Contents
Attestation & assurance Services
Financial audit
Auditing standards
External vs. internal auditing
Information technology audit
Internal control
2
Attest Services
An engagement in which a practitioner is engaged to
issue, or does issue, a written communication that
expresses a conclusion about the reliability of a
written assertion that is the responsibility of another
party.
3
Requirements applied to
attestation services
Attestation services require written assertions
and a practitioner’s written report.
Attestation services require the formal
establishment of measurement criteria or their
description in the presentation.
The levels of service in attestation engagements
are limited to examination, review, and
application of agreed-upon procedures.
4
Assurance Services
Broader than attestation (Fig. 1-1)
Professional services designed to improve the
quality of information, both financial and non-financial,
used by decision-makers.
Intended to help people make better decisions by
improving information.
5
Assurance Services
Evolution of accounting profession is expected to
follow the assurance services model.
All “Big Five” professional services firms have
renamed their traditional audit functions
“Assurance Services.”
Organizational unit responsible for conducting IT
audits is named either IT Risk Management,
Information Systems Risk Management, or
Operational Systems Risk Management (OSRM)
6
Financial Audit
An independent attestation performed by an expert,
the auditor, who expresses an opinion regarding the
presentation of financial statements.
Auditor’s role is similar in concept to a judge who
collects and evaluates evidence and renders an
opinion.
7
Financial Audit
Key concept in this process is independence;
Judge must remain independent in his or her
deliberation.
Judge cannot be advocate of either party in the
trial, but must apply law impartially based on
evidence presented.
Likewise, independent auditor collects and
evaluates evidence and renders an opinion based
on evidence.
8
Financial Audit
Throughout audit process, auditor must maintain his
or her independence from client organization.
Public confidence in the reliability of the company’s
internally produced financial statements rests directly
on their being evaluated by an independent expert
audit.
9
Financial Audit
Systematic audit process involves three conceptual
phases:
Familiarization w/ organization’s business
Evaluating and testing internal control
Assessing the reliability of financial data
10
Auditor’s Report
Product of attestation function is a formal written
report that expresses an opinion about the reliability
of the assertions contained in financial statements
Auditor’s report expresses an opinion as to whether
the financial statements are in conformity w/
generally accepted accounting principles
11
Auditing Standards
Auditors are guided in their professional
responsibility by the ten generally accepted auditing
standards (GAAS) Fig. 1-2
GAAS establishes a framework for prescribing auditor
performance, but it is not sufficiently detailed to
provide meaningful guidance in specific
circumstances
12
Auditing Standards
To provide specific guidance, American Institute
of Certified Public Accountants (AICPA) issues
Statements on Auditing Standards (SASs) as
authoritative interpretations of GAAS.
SASs are often referred to as auditing standards,
or GAAS, although they are not the ten generally
accepted auditing standards.
13
SAS
First issued by AICPA in 1972
Since then, many SASs have been issued to provide
auditors w/ guidance on a spectrum of topics,
including methods of investigating new clients,
techniques for obtaining background information on
client’s industry.
14
External vs. Internal Auditing
External auditing is often called independent
auditing because it is done by certified public
accountants who are independent of the
organization being audited.
External auditors represent the interests of third-party
stakeholders in the organization, such as
stockholders, creditors, and government agencies.
Because the focus of external audit is on financial
statements, this type of audit is called financial
audit
15
External vs. Internal Auditing
Institute of Internal Auditors defines internal
auditing as an independent appraisal function
established within an organization to examine and
evaluate its activities
16
External vs. Internal Auditing
Internal auditors perform a wide range of activities on
behalf of the organization, including conducting
financial audits, examining an operation’s compliance
with organizational policies, reviewing the
organization’s compliance with legal obligations,
evaluating operational efficiency, detecting and
pursuing fraud within the firm, and conducting IT
audits.
17
External vs. Internal Auditing
While external auditors represent outsiders,
internal auditors represent the interests of the
organization.
Internal auditors often cooperate with and assist
external auditors in performing financial audits.
This is done to achieve audit efficiency and
reduce audit fees. For example, a team of internal
auditors can perform tests of computer controls
under the supervision of a single external auditor.
18
Information Technology (IT) Audit
Focus on the computer-based aspects of an
organization’s information system
This includes assessing the proper implementation,
operation, and control of computer resources
20
Definition of Auditing
Auditing is a systematic process of objectively
obtaining and evaluating evidence regarding
assertions about economic actions and events to
ascertain the degree of correspondence between
those assertions and established criteria and
communicating the results to interested users
21
Elements of auditing
A systematic process
Management assertions and audit objectives
Obtaining evidence
Ascertaining the degree of correspondence
between the assertions and established criteria
Communicating results
22
5 Categories of Management Assertions
(page 6)
Existence or occurrence assertion
Completeness assertion
Rights and obligations assertion
Valuation or allocation assertion
Presentation and disclosure assertion
23
Structure of IT Audit
IT audit is divided into three phases: audit planning,
tests of controls, and substantive testing (See Figure 1-3)
24
Internal Control
The establishment and maintenance of a system of
internal control is an important management obligation.
