
Chapter 1:

Auditing, Assurance, and Internal Control

IT Auditing, Hall, 3e
2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part.
Auditing
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events, to ascertain the degree of correspondence between those assertions and established criteria, and to communicate the results to interested users.

Internal Audits

Internal auditing: independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
Financial Audits
Operational Audits
Compliance Audits
Fraud Audits
IT Audits
CIA
IIA
External Audits

External auditing: objective is to attest that, in all material respects, the financial statements are a fair representation of the organization's transactions and account balances.
SEC's role
Sarbanes-Oxley Act
FASB - PCAOB
CPA
AICPA

Financial Audits
An independent attestation performed by an expert
(i.e., an auditor, a CPA) who expresses an opinion
regarding the presentation of financial statements
Key concept: Independence

{Should be} Similar to a trial by judge
Culmination of a systematic process involving:
Familiarization with the organization's business
Evaluating and testing internal controls
Assessing the reliability of financial data
Product is a formal written report that expresses an opinion about the reliability of the assertions in the financial statements, in conformity with GAAP
Attest Services
Requirements of attestation services:
Written assertions and a practitioner's written report
Formal establishment of measurement criteria
Limited to examination, review, and application of agreed-upon procedures

Advisory Services
Advisory services
Professional services offered by public accounting firms to improve their client organizations' operational efficiency and effectiveness
Services include:
Actuarial advice
Business advice
Fraud investigation services
Information system design and implementation
Internal control assessments for compliance with SOX

IT Audits
IT audits: provide audit services where processes or data, or both, are embedded in technologies.
Subject to the ethics, guidelines, and standards of the profession (if certified)
CISA
Most closely associated with ISACA
Performed in conjunction with internal, external, and fraud audits
Scope of IT audit coverage is increasing
Characterized by CAATTs (computer-assisted audit tools and techniques)
IT governance as part of corporate governance

External vs. Internal
External auditing:
Independent auditor (CPA)
Independence defined by SEC/SOX/AICPA
Required by the SEC for publicly traded companies
Referred to as a financial audit
Represents the interests of outsiders, the public (e.g., stockholders)
Standards, guidance, certification governed by AICPA, FASB, PCAOB; delegated by the SEC, which has final authority
Internal auditing:
Auditor (often a CIA or CISA)
Is an employee of the organization, so must impose independence on self
Optional, per management requirements
Broader services than a financial audit (e.g., operational audits)
Represents the interests of the organization
Standards, guidance, certification governed by IIA and ISACA
Fraud Audits
Fraud audits: provide investigation services where anomalies are suspected, to develop evidence that supports or refutes the suspected fraudulent activity.
Auditor is more like a detective
No materiality threshold
Goal is conviction, if sufficient evidence of fraud exists
CFE
ACFE

Role of Audit Committee
Selected from the board of directors
Usually three members
Independent outsiders (SOX now requires it)
Fiduciary responsibility to shareholders
Serve as an independent check-and-balance system
Interact with internal auditors
Hire, set fees for, and interact with external auditors
Resolve GAAP conflicts between external auditors and management
Auditing Standards
Auditing standards
Set by AICPA
Authoritative
#1 = Ten Generally Accepted Auditing Standards
(GAAS)
Three categories:
General Standards
Standards of Field Work
Reporting Standards
# 2 = Statements on Auditing Standards (SASs)
SAS #1 issued by AICPA in 1972

Generally Accepted Auditing Standards
General Standards
1. The auditor must have adequate technical training and proficiency.
2. The auditor must have independence of mental attitude.
3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report.
Standards of Field Work
1. Audit work must be adequately planned.
2. The auditor must gain a sufficient understanding of the internal control structure.
3. The auditor must obtain sufficient, competent evidence.
Reporting Standards
1. The auditor must state in the report whether financial statements were prepared in accordance with generally accepted accounting principles.
2. The report must identify those circumstances in which generally accepted accounting principles were not applied.
3. The report must identify any items that do not have adequate informative disclosures.
4. The report shall contain an expression of the auditor's opinion on the financial statements as a whole.
Audits
Systematic process
Five primary management assertions, and the correlated audit objectives and procedures [Table 1-2]:
Existence or Occurrence
Completeness
Rights and Obligations
Valuation or Allocation
Presentation and Disclosure

Audits
Phases:
1. Planning
2. Obtaining evidence
Tests of Controls
Substantive Testing
CAATTs
Analytical procedures
3. Ascertaining reliability
MATERIALITY
4. Communicating results
Audit opinion

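As an added example (not from Hall's text), the following Python script re-performs three of the substantive tests an IT auditor would run with CAATTs over a sales journal, each mapped to one of the management assertions listed in Table 1-2: a sequence-gap test for completeness, a duplicate test for existence/occurrence, and a recomputation of extended amounts for valuation/allocation. The invoice records, field names and function names are constructed for illustration and are not taken from the book.

```python
"""Substantive tests over a sales journal, one per management assertion.
Added example; the invoice records below are constructed."""
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    number: int          # pre-numbered sales invoice
    customer: str
    qty: int
    unit_price: Decimal
    extended: Decimal    # amount as recorded in the sales journal


SALES_JOURNAL = [  # constructed sample records
    Invoice(1001, "C-17", 10, Decimal("12.50"), Decimal("125.00")),
    Invoice(1002, "C-04", 3, Decimal("99.99"), Decimal("299.97")),
    Invoice(1004, "C-17", 1, Decimal("250.00"), Decimal("250.00")),  # 1003 never recorded
    Invoice(1005, "C-22", 7, Decimal("8.00"), Decimal("65.00")),     # 7 * 8.00 is 56.00
    Invoice(1005, "C-22", 7, Decimal("8.00"), Decimal("65.00")),     # same invoice posted twice
    Invoice(1006, "C-09", 2, Decimal("40.00"), Decimal("80.00")),
]


def completeness_gaps(invoices):
    """Completeness: every pre-numbered invoice should appear in the journal.
    Returns numbers missing between the lowest and highest recorded."""
    seen = {inv.number for inv in invoices}
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)


def occurrence_duplicates(invoices):
    """Existence/occurrence: the same sale recorded twice overstates revenue.
    Returns invoice numbers that appear more than once."""
    counts = Counter(inv.number for inv in invoices)
    return sorted(n for n, c in counts.items() if c > 1)


def valuation_errors(invoices):
    """Valuation/allocation: recompute qty * unit_price and report mismatches
    as (number, recorded amount, recomputed amount), once per invoice number."""
    errors = {}
    for inv in invoices:
        recomputed = inv.qty * inv.unit_price
        if recomputed != inv.extended:
            errors[inv.number] = (inv.number, inv.extended, recomputed)
    return [errors[n] for n in sorted(errors)]


def journal_total(invoices):
    """Foot the journal (recorded total); used to size any misstatement found."""
    return sum(inv.extended for inv in invoices)


def run_substantive_tests(invoices):
    """Bundle the three tests; each finding is evidence against one assertion."""
    return {
        "completeness_gaps": completeness_gaps(invoices),
        "occurrence_duplicates": occurrence_duplicates(invoices),
        "valuation_errors": valuation_errors(invoices),
        "recorded_total": journal_total(invoices),
    }


if __name__ == "__main__":
    for test, finding in run_substantive_tests(SALES_JOURNAL).items():
        print(f"{test}: {finding}")
```

Each finding is an exception to follow up rather than a conclusion: a gap may be a voided invoice, a duplicate may be a legitimate reissue, so the auditor traces each one to source documents before deciding whether the assertion is misstated.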
Audit Risk Components

Audit Risk: the probability that the auditor will give an inappropriate opinion on the financial statements; that is, that the statements contain material misstatement(s) which the auditor fails to find
Audit Risk Components
Inherent Risk:
The probability that material
misstatements have occurred
Material vs. Immaterial
Includes economic conditions, etc.
Relative risk (e.g., cash)

Audit Risk Components
Control Risk:
The probability that the internal controls
will fail to detect material misstatements

Audit Risk Components
Detection Risk:
The probability that the audit procedures
will fail to detect material misstatements
Substantive procedures

Audit Risk Formula
AUDIT RISK MODEL:
AR = IR * CR * DR
Example, inventory with:
IR = 40%, CR = 60%, AR = 5% (fixed)
.05 = .4 * .6 * DR
... then DR = .05 / .24 = .208, about 20.8%
Why is AR = 5%?
What is detection risk?
Can CR realistically be 0?
Relationship between DR and substantive procedures
Audit Risk Model
Relationship between tests of controls and substantive tests
Illustrate higher reliability of the internal controls and the Audit Risk Model
What happens if internal controls are more reliable than at the last audit?
Last year: .05 = .4 * .6 * DR [DR = .208, about 20.8%]
This year: .05 = .4 * .4 * DR [DR = .3125, about 31.3%]
The more reliable the internal controls, the lower the CR probability; the detection risk the auditor can accept (DR) is therefore higher, and fewer substantive tests are necessary.
Substantive tests are labor intensive

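The following Python functions, added here and not taken from the text, solve the audit risk model for planned detection risk and make the direction of the CR/DR relationship explicit. The function names, the input guard for CR = 0, and the cap at DR = 1 are the editor's assumptions about how a practitioner would encode the model, not part of Hall's formulation.

```python
"""Audit risk model AR = IR * CR * DR, solved for the planned detection risk.
Added example; function names and guards are the editor's choices."""


def planned_detection_risk(ar: float, ir: float, cr: float) -> float:
    """Return the detection risk (DR) the auditor can accept, given the
    acceptable audit risk AR and the assessed inherent (IR) and control (CR)
    risks. All three inputs are probabilities in (0, 1].

    CR = 0 would claim the internal controls are perfect; the model then has no
    solution (division by zero), which is the point behind the slide's question
    of whether CR can realistically be 0.
    """
    for name, value in (("AR", ar), ("IR", ir), ("CR", cr)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} must be in (0, 1], got {value!r}")
    dr = ar / (ir * cr)
    # If IR * CR is already below AR the formula gives DR > 1, i.e. the model
    # says no substantive testing would be needed. GAAS field-work standard 3
    # still requires sufficient competent evidence, so DR is capped at 1.0 and
    # the auditor decides the minimum substantive work separately.
    return min(dr, 1.0)


def required_substantive_assurance(dr: float) -> float:
    """Assurance the substantive procedures must supply on their own: 1 - DR.
    A higher figure means more of the labour-intensive substantive testing."""
    return 1.0 - dr


def compare_years(ar: float, ir: float, cr_last: float, cr_this: float) -> dict:
    """Re-run the model for two audits that differ only in assessed control
    risk and report which direction the substantive work moves."""
    dr_last = planned_detection_risk(ar, ir, cr_last)
    dr_this = planned_detection_risk(ar, ir, cr_this)
    return {
        "dr_last": dr_last,
        "dr_this": dr_this,
        "assurance_last": required_substantive_assurance(dr_last),
        "assurance_this": required_substantive_assurance(dr_this),
        # More reliable controls (lower CR) raise the acceptable DR, so the
        # substantive procedures can carry less of the assurance.
        "fewer_substantive_tests": dr_this > dr_last,
    }


if __name__ == "__main__":
    # The slide's inventory example: AR fixed at 5%, IR 40%, CR 60% last year
    # and 40% this year.
    result = compare_years(ar=0.05, ir=0.40, cr_last=0.60, cr_this=0.40)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Note that the model only tells the auditor how much detection risk is tolerable; translating a DR of 20.8% versus 31.3% into a sample size or a set of procedures is a separate planning judgement.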
What is an IT Audit?

most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient. These technologies greatly change the nature of audits, which have so long relied on paper documents.

The IT Environment

There has always been a need for an effective internal control system.
The design and oversight of that system has typically been the responsibility of accountants.
The IT environment complicates the paper systems of the past:
Concentration of data
Expanded access and linkages
Increase in malicious activities in systems vs. paper
Opportunity for management fraud (e.g., management override of controls)
The IT Environment

Audit planning
Tests of controls
Substantive tests
CAATTs

Internal Control
is policies, practices, procedures
designed to
safeguard assets
ensure accuracy and reliability
promote efficiency
measure compliance with policies

Brief History - SEC
Securities Act of 1933 and Securities Exchange Act of 1934 (which created the SEC)
"Ivar Kreuger's Contribution to U.S. Financial Reporting," Accounting Review, Flesher & Flesher
All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.

Brief History - Copyright
Federal Copyright Act 1976
1. Protects intellectual property in the U.S.
2. Has been amended numerous times since
3. Management is legally responsible for violations by the organization
4. U.S. government has continually sought
international agreement on terms for protection of
intellectual property globally vs. nationally

Brief History - FCPA
Foreign Corrupt Practices Act 1977
1. Accounting provisions
FCPA requires SEC registrants to establish and maintain books, records, and accounts.
It also requires establishment of internal accounting controls sufficient to meet these objectives:
a. Transactions are executed in accordance with management's general or specific authorization.
b. Transactions are recorded as necessary to prepare financial statements (i.e., per GAAP) and to maintain accountability.
c. Access to assets is permitted only in accordance with management authorization.
d. The recorded assets are compared with existing assets at reasonable intervals.
2. Illegal foreign payments

Brief History - COSO
Committee of Sponsoring Organizations of the Treadway Commission - 1992
1. Sponsors: AICPA, AAA, FEI, IMA, IIA
2. Developed a management-perspective model for internal control over a number of years
3. Is widely adopted

Brief History SOX
Sarbanes-Oxley Act - 2002
1. Section 404: Management Assessment of Internal Control
Management is responsible for establishing and maintaining the internal control structure and procedures.
Must certify by report on the effectiveness of internal control each year, with the other annual reports.
2. Section 302: Corporate Responsibility for Financial Reports
Financial executives must disclose deficiencies in internal control, and fraud (whether the fraud is material or not).

Internal Control System
Comprises policies, practices, and
procedures to achieve four broad
objectives:
To safeguard assets of the firm
To ensure the accuracy and reliability of
accounting records and information
To promote efficiency in the firms operations
To measure compliance with managements
prescribed policies and procedures.

Modifying Principles
1. Management responsibility
2. Methods of data processing
Objectives are the same regardless of the DP method
Specific controls vary with different technologies
3. Limitations
4. Reasonable assurance
No internal control system is perfect
Benefits should be greater than or equal to costs

Modifying Principles

Limitations:
Possibility of error
Possibility of circumvention
Management override
Changing conditions

Exposures and Risk
Exposure: absence or weakness of a control
Risk: potential threat that could compromise the use or value of organizational assets
Types of risk
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.

The PDC Model
Preventive controls
Detective controls
Corrective controls
Which is most cost effective?
Which one tends to be proactive measures?
Can you give an example of each?

COSO Internal Control Framework

COSO (Treadway Commission) framework, five components:
The control environment
Risk assessment
Information & communication
Monitoring
Control activities

The Control Environment

Describe how each one could adversely affect internal control.
The integrity and ethical values
Structure of the organization
Participation of audit committee
Managements philosophy and style
Procedures for delegating

The Elements of the Control
Environment
Integrity and ethical values of management
Structure of the organization
Participation of the organization's board of directors and the audit committee
Management's philosophy and operating style
Procedures for delegating responsibility and authority
Management's methods for assessing performance
External influences
Organization's policies and practices for managing human resources

Techniques Used to Understand the
Control Environment
Describe a possible activity or tool for each.
Assess the integrity of the organization's management
Identify conditions conducive to management fraud
Understand the client's business and industry
Determine if the board and audit committee are actively involved
Study the organization structure

Risk Assessment
Changes in environment
Changes in personnel
Changes in information systems
New information technologies
Significant or rapid growth
New products or services (no prior experience)
Organizational restructuring
Foreign markets
New accounting principles

Elements of Information and
Communication
Initiate, identify, analyze, classify, and record economic transactions and events.
Identify and record all valid economic transactions
Provide timely, detailed information
Accurately measure financial values
Accurately record transactions

Techniques Used to Understand Information
and Communication Structures

Auditors obtain sufficient knowledge of the information systems to understand:
Classes of transactions that are material
Accounting records and accounts used
Processing steps: from initiation to inclusion in the financial statements (illustrate)
Financial reporting process (including disclosures)

Monitoring
By separate procedures (e.g., tests of controls)
By ongoing activities (Embedded Audit Modules, EAMs, and Continuous Online Auditing, COA)

COSO
(Control Activities)
Physical Controls
Transaction authorization
Examples:
Sales only to authorized customers
Sales only within the available credit limit
Segregation of duties
Examples of incompatible duties:
Authorization vs. processing [e.g., authorizing customers vs. entering sales]
Custody vs. recordkeeping [e.g., custody of inventory vs. data processing of inventory records]
With the steps of a process separated, fraud requires collusion
Supervision
Serves as a compensating control when a lack of segregation of duties exists by necessity
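As an added example that is not the book's own, the script below re-performs two of the control activities just described over constructed data: a segregation-of-duties check that finds users holding an incompatible pair of duties, and a transaction-authorization test that re-checks each sales order against the customer master (authorized customer, available credit). Orders entered by a user with an unresolved SoD conflict are routed for supervisory review, the compensating control named on the slide. The duty names, users, customers and orders are all constructed for illustration.

```python
"""Tests of controls: segregation of duties and transaction authorization.
Added example; all users, duties, customers and orders below are constructed."""
from decimal import Decimal

# Incompatible duty pairs (assumed duty names). The first two are
# authorization vs. processing, the third is custody vs. recordkeeping.
INCOMPATIBLE_DUTIES = [
    ("authorize_customer", "enter_sales_order"),
    ("approve_credit", "enter_sales_order"),
    ("custody_inventory", "record_inventory"),
]

USER_DUTIES = {  # constructed role assignments
    "alice": {"enter_sales_order"},
    "bob":   {"authorize_customer", "approve_credit"},
    "carol": {"custody_inventory", "record_inventory"},
    "dave":  {"enter_sales_order", "authorize_customer", "record_inventory"},
}

CUSTOMERS = {  # constructed customer master: authorized flag, limit, open balance
    "C-17": {"authorized": True,  "credit_limit": Decimal("1000"), "balance": Decimal("900")},
    "C-04": {"authorized": True,  "credit_limit": Decimal("500"),  "balance": Decimal("0")},
    "C-99": {"authorized": False, "credit_limit": Decimal("0"),    "balance": Decimal("0")},
}

SALES_ORDERS = [  # constructed: (order id, customer, amount, entered by)
    ("SO-1", "C-17", Decimal("50"),  "alice"),
    ("SO-2", "C-17", Decimal("250"), "alice"),
    ("SO-3", "C-99", Decimal("10"),  "alice"),
    ("SO-4", "C-04", Decimal("499"), "dave"),
]


def segregation_violations(user_duties, incompatible=INCOMPATIBLE_DUTIES):
    """Return (user, (duty_a, duty_b)) for every incompatible pair one person
    holds. With the duties split, the same fraud would need two colluding people."""
    found = []
    for user in sorted(user_duties):
        held = user_duties[user]
        for a, b in incompatible:
            if a in held and b in held:
                found.append((user, (a, b)))
    return found


def authorization_exceptions(orders, customers):
    """Re-perform the transaction authorization control on each sales order:
    sales only to an authorized customer and only within available credit.
    The running balance is updated as orders are accepted, so several small
    orders cannot each pass the limit check individually yet exceed it in total."""
    balances = {code: data["balance"] for code, data in customers.items()}
    exceptions = []
    for order_id, cust, amount, _entered_by in orders:
        master = customers.get(cust)
        if master is None or not master["authorized"]:
            exceptions.append((order_id, "customer not authorized"))
            continue
        if balances[cust] + amount > master["credit_limit"]:
            exceptions.append((order_id, "exceeds available credit"))
            continue
        balances[cust] += amount
    return exceptions


def orders_needing_supervisory_review(orders, user_duties):
    """Supervision as a compensating control: orders entered by a user who
    holds incompatible duties are listed for a supervisor to review."""
    conflicted = {user for user, _ in segregation_violations(user_duties)}
    return [order_id for order_id, _, _, entered_by in orders if entered_by in conflicted]


if __name__ == "__main__":
    for item in segregation_violations(USER_DUTIES):
        print("SoD violation:", item)
    for item in authorization_exceptions(SALES_ORDERS, CUSTOMERS):
        print("Authorization exception:", item)
    print("Needs supervisory review:",
          orders_needing_supervisory_review(SALES_ORDERS, USER_DUTIES))
```

In a real engagement the duty-to-user mapping comes from the application's role tables rather than a dictionary, and the order test is run against the full period's transactions; the logic is the same, and an empty exception list is the evidence that the control operated.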
Physical Controls
Accounting records (audit trails; examples)
Access controls
Direct (to the assets)
Indirect (to the documents that control the assets)
Fraud
Disaster recovery
Independent verification
Management can assess:
The performance of individuals
The integrity of the AIS
The integrity of the data in the records
Examples
IT Controls
Applications controls
Ensure validity, completeness, and accuracy of
financial transactions
General controls
Not application-specific, i.e. apply to all systems
Include controls over:
IT governance
IT infrastructure
Security and access to operating systems and
databases
Application acquisition and development
Program change procedures

Audit Implications of SOX
Expanded role of auditors
Must attest to the quality of their client organizations' internal controls
PCAOB Auditing Standard No. 5 requires auditors to understand:
Transaction flows
Controls pertaining to how transactions are initiated, authorized, recorded, and reported
Auditors are responsible for detecting fraudulent activity

Seatwork: Mini-case Analysis
