Chapter 1: Auditing, Assurance, and Internal Control
Syllabus
- Course Description
- Textbooks
- Course Objectives
- Exams
- Research Papers
- Assignments
- Class Schedule
- Performance Evaluation
Syllabus (cont.)
- Class Format
  - Lecture and Discussion
  - In-Class Assignments
  - Short Presentations
- Blackboard and Class Website: stpt.usf.edu/gkearns/acg6936
- Academic Dishonesty
- Disruption of the Academic Process
IT AUDITS
IT audits: provide audit services where processes or data, or both, are embedded in technologies.
- Subject to ethics, guidelines, and standards of the profession (if certified)
- CISA
- Most closely associated with ISACA
- Joint with internal, external, and fraud audits
- Scope of IT audit coverage is increasing
- Characterized by CAATTs
- IT governance as part of corporate governance
FRAUD AUDITS
Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
- Auditor is more like a detective
- No materiality
- Goal is conviction, if sufficient evidence of fraud exists
- CFE
- ACFE
EXTERNAL AUDITS
External auditing: Objective is that in all material respects, financial statements are a fair representation of organization’s transactions and account balances.
- SEC’s role
- Sarbanes-Oxley Act
- FASB - PCAOB
- CPA
- AICPA
ATTEST vs. ASSURANCE
ASSURANCE
- Professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers
- IT Audit Groups in “Big Four” (e.g. Final Four)
  - IT Risk Management
  - I.S. Risk Management
  - Operational Systems Risk Management
  - Technology & Security Risk Services
- Typically a division of assurance services
ATTEST definition
- Written assertions
- Practitioner’s written report
- Formal establishment of measurement criteria or their description
- Limited to:
  - Examination
  - Review
  - Application of agreed-upon procedures
THE IT ENVIRONMENT
There has always been a need for an effective internal control system.
The design and oversight of that system has typically been the responsibility of accountants.
The I.T. Environment complicates the paper systems of the past.
- Concentration of data
- Expanded access and linkages
- Increase in malicious activities in systems vs. paper
- Opportunity that can cause management fraud (i.e., override)
IT Investigative and Forensic Techniques for Auditors
Purpose: To assist auditors in developing the knowledge, skills, and abilities to provide reasonable assurance for the security, availability, integrity and management of information systems and resources.
The IT Audit
An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives.
The IT Audit
These reviews may be performed in conjunction with a financial statement audit, an internal audit, or other form of attestation engagement.
External auditors can accept the result of an internal audit only if the function reports to the audit committee.
External auditors may use and rely upon a 3rd party IT audit firm.
IT Audit Process: 8 Steps
1. Plan the audit
2. Hold kickoff meeting
3. Gather data/test IT controls
4. Remediate identified deficiencies (organization)
5. Test remediated controls
6. Analyze and report findings
7. Respond to findings (organization)
8. Issue final report (auditor)
INTERNAL CONTROL
is … policies, practices, procedures … designed to …
- safeguard assets
- ensure accuracy and reliability
- promote efficiency
- measure compliance with policies
BRIEF HISTORY - SEC
SEC acts of 1933 and 1934
All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.
BRIEF HISTORY - Copyright
Federal Copyright Act 1976
1. Protects intellectual property in the U.S.
2. Has been amended numerous times since
3. Management is legally responsible for violations of the organization
4. U.S. government has continually sought international agreement on terms for protection of intellectual property globally vs. nationally
BRIEF HISTORY - FCPA
Foreign Corrupt Practices Act 1977
1. Accounting provisions
   - FCPA requires SEC registrants to establish and maintain books, records, and accounts.
   - It also requires establishment of internal accounting controls sufficient to meet objectives.
     1. Transactions are executed in accordance with management’s general or specific authorization.
     2. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
     3. Access to assets is permitted only in accordance with management authorization.
     4. The recorded assets are compared with existing assets at reasonable intervals.
2. Illegal foreign payments
BRIEF HISTORY - COSO
Committee on Sponsoring Organizations - 1992
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management perspective model for internal controls over a number of years
3. Is widely adopted
BRIEF HISTORY – S-OX
Sarbanes-Oxley Act - 2002
1. Section 404: Management Assessment of Internal Control
   - Management is responsible for establishing and maintaining internal control structure and procedures.
