
Auditing, Assurance, Internal Control

Contents

Attestation & Assurance Services
Financial audit
Auditing standards
External vs. internal auditing
Information technology audit
Internal control
SAS 78

Attest Services
An attest engagement is one in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.
Attest: to affirm to be correct, true, or genuine.

Requirements applied to attestation services
Attestation services require written assertions and a practitioner's written report.
Attestation services require the formal establishment of measurement criteria or their description in the presentation.
The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.

Assurance Services
Broader than attestation (Fig. 1-1).
Professional services designed to improve the quality of information, both financial and nonfinancial, used by decision-makers.
Intended to help people make better decisions by improving the information they rely on.
Assurance: a statement or indication that inspires confidence; a guarantee or pledge.

Assurance Services
The evolution of the accounting profession is expected to follow the assurance services model.
All of the (then) Big Five professional services firms renamed their traditional audit functions Assurance Services.
The organizational unit responsible for conducting IT audits is typically named IT Risk Management, Information Systems Risk Management, or Operational Systems Risk Management (OSRM).

Financial Audit
An independent attestation performed by an expert, the auditor, who expresses an opinion regarding the presentation of financial statements.
The auditor's role is similar in concept to that of a judge who collects and evaluates evidence and renders an opinion.

Financial Audit
The key concept in this process is independence: a judge must remain independent in his or her deliberation.
A judge cannot be an advocate of either party in the trial, but must apply the law impartially based on the evidence presented.
Likewise, the independent auditor collects and evaluates evidence and renders an opinion based on that evidence.

Financial Audit
Throughout the audit process, the auditor must maintain his or her independence from the client organization.
Public confidence in the reliability of the company's internally produced financial statements rests directly on their being evaluated by an independent expert auditor.

Financial Audit
The systematic audit process involves three conceptual phases:
Familiarization with the organization's business
Evaluating and testing internal control
Assessing the reliability of financial data

Auditor's Report
The product of the attestation function is a formal written report that expresses an opinion about the reliability of the assertions contained in the financial statements.
The auditor's report expresses an opinion as to whether the financial statements are in conformity with generally accepted accounting principles.

Auditing Standards
Auditors are guided in their professional responsibility by the ten generally accepted auditing standards (GAAS), Fig. 1-2.
GAAS establishes a framework for prescribing auditor performance, but it is not sufficiently detailed to provide meaningful guidance in specific circumstances.

Auditing Standards
To provide specific guidance, the American Institute of Certified Public Accountants (AICPA) issues Statements on Auditing Standards (SASs) as authoritative interpretations of GAAS.
SASs are often referred to as auditing standards, or GAAS, although they are not the ten generally accepted auditing standards themselves.

SAS
First issued by the AICPA in 1972.
Since then, many SASs have been issued to provide auditors with guidance on a spectrum of topics, including methods of investigating new clients and techniques for obtaining background information on a client's industry.

External vs. Internal Auditing
External auditing is often called independent auditing because it is done by certified public accountants who are independent of the organization being audited.
External auditors represent the interests of third-party stakeholders in the organization, such as stockholders, creditors, and government agencies.
Because the focus of the external audit is on the financial statements, this type of audit is called a financial audit.

External vs. Internal Auditing
The Institute of Internal Auditors defines internal auditing as an independent appraisal function established within an organization to examine and evaluate its activities.

External vs. Internal Auditing
Internal auditors perform a wide range of activities on behalf of the organization, including conducting financial audits, examining an operation's compliance with organizational policies, reviewing the organization's compliance with legal obligations, evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting IT audits.

External vs. Internal Auditing
While external auditors represent outsiders, internal auditors represent the interests of the organization.
Internal auditors often cooperate with and assist external auditors in performing financial audits. This is done to achieve audit efficiency and reduce audit fees. For example, a team of internal auditors can perform tests of computer controls under the supervision of a single external auditor.

Information Technology (IT) Audit
Focuses on the computer-based aspects of an organization's information system.
This includes assessing the proper implementation, operation, and control of computer resources.

Definition of Auditing
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.

Elements of Auditing
A systematic process
Management assertions and audit objectives
Obtaining evidence
Ascertaining the degree of correspondence between the assertions and established criteria
Communicating results
See pages 5-7

Five Categories of Management Assertions (page 6)
Existence or occurrence assertion
Completeness assertion
Rights and obligations assertion
Valuation or allocation assertion
Presentation and disclosure assertion
Auditors develop their audit objectives and design audit procedures based on the preceding assertions. See Table 1-1.

Structure of IT Audit
An IT audit is divided into three phases: audit planning, tests of controls, and substantive testing (see Figure 1-3).

Internal Control
The establishment and maintenance of a system of internal control is an important management obligation.
A fundamental aspect of management's stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled.
Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis (see also the Sarbanes-Oxley Act).
An adequate system of internal control is necessary to management's discharge of these obligations.
- Securities and Exchange Commission

Internal Control in Concept
The internal control system comprises the policies, practices, and procedures employed by the organization to achieve four broad objectives:
To safeguard the assets of the firm
To ensure the accuracy and reliability of accounting records and information
To promote efficiency in the firm's operations
To measure compliance with management's prescribed policies and procedures

Exposure and Risk
The internal control shield (Figure 1-4) protects the firm from numerous undesirable events:
Attempts at unauthorized access to the firm's assets (including information)
Fraud perpetrated by persons both inside and outside the firm
Errors due to employee incompetence, faulty computer programs, and corrupted input data
Mischievous acts, such as unauthorized access by computer hackers and threats from computer viruses that destroy programs and databases

Exposure and Risk
The absence or weakness of a control is called an exposure.
Exposures increase the firm's risk of financial loss or injury from undesirable events.

Exposure and Risk
A weakness in internal control may expose the firm to one or more of the following types of risk:
Destruction of assets (both physical assets and information)
Theft of assets
Corruption of information or of the information system (records containing errors or unauthorized alterations)
Disruption of the information system

Three Levels of Control
Preventive controls, detective controls, and corrective controls (Fig. 1-5)

Preventive Controls
The first line of defense in the control structure.
Passive techniques designed to reduce the frequency of occurrence of undesirable events.
Preventing errors and fraud is far more cost-effective than detecting and correcting problems after they occur.
For example, a well-designed data entry screen is a preventive control; in information security, a firewall is one.
Not all problems can be anticipated and prevented.

Detective Controls
The second line of defense.
Devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
In information security: intrusion detection.

Corrective Controls
Actions taken to reverse the effects of detected errors.
Detective controls identify undesirable events and draw attention to the problem; corrective controls fix the problem.
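The three levels of control, as an added worked example (not code from the slides or the textbook): a vendor-payment process with a preventive control at the data-entry screen, a detective reconciliation run over what was posted, and a corrective reversing entry. The approved vendor list, the entry limit of 50,000 and the sample invoices are constructed for the illustration. Note the detective control is needed because a duplicate invoice passes every per-line entry check; it can only be seen across postings.

```python
"""Preventive, detective and corrective controls over a small
vendor-payment ledger. Added illustration; all data is constructed."""
from dataclasses import dataclass, field
from datetime import date

APPROVED_VENDORS = {"V100": "Acme Supply", "V200": "Bolt & Nut Co"}  # constructed
ENTRY_LIMIT = 50_000.0                                            # hypothetical


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    invoice_no: str
    amount: float
    invoice_date: date


@dataclass
class Ledger:
    postings: list = field(default_factory=list)  # (invoice, signed amount)

    def balance(self) -> float:
        return round(sum(amt for _, amt in self.postings), 2)


# ---- Preventive control: the data-entry screen rejects bad input -------
def validate_entry(inv: Invoice, today: date) -> list:
    """Return the reasons the entry is rejected (empty list = accepted)."""
    reasons = []
    if inv.vendor_id not in APPROVED_VENDORS:
        reasons.append("vendor not on approved vendor list")
    if not (0 < inv.amount <= ENTRY_LIMIT):
        reasons.append("amount outside permitted range")
    if inv.invoice_date > today:
        reasons.append("invoice dated in the future")
    if not inv.invoice_no.strip():
        reasons.append("missing invoice number")
    return reasons


def post_batch(ledger: Ledger, batch: list, today: date):
    accepted, rejected = [], []
    for inv in batch:
        problems = validate_entry(inv, today)
        if problems:
            rejected.append((inv, problems))
        else:
            ledger.postings.append((inv, inv.amount))
            accepted.append(inv)
    return accepted, rejected


# ---- Detective control: a reconciliation run over what was posted -------
def detect_duplicates(ledger: Ledger) -> list:
    """A duplicate invoice passes entry validation one line at a time, so it
    can only be caught by looking across all postings after the fact."""
    seen, dups = set(), []
    for inv, _ in ledger.postings:
        key = (inv.vendor_id, inv.invoice_no)
        if key in seen:
            dups.append(inv)
        seen.add(key)
    return dups


# ---- Corrective control: reverse what the detective control found -------
def reverse(ledger: Ledger, invoices: list) -> int:
    """Post an offsetting entry per duplicate instead of deleting the original
    line, so the audit trail shows both the error and its correction."""
    for inv in invoices:
        ledger.postings.append((inv, -inv.amount))
    return len(invoices)


def run_cycle(batch: list, today: date) -> dict:
    ledger = Ledger()
    accepted, rejected = post_batch(ledger, batch, today)
    dups = detect_duplicates(ledger)
    reverse(ledger, dups)
    return {"accepted": len(accepted), "rejected": len(rejected),
            "duplicates_reversed": len(dups), "balance": ledger.balance()}


DEFAULT_TODAY = date(2024, 3, 31)
SAMPLE_BATCH = [  # constructed sample input
    Invoice("V100", "INV-1", 1200.00, date(2024, 3, 1)),
    Invoice("V200", "INV-7", 430.50, date(2024, 3, 2)),
    Invoice("V999", "INV-2", 900.00, date(2024, 3, 2)),   # unapproved vendor
    Invoice("V100", "INV-3", -50.00, date(2024, 3, 3)),   # bad amount
    Invoice("V100", "INV-1", 1200.00, date(2024, 3, 4)),  # duplicate of the first
]

if __name__ == "__main__":
    print(run_cycle(SAMPLE_BATCH, DEFAULT_TODAY))
```

Running it posts three lines, rejects two at entry, reverses the one duplicate, and leaves a balance of 1630.50; the reversed line stays in the ledger because a corrective control should leave evidence, not erase it.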

Statement on Auditing Standards No. 78 (SAS 78)
The authoritative document for specifying internal control objectives and techniques at the time of this text. (SAS 78 has since been superseded, most recently by AU-C section 315 under the AICPA clarity standards, but the COSO component structure it adopted is unchanged.)
Conforms to the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Consists of five components: control environment, risk assessment, information and communication, monitoring, and control activities.

Control Environment
The foundation for the other control components.
Important elements:
Integrity and ethical values of management
Structure of the organization
Participation of the organization's board of directors and audit committee
Management's philosophy and operating style
See page 13

Control Environment
SAS 78 requires that auditors obtain sufficient knowledge to assess the attitude and awareness of the organization's management, board of directors, and owners regarding internal control.
See page 13 for examples of techniques that may be used to obtain an understanding of the control environment.

Risk Assessment
Identify, analyze, and manage risks relevant to financial reporting.
See page 14 for risks that can arise from changes in circumstances.
SAS 78 requires that auditors obtain sufficient knowledge of the organization's risk assessment procedures to understand how management identifies, prioritizes, and manages risks related to financial reporting.

Information and Communication
The accounting information system (AIS) consists of the records and methods used to initiate, identify, analyze, classify, and record the organization's transactions and to account for the related assets and liabilities.
The quality of the information generated by the AIS affects management's ability to take actions and make decisions in connection with the organization's operations and to prepare reliable financial statements.

Effective AIS
An effective AIS will:
Identify and record all valid financial transactions
Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting
Accurately measure the financial value of transactions so their effects can be recorded in the financial statements
Accurately record transactions in the time period in which they occur

Effective AIS
SAS 78 requires that auditors obtain sufficient knowledge of the organization's information systems to understand:
The classes of transactions that are material to the financial statements and how those transactions are initiated
The accounting records and accounts that are used in the processing of material transactions
The transaction processing steps involved from the initiation of an economic event to its inclusion in the financial statements
The financial reporting process used to prepare financial statements, disclosures, and accounting estimates

Monitoring
The process by which the quality of internal control design and operation can be assessed.
May be accomplished by separate procedures or by ongoing activities.
Internal auditors may monitor the entity's activities in separate procedures. They gather evidence of control adequacy by testing controls, then communicate control strengths and weaknesses to management.

Monitoring
Ongoing monitoring may be achieved by integrating special computer modules into the information system that capture key data and/or permit tests of controls to be conducted as part of routine operations.
Such embedded audit modules (EAMs) allow management and auditors to maintain constant surveillance over the functioning of internal controls.
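An embedded audit module, as an added example (not code from the slides or the textbook): every journal entry passes through the module in-line with normal processing, and entries meeting auditor-defined capture criteria are copied, with the reasons, to an append-only audit log while processing continues uninterrupted. The materiality threshold, business-hours window, sensitive accounts, users and entries are all constructed values for the illustration.

```python
"""Embedded audit module (EAM) for continuous monitoring of journal entries.
Added illustration; thresholds and entries are constructed."""
from dataclasses import dataclass
from datetime import datetime
import json


@dataclass(frozen=True)
class Entry:
    entry_id: str
    account: str
    amount: float
    posted_by: str
    posted_at: datetime
    manual_override: bool = False


# Auditor-set capture criteria (hypothetical values). Changing these should
# itself be a controlled action; here they are plain module constants.
MATERIALITY = 25_000.0
BUSINESS_HOURS = range(8, 18)            # 08:00 to 17:59 local, Mon-Fri
SENSITIVE_ACCOUNTS = {"1000-CASH", "9999-SUSPENSE"}


def capture_reasons(e: Entry) -> list:
    """Return every criterion the entry trips (empty list = not captured)."""
    reasons = []
    if abs(e.amount) >= MATERIALITY:
        reasons.append("amount at or above materiality")
    if e.posted_at.hour not in BUSINESS_HOURS or e.posted_at.weekday() >= 5:
        reasons.append("posted outside business hours")
    if e.manual_override:
        reasons.append("manual override of programmed control")
    if e.account in SENSITIVE_ACCOUNTS:
        reasons.append("sensitive account")
    return reasons


class EmbeddedAuditModule:
    def __init__(self):
        self._log = []                    # append-only, one JSON object per line

    def inspect(self, e: Entry) -> bool:
        """Copy the entry to the audit log if any criterion applies."""
        reasons = capture_reasons(e)
        if reasons:
            self._log.append(json.dumps({
                "entry_id": e.entry_id, "account": e.account,
                "amount": e.amount, "posted_by": e.posted_by,
                "posted_at": e.posted_at.isoformat(), "reasons": reasons}))
        return bool(reasons)

    def records(self) -> list:
        return [json.loads(line) for line in self._log]


def process_entries(entries: list, eam: EmbeddedAuditModule) -> list:
    """Routine processing: the EAM is consulted in-line but never blocks."""
    posted = []
    for e in entries:
        eam.inspect(e)                    # capture for audit, then carry on
        posted.append(e.entry_id)
    return posted


SAMPLE_ENTRIES = [  # constructed; 2024-03-04 is a Monday, 2024-03-09 a Saturday
    Entry("JE-1", "5000-COGS", 1_500.0, "alice", datetime(2024, 3, 4, 10, 15)),
    Entry("JE-2", "1000-CASH", 40_000.0, "bob", datetime(2024, 3, 4, 11, 0)),
    Entry("JE-3", "6100-RENT", 3_000.0, "carol", datetime(2024, 3, 9, 23, 30)),
    Entry("JE-4", "5000-COGS", 800.0, "alice", datetime(2024, 3, 5, 9, 0),
          manual_override=True),
]


def flagged_ids(entries: list = SAMPLE_ENTRIES) -> dict:
    """Run the sample through the EAM and return entry_id -> reasons."""
    eam = EmbeddedAuditModule()
    process_entries(entries, eam)
    return {r["entry_id"]: r["reasons"] for r in eam.records()}


if __name__ == "__main__":
    for eid, why in flagged_ids().items():
        print(eid, why)
```

Of the four constructed entries, JE-1 passes untouched while JE-2 (material and to a sensitive account), JE-3 (posted on a Saturday night) and JE-4 (manual override) are captured. In a real deployment the log would be written to storage the posting users cannot alter, so the module's evidence is independent of the people whose work it monitors.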

Control Activities
The policies and procedures used to ensure that appropriate actions are taken to deal with the organization's identified risks.
Control activities can be grouped into two categories:
Computer controls: general controls and application controls
Physical controls: transaction authorization, segregation of duties, supervision, accounting records, access control, and independent verification

Computer Controls / General Controls
Computer controls fall into two broad groups: general controls and application controls.
General controls pertain to entity-wide concerns such as controls over the data center, organization databases, systems development, and program maintenance.

Application Controls
Application controls ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications.

Physical Controls
Relate primarily to traditional accounting systems that employ manual procedures.
Six traditional categories of physical control activities: transaction authorization, segregation of duties, supervision, accounting records, access control, and independent verification.

Transaction Authorization
Ensures that all material transactions processed by the information system are valid and in accordance with management's objectives.
Authorizations may be general or specific.

General Authorization
Granted to operations personnel to perform day-to-day operations.
An example is a procedure that authorizes the purchase of inventories from a designated vendor only when inventory levels fall to their predetermined reorder points. This is called a programmed procedure.

Specific Authorization
Deals with case-by-case decisions associated with non-routine transactions.
An example is the decision to extend a particular customer's credit limit beyond the normal amount.
In an IT environment, the responsibility for achieving the control objectives of transaction authorization rests directly on the accuracy and consistency of the computer programs that perform these tasks.

Segregation of Duties
Aims to minimize incompatible functions.
Three objectives provide general guidelines applicable to most organizations:
Authorization for a transaction is separate from the processing of the transaction. For example, purchases should not be initiated by the purchasing department until authorized by the inventory control department.

Segregation of Duties
Responsibility for the custody of assets should be separate from the recordkeeping responsibility. For example, the department that has physical custody of finished goods inventory should not keep the official inventory records. Accounting for finished goods inventory is performed by inventory control, an accounting function.

Segregation of Duties
The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities. In other words, no single individual should have sufficient access to assets and the supporting records to perpetrate a fraud.

Segregation of Duties in IT
Computer errors are in reality programming errors, that is, human errors; no computer has ever perpetrated a fraud unless a human programmed it to do so.
Separating the computer's own processing steps (for instance, having one program authorize and another record) therefore serves no purpose: a program applies the same logic every time. The control concern shifts to the people who write, run, and change the programs.

Segregation of Duties in IT
Segregation of duties still plays a role in the IT environment.
Once the proper functioning of a program is established at system implementation, its integrity must be preserved throughout the application's life cycle.
Program development, program operations, and program maintenance are therefore the critical IT functions that must be adequately separated.
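Transaction authorization (the general and specific authorization slides above) and segregation of duties (the three objectives plus the IT separation of development, operations and maintenance), as one added example that is not code from the slides or the textbook. The general authorization is a programmed procedure: nobody keys in a vendor or a quantity; the reorder is generated from the item master only at the reorder point and only for the designated vendor. The specific authorization needs a named approver holding the credit-manager role. The segregation check walks a role matrix and reports any user holding an incompatible pair. Role names, the incompatible-pair table, users and the item are constructed for the illustration.

```python
"""Programmed authorization and segregation-of-duties checks.
Added illustration; roles, users and items are constructed."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Pairs of roles no single person may hold: the three SoD objectives from the
# slides, plus the IT separation of development / operations / maintenance.
INCOMPATIBLE = {
    frozenset({"inventory_control", "purchasing"}),    # authorize vs process
    frozenset({"warehouse", "inventory_accounting"}),  # custody vs records
    frozenset({"cash_custody", "ar_accounting"}),      # custody vs records
    frozenset({"developer", "operator"}),
    frozenset({"developer", "maintainer"}),
    frozenset({"operator", "maintainer"}),
}


def sod_violations(assignments: dict) -> dict:
    """assignments maps user -> set of roles; returns conflicting pairs per user."""
    out = {}
    for user, roles in assignments.items():
        hits = [p for p in combinations(sorted(roles), 2)
                if frozenset(p) in INCOMPATIBLE]
        if hits:
            out[user] = hits
    return out


@dataclass(frozen=True)
class Item:
    sku: str
    on_hand: int
    reorder_point: int
    reorder_qty: int
    designated_vendor: str


@dataclass(frozen=True)
class PurchaseAuthorization:
    sku: str
    qty: int
    vendor: str
    authorized_by: str


def general_authorization(item: Item, system_user: str,
                          roles: dict) -> Optional[PurchaseAuthorization]:
    """Programmed procedure: the inventory-control function authorizes a
    reorder only at or below the reorder point and only from the designated
    vendor. Quantity and vendor come from the item master, not from a person."""
    if "inventory_control" not in roles.get(system_user, set()):
        raise PermissionError(f"{system_user} may not authorize purchases")
    if item.on_hand > item.reorder_point:
        return None
    return PurchaseAuthorization(item.sku, item.reorder_qty,
                                 item.designated_vendor, system_user)


def process_purchase(auth: PurchaseAuthorization, processor: str,
                     roles: dict) -> dict:
    """Purchasing may only act on an authorization it did not itself create."""
    if "purchasing" not in roles.get(processor, set()):
        raise PermissionError(f"{processor} is not in purchasing")
    if processor == auth.authorized_by:
        raise PermissionError("authorizer and processor must differ")
    return {"po_for": auth.sku, "qty": auth.qty, "vendor": auth.vendor,
            "authorized_by": auth.authorized_by, "processed_by": processor}


def specific_authorization(customer: str, normal_limit: float,
                           requested_limit: float, approver: str,
                           roles: dict) -> dict:
    """Non-routine case: raising a credit limit above the norm is a
    case-by-case decision by someone holding the credit-manager role."""
    if requested_limit <= normal_limit:
        return {"customer": customer, "limit": requested_limit, "approver": None}
    if "credit_manager" not in roles.get(approver, set()):
        raise PermissionError(f"{approver} cannot approve a limit increase")
    return {"customer": customer, "limit": requested_limit, "approver": approver}


ROLES = {  # constructed sample assignments
    "ic_system": {"inventory_control"},
    "pat":       {"purchasing"},
    "maria":     {"credit_manager"},
    "sam":       {"warehouse", "inventory_accounting"},  # custody + records
    "dev_lee":   {"developer", "operator"},              # dev + ops
}


def demo() -> dict:
    item = Item("WIDGET-9", on_hand=12, reorder_point=20, reorder_qty=100,
                designated_vendor="V100")
    auth = general_authorization(item, "ic_system", ROLES)
    po = process_purchase(auth, "pat", ROLES)
    credit = specific_authorization("CUST-7", 10_000, 15_000, "maria", ROLES)
    return {"po": po, "credit": credit, "sod": sod_violations(ROLES)}


if __name__ == "__main__":
    print(demo())
```

The role check is the kind of query an IT auditor runs against an ERP's user-role table: the two constructed conflicts (a warehouse user who also keeps inventory records, a developer who also operates production) are exactly the combinations that let one person commit and conceal an error or fraud without collusion.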

Supervision
Achieving adequate segregation of duties often presents difficulties for a small organization.
In small organizations, or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision.
For this reason, supervision is also called a compensating control.

Accounting Records
Source documents, journals, and ledgers capture the economic essence of transactions and provide an audit trail of economic events.
The audit trail enables the auditor to trace any transaction through all phases of its processing, from the initiation of the event to the financial statements.

Access Controls
Ensure that only authorized personnel have access to the firm's assets.
Access control in an IT environment includes provisions for the physical security of computer facilities.
Database security and authorization is an important access control mechanism in modern organizations.

Access Control in an IT Environment
Limit personnel access authority
Restrict access to computer programs
Provide physical security for the data processing center
Ensure adequate backup for data files
Provide disaster recovery capability

Audit Risk
The probability that the auditor will render an unqualified opinion on financial statements that are, in fact, materially misstated.
The auditor's objective is to minimize audit risk by performing tests of controls and substantive tests.
The three components of audit risk are inherent risk, control risk, and detection risk.

Inherent Risk
Associated with the unique characteristics of the business or industry of the client.
Firms in declining industries have greater inherent risk than firms in stable or thriving industries.
Auditors cannot reduce the level of inherent risk.

Control Risk
The likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
Auditors can justify a lower assessed level of control risk only by performing tests of internal controls, e.g., running test transactions and seeing whether the erroneous ones are detected.

Detection Risk
The risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.
A lower planned detection risk requires more substantive testing.
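The three risk components together, as an added example (not code from the slides or the textbook). It seeds known-erroneous test transactions through a control (here a simple purchase-order match), measures how many the control rejects, assesses control risk from that, then solves the standard audit risk model AR = IR x CR x DR for the detection risk the auditor can accept. The multiplicative model is standard practice but is not written out in the slides; the mapping from detection rate to a control-risk figure, the 5% acceptable audit risk, and the sample-size scaling are hypothetical numbers chosen for the illustration, not audit guidance.

```python
"""From a test of controls to planned substantive testing.
Added illustration; the model is standard, the numbers are hypothetical."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Payment:
    po_number: Optional[str]
    amount: float
    po_amount: Optional[float]


def po_match_control(p: Payment) -> bool:
    """The control under test: pay only against a PO whose amount matches."""
    return (p.po_number is not None and p.po_amount is not None
            and abs(p.amount - p.po_amount) < 0.005)


def run_test_of_controls(control, seeded: list) -> float:
    """seeded pairs each test transaction with whether it is erroneous.
    Returns the share of erroneous transactions the control rejected."""
    errors = [p for p, is_error in seeded if is_error]
    caught = [p for p in errors if not control(p)]
    return len(caught) / len(errors)


def assess_control_risk(detection_rate: float) -> float:
    """Hypothetical mapping; a real assessment is judgmental, not formulaic."""
    if detection_rate >= 0.95:
        return 0.30
    if detection_rate >= 0.80:
        return 0.60
    return 1.00            # no reliance can be placed on the control


def planned_detection_risk(audit_risk: float, inherent: float,
                           control: float) -> float:
    """Solve AR = IR x CR x DR for DR; capped at 1.0."""
    return min(1.0, audit_risk / (inherent * control))


def substantive_sample_size(base_items: int, detection_risk: float) -> int:
    """Lower planned DR means more substantive testing; here the sample
    grows in inverse proportion to DR (hypothetical scaling)."""
    return round(base_items / detection_risk)


SEEDED = [  # constructed test transactions: (payment, is_error)
    (Payment("PO-1", 500.0, 500.0), False),
    (Payment("PO-2", 750.0, 750.0), False),
    (Payment(None, 300.0, None), True),        # no purchase order at all
    (Payment("PO-3", 999.0, 900.0), True),     # amount does not match the PO
    (Payment("PO-4", 120.0, 120.0), False),
    (Payment("PO-5", 100.0, 100.0), True),     # fictitious PO: matches, so the
]                                              # match control cannot see it


def plan(audit_risk: float = 0.05, inherent: float = 0.8,
         base_items: int = 25) -> dict:
    rate = run_test_of_controls(po_match_control, SEEDED)
    cr = assess_control_risk(rate)
    dr = planned_detection_risk(audit_risk, inherent, cr)
    return {"detection_rate": round(rate, 3), "control_risk": cr,
            "planned_detection_risk": round(dr, 4),
            "substantive_sample": substantive_sample_size(base_items, dr)}


def sample_sizes_by_control_risk(audit_risk: float = 0.05,
                                 inherent: float = 0.8,
                                 base_items: int = 25) -> dict:
    """How much substantive work each assessed control-risk level implies."""
    return {cr: substantive_sample_size(
                base_items, planned_detection_risk(audit_risk, inherent, cr))
            for cr in (0.30, 0.60, 1.00)}


if __name__ == "__main__":
    print(plan())
    print(sample_sizes_by_control_risk())
```

With the constructed seed set the control catches two of three errors, which under the hypothetical mapping leaves control risk at the maximum; the auditor then needs a planned detection risk of 0.0625 and, under the illustrative scaling, a substantive sample of 400 items rather than the 120 that a reliably operating control would have allowed. The third seeded error, a fictitious but internally consistent PO, is the reminder that a test of controls measures only what the control was designed to detect.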

General Framework for IT Risks and Controls
See Fig. 1-7
