CHAPTER 1 AUDITING, ASSURANCE
AND INTERNAL CONTROL
Auditing: systematic process of objectively
obtaining and evaluating evidence regarding
assertions about economic actions and
events to ascertain the degree of
correspondence between those assertions
and establishing criteria and communicating
the results to interested users.
Internal auditing: independent appraisal
function established within an organization
to examine and evaluate its activities as a
service to the organization
Financial Audits
Operational Audits
Compliance Audits
Fraud Audits
IT Audits
CIA
IIA
IT audits: provide audit services where
processes or data, or both, are embedded in
technologies.
Subject to ethics, guidelines, and
standards of the profession (if certified)
CISA
Most closely associated with ISACA
Joint with internal, external, and fraud
audits
Scope of IT audit coverage is increasing
Characterized by CAATTs
IT governance as part of corporate
governance
Fraud audits: provide investigation services
where anomalies are suspected, to develop
evidence to support or deny fraudulent
activities.
Auditor is more like a detective
No materiality
Goal is conviction, if sufficient evidence of
fraud exists
CFE
ACFE
External auditing: Objective is that in all
material respects, financial statements are a
fair representation of organizations
transactions and account balances.
SECs role
Sarbanes-Oxley Act
FASB - PCAOB
CPA
AICPA
EXTERNAL vs. INTERNAL
External auditing:
Independent auditor (CPA)
Independence defined by SEC/S-OX/AICPA
Required by SEC for publicly-traded
companies
Referred to as a financial audit
Represents interests of outsiders, the
public (e.g., stockholders)
Standards, guidance, certification
governed by AICPA, FASB, PCAOB;
delegated by SEC who has final authority
Internal auditing:
Auditor (often a CIA or CISA)
Is an employee of organization imposing
independence on self
Optional per management requirements
Broader services than financial audit;
(e.g., operational audits)
Represent interests of the organization
Standards, guidance, certification
governed by IIA and ISACA
FINANCIAL AUDITS
An independent attestation performed by
an expert (i.e., an auditor, a CPA) who
expresses an opinion regarding the
presentation of financial statements
Key concept: Independence
{Should be} Similar to a trial by judge
Culmination of systematic process
involving:
Familiarization with the
organizations business
Evaluating and testing internal
controls
Assessing the reliability of financial
data
Product is formal written report that
expresses an opinion about the reliability
of the assertions in financial statements;
in conformity with GAAP
Attest service: engagement in which a
practitioner is engaged to issue, or does
issue, a written communication that
expresses a conclusion about the reliability
of a written assertion that is the
responsibility of another party.
Written assertions
Practitioners written report
Formal establishment of measurement
criteria or their description
Limited to:
Examination
Review
Application of agreed-upon
procedures
Assurance: professional services that are
designed to improve the quality of
information, both financial and non-financial,
used by decision-makers
IT Audit Groups in Big Four
IT Risk Management
I.S. Risk Management
Operational Systems Risk
Management
Technology & Security Risk
Services
Typically a division of assurance
services
Advisory service: professional services
offered by public accounting firms to improve
their client organizations operational
efficiency and effectiveness.
Auditing standards
Set by AICPA
Authoritative
#1 = Ten Generally Accepted Auditing
Standards (GAAS)
Three categories:
General Standards
Standards of Field Work
Reporting Standards
# 2 = Statements on Auditing Standards
(SASs)
SAS #1 issued by AICPA in 1972
Audits
Systematic process
Five primary management assertions,
and correlated audit objectives and
procedures
Existence or Occurrence all assets and
equities contained in the balance sheet
exist and that all transactions in the
income statement actually occurred.
Completeness no material assets,
equities or transactions have been
omitted from the financial statements.
Rights & Obligations assets appearing
on the balance sheet are owned by the
entity and that the liabilities reported are
obligations.
Valuation or Allocation assets and
equities are valued in accordance with
GAAP and that allocated amounts are
calculated on a systematic and rational
basis.
Presentation or Disclosure financial
statements are correctly classified and
footnote disclosures are adequate to
avoid misleading the users of financial
statements.
General categories of audit objective:
1. Transactions and account balances that
directly impact financial reporting.
2. Information system includes the audit
objectives for assessing controls over
manual operations and computer
technologies used in transaction
processing.
