Auditing, Assurance,
and Internal Control
AUDITING
IT AUDIT
An IT audit is associated with auditors who use
technical skills and knowledge to audit through the
computer system, or provide audit services where
processes or data, or both, are embedded in
technologies.
CAATS - Computer Assisted Audit Tools
- allow auditors to audit through the database and
computer.
FRAUD AUDITS
- newest area of auditing, arising out of both rampant
employee theft of assets and major financial frauds.
External Audits
- outsiders
- Prohibited by professional standards from relying on evidence provided by internal auditors
- Gather evidence at year end
Internal Audits
- Interest of the organization
- Independence is compromised
- Gather audit evidence throughout a fiscal period
FINANCIAL AUDIT
An independent attestation performed by an
expert, the auditor, who expresses an opinion
regarding the presentation of financial statements.
Key concept is INDEPENDENCE; Judge must
remain independent in his/her deliberation.
Public confidence in the reliability of the
company's internally produced financial
statements rests directly on an evaluation of them
by an independent expert auditor.
ATTEST SERVICES
An engagement in which a practitioner is engaged to
issue, or does issue, a written communication that
expresses a conclusion about the reliability of a
written assertion that is the responsibility of another
party.
REQUIREMENTS APPLIED TO ATTESTATION SERVICES
o Attestation services require written assertions and
a practitioner's written report.
o Attestation services require the formal
establishment of measurement criteria or their
description in the presentation.
o The levels of service in attestation engagements
are limited to examination, review, and application
of agreed upon procedures.
ASSURANCE SERVICES
Professional services that are designed to improve the
quality of information, both financial and nonfinancial,
used by decision makers.
Broader than attestation services
Intended to help people make better decisions by
improving information
Organizational unit responsible for conducting IT
audits is named either IT Risk Management,
Information Systems Risk Management, or Operational
Systems Risk Management (OSRM).
General Standards
- Technical Training and Proficiency
- Independence
- Professional Care
Standards of Fieldwork
- Planning
- Internal Control Consideration
- Evidential Matter
Standards of Reporting
- Generally Accepted Accounting Principles
- Inconsistency
- Disclosure
- Opinion
A SYSTEMATIC PROCESS
MANAGEMENT ASSERTIONS AND AUDIT OBJECTIVES
Management Assertion: Existence/Occurrence
Audit Objective: Inventories listed on the balance sheet exist.
Audit Procedure: Observe the counting of physical inventory.

Management Assertion: Completeness
Audit Objective: Accounts Payable include all obligations to vendors for the period.
Audit Procedure: Compare receiving reports, supplier invoices, PO, and journal entries for the period and the beg. of the next period.

Management Assertion: Rights and Obligations
Audit Objective: Plant and equipment listed in the balance sheet are owned by the entity.
Audit Procedure: Review purchase agreements, insurance policies, and related documents.

Management Assertion: Valuation or Allocation
Audit Objective: Accounts Receivable are stated at NRV.
Audit Procedure: Review entity's aging of accounts and evaluate the adequacy of the allow. for uncollectible accounts.

Management Assertion: Presentation and Disclosure
Audit Objective: Contingencies not reported in financial accounts are properly disclosed in footnotes.
Audit Procedure: Obtain info. from entity lawyers about the status of litigation and estimates of potential loss.
OBTAINING EVIDENCE
ASCERTAINING THE DEGREE OF CORRESPONDENCE WITH ESTABLISHED CRITERIA
COMMUNICATING RESULTS
Auditors must communicate the results of their tests
to interested users.
An independent auditor renders a report to the audit
committee of the board of directors or stockholders
of a company.
The audit report contains, among other things, an
AUDIT OPINION.
INHERENT RISK
CONTROL RISK
DETECTION RISK
AUDIT RISK
AUDIT RISK
the probability that the auditor
will render an unqualified opinion
on financial statements that are,
in fact, materially misstated.
CONTROL RISK
is the likelihood that the control
structure is flawed because controls
are either absent or inadequate to
prevent or detect errors in the
accounts.
Quantity: 10 units
Unit Price: Php 20
Total: Php 2,000
DETECTION RISK
is the risk that auditors are willing
to take that errors not detected or
prevented by the control structure will
not also be detected by the auditors.
AR = IR x CR x DR
5% = 40% * 60% * DR
DR = 4.8%
5% = 40% * 40% * DR
DR = 3.2%
I.T. AUDIT
it focuses on the computer-based
aspects of an organization's
information system; it includes
assessing the proper implementation,
operation and control of computer
resources.
STRUCTURE OF AN I.T. AUDIT
Audit Planning
Tests of Controls
Substantive Tests
AUDIT PLANNING
the auditor's objective is to obtain sufficient
information about the firm to plan the other phases
of the audit. He attempts to understand the
organization's policies, practices and structures.
TESTS OF CONTROL
it aims to determine whether
adequate internal controls are in place
and functioning properly. At the end, he
must be able to assess the quality of the
internal controls.
SUBSTANTIVE TESTING
it involves detailed investigation of specific account
balances and transactions. In an IT environment, IT auditors
use CAATTs to get the data to tell them about the data's
integrity and reliability.
INTERNAL CONTROL
INTERNAL CONTROL SYSTEM comprises policies,
practices, and procedures employed by the organization to
achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure accuracy and reliability of accounting records
and information.
3. To promote efficiency in the firm's operation.
4. To measure compliance with management's prescribed
policies and procedures.
BRIEF HISTORY OF
INTERNAL CONTROL
SEC Acts of 1933
Objectives:
1. Require that investors receive financial and other
significant information concerning securities being
offered for public sale.
2. Prohibit deceit, misrepresentations, and other
fraud in the sale of securities.
MODIFYING ASSUMPTIONS OF
INTERNAL CONTROL
MANAGEMENT RESPONSIBILITY
REASONABLE ASSURANCE
METHODS OF DATA PROCESSING
LIMITATIONS
EXPOSURES AND
RISK
EXPOSURES
Deficiency Revenues
TYPES OF RISK
Destruction of assets
Theft of assets
Corruption of information or the information
system
Disruption of the information system
SUPERVISION IN AN IT
ENVIRONMENT
The action or process of
watching and directing
what someone does or
how something is done
Audit Trail
ACCESS CONTROLS
INDEPENDENT
VERIFICATION