   - Must certify by report on the effectiveness of internal control each year, with other annual reports.
2. Section 302: Corporate Responsibility for Incident Reports
   - Financial executives must disclose deficiencies in internal control, and fraud (whether fraud is material or not).
EXPOSURES AND RISK
- Exposure (definition)
- Risks (definition)
- Types of risk
  - Destruction of assets
  - Theft of assets
  - Corruption of information or the I.S.
  - Disruption of the I.S.
THE P-D-C MODEL
- Preventive controls
- Detective controls
- Corrective controls
- Which is most cost effective?
- Which one tends to be proactive measures?
- Can you give an example of each?
- Predictive controls
COSO (Treadway Commission)
The five components of internal control are:
- The control environment
- Risk assessment
- Information & communication
- Monitoring
- Control activities
SAS 78
The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) incorporated the components of internal control presented in the COSO Report in its Statement on Auditing Standards No. 78 (SAS 78), entitled “Consideration of Internal Control in a Financial Statement Audit.”
SAS 78 (#1: Control Environment -- elements)
Describe how each one could adversely affect internal control.
- The integrity and ethical values
- Structure of the organization
- Participation of audit committee
- Management’s philosophy and style
- Procedures for delegating
SAS 78 (#1: Control Environment -- elements)
- Management’s methods of assessing performance
- External influences
- Organization’s policies and practices for managing human resources
SAS 78 (#1: Control Environment -- techniques)
Describe possible activity or tool for each.
- Assess the integrity of organization’s management
- Conditions conducive to management fraud
- Understand client’s business and industry
- Determine if board and audit committee are actively involved
- Study organization structure
SAS 78 (#2: Risk Assessment)
- Changes in environment
- Changes in personnel
- Changes in I.S.
- New IT’s
- Significant or rapid growth
- New products or services (experience)
- Organizational restructuring
- Foreign markets
- New accounting principles
SAS 78 (#3: Information & Communication - elements)
Initiate, identify, analyze, classify and record economic transactions and events.
- Identify and record all valid economic transactions
- Provide timely, detailed information
- Accurately measure financial values
- Accurately record transactions
SAS 78 (#3: Information & Communication - techniques)
Auditors obtain sufficient knowledge of I.S.’s to understand:
- Classes of transactions that are material
- Accounting records and accounts used
- Processing steps: initiation to inclusion in financial statements (illustrate)
- Financial reporting process (including disclosures)
SAS 78 (#4: Monitoring)
- By separate procedures (e.g., tests of controls)
- By ongoing activities (Embedded Audit Modules – EAMs and Continuous Online Auditing - COA)
SAS 94
The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit
Provides auditors with guidance on IT’s effect on internal control and on the auditor’s understanding of internal control and the assessment of control risk.
Requires the auditor to consider how an organization’s IT use affects his or her audit strategy.
Where a significant amount of information is electronic, the auditor may decide it is not practical or possible to limit detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such cases, the auditor should gather evidence about the effectiveness of both the design and operation of controls intended to reduce the assessed level of control risk.
SAS 78 (#5: Control Activities)
Physical Controls (1-3)
- Transaction authorization
  - Example:
    - Sales only to authorized customer
    - Sales only if available credit limit
- Segregation of duties
  - Examples of incompatible duties:
    - Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
    - Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
    - Fraud requires collusion [e.g., separate various steps in process]
- Supervision
  - Serves as compensating control when lack of segregation of duties exists by necessity
Physical Controls (4-6)
- Accounting records (audit trails; examples)
- Access controls
  - Direct (the assets)
  - Indirect (documents that control the assets)
  - Fraud
  - Disaster Recovery
- Independent verification
  - Management can assess:
    - The performance of individuals
    - The integrity of the AIS
    - The integrity of the data in the records
  - Examples
IT Risks Model
- Operations
- Data management systems
- New systems development
- Systems maintenance
- Electronic commerce (The Internet)
- Computer applications
End Ch. 1