
Auditing and Internal Control

Prepared by:
Ambrocio, Sheila Mae B.

Common types of Audits


External (Financial) Audits
- an independent attestation performed by an expert, the
auditor, who expresses an opinion regarding the
presentation of financial statements.
Internal Audit
- an independent appraisal function established within an
organization to examine and evaluate its activities as a
service to the organization.
Fraud Audit
- investigates anomalies and gathers evidence of fraud
that may lead to criminal conviction.

History of the Audit Committee


1939: The New York Stock Exchange (NYSE) first endorsed the audit committee concept.
1972: The U.S. Securities and Exchange Commission (SEC) first recommends that publicly held
companies establish audit committees composed of outside (non-management) directors.
1977: NYSE adopts a listing requirement that audit committees be composed entirely of
independent directors.
1988: AICPA issues SAS 61 "Communication with Audit Committees" addressing
communications between the external auditor, audit committee and management of SEC
reporting companies.
1999: NYSE, NASD, AMEX, SEC and AICPA finalize major rule changes based on the Blue Ribbon
Committee on Improving the Effectiveness of the Corporate Audit Committee.
2002: Sarbanes-Oxley Act is passed in the wake of corporate scandals and includes
whistleblower and financial expert disclosure requirements for audit committees.

The Role of the Audit Committee


The audit committee will consist of at least three
and no more than six members of the board of
directors.
Each committee member will be both independent
and financially literate.
At least one member shall be designated as the
"financial expert," as defined by applicable
legislation and regulation. (IIA)

Responsibilities of the Audit Committee

risk management;
internal control;
financial statements;
compliance requirements;
internal audit; and
external audit

Audit Committee Charter


The charter sets forth the general purpose, authority, composition and
responsibilities of the committee.
It should be tailored to the organization.
The committee should determine that all responsibilities outlined in the charter
have been carried out.
The charter should be reviewed, and proposed updates presented to
the board for approval.

Impact of the Sarbanes-Oxley Act of 2002

- increased audit committees' responsibilities and
authority.
- raised membership requirements and committee
composition to include more independent directors.
- Companies were required to disclose whether or
not a financial expert is on the Committee.

Ten Generally Accepted Auditing Standards

Financial Audit Components

Auditing Standards
A Systematic Process
Management Assertions and Audit Objectives
Obtaining Evidence
Ascertaining Materiality
Communicating Results

Audit Risk
- is the probability that the auditor will render an
unqualified (clean) opinion on financial statements
that are, in fact, materially misstated.
Errors - are unintentional mistakes.
Irregularities - are intentional misrepresentations
associated with the commission of a fraud.

Audit Risk Components


Inherent Risk
- is the risk of misstatement due to error or fraud that is said to exist
within a financial statement, based on an assessment by
an independent auditor, regardless of management's awareness of
the error.
Control Risk
- is the likelihood that the control structure is flawed because
controls are either absent or inadequate to prevent or detect errors in
the accounts.
Detection Risk
- is the risk that auditors are willing to take that errors not
detected or prevented by the control structure will also not be
detected by the auditor.

Audit Risk Model


- used by auditors to manage the overall risk of an
audit engagement.
- when inherent and control risk are high, detection risk is
set at a lower level to keep the audit risk at an
acceptable level, and vice versa.
Audit Risk = Inherent Risk x Control Risk x
Detection Risk (AR = IR x CR x DR)
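As an added worked example (not part of the original slides; the risk values are constructed for illustration), rearranging the model shows why planned detection risk must fall when inherent and control risk rise:

$$AR = IR \times CR \times DR \quad\Rightarrow\quad DR = \frac{AR}{IR \times CR}$$

Take an acceptable audit risk of $AR = 0.05$ (constructed value).

Weak controls, risky accounts: $IR = 0.8$, $CR = 0.8$

$$DR = \frac{0.05}{0.8 \times 0.8} = \frac{0.05}{0.64} \approx 0.078$$

Strong controls, low-risk accounts: $IR = 0.5$, $CR = 0.3$

$$DR = \frac{0.05}{0.5 \times 0.3} = \frac{0.05}{0.15} \approx 0.333$$

A lower allowable DR means the auditor can rely less on the client's controls and must apply more substantive procedures to hold AR at the same 0.05; the higher DR in the second case permits less substantive testing.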

The IT Audit

Brief History of Internal Control


Legislation
SEC Acts of 1933 and 1934
(1) require that investors receive financial and other significant information
concerning securities being offered for public sale; and
(2) prohibit deceit, misrepresentations, and other fraud in the sale of
securities.

- Securities Exchange Act, 1934, created the Securities and
Exchange Commission (SEC) and empowered it with broad
authority over all aspects of the securities industry, which included
authority regarding auditing standards.

Copyright Law, 1976
- has had multiple revisions, which added software and other intellectual
property to the existing copyright protection laws.
Foreign Corrupt Practices Act (FCPA) of 1977
The FCPA requires companies registered with the SEC to do the following:

1. Keep records that fairly and reasonably reflect the
transactions of the firm and its financial position.
2. Maintain a system of internal control that provides
reasonable assurance that the organization's objectives are
met.

Committee of Sponsoring Organizations, 1992

Describes the relationship between the firm's
- internal control structure,
- auditor's assessment of risk, and
- the planning of audit procedures
How do these three interrelate?
- The weaker the internal control structure, the
higher the assessed level of risk; the higher the risk,
the more audit procedures are applied in the audit.

Sarbanes-Oxley Act of 2002


- the law supports efforts to increase public
confidence in capital markets by seeking to improve
corporate governance, internal controls, and audit
quality.
- requires management of public companies to
implement an adequate system of internal controls
over their financial reporting process.

Section 302 of SOA 2002


- external auditors must perform the following procedures
quarterly to identify any material modifications in controls that
may impact financial reporting:

1. Interview management regarding any significant changes
in the design or operation of internal control that occurred
subsequent to the preceding annual audit or prior review
of interim financial information.
2. Evaluate the implications of misstatements identified by
the auditor as part of the interim review that relate to
effective internal controls.
3. Determine whether changes in internal controls are likely
to materially affect internal control over financial reporting.

Section 404 of SOA 2002


- requires the management of public companies to assess the
effectiveness of their organizations' internal controls. This entails providing
an annual report addressing the following points:
1. Understand the flow of transactions, including IT aspects, in sufficient
detail to identify points at which a misstatement could arise.
2. Using a risk-based approach, assess both the design and operating
effectiveness of selected internal controls related to material accounts.
3. Assess the potential for fraud in the system and evaluate the controls
designed to prevent or detect fraud.
4. Evaluate and conclude on the adequacy of controls over the financial
statement reporting process.
5. Evaluate entity-wide (general) controls that correspond to the
components of the COSO framework.

Internal Control Objectives


1. Safeguard assets of the firm
2. Ensure accuracy and reliability of accounting
records and information
3. Promote efficiency of the firm's operations
4. Measure compliance with management's
prescribed policies and procedures

Modifying Principles
Management Responsibility
- The establishment and maintenance of a system of
internal control is the responsibility of management.

Reasonable Assurance
- The cost of achieving the objectives of internal control
should not outweigh its benefits.

Methods of Data Processing


- The techniques of achieving the objectives will vary
with different types of technology.

Limitations
- Possibility of honest errors
- Circumvention via collusion
- Management override
- Changing conditions, especially in companies with high
growth

Exposures of Weak Internal Controls (Risk)
Destruction of an asset
Theft of an asset
Corruption of information
Disruption of the information system

The PDC Model

Preventive Controls
- are passive techniques designed to reduce the frequency
of occurrence of undesirable events.
Detective Controls
- are devices, techniques, and procedures designed to
identify and expose undesirable events that elude
preventive controls, and reveal specific types of errors by
comparing actual occurrences to pre-established
standards.
Corrective Controls
- Detective controls identify undesirable events and draw
attention to the problem; corrective controls actually fix
the problem.

COSO Internal Control Framework

Control Environment
Risk Assessment
Information and Communication
Monitoring
Control Activities

Physical Controls
This class of controls relates primarily to the human
activities employed in accounting systems. There
are six types of physical control:
Transaction Authorization
Segregation of Duties
Supervision
Accounting Records
Access Control
Independent Verification

IT Controls
Application controls
- are intended to ensure the validity, completeness, and accuracy of
financial transactions.
Examples: controls over sales order processing, accounts payable,
and payroll applications

General controls
- pertain to the entity-wide computer environment, or all the
systems.
Examples: controls over the data center, organization
databases, systems development, and program maintenance

Audit Implications of SOX


- expands the role of external auditors by mandating
that they attest to the quality of their client
organizations' internal controls.
- constitutes the issuance of a separate audit opinion
on the internal controls in addition to the opinion on
the fairness of the financial statements.

PCAOB Standard No. 5 specifically requires auditors to
understand transaction flows, including the controls pertaining
to how transactions are initiated, authorized, recorded, and
reported.
It places responsibility on auditors to detect fraudulent activity
and emphasizes the importance of controls designed to
prevent or detect fraud that could lead to material
misstatement of the financial statements.
PCAOB Auditing Standard No. 5 emphasizes that
management and auditors use a risk-based approach rather
than a one-size-fits-all approach in the design and assessment
of controls.
