Professional Documents
Culture Documents
Control
Contents
Attest Services
An engagement in which a practitioner is
engaged to issue, or does issue, a written
communication that expresses a conclusion
about the reliability of a written assertion
that is the responsibility of another party.
Attest: To affirm to be correct, true, or
genuine
3
Requirements applied to
attestation services
Attestation services require written assertions and
a practitioners written report.
Attestation services require the formal
establishment of measurement criteria or their
description in the presentation.
The levels of service in attestation engagements
are limited to examination, review, and application
of agreed-upon procedures.
4
Assurance Services
Broader than attestation (Fig. 1-1)
Professional services designed to improve the
quality of information, both financial and nonfinancial, used by decision-makers.
Intended to help people make better decisions by
improving information.
Assurance: A statement or indication that inspires
confidence; a guarantee or pledge
5
Assurance Services
Evolution of accounting profession is expected to
follow the assurance services model.
All Big Five professional services firms have
renamed their traditional audit functions
Assurance Services.
Organizational unit responsible for conducting IT
audits is named either IT Risk Management,
Information Systems Risk Management, or
Operational Systems Risk Management (OSRM)
6
Financial Audit
An independent attestation performed by an
expert, the auditor, who expresses an
opinion regarding the presentation of
financial statements.
Auditors role is similar in concept to a
judge who collects and evaluates evidence
and renders an opinion.
7
Financial Audit
Key concept in this process is independence; Judge
must remain independent in his or her deliberation.
Judge cannot be advocate of either party in the
trial, but must apply law impartially based on
evidence presented.
Likewise, independent auditor collects and
evaluates evidence and renders an opinion based
on evidence.
8
Financial Audit
Throughout audit process, auditor must
maintain his or her independence from
client organization.
Public confidence in the reliability of the
companys internally produced financial
statements rests directly on their being
evaluated by an independent expert audit.
9
Financial Audit
Systematic audit process involves three
conceptual phases:
Familiarization w/ organizations business
Evaluating and testing internal control
Assessing the reliability of financial data
10
Auditors Report
Product of attestation function is a formal
written report that expresses an opinion
about the reliability of the assertions
contained in financial statements
Auditors report expresses an opinion as to
whether the financial statements are in
conformity w/ generally accepted
accounting principles
11
Auditing Standards
Auditors are guided in their professional
responsibility by the ten generally accepted
auditing standards (GAAS) Fig. 1-2
GAAS establishes a framework for
prescribing auditor performance, but it is not
sufficiently detailed to provide meaningful
guidance in specific circumstances
12
Auditing Standards
To provide specific guidance, American Institute
of Certified Public Accountants (AICPA) issues
Statements on Auditing Standards (SASs) as
authoritative interpretations of GAAS.
SASs are often referred to as auditing standards,
or GAAS, although they are not the ten generally
accepted auditing standards.
13
SAS
First issued by AICPA in 1972
Since then, many SASs have been issued to
provide auditors w/ guidance on a spectrum
of topics, including methods of
investigating new clients, techniques for
obtaining background information on
clients industry.
14
16
20
Definition of Auditing
Auditing is a systematic process of
objectively obtaining and evaluating
evidence regarding assertions about
economic actions and events to ascertain
the degree of correspondence between
those assertions and established criteria and
communicating the results to interested
users
21
Elements of auditing
A systematic process
Management assertions and audit objectives
Obtaining evidence
Ascertaining the degree of correspondence
between established criteria
Communicating results
See Pages 5~7
22
5 Categories of Management
Assertions (page 6)
Structure of IT Audit
IT audit is divided into three phases: audit
planning, tests of controls, and substantive
testing (See Figure 1-3)
24
Internal Control
The establishment and maintenance of a system of internal
control is an important management obligation.
A fundamental aspect of managements stewardship
responsibility is to provide shareholders with reasonable
assurance that the business is adequately controlled.
Additionally, management has a responsibility to furnish
shareholders and potential investors with reliable financial
information on a timely basis. (Sarbanes-Oxley act)
An adequate system of internal control is necessary to
managements discharge of these obligations.
- Securities and Exchange Commission
25
28
29
3 Levels of Control
Preventive controls, detection controls, and
corrective controls (Fig. 1-5)
31
Preventive Controls
First line of defense in the control structure
Passive techniques designed to reduce the
frequency of occurrence of undesirable
events
Preventing errors and fraud is far more costeffective than detecting and correcting
problems after they occur
In information security: firewall
32
Preventive Controls
For example, a well-designed data entry
screen is an example of a preventive control
Not all problems can be anticipated and
prevented.
33
Detective Controls
Second line of defense
Devices, techniques, and procedures
designed to identify and expose undesirable
events that elude preventive controls
In information security: Intrusion detection
34
Corrective Controls
Corrective actions taken to reverse the
effects of detected errors
Detective controls identify undesirable
events and draw attention to the problem;
corrective controls fix the problem.
35
Control Environment
Foundation for the other control components
Important elements:
Integrity and ethical values of management
Structure of organization
Participation of organizations board of directors and
audit committee
Managements philosophy and operating style
see page 13
37
Control Environment
SAS 78 requires that auditors obtain
sufficient knowledge to assess the attitude
and awareness of organizations
management, board of directors, and owners
regarding internal control.
See page 13 for examples of techniques that
may be used to obtain an understanding of
control environment
38
Risk Assessment
Identify, analyze, and manage risks relevant to
financial reporting
See page 14 for risks that can rise out of changes
in circumstances
SAS 78 requires that auditors obtain sufficient
knowledge of organizations risk assessment
procedures to understand how management
identifies, prioritizes, and manages risks related to
financial reporting.
