
CHAPTER 1

Auditing, Assurance,
and Internal Control

AUDITING

DIFFERENT TYPES OF AUDIT


INTERNAL AUDITS
Internal Auditing - an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.

CIA - Certificate Internal Auditor
CISA - Certified Information Systems Auditor
IIA - Institute of Internal Auditors
ISACA - Information Systems Audit and Control Association

IT AUDIT
An IT audit is associated with auditors who use
technical skills and knowledge to audit through the
computer system, or provide audit services where
processes or data, or both, are embedded in
technologies.
CAATS - Computer Assisted Audit Tools
- allow auditors to audit through the database and
computer.

FRAUD AUDITS
- newest area of auditing, arising out of both rampant
employee theft of assets and major financial frauds.

CFE - Certified Fraud Examiner Certificate
ACFE - Association of Certified Fraud Examiners

EXTERNAL / FINANCIAL AUDITS


Associated with auditors who work outside, or
independent of, the organization being stated.
Sarbanes Oxley Act of 2002
Financial Accounting Standards Board
(FASB)
American Institute of Certified Public
Accountants (AICPA)

External Audits
- outsiders
- Prohibited by professional standards from relying on evidence provided by internal auditors
- Gather evidence at year end

Internal Audits
- Interest of the organization
- Independence is compromised
- Gather audit evidence throughout a fiscal period

FINANCIAL AUDIT
An independent attestation performed by an expert, the auditor, who expresses an opinion regarding the presentation of financial statements.
Key concept is INDEPENDENCE; Judge must remain independent in his/her deliberation.
Public confidence in the reliability of the company's internally produced financial statements rests directly on an evaluation of them by an independent expert auditor.

Systematic audit process involves three conceptual phases:
- Familiarization with the organization's business
- Evaluating and testing internal controls
- Assessing the reliability of financial data

ATTEST SERVICES
An engagement in which a practitioner is engaged to
issue, or does issue, a written communication that
expresses a conclusion about the reliability of a
written assertion that is the responsibility of another
party.

REQUIREMENTS APPLIED TO ATTESTATION SERVICES
o Attestation services require written assertions and a practitioner's written report.
o Attestation services require the formal establishment of measurement criteria or their description in the presentation.
o The levels of service in attestation engagements are limited to examination, review, and application of agreed upon procedures.

ASSURANCE SERVICES
Professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision makers.
- Broader than attestation services
- Intended to help people make better decisions by improving information
- Organizational unit responsible for conducting IT audits is named either IT Risk Management, Information Systems Risk Management, or Operational Systems Risk Management (OSRM).

Relationship Between Assurance Services and Attest Services

All attestation services are assurance services, but not every assurance service is an attestation service.

Generally Accepted Auditing Standards (GAAS)

General Standards
- Technical Training and Proficiency
- Independence
- Professional Care

Standards of Fieldwork
- Planning
- Internal Control Consideration
- Evidential Matter

Standards of Reporting
- Generally Accepted Accounting Principles
- Inconsistency
- Disclosure
- Opinion

A SYSTEMATIC PROCESS

An audit is a systematic and logical process that applies to all forms of information systems.

MANAGEMENT ASSERTIONS AND AUDIT OBJECTIVES

Management Assertion: Existence/Occurrence
  Audit Objective: Inventories listed on the balance sheet exist.
  Audit Procedure: Observe the counting of physical inventory.

Management Assertion: Completeness
  Audit Objective: Accounts Payable include all obligations to vendors for the period.
  Audit Procedure: Compare receiving reports, supplier invoices, PO, and journal entries for the period and the beg. of the next period.

Management Assertion: Rights and Obligations
  Audit Objective: Plant and equipment listed in the balance sheet are owned by the entity.
  Audit Procedure: Review purchase agreements, insurance policies, and related documents.

Management Assertion: Valuation or Allocation
  Audit Objective: Accounts Receivable are stated at NRV.
  Audit Procedure: Review entity's aging of accounts and evaluate the adequacy of the allow. for uncollectible accounts.

Management Assertion: Presentation and Disclosure
  Audit Objective: Contingencies not reported in financial accounts are properly disclosed in footnotes.
  Audit Procedure: Obtain info. from entity lawyers about the status of litigation and estimates of potential loss.

OBTAINING EVIDENCE

ASCERTAINING THE DEGREE OF CORRESPONDENCE WITH ESTABLISHED CRITERIA

COMMUNICATING RESULTS
Auditors must communicate the results of their tests
to interested users.
An independent auditor renders a report to the audit
committee of the board of directors or stockholders
of a company.
The audit report contains, among other things, an
AUDIT OPINION.

