Intro to Audit and Caats
Uploaded by: muhammad-kashif-parvez
8/4/2019 Intro to Audit and Caats
http://slidepdf.com/reader/full/intro-to-audit-and-caats 1/34
AUDITING
Auditing
AAA’s Definition: Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.
My Definition: To examine and assure
Auditing
2 broad categories of audits:
1. Internal Auditing (R&S focus)
2. External Auditing
Internal Auditing
Who does it? Internal employees (outsource)
For whom? Management
What? Employee adherence to company policies and procedures – efficiency and effectiveness
Internal Auditing - Types
- Information systems: review AIS controls to assess compliance with internal control policies/procedures & effectiveness in safeguarding assets
- Operational/management: reviews company resources and operations – for efficiency, effectiveness, as planned
- Compliance: ensure compliance with laws, rules, and regulations
External Auditing (FS Audit)
Who does it? Independent, external auditors
For whom? SEC, investors
What? Examination of a client’s FS for the purpose of deciding whether or not the FS are fairly presented according to GAAP.
Attest function: give an opinion on the fairness of the FS with respect to GAAP, applying GAAS.
Reliability and integrity of accounting records
5 Step Audit Process (for all audit types)
(1) Audit Planning: establish audit objectives, identify risks, audit program
(2) Collect audit evidence: interviews, examinations, recalculations, sampling
(3) Evaluate evidence: materiality
(4) Arrive at an opinion – FS: standard unqualified, unqualified with explanatory paragraph, qualified, adverse, disclaimer
(5) Communicate Audit Results – FS: audit report
IDEA, ACL
Auditing Around vs Through the Computer
[Diagram labels: INPUT, PROCESSING, OUTPUT; THROUGH, AROUND]
Auditing Around the Computer
- Ignores the controls and computer processing - assumes accurate output = proper processing
- Auditor examines, on a sample basis, inputs to the computer and corresponding outputs
- Suitable only if the following conditions are met:
1. Computer processing is relatively simple
2. Audit trail is clearly visible
3. A substantial amount of up-to-date documentation exists about how the system works.
Audit Trail in Computer-Based System
- Visibility of audit trail is diminished
- In relational database systems, foreign keys that link related tables form an electronic audit trail.
Example (diagram labels): I/S Revenue; Sale invoice; Customer Table; Customer ID; Invoice No.
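The foreign-key audit trail described on this slide, as an added example that is not part of the original deck: each revenue posting is followed back to its invoice and customer, and postings whose trail breaks are reported. The table and column names, the gl_revenue table and all rows are constructed for illustration.

```python
import sqlite3

def build_sample_db():
    """Constructed sample data; the schema is an assumption, not the deck's."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE sales_invoice (
            invoice_no  INTEGER PRIMARY KEY,
            customer_id INTEGER,   -- foreign key to customer
            amount      NUMERIC);
        CREATE TABLE gl_revenue (  -- postings behind the I/S revenue figure
            posting_id INTEGER PRIMARY KEY,
            invoice_no INTEGER,    -- foreign key to sales_invoice
            amount     NUMERIC);
        INSERT INTO customer VALUES (1, 'Acme'), (2, 'Birch');
        INSERT INTO sales_invoice VALUES (100, 1, 500), (101, 2, 250), (102, 9, 75);
        INSERT INTO gl_revenue VALUES
            (1, 100, 500), (2, 101, 250), (3, 102, 75), (4, 103, 900);
    """)
    return db

def trace_revenue(db):
    """Follow each revenue posting through its invoice to the customer row."""
    return db.execute("""
        SELECT g.posting_id, g.amount, i.invoice_no, c.customer_id
        FROM gl_revenue g
        LEFT JOIN sales_invoice i ON i.invoice_no = g.invoice_no
        LEFT JOIN customer c      ON c.customer_id = i.customer_id
        ORDER BY g.posting_id""").fetchall()

def broken_trail(db):
    """Postings whose trail stops before reaching a customer record."""
    return [(pid, "no invoice" if inv is None else "no customer")
            for pid, _amount, inv, cust in trace_revenue(db)
            if inv is None or cust is None]

def supported_revenue(db):
    """Revenue total that can be traced all the way to a customer."""
    return sum(amount for _pid, amount, inv, cust in trace_revenue(db)
               if inv is not None and cust is not None)

if __name__ == "__main__":
    db = build_sample_db()
    print(broken_trail(db), supported_revenue(db))
```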
Auditing Through the Computer
- Auditor follows the audit trail through the internal computer operations; attempts to verify that the processing controls are functioning correctly
- Directly tests the computer controls and verifies the accuracy of computer-based processing of input data.
- Tests controls that, if functioning properly, would prevent errors from occurring.
Which approach is best?
Let’s look at the audit guidelines…..
Auditing Standards
Statement on Auditing Standards (SAS) 94 “The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit”
- Auditors must have sufficient understanding (and document) of each of the 5 components of the IC when planning the audit (2C RIM)
- Addresses the effects of IT on IC
- May need to design tests of controls in addition to substantive tests (of balances)
AUDIT BENEFITS OF THE IT ENVIRONMENT (SAS 94)
- Consistent processing of large volumes of transactions or data
- Enhanced information timeliness, availability, and accuracy
- Facilitation of the additional analysis of information
- Enhanced ability to monitor the performance of activities, policies, and procedures
- Reduction in the risk that controls will be circumvented, if IT system controls are effective
RISKS OF THE IT ENVIRONMENT (SAS 94)
- Incorrectly processing data or consistently processing inaccurate data
- Unauthorized access to data that might be destroyed or improperly changed
- Unauthorized changes to computer programs
- Failure to make necessary changes to computer programs
- Inappropriate manual intervention
- Potential loss of data
- Increase in potential loss resulting from computer fraud relative to manual fraud (increase of 10X).
Which is the best approach?
Auditing Through the computer
Auditing Through the Computer
1. Testing Computer Programs
- Test data: exception data, compare processed info to predetermined answers
- ITF (Integrated Test Facility): process transaction to update dummy records (TEST DATA IN REAL SYSTEM!!!)
- Parallel Simulation: live data in program written by auditor (COSTLY!!!)
Auditing Through the Computer
2. Validate Computer Programs
- Test of program change control: make sure IC procedures exist and are followed
- Program comparison: compare production program with archived old version (trojan horse, salami)
- Surprise audits and surprise use of programs: compare accounting application programs unexpectedly with authorized version
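One way to carry out the program comparison above, as an added example that is not part of the original deck: hash every file in the archived authorized copy and in production, then report programs that changed, went missing, or appeared without authorization. The directory layout and file contents in demo() are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_programs(authorized_dir, production_dir):
    """Compare production programs with the archived authorized version."""
    auth, prod = manifest(authorized_dir), manifest(production_dir)
    return {
        # Same name, different contents: a change that bypassed the archive.
        "changed": sorted(n for n in auth.keys() & prod.keys() if auth[n] != prod[n]),
        # Authorized program no longer present in production.
        "missing": sorted(auth.keys() - prod.keys()),
        # Program in production that was never authorized.
        "unauthorized": sorted(prod.keys() - auth.keys()),
    }

def demo():
    """Constructed sample: one altered program and one extra file in production."""
    with tempfile.TemporaryDirectory() as tmp:
        auth, prod = Path(tmp, "archive"), Path(tmp, "production")
        auth.mkdir()
        prod.mkdir()
        payroll = "def net(gross, tax):\n    return gross - tax\n"
        (auth / "payroll.py").write_text(payroll)
        (prod / "payroll.py").write_text(payroll)
        (auth / "interest.py").write_text(
            "def interest(b, r):\n    return round(b * r, 2)\n")
        (prod / "interest.py").write_text(
            "def interest(b, r):\n    return int(b * r * 100) / 100\n")
        (prod / "helper.py").write_text("pass\n")
        return compare_programs(auth, prod)

if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the archived copy, so that copy should be held where staff who can change production cannot also change the archive.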
Auditing Through the Computer
3. Review of systems software
- Operating systems software
- Utility programs that do basic “housekeeping” chores such as sorting and copying
- Program library software that controls and monitors storage of programs
- Access control software that controls logical access to programs and data files
Auditing Through the Computer
4. Continuous Auditing: audit tools installed within the IS
- Audit hooks
- Continuous and intermittent simulation
- Embedded audit modules
- Exception reporting
- SCARF
- Snapshot technique
- Transaction tagging
Match these terms with their definitions on the next slides
Auditing Through the Computer
Embedded audit modules:
- Application subroutine that captures data for audit purposes
- Write to a special log file called SCARF (systems control audit review file)
- Ex: transactions affecting inactive accounts, deviating from company policy, write-downs of asset values
Auditing Through the Computer
Audit hooks: audit routine that flags suspicious transactions (real-time notification)
Exception reporting: mechanisms that reject certain transactions that fall outside predefined specifications
Auditing Through the Computer
Transaction tagging
- Place a special identifier on transactions so that they can be recorded as they pass through the IS.
- Ex: tag an employee’s transaction records, manually calculate & compare
Snapshot technique
- Audit modules record selected transactions before and after processing. Auditor reviews to make sure all processing steps performed properly.
Auditing Through the Computer
Continuous and intermittent simulation (CIS)
- Audit module in DBMS
- Examines all transactions that update the DBMS. If a transaction has special audit significance, the audit module independently processes the data, records the results and compares them with the DBMS results. If discrepancies: written to an audit log for subsequent review OR may stop DBMS from executing the update process.
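The CIS flow described above, as an added example that is not part of the original deck: the audit module recomputes each audit-significant update independently, logs any discrepancy, and can optionally stop the update. The interest routine, its truncation defect, the selection threshold and the sample transactions are all constructed assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample transactions (interest postings).
SAMPLE = [
    {"id": 1, "balance": Decimal("12345.67"), "rate": Decimal("0.0125")},
    {"id": 2, "balance": Decimal("20000.60"), "rate": Decimal("0.0125")},
    {"id": 3, "balance": Decimal("500.60"), "rate": Decimal("0.0125")},
]

def dbms_interest(balance, rate):
    """Stand-in for the production routine; truncates instead of rounding."""
    return (balance * rate).quantize(CENT, rounding=ROUND_DOWN)

def audit_interest(balance, rate):
    """Auditor's independent calculation (assumed policy: round half up)."""
    return (balance * rate).quantize(CENT, rounding=ROUND_HALF_UP)

def has_audit_significance(txn):
    """Assumed selection rule: only large balances are re-processed."""
    return txn["balance"] >= Decimal("10000")

def cis_process(transactions, block_on_mismatch=False):
    """Return (posted updates, audit log) after screening every update."""
    posted, audit_log = [], []
    for txn in transactions:
        result = dbms_interest(txn["balance"], txn["rate"])
        if has_audit_significance(txn):
            expected = audit_interest(txn["balance"], txn["rate"])
            if expected != result:
                # Discrepancy: record it for subsequent review.
                audit_log.append({"id": txn["id"], "dbms": result, "audit": expected})
                if block_on_mismatch:
                    continue  # stop the DBMS from executing this update
        posted.append((txn["id"], result))
    return posted, audit_log

if __name__ == "__main__":
    print(cis_process(SAMPLE))
    print(cis_process(SAMPLE, block_on_mismatch=True))
```

Transaction 3 carries the same truncation error but falls below the selection rule, which shows how much the coverage of CIS depends on how audit significance is defined.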
Auditing With the Computer
Additional computer-assisted techniques (CAATS): help auditor complete audit
- General use software: productivity tools (Word, Excel, project management, ACCESS, SQL)
- Automated workpaper software
- Generalized audit software (GAS): software designed for auditor
  • Read, manipulate client’s computer-based data
  • Independent evidence about the validity of transactions and balances
How do auditors put it all together?
Risk-based Audit Approach
GOAL: Provide a clear understanding of the errors and irregularities that can occur and the related risks and exposures
1. Determine the threats (errors, irregularities)
2. Identify the needed control procedures
3. Evaluate the control procedures
4. Evaluate weaknesses to determine effect on nature, timing, and extent of auditing procedures. Compensating Controls?
Risk-based Audit Approach
Evaluate Control Procedures
- System review – are procedures in place? Ex: review docs, interviews
- Tests of controls = compliance testing – are the controls in place and working as prescribed? Ex: observe operations, check samples of input, verify use, trace transactions
Audit Risk Model
Used in audit planning:
AR = audit risk: likelihood that the FS are materially misstated
AR = IR x CR x DR
[Callouts on the formula:]
- Auditor cannot reduce
- Auditor can control this
- Assesses general and application controls applicable to each FS assertion; tests of controls = compliance tests
Audit Risk Model
- IR = inherent risk: susceptibility of an account or class of transactions to material error
- CR = control risk = likelihood that the IC structure will fail to prevent/detect a material error
- DR = detection risk = likelihood that the auditor’s procedures will not uncover material errors
  - More auditing procedures = lower DR
  - Inversely related to CR: if CR is high, then an auditor sets DR low and performs more substantive tests (detail tests of transactions and account balances)
Audit Risk Model
Example
Assume controls over the revenue cycle are not effective and cannot be relied upon. The auditor is worried about the correctness of the A/R balance. To lower detection risk, what would the auditor do?
Audit Risk Model
Example
Assume controls over the revenue cycle are not effective and cannot be relied upon. The auditor is worried about the correctness of the A/R balance. To lower detection risk, what would the auditor do?
Increase substantive testing of the A/R balance – send out lots of confirmation letters to customers.
Generalized Audit Software
- 2 main computer auditing software packages: ACL (Audit Command Language) and IDEA (Interactive Data Extraction and Analysis).
- In this class, we will be using IDEA to audit several different general ledger accounts and look for employee fraud.
- Clients: American Express, BDO Seidman, Grant Thornton, KPMG, McGladrey and Pullen LLP, PricewaterhouseCoopers, FDIC, GAO, US Departments of Commerce, Education, Interior, Labor, Transportation, EPA, Treasury, Dow Chemical, Chicago Board of Trade, Exxon Company USA, Revlon
General Functions of Computer Audit Software
- reformatting
- file manipulation
- calculation
- data selection
- data analysis
- file processing
- statistics
- report generation
- sampling
- data retrieval
- apply edit checks
- file operations (join, merge, sort)