
ACCOUNTANCY DEPARTMENT

1
Contents
Attestation & assurance Services
Financial audit
Auditing standards
External vs. internal auditing
Information technology audit
Internal control

2
Attest Services
An engagement in which a practitioner is engaged to
issue, or does issue, a written communication that
expresses a conclusion about the reliability of a
written assertion that is the responsibility of another
party.

Attest: To affirm to be correct, true, or genuine

3
Requirements applied to
attestation services
Attestation services require written assertions
and a practitioner’s written report.
Attestation services require the formal
establishment of measurement criteria or their
description in the presentation.
The levels of service in attestation engagements
are limited to examination, review, and
application of agreed-upon procedures.

4
Assurance Services
Broader than attestation (Fig. 1-1)
Professional services designed to improve the
quality of information, both financial and non-
financial, used by decision-makers.
Intended to help people make better decisions by
improving information.

Assurance: A statement or indication that inspires
confidence; a guarantee or pledge

5
Assurance Services
Evolution of accounting profession is expected to
follow the assurance services model.
All “Big Five” professional services firms have
renamed their traditional audit functions
“Assurance Services.”
Organizational unit responsible for conducting IT
audits is named either IT Risk Management,
Information Systems Risk Management, or
Operational Systems Risk Management (OSRM)

6
Financial Audit
An independent attestation performed by an expert,
the auditor, who expresses an opinion regarding the
presentation of financial statements.
Auditor’s role is similar in concept to a judge who
collects and evaluates evidence and renders an
opinion.

7
Financial Audit
Key concept in this process is independence;
Judge must remain independent in his or her
deliberation.
Judge cannot be advocate of either party in the
trial, but must apply law impartially based on
evidence presented.
Likewise, independent auditor collects and
evaluates evidence and renders an opinion based
on evidence.

8
Financial Audit
Throughout audit process, auditor must maintain his
or her independence from client organization.
Public confidence in the reliability of the company’s
internally produced financial statements rests directly
on their being evaluated by an independent expert
auditor.

9
Financial Audit
Systematic audit process involves three conceptual
phases:
Familiarization w/ organization’s business
Evaluating and testing internal control
Assessing the reliability of financial data

10
Auditor’s Report
Product of attestation function is a formal written
report that expresses an opinion about the reliability
of the assertions contained in financial statements
Auditor’s report expresses an opinion as to whether
the financial statements are in conformity w/
generally accepted accounting principles

11
Auditing Standards
Auditors are guided in their professional
responsibility by the ten generally accepted auditing
standards (GAAS) Fig. 1-2
GAAS establishes a framework for prescribing auditor
performance, but it is not sufficiently detailed to
provide meaningful guidance in specific
circumstances

12
Auditing Standards
To provide specific guidance, American Institute
of Certified Public Accountants (AICPA) issues
Statements on Auditing Standards (SASs) as
authoritative interpretations of GAAS.
SASs are often referred to as auditing standards,
or GAAS, although they are not the ten generally
accepted auditing standards.

13
SAS
First issued by AICPA in 1972
Since then, many SASs have been issued to provide
auditors w/ guidance on a spectrum of topics,
including methods of investigating new clients,
techniques for obtaining background information on
client’s industry.

14
External vs. Internal Auditing
External auditing is often called independent
auditing because it is done by certified public
accountants who are independent of the
organization being audited.
External auditors represent the interests of third-
party stakeholders in the organization, such as
stockholders, creditors, and government agencies.
Because the focus of external audit is on financial
statements, this type of audit is called financial
audit

15
External vs. Internal Auditing
Institute of Internal Auditors defines internal
auditing as an independent appraisal function
established within an organization to examine and
evaluate its activities

16
External vs. Internal Auditing
Internal auditors perform a wide range of activities on
behalf of the organization, including conducting
financial audits, examining an operation’s compliance
with organizational policies, reviewing the
organization’s compliance with legal obligations,
evaluating operational efficiency, detecting and
pursuing fraud within the firm, and conducting IT
audits.

17
External vs. Internal Auditing
While external auditors represent outsiders,
internal auditors represent the interests of the
organization.
Internal auditors often cooperate with and assist
external auditors in performing financial audits.
This is done to achieve audit efficiency and
reduce audit fees. For example, a team of internal
auditors can perform tests of computer controls
under the supervision of a single external auditor.

19
Information Technology (IT) Audit
Focus on the computer-based aspects of an
organization’s information system
This includes assessing the proper implementation,
operation, and control of computer resources

20
Definition of Auditing
Auditing is a systematic process of objectively
obtaining and evaluating evidence regarding
assertions about economic actions and events to
ascertain the degree of correspondence between
those assertions and established criteria and
communicating the results to interested users

21
Elements of auditing
A systematic process
Management assertions and audit objectives
Obtaining evidence
Ascertaining the degree of correspondence
between established criteria
Communicating results

22
5 Categories of Management Assertions
(page 6)
Existence or occurrence assertion
Completeness assertion
Rights and obligations assertion
Valuation or allocation assertion
Presentation and disclosure assertion

Auditors develop their audit objectives and
design audit procedures based on the preceding
assertions.

23
Structure of IT Audit
IT audit is divided into three phases: audit planning,
tests of controls, and substantive testing (see Figure 1-3)

24
Internal Control
The establishment and maintenance of a system of
internal control is an important management obligation.
A fundamental aspect of management’s stewardship
responsibility is to provide shareholders with reasonable
assurance that the business is adequately controlled.
Additionally, management has a responsibility to furnish
shareholders and potential investors with reliable financial
information on a timely basis. (Sarbanes-Oxley act)
An adequate system of internal control is necessary to
management’s discharge of these obligations.
- Securities and Exchange Commission

25
Internal Control in Concept
Internal control system comprises policies,
practices, and procedures employed by the
organization to achieve four broad objectives:
To safeguard assets of the firm.
To ensure the accuracy and reliability of accounting
records and information.
To promote efficiency in the firm’s operations.
To measure compliance with management’s prescribed
policies and procedures

26
Exposure and Risk
Internal control shield (Figure 1-4) to protect firms
from numerous undesirable events
Attempts at unauthorized access to firm’s assets
(including information)
Fraud perpetrated by persons both in and outside the
firm
Errors due to employee incompetence, faulty computer
programs, corrupted input data

27
Exposure and Risk
Internal control shield to protect firms from
numerous undesirable events
Mischievous acts, such as unauthorized access by
computer hackers and threats from computer viruses
that destroy programs and databases

28
Exposure and Risk
Absence or weakness of a control is called exposure
Exposures increase firm’s risk to financial loss or
injury from undesirable events.

29
Exposure and Risk
A weakness in internal control may expose the
firm to one or more of the following types of risks:
Destruction of assets (both physical assets and
information)
Theft of assets
Corruption of information or the information system
(containing errors or alterations)
Disruption of the information system (its operation is
broken or interrupted)

30
3 Levels of Control
Preventive controls, detection controls, and
corrective controls

31
Preventive Controls
First line of defense in the control structure
Passive techniques designed to reduce the frequency
of occurrence of undesirable events
Preventing errors and fraud is far more cost-effective
than detecting and correcting problems after they
occur
In information security: firewall

32
Preventive Controls
For example, a well-designed data entry screen is an
example of a preventive control
Not all problems can be anticipated and prevented.

33
Detective Controls
Second line of defense
Devices, techniques, and procedures designed to
identify and expose undesirable events that elude
preventive controls
In information security: Intrusion detection

34
Corrective Controls
Corrective actions taken to reverse the effects of
detected errors
Detective controls identify undesirable events and
draw attention to the problem; corrective controls fix
the problem.
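The three levels of control on the preceding slides, as an added example that is not code from the original slides or their textbook. It runs one batch of journal entries through a preventive control (the field checks a data entry screen performs), a detective control (a batch control total and record count computed from the source documents), and a corrective control (a reversing entry plus a corrected re-posting). The entry layout, the chart of accounts, the control-total mechanism and the sample batch are all assumptions made for the illustration.

```python
"""Preventive, detective and corrective controls applied to one batch of
journal entries. Added example, not from the original slides: the entry
layout, the batch-control-total mechanism, the chart of accounts and the
sample batch are assumptions made to illustrate the three levels."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Assumed chart of accounts: any other account number is an invalid entry.
VALID_ACCOUNTS = {"1000", "1200", "2000", "4000"}


@dataclass(frozen=True)
class Entry:
    entry_id: str
    account: str
    amount: Decimal  # debits positive, credits negative


def preventive_validate(raw: dict) -> Entry:
    """Preventive control: the checks a well-designed data entry screen
    performs. A malformed record is rejected before it can reach the ledger."""
    entry_id = str(raw.get("entry_id", "?"))
    if raw.get("account") not in VALID_ACCOUNTS:
        raise ValueError(f"{entry_id}: unknown account {raw.get('account')!r}")
    try:
        amount = Decimal(str(raw["amount"]))
    except (KeyError, InvalidOperation):
        raise ValueError(f"{entry_id}: amount is missing or not numeric") from None
    if not amount.is_finite() or amount == 0 or amount.as_tuple().exponent < -2:
        raise ValueError(f"{entry_id}: amount must be non-zero with at most two decimals")
    return Entry(entry_id, raw["account"], amount)


def detective_batch_check(posted: list, control_total: Decimal, control_count: int) -> list:
    """Detective control: a control total and record count computed from the
    source documents are compared with what was actually posted. A dropped
    or mis-keyed record that got past prevention shows up as a discrepancy."""
    findings = []
    posted_total = sum((e.amount for e in posted), Decimal("0"))
    if posted_total != control_total:
        findings.append(f"total mismatch: posted {posted_total}, expected {control_total}")
    if len(posted) != control_count:
        findings.append(f"count mismatch: posted {len(posted)}, expected {control_count}")
    return findings


def corrective_reverse(ledger: list, bad_entry_id: str, correct_amount: Decimal) -> list:
    """Corrective control: undo the effect of a detected error with a
    reversing entry and re-post the correct one. The original is never
    edited or deleted, so the audit trail shows both the error and the fix."""
    original = next(e for e in ledger if e.entry_id == bad_entry_id)
    reversal = Entry(f"{bad_entry_id}-REV", original.account, -original.amount)
    corrected = Entry(f"{bad_entry_id}-COR", original.account, correct_amount)
    ledger.extend([reversal, corrected])
    return [reversal, corrected]


# Constructed sample batch: three source documents totalling 450.00.
# JE-2 names an account that does not exist (caught by prevention);
# JE-3 was keyed as 105.00 while the source document reads 150.00
# (well-formed, so only the control total catches it).
SAMPLE_BATCH = {
    "control_total": Decimal("450.00"),
    "control_count": 3,
    "records": [
        {"entry_id": "JE-1", "account": "1000", "amount": "100.00"},
        {"entry_id": "JE-2", "account": "9999", "amount": "200.00"},
        {"entry_id": "JE-3", "account": "4000", "amount": "105.00"},
    ],
}


def run_batch(batch: dict) -> dict:
    """Run the preventive and detective levels over a batch and report
    what each one did; correction is a separate, deliberate step."""
    ledger, rejected = [], []
    for raw in batch["records"]:
        try:
            ledger.append(preventive_validate(raw))
        except ValueError as err:
            rejected.append(str(err))
    findings = detective_batch_check(ledger, batch["control_total"], batch["control_count"])
    return {"ledger": ledger, "rejected": rejected, "findings": findings}


if __name__ == "__main__":
    result = run_batch(SAMPLE_BATCH)
    print("rejected by preventive control:", result["rejected"])
    print("flagged by detective control:", result["findings"])
    # After investigating the discrepancy, the reviewer finds the mis-keyed JE-3.
    corrective_reverse(result["ledger"], "JE-3", Decimal("150.00"))
    print("ledger total after correction:", sum(e.amount for e in result["ledger"]))
```

The mis-keyed JE-3 is the point of the example: it is a perfectly well-formed record, so no data entry screen can reject it, and only the detective control (the control total carried from the source documents) exposes it. The correction is posted as a reversal and a new entry rather than an edit, which is what keeps the ledger auditable.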

35
Statement on Auditing Standards
No. 78 (SAS 78)
Current authoritative document for specifying
internal control objectives and techniques.
Conforms to the recommendations of the
Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
Consists of five components: control
environment, risk assessment, information and
communication, monitoring, and control
activities

36
Control Environment
Foundation for the other control components
Important elements:
Integrity and ethical values of management
Structure of organization
Participation of organization’s board of directors and
audit committee
Management’s philosophy and operating style
… see page 13

37
Control Environment
SAS 78 requires that auditors obtain sufficient
knowledge to assess the attitude and awareness of
organization’s management, board of directors, and
owners regarding internal control.
See page 13 for examples of techniques that may be
used to obtain an understanding of control
environment

38
Risk Assessment
Identify, analyze, and manage risks relevant to
financial reporting
See page 14 for risks that can rise out of changes
in circumstances
SAS 78 requires that auditors obtain sufficient
knowledge of organization’s risk assessment
procedures to understand how management
identifies, prioritizes, and manages risks related to
financial reporting.

39
Information and Communication
Accounting information system consists of records
and methods used to initiate, identify, analyze,
classify, and record organization’s transactions and
to account for related assets and liabilities.
Quality of information generated by AIS impacts
management’s ability to take actions and make
decisions in connection with organization’s
operations and to prepare reliable financial
statements.

40
Effective AIS
Identify and record all valid financial transactions
Provide timely information about transactions in
sufficient detail to permit proper classification
and financial reporting
Accurately measure financial value of
transactions so their effects can be recorded in
financial statements
Accurately record transactions in time period in
which they occur

41
Effective AIS
SAS 78 requires that auditors obtain sufficient
knowledge of organization’s information systems to
understand
Classes of transactions that are material to financial
statements and how those transactions are initiated
Accounting records and accounts that are used in
processing of material transactions

42
Effective AIS
SAS 78 requires that auditors obtain sufficient
knowledge of organization’s information systems to
understand
Transaction processing steps involved from initiation of
economic event to its inclusion in financial statements
Financial reporting process used to prepare financial
statements, disclosures, and accounting estimates

43
Monitoring
Process by which quality of internal control
design and operation can be assessed
May be accomplished by separate procedures or
by ongoing activities
Internal auditors may monitor entity’s activities
in separate procedures. They gather evidence of
control adequacy by testing controls, then
communicate control strengths and weaknesses to
management

44
Monitoring
Ongoing monitoring may be achieved by
integrating special computer modules into
information system that capture key data and/or
permit tests of control to be conducted as part of
routine operations
Such embedded audit modules (EAMs) allow
management and auditors to maintain constant
surveillance over functioning of internal controls
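An embedded audit module in code, as an added example (not the slides' or the textbook's own design). The module is a hook called unconditionally inside the application's posting routine, so every transaction is inspected against auditor-defined criteria and the ones that match are copied to a separate audit file while normal processing continues. The transaction layout, the four criteria (materiality threshold, approved-vendor list, business hours, duplicate payment) and the sample transactions are assumptions.

```python
"""Embedded audit module (EAM): a hook inside the transaction-processing
path that copies every transaction meeting auditor-defined criteria to a
separate audit file while routine processing continues. Added example, not
the text's design: the transaction layout, the criteria and the sample
transactions are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from decimal import Decimal
from typing import Callable


@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str          # e.g. "payment", "purchase"
    vendor: str
    amount: Decimal
    user: str
    posted_at: datetime


class DuplicatePaymentTest:
    """Stateful criterion: a second payment to the same vendor for the same
    amount is a classic indicator of a duplicate or fraudulent disbursement.
    Keeping state across transactions is what makes the monitoring continuous."""

    def __init__(self) -> None:
        self.seen: set = set()

    def __call__(self, t: Txn) -> bool:
        if t.kind != "payment":
            return False
        key = (t.vendor, str(t.amount))
        if key in self.seen:
            return True
        self.seen.add(key)
        return False


@dataclass
class EmbeddedAuditModule:
    """Each criterion is a predicate; a captured transaction is written with
    every reason that fired, so the audit file is self-explanatory."""
    criteria: dict
    audit_file: list = field(default_factory=list)

    def inspect(self, t: Txn) -> list:
        reasons = [name for name, test in self.criteria.items() if test(t)]
        if reasons:
            self.audit_file.append({
                "txn_id": t.txn_id, "user": t.user, "vendor": t.vendor,
                "amount": str(t.amount), "posted_at": t.posted_at.isoformat(),
                "reasons": reasons,
            })
        return reasons


def post_transactions(txns: list, eam: EmbeddedAuditModule) -> list:
    """The application's posting routine. The EAM is called unconditionally
    inside it, so no caller can post a transaction without inspection."""
    ledger = []
    for t in txns:
        eam.inspect(t)     # capture first; the transaction is still posted normally
        ledger.append(t)
    return ledger


# Assumed control parameters an auditor might configure.
MATERIALITY = Decimal("10000")
APPROVED_VENDORS = {"ACME Supply", "Globex"}


def build_eam() -> EmbeddedAuditModule:
    return EmbeddedAuditModule(criteria={
        "over_materiality": lambda t: t.amount > MATERIALITY,
        "unapproved_vendor": lambda t: t.vendor not in APPROVED_VENDORS,
        "outside_business_hours": lambda t: not 8 <= t.posted_at.hour < 18,
        "duplicate_payment": DuplicatePaymentTest(),
    })


# Constructed sample transactions.
SAMPLE_TXNS = [
    Txn("T1", "payment", "ACME Supply", Decimal("4200.00"), "jdoe", datetime(2024, 3, 4, 10, 15)),
    Txn("T2", "payment", "ACME Supply", Decimal("4200.00"), "jdoe", datetime(2024, 3, 4, 10, 16)),
    Txn("T3", "purchase", "Shell Co Ltd", Decimal("12500.00"), "msmith", datetime(2024, 3, 4, 23, 40)),
    Txn("T4", "payment", "Globex", Decimal("980.00"), "jdoe", datetime(2024, 3, 5, 9, 0)),
]

if __name__ == "__main__":
    eam = build_eam()
    post_transactions(SAMPLE_TXNS, eam)
    for rec in eam.audit_file:
        print(rec)
```

Two design points matter for a real EAM: the hook sits inside the posting routine rather than being something callers opt into, and the audit file is written by the module itself rather than by the application, so the people who operate the application cannot quietly disable or edit the capture.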

45
Control Activities
Policies and procedures used to ensure appropriate
actions are taken to deal w/ organization’s identified
risks

46
Control Activities
Can be grouped into two categories:
Computer controls
 General control
 Application control

Physical controls
 transaction authorization
 segregation of duties
 supervision
 accounting records
 access control
 independent verification

47
Computer Controls/General Controls
Fall into two broad groups: general controls and
application controls
General controls pertain to entity-wide concerns such
as controls over data center, organization databases,
systems development, and program maintenance

48
Application Controls
Application controls ensure the integrity of specific
systems such as sales order processing, accounts
payable, and payroll applications

50
Physical Controls
Relates primarily to traditional accounting systems
that employ manual procedures
Six traditional categories of physical control activities:
transaction authorization, segregation of duties,
supervision, accounting records, access control, and
independent verification

51
Transaction Authorization
Ensure that all material transactions processed by
information systems are valid and in accordance w/
management’s objectives
Authorizations may be general or specific

52
General Authorization
Granted to operations personnel to perform day-to-
day operations
An example is the procedure that authorizes the purchase
of inventories from a designated vendor only when
inventory levels fall to their predetermined reorder
points. This is called a programmed procedure

53
Specific Authorization
Deals with case-by-case decisions associated with
non-routine transactions.
An example is the decision to extend a particular
customer’s credit limit beyond the normal amount
In an IT environment, the responsibility for
achieving control objectives of transaction
authorization rests directly on accuracy and
consistency of computer programs that perform
these tasks.

54
Segregation of Duties
To minimize incompatible functions
3 objectives provide general guidelines applicable to
most organizations
Authorization for a transaction is separate from
processing of the transaction. For example, purchases
should not be initiated by purchasing department until
authorized by inventory control department

55
Segregation of Duties
3 objectives provide general guidelines applicable to
most organizations
Responsibility for custody of assets should be separate
from recordkeeping responsibility. For example, the
department that has physical custody of finished goods
inventory should not keep official inventory records.
Accounting for finished goods inventory is performed
by inventory control, an accounting function.

56
Segregation of Duties
3 objectives provide general guidelines applicable to
most organizations
Organization should be structured so that a successful
fraud requires collusion between two or more
individuals with incompatible responsibilities. In other
words, no single individual should have sufficient
access to assets and supporting records to perpetrate a
fraud.

57
Segregation of Duties in IT
It is sometimes argued that computer errors are really
programming errors, that is, human errors, and that no
computer has ever perpetrated a fraud unless programmed
to do so by a human; on that view, separating computer
processing functions would serve no purpose

58
Segregation of Duties in IT
Segregation of duties still plays a role in IT
environment
Once proper functioning of a program is
established at system implementation, its
integrity must be preserved throughout the
application’s life cycle.
The activities of program development, program
operations, and program maintenance are critical
IT functions that must be adequately separated.
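The slides on general and specific authorization, on the three segregation-of-duties objectives, and on separating program development, operations and maintenance, as one added example (not the slides' or the textbook's own code). It shows a programmed general authorization (the reorder-point purchase), a specific authorization that demands an approver distinct from the requester, and an access-review check that flags any user holding two incompatible duties. The role names, the duty matrix (treating the three IT functions as pairwise incompatible), the reorder parameters and the sample access list are assumptions.

```python
"""Transaction authorization and segregation of duties as code. Added
example, not the text's own: the role names, the duty matrix, the reorder
parameters and the sample access list are assumptions chosen to illustrate
general and specific authorization, segregation of duties and separation of
program development, operations and maintenance."""
from dataclasses import dataclass
from decimal import Decimal
from itertools import combinations
from typing import Optional

# Duties that must not sit with one person. Assumed: the three IT
# functions are treated as pairwise incompatible.
INCOMPATIBLE_DUTIES = {
    frozenset(p) for p in [
        ("authorize", "process"),       # authorization vs. processing
        ("custody", "recordkeeping"),   # custody of assets vs. recordkeeping
        ("develop", "operate"),         # program development vs. operations
        ("develop", "maintain"),        # program development vs. maintenance
        ("operate", "maintain"),        # program operations vs. maintenance
    ]
}


def sod_conflicts(assignments: dict) -> dict:
    """Access-review check: for each user, list every pair of assigned duties
    that the matrix marks incompatible. A user with any conflict could commit
    a fraud without collusion, which is what segregation exists to prevent."""
    conflicts = {}
    for user, duties in assignments.items():
        pairs = [tuple(sorted(p)) for p in combinations(sorted(duties), 2)
                 if frozenset(p) in INCOMPATIBLE_DUTIES]
        if pairs:
            conflicts[user] = pairs
    return conflicts


@dataclass(frozen=True)
class PurchaseOrder:
    item: str
    quantity: int
    vendor: str
    authorized_by: str   # "programmed" for general authorization, else a person


def general_authorization(item: str, on_hand: int, reorder_point: int,
                          reorder_qty: int, designated_vendor: str) -> Optional[PurchaseOrder]:
    """General authorization as a programmed procedure: a purchase from the
    designated vendor is authorized automatically, and only when stock has
    fallen to the reorder point. No human decides, so the control depends
    entirely on this code being correct and unchanged."""
    if on_hand > reorder_point:
        return None
    return PurchaseOrder(item, reorder_qty, designated_vendor, "programmed")


def specific_authorization(requester: str, approver: str, requested_limit: Decimal,
                           normal_limit: Decimal, roles: dict) -> bool:
    """Specific authorization for a non-routine case: raising a customer's
    credit limit above the normal amount needs an explicit approver who holds
    the 'authorize' duty and is not the person processing the request."""
    if requested_limit <= normal_limit:
        return True                          # routine: covered by general authorization
    if approver == requester:
        return False                         # self-approval defeats segregation of duties
    return "authorize" in roles.get(approver, set())


# Constructed sample access list for the review.
SAMPLE_ASSIGNMENTS = {
    "alice": {"authorize"},                   # inventory control
    "bob": {"process"},                       # purchasing
    "carol": {"custody", "recordkeeping"},    # conflict: warehouse also keeps the books
    "dave": {"develop", "operate"},           # conflict: developer also runs production
    "erin": {"maintain"},
}

if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(SAMPLE_ASSIGNMENTS))
    print("reorder at 95 of 100:", general_authorization("widget", 95, 100, 500, "ACME Supply"))
    print("bob approves own override:",
          specific_authorization("bob", "bob", Decimal("20000"), Decimal("10000"), SAMPLE_ASSIGNMENTS))
```

The general-authorization function is the point the specific-authorization slide makes about IT environments: once the decision is programmed, the control is only as good as the program, which is why program development, operations and maintenance are themselves separated and why a change to that function should go through maintenance rather than be made by whoever operates it.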

59
Supervision
Achieving adequate segregation of duties often
presents difficulties for small organizations.
In small organizations or in functional areas that
lack sufficient personnel, management must
compensate for absence of segregation controls
with close supervision.
For this reason, supervision is also called a
compensating control.

60
Accounting Records
Source documents, journals, and ledgers capture
economic essence of transactions and provide an
audit trail of economic events
Audit trail enables auditor to trace any transaction
through all phases of its processing from initiation of
event to financial statements
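The audit trail the slide describes, as an added example (not code from the slides or their textbook). Each ledger posting carries the identifier of the journal entry it came from and each journal entry carries the identifier of its source document, so a transaction can be traced forward from the event (the completeness assertion) or vouched backward from the ledger (the existence assertion). The record layouts and the sample data, including the two deliberate gaps, are constructed for the illustration.

```python
"""Audit trail: every ledger posting links back through a journal entry to
the source document that started it, so a transaction can be traced in
either direction. Added example; the record layouts and the sample data
(including the two deliberate gaps) are constructed, not from the text."""
from decimal import Decimal

# Constructed records for three phases of processing. INV-1003 was never
# journalized; GL-5 has no journal entry behind it.
SOURCE_DOCS = [
    {"doc_id": "INV-1001", "kind": "sales_invoice", "customer": "C-7", "amount": Decimal("250.00")},
    {"doc_id": "INV-1002", "kind": "sales_invoice", "customer": "C-9", "amount": Decimal("80.00")},
    {"doc_id": "INV-1003", "kind": "sales_invoice", "customer": "C-7", "amount": Decimal("40.00")},
]
JOURNAL = [
    {"je_id": "JE-5001", "doc_id": "INV-1001",
     "lines": [("1200", Decimal("250.00")), ("4000", Decimal("-250.00"))]},
    {"je_id": "JE-5002", "doc_id": "INV-1002",
     "lines": [("1200", Decimal("80.00")), ("4000", Decimal("-80.00"))]},
]
LEDGER = [
    {"post_id": "GL-1", "je_id": "JE-5001", "account": "1200", "amount": Decimal("250.00")},
    {"post_id": "GL-2", "je_id": "JE-5001", "account": "4000", "amount": Decimal("-250.00")},
    {"post_id": "GL-3", "je_id": "JE-5002", "account": "1200", "amount": Decimal("80.00")},
    {"post_id": "GL-4", "je_id": "JE-5002", "account": "4000", "amount": Decimal("-80.00")},
    {"post_id": "GL-5", "je_id": "JE-9999", "account": "1200", "amount": Decimal("500.00")},
]


def trace_forward(doc_id: str) -> dict:
    """Follow one source document through every phase (completeness:
    did the recorded event reach the financial statements?)."""
    entries = [j for j in JOURNAL if j["doc_id"] == doc_id]
    je_ids = {j["je_id"] for j in entries}
    postings = [p for p in LEDGER if p["je_id"] in je_ids]
    return {"doc": next((d for d in SOURCE_DOCS if d["doc_id"] == doc_id), None),
            "journal": entries, "ledger": postings}


def trace_backward(post_id: str) -> dict:
    """Start from a component of a ledger balance and vouch it back to its
    source (existence: is there a real event behind the number?)."""
    posting = next((p for p in LEDGER if p["post_id"] == post_id), None)
    entry = next((j for j in JOURNAL if posting and j["je_id"] == posting["je_id"]), None)
    doc = next((d for d in SOURCE_DOCS if entry and d["doc_id"] == entry["doc_id"]), None)
    return {"ledger": posting, "journal": entry, "doc": doc}


def audit_trail_gaps() -> dict:
    """Run both directions over the whole population and report every break
    in the trail, plus any journal entry whose debits and credits differ."""
    unjournalized = [d["doc_id"] for d in SOURCE_DOCS
                     if trace_forward(d["doc_id"])["journal"] == []]
    unsupported = [p["post_id"] for p in LEDGER
                   if trace_backward(p["post_id"])["doc"] is None]
    unbalanced = [j["je_id"] for j in JOURNAL
                  if sum(a for _, a in j["lines"]) != 0]
    return {"unjournalized_docs": unjournalized,
            "unsupported_postings": unsupported,
            "unbalanced_entries": unbalanced}


if __name__ == "__main__":
    print(audit_trail_gaps())
    print(trace_backward("GL-5"))
```

Running both directions over the whole population is the check worth keeping: the forward pass finds events that were recorded at the source but never reached the ledger, and the backward pass finds ledger amounts with nothing behind them, which is where an unauthorized posting would show up.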

61
Access Controls
Ensure that only authorized personnel have access to
firm’s assets
Access control in IT environment includes provisions
for physical security of computer facilities.
Database security and authorization is important
access control mechanism in modern organizations.

62
Access Control in IT Environment
Limit personnel access authority
Restrict access to computer programs
Provide physical security for data processing center
Ensure adequate backup for data files
Provide disaster recovery capability

63
Audit Risk
Probability that the auditor will render an unqualified
opinion on financial statements that are, in fact,
materially misstated
The auditor’s objective is to reduce audit risk to an
acceptable level by performing tests of controls and
substantive tests.
3 components of audit risk are inherent risk, control
risk, and detection risk

64
Inherent Risk
Associated with unique characteristics of the business
or industry of the client
Firms in declining industries have greater inherent
risk than firms in stable or thriving industries.
Auditors cannot reduce the level of inherent risk.

65
Control Risk
is the likelihood that control structure is flawed
because controls are either absent or inadequate to
prevent or detect errors in the accounts
Auditors reduce level of control risk by performing
tests of internal controls, e.g., running test
transactions and seeing if erroneous transactions can
be detected

66
Detection Risk
is the risk that auditors are willing to take that errors
not detected or prevented by control structure will
also not be detected by the auditor
Lower planned detection risk requires more
substantive testing
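The relationship between the three components, stated as the standard audit risk model used in US auditing standards (it is not written out on these slides; added here to make the last bullet concrete):

$AR = IR \times CR \times DR$

where $AR$ is audit risk, $IR$ inherent risk, $CR$ control risk and $DR$ detection risk. The auditor fixes the acceptable $AR$, assesses $IR$ (which cannot be reduced) and $CR$ (from the tests of controls), and solves for the detection risk the substantive tests must achieve:

$DR = \dfrac{AR}{IR \times CR}$

Worked with assumed values: $AR = 0.05$, $IR = 0.8$, $CR = 0.5$ gives $DR = 0.05 / 0.40 = 0.125$. If the tests of controls instead show that controls cannot be relied on, so $CR = 1.0$, then $DR = 0.05 / 0.80 = 0.0625$: the planned detection risk halves, and the auditor must do correspondingly more substantive testing to hold $AR$ at 0.05.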

67
General Framework for IT Risks and
Controls
