MAKANJU, T. A.
08029248172
08055821595
AUDITING
10-2
Auditing
• an examination of the controls within an entity's
financial information for the purpose of
determining whether an organization's financial
statements and financial condition are presented
fairly in accordance with generally accepted
accounting principles (GAAP)
10-3
Auditing
2 broad categories of audits:
1. Internal Auditing
2. External Auditing
10-4
Internal Auditing
• Who does it? Internal employees
(outsource)
10-5
Internal Auditing -Types
• Information systems: review AIS controls to
assess compliance with internal control
policies/procedures & effectiveness in
safeguarding assets
• Operational/management: reviews company
resources and operations – for efficiency,
effectiveness, as planned
• Compliance: ensure compliance with laws,
rules, and regulations
10-6
External Auditing (FS Audit)
• Who does it? Independent, external auditors
• For whom? SEC, investors
• What?
– Examination of a client’s FS for the purpose of
deciding whether or not the FS are fairly presented
according to GAAP.
– Attest function: give an opinion on the fairness of
the FS wrt GAAP applying GAAS. Reliability
and integrity of accounting records
10-7
5 Step Audit Process
(for all audit types)
(1) Audit Planning: Establish audit objectives, identify
risks, Audit program
(2) Collect audit evidence: interviews, examinations,
recalculations, sampling IDEA, ACL
(3) Evaluate evidence: materiality
(4) Arrive at an opinion –
FS: standard unqualified, unqualified with
explanatory paragraph, qualified, adverse, disclaimer
(5) Communicate Audit Results
FS: audit report
10-8
Auditing Standards
• Statement on Auditing Standards (SAS) 94 “The Effect
of Information Technology on the Auditor's
Consideration of Internal Control in a Financial
Statement Audit”
– Auditors must have a sufficient understanding of (and
document) each of the 5 components of the IC when
planning the audit
– Addresses the effects of IT on IC
– May need to design tests of controls in addition to
substantive tests (of balances)
10-9
A. Phases of the Information
Systems Audit
1. Initial review and
evaluation of the area to
be audited, and the audit
plan preparation
2. Detailed review and
evaluation of controls
3. Compliance testing
4. Analysis and reporting of
results
B. Structure of the Financial
Statement Audit
[Figure: Transactions → Accounting System → Financial Reports. The interim audit performs compliance testing; the financial statement audit performs substantive testing.]
B1. Compliance Testing
Processing
Auditing Around the Computer
• Ignores the controls and computer processing -
assumes accurate output = proper processing
• Auditor examines, on a sample basis, inputs to the
computer and corresponding outputs
• Suitable only if the following conditions are met:
1. computer processing is relatively simple
2. Audit trail is clearly visible
3. A substantial amount of up-to-date documentation
exists about how the system works.
10-15
Auditing With The Computer
The utilization of the computer by an auditor to
perform some audit work that would otherwise
have to be done manually.
Auditing Through the Computer
The process of reviewing and evaluating the
internal controls in an electronic data
processing system.
Auditing Through the Computer
• Auditor follows the audit trail through the internal
computer operations; attempts to verify that the
processing controls are functioning correctly
• Directly tests the computer controls and verifies the
accuracy of computer-based processing of input data.
• Tests controls that, if functioning properly, would
prevent errors from occurring.
10-18
Test Data
The auditor prepares input containing both valid
and invalid data. Prior to processing the test
data, the input is manually processed to
determine what the output should look like.
The auditor then compares the computer-
processed output with the manually processed
results.
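The test data technique as a small harness, added here as an illustration and not part of the original slides. `post_payment` is a hypothetical stand-in for the client application, and the customer file, limit and test deck are constructed.

```python
from decimal import Decimal

VALID_CUSTOMERS = {"C001", "C002"}   # constructed master file
PAYMENT_LIMIT = Decimal("10000.00")  # assumed limit the application should enforce

def post_payment(txn):
    """Hypothetical application under audit: returns 'POSTED' or a reject code."""
    if txn["customer"] not in VALID_CUSTOMERS:
        return "REJECT_CUSTOMER"
    if Decimal(txn["amount"]) <= 0:
        return "REJECT_AMOUNT"
    # Constructed control gap for the demonstration: PAYMENT_LIMIT is never checked.
    return "POSTED"

# Auditor's test deck: valid and invalid input, each with the result
# worked out manually before the run.
TEST_DECK = [
    ({"customer": "C001", "amount": "250.00"}, "POSTED"),
    ({"customer": "C999", "amount": "250.00"}, "REJECT_CUSTOMER"),
    ({"customer": "C002", "amount": "-5.00"}, "REJECT_AMOUNT"),
    ({"customer": "C002", "amount": "10000.01"}, "REJECT_LIMIT"),
]

def run_test_deck(application, deck):
    """Process every test transaction; return those where expected != actual."""
    exceptions = []
    for txn, expected in deck:
        try:
            actual = application(txn)
        except Exception as exc:  # a crash on invalid input is itself a finding
            actual = f"ERROR:{type(exc).__name__}"
        if actual != expected:
            exceptions.append({"txn": txn, "expected": expected, "actual": actual})
    return exceptions

if __name__ == "__main__":
    for finding in run_test_deck(post_payment, TEST_DECK):
        print(finding)
```

The one exception reported is the over-limit payment that the application posts instead of rejecting, which is the kind of control failure the invalid records in a test deck exist to expose.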
Review of Systems
Documentation
The auditor reviews documentation such as
narrative descriptions, flowcharts, and program
listings. In desk checking the auditor processes
test or real data through the program logic.
Illustration of Test Data
Approach
[Figure: the auditors prepare test transactions and results. The test data are run through the computer application system in computer operations, and the auditor compares the computer output with the manually processed results.]
Integrated Test Facility (ITF)
Approach
A common form of an ITF is as follows:
1. A dummy ITF center is created for the auditors.
2. Auditors create transactions for controls they
want to test.
3. Working papers are created to show expected
results from manually processed information.
4. Auditor transactions are run with actual
transactions.
5. Auditors compare ITF results to working papers.
Illustration of ITF Approach
[Figure: in computer operations, the computer application system processes data files that include ITF data and produces reports with only actual data and reports with only ITF data. The auditor compares the ITF reports with manually processed results.]
Parallel Simulation
The test data and ITF methods both process test
data through real programs. With parallel
simulation, the auditor processes real client data
on an audit program similar to some aspect of the
client’s program. The auditor compares the
results of this processing with the results of the
processing done by the client’s program.
Illustration of Parallel Simulation
[Figure: actual transactions are processed both by the computer application system in computer operations and by the auditor's simulation program.]
[Figure labels: Invoice No., Sale invoice, Customer ID, Customer Table]
10-31
Auditing Through the Computer
2. Validate Computer Programs
• Test of program change control: make sure
IC procedures exist and are followed
• Program comparison: compare production
program with archived old version (trojan
horse, salami)
• Surprise audits and surprise use of programs:
compare accounting application programs
unexpectedly with authorized version
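Program comparison can be automated by hashing the production programs and checking them against a manifest built from the archived, authorized copies. The sketch below is an added example, not part of the original slides; the file names and program contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large program binaries are handled too."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(directory):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(directory)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_baseline(production_dir, baseline):
    """Return programs that differ from, are absent from, or are not in the baseline."""
    current = build_manifest(production_dir)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "unauthorized": sorted(n for n in current if n not in baseline),
    }

def demo():
    """Constructed scenario: one program altered and one added after archiving."""
    with tempfile.TemporaryDirectory() as archive, tempfile.TemporaryDirectory() as prod:
        for folder in (archive, prod):
            Path(folder, "payroll.py").write_text("net = gross - tax\n")
            Path(folder, "interest.py").write_text("interest = round(balance * rate, 2)\n")
        baseline = build_manifest(archive)  # taken from the authorized copies
        Path(prod, "interest.py").write_text("interest = int(balance * rate * 100) / 100\n")
        Path(prod, "export.py").write_text("# program with no authorized version\n")
        return compare_to_baseline(prod, baseline)

if __name__ == "__main__":
    for category, names in demo().items():
        print(category, names)
```

The comparison is only as trustworthy as the baseline, so the manifest should be kept where the people who can change production programs cannot also change it.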
10-32
Auditing Through the Computer
3. Review of systems software
• Operating systems software
• Utility programs that do basic
“housekeeping” chores such as sorting and
copying
• Program library software that controls and
monitors storage of programs
• Access control software that controls logical
access to programs and data files
10-33
Auditing Through the Computer
4. Continuous Auditing:
Audit tools installed within the IS
• Audit hooks
• Continuous and intermittent simulation
• Embedded audit modules
• Exception reporting
• SCARF
• Snapshot technique
• Transaction tagging
Match these terms with their definitions on the next slides.
10-34
Auditing Through the Computer
• Embedded audit modules:
Application subroutine that captures data for
audit purposes
Write to a special log file called SCARF (systems
control audit review file)
Ex: transactions affecting inactive accounts,
deviating from company policy, write-downs of
asset values
10-35
Auditing Through the Computer
• audit hooks:
audit routine that flags suspicious transactions
(real-time notification)
• Exception reporting:
mechanisms that reject certain transactions
that fall outside predefined specifications
10-36
Auditing Through the Computer
• Transaction tagging
Place a special identifier on transactions so that they can
be recorded as they pass through the IS.
EX: tag an employee’s transaction records, manually
calculate & compare
• Snapshot technique
audit modules record selected transactions before and
after processing. Auditor reviews to make sure all
processing steps performed properly.
10-37
Auditing Through the Computer
• Continuous and intermittent simulation (CIS)
- audit module in DBMS
- examines all transactions that update the DBMS. If a
transaction has special audit significance, the audit
module independently processes the data, records the
results and compares them with the DBMS results. Any
discrepancies are written to an audit log for subsequent
review, OR the module may stop the DBMS from executing
the update process.
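A minimal sketch of the embedded audit module and CIS ideas above, added here as an illustration and not part of the original slides. The update logic, account records and the list standing in for the SCARF file are all constructed, and the significance tests reuse two of the slide's examples (inactive accounts, write-downs).

```python
from decimal import Decimal

def dbms_apply(balance, txn):
    """Hypothetical production update logic, with a constructed write-down defect."""
    if txn["type"] == "WRITE_DOWN":
        return balance - txn["amount"] * 2
    return balance + txn["amount"]

def audit_recompute(balance, txn):
    """The audit module's independent calculation of the same update."""
    if txn["type"] == "WRITE_DOWN":
        return balance - txn["amount"]
    return balance + txn["amount"]

def audit_reasons(account, txn):
    """Why a transaction has audit significance (empty list = none)."""
    reasons = []
    if not account["active"]:
        reasons.append("inactive account")
    if txn["type"] == "WRITE_DOWN":
        reasons.append("write-down")
    return reasons

def update(accounts, scarf, txn, block_on_mismatch=True):
    """Apply txn; return False if the audit module stopped the update."""
    account = accounts[txn["account"]]
    new_balance = dbms_apply(account["balance"], txn)
    reasons = audit_reasons(account, txn)
    if reasons:
        expected = audit_recompute(account["balance"], txn)
        match = expected == new_balance
        scarf.append({"txn": txn, "reasons": reasons, "dbms": new_balance,
                      "audit": expected, "match": match})
        if not match and block_on_mismatch:
            return False
    account["balance"] = new_balance
    return True

def run_demo():
    """Constructed accounts and transactions."""
    accounts = {"A100": {"balance": Decimal("500.00"), "active": True},
                "A200": {"balance": Decimal("80.00"), "active": False}}
    scarf = []  # stands in for the SCARF / audit log file
    txns = [{"account": "A100", "type": "DEPOSIT", "amount": Decimal("25.00")},
            {"account": "A200", "type": "DEPOSIT", "amount": Decimal("10.00")},
            {"account": "A100", "type": "WRITE_DOWN", "amount": Decimal("100.00")}]
    return [update(accounts, scarf, t) for t in txns], scarf, accounts
```

The ordinary deposit passes unlogged, the deposit to the inactive account is logged and applied, and the write-down is logged with a mismatch and stopped before the balance changes.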
10-38
Risk-based Audit Approach
GOAL: Provide a clear understanding of the
errors and irregularities that can occur and the
related risks and exposures
1. Determine the threats (errors, irregularities)
2. Identify the needed control procedures
3. Evaluate the control procedures
4. Evaluate weaknesses to determine effect on
nature, timing, and extent of auditing
procedures. Compensating Controls?
10-39
Risk-based Audit Approach
Evaluate Control Procedures
System review – are procedures in place?
EX: review docs, interviews
Tests of controls = compliance testing – are the
controls in place and working as prescribed?
Ex: observe operations, check samples of input,
verify use, trace transactions
10-40
Audit Risk Model
• Used in audit planning:
• AR = audit risk: likelihood that the FS are
materially misstated
• AR = IR x CR x DR
– IR: auditor cannot reduce
– CR: auditor assesses general and application controls
applicable to each FS assertion;
tests of controls = compliance tests
– DR: auditor can control this
10-41
Audit Risk Model
• IR = inherent risk: susceptibility of an account or class
of transactions to material error
• CR = control risk = likelihood that the IC control
structure will fail to prevent/detect a material error
• DR = detection risk = likelihood that the auditor’s
procedures will not uncover material errors
– More auditing procedures = lower DR
– Inversely related to CR: if CR is high, then an auditor
sets DR low and performs more substantive tests (detail
tests of transactions and account balances)
10-42
Audit Risk Model
Example
• Assume controls over the revenue cycle are
not effective and cannot be relied upon. The
auditor is worried about the correctness of
the A/R balance. To lower detection risk,
what would the auditor do?
• Increase substantive testing of the A/R
balance – send out lots of confirmation
letters to customers.
10-44
AUDIT BENEFITS OF THE IT
ENVIRONMENT
• Consistent processing of large volumes of transactions or data
• Enhanced information timeliness, availability, and
accuracy
• Facilitation of the additional analysis of information
• Enhanced ability to monitor the performance of activities,
policies, and procedures
• Reduction in the risk that controls will be circumvented, if
IT system controls are effective
10-45
RISKS OF THE IT
ENVIRONMENT
• Incorrectly processing data or consistently processing inaccurate
data
• Unauthorized access to data that might be destroyed or
improperly changed
• Unauthorized changes to computer programs
• Failure to make necessary changes to computer programs
• Inappropriate manual intervention
• Potential loss of data