39
Effective AIS
Identify and record all valid financial transactions
Provide timely information about transactions in
sufficient detail to permit proper classification and
financial reporting
Accurately measure financial value of transactions
so their effects can be recorded in financial
statements
Accurately record transactions in time period in
which they occur
41
Effective AIS
SAS 78 requires that auditors obtain
sufficient knowledge of organizations
information systems to understand
Classes of transactions that are material to
financial statements and how those transactions
are initiated
Accounting records and accounts that are used
in processing of material transactions
42
Effective AIS
SAS 78 requires that auditors obtain
sufficient knowledge of organizations
information systems to understand
Transaction processing steps involved from
initiation of economic event to its inclusion in
financial statements
Financial reporting process used to prepare
financial statements, disclosures, and
accounting estimates
43
Monitoring
Process by which quality of internal control design
and operation can be assessed
May be accomplished by separate procedures or by
ongoing activities
Internal auditors may monitor entitys activities in
separate procedures. They gather evidence of
control adequacy by testing controls, then
communicate control strengths and weaknesses to
management
44
Monitoring
Ongoing monitoring may be achieved by
integrating special computer modules into
information system that capture key data and/or
permit tests of control to be conducted as part of
routine operations
Such embedded audit modules (EAMs) allow
management and auditors to maintain constant
surveillance over functioning of internal controls
45
Control Activities
Policies and procedures used to ensure
appropriate actions are taken to deal w/
organizations identified risks
46
Control Activities
Can be grouped into two categories:
Computer controls
General control
Application control
Physical controls
transaction authorization
segregation of duties
supervision
accounting records
access control
independent verification
47
48
Application Controls
Application controls ensure the integrity of
specific systems such as sales order
processing, accounts payable, and payroll
applications
49
Control Activities
Can be grouped into two categories:
Computer controls
General control
Application control
Physical controls
transaction authorization
segregation of duties
supervision
accounting records
access control
independent verification
50
Physical Controls
Relates primarily to traditional accounting
systems that employ manual procedures
Six traditional categories of physical control
activities: transaction authorization,
segregation of duties, supervision,
accounting records, access control, and
independent verification
51
Transaction Authorization
Ensure that all material transactions
processed by information systems are valid
and in accordance w/ managements
objectives
Authorizations may be general or specific
52
General Authorization
Granted to operations personnel to perform
day-to-day operations
Example is procedure to authorize purchase
of inventories from designated vendor only
when inventory levels fall to their
predetermined reorder points. This is called
programmed procedure
53
Specific Authorization
Deal with case-by-case decisions associated w/
non-routine transactions.
Example is the decision to extend a particular
customers credit limit beyond the normal amount
In an IT environment, the responsibility for
achieving control objectives of transaction
authorization rests directly on accuracy and
consistency of computer programs that perform
these tasks.
54
Segregation of Duties
To minimize incompatible functions
3 objectives provide general guidelines
applicable to most organizations
Authorization for a transaction is separate from
processing of the transaction. For example,
purchases should not be initiated by purchasing
department until authorized by inventory
control department
55
Segregation of Duties
3 objectives provide general guidelines
applicable to most organizations
Responsibility for custody of assets should be
separate from recordkeeping responsibility. For
example, the department that has physical
custody of finished goods inventory should not
keep official inventory records. Accounting for
finished goods inventory is performed by
inventory control, an accounting function.
56
Segregation of Duties
3 objectives provide general guidelines
applicable to most organizations
Organization should be structured so that a
successful fraud requires collusion between two
or more individuals with incompatible
responsibilities. In other words, no single
individual should have sufficient access to
assets and supporting records to perpetrate a
fraud.
57
Segregation of Duties in IT
Computer errors are programming errors
that are, in fact, human errors; no computer
has ever perpetrated a fraud unless
programmed to do so by a human
Separating computer processing functions,
therefore, serves no purpose
58
Segregation of Duties in IT
Segregation of duties still plays a role in IT
environment
Once proper functioning of a program is
established at system implementation, its integrity
must be preserved throughout the applications life
cycle.
The activities of program development, program
operations, and program maintenance are critical
IT functions that must be adequately separated.
59
Supervision
Achieving adequate segregation of duties often
presents difficulties for small organization.
In small organizations or in functional areas that
lack sufficient personnel, management must
compensate for absence of segregation controls
with close supervision.
For this reason, supervision is also called
compensating control.
60
Accounting Records
Source documents, journals, and ledgers
capture economic essence of transactions
and provide an audit trail of economic
events
Audit trail enables auditor to trace any
transaction through all phases of its
processing from initiation of event to
financial statements
61
Access Controls
Ensure that only authorized personnel have
access to firms assets
Access control in IT environment includes
provisions for physical security of computer
facilities.
Database security and authorization is
important access control mechanism in
modern organizations.
62
Audit Risk
Probability that auditor will render an
unqualified opinion on financial statements
that are, in fact, materially misstated
Auditors objective is to minimize audit risk
by performing tests of controls and
substantive tests.
3 components of audit risk are inherent risk,
control risk, and detection risk
64
Inherent Risk
Associated with unique characteristics of
the business or industry of the client
Firms in declining industries have greater
inherent risk than firms in stable or thriving
industries.
Auditors can not reduce level of inherent
risk.
65
Control Risk
is the likelihood that control structure is
flawed because controls are either absent or
inadequate to prevent or detect errors in the
accounts
Auditors reduce level of control risk by
performing tests of internal controls, e.g.,
running test transactions and seeing if
erroneous transactions can be detected
66
Detection Risk
is the risk that auditors are willing to take
that errors not detected or prevented by
control structure will also not be detected
by the auditor
Lower planned detection risk requires more
substantive testing
67
68