Chapter 1: Auditing, Assurance, and Internal Control (IT Auditing, Hall, 3e)

CIS-496 / I.S. Auditing

Auditing

Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events, to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.

Internal Audits

Internal auditing: an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
- Financial audits
- Operational audits
- Compliance audits
- Fraud audits
- IT audits
Certifications and bodies: CIA (Certified Internal Auditor), IIA (Institute of Internal Auditors), ISACA (Information Systems Audit and Control Association)

External Audits

External auditing: the objective is to attest that, in all material respects, the financial statements are a fair representation of the organization's transactions and account balances.
- SEC's role
- Sarbanes-Oxley Act
- FASB, PCAOB, CPA, AICPA

Financial Audits

An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements.
Key concept: independence (should be similar to a trial by judge).
Culmination of a systematic process involving:
- Familiarization with the organization's business
- Evaluating and testing internal controls
- Assessing the reliability of financial data
Product: a formal written report that expresses an opinion about the reliability of the assertions in the financial statements, in conformity with GAAP.

Attest Services

Requirements of attestation services:
- Written assertions and the practitioner's written report
- Formal establishment of measurement criteria
- Limited to examination, review, and application of agreed-upon procedures

IT Audits

IT audits: provide audit services where processes or data, or both, are embedded in technologies.
- Subject to the ethics, guidelines, and standards of the profession (if certified)
- CISA (Certified Information Systems Auditor), most closely associated with ISACA
- Joint with internal, external, and fraud audits
- Scope of IT audit coverage is increasing
- Characterized by CAATTs (computer-assisted audit tools and techniques)
- IT governance as part of corporate governance

External vs. Internal

External auditing:
- Independent auditor (CPA)
- Independence defined by SEC / SOX / AICPA
- Required by the SEC for publicly traded companies
- Referred to as a financial audit
- Represents the interests of outsiders, the public (e.g., stockholders)
- Standards, guidance, and certification governed by AICPA, FASB, PCAOB; delegated by the SEC, which has final authority
Internal auditing:
- Auditor (often a CIA or CISA)
- Is an employee of the organization, so independence must be imposed on oneself
- Optional, per management requirements
- Broader services than a financial audit (e.g., operational audits)
- Represents the interests of the organization
- Standards, guidance, and certification governed by IIA and ISACA

Fraud Audits

Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
- Auditor is more like a detective
- No materiality threshold
- Goal is conviction, if sufficient evidence of fraud exists
- CFE (Certified Fraud Examiner); ACFE (Association of Certified Fraud Examiners)

Role of the Audit Committee

- Selected from the board of directors
- Usually three members
- Outsiders (SOX now requires it)
- Responsibility to shareholders
- Serves as an independent check-and-balance system
- Interacts with internal auditors
- Hires, sets fees for, and interacts with external auditors
- Resolves conflicts between external auditors and management

Auditing Standards

- Set by the AICPA; authoritative
- #1: the ten Generally Accepted Auditing Standards (GAAS), in three categories: General Standards, Standards of Field Work, Reporting Standards
- #2: Statements on Auditing Standards (SASs); SAS No. 1 issued by the AICPA in 1972

Generally Accepted Auditing Standards

General Standards:
1. The auditor must have adequate technical training and proficiency.
2. The auditor must have independence of mental attitude.
3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report.
Standards of Field Work:
1. Audit work must be adequately planned.
2. The auditor must gain a sufficient understanding of the internal control structure.
3. The auditor must obtain sufficient, competent evidence.
Reporting Standards:
1. The auditor must state in the report whether the financial statements were prepared in accordance with generally accepted accounting principles.
2. The report must identify those circumstances in which generally accepted accounting principles were not applied.
3. The report must identify any items that do not have adequate informative disclosures.
4. The report shall contain an expression of the auditor's opinion on the financial statements as a whole.

Audits

A systematic process. Five primary management assertions, with correlated audit objectives and procedures [Table 1-2]:
- Existence or occurrence
- Completeness
- Rights and obligations
- Valuation or allocation
- Presentation and disclosure

Audit Phases

1. Planning
2. Obtaining evidence: tests of controls, substantive testing, CAATTs, analytical procedures
3. Ascertaining reliability: materiality (weaknesses in internal controls and misstatements)
4. Communicating results: the audit opinion

Audit Risk Components

Audit risk (AR): the probability that the auditor will give an inappropriate opinion on the financial statements; that is, the statements contain material misstatement(s) which the auditor fails to find.
Inherent risk (IR): the probability that material misstatements have occurred. Reflects economic conditions, etc., and the relative risk of the account (e.g., cash).
Control risk (CR): the probability that the internal controls will fail to prevent or detect material misstatements.
Detection risk (DR): the probability that the audit procedures (substantive procedures) will fail to detect material misstatements.

Audit Risk Formula

AR = IR × CR × DR
Example: inventory with IR = 40%, CR = 60%, and AR = 5% (fixed by the auditor):
0.05 = 0.4 × 0.6 × DR, so DR = 0.05 / 0.24 = 0.208 (about 20.8%).
DR here is the level of detection risk the auditor can accept from substantive procedures while holding AR at 5%.

Audit Risk Model

Relationship: the lower the acceptable DR, the more substantive procedures are needed; the higher the acceptable DR, the fewer substantive procedures are needed.
Relationship between tests of controls and substantive tests: what happens if the internal controls are more reliable than at the last audit?
- Last year: 0.05 = 0.4 × 0.6 × DR, so DR = 0.208
- This year: 0.05 = 0.4 × 0.4 × DR, so DR = 0.3125
The more reliable the internal controls, the lower the CR; thus the higher the acceptable DR, and fewer substantive tests are necessary.
Substantive tests are labor intensive.

What is an IT Audit?

Most accounting transactions are now in electronic form, without any paper documentation, because electronic storage is more efficient. These technologies greatly change the nature of audits, which have so long relied on paper documents.

The IT Environment

- There has always been a need for an effective internal control system.
- The design and oversight of that system has typically been the responsibility of accountants.
- The IT environment complicates the paper systems of the past:
  - Concentration of data
  - Expanded access and linkages
  - Increase in malicious activities in systems vs. paper
  - Opportunity for management fraud (i.e., override)

The IT Environment: audit approach

- Audit planning
- Tests of controls
- Substantive tests
- CAATTs

Internal Control

Internal control is the policies, practices, and procedures designed to:
- safeguard assets
- ensure accuracy and reliability
- promote efficiency
- measure compliance with policies

Brief History: SEC

SEC Acts of 1933 and 1934. See "Ivar Kreuger's Contribution to U.S. Financial Reporting", Accounting Review, Flesher & Flesher.
All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.

Brief History: Copyright

Federal Copyright Act of 1976
- Protects intellectual property in the U.S.
- Has been amended numerous times since
- Management is legally responsible for violations by the organization
- The U.S. government has continually sought international agreement on terms for protection of intellectual property globally rather than nationally
(See Auditing, Guy, pp. 234-235.)

Brief History: FCPA

Foreign Corrupt Practices Act of 1977
Accounting provisions:
- The FCPA requires SEC registrants to establish and maintain books, records, and accounts.
- It also requires the establishment of internal accounting controls sufficient to meet these objectives:
  - Transactions are executed in accordance with management's general or specific authorization.
  - Transactions are recorded as necessary to prepare financial statements (i.e., under GAAP) and to maintain accountability for assets.
  - Access to assets is permitted only in accordance with management's authorization.
  - The recorded assets are compared with existing assets at reasonable intervals.
Anti-bribery provisions: illegal foreign payments.

Brief History: COSO

Committee of Sponsoring Organizations of the Treadway Commission, 1992
- Sponsors: AICPA, AAA, FEI, IMA, IIA
- Developed a management-perspective model for internal controls over a number of years
- Widely adopted

Brief History: SOX

Sarbanes-Oxley Act of 2002
Section 404: Management Assessment of Internal Controls
- Management is responsible for establishing and maintaining the internal control structure and procedures.
- Management must certify, in a report on the effectiveness of internal control filed each year with the other annual reports.
Section 302: Corporate Responsibility for Financial Reports
- Financial executives must disclose deficiencies in internal control, and fraud (whether or not the fraud is material).

Internal Control System

Comprises the policies, practices, and procedures to achieve four broad objectives:
- To safeguard the assets of the firm
- To ensure the accuracy and reliability of accounting records and information
- To promote efficiency in the firm's operations
- To measure compliance with management's prescribed policies and procedures

Modifying Principles

- Management responsibility
- Methods of data processing: the objectives are the same regardless of the data processing method; the specific controls vary with different technologies
- Limitations: reasonable assurance; benefits should exceed costs
Limitations:
- Possibility of error
- Possibility of circumvention
- Management override
- Changing conditions

Exposures and Risk

Exposure: the absence or weakness of a control.
Risk: a potential threat to compromise the use or value of organizational assets.
Types of risk:
- Destruction of assets
- Theft of assets
- Corruption of information

The PDC Model

- Preventive controls
- Detective controls
- Corrective controls

COSO Internal Control Framework

COSO (Treadway Commission):
- The control environment
- Risk assessment
- Information and communication
- Monitoring
- Control activities

The Control Environment

Describe how each one could adversely affect internal control.
- Integrity and ethical values
- Structure of the organization
- Participation of the audit committee
- Management's philosophy and style
- Procedures for delegating

The Elements of the Control Environment (page 13)

- Integrity and ethical values of management
- Structure of the organization
- Participation of the organization's board of directors and the audit committee
- Management's philosophy and operating style
- Procedures for delegating responsibility and authority
- Management's methods for assessing performance
- External influences
- The organization's policies and practices for managing human resources

Techniques Used to Understand the Control Environment

Describe a possible activity or tool for each.
- Assess the integrity of the organization's management
- Conditions conducive to management fraud
- Understand the client's business and industry
- Determine whether the board and audit committee are actively involved
- Study the organization structure

Risk Assessment

Conditions that change the organization's risk:
- Changes in the environment
- Changes in personnel
- New information technologies
- Significant or rapid growth
- New products or services (experience)
- Organizational restructuring
- Foreign markets
- New accounting principles

Elements of Information and Communication

Initiate, identify, analyze, classify, and record economic transactions and events:
- Identify and record all valid economic transactions
- Provide timely, detailed information
- Accurately measure financial values
- Accurately record transactions

Techniques Used to Understand Information and Communication Structures

Auditors obtain sufficient knowledge of the information systems to understand:
- The classes of transactions that are material
- The accounting records and accounts used
- The processing steps, from initiation to inclusion in the financial statements (illustrate)
- The financial reporting process (including disclosures)

Monitoring

- By separate procedures (e.g., tests of controls)
- By ongoing activities

COSO Control Activities: Physical Controls

- Transaction authorization. Example: sales only to authorized customers.
- Segregation of duties. Example of incompatible duties: custody vs. recordkeeping (e.g., custody of inventory vs. data processing of inventory records).
- Supervision. Serves as a compensating control when a lack of segregation of duties exists by necessity.
- Accounting records (audit trails; examples).
- Access controls: direct (over the assets) and indirect (over the documents that control the assets); fraud; disaster recovery.
- Independent verification. Management can assess the performance of individuals and the integrity of the data in the records (examples).

IT Controls

Application controls: ensure the validity, completeness, and accuracy of financial transactions.
General controls: not application-specific, i.e., they apply to all systems. Include controls over:
- IT governance
- IT infrastructure
- Security and access to operating systems and databases
- Application acquisition and development
- Program change procedures

Audit Implications of SOX

- Expanded role of auditors: must attest to the quality of their client organizations' internal controls.
- PCAOB Auditing Standard No. 5 requires auditors to understand transaction flows and the controls pertaining to how transactions are initiated, authorized, recorded, and reported.
- Auditors are responsible for detecting fraudulent activity.
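The audit risk model from the Audit Risk Formula and Audit Risk Model slides, solved for DR with the slides' own values, as an added worked example (not part of the original deck):

$$
AR = IR \times CR \times DR \quad\Longrightarrow\quad DR = \frac{AR}{IR \times CR}
$$

$$
\text{last year: } DR = \frac{0.05}{0.40 \times 0.60} = \frac{0.05}{0.24} \approx 0.208
$$

$$
\text{this year: } DR = \frac{0.05}{0.40 \times 0.40} = \frac{0.05}{0.16} = 0.3125
$$

$$
\text{check: } 0.40 \times 0.40 \times 0.3125 = 0.05 = AR
$$

DR is the detection risk the auditor can accept from substantive procedures while holding AR at 5%. Lower CR (more reliable controls) raises the acceptable DR from about 21% to about 31%, so fewer substantive tests are needed this year; had CR risen instead, the acceptable DR would fall and substantive testing would have to increase.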
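The application controls named on the IT Controls slide (validity, completeness, and accuracy of transactions), together with transaction authorization and independent verification from the Physical Controls slide, as an added example in code. This is not code from Hall's text or the course; the customer master, credit limits, field names and the sample batch are constructed for illustration.

```python
"""Application controls over a batch of sales transactions.

Added example (not from Hall's text). Customer master data, credit limits,
field names and the sample batch below are constructed for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed customer master: customer id -> credit limit. A sale is valid
# only for a customer on this list (transaction authorization).
AUTHORIZED_CUSTOMERS = {"C001": Decimal("5000"), "C002": Decimal("1000")}

REQUIRED_FIELDS = ("txn_id", "customer", "qty", "unit_price", "amount")


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)   # txn_id -> list of exceptions
    control_totals_ok: bool = False


def _to_decimal(value):
    """Parse a numeric field; None when it is missing or not a number."""
    try:
        return Decimal(str(value)) if value not in (None, "") else None
    except InvalidOperation:
        return None


def check_transaction(txn):
    """Return the list of control exceptions for one transaction (empty = passes)."""
    errors = []
    # Completeness: every required field must be present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if txn.get(f) in (None, "")]
    if missing:
        errors.append(f"missing fields: {missing}")
        return errors                      # nothing further can be checked
    # Validity: only an authorized customer may be sold to.
    customer = txn["customer"]
    if customer not in AUTHORIZED_CUSTOMERS:
        errors.append("unauthorized customer")
    # Accuracy: numeric fields parse, are positive, and amount = qty * unit_price.
    qty, price, amount = (_to_decimal(txn[f]) for f in ("qty", "unit_price", "amount"))
    if None in (qty, price, amount):
        errors.append("non-numeric qty, unit_price or amount")
        return errors
    if qty <= 0 or price <= 0:
        errors.append("qty and unit_price must be positive")
    elif qty * price != amount:
        errors.append(f"amount {amount} != qty*price {qty * price}")
    # Validity (limit check): the sale must fit within the customer's credit limit.
    if customer in AUTHORIZED_CUSTOMERS and amount > AUTHORIZED_CUSTOMERS[customer]:
        errors.append("exceeds credit limit")
    return errors


def process_batch(batch, header):
    """Apply the per-record checks, then reconcile batch control totals
    (record count and financial total) against the batch header, so that a
    dropped, duplicated or altered record is caught even if every surviving
    record passes on its own (independent verification)."""
    result = BatchResult()
    for txn in batch:
        errors = check_transaction(txn)
        if errors:
            result.rejected[txn.get("txn_id", "?")] = errors
        else:
            result.accepted.append(txn)
    record_count = len(batch)
    financial_total = sum((_to_decimal(t.get("amount")) or Decimal(0) for t in batch), Decimal(0))
    result.control_totals_ok = (record_count == header["record_count"]
                                and financial_total == Decimal(str(header["financial_total"])))
    return result


# Constructed sample batch: one clean record and three control failures. The
# header claims a financial total of 1320.00, as if a 1000.00 record had been
# lost between data entry and processing.
SAMPLE_HEADER = {"record_count": 4, "financial_total": "1320.00"}
SAMPLE_BATCH = [
    {"txn_id": "T1", "customer": "C001", "qty": 2, "unit_price": "100.00", "amount": "200.00"},
    {"txn_id": "T2", "customer": "C999", "qty": 1, "unit_price": "50.00", "amount": "50.00"},
    {"txn_id": "T3", "customer": "C002", "qty": 3, "unit_price": "20.00", "amount": "70.00"},
    {"txn_id": "T4", "customer": "C001", "qty": 10, "unit_price": "100.00", "amount": ""},
]

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, SAMPLE_HEADER)
    print("accepted:", [t["txn_id"] for t in result.accepted])
    for txn_id, errors in result.rejected.items():
        print("rejected", txn_id, errors)
    print("batch control totals reconcile:", result.control_totals_ok)
```

The per-record checks map to the three application-control objectives (validity via the authorized-customer and credit-limit tests, completeness via required fields, accuracy via the recomputed extension), while the batch control totals are the independent verification step: they are computed over everything submitted, so a record dropped in transit is flagged even though each remaining record may pass.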