AUDITING (AICPA definition): a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events, to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.

EXTERNAL vs. INTERNAL AUDITING

External auditing
  Performed by an independent auditor (CPA).
  Independence is defined by the SEC, S-OX and the AICPA.
  Required by the SEC for publicly-traded companies.
  Referred to as a financial audit.
  Represents the interests of outsiders, i.e., the public (e.g., stockholders).
  Standards, guidance and certification are governed by the AICPA, FASB and PCAOB, as delegated by the SEC, which has final authority.

Internal auditing: an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
  Types: financial audits, operational audits, compliance audits, fraud audits, IT audits.
  The auditor (often a CIA or CISA) is an employee of the organization and therefore must impose independence on himself or herself.
  Optional; scope is set by management requirements.
  Broader services than a financial audit (e.g., operational audits).
  Represents the interests of the organization.
  Subject to the ethics, guidelines and standards of the profession (if certified).
  Standards, guidance and certification are governed by the IIA (CIA) and ISACA (CISA).

IT audits: provide audit services where processes or data, or both, are embedded in technologies.
  Most closely associated with ISACA (CISA).
  Performed jointly with internal, external and fraud audits.
  The scope of IT audit coverage is increasing.
  Characterized by CAATTs (computer-assisted audit tools and techniques).
  IT governance as part of corporate governance (as it should be).

Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
  The auditor is more like a detective.
  No materiality threshold.
  The goal is conviction, if sufficient evidence of fraud exists.
  Certification: CFE (ACFE).

FINANCIAL AUDITS
An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements.
  Key concept: independence (similar to a trial by judge).
  Culmination of a systematic process involving:
    familiarization with the organization's business;
    evaluating and testing internal controls;
    assessing the reliability of financial data.
  Product: a formal written report that expresses an opinion about the reliability of the assertions in the financial statements, in conformity with GAAP.
  Objective: that in all material respects the financial statements are a fair representation of the organization's transactions and account balances.
  Context: the SEC's role; the Sarbanes-Oxley Act.

External auditing services
  Attest service: an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.
    Written assertions.
    Practitioner's written report.
    Formal establishment of measurement criteria, or their description.
    Limited to: examination; review; application of agreed-upon procedures.
  Assurance: professional services designed to improve the quality of information, both financial and non-financial, used by decision-makers.
    IT audit groups in the Big Four: IT Risk Management; I.S. Risk Management; Operational Systems Risk Management; Technology & Security Risk Services. Typically a division of assurance services.
  Advisory service: professional services offered by public accounting firms to improve their client organizations' operational efficiency and effectiveness.

AUDITING STANDARDS
  Set by the AICPA; authoritative.
  #1: the ten Generally Accepted Auditing Standards (GAAS), in three categories: General Standards; Standards of Field Work; Reporting Standards.
  #2: Statements on Auditing Standards (SASs); SAS No. 1 was issued by the AICPA in 1972.

AUDITS: A SYSTEMATIC PROCESS
Five primary management assertions, with correlated audit objectives and procedures:
  Existence or Occurrence: all assets and equities contained in the balance sheet exist, and all transactions in the income statement actually occurred.
  Completeness: no material assets, equities or transactions have been omitted from the financial statements.
  Rights & Obligations: assets appearing on the balance sheet are owned by the entity, and the liabilities reported are obligations of the entity.
  Valuation or Allocation: assets and equities are valued in accordance with GAAP, and allocated amounts are calculated on a systematic and rational basis.
  Presentation or Disclosure: financial statements are correctly classified, and footnote disclosures are adequate to avoid misleading the users of the financial statements.
General categories of audit objective:
  1. Transactions and account balances that directly impact financial reporting.
  2. Information system: the audit objectives for assessing controls over the manual operations and computer technologies used in transaction processing.
Phases of the audit:
  1. Planning.
  2. Obtaining evidence: tests of controls; substantive testing; CAATTs; analytical procedures.
  3. Ascertaining reliability: MATERIALITY.
  4. Communicating results: the audit opinion.

AUDIT COMMITTEE (its role in the audit process)
  Serves as an independent check-and-balance system.
  Interacts with internal auditors.
  Hires, sets fees for, and interacts with external auditors.
  Resolves conflicts over GAAP between external auditors and management.

THE IT ENVIRONMENT
  There has always been a need for an effective internal control system; the design and oversight of that system has typically been the responsibility of accountants.
  The IT environment complicates the paper systems of the past:
    concentration of data;
    expanded access and linkages;
    increase in malicious activities in systems vs. paper;
    opportunity for management fraud (i.e., override).

INTERNAL CONTROL SYSTEM
Comprises the policies, practices and procedures to achieve four broad objectives:
  safeguard assets;
  ensure the accuracy and reliability of accounting records and information;
  promote efficiency;
  measure compliance with management's policies.

AUDIT RISK
  AUDIT RISK (AR): the probability that the auditor will give an inappropriate opinion on the financial statements; that is, that the statements contain material misstatement(s) which the auditor fails to find.
  INHERENT RISK (IR): the probability that material misstatements have occurred, before considering internal controls.
    Material vs. immaterial.
    Includes economic conditions, etc.
    Relative risk of the account (e.g., cash is inherently riskier).
  CONTROL RISK (CR): the probability that the internal controls will fail to prevent or detect material misstatements.
  DETECTION RISK (DR): the probability that the audit procedures (substantive procedures) will fail to detect material misstatements.

AUDIT RISK MODEL: AR = IR * CR * DR
  AR is fixed in advance by the auditor; IR and CR are assessed; the model is then solved for the detection risk the auditor can accept: DR = AR / (IR * CR).
  Example, inventory, with IR = 40%, CR = 60%, AR = 5% (fixed):
    .05 = .4 * .6 * DR, so DR = .05 / .24 = 20.8%
  Discussion questions: Why is AR = 5%? What is detection risk? Can CR realistically be 0?
  Relationship between DR and substantive procedures:
    The lower the DR the auditor can accept, the more substantive procedures are needed.
    The higher the DR the auditor can accept, the fewer substantive procedures are needed.

AUDIT PLANNING, TESTS OF CONTROLS AND SUBSTANTIVE TESTS
  Audit planning: the auditor's objective is to obtain sufficient information about the firm to plan the other phases of the audit.
    Techniques: questionnaires, interviewing management, reviewing systems documentation, and observing activities.
  Tests of controls: determine whether adequate internal controls are in place and functioning properly.
    Techniques: manual techniques and specialized computer audit techniques (CAATTs).
  Substantive tests: a detailed investigation of specific account balances and transactions.
    Substantive tests are labor intensive.

Relationship between tests of controls and substantive tests, illustrated with the Audit Risk Model. What happens if internal controls are more reliable than at the last audit?
  Last year: .05 = .4 * .6 * DR, so DR = 20.8%
  This year: .05 = .4 * .4 * DR, so DR = 31.25%
  The more reliable the internal controls, the lower CR; with AR held fixed, the auditor can accept a higher DR, so fewer substantive tests are necessary.
  (Multiplying the same factors with DR held at 20% gives .4 * .6 * .2 = 4.8% and .4 * .4 * .2 = 3.2%; those products are the resulting AR, not DR.)
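The audit risk model worked through in code, as an added example (not from the original slides). The inputs are the slides' own inventory figures (AR = 5%, IR = 40%, CR = 60% last year and 40% this year). The step that turns the acceptable DR into a substantive sample size is an assumption introduced here for illustration: monetary-unit sampling with zero expected misstatements, where the reliability factor is -ln(DR) and the sample size is book value times that factor divided by tolerable misstatement; the book value and tolerable misstatement are constructed numbers.

```python
"""Audit risk model: AR = IR * CR * DR, solved for DR and tied to substantive testing effort.

Added example for these notes. Risk inputs follow the slides' inventory example;
the sampling formula and the monetary amounts are assumptions made for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskAssessment:
    """Inputs to the audit risk model; each is a probability in (0, 1]."""
    audit_risk: float      # AR: acceptable risk of an inappropriate opinion, fixed by the auditor
    inherent_risk: float   # IR: assessed likelihood of material misstatement before controls
    control_risk: float    # CR: assessed likelihood that internal controls miss it


def is_valid_assessment(ra: RiskAssessment) -> bool:
    """A value of 0 is rejected: no control system is perfect (reasonable assurance only)."""
    return all(0.0 < p <= 1.0 for p in (ra.audit_risk, ra.inherent_risk, ra.control_risk))


def detection_risk(ra: RiskAssessment) -> float:
    """Solve AR = IR * CR * DR for the detection risk the auditor can accept."""
    if not is_valid_assessment(ra):
        raise ValueError("AR, IR and CR must each lie in (0, 1]")
    # If IR * CR is already below AR the target is met with no substantive testing,
    # so the result is capped at 1.0 (it is a probability).
    return min(ra.audit_risk / (ra.inherent_risk * ra.control_risk), 1.0)


def achieved_audit_risk(ir: float, cr: float, dr: float) -> float:
    """The model read in the other direction: the AR that results from given IR, CR and DR."""
    return ir * cr * dr


def mus_sample_size(dr: float, book_value: float, tolerable_misstatement: float) -> int:
    """Translate an acceptable DR into substantive-testing effort.

    Assumption for this example: monetary-unit sampling with zero expected
    misstatements, reliability factor RF = -ln(DR), n = book_value * RF / tolerable.
    A lower DR gives a larger RF and therefore more items to test.
    """
    reliability_factor = -math.log(dr)
    return math.ceil(book_value * reliability_factor / tolerable_misstatement)


def compare_years(last: RiskAssessment, this: RiskAssessment,
                  book_value: float = 1_000_000, tolerable: float = 50_000) -> dict:
    """Effect of more reliable controls (lower CR) on DR and on the substantive sample."""
    rows = {}
    for label, ra in (("last_year", last), ("this_year", this)):
        dr = detection_risk(ra)
        rows[label] = {"CR": ra.control_risk, "DR": round(dr, 4),
                       "sample_size": mus_sample_size(dr, book_value, tolerable)}
    return rows


if __name__ == "__main__":
    last_year = RiskAssessment(audit_risk=0.05, inherent_risk=0.40, control_risk=0.60)
    this_year = RiskAssessment(audit_risk=0.05, inherent_risk=0.40, control_risk=0.40)
    for label, row in compare_years(last_year, this_year).items():
        print(label, row)
    # The 4.8% and 3.2% figures are what AR becomes if DR is instead held at 20%:
    print("AR at DR=20%:", achieved_audit_risk(0.4, 0.6, 0.2), achieved_audit_risk(0.4, 0.4, 0.2))
```

With the constructed amounts, last year's DR of 20.8% requires 32 sampled monetary units and this year's 31.25% requires 24: the lower control risk from more reliable controls buys a smaller substantive sample, which is the relationship the slides describe.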
ROLE OF AUDIT COMMITTEE
  Selected from the board of directors; usually three members.
  Outsiders (S-OX now requires it).
  Fiduciary responsibility to shareholders.

BRIEF HISTORY OF INTERNAL CONTROL LEGISLATION
SEC Acts of 1933 and 1934
  Background reading: "Ivar Kreuger's Contribution to U.S. Financial Reporting", Flesher & Flesher, The Accounting Review.
Federal Copyright Act, 1976
  1. Protects intellectual property in the U.S.
  2. Has been amended numerous times since.
  3. Management is legally responsible for violations by the organization.
  4. The U.S. government has continually sought international agreement on terms for the protection of intellectual property globally rather than only nationally.
Foreign Corrupt Practices Act, 1977
  1. Accounting provisions. The FCPA requires SEC registrants to establish and maintain books, records and accounts, and to establish internal accounting controls sufficient to meet these objectives:
     transactions are executed in accordance with management's general or specific authorization;
     transactions are recorded as necessary to prepare financial statements (i.e., in conformity with GAAP) and to maintain accountability for assets;
     access to assets is permitted only in accordance with management's authorization;
     recorded assets are compared with existing assets at reasonable intervals.
  2. Illegal foreign payments.
Committee of Sponsoring Organizations of the Treadway Commission (COSO), 1992
  1. Sponsors: AICPA, AAA, FEI, IMA, IIA.
  2. Developed, over a number of years, a management-perspective model for internal control.
  3. Widely adopted.
Sarbanes-Oxley Act, 2002
  1. Section 404: Management Assessment of Internal Control.
     All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.
     Management is responsible for establishing and maintaining the internal control structure and procedures, and must certify by report on the effectiveness of internal control each year, filed with the other annual reports.
     Internal control must accurately measure financial values and accurately record transactions.
  2. Section 302: Corporate Responsibility for Financial Reports.
     Financial executives must disclose deficiencies in internal control, and fraud (whether the fraud is material or not).

MODIFYING ASSUMPTIONS (of internal control)
  1. Management responsibility: establishing and maintaining internal control is management's job.
  2. Reasonable assurance: no internal control system is perfect; the benefit of a control should exceed its cost.
  3. Methods of data processing: the objectives are the same regardless of the DP method; the specific controls vary with different technologies.
  4. Limitations: possibility of error; possibility of circumvention; management override; changing conditions.

EXPOSURES AND RISKS
  Exposure: the absence or weakness of a control.
  Risk: a potential threat to compromise the use or value of organizational assets.
  Types of risk: destruction of assets; theft of assets; corruption of information or of the I.S.; disruption of the I.S.

THE PDC MODEL
  Preventive controls: passive techniques designed to reduce the frequency of occurrence of undesirable events.
  Detective controls: devices, techniques and procedures designed to identify and expose undesirable events that elude preventive controls.
  Corrective controls: actually fix the problem that was detected.
  Discussion questions: Which class is most cost effective? Which one tends to be the proactive measure? Can you give an example of each?
  Techniques: predictive controls.

COSO COMPONENTS OF INTERNAL CONTROL
Control environment: sets the tone for the organization and influences the control awareness of its management and employees. Elements:
  integrity and ethical values;
  structure of the organization;
  participation of the audit committee;
  management's philosophy and style;
  procedures for delegating responsibility and authority;
  management's methods of assessing performance;
  external influences;
  the organization's policies and practices for managing human resources.
Techniques the auditor uses to evaluate the control environment:
  assess the integrity of the organization's management;
  look for conditions conducive to management fraud;
  understand the client's business and industry;
  determine whether the board and audit committee are actively involved;
  study the organization structure.

Risk assessment: identify, analyze and manage risks relevant to financial reporting. Conditions that change the risk picture:
  changes in the operating environment;
  changes in personnel;
  changes in the I.S., including new ITs;
  significant or rapid growth;
  new products or services (lack of experience);
  organizational restructuring;
  entry into foreign markets;
  new accounting principles.

Information & communication: the accounting information system initiates, identifies, analyzes, classifies and records economic transactions and events.
  Identify and record all valid economic transactions.
  Provide timely, detailed information.
  Auditors obtain sufficient knowledge of the I.S. to understand: the classes of transactions that are material; the accounting records and accounts used; the processing steps from initiation to inclusion in the financial statements; and the financial reporting process (including disclosures).

Monitoring: the process by which the quality of internal control design and operation can be assessed.
  By separate procedures (e.g., tests of controls).
  By ongoing activities (Embedded Audit Modules, EAMs, and Continuous Online Auditing, COA).

Control activities: policies and procedures used to ensure that appropriate actions are taken to deal with the organization's identified risks.
Physical controls: the class of controls that relate primarily to the human activities employed in accounting systems.
  Transaction authorization: ensure that all material transactions processed by the information system are valid and in accordance with management's objectives.
    General authority: granted to operations personnel to perform day-to-day activities.
    Specific authority: case-by-case decisions associated with non-routine transactions.
    Examples: sales only to authorized customers; sales only within the available credit limit.
  Segregation of duties:
    Authorization of a transaction should be separate from processing of the transaction.
    Responsibility for asset custody should be separate from the record-keeping responsibility.
    The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities.
    Examples of incompatible duties: authorization vs. processing (e.g., authorizing customers vs. making sales); custody vs. recordkeeping (e.g., custody of inventory vs. data processing of inventory records); the separate steps in a process, so that fraud requires collusion.
  Supervision: serves as a compensating control when a lack of segregation of duties exists by necessity.
  Accounting records: consist of source documents, journals and ledgers.
    Audit trail: enables the auditor to trace any transaction through all phases of its processing, from the initiation of the event to the financial statements.
  Access controls: ensure that only authorized personnel have access to the firm's assets.
    Direct (the assets themselves).
    Indirect (the documents that control the assets).
  Independent verification: independent checks of the accounting system to identify errors and misrepresentations. Through them management can assess: the performance of individuals; the integrity of the AIS; the integrity of the data in the records.

IT RISKS MODEL
  Operations.
  Data management.
  New systems development.
  Systems maintenance.
  Electronic commerce (the Internet).
  Computer applications.
  Fraud.
  Disaster recovery.
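The segregation-of-duties rules in the physical controls section can be checked mechanically against a role model, which is how an IT auditor would test them in an access-control system rather than by interview alone. The following is an added example written for these notes, not code from the original slides: the incompatible pairs are the ones the slides list (authorization vs. processing, custody vs. recordkeeping, authorizing customers vs. making sales), while the duty names, roles, users and the five-step sales-to-inventory process are constructed sample data. The second function implements the slides' collusion criterion directly: the smallest number of people whose combined duties cover every step of the process.

```python
"""Segregation-of-duties check over role assignments (added example; sample data is constructed)."""
from itertools import combinations

# Incompatible duty pairs taken from the notes; the duty identifiers are assumptions.
INCOMPATIBLE_DUTIES = {
    frozenset({"authorize_customer", "process_sale"}),     # authorize customer vs. make the sale
    frozenset({"authorize_sale", "process_sale"}),         # authorization vs. processing
    frozenset({"custody_inventory", "record_inventory"}),  # custody vs. recordkeeping (DP of inventory)
}

# Constructed role model: which duties each role carries.
ROLE_DUTIES = {
    "credit_manager": {"authorize_customer", "authorize_sale"},
    "sales_clerk": {"process_sale"},
    "warehouse": {"custody_inventory"},
    "inventory_dp": {"record_inventory"},
}

# Constructed assignments; erin and frank hold role combinations a small shop often merges.
USER_ROLES = {
    "alice": {"credit_manager"},
    "bob": {"sales_clerk"},
    "carol": {"warehouse"},
    "dave": {"inventory_dp"},
    "erin": {"credit_manager", "sales_clerk"},
    "frank": {"warehouse", "inventory_dp"},
}

# Steps of the sales-to-inventory process; committing and concealing a fraud needs all of them.
SALES_PROCESS = ["authorize_customer", "authorize_sale", "process_sale",
                 "custody_inventory", "record_inventory"]


def duties_of(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Effective duties of a user: the union of the duties of every role they hold."""
    return set().union(*(role_duties[r] for r in user_roles.get(user, ())))


def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                   incompatible=INCOMPATIBLE_DUTIES):
    """Map each violating user to the sorted incompatible pairs they hold in full.

    Users with no conflict are omitted, so an empty dict means the SoD rules hold.
    Any user listed here needs either a role change or a documented compensating
    control (supervision), as the notes describe.
    """
    out = {}
    for user in user_roles:
        held = duties_of(user, user_roles, role_duties)
        pairs = sorted(tuple(sorted(p)) for p in incompatible if p <= held)
        if pairs:
            out[user] = pairs
    return out


def min_colluders(steps=SALES_PROCESS, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Smallest number of people whose combined duties cover every step of the process.

    1 means one person can both commit and conceal the fraud; 2 or more means
    collusion is required, which is the design goal stated in the notes.
    Brute-force set cover: fine for a department-sized user list.
    """
    need = set(steps)
    users = list(user_roles)
    for k in range(1, len(users) + 1):
        for group in combinations(users, k):
            covered = set().union(*(duties_of(u, user_roles, role_duties) for u in group))
            if need <= covered:
                return k
    return None  # no group of users covers all steps


if __name__ == "__main__":
    violations = sod_violations()
    print("SoD violations:", violations)
    print("People needed for a full fraud (all users):", min_colluders())
    compliant = {u: r for u, r in USER_ROLES.items() if u not in violations}
    print("People needed after removing violators:", min_colluders(user_roles=compliant))
```

Run as-is, the check flags erin (authorization plus processing of sales) and frank (custody plus recordkeeping of inventory); with those two assignments in place only two people are needed to complete the whole process, and once their combined roles are split the same process needs four. That gap between two and four is what the segregation design buys.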