
Understanding Assurance Services

Accounting Information Systems, 8e
James A. Hall

Hall, Accounting Information Systems, 8e
©2013 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Assurance Service Elements

Assurance services are (1) independent (2) professional services that (3) improve the quality of information, or its context, (4) for decision makers. Assurance services include many areas of information, including nonfinancial areas.

Attestation Services Defined

Attestation involves an engagement resulting in the issuance of a report on subject matter, or an assertion about the subject matter, that is the responsibility of another party.

Auditing is a specific type of attestation.
External (Financial) Audits

• An independent attestation by a professional (CPA) regarding the faithful representation of the financial statements
• Three phases of a financial audit:
  • familiarization with the client firm
  • evaluation and testing of internal controls
  • assessment of the reliability of financial data

Attest and Assurance Services

What is an External Financial Audit?

• An attestation performed by an expert, the auditor, who expresses an opinion regarding the presentation of the financial statements (FS)
• The audit objective is associated with the presentation of the FS, in particular that, in all material respects, the statements are fairly stated.

External vs. Internal Auditing

• External auditing is often called independent auditing because it is done by CPAs who are independent of the organization being audited
• The IIA defines internal auditing as an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.

External versus Internal Auditing

• External auditors – represent the interests of third-party stakeholders
• Internal auditors – serve an independent appraisal function within the organization
  • Often perform tasks which can reduce external audit fees and help to achieve audit efficiency

Elements of Auditing

Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between the assertions and established criteria and communicating the results to interested users.

The figure annotates each element of this definition:
• the assertions are the financial statements (including footnotes)
• the established criteria are GAAP
• the results are communicated in the auditor's report or other reports
• the interested users are the persons who rely on the financial reports, e.g. creditors and investors

Source: American Accounting Association Committee on Basic Auditing Concepts. 1973. A Statement of Basic Auditing Concepts. American Accounting Association (Sarasota, FL).

Overview of Financial Statement Auditing

Figure: overview of financial statement auditing; the reporting criteria shown are IFRS, IAS and IFRIC.

Generally Accepted Auditing Standards (GAAS)

Audit Risk is...

the probability that the auditor will issue an unqualified (clean) opinion when in fact the financial statements are materially misstated.
• Errors – unintentional mistakes
• Irregularities (fraud) – intentional misrepresentations made to perpetrate fraud and mislead the users of the FS

Three Components of Audit Risk

• Inherent risk – associated with the unique characteristics of the business or industry of the client
• Control risk – the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts
• Detection risk – the risk that errors not detected or prevented by the control structure will also not be detected by the auditor
Types of Audit Tests

• Tests of controls – tests to determine if appropriate IC are in place and functioning effectively
• Substantive testing – detailed examination of account balances and transactions

Audit Risk Components

AR = IR x CR x DR

The figure relates these components to the two types of audit tests: inherent risk (IR) and control risk (CR) are the systems risks addressed by tests of controls, and detection risk (DR) is addressed by substantive tests.
What is an IT Audit?

Since most information systems employ IT, the IT audit is a critical component of all external and internal audits.
• IT audits:
  • focus on the computer-based aspects of an organization’s information system
  • assess the proper implementation, operation, and control of computer resources

Elements of an IT Audit

• Systematic procedures are used
• Evidence is obtained
  • tests of internal controls
  • substantive tests
• Determination of materiality for weaknesses found
• Prepare the audit report and audit opinion

A Systematic Process

• An audit is a systematic and logical process that applies to all forms of information systems. The lack of physical procedures that can be visually verified and evaluated injects a high degree of complexity into the IT audit. Therefore, a logical framework for conducting an audit in the IT environment is critical to help the auditor identify important processes and data files.

Management Assertions & Audit Objectives

Management assertion: Existence or occurrence
  Audit objective: Inventories listed on the SFP exist
  Audit procedure: Observe the counting of physical inventory

Management assertion: Completeness
  Audit objective: AP includes all obligations to vendors for the period
  Audit procedure: Compare receiving reports, supplier invoices, purchase orders and journal entries for the period and the beginning of the next period

Management assertion: Rights and obligations
  Audit objective: PPE listed in the SFP are owned by the entity
  Audit procedure: Review purchase agreements, insurance policies, and related documents

Management assertion: Valuation or allocation
  Audit objective: AR are stated at NRV
  Audit procedure: Review the entity’s aging of AR and evaluate the adequacy of the ADA

Management assertion: Presentation and disclosure
  Audit objective: Contingencies not reported in the accounts are properly disclosed in footnotes
  Audit procedure: Obtain information from the entity’s lawyers about the status of litigation and estimates of potential loss
Obtaining Evidence

• Evidence is collected by performing tests of controls, which establish whether internal controls are functioning properly, and substantive tests, which determine whether accounting databases fairly reflect the organization’s transactions and account balances.

Ascertaining the Degree of Correspondence with Established Criteria

• The auditor must determine whether weaknesses in internal controls and misstatements found in transactions and account balances are material.
• In an IT environment, technology and a sophisticated internal control structure further complicate this decision.

Communicating Results

• Auditors must communicate the results of their tests to interested users. Independent (external) auditors report to the audit committee of the board of directors or to the shareholders of a company.
• The audit report contains, among other things, an audit opinion.
• IT auditors often communicate their findings to internal and external auditors, who can then integrate these findings with the non-IT aspects of the audit.
Phases of an IT Audit

Figure 15-9

IT Controls Part I: Sarbanes-Oxley & IT Governance

Accounting Information Systems, 8e
James A. Hall

Objectives for Chapter

• Understand the key features of Sections 302 and 404 of the Sarbanes-Oxley Act.
• Understand management and auditor responsibilities under Sections 302 and 404.
• Understand the risks of incompatible functions and how to structure the IT function.
• Be familiar with the controls and precautions required to ensure the security of an organization’s computer facilities.
• Understand the key elements of a disaster recovery plan.
• Be familiar with the benefits, risks and audit issues related to IT outsourcing.

Sarbanes-Oxley Act of 2002 (SOX)

A. Major Provisions of Sarbanes-Oxley
B. Management Responsibility Under SOX
C. Prohibited Services to Audit Clients
A. Major Provisions of Sarbanes-Oxley

Congress passed the Sarbanes-Oxley Act in an attempt to address a number of weaknesses found in corporate financial reporting in the wake of the recent accounting scandals. The Act’s major provisions include:
• Requirement of CEO/CFO certification of financial statements (Section 302)
• Requirement of auditor examination of company internal controls (Section 404)
• Creation of the Public Company Accounting Oversight Board (PCAOB) to serve as an auditing profession “watchdog”
• Prohibition of certain client services by firms conducting a client’s audit

B. Management’s Responsibility Under SOX

One of its most important provisions (Section 302) states that the key company officials must certify the financial statements. Certification means that the company CEO and CFO must sign a statement indicating:

1. They have read the financial statements.
2. They are not aware of any false or misleading statements (or any key omitted disclosures).
3. They believe that the financial statements present an accurate picture of the company’s financial condition.

Source: U.S. Congress, Sarbanes-Oxley Act of 2002, Pub. L. 107-204, 116 Stat. 745 (2002).

SOX Section 302

• Section 302 – in quarterly and annual financial statements, management must:
  • certify the internal controls (IC) over financial reporting
  • state responsibility for IC design
  • provide reasonable assurance as to the reliability of the financial reporting process
  • disclose any recent material changes in IC

SOX Section 404

• Section 404 – in the annual report on IC effectiveness, management must:
  • state responsibility for establishing and maintaining adequate financial reporting IC
  • assess IC effectiveness
  • reference the external auditors’ attestation report on management’s IC assessment
  • provide explicit conclusions on the effectiveness of financial reporting IC
  • identify the framework management used to conduct their IC assessment, e.g., COBIT
C. Prohibited Services to Audit Clients

• SOX and the PCAOB prohibit professional service firms from providing any of the following services to an audit client:
  • bookkeeping and related services
  • design or implementation of financial information systems
  • appraisal or valuation services
  • actuarial services
  • internal audit outsourcing
  • management or human resources services
  • investment or broker/dealer services
  • legal and expert services (unrelated to the audit)

C. Prohibited Services to Audit Clients

• Professional service firms may provide client tax services (with some restrictions) and other non-prohibited services to audit clients if the company’s audit committee has approved them in advance.
• SOX prohibits professional service firms from performing any client services where auditors may find themselves making management decisions or auditing their own firm’s work.

IT Controls & Financial Reporting

• Modern financial reporting is driven by information technology (IT)
• IT initiates, authorizes, records, and reports the effects of financial transactions.
• Financial reporting IC are inextricably integrated with IT.

IT Controls & Financial Reporting

• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies two groups of IT controls:
  • Application controls – apply to specific applications and programs, and ensure data validity, completeness and accuracy
  • General controls – apply to all systems and address IT governance and infrastructure, security of operating systems and databases, and application and program acquisition and development

IT Controls & Financial Reporting

Figure: the significant financial accounts (Sales, CGS, Inventory, AP, Cash) are fed by related applications (Order Entry, Purchases, Cash Disbursements), each with its own application controls. The controls for review beneath them are the supporting general controls: systems development and program change control, database access controls, and operating system controls.
SOX Audit Implications

• Pre-SOX, audits did not require IC tests.
  • Auditors were only required to be familiar with the client’s IC
  • The audit consisted primarily of substantive tests
• SOX radically expanded the scope of the audit:
  • Issue a new audit opinion on management’s IC assessment
  • Required to test IC affecting financial information, especially IC to prevent fraud
  • Collect documentation of management’s IC tests and interview management on IC changes

Computer Fraud Schemes

• Theft, misuse, or misappropriation of assets by altering computer-readable records and files
• Theft, misuse, or misappropriation of assets by altering the logic of computer software
• Theft or illegal use of computer-readable information
• Theft, corruption, illegal copying or intentional destruction of software
• Theft, misuse, or misappropriation of computer hardware
The General Model for Accounting Information Systems

Using the general IS model, explain how fraud can occur at the different stages of information processing.
Data Collection Fraud

• This aspect of the system is the most vulnerable because it is relatively easy to change data as it is being entered into the system.
• Also, the GIGO (garbage in, garbage out) principle reminds us that if the input data is inaccurate, processing will result in inaccurate output.
• The perpetrator need not be an expert; it is enough to understand how the control weakness can be exploited.

Examples…

• Deleting, altering or creating a transaction, e.g. in payroll or cash disbursements
• Masquerading – gaining access to the system from a remote site by pretending to be an authorized user
• Piggybacking – a technique in which the perpetrator, at a remote site, taps into the telecommunications lines and latches on to an authorized user who is logging in to the system
• Hacking – the intention is usually not to defraud for financial gain; the motive is breaking into the system rather than theft of assets
Data Processing Fraud

Program Frauds
• altering programs to allow illegal access to and/or manipulation of data files
• destroying programs with a virus
• Examples…

Operations Frauds
• misuse of company computer resources, such as using the computer for personal business
Example of Program Fraud

• Creating illegal programs that can access data files to alter, delete or insert values into accounting records
• Destroying or corrupting a program’s logic using a computer virus
• Altering program logic to cause the application to process data incorrectly
  • “salami fraud” – skimming fractions of a cent from a large number of transactions, e.g. through rounding, and accumulating them in an account the perpetrator controls
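The salami scheme is the kind of program fraud that is invisible per transaction and only shows up in aggregate. The Python below is an added example, not code from Hall's text: it puts a rounding-based salami routine beside the honest interest-posting routine, and then runs the substantive test an auditor would use against either, recomputing every credit independently and looking for the truncation bias and the unexplained credit that the fraud leaves behind. The account numbers, balances, rate, attacker account and function names are all constructed for the illustration.

```python
"""Salami-slicing program fraud beside the honest routine, and a detector.

Added example, not from Hall's text. Interest is posted to the cent. The
honest routine rounds half-up; the fraudulent routine truncates each credit
and sweeps the shaved fractions into an attacker-controlled account. The
detector recomputes the expected credits and flags (a) postings with no
underlying balance and (b) a run that only ever under-pays. All account
data is constructed.
"""
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")

# Constructed balances (dollars) and annual rate; account ids are hypothetical.
BALANCES = {
    "ACC-1001": Decimal("1234.57"),
    "ACC-1002": Decimal("98765.43"),
    "ACC-1003": Decimal("250.00"),
    "ACC-1004": Decimal("3.99"),
}
RATE = Decimal("0.0375")
ATTACKER = "ACC-9999"  # hypothetical account the fraudster controls


def honest_interest_run(balances, rate):
    """Post interest rounded half-up to the cent; return {account: credit}."""
    return {acct: (bal * rate).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, bal in balances.items()}


def salami_interest_run(balances, rate, attacker=ATTACKER):
    """Program fraud: truncate each credit and sweep the shaved fractions
    into the attacker account. Every victim loses under one cent, so no
    single statement looks wrong."""
    postings = {}
    shaved = Decimal("0")
    for acct, bal in balances.items():
        exact = bal * rate
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = truncated
        shaved += exact - truncated
    # The sweep is itself truncated so the run still posts whole cents.
    sweep = shaved.quantize(CENT, rounding=ROUND_DOWN)
    postings[attacker] = postings.get(attacker, Decimal("0")) + sweep
    return postings


def detect_salami(balances, rate, postings):
    """Substantive test of an interest run: recompute every expected credit
    independently of the production program and compare with what posted."""
    expected = honest_interest_run(balances, rate)
    # A credit to an account with no balance in the master file has no basis.
    unexplained = {a: amt for a, amt in postings.items() if a not in expected}
    residuals = {a: postings[a] - expected[a] for a in expected if a in postings}
    short = sum(1 for r in residuals.values() if r < 0)
    over = sum(1 for r in residuals.values() if r > 0)
    return {
        "unexplained_credits": unexplained,
        "accounts_short_by_a_cent": short,
        "accounts_over_by_a_cent": over,
        # Genuine half-up rounding under- and over-pays about equally;
        # truncation only ever under-pays, which is the salami signature.
        "truncation_bias": short > 0 and over == 0,
    }


if __name__ == "__main__":
    for label, run in (("honest", honest_interest_run(BALANCES, RATE)),
                       ("salami", salami_interest_run(BALANCES, RATE))):
        print(label, run)
        print("  detector:", detect_salami(BALANCES, RATE, run))
```

On the constructed data the honest run produces no findings, while the salami run shows three accounts each one cent short, none over, and an unexplained two-cent credit to ACC-9999. The detector works because it recomputes from source balances with its own rounding rule rather than trusting the production program, which is exactly the independence a substantive test needs when the program logic itself is the suspect.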

Database Management Fraud

• Altering, deleting, corrupting, destroying, or stealing an organization’s data
• Files are copied and sold to competitors
• Often conducted by a disgruntled employee or an ex-employee
• “Logic bomb” – malicious code that, when triggered, erases the data files that the program accesses

Information Generation Fraud

Stealing, misdirecting, or misusing computer output
Scavenging
• searching through the trash cans at the computer center for discarded output (the output should be shredded, but frequently is not)
Eavesdropping
• listening to output transmissions over telecommunication lines

IT GOVERNANCE CONTROLS
Organizational Structure IC

• Audit objective – verify that individuals in incompatible areas are segregated to minimize risk while promoting operational efficiency
• IC, especially segregation of duties, is affected by which of two organizational structures applies:
  • Centralized model
  • Distributed model

Organizational Chart of a Centralized Information Technology Function

Figure 15-3

Segregation of Duties

• Transaction authorization is separate from transaction processing.
• Asset custody is separate from record-keeping responsibilities.
• The tasks needed to process the transactions are subdivided so that fraud requires collusion.

Segregation of Duties Objectives

Figure 3-4: Nested Control Objectives for Transactions
• Control objective 1 – within a transaction, authorization is separated from processing
• Control objective 2 – within processing, authorization, custody and recording are held by different parties
• Control objective 3 – within recording, the journals, subsidiary ledgers and general ledger are maintained separately

Centralized IT Structure

• Critical to segregate:
  • systems development from computer operations
  • the database administrator (DBA) from other computer service functions
    • the DBA authorizes access to data, while systems development processes it; combining the two puts authorization and processing in one pair of hands
  • maintenance from new systems development
  • the data library from operations

Distributed Organization with Corporate Information Technology Function

Figure 15-5

Distributed IT Structure

• Despite its many advantages, important IC implications are present:
  • incompatible software among the various work centers
  • data redundancy may result
  • consolidation of incompatible tasks
  • difficulty hiring qualified professionals
  • lack of standards

Creating a Corporate IT Function

• A corporate IT function alleviates potential problems associated with distributed IT organizations by providing:
  • central testing of commercial hardware and software
  • a user services staff
  • a standard-setting body
  • review of the technical credentials of prospective systems professionals
Audit Objectives

 To verify that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment.

Audit Procedures
 Review the corporate policy on computer security
 Verify that the security policy is communicated to
employees
 Review relevant documentation to determine if
individuals or groups are performing incompatible
functions
 Review systems documentation and maintenance
records
 Verify that maintenance programmers are not also
design programmers
Audit Procedures

 Observe whether segregation policies are followed in practice.
  E.g., check operations room access logs to determine if programmers enter for reasons other than system failures
 Review user rights and privileges
  Verify that programmers have access privileges consistent with their job descriptions
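The two Audit Procedures slides above and the segregation list on the Centralized IT Structure slide describe manual reviews. The script below is an added example of how an IT auditor can automate them: it checks an entitlement export against a conflict matrix built from the four segregation pairs (development/operations, DBA/other functions, maintenance/new development, data library/operations) and then correlates computer-room badge entries by programmers with recorded system-failure windows. It is not code from the textbook; the user names, privilege names, conflict pairs, log lines and failure windows are constructed assumptions.

```python
"""Segregation-of-duties review over an entitlement export and a computer
room badge log.  Added example for this chapter's audit procedures; the user
names, role names, privilege names, conflict pairs and log lines below are
constructed assumptions, not data from the textbook or any organization."""
from datetime import datetime, timedelta

# Constructed entitlement export: (user, IT function, privilege held).
ENTITLEMENTS = [
    ("alice", "systems_development", "dev_repo_write"),
    ("alice", "systems_development", "prod_console"),        # developer on production
    ("bob",   "maintenance",         "maint_repo_write"),
    ("bob",   "maintenance",         "dev_repo_write"),      # maintains and designs
    ("carol", "dba",                 "db_grant_access"),
    ("carol", "dba",                 "dev_repo_write"),      # authorizes and develops
    ("dave",  "operations",          "prod_console"),
    ("dave",  "operations",          "tape_library_admin"),  # operator runs the library
    ("erin",  "data_library",        "tape_library_admin"),
]

# Conflict matrix derived from the four segregation pairs on the
# Centralized IT Structure slide: privileges an IT function must never hold.
INCOMPATIBLE = {
    "systems_development": {"prod_console", "db_grant_access", "tape_library_admin"},
    "maintenance":         {"dev_repo_write", "prod_console", "db_grant_access"},
    "dba":                 {"dev_repo_write", "maint_repo_write", "prod_console"},
    "operations":          {"dev_repo_write", "maint_repo_write", "tape_library_admin"},
    "data_library":        {"prod_console", "dev_repo_write"},
}


def sod_violations(entitlements=ENTITLEMENTS, matrix=INCOMPATIBLE):
    """Return sorted (user, function, privilege) triples that breach the matrix."""
    return sorted({(u, f, p) for u, f, p in entitlements
                   if p in matrix.get(f, set())})


# Constructed badge log ("<ISO timestamp> <user> ENTER|EXIT") and the windows
# during which a system failure was open, when programmers may legitimately
# be in the operations room.
BADGE_LOG = [
    "2013-03-04T02:10:00 alice ENTER",
    "2013-03-04T02:55:00 alice EXIT",
    "2013-03-05T09:00:00 dave ENTER",
    "2013-03-05T14:00:00 alice ENTER",
    "2013-03-05T14:20:00 alice EXIT",
]
PROGRAMMERS = {"alice", "bob"}
FAILURE_WINDOWS = [(datetime(2013, 3, 4, 1, 30), datetime(2013, 3, 4, 4, 0))]


def unjustified_entries(log=BADGE_LOG, programmers=PROGRAMMERS,
                        windows=FAILURE_WINDOWS, grace=timedelta(minutes=15)):
    """Programmer ENTER events not covered by an open failure window
    (a small grace period tolerates clock skew between the two systems)."""
    flagged = []
    for line in log:
        stamp, user, event = line.split()
        if user not in programmers or event != "ENTER":
            continue
        t = datetime.fromisoformat(stamp)
        if not any(start - grace <= t <= end + grace for start, end in windows):
            flagged.append((user, stamp))
    return flagged


if __name__ == "__main__":
    for finding in sod_violations():
        print("SoD violation:", finding)
    for finding in unjustified_entries():
        print("Unexplained programmer entry:", finding)
```

The conflict matrix is the auditor's judgement encoded once; the value of the script is that it is re-run against every fresh entitlement export and badge log, so drift (a developer quietly granted a production console, an operator taking over the tape library) shows up in the next review rather than the next incident. Every flagged entry still needs a documented reason from management; the script finds candidates, it does not close findings.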

Computer Center IC

Audit objectives:
 physical security IC protects the computer
center from physical exposures
 insurance coverage compensates the
organization for damage to the computer
center
 operator documentation addresses routine
operations as well as system failures

COMPUTER CENTER SECURITY
AND CONTROLS
Computer Center IC
Considerations:
  site located away from man-made threats and natural hazards
  underground utility and communications lines
  air conditioning and air filtration systems
  access limited to operators and computer center workers; all others required to sign in and out
  fire suppression systems installed
  fault tolerance:
 • redundant disks and other system components
 • backup power supplies
Audit Procedures

 Review insurance coverage on hardware, software, and the physical facility
 Review operator documentation (run manuals) for completeness and accuracy
 Verify that operational details of a system's internal logic are not in the operator's documentation

DISASTER RECOVERY
PLANNING (DRP)
Disaster Recovery Planning

 Disaster recovery plans (DRP) identify:
  actions before, during, and after the disaster
  the disaster recovery team
  priorities for restoring critical applications
 Audit objective: verify that the DRP is adequate and feasible for dealing with disasters

Disaster Recovery Planning

 Major IC concerns:
 second-site backups
 critical applications and databases
• including supplies and documentation
 back-up and off-site storage procedures
 disaster recovery team
 testing the DRP regularly

Second-Site Backups
 Empty shell (cold site) - two or more user organizations buy or lease a building and remodel it into a computer site, but install no computer equipment; hardware must be obtained after the disaster, so recovery is slow
 Recovery operations center (hot site) - a completely equipped site; very costly and typically shared among many companies, so a regional disaster affecting several members can exceed its capacity
 Internally provided backup - companies with multiple data processing centers may create internal excess capacity so one center can absorb another's load

DRP Audit Procedures

 Evaluate the adequacy of second-site backup arrangements
 Review the list of critical applications for completeness and currency
 Verify that procedures are in place for storing off-site copies of applications and data
 Check the currency of backups and off-site copies
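The last three procedures on this slide (a current list of critical applications, off-site copies, and backup currency) can be checked together against a backup catalogue. The script below is an added example, not code from the textbook: for each critical application it confirms that an off-site copy exists, that the newest off-site copy is younger than the application's recovery point objective (RPO), and that the copy's recorded hash still matches its contents. The application list, RPO targets, catalogue rows and hashes are constructed assumptions; in practice the hash would be computed over the actual backup image.

```python
"""DRP backup-currency check over a constructed backup catalogue.  Added
example for the DRP audit procedures; the application list, RPO targets,
catalogue rows and payloads are assumptions, not data from the textbook."""
from datetime import datetime, timedelta
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash used both when the catalogue was written and when it is verified."""
    return hashlib.sha256(data).hexdigest()


# Critical applications in restoration priority order, each with its RPO
# (maximum tolerable age of the newest usable backup).
CRITICAL_APPS = [
    ("general_ledger", timedelta(hours=24)),
    ("payroll",        timedelta(hours=24)),
    ("order_entry",    timedelta(hours=4)),
]

# Constructed catalogue rows: (app, completed_at, location, recorded_hash, payload).
# The payload stands in for the backup image.  The order_entry off-site copy
# has been deliberately altered so the integrity check has something to find.
CATALOGUE = [
    ("general_ledger", "2013-03-05T22:00:00", "onsite",  sha256_hex(b"gl-0305"),  b"gl-0305"),
    ("general_ledger", "2013-03-05T22:00:00", "offsite", sha256_hex(b"gl-0305"),  b"gl-0305"),
    ("payroll",        "2013-03-05T22:00:00", "onsite",  sha256_hex(b"pay-0305"), b"pay-0305"),
    ("payroll",        "2013-03-01T22:00:00", "offsite", sha256_hex(b"pay-0301"), b"pay-0301"),
    ("order_entry",    "2013-03-06T06:00:00", "onsite",  sha256_hex(b"oe-0306"),  b"oe-0306"),
    ("order_entry",    "2013-03-06T06:00:00", "offsite", sha256_hex(b"oe-0306"),  b"oe-corrupt"),
]


def drp_findings(apps=CRITICAL_APPS, catalogue=CATALOGUE,
                 now=datetime(2013, 3, 6, 8, 0)):
    """Return (app, finding) pairs for every critical application whose
    off-site backup is missing, older than its RPO, or fails its hash check."""
    findings = []
    for app, rpo in apps:
        offsite = [row for row in catalogue if row[0] == app and row[2] == "offsite"]
        if not offsite:
            findings.append((app, "no off-site copy in catalogue"))
            continue
        # ISO-8601 timestamps of one format sort correctly as strings.
        newest = max(offsite, key=lambda row: row[1])
        age = now - datetime.fromisoformat(newest[1])
        if age > rpo:
            findings.append((app, f"newest off-site copy is {age} old, exceeds RPO of {rpo}"))
        if sha256_hex(newest[4]) != newest[3]:
            findings.append((app, "newest off-site copy fails integrity check"))
    return findings


if __name__ == "__main__":
    for app, finding in drp_findings():
        print(f"{app}: {finding}")
```

Note what the check does not prove: a current, intact off-site copy only shows the data could be restored, not that the second site has the hardware, documentation and supplies to run it. That is why the slides that follow ask separately about off-site documentation, team responsibilities and test frequency.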

DRP Audit Procedures

 Verify that documentation, supplies, etc., are stored off-site
 Verify that the disaster recovery team knows its responsibilities
 Check the frequency of testing the DRP

OUTSOURCING IT FUNCTION

Benefits of IT Outsourcing

 Improved core business processes
 Improved IT performance
 Reduced IT costs

Risks of IT Outsourcing

 Failure to perform
 Vendor exploitation
 Costs exceed benefits
 Reduced security
 Loss of strategic advantage

Audit Implications of IT
Outsourcing

 Management retains its SOX responsibility for internal controls over outsourced processes; outsourcing the work does not outsource the accountability
 A SAS No. 70 report on the vendor, or an audit of the vendor, will be required (SAS 70 has since been superseded by the SOC 1 report under SSAE 16, now SSAE 18)

THANK YOU!
