ch01_auditing assurance & intrnal ctrl
TRANSCRIPT
-
8/13/2019 Ch01_Auditing Assurance & Intrnal Ctrl
1/46
Hall & Singleton, 2e
Chapter 1: Auditing, Assurance, and Internal Control
-
AUDITING
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.
-
INTERNAL AUDITS
Internal auditing: independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
Financial Audits
Operational Audits
Compliance Audits
Fraud Audits
IT Audits
CIA
IIA
-
IT AUDITS
IT audits: provide audit services where processes or data, or both, are embedded in technologies.
Subject to ethics, guidelines, and standards of the profession (if certified)
CISA
Most closely associated with ISACA
Joint with internal, external, and fraud audits
Scope of IT audit coverage is increasing
Characterized by CAATTs
IT governance as part of corporate governance
-
FRAUD AUDITS
Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
Auditor is more like a detective
No materiality
Goal is conviction, if sufficient evidence of fraud exists
CFE
ACFE
-
EXTERNAL AUDITS
External auditing: Objective is that in all material respects, financial statements are a fair representation of organization's transactions and account balances.
SEC's role
Sarbanes-Oxley Act
FASB - PCAOB
CPA
AICPA
-
EXTERNAL vs. INTERNAL
External auditing:
Independent auditor (CPA)
Independence defined by SEC/S-OX/AICPA
Required by SEC for publicly-traded companies
Referred to as a financial audit
Represents interests of outsiders, the public (e.g., stockholders)
Standards, guidance, certification governed by AICPA, FASB, PCAOB; delegated by SEC who has final authority
Internal auditing:
Auditor (often a CIA or CISA)
Is an employee of organization imposing independence on self
Optional per management requirements
Broader services than financial audit; (e.g., operational audits)
Represent interests of the organization
Standards, guidance, certification governed by IIA and ISACA
-
FINANCIAL AUDITS
An independent attestation performed by an expert (i.e.,
an auditor, a CPA) who expresses an opinion regarding
the presentation of financial statements
Key concept: Independence
{Should be} Similar to a trial by judge
Culmination of systematic process involving:
Familiarization with the organization's business
Evaluating and testing internal controls
Assessing the reliability of financial data
Product is formal written report that expresses an opinion about the reliability of the assertions in financial statements; in conformity with GAAP
-
ATTEST definition
Written assertions
Practitioner's written report
Formal establishment of measurement criteria or their description
Limited to:
Examination
Review
Application of agreed-upon procedures
-
ATTEST vs. ASSURANCE
ASSURANCE
Professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers
IT Audit Groups in Big Four
IT Risk Management
I.S. Risk Management
Operational Systems Risk Management
Technology & Security Risk Services
Typically a division of assurance services
-
AUDITING STANDARDS
Auditing standards
Set by AICPA
Authoritative
#1 = Ten Generally Accepted Auditing Standards (GAAS)
Three categories:
General Standards
Standards of Field Work
Reporting Standards
#2 = Statements on Auditing Standards (SASs)
SAS #1 issued by AICPA in 1972
-
AUDITS
Systematic process
Five primary management assertions, and
correlated audit objectives and procedures
[Table 1-1]
Existence or Occurrence
Completeness
Rights & Obligations
Valuation or Allocation
Presentation or Disclosure
-
AUDITS
Phases [Figure 1-3]
1. Planning
2. Obtaining evidence
Tests of Controls
Substantive Testing
CAATTs
Analytical procedures
3. Ascertaining reliability
MATERIALITY
4. Communicating results
Audit opinion
-
AUDIT RISK:
The probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find
Audit Risk Formula
-
INHERENT RISK:
The probability that material misstatements have occurred
Material vs. Immaterial
Includes economic conditions, etc.
Relative risk (e.g., cash)
Audit Risk Formula
-
CONTROL RISK:
The probability that the internal controls will fail to detect material misstatements
Audit Risk Formula
-
DETECTION RISK:
The probability that the audit procedures will fail to detect material misstatements
Substantive procedures
Audit Risk Formula
-
AUDIT RISK MODEL: AR = IR * CR * DR
example inventory with:
IR=40%, CR=60%, AR=5% (fixed)
.05 = .4 * .6 * DR
... then DR=4.8%
Why is AR = 5%?
What is detection risk?
Can CR realistically be 0?
Relationship between DR and substantive
procedures
Audit Risk Formula
-
Relationship between tests of controls and substantive tests
Illustrate higher reliability of the internal controls and the Audit Risk Model
What happens if internal controls are more reliable than last audit?
Last year: .05 = .4 * .6 * DR [DR = 4.8]
This year: .05 = .4 * .4 * DR [DR = 3.2]
The more reliable the internal controls, the lower the CR probability; thus the lower the DR will be, and fewer substantive tests are necessary.
Substantive tests are labor intensive
Audit Risk Model
-
Role of Audit Committee
Selected from board of directors
Usually three members
Outsiders (S-OX now requires it)
Fiduciary responsibility to shareholders
Serve as independent check and balance system
Interact with internal auditors
Hire, set fees, and interact with external auditors
Resolve conflicts of GAAP between external auditors and management
-
What is an IT Audit?
most accounting transactions to be in
electronic form without any paper
documentation because electronic storage is more efficient. These technologies
greatly change the nature of audits, which
have so long relied on paper documents.
