Chapter 1:

Auditing, Assurance, and

Internal Control

Hall & Singleton, 2e

 AUDITING
Auditing is a systematic process of
objectively obtaining and evaluating
evidence regarding assertions about
economic actions and events to ascertain
the degree of correspondence between
those assertions and establishing criteria
and communicating the results to
interested users.
 INTERNAL AUDITS
 Internal auditing: independent appraisal function
established within an organization to examine
and evaluate its activities as a service to the
organization
 Financial Audits
 Operational Audits
 Compliance Audits
 Fraud Audits
 IT Audits
 CIA
 IIA
 IT AUDITS
 IT audits: provide audit services where
processes or data, or both, are embedded in
technologies.
 Subject to ethics, guidelines, and standards of the
profession (if certified)
 CISA
 Most closely associated with ISACA
 Joint with internal, external, and fraud audits
 Scope of IT audit coverage is increasing
 Characterized by CAATTs
 IT governance as part of corporate governance
 FRAUD AUDITS
 Fraud audits: provide investigation services
where anomalies are suspected, to develop
evidence to support or deny fraudulent
activities.
 Auditor is more like a detective
 No materiality
 Goal is conviction, if sufficient evidence of fraud
exists
 CFE
 ACFE
 EXTERNAL AUDITS
 External auditing: Objective is that in all material
respects, financial statements are a fair
representation of organization’s transactions
and account balances.
 EXTERNAL vs. INTERNAL
 External auditing:
 Independent auditor (CPA)
 Independence
 Required by SEC for publicly-traded companies
 Referred to as a “financial audit”
 Represents interests of outsiders, “the public” (e.g.,
stockholders)
 Standards, guidance, certification governed by government
bodies
 Internal auditing:
 Auditor (often a CIA or CISA)
 Is an employee of organization imposing independence on self
 Optional per management requirements
 Broader services than financial audit; (e.g., operational audits)
 Represent interests of the organization
 Standards, guidance, certification governed by IIA and ISACA
 FINANCIAL AUDITS
 An independent attestation performed by an expert (i.e.,
an auditor, a CPA) who expresses an opinion regarding
the presentation of financial statements
 Key concept: Independence
 {Should be} Similar to a trial by judge
 Culmination of systematic process involving:
 Familiarization with the organization’s business
 Evaluating and testing internal controls
 Assessing the reliability of financial data
 Product is formal written report that expresses an
opinion about the reliability of the assertions in financial
statements; in conformity with GAAP
 ATTEST definition
 Written assertions
 Practitioner’s written report
 Formal establishment of measurement criteria or their
description
 Limited to:
 Examination
 Review
 Application of agreed-upon procedures
 ATTEST vs. ASSURANCE
 ASSURANCE
 Professional services that are designed to improve
the quality of information, both financial and non-
financial, used by decision-makers
 IT Audit Groups in “Big Four”
 IT Risk Management
 I.S. Risk Management
 Operational Systems Risk Management
 Technology & Security Risk Services
 Typically a division of assurance services
 AUDITING STANDARDS
 Auditing standards
 Set by PICPA
 Authoritative
 Ten Generally Accepted Auditing Standards (GAAS)
 Three categories:
 General Standards
 Standards of Field Work
 Reporting Standards
 AUDITS
 Systematic process
 Five primary management assertions, and
correlated audit objectives and procedures
[Table 1-2]
 Existence or Occurrence
 Completeness
 Rights & Obligations
 Valuation or Allocation
 Presentation or Disclosure
AUDITS
 AUDITS
 Phases [Figure 1-1]
1. Planning
2. Obtaining evidence
 Tests of Controls
 Substantive Testing
 CAATTs
 Analytical procedures
3. Ascertaining reliability
 MATERIALITY
4. Communicating results
 Audit opinion
 Audit Risk Formula

