REVIEW and INTRODUCTION

Attestation versus Assurance

• Attestation:
– practitioner is engaged to issue a written
communication that expresses a conclusion about
the reliability of a written assertion that is the
responsibility of another party.
• Assurance:
– professional services that are designed to improve
the quality of information, both financial and non-
financial, used by decision-makers
– includes, but is not limited to attestation
Attest and Assurance Services
What is an External Financial Audit?
• An independent attestation by a professional
(CPA) regarding the faithful representation of
the financial statements
• Three phases of a financial audit:
– familiarization with client firm
– evaluation and testing of internal controls
– assessment of reliability of financial data
Generally Accepted Auditing Standards
(GAAS)
Auditing Management’s Assertions
 External versus Internal Auditing
• External auditors – represent the interests of
third party stakeholders
• Internal auditors – serve an independent
appraisal function within the organization
– Often perform tasks which can reduce external
audit fees and help to achieve audit efficiency
and reduce audit fees
 What is an IT Audit?
Since most information systems employ IT,
the IT audit is a critical component of all
external and internal audits.
• IT audits:
– focus on the computer-based aspects of an
organization’s information system
– assess the proper implementation, operation,
and control of computer resources
 Elements of an IT Audit
• Systematic procedures are used
• Evidence is obtained
– tests of internal controls
– substantive tests
• Determination of materiality for weaknesses
found
• Prepare audit report & audit opinion
Phases of an IT Audit
 Audit Risk is...
the probability the auditor will issue an
unqualified (clean) opinion when in fact the
financial statements are materially misstated.
 Three Components of Audit Risk
• Inherent risk – associated with the unique
characteristics of the business or industry of
the client
• Control risk – the likelihood that the control
structure is flawed because controls are either
absent or inadequate to prevent or detect
errors in the accounts
• Detection risk – the risk that errors not
detected or prevented by the control structure
will also not be detected by the auditor
 Test of Controls and Substantive Tests
- These are auditing techniques used for
reducing total audit risk.
- The lower the control risk, the less substantive
testing the auditor must do.
- Increased substantive testing translates into
longer and more disruptive audits and higher
audit costs.
 INTERNAL CONTROL
CONCEPTS and TECHNIQUES
 The internal control system comprises
policies, practices, and procedures employed by
the organization to achieve four broad
objectives:
• To safeguard assets of the firm.
• To ensure accuracy and reliability of
accounting records and information.
• To promote efficiency in the firm’s operations.
• To measure compliance with management’s
prescribed policies and procedures.
 Four Modifying Assumptions
1. Management Responsibility
2. Reasonable Assurance
3. Methods of Data Processing
4. Limitations
– the possibility of error
– Circumvention
– management override
– changing conditions
 Weak Internal Control
A weakness in internal control may expose
the firm to one or more of the following types of
risks:
• Destruction of assets (both physical assets and
information)
• Theft of assets
• Corruption of information or the information
system
• Disruption of the information system
The Internal Controls Shield
 The P-D-C Internal Control Model
Preventive Controls
- passive techniques designed to reduce the
frequency of occurrence of undesirable event.
Detective Controls
- devices, techniques and procedures designed to
identify and expose undesirable events that elude
preventive controls.
Corrective Controls
- actions taken to reverse the effects of errors
detected in the previous step.
Preventive, Detective, and Corrective
Controls
 Five Components of Internal Control
System

• The Control Environment

• Risk Assessment
• Information and Communication
• Monitoring
• Control Activities
 1: The Control Environment
• Integrity and ethics of management
• Organizational structure
• Role of the board of directors and the audit
committee
• Management’s policies and philosophy
• Delegation of responsibility and authority
• Performance evaluation measures
• External influences—regulatory agencies
• Policies and practices managing human resources
 2: Risk Assessment
• Identify, analyze and manage risks relevant
to financial reporting:
– changes in external environment
– risky foreign markets
– significant and rapid growth that strain internal
controls
– new product lines
– restructuring, downsizing
– changes in accounting policies
3: Information and Communication

• The AIS should produce high quality information

which:
– identifies and records all valid transactions
– provides timely information in appropriate detail to
permit proper classification and financial reporting
– accurately measures the financial value of
transactions
– accurately records transactions in the time period in
which they occurred
 Information and Communication
• Auditors must obtain sufficient knowledge of the IS to
understand:
– the classes of transactions that are material
• how these transactions are initiated
• the associated accounting records and accounts used in
processing
– the transaction processing steps involved from the
initiation of a transaction to its inclusion in the
financial statements
– the financial reporting process used to compile
financial statements, disclosures, and estimates
 4: Monitoring
The process for assessing the quality of internal
control design and operation
• Separate procedures—test of controls by internal auditors
• Ongoing monitoring:
– computer modules integrated into routine
operations
– management reports which highlight trends and
exceptions from normal performance
 5: Control Activities
• Policies and procedures to ensure that the
appropriate actions are taken in response to
identified risks
• Fall into two distinct categories:
– IT /Computer controls—relate specifically to the
computer environment
– Physical controls—primarily pertain to human
activities
 Two Types of IT Controls

• General controls—pertain to the entitywide

computer environment
– Examples: controls over the data center,
organization databases, systems development,
and program maintenance
• Application controls—ensure the integrity of
specific systems
– Examples: controls over sales order processing,
accounts payable, and payroll applications
 Six Types of Physical Controls

• Transaction Authorization
• Segregation of Duties
• Supervision
• Accounting Records
• Access Control
• Independent Verification
 Physical Controls
Transaction Authorization
• used to ensure that employees are carrying
out only authorized transactions
• general (everyday procedures) or specific
(non-routine transactions) authorizations
 Physical Controls
Segregation of Duties
• In manual systems, separation between:
– authorizing and processing a transaction
– custody and recordkeeping of the asset
– subtasks
• In computerized systems, separation between:
– program coding
– program processing
– program maintenance
 Physical Controls
Supervision
• a compensation for lack of segregation;
some may be built into computer systems
Accounting Records
• provide an audit trail
 Physical Controls
Access Controls
• help to safeguard assets by restricting
physical access to them
Independent Verification
• reviewing batch totals or reconciling
subsidiary accounts with control accounts
 Nested Control Objectives for
Transactions

Control Authorization Processing

Objective 1

Control Authorization Custody Recording

Objective 2

Custody Recording

Control Authorization Task 1 Task 2 Task 1 Task 2

Objective 3
 Physical Controls in IT Contexts

Transaction Authorization
• The rules are often embedded within
computer programs.
– EDI/JIT: automated re-ordering of inventory
without human intervention
 Physical Controls in IT Contexts

Segregation of Duties
• A computer program may perform many tasks
that are deemed incompatible.
• Thus the crucial need to separate program
development, program operations, and program
maintenance.
 Physical Controls in IT Contexts
Supervision
• The ability to assess competent employees
becomes more challenging due to the greater
technical knowledge required.
 Physical Controls in IT Contexts

Accounting Records
• ledger accounts and sometimes source
documents are kept magnetically
– no audit trail is readily apparent
 Physical Controls in IT Contexts

Access Control
• Data consolidation exposes the organization to
computer fraud and excessive losses from
disaster.
 Physical Controls in IT Contexts

Independent Verification
• When tasks are performed by the computer
rather than manually, the need for an
independent check is not necessary.
• However, the programs themselves are checked.
END OF DISCUSSION