Phases
1. Planning
2. Obtaining evidence
Tests of Controls
Substantive Testing
CAATTs
Analytical procedures
3. Ascertaining reliability
MATERIALITY
4. Communicating results
Audit opinion
AUDIT RISK: The probability that the auditor
will give an inappropriate opinion on the
financial statements: that is, that the
statements will contain materials
misstatement(s) which the auditor fails to
find
INHERENT RISK: The probability that
material misstatements have occurred
Material vs. Immaterial
Includes economic conditions, etc.
Relative risk (e.g., cash)
CONTROL RISK: The probability that the
internal controls will fail to detect material
misstatements
DETECTION RISK: The probability that the
audit procedures will fail to detect material
misstatements
Substantive procedures
AUDIT RISK MODEL:
AR = IR * CR * DR
example inventory with:
IR=40%, CR=60%, AR=5% (fixed)
.05 = .4 * .6 * DR
... then DR=4.8%
Why is AR = 5%?
What is detection risk?
Can CR realistically be 0?
Relationship between DR and substantive
procedures
The higher the DR, the more
substantive procedures needed.
The lower the DR, the fewer
substantive procedures needed.
Relationship between tests of controls
and substantive tests
Illustrate higher reliability of the
internal controls and the Audit Risk
Model
What happens if internal
controls are more reliable
than last audit?
Last year: .05 = .4 * .6 * DR
[DR = 4.8]
This year: .05 = .4 * .4 * DR
[DR = 3.2]
The more reliable the
internal controls, the lower
the CR probability; thus the
lower the DR will be, and
fewer substantive tests are
necessary.
Substantive tests are labor
intensive
Role of Audit Committee
Selected from board of directors
Usually three members
Outsiders (S-OX now requires it)
Fiduciary responsibility to shareholders
Serve as independent check and balance
system
Interact with internal auditors
Hire, set fees, and interact with external
auditors
Resolved conflicts of GAAP between
external auditors and management
THE IT ENVIRONMENT
There has always been a need for an
effective internal control system.
The design and oversight of that system
has typically been the responsibility of
accountants.
The I.T. Environment complicates the
paper systems of the past.
Concentration of data
Expanded access and linkages
Increase in malicious activities in
systems vs. paper
Opportunity that can cause
management fraud (i.e., override)
Audit planning: auditors objective is to
obtain sufficient information about the firm
to plan the other phases of the audit.
Techniques: questionnaires, interviewing
management, reviewing systems
documentation, and observing activities.
Tests of controls: to determine whether
adequate internal controls are in place and
functioning properly
Techniques: manual techniques and
specialized computer audit techniques.
Substantive tests: involves a detailed
investigation of specific amount balances
and transactions.
CAATTs
Internal control system comprises
policies, practices, and procedures to
achieve four broad objectives.
safeguard assets
ensure accuracy and reliability
promote efficiency
measure compliance with policies
Brief history of internal control
legislation
SEC acts of 1933 and 1934
Ivar Kreugers Contribution to U.S.
Financial Reporting, Accounting Review,
Flesher & Flesher
 All corporations that report to the SEC are
required to maintain a system of internal
control that is evaluated as part of the
annual external audit.
Federal Copyright Act 1976
1. Protects intellectual property in the U.S.
2. Has been amended numerous times since
3. Management is legally responsible for
violations of the organization
4. U.S. government has continually sought
international agreement on terms for
protection of intellectual property globally
vs. nationally
Foreign Corrupt Practices Act 1977
1. Accounting provisions
FCPA requires SEC registrants to
establish and maintain books,
records, and accounts.
It also requires establishment of
internal accounting controls
sufficient to meet objectives.
Transactions are executed in
accordance with
managements general or
specific authorization.
Transactions are recorded as
necessary to prepare
financial statements (i.e.,
GAAP), and to maintain
accountability.
Access to assets is permitted
only in accordance with
management authorization.
The recorded assets are
compared with existing
assets at reasonable
intervals.
2. Illegal foreign payments
Committee on Sponsoring Organizations
- 1992
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management perspective
model for internal controls over a number
of years
3. Is widely adopted
Sarbanes-Oxley Act - 2002
1. Section 404: Management Assessment of
Internal Control
Management is responsible for
establishing and maintaining
internal control structure and
procedures.