-
THE IT ENVIRONMENT
There has always been a need for an effective internal control system.
The design and oversight of that system has typically been the responsibility of accountants.
The I.T. Environment complicates the paper systems of the past.
Concentration of data
Expanded access and linkages
Increase in malicious activities in systems vs. paper
Opportunity that can cause management fraud (i.e., override)
-
THE IT ENVIRONMENT
Audit planning
Tests of controls
Substantive tests
CAATTs
-
INTERNAL CONTROL
is policies, practices, procedures designed to
safeguard assets
ensure accuracy and reliability
promote efficiency
measure compliance with policies
-
BRIEF HISTORY - SEC
SEC acts of 1933 and 1934
"Ivar Kreuger's Contribution to U.S. Financial Reporting," Accounting Review, Flesher & Flesher
All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.
-
BRIEF HISTORY - Copyright
Federal Copyright Act 1976
1. Protects intellectual property in the U.S.
2. Has been amended numerous times since
3. Management is legally responsible for violations of the organization
4. U.S. government has continually sought international agreement on terms for protection of intellectual property globally vs. nationally
-
BRIEF HISTORY - FCPA
Foreign Corrupt Practices Act 1977
1. Accounting provisions
FCPA requires SEC registrants to establish and maintain books, records, and accounts.
It also requires establishment of internal accounting controls sufficient to meet objectives.
1. Transactions are executed in accordance with management's general or specific authorization.
2. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
3. Access to assets is permitted only in accordance with management authorization.
4. The recorded assets are compared with existing assets at reasonable intervals.
2. Illegal foreign payments
-
BRIEF HISTORY - COSO
Committee on Sponsoring Organizations - 1992
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management perspective model
for internal controls over a number of years
3. Is widely adopted
-
BRIEF HISTORY - S-OX
Sarbanes-Oxley Act - 2002
1. Section 404: Management Assessment of Internal Control
Management is responsible for establishing and maintaining internal control structure and procedures.
Must certify by report on the effectiveness of internal control each year, with other annual reports.
2. Section 302: Corporate Responsibility for Incident Reports
Financial executives must disclose deficiencies in internal control, and fraud (whether fraud is material or not).
-
Modifying Assumptions
1. Management responsibility
2. Reasonable assurance
no I.C.S. is perfect
benefits => costs
3. Methods of data processing
Objectives same regardless of DP method
Specific controls vary w/different technologies
-
4. Limitations
Possibility of error
Possibility of circumvention
Management override
Changing conditions
Modifying Assumptions
-
EXPOSURES AND RISK
Exposure (definition)
Risks (definition)
Types of risk
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.
-
THE P-D-C MODEL
Preventive controls
Detective controls
Corrective controls
Which is most cost effective?
Which one tends to be proactive measures?
Can you give an example of each?
Predictive controls
-
SAS 78: Consideration of Internal
Control in a Financial Statement Audit
COSO (Treadway Commission)
The control environment
Risk assessment
Information & communication
Monitoring
Control activities
-
SAS 78 (#1: Control Environment -- elements)
Describe how each one could adversely affect internal control.
The integrity and ethical values
Structure of the organization
Participation of audit committee
Management's philosophy and style
Procedures for delegating
-
Management's methods of assessing performance
External influences
Organization's policies and practices for managing human resources
SAS 78 (#1: Control Environment -- elements)
-
Describe possible activity or tool for each.
Assess the integrity of organization's management
Conditions conducive to management fraud
Understand client's business and industry
Determine if board and audit committee are actively involved
Study organization structure
SAS 78 (#1: Control Environment -- techniques)
-
Changes in environment
Changes in personnel
Changes in I.S.
New ITs
Significant or rapid growth
New products or services (experience)
Organizational restructuring
Foreign markets
New accounting principles
SAS 78 (#2: Risk Assessment)
-
Initiate, identify, analyze, classify and record
economic transactions and events.
Identify and record all valid economic
transactions
Provide timely, detailed information
Accurately measure financial values
Accurately record transactions
SAS 78 (#3: Information & Communication -- elements)
-
Auditors obtain sufficient knowledge of
I.S.s to understand:
Classes of transactions that are material
Accounting records and accounts used
Processing steps: initiation to inclusion in financial statements (illustrate)
Financial reporting process (including disclosures)
SAS 78 (#3: Information & Communication -- techniques)
-
By separate procedures (e.g., tests of
controls)
By ongoing activities (Embedded Audit Modules - EAMs and Continuous Online Auditing - COA)
SAS 78 (#4: Monitoring)
-
SAS 78
(#5: Control Activities)
-
Physical Controls (1-3)
Transaction authorization
Example:
Sales only to authorized customer
Sales only if available credit limit
Segregation of duties
Examples of incompatible duties:
Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
Custody vs. recordkeeping [e.g., custody of inventory vs.
DP of inventory]
Fraud requires collusion [e.g., separate various steps in
process]
Supervision
Serves as compensating control when lack of segregation
of duties exists by necessity
-
Physical Controls (4-6)
Accounting records (audit trails; examples)
Access controls
Direct (the assets)
Indirect (documents that control the assets)
Fraud
Disaster Recovery
Independent verification
Management can assess:
The performance of individuals
The integrity of the AIS
The integrity of the data in the records
Examples
-
Operations
Data management systems
New systems development
Systems maintenance
Electronic commerce (The Internet)
Computer applications
IT Risks Model