ch01_auditing assurance & intrnal ctrl

Upload: andry-onix

Post on 04-Jun-2018


TRANSCRIPT

  • 8/13/2019 Ch01_Auditing Assurance & Intrnal Ctrl

    1/46

    Hall & Singleton, 2e

    Chapter 1: Auditing, Assurance, and Internal Control


    AUDITING

    Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.


    INTERNAL AUDITS

    Internal auditing: independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization

    Financial Audits

    Operational Audits

    Compliance Audits

    Fraud Audits

    IT Audits

    CIA

    IIA


    IT AUDITS

    IT audits: provide audit services where processes or data, or both, are embedded in technologies.

    Subject to ethics, guidelines, and standards of the profession (if certified)

    CISA

    Most closely associated with ISACA

    Joint with internal, external, and fraud audits

    Scope of IT audit coverage is increasing

    Characterized by CAATTs

    IT governance as part of corporate governance


    FRAUD AUDITS

    Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.

    Auditor is more like a detective

    No materiality

    Goal is conviction, if sufficient evidence of fraud exists

    CFE

    ACFE


    EXTERNAL AUDITS

    External auditing: Objective is that in all material respects, financial statements are a fair representation of organization's transactions and account balances.

    SEC's role

    Sarbanes-Oxley Act

    FASB - PCAOB

    CPA

    AICPA


    EXTERNAL vs. INTERNAL

    External auditing: Independent auditor (CPA)

    Independence defined by SEC/S-OX/AICPA

    Required by SEC for publicly-traded companies

    Referred to as a financial audit

    Represents interests of outsiders, the public (e.g., stockholders)

    Standards, guidance, certification governed by AICPA, FASB, PCAOB; delegated by SEC who has final authority

    Internal auditing:

    Auditor (often a CIA or CISA)

    Is an employee of organization imposing independence on self

    Optional per management requirements

    Broader services than financial audit; (e.g., operational audits)

    Represent interests of the organization

    Standards, guidance, certification governed by IIA and ISACA


    FINANCIAL AUDITS

    An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements

    Key concept: Independence

    {Should be} Similar to a trial by judge

    Culmination of systematic process involving:

    Familiarization with the organization's business

    Evaluating and testing internal controls

    Assessing the reliability of financial data

    Product is formal written report that expresses an opinion about the reliability of the assertions in financial statements; in conformity with GAAP


    ATTEST definition

    Written assertions

    Practitioner's written report

    Formal establishment of measurement criteria or their description

    Limited to:

    Examination

    Review

    Application of agreed-upon procedures


    ATTEST vs. ASSURANCE

    ASSURANCE

    Professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers

    IT Audit Groups in Big Four

    IT Risk Management

    I.S. Risk Management

    Operational Systems Risk Management

    Technology & Security Risk Services

    Typically a division of assurance services


    AUDITING STANDARDS

    Auditing standards

    Set by AICPA

    Authoritative

    #1 = Ten Generally Accepted Auditing Standards (GAAS)

    Three categories:

    General Standards

    Standards of Field Work

    Reporting Standards

    #2 = Statements on Auditing Standards (SASs)

    SAS #1 issued by AICPA in 1972


    AUDITS

    Systematic process

    Five primary management assertions, and correlated audit objectives and procedures [Table 1-1]

    Existence or Occurrence

    Completeness

    Rights & Obligations

    Valuation or Allocation

    Presentation or Disclosure


    AUDITS

    Phases [Figure 1-3]

    1. Planning

    2. Obtaining evidence

    Tests of Controls

    Substantive Testing

    CAATTs

    Analytical procedures

    3. Ascertaining reliability

    MATERIALITY

    4. Communicating results

    Audit opinion


    AUDIT RISK:

    The probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find

    Audit Risk Formula


    INHERENT RISK:

    The probability that material misstatements have occurred

    Material vs. Immaterial

    Includes economic conditions, etc.

    Relative risk (e.g., cash)


    CONTROL RISK:

    The probability that the internal controls will fail to detect material misstatements


    DETECTION RISK:

    The probability that the audit procedures will fail to detect material misstatements

    Substantive procedures


    AUDIT RISK MODEL: AR = IR * CR * DR

    example inventory with:

    IR=40%, CR=60%, AR=5% (fixed)

    .05 = .4 * .6 * DR

    ... then DR=4.8%

    Why is AR = 5%?

    What is detection risk?

    Can CR realistically be 0?

    Relationship between DR and substantive procedures


    Audit Risk Model

    Relationship between tests of controls and substantive tests

    Illustrate higher reliability of the internal controls and the Audit Risk Model

    What happens if internal controls are more reliable than last audit?

    Last year: .05 = .4 * .6 * DR [DR = 4.8]

    This year: .05 = .4 * .4 * DR [DR = 3.2]

    The more reliable the internal controls, the lower the CR probability; thus the lower the DR will be, and fewer substantive tests are necessary.

    Substantive tests are labor intensive


    Role of Audit Committee

    Selected from board of directors

    Usually three members

    Outsiders (S-OX now requires it)

    Fiduciary responsibility to shareholders

    Serve as independent check and balance system

    Interact with internal auditors

    Hire, set fees, and interact with external auditors

    Resolve conflicts of GAAP between external auditors and management


    What is an IT Audit?

    most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient. These technologies greatly change the nature of audits, which have so long relied on paper documents.


    THE IT ENVIRONMENT

    There has always been a need for an effective internal control system.

    The design and oversight of that system has typically been the responsibility of accountants.

    The I.T. Environment complicates the paper systems of the past.

    Concentration of data

    Expanded access and linkages

    Increase in malicious activities in systems vs. paper

    Opportunity that can cause management fraud (i.e., override)


    THE IT ENVIRONMENT

    Audit planning

    Tests of controls

    Substantive tests

    CAATTs


    INTERNAL CONTROL

    is policies, practices, procedures designed to

    safeguard assets

    ensure accuracy and reliability

    promote efficiency

    measure compliance with policies


    BRIEF HISTORY - SEC

    SEC acts of 1933 and 1934

    Ivar Kreuger's Contribution to U.S. Financial Reporting, Accounting Review, Flesher & Flesher

    All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.


    BRIEF HISTORY - Copyright

    Federal Copyright Act 1976

    1. Protects intellectual property in the U.S.

    2. Has been amended numerous times since

    3. Management is legally responsible for violations of the organization

    4. U.S. government has continually sought international agreement on terms for protection of intellectual property globally vs. nationally


    BRIEF HISTORY - FCPA

    Foreign Corrupt Practices Act 1977

    1. Accounting provisions

    FCPA requires SEC registrants to establish and maintain books, records, and accounts.

    It also requires establishment of internal accounting controls sufficient to meet objectives.

    1. Transactions are executed in accordance with management's general or specific authorization.

    2. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.

    3. Access to assets is permitted only in accordance with management authorization.

    4. The recorded assets are compared with existing assets at reasonable intervals.

    2. Illegal foreign payments


    BRIEF HISTORY - COSO

    Committee on Sponsoring Organizations - 1992

    1. AICPA, AAA, FEI, IMA, IIA

    2. Developed a management perspective model for internal controls over a number of years

    3. Is widely adopted


    BRIEF HISTORY - S-OX

    Sarbanes-Oxley Act - 2002

    1. Section 404: Management Assessment of Internal Control

    Management is responsible for establishing and maintaining internal control structure and procedures.

    Must certify by report on the effectiveness of internal control each year, with other annual reports.

    2. Section 302: Corporate Responsibility for Incident Reports

    Financial executives must disclose deficiencies in internal control, and fraud (whether fraud is material or not).


    Modifying Assumptions

    1. Management responsibility

    2. Reasonable assurance

    no I.C.S. is perfect

    benefits => costs

    3. Methods of data processing

    Objectives same regardless of DP method

    Specific controls vary w/different technologies


    4. Limitations

    Possibility of error

    Possibility of circumvention

    Management override

    Changing conditions


    EXPOSURES AND RISK

    Exposure (definition)

    Risks (definition)

    Types of risk

    Destruction of assets

    Theft of assets

    Corruption of information or the I.S.

    Disruption of the I.S.


    THE P-D-C MODEL

    Preventive controls

    Detective controls

    Corrective controls

    Which is most cost effective?

    Which one tends to be proactive measures?

    Can you give an example of each?

    Predictive controls


    SAS 78: Consideration of Internal Control in a Financial Statement Audit

    COSO (Treadway Commission)

    The control environment

    Risk assessment

    Information & communication

    Monitoring

    Control activities


    SAS 78 (#1: Control Environment -- elements)

    Describe how each one could adversely affect internal control.

    The integrity and ethical values

    Structure of the organization

    Participation of audit committee

    Management's philosophy and style

    Procedures for delegating


    Management's methods of assessing performance

    External influences

    Organization's policies and practices for managing human resources


    SAS 78 (#1: Control Environment -- techniques)

    Describe possible activity or tool for each.

    Assess the integrity of organization's management

    Conditions conducive to management fraud

    Understand client's business and industry

    Determine if board and audit committee are actively involved

    Study organization structure


    SAS 78 (#2: Risk Assessment)

    Changes in environment

    Changes in personnel

    Changes in I.S.

    New ITs

    Significant or rapid growth

    New products or services (experience)

    Organizational restructuring

    Foreign markets

    New accounting principles


    SAS 78 (#3: Information & Communication - elements)

    Initiate, identify, analyze, classify and record economic transactions and events.

    Identify and record all valid economic transactions

    Provide timely, detailed information

    Accurately measure financial values

    Accurately record transactions


    SAS 78 (#3: Information & Communication - techniques)

    Auditors obtain sufficient knowledge of I.S.s to understand:

    Classes of transactions that are material

    Accounting records and accounts used

    Processing steps: initiation to inclusion in financial statements (illustrate)

    Financial reporting process (including disclosures)


    SAS 78 (#4: Monitoring)

    By separate procedures (e.g., tests of controls)

    By ongoing activities (Embedded Audit Modules - EAMs and Continuous Online Auditing - COA)


    SAS 78 (#5: Control Activities)


    Physical Controls (1-3)

    Transaction authorization

    Example:

    Sales only to authorized customer

    Sales only if available credit limit

    Segregation of duties

    Examples of incompatible duties:

    Authorization vs. processing [e.g., Sales vs. Auth. Cust.]

    Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]

    Fraud requires collusion [e.g., separate various steps in process]

    Supervision

    Serves as compensating control when lack of segregation of duties exists by necessity
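
Added example (not from the original slides): a segregation-of-duties check over the two incompatible duty pairs named on this slide, with supervision treated as the compensating control. The duty labels, user names and assignments are constructed for illustration.

```python
from itertools import combinations

# Incompatible duty pairs from the slide; the label strings are chosen here.
INCOMPATIBLE = {
    frozenset({"authorization", "processing"}),
    frozenset({"custody", "recordkeeping"}),
}


def sod_findings(assignments, supervised=frozenset()):
    """Flag users who hold both halves of an incompatible duty pair.

    assignments: dict mapping user -> set of duty labels
    supervised:  users whose work is reviewed by a supervisor, which the
                 slide treats as a compensating control
    Returns a sorted list of (user, duty_a, duty_b, status) tuples, where
    status is "compensated" or "violation".
    """
    findings = []
    for user, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                status = "compensated" if user in supervised else "violation"
                findings.append((user, a, b, status))
    return sorted(findings)


# Constructed sample data (hypothetical users and duty assignments).
ASSIGNMENTS = {
    "alice": {"authorization"},
    "bob": {"processing", "recordkeeping"},    # compatible combination
    "carol": {"custody", "recordkeeping"},     # incompatible, but supervised
    "dave": {"authorization", "processing", "custody"},
}
SUPERVISED = {"carol"}

if __name__ == "__main__":
    for user, a, b, status in sod_findings(ASSIGNMENTS, SUPERVISED):
        print(f"{user}: {a} + {b} -> {status}")
```

A "compensated" finding still belongs in the audit working papers, since the slide presents supervision as a fallback for cases where segregation is not possible.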


    Physical Controls (4-6)

    Accounting records (audit trails; examples)

    Access controls

    Direct (the assets)

    Indirect (documents that control the assets)

    Fraud

    Disaster Recovery

    Independent verification

    Management can assess:

    The performance of individuals

    The integrity of the AIS

    The integrity of the data in the records

    Examples


    IT Risks Model

    Operations

    Data management systems

    New systems development

    Systems maintenance

    Electronic commerce (The Internet)

    Computer applications