CHAPTER 25 Assurance Services: Internal Auditing and Comprehensive Auditing
Ch1_IT Auditing and Assurance
-
Upload
little-bunny-foo-foo -
Category
Documents
-
view
64 -
download
2
description
Transcript of Ch1_IT Auditing and Assurance
Chapter 1:Auditing, Assurance, and
Internal Control
Hall & Singleton, 2e
AUDITING
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and establishing criteria and communicating the results to interested users.
INTERNAL AUDITS
Internal auditing: independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
Financial Audits Operational Audits Compliance Audits Fraud Audits IT Audits
CIA IIA
IT AUDITS
IT audits: provide audit services where processes or data, or both, are embedded in technologies.Subject to ethics, guidelines, and standards of the
profession (if certified) CISA Most closely associated with ISACA
Joint with internal, external, and fraud auditsScope of IT audit coverage is increasingCharacterized by CAATTs IT governance as part of corporate governance
FRAUD AUDITS
Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.Auditor is more like a detectiveNo materialityGoal is conviction, if sufficient evidence of fraud
exists CFE ACFE
EXTERNAL AUDITS
External auditing: Objective is that in all material respects, financial statements are a fair representation of organization’s transactions and account balances.
SEC’s roleSarbanes-Oxley ActFASB - PCAOB
CPA AICPA
EXTERNAL vs. INTERNAL External auditing:
Independent auditor (CPA) Independence defined by SEC/S-OX/AICPA Required by SEC for publicly-traded companies Referred to as a “financial audit” Represents interests of outsiders, “the public” (e.g.,
stockholders) Standards, guidance, certification governed by AICPA, FASB,
PCAOB; delegated by SEC who has final authority Internal auditing:
Auditor (often a CIA or CISA) Is an employee of organization imposing independence on self Optional per management requirements Broader services than financial audit; (e.g., operational audits) Represent interests of the organization Standards, guidance, certification governed by IIA and ISACA
FINANCIAL AUDITS
An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements
Key concept: Independence {Should be} Similar to a trial by judge Culmination of systematic process involving:
Familiarization with the organization’s business Evaluating and testing internal controls Assessing the reliability of financial data
Product is formal written report that expresses an opinion about the reliability of the assertions in financial statements; in conformity with GAAP
ATTEST definition Written assertionsPractitioner’s written reportFormal establishment of measurement criteria or their
descriptionLimited to:
ExaminationReviewApplication of agreed-upon procedures
ATTEST vs. ASSURANCE
ASSURANCEProfessional services that are designed to improve
the quality of information, both financial and non-financial, used by decision-makers
IT Audit Groups in “Big Four” IT Risk Management I.S. Risk ManagementOperational Systems Risk ManagementTechnology & Security Risk ServicesTypically a division of assurance services
AUDITING STANDARDS
Auditing standardsSet by AICPAAuthoritative#1 = Ten Generally Accepted Auditing Standards
(GAAS)Three categories:
General StandardsStandards of Field WorkReporting Standards
# 2 = Statements on Auditing Standards (SASs)SAS #1 issued by AICPA in 1972
AUDITS
Systematic process Five primary management assertions, and
correlated audit objectives and procedures [Table 1-1]
Existence or OccurrenceCompletenessRights & ObligationsValuation or AllocationPresentation or Disclosure
AUDITS
Phases [Figure 1-3]
1. Planning2. Obtaining evidence
Tests of Controls Substantive Testing
CAATTs Analytical procedures
3. Ascertaining reliability MATERIALITY
4. Communicating results Audit opinion
Audit Risk Formula
AUDIT RISK:The probability that the auditor
will give an inappropriate opinion on the financial statements: that is, that the statements will contain materials misstatement(s) which the auditor fails to find
Audit Risk Formula
INHERENT RISK:The probability that material
misstatements have occurredMaterial vs. Immaterial
Includes economic conditions, etc.Relative risk (e.g., cash)
Audit Risk Formula
CONTROL RISK:The probability that the internal controls
will fail to detect material misstatements
Audit Risk Formula
DETECTION RISK:The probability that the audit
procedures will fail to detect material misstatements
Substantive procedures
Audit Risk Formula
AUDIT RISK MODEL:AR = IR * CR * DRexample inventory with:
IR=40%, CR=60%, AR=5% (fixed).05 = .4 * .6 * DR... then DR=4.8%
Why is AR = 5%?What is detection risk?Can CR realistically be 0?Relationship between DR and substantive
procedures
Audit Risk Model
Relationship between tests of controls and substantive tests Illustrate higher reliability of the internal controls and
the Audit Risk ModelWhat happens if internal controls are more reliable than last
audit?Last year: .05 = .4 * .6 * DR [DR = 4.8]This year: .05 = .4 * .4 * DR [DR = 3.2] The more reliable the internal controls, the lower the CR
probability; thus the lower the DR will be, and fewer substantive tests are necessary.
Substantive tests are labor intensive
Role of Audit Committee
Selected from board of directors Usually three members Outsiders (S-OX now requires it) Fiduciary responsibility to shareholders Serve as independent check and balance
system Interact with internal auditors Hire, set fees, and interact with external auditors Resolved conflicts of GAAP between external
auditors and management
What is an IT Audit?
… most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient. … These technologies greatly change the nature of audits, which have so long relied on paper documents.
THE IT ENVIRONMENT
There has always been a need for an effective internal control system.
