sale.
2. Prohibit deceit, misrepresentations, and other fraud in the sale of securities
For 1934:
- Empowered it with broad authority over all aspects of the securities industry,
which included authority regarding auditing standards.
● Copyright Law-1976
- This law added software and other intellectual properties into the existing
copyright protection laws as it is of concern to IT auditors because
management is held personally liable for violations (e.g., software piracy)
if “raided” by the software police, and sufficient evidence of impropriety is
found.
OBJECTIVES
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.
MODIFYING PRINCIPLES
1. Management Responsibility
- Internal control is the management’s responsibility.
2. Methods of Data Processing
- Any method of data processing should still achieve the four objectives.
3. Limitations
● Possibility of Error - No system is perfect
● Circumvention - People in an organization can find ways to bypass the
controls
● Management Override - Management has the power to override control
procedures
● Changing Condition - Change is constant
4. Reasonable Assurance
- The internal control should provide reasonable assurance that the four
broad objectives are met.
Detective Controls
- Second line of defense, devices, techniques, and procedures designed to identify
and expose undesirable events that elude preventive controls.
Corrective Controls
- This fixes the problems or events that are identified by the detective controls.
2. Risk Assessment
- Organizations must perform a risk assessment to identify, analyze and
manage risks relevant to financial reporting.
4. Monitoring
- Management must determine that internal controls are functioning as
intended. It is the process by which the internal control effectiveness is
assessed.
5. Control Activities
- The policies and procedures used to ensure that appropriate actions are
taken to deal with the organization’s identified risks.
CATEGORIES OF CONTROL ACTIVITIES
1. INFORMATION TECHNOLOGY
- This drives the financial reporting processes of modern organizations.
Automated systems initiate, authorize, record, and report the effects of
financial transactions. This includes:
● General Controls - These are non application-specific controls that apply
to all systems.
● Application Controls - Application-specific controls that ensure the
validity, completeness, and accuracy of financial transactions.
2. PHYSICAL
- This class of controls relates primarily to the human activities employed in
accounting systems. These activities may be purely manual, such as the
physical custody of assets or they may involve the physical use of
computers to record transactions or update accounts. This includes:
● Independent Verification - This involves independent checks of the
accounting system to identify errors and misrepresentations.
● Transaction Authorization - All of the material transactions of the
organization shall have authorizations to ensure its alignment with the
management’s objectives.
● Segregation of Duties - Duties in the organization shall be well
segregated to minimize the risks of improper transactions or
embezzlement of an employee.
● Supervision - It involves overseeing, managing and directing the
organization’s employees to ensure that transactions and daily business
operations are done in accordance with the company’s objectives.
● Accounting Records - It consists of source documents, journals, and
ledgers of an organization. It should be well-documented, complete and
evidential.
● Access Control - Certain controls in an organization shall require
authorized access to protect and safeguard the organization’s assets.