Intro to Audit and Caats


Transcript of Intro to Audit and Caats

Page 1: Intro to Audit and Caats

8/4/2019 Intro to Audit and Caats

http://slidepdf.com/reader/full/intro-to-audit-and-caats 1/34

10-1

AUDITING


Auditing

AAA’s Definition: Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.

My Definition: To examine and assure


Auditing

2 broad categories of audits:
1. Internal Auditing (R&S focus)
2. External Auditing


Internal Auditing

Who does it? Internal employees (outsource)

For whom? Management

What? Employee adherence to company policies and procedures – efficiency and effectiveness


Internal Auditing - Types

- Information systems: review AIS controls to assess compliance with internal control policies/procedures & effectiveness in safeguarding assets
- Operational/management: reviews company resources and operations – for efficiency, effectiveness, as planned
- Compliance: ensure compliance with laws, rules, and regulations


External Auditing (FS Audit)

Who does it? Independent, external auditors

For whom? SEC, investors

What? Examination of a client’s FS for the purpose of deciding whether or not the FS are fairly presented according to GAAP.

- Attest function: give an opinion on the fairness of the FS wrt GAAP applying GAAS.
- Reliability and integrity of accounting records


5 Step Audit Process (for all audit types)

(1) Audit Planning: establish audit objectives, identify risks, audit program
(2) Collect audit evidence: interviews, examinations, recalculations, sampling
(3) Evaluate evidence: materiality
(4) Arrive at an opinion – FS: standard unqualified, unqualified with explanatory paragraph, qualified, adverse, disclaimer
(5) Communicate Audit Results – FS: audit report

IDEA, ACL


Auditing Around vs Through the Computer

[Diagram labels: INPUT, PROCESSING, OUTPUT; paths labelled THROUGH and AROUND]


Auditing Around the Computer

- Ignores the controls and computer processing - assumes accurate output = proper processing
- Auditor examines, on a sample basis, inputs to the computer and corresponding outputs
- Suitable only if the following conditions are met:
  1. Computer processing is relatively simple
  2. Audit trail is clearly visible
  3. A substantial amount of up-to-date documentation exists about how the system works.


Audit Trail in Computer-Based System

- Visibility of audit trail is diminished
- In relational database systems, foreign keys that link related tables form an electronic audit trail.

Example (diagram labels): I/S Revenue; Sale invoice; Customer Table; Customer ID; Invoice No.
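
Following the foreign-key audit trail from revenue to invoices to the customer table, as an added example that is not part of the original slides. Table names, column names and all rows are constructed assumptions.

```python
import sqlite3

def build_ledger():
    """Constructed sample data; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    # SQLite leaves foreign-key enforcement off by default, so a dangling
    # customer_id can be stored even though the key is declared.
    db.executescript("""
        CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE sale_invoice (
            invoice_no   INTEGER PRIMARY KEY,
            customer_id  INTEGER REFERENCES customer(customer_id),
            amount_cents INTEGER NOT NULL);
        INSERT INTO customer VALUES (1, 'Acme Ltd'), (2, 'Birch Co');
        INSERT INTO sale_invoice VALUES
            (1001, 1, 25000), (1002, 2, 40000),
            (1003, 9, 99900), (1005, 1, 10000);
    """)
    return db

def orphan_invoices(db):
    """Invoices whose customer_id matches no customer row: the trail breaks here."""
    return db.execute("""
        SELECT i.invoice_no, i.customer_id, i.amount_cents
        FROM sale_invoice i
        LEFT JOIN customer c ON c.customer_id = i.customer_id
        WHERE c.customer_id IS NULL
        ORDER BY i.invoice_no""").fetchall()

def missing_invoice_numbers(db):
    """Gaps in the invoice number sequence, which an auditor would ask about."""
    nums = [n for (n,) in db.execute(
        "SELECT invoice_no FROM sale_invoice ORDER BY invoice_no")]
    return sorted(set(range(nums[0], nums[-1] + 1)) - set(nums))

def trace_revenue(db, reported_cents):
    """Split reported revenue into the part traceable to a known customer and the rest."""
    (supported,) = db.execute("""
        SELECT COALESCE(SUM(i.amount_cents), 0)
        FROM sale_invoice i
        JOIN customer c ON c.customer_id = i.customer_id""").fetchone()
    return {"reported": reported_cents, "supported": supported,
            "unsupported": reported_cents - supported}

if __name__ == "__main__":
    ledger = build_ledger()
    print(orphan_invoices(ledger), missing_invoice_numbers(ledger))
    print(trace_revenue(ledger, 174900))
```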


Auditing Through the Computer

- Auditor follows the audit trail through the internal computer operations; attempts to verify that the processing controls are functioning correctly
- Directly tests the computer controls and verifies the accuracy of computer-based processing of input data.
- Tests controls that, if functioning properly, would prevent errors from occurring.


Which approach is best?

Let’s look at the audit guidelines…..


Auditing Standards

Statement on Auditing Standards (SAS) 94 “The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit”

- Auditors must have sufficient understanding (and document) of each of the 5 components of the IC when planning the audit (2C RIM)
- Addresses the effects of IT on IC
- May need to design tests of controls in addition to substantive tests (of balances)


AUDIT BENEFITS OF THE IT ENVIRONMENT (SAS 94)

- Consistent processing of large volumes of transactions or data
- Enhanced information timeliness, availability, and accuracy
- Facilitation of the additional analysis of information
- Enhanced ability to monitor the performance of activities, policies, and procedures
- Reduction in the risk that controls will be circumvented, if IT system controls are effective


RISKS OF THE IT ENVIRONMENT (SAS 94)

- Incorrectly processing data or consistently processing inaccurate data
- Unauthorized access to data that might be destroyed or improperly changed
- Unauthorized changes to computer programs
- Failure to make necessary changes to computer programs
- Inappropriate manual intervention
- Potential loss of data
- Increase in potential loss resulting from computer fraud relative to manual fraud (increase of 10X).


Which is the best approach?

Auditing Through the computer


Auditing Through the Computer

1. Testing Computer Programs
- Test data: exception data, compare processed info to predetermined answers
- ITF (Integrated Test Facility): process transaction to update dummy records (TEST DATA IN REAL SYSTEM!!!)
- Parallel Simulation: live data in program written by auditor (COSTLY!!!)


Auditing Through the Computer

2. Validate Computer Programs
- Test of program change control: make sure IC procedures exist and are followed
- Program comparison: compare production program with archived old version (trojan horse, salami)
- Surprise audits and surprise use of programs: compare accounting application programs unexpectedly with authorized version
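
One way to carry out the program comparison described above, as an added example that is not part of the original slides: hash every file in the archived authorized copy and in production, then report what differs. The directory layout, file names and contents are constructed, and the authorized copy is assumed to be held outside the control of the people who maintain production.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def compare_programs(authorized_dir, production_dir):
    """Compare production programs against the archived authorized copies."""
    auth, prod = snapshot(authorized_dir), snapshot(production_dir)
    return {
        "modified": sorted(n for n in auth.keys() & prod.keys() if auth[n] != prod[n]),
        "missing": sorted(auth.keys() - prod.keys()),
        "unauthorized": sorted(prod.keys() - auth.keys()),
    }

def demo():
    """Constructed sample: file names and contents are made up for illustration."""
    with tempfile.TemporaryDirectory() as tmp:
        auth, prod = Path(tmp, "authorized"), Path(tmp, "production")
        auth.mkdir()
        prod.mkdir()
        for name, text in {"payroll.py": "pay = hours * rate\n",
                           "interest.py": "interest = round(balance * rate, 2)\n",
                           "report.py": "print(total)\n"}.items():
            (auth / name).write_text(text)
        (prod / "payroll.py").write_text("pay = hours * rate\n")
        # Same program name, different logic: the change the comparison should surface.
        (prod / "interest.py").write_text("interest = int(balance * rate * 100) / 100\n")
        (prod / "helper.py").write_text("pass\n")  # no authorized counterpart
        return compare_programs(auth, prod)

if __name__ == "__main__":
    print(demo())
```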


Auditing Through the Computer

3. Review of systems software
- Operating systems software
- Utility programs that do basic “housekeeping” chores such as sorting and copying
- Program library software that controls and monitors storage of programs
- Access control software that controls logical access to programs and data files


Auditing Through the Computer

4. Continuous Auditing: Audit tools installed within the IS
- Audit hooks
- Continuous and intermittent simulation
- Embedded audit modules
- Exception reporting
- SCARF
- Snapshot technique
- Transaction tagging

Match these terms with their definitions on the next slides


Auditing Through the Computer

Embedded audit modules:
- Application subroutine that captures data for audit purposes
- Write to a special log file called SCARF (systems control audit review file)
- Ex: transactions affecting inactive accounts, deviating from company policy, write-downs of asset values


Auditing Through the Computer

Audit hooks: audit routine that flags suspicious transactions (real-time notification)

Exception reporting: mechanisms that reject certain transactions that fall outside predefined specifications
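
The embedded audit module with its SCARF file, the audit hook and exception reporting, side by side in one posting routine. This is an added example, not part of the original slides; the class names, limits, account numbers and transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
# Assumed policy values for this example; the slides give none.
APPROVAL_LIMIT_CENTS = 500_000    # payments above this need approval
MAX_AMOUNT_CENTS = 5_000_000      # predefined specification for exception reporting

@dataclass
class Txn:
    txn_id: str
    account: str
    kind: str               # "payment" or "write_down"
    amount_cents: int
    approved: bool = False

class Ledger:
    def __init__(self, inactive_accounts, notify):
        self.inactive = set(inactive_accounts)
        self.notify = notify                      # audit hook callback
        self.posted, self.scarf, self.exceptions = [], [], []

    def audit_reasons(self, t):
        """Embedded audit module: the three capture criteria named on the slide."""
        reasons = []
        if t.account in self.inactive:
            reasons.append("inactive account")
        if t.kind == "payment" and t.amount_cents > APPROVAL_LIMIT_CENTS and not t.approved:
            reasons.append("policy deviation")
        if t.kind == "write_down":
            reasons.append("asset write-down")
        return reasons

    def post(self, t):
        # Exception reporting: outside the specification, so rejected and reported.
        if not 0 < t.amount_cents <= MAX_AMOUNT_CENTS:
            self.exceptions.append((t.txn_id, "amount outside specification"))
            return False
        reasons = self.audit_reasons(t)
        if reasons:
            self.scarf.append((t.txn_id, reasons))   # SCARF record for later review
            self.notify(t.txn_id, reasons)           # audit hook: real-time flag
        self.posted.append(t.txn_id)                 # flagged transactions still post
        return True

def run_demo():  # constructed transactions; IDs and accounts are made up
    alerts = []
    ledger = Ledger({"ACC-9"}, lambda txn_id, why: alerts.append(txn_id))
    for t in [Txn("T1", "ACC-1", "payment", 120_000), Txn("T2", "ACC-9", "payment", 700_000),
              Txn("T3", "ACC-2", "write_down", 90_000), Txn("T4", "ACC-1", "payment", 9_000_000)]:
        ledger.post(t)
    return ledger, alerts
```

Flagged transactions are still posted and only recorded for review, while the out-of-specification one never reaches the ledger.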


Auditing Through the Computer

Transaction tagging
- Place a special identifier on transactions so that they can be recorded as they pass through the IS.
- EX: tag an employee’s transaction records, manually calculate & compare

Snapshot technique
- Audit modules record selected transactions before and after processing. Auditor reviews to make sure all processing steps performed properly.


Auditing Through the Computer

Continuous and intermittent simulation (CIS)
- audit module in DBMS
- examines all transactions that update the DBMS. If a transaction has special audit significance, the audit module independently processes the data, records the results and compares them with the DBMS results. If discrepancies, written to an audit log for subsequent review OR may stop DBMS from executing the update process.
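
The CIS flow described above, as an added example that is not part of the original slides: every update passes the audit module, significant ones are recomputed independently, and a discrepancy is either logged or stops the update. The interest routine, the threshold used for "special audit significance", and the balances are constructed assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
AUDIT_THRESHOLD = Decimal("10000.00")   # assumed test for "special audit significance"

def dbms_interest(balance, rate):
    """Stand-in for the production routine; truncating to the cent is a constructed defect."""
    return (balance * rate).quantize(CENT, rounding=ROUND_DOWN)

def auditor_interest(balance, rate):
    """The auditor's independent calculation of the same figure."""
    return (balance * rate).quantize(CENT, rounding=ROUND_HALF_UP)

class CISModule:
    def __init__(self, stop_on_discrepancy=False):
        self.stop_on_discrepancy = stop_on_discrepancy
        self.audit_log = []

    def allow_update(self, account, balance, rate, dbms_result):
        """Examine one update; return False only when the update must be stopped."""
        if balance < AUDIT_THRESHOLD:
            return True                      # seen, but not selected for simulation
        expected = auditor_interest(balance, rate)
        if expected == dbms_result:
            return True
        self.audit_log.append({"account": account, "dbms": dbms_result, "auditor": expected})
        return not self.stop_on_discrepancy

def post_interest(balances, rate, cis):
    """Update loop: every update passes through the CIS module before it is applied."""
    updated = {}
    for account, balance in balances.items():
        interest = dbms_interest(balance, rate)
        ok = cis.allow_update(account, balance, rate, interest)
        updated[account] = balance + interest if ok else balance
    return updated

# Constructed sample balances and rate.
SAMPLE = {"A-100": Decimal("12345.67"), "A-200": Decimal("20000.60"), "A-300": Decimal("500.60")}
RATE = Decimal("0.0125")

if __name__ == "__main__":
    for stop in (False, True):
        cis = CISModule(stop_on_discrepancy=stop)
        print(post_interest(SAMPLE, RATE, cis), cis.audit_log)
```

Account A-300 carries the same rounding difference as A-200 but falls below the assumed threshold, so it is never simulated; what the module catches depends on how audit significance is defined.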


Auditing With the Computer

Additional computer-assisted techniques (CAATS) help auditor complete audit

- General use software: productivity tools (Word, Excel, project management, ACCESS, SQL)
- Automated workpaper software
- Generalized audit software (GAS): software designed for auditor
  • Read, manipulate client’s computer-based data
  • Independent evidence about the validity of transactions and balances


How do auditors put it all together?


Risk-based Audit Approach

GOAL: Provide a clear understanding of the errors and irregularities that can occur and the related risks and exposures

1. Determine the threats (errors, irregularities)
2. Identify the needed control procedures
3. Evaluate the control procedures
4. Evaluate weaknesses to determine effect on nature, timing, and extent of auditing procedures. Compensating Controls?


Risk-based Audit Approach

Evaluate Control Procedures
- System review – are procedures in place? EX: review docs, interviews
- Tests of controls = compliance testing – are the controls in place and working as prescribed? Ex: observe operations, check samples of input, verify use, trace transactions


Audit Risk Model

Used in audit planning:

AR = audit risk: likelihood that the FS are materially misstated

AR = IR x CR x DR

[Diagram callouts on the formula: "Auditor cannot reduce"; "Auditor can control this"; "Assesses general and application controls applicable to each FS assertion; Tests of controls = Compliance tests"]


Audit Risk Model

- IR = inherent risk: susceptibility of an account or class of transactions to material error
- CR = control risk = likelihood that the IC control structure will fail to prevent/detect a material error
- DR = detection risk = likelihood that the auditor’s procedures will not uncover material errors
  - More auditing procedures = lower DR
  - Inversely related to CR: if CR is high, then an auditor sets DR low and performs more substantive tests (detail tests of transactions and account balances)


Audit Risk Model

Example

Assume controls over the revenue cycle are not effective and cannot be relied upon. The auditor is worried about the correctness of the A/R balance. To lower detection risk, what would the auditor do?


Audit Risk Model

Example

Assume controls over the revenue cycle are not effective and cannot be relied upon. The auditor is worried about the correctness of the A/R balance. To lower detection risk, what would the auditor do?

Increase substantive testing of the A/R balance – send out lots of confirmation letters to customers.


Generalized Audit Software

- 2 main computer auditing software packages: ACL (Audit Command Language) and IDEA (Interactive Data Extraction and Analysis).
- In this class, we will be using IDEA to audit several different general ledger accounts and look for employee fraud.
- Clients: American Express, BDO Seidman, Grant Thornton, KPMG, McGladrey and Pullen LLP, PriceWaterhouseCoopers, FDIC, GAO, US Departments of Commerce, Education, Interior, Labor, Transportation, EPA, Treasury, Dow Chemical, Chicago Board of Trade, Exxon Company USA, Revlon


General Functions of Computer Audit Software

- reformatting
- file manipulation
- calculation
- data selection
- data analysis
- file processing
- statistics
- report generation
- sampling
- data retrieval
- apply edit checks
- file operations (join, merge, sort)