A fundamental aspect of management’s stewardship
responsibility is to provide shareholders with reasonable
assurance that the business is adequately controlled.
Additionally, management has a responsibility to furnish
shareholders and potential investors with reliable financial
information on a timely basis. (Sarbanes-Oxley act)
An adequate system of internal control is necessary to
management’s discharge of these obligations.
- Securities and Exchange Commission
25
Internal Control in Concept
Internal control system comprises policies,
practices, and procedures employed by the
organization to achieve four broad objectives:
To safeguard assets of the firm.
To ensure the accuracy and reliability of accounting
records and information.
To promote efficiency in the firm’s operations.
To measure compliance with management’s prescribed
policies and procedures
26
Exposure and Risk
Internal control shield (Figure 1-4) to protect firms
from numerous undesirable events
Attempts at unauthorized access to firm’s assets
(including information)
Fraud perpetrated by persons both in and outside the
firm
Errors due to employee incompetence, faulty computer
programs, corrupted input data
27
Exposure and Risk
Internal control shield to protect firms from
numerous undesirable events
Mischievous acts, such as unauthorized access by
computer hackers and threats from computer viruses
that destroy programs and databases
28
Exposure and Risk
Absence or weakness of a control is called exposure
Exposures increase the firm’s risk of financial loss or
injury from undesirable events.
29
Exposure and Risk
A weakness in internal control may expose the
firm to one or more of the following types of risks:
Destruction of assets (both physical assets and
information)
Theft of assets
Corruption of information or the information system
(containing errors or alterations)
Disruption of the information system
30
3 Levels of Control
Preventive controls, detection controls, and
corrective controls
31
Preventive Controls
First line of defense in the control structure
Passive techniques designed to reduce the frequency
of occurrence of undesirable events
Preventing errors and fraud is far more cost-effective
than detecting and correcting problems after they
occur
In information security: firewall
32
Preventive Controls
A well-designed data entry screen is an example of a
preventive control
Not all problems can be anticipated and prevented.
33
Detective Controls
Second line of defense
Devices, techniques, and procedures designed to
identify and expose undesirable events that elude
preventive controls
In information security: Intrusion detection
34
Corrective Controls
Corrective actions taken to reverse the effects of
detected errors
Detective controls identify undesirable events and
draw attention to the problem; corrective controls fix
the problem.
35
Statement on Auditing Standards
No. 78 (SAS 78)
Current authoritative document for specifying
internal control objectives and techniques.
Conforms to the recommendations of the
Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
Consists of five components: control
environment, risk assessment, information and
communication, monitoring, and control
activities
36
Control Environment
Foundation for the other control components
Important elements:
Integrity and ethical values of management
Structure of organization
Participation of organization’s board of directors and
audit committee
Management’s philosophy and operating style
… see page 13
37
Control Environment
SAS 78 requires that auditors obtain sufficient
knowledge to assess the attitude and awareness of
organization’s management, board of directors, and
owners regarding internal control.
See page 13 for examples of techniques that may be
used to obtain an understanding of control
environment
38
Risk Assessment
Identify, analyze, and manage risks relevant to
financial reporting
See page 14 for risks that can arise from changes
in circumstances
SAS 78 requires that auditors obtain sufficient
knowledge of organization’s risk assessment
procedures to understand how management
identifies, prioritizes, and manages risks related to
financial reporting.
39
Information and Communication
Accounting information system consists of records
and methods used to initiate, identify, analyze,
classify, and record organization’s transactions and
to account for related assets and liabilities.
Quality of information generated by AIS impacts
management’s ability to take actions and make
decisions in connection with organization’s
operations and to prepare reliable financial
statements.