The design and oversight of that system has typically been the responsibility of accountants.
The I.T. Environment complicates the paper systems of the past.Concentration of dataExpanded access and linkages Increase in malicious activities in systems vs. paperOpportunity that can cause management fraud (i.e.,
override)
THE IT ENVIRONMENT
Audit planning
Tests of controls
Substantive testsCAATTs
INTERNAL CONTROL
is … policies, practices, procedures … designed to …
safeguard assetsensure accuracy and reliabilitypromote efficiencymeasure compliance with policies
BRIEF HISTORY - SEC
SEC acts of 1933 and 1934
“Ivar Kreuger’s Contribution to U.S. Financial Reporting,” Accounting Review, Flesher & Flesher
All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.
BRIEF HISTORY - Copyright
Federal Copyright Act 1976
1. Protects intellectual property in the U.S.2. Has been amended numerous times since3. Management is legally responsible for violations of
the organization4. U.S. government has continually sought
international agreement on terms for protection of intellectual property globally vs. nationally
BRIEF HISTORY - FCPA
Foreign Corrupt Practices Act 19771. Accounting provisions
FCPA requires SEC registrants to establish and maintain books, records, and accounts.
It also requires establishment of internal accounting controls sufficient to meet objectives.
1. Transactions are executed in accordance with management’s general or specific authorization.
2. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
3. Access to assets is permitted only in accordance with management authorization.
4. The recorded assets are compared with existing assets at reasonable intervals.
2. Illegal foreign payments
BRIEF HISTORY - COSO
Committee on Sponsoring Organizations - 1992
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management perspective model
for internal controls over a number of years
3. Is widely adopted
BRIEF HISTORY – S-OX
Sarbanes-Oxley Act - 20021. Section 404: Management Assessment of Internal
Control Management is responsible for establishing and maintaining
internal control structure and procedures. Must certify by report on the effectiveness of internal control
each year, with other annual reports.
2. Section 302: Corporate Responsibility for Incident Reports Financial executives must disclose deficiencies in internal
control, and fraud (whether fraud is material or not).
Modifying Assumptions
1. Management responsibility
2. Reasonable assurance no I.C.S. is perfect benefits => costs
3. Methods of data processing Objectives same regardless of DP method Specific controls vary w/different
technologies
Modifying Assumptions
4. Limitations Possibility of error Possibility of circumvention Management override Changing conditions
EXPOSURES AND RISK
Exposure (definition)
Risks (definition)
Types of riskDestruction of assetsTheft of assetsCorruption of information or the I.S.Disruption of the I.S.
THE P-D-C MODEL
Preventive controlsDetective controlsCorrective controls
Which is most cost effective?Which one tends to be proactive measures?Can you give an example of each?
Predictive controls
SAS 78: Consideration of Internal Control in a Financial Statement Audit
• COSO (Treadway Commission)The control environmentRisk assessmentInformation & communicationMonitoringControl activities
SAS 78(#1:Control Environment -- elements)
Describe how each one could adversely affect internal control.
The integrity and ethical valuesStructure of the organizationParticipation of audit committeeManagement’s philosophy and styleProcedures for delegating
SAS 78 (#1:Control Environment -- elements)
Management’s methods of assessing performance
External influencesOrganization’s policies and practices for
managing human resources
SAS 78 (#1:Control Environment -- techniques)
Describe possible activity or tool for each. Assess the integrity of organization’s
management Conditions conducive to management fraud Understand client’s business and industry Determine if board and audit committee are
actively involved Study organization structure
SAS 78 (#2:Risk Assessment)
Changes in environment Changes in personnel Changes in I.S. New IT’s Significant or rapid growth New products or services (experience) Organizational restructuring Foreign markets New accounting principles
SAS 78 (#3:Information & Communication-elements)
Initiate, identify, analyze, classify and record Initiate, identify, analyze, classify and record economic transactions and events.economic transactions and events.
Identify and record all valid economic transactions
Provide timely, detailed informationAccurately measure financial valuesAccurately record transactions
SAS 78(#3:Information & Communication-techniques)
Auditors obtain sufficient knowledge of I.S.’s to understand:Classes of transactions that are materialAccounting records and accounts usedProcessing steps:initiation to inclusion in
financial statements (illustrate)Financial reporting process (including
disclosures)
SAS 78(#4: Monitoring)
By separate procedures (e.g., tests of controls)
By ongoing activities (Embedded Audit Modules – EAMs and Continuous Online Auditing - COA)
SAS 78(#5: Control Activities)
Physical Controls (1-3)Transaction authorization
Example: Sales only to authorized customer Sales only if available credit limit
Segregation of dutiesExamples of incompatible duties:
Authorization vs. processing [e.g., Sales vs. Auth. Cust.] Custody vs. recordkeeping [e.g., custody of inventory vs.
DP of inventory] Fraud requires collusion [e.g., separate various steps in
process]
SupervisionServes as compensating control when lack of segregation
of duties exists by necessity
Physical Controls (4-6)Accounting records (audit trails; examples)Access controls
Direct (the assets) Indirect (documents that control the assets)Fraud Disaster Recovery
Independent verificationManagement can assess:
The performance of individuals The integrity of the AIS The integrity of the data in the records Examples
IT Risks Model
OperationsData management systemsNew systems developmentSystems maintenanceElectronic commerce (The Internet)Computer applications