Must certify by report on the
effectiveness of internal control
each year, with other annual
reports.
2. Section 302: Corporate Responsibility for
Incident Reports
Financial executives must disclose
deficiencies in internal control, and
fraud (whether fraud is material or
not).
Modifying Assumptions
1. Management responsibility
Reasonable assurance
no I.C.S. is perfect
benefits => costs
Methods of data processing
Objectives same regardless of DP
method
Specific controls vary w/different
technologies
Limitations
Possibility of error
Possibility of circumvention
Management override
Changing conditions
Exposure: Absence or weakness of a control
Risks: Potential threat to compromise use or
value of organizational assets
Types of risk:
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.
The PDC Model
Preventive controls: passive techniques
designed to reduce the frequency of
occurrence of undesirable events.
Detective controls: devices, techniques,
and procedures designed to identify and
expose undesirable events that elude
preventive controls.
Corrective controls: actually fix the
problem
Which is most cost effective?
 Which one tends to be proactive
measures?
Can you give an example of each?
Predictive controls
COSO
Control environment: sets the tone for the
organization and the influences the control
awareness of its management and
employees.
Elements:
The integrity and ethical values
Structure of the organization
Participation of audit committee
Managements philosophy and
style
Procedures for delegating
Managements methods of
assessing performance
External influences
Organizations policies and
practices for managing human
resources
Techniques:
Assess the integrity of
organizations management
Conditions conducive to
management fraud
Understand clients business and
industry
Determine if board and audit
committee are actively involved
Study organization structure
Risk assessment: identify, analyze, and
manage risks relevant to financial reporting.
Changes in environment
Changes in personnel
Changes in I.S.
New ITs
Significant or rapid growth
New products or services (experience)
Organizational restructuring
Foreign markets
New accounting principles
Information & communication: Initiate,
identify, analyze, classify and record
economic transactions and events.
Identify and record all valid economic
transactions
Provide timely, detailed information
Accurately measure financial values
Accurately record transactions
Techniques:
Auditors obtain sufficient knowledge of
I.S.s to understand:
Classes of transactions that are
material
Accounting records and accounts
used
Processing steps:initiation to
inclusion in financial statements
Financial reporting process
(including disclosures)
Monitoring: process by which the quality of
internal control design and operation can be
assessed.
By separate procedures (e.g., tests of
controls)
By ongoing activities (Embedded Audit
Modules EAMs and Continuous
Online Auditing - COA)
Control activities: policies and procedures
used to ensure that appropriate actions are
taken to deal with the organizations
identified risks.
Physical Controls: class of controls
relate primarily to the human activities
employed in accounting systems.
Transaction authorization: to
ensure that all material
transactions processed by the
information system are valid and in
accordance with the
managements objective.
General authority: granted to
operations personnel to perform
day-to-day activities.
Specific authority: deal with
case-by-case decisions associated
with non-routine transactions.
Example:
Sales only to authorized
customer
Sales only if available credit
limit
Segregation of duties:
Segregation of duties should be
such that the authorization for a
transaction is separate from
processing of the transaction
 Responsibility for asset custody
should be separate from the
record-keeping responsibility.
Organized should be structured so
that a successful fraud requires
collusion between two or more
individuals with incompatible
responsibilities.
Examples of incompatible
duties:
Authorization vs. processing
[e.g., Sales vs. Auth. Cust.]
Custody vs. recordkeeping
[e.g., custody of inventory
vs. DP of inventory]
Fraud requires collusion
[e.g., separate various
steps in process]
Supervision: serves as
compensating control when lack of
segregation of duties exists by
necessity
Accounting records: consist of
source documents, journals and
ledgers.
Audit trail: enables the
auditor to trace any
transaction through all
phases of its processing from
the initiation of the event to
the financial statements.
Access controls: to ensure that
only authorized personnel have
access to the firms asset.
Direct (the assets)
Indirect (documents that
control the assets)
Fraud
Disaster Recovery
Independent verification:
independent checks of the
accounting system to identify
errors and misrepresentations.
Management can assess:
The performance of
individuals
The integrity of the AIS
The integrity of the data in
the records
IT Risks Model
Operations
Data management systems
New systems development
Systems maintenance
Electronic commerce (The Internet)
Computer applications