[Diagram: AUDIT RISK and its components: INHERENT RISK, CONTROL RISK, DETECTION RISK]

AUDIT RISK
the probability that the auditor will render an unqualified opinion on financial instruments that are, in fact, materially misstated.

CONTROL RISK
is the likelihood that the control
structure is flawed because controls
are either absent or inadequate to
prevent or detect errors in the
accounts.
Quantity      Unit Price    Total
10 units      Php 20        Php 2,000

DETECTION RISK
is the risk that auditors are willing to take that errors not detected or prevented by the control structure will not also be detected by the auditors.

AR = IR x CR x DR

5% = 40% * 60% * DR
DR = 4.8%
5% = 40% * 40% * DR
DR = 3.2%

The higher the control risk, the higher the detection risk; and the lower the control risk, the lower the detection risk.

AUDIT COMMITTEE

it is made up of three (3) people and should be outsiders and at least one of them must be a financial expert.

ROLES OF AUDIT COMMITTEE

- perform its fiduciary responsibility to the shareholders.
- assist the management in ensuring the integrity of financial reports and in deterring fraud.
- serve as guardians of public interest.
- serve as an independent check and balance for the internal audit function and liaison with external auditors.
- for entities that employ outside auditors, audit committees are responsible for deciding which external auditor to hire.

I.T. AUDIT
it focuses on the computer-based aspects of an organization's information system. It includes assessing the proper implementation, operation and control of computer sources.

STRUCTURE OF AN I.T. AUDIT
- Audit Planning
- Tests of Controls
- Substantive Tests

AUDIT PLANNING
the auditor's objective is to obtain sufficient information about the firm to plan the other phases of the audit. He attempts to understand the organization's policies, practices and structures.

TESTS OF CONTROL
it aims to determine whether adequate internal controls are in place and functioning properly. At the end, he must be able to assess the quality of the internal controls.

SUBSTANTIVE TESTING
it involves detailed investigation of specific account balances and transactions. In an IT environment, IT auditors use CAATTs to get the data to tell them about the data's integrity and reliability.

Computer-Assisted Audit Tools and Techniques
Audit technology tools facilitate more granular analysis of data and help to determine the accuracy of the information.

INTERNAL CONTROL
INTERNAL CONTROL SYSTEM comprises policies, practices, and procedures employed by the organization to achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm's operation.
4. To measure compliance with management's prescribed policies and procedures.

BRIEF HISTORY OF INTERNAL CONTROL

SEC Acts of 1933
Objectives:
1. Require that investors receive financial and other significant information concerning securities being offered for public sale.
2. Prohibit deceit, misinterpretations, and other fraud in the sale of securities.

SEC Act 1934

Created the Securities and Exchange Commission (SEC) and empowered it with broad authority over all aspects of the securities industry, which included authority regarding auditing standards.
It required publicly traded companies to be audited by an independent auditor.

Copy Right Law 1976

- It is of concern to IT auditors because management is held personally liable for violations if raided by the software police, and sufficient evidence of impropriety is found.

Foreign Corrupt Practices Act (FCPA) of 1977

Requires companies registered with the SEC to do the following:
1. Keep records that fairly and reasonably reflect the transactions of the firm and its initial position.
2. Maintain a system of internal control that provides reasonable assurance that the organization's objectives are met.

Committee of Sponsoring Organizations 1192
The organizations that sponsored, and do sponsor, this entity include Financial Executives International (FEI), the Institute of Management Accountants (IMA), the American Accounting Association (AAA), AICPA, and the IIA.

MODIFYING ASSUMPTIONS OF
INTERNAL CONTROL
MANAGEMENT RESPONSIBILITY
REASONABLE ASSURANCE
METHODS OF DATA PROCESSING
LIMITATIONS

- The Possibility of Error
- Circumvention
- Management Override
- Changing Conditions

EXPOSURES AND RISK

EXPOSURES

Deficiency Revenues

TYPES OF RISK
Destruction of assets
Theft of assets
Corruption of information or the information
system
Disruption of the information system

THE PDC MODEL


Preventive Controls = reduce the frequency of
occurrence of undesirable events
Detective Controls = devices, techniques, and
procedures designed to identify and expose
undesirable events that elude preventive controls.
Corrective Controls = fix the problem

SUPERVISION IN AN IT
ENVIRONMENT
The action or process of
watching and directing
what someone does or
how something is done

Reasons why Supervisory Control must be more elaborate in an IT Environment

1. The need for competent employees, possessing specialized skills.
2. Trustworthiness of data processing personnel
3. Inadequately observing employees in an IT Environment

ACCOUNTING RECORDS IN AN IT ENVIRONMENT

Audit Trail

ACCESS CONTROLS

TWO FORMS OF DATA THREAT

INDEPENDENT
VERIFICATION
