Auditing and Internal Controls
provided to IT control-related client
TYPES OF AUDIT
1., External (financial) Audits
● Is an attest service
● Performed by an expert - CPA - who
expresses the opinion regarding the
presentation of FS
● Objective: assure the fair presentation of FS
● SEC requires publicly listed companies to
be subject to financial audit annually
● CPA collects evidence and then renders
opinion(like judge)
● Independence is the concept in audit
● Public confidence on FS relies on
evaluation of an auditor
● External auditor follows strict rules defined
by:
○ SEC
○ FASB
○ AICPA
○ PCAOB
● SEC has final authority for financial audit
Attest service vs. Advisory Service
Attest
● Issuing a written communication that
express conclusion about written assertion
● Requirements:
○ Written assertion and practitioner’s
written report
○ Formal establishment of criteria
○ Limited to: examination, review and
application of agreed-upon
procedure
Advisory
● Providing advise
● Offered to improve client’s operational
efficiency and effectiveness
● Examples:
○ Actuarial service
○ Business advice
○ Fraud investigation service
○ Information system, design and
implementation
○ Internal control assessments for
compliance with SOX
● IT Risk Management - advisory service
○ Dual purpose of unit involve: IT
advisory service to non audit client,
and IT-related TOC as part of
attestation function
2., Internal Audits
● Independent appraisal function established
within the organization
● Internal Auditors:
○ Performs service on behalf of the
organization:
■ Conducting financial audits
■ Examining the operations
and compliance with the
organizational policies
■ Reviewing the organization’s
compliance with legal
obligations
■ Evaluating operational
efficiency
■ Detecting and pursuing fraud
in the firm
○ Certified as CIA or CISA
External vs. Internal Auditors
● Respective constituencies - distinguishes
external(represents outsiders) and internal
auditors(represents organization’s interest)
Note:
1. Internal auditors may cooperate with
external auditor to achieve audit efficiency
and reduce audit fees.
2. Independence and competence of internal
audit staff determine the extent to which
external auditor may rely on internal
auditor's work.
3. Standards prohibit external auditors from
relying on internal auditor’s work if they
report directly to controller(because
independence may be compromise)
4. External auditors may rely on the internal
auditor’s work if they report to the board
committee.
3., Fraud Audits
 ● Objective: investigate anomalies and gather
evidence of fraud that may lead to criminal
conviction
● look on theft of assets or financial fraud
● Are Certified Fraud Examiner(CFE)
The Role of Audit Committee
● Has responsibilities regarding audit
● Has 3 members which at least one must be
financial expert
● Serves as independent 'check and balance'
for internal auditor function in liaison with
external auditors
● After SOX, audit committee became the one
who hired and fired external auditors, not
the management anymore
● To be effective, audit committee must be
willing to challenge internal auditors and
management
Financial Audit Components
1. Auditing Standards
○ GAAS
● Not sufficiently detailed to provide
guidance on specific circumstance
○ So, Statements on Auditing
Standards(SASs) is issued
as its authoritative
interpretations,to provide
specific guidance
● Classes of auditing standards
2. A systematic Process
● Is particularly important in IT
environment, there is no audit trail,
so logical framework is critical
3. Management Assertion and Audit Objectives
4. Obtaining Evidence
5.Ascertaining Materiality
6. Communicating Results
Audit Risk Components
● Inherent Risk
● Control Risk ( assessed risk)
○ Pure substantive approach-
■ If max level
■ Control is not effective at all
■ Proceed to substantive test
○ Combine audit approach
■ If below max level
■ Perform TOC and then
substantive test
● Detection Risk (acceptable risk)
Note:
Strong internal control = low control risk = fewer
substantive testing = low detection risk
IT Audit(conceptual phases)
1. Audit Planning
○ Review organization's Policies,
Practices and Structure
○ Review General Controls and
Application Controls
○ Plan test of control and Substantive
testing procedures
2. Test of Control
○ Perform test of controls
○ Evaluate test results
○ Determine degree of reliance on
controls
3. Substantive Testing Phase
○ Perform Substantive Tests
○ Evaluate Results and Issue Auditor's
Report
Internal Controls
● Company’s mechanisms rules and
procedures to ensure financial and
accounting information integrity, promote
accountability, and prevent fraud
● Improves operational efficiency by
improving the accuracy and timeliness of
financial reporting
Internal Control Objectives
1. To safeguard the assets of the firm
2. To ensure the accuracy and reliability of
accounting records and information
3. To promote efficiency in the firm's
operations
4. To measure compliance with management's
prescribed policies and procedures

Internal Control Principles

1. Management Responsibility
○ Establishment and maintenance of a
system of internal control
2. Methods of Data Processing
○ IC should achieve four categories
regardless of data processing
3. Limitations
○ Possibility of error
○ Circumvention - through collusion
○ Management override
○ Changing conditions
4. Reasonable Assurance
○ Reasonableness means the cost
does not outweigh its benefits

Internal Control Model (PDC Model)

1. Preventive Control
2. Detective Control
3. Corrective Control

COSO Internal Control Framework

1. Control Environment
○ Overall tone of organization
○ Commitment level of top
management
2. Risk Assessment
○ Management's identification and
assessment of business risk
3. Information and Communication
4. Monitoring
○ Assessment improvement of IC
5. Control Activities