 AUDIT RISK:
 The probability that the auditor
will give an inappropriate opinion
on the financial statements: that
is, that the statements will contain
materials misstatement(s) which
the auditor fails to find
 Audit Risk Formula
 INHERENT RISK:
 Theprobability that material
misstatements have occurred
 Material vs. Immaterial
 Includes economic conditions, etc.
 Relative risk (e.g., cash)
 Audit Risk Formula

 CONTROL RISK:
 Theprobability that the internal
controls will fail to detect material
misstatements
 Audit Risk Formula

 DETECTION RISK:
 Theprobability that the audit
procedures will fail to detect material
misstatements
 Substantive procedures
 Audit Risk Formula
 AUDIT RISK MODEL:
 AR = IR * CR * DR
 example inventory with:
IR=40%, CR=60%, AR=5% (fixed)
.05 = .4 * .6 * DR
... then DR= 20.83%
 Why is AR = 5%?
 What is detection risk?
 Can CR realistically be 0?
 Relationship between DR and substantive
procedures
 Audit Risk Model
 Relationship between tests of controls and
substantive tests
 Illustrate higher reliability of the internal controls and
the Audit Risk Model
 What happens if internal controls are more reliable than last
audit?
 Last year: .05 = .4 * .6 * DR [DR = 0.2083]
 This year: .05 = .4 * .4 * DR [DR = 0.3125]
 The more reliable the internal controls, the lower the CR
probability; thus the lower the DR will be, and fewer
substantive tests are necessary.
 Substantive tests are labor intensive
 Role of Audit Committee
 Selected from board of directors
 Usually three members
 Outsiders (S-OX now requires it)
 Fiduciary responsibility to shareholders
 Serve as independent check and balance
system
 Interact with internal auditors
 Hire, set fees, and interact with external auditors
 Resolved conflicts of GAAP between external
auditors and management
 What is an IT Audit?

… most accounting transactions to be in

electronic form without any paper
documentation because electronic
storage is more efficient. … These
technologies greatly change the nature of
audits, which have so long relied on paper
documents.
 THE IT ENVIRONMENT
 There has always been a need for an effective
internal control system.
 The design and oversight of that system has
typically been the responsibility of accountants.
 The I.T. Environment complicates the paper
systems of the past.
 Concentration of data
 Expanded access and linkages
 Increase in malicious activities in systems vs. paper
 Opportunity that can cause management fraud (i.e.,
override)
THE IT ENVIRONMENT
 INTERNAL CONTROL
 is … policies, practices, procedures
… designed to …
 safeguard assets
 ensure accuracy and reliability
 promote efficiency
 measure compliance with policies
 Modifying Assumptions
1. Management responsibility
2. Reasonable assurance
 no I.C.S. is perfect
 benefits => costs

3. Methods of data processing

 Objectives same regardless of DP method
 Specific controls vary w/ different
technologies
 Modifying Assumptions

4. Limitations
 Possibility of error
 Possibility of circumvention
 Management override
 Changing conditions
 EXPOSURES AND RISK
 Exposure
 Risks
 Types of risk
 Destruction of assets
 Theft of assets
 Corruption of information or the I.S.
 Disruption of the I.S.
 THE P-D-C MODEL
 Preventive controls
 Detective controls
 Corrective controls
THE P-D-C MODEL
 SAS 78
(#5: Control Activities)
 Physical Controls
 Transaction authorization
 Example:
 Sales only to authorized customer
 Sales only if available credit limit
 Segregation of duties
 Examples of incompatible duties:
 Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
 Custody vs. recordkeeping [e.g., custody of inventory vs. DP of
inventory]
 Fraud requires collusion [e.g., separate various steps in process]
 Supervision
 Serves as compensating control when lack of segregation of
duties exists by necessity
 Physical Controls
 Accounting records (audit trails)
 Access controls
 Direct (the assets)
 Indirect (documents that control the assets)
 Fraud
 Disaster Recovery
 Independent verification
 Management can assess:
 The performance of individuals
 The integrity of the AIS
 The integrity of the data in the records