40
Effective AIS
Identify and record all valid financial transactions
Provide timely information about transactions in
sufficient detail to permit proper classification
and financial reporting
Accurately measure financial value of
transactions so their effects can be recorded in
financial statements
Accurately record transactions in time period in
which they occur
41
Effective AIS
SAS 78 requires that auditors obtain sufficient
knowledge of organization’s information systems to
understand
Classes of transactions that are material to financial
statements and how those transactions are initiated
Accounting records and accounts that are used in
processing of material transactions
42
Effective AIS
SAS 78 requires that auditors obtain sufficient
knowledge of organization’s information systems to
understand
Transaction processing steps involved from initiation of
economic event to its inclusion in financial statements
Financial reporting process used to prepare financial
statements, disclosures, and accounting estimates
43
Monitoring
Process by which quality of internal control
design and operation can be assessed
May be accomplished by separate procedures or
by ongoing activities
Internal auditors may monitor entity’s activities
in separate procedures. They gather evidence of
control adequacy by testing controls, then
communicate control strengths and weaknesses to
management
44
Monitoring
Ongoing monitoring may be achieved by
integrating special computer modules into
information system that capture key data and/or
permit tests of control to be conducted as part of
routine operations
Such embedded audit modules (EAMs) allow
management and auditors to maintain constant
surveillance over functioning of internal controls
45
Control Activities
Policies and procedures used to ensure appropriate
actions are taken to deal w/ organization’s identified
risks
46
Control Activities
Can be grouped into two categories:
Computer controls
General control
Application control
Physical controls
transaction authorization
segregation of duties
supervision
accounting records
access control
independent verification
47
Computer Controls/General Controls
Fall into two broad groups: general controls and
application controls
General controls pertain to entity-wide concerns such
as controls over data center, organization databases,
systems development, and program maintenance
48
Application Controls
Application controls ensure the integrity of specific
systems such as sales order processing, accounts
payable, and payroll applications
49
Physical Controls
Relates primarily to traditional accounting systems
that employ manual procedures
Six traditional categories of physical control activities:
transaction authorization, segregation of duties,
supervision, accounting records, access control, and
independent verification
51
Transaction Authorization
Ensure that all material transactions processed by
information systems are valid and in accordance w/
management’s objectives
Authorizations may be general or specific
52
General Authorization
Granted to operations personnel to perform day-to-day
operations
An example is a procedure that authorizes the purchase
of inventories from a designated vendor only when
inventory levels fall to their predetermined reorder
points. This is called a programmed procedure
53
Specific Authorization
Deals with case-by-case decisions associated w/
non-routine transactions.
Example is the decision to extend a particular
customer’s credit limit beyond the normal amount
In an IT environment, the responsibility for
achieving control objectives of transaction
authorization rests directly on accuracy and
consistency of computer programs that perform
these tasks.
54
Segregation of Duties
To minimize incompatible functions
3 objectives provide general guidelines applicable to
most organizations
Authorization for a transaction is separate from
processing of the transaction. For example, purchases
should not be initiated by purchasing department until
authorized by inventory control department
55
Segregation of Duties
3 objectives provide general guidelines applicable to
most organizations
Responsibility for custody of assets should be separate
from recordkeeping responsibility. For example, the
department that has physical custody of finished goods
inventory should not keep official inventory records.
Accounting for finished goods inventory is performed
by inventory control, an accounting function.
56
Segregation of Duties
3 objectives provide general guidelines applicable to
most organizations
Organization should be structured so that a successful
fraud requires collusion between two or more
individuals with incompatible responsibilities. In other
words, no single individual should have sufficient
access to assets and supporting records to perpetrate a
fraud.
57
Segregation of Duties in IT
Computer errors are programming errors that are, in
fact, human errors; no computer has ever perpetrated
a fraud unless programmed to do so by a human
From this, one might conclude that separating
computer processing functions serves no purpose
58
Segregation of Duties in IT
Segregation of duties still plays a role in IT
environment
Once proper functioning of a program is
established at system implementation, its
integrity must be preserved throughout the
application’s life cycle.
The activities of program development, program
operations, and program maintenance are critical
IT functions that must be adequately separated.
59
Supervision
Achieving adequate segregation of duties often
presents difficulties for small organizations.
In small organizations or in functional areas that
lack sufficient personnel, management must
compensate for absence of segregation controls
with close supervision.
For this reason, supervision is also called
compensating control.
60
Accounting Records
Source documents, journals, and ledgers capture
economic essence of transactions and provide an
audit trail of economic events
Audit trail enables auditor to trace any transaction
through all phases of its processing from initiation of
event to financial statements
61
Access Controls
Ensure that only authorized personnel have access to
firm’s assets
Access control in IT environment includes provisions
for physical security of computer facilities.
Database security and authorization is important
access control mechanism in modern organizations.
62
Access Control in IT Environment
Limit personnel access authority
Restrict access to computer programs
Provide physical security for data processing center
Ensure adequate backup for data files
Provide disaster recovery capability
63
Audit Risk
Probability that auditor will render an unqualified
opinion on financial statements that are, in fact,
materially misstated
Auditor’s objective is to minimize audit risk by
performing tests of controls and substantive tests.
3 components of audit risk are inherent risk, control
risk, and detection risk
64
Inherent Risk
Associated with unique characteristics of the business
or industry of the client
Firms in declining industries have greater inherent
risk than firms in stable or thriving industries.
Auditors cannot reduce the level of inherent risk.
65
Control Risk
Likelihood that the control structure is flawed
because controls are either absent or inadequate to
prevent or detect errors in the accounts
Auditors reduce level of control risk by performing
tests of internal controls, e.g., running test
transactions and seeing if erroneous transactions can
be detected
66
Detection Risk
Risk that auditors are willing to take that errors
not detected or prevented by the control structure will
also not be detected by the auditor
Lower planned detection risk requires more
substantive testing
67
General Framework for IT Risks and
Controls
68