Chapter

7-1

Prepared by

Coby Harmon

University of California, Santa Barbara

Westmont College

Auditing Information Technology-Based Processes

Study Objectives

1. An introduction to auditing IT processes
2. The various types of audits and auditors
3. Information risk and IT-enhanced internal control
4. Authoritative literature used in auditing
5. Management assertions used in the auditing process and the related audit objectives
6. The phases of an IT audit
7. The use of computers in audits
8. Tests of controls
9. Tests of transactions and tests of balances
10. Audit completion/reporting
11. Other audit considerations
12. Ethical issues related to auditing

Introduction to Auditing IT Processes

Accounting services that improve the quality of information are called assurance services.

An audit is the most common type of assurance service.

SO 1 An introduction to auditing IT processes

Types of Audits and Auditors

The main purpose of the audit is to assure users of financial information about the accuracy and completeness of the information.

Three primary types of audits include

• compliance audits,
• operational audits, and
• financial statement audits.

SO 2 The various types of audits and auditors

Audits are typically conducted by accountants.

• Certified public accountants (CPAs)
• Internal auditors
• IT auditors
• Government auditors

Real World

Top management at Ford Motor Co. is proud of the fact that Ford was the only U.S. auto manufacturer to make it through the darkest days of the economic recession (between 2008–2010) without government assistance. This is due, in part, to Ford’s long history of focusing on financial processes and controls, and its ability to alter its processes under pressures of elevated risks or new compliance requirements. A key element in this process is a rotational succession and development plan in use for staffing Ford’s internal audit team. Under this model, the internal audit department is comprised of experienced professionals on rotation from the company’s finance and IT functions, who serve the internal audit department for two to three years before returning to a previous or different functional area. This allows Ford’s personnel to gain broad corporate exposure and to develop strong risk, control, and compliance skills to take with them to the various areas where they will work after their internal audit stint.

This also helps to promote the importance of the internal audit function throughout the organization. By carefully planning the succession so that no new auditors will audit their prior functions for at least 12 months, Ford’s plan ensures that its internal auditors maintain a high level of objectivity.

The IT environment plays a key role in how auditors conduct their work in the following areas:

• Consideration of risk
• Audit procedures used to obtain knowledge of accounting and internal control systems
• Design and performance of audit tests

Concept Check

Which of the following types of audits is most likely to be conducted for the purpose of identifying areas for cost savings?

a. Financial statement audits
b. Operational audits
c. Regulatory audits
d. Compliance audits

Concept Check

Financial statement audits are required to be performed by

a. government auditors.
b. CPAs.
c. internal auditors.
d. IT auditors.

Risk and IT-Enhanced Internal Control

Information risk is the chance that information used by decision makers may be inaccurate.

Following are some causes of information risk:

• Remoteness of information
• Volume and complexity of underlying data
• Motive of the preparer

SO 3 Information risk and IT-enhanced internal control

Authoritative Literature Used in Auditing

Sources of authoritative literature

• Generally accepted auditing standards (GAAS)
• Public Company Accounting Oversight Board (PCAOB)
• Auditing Standards Board (ASB)
• International Audit and Assurance Standards Board (IAASB)
• Internal Auditing Standards Board (IASB)
• Information Systems Audit and Control Association (ISACA)

SO 4 Authoritative literature used in auditing

Exhibit 7-1: Generally Accepted Auditing Standards

Concept Check

Which of the following is not a part of generally accepted auditing standards?

a. general standards
b. standards of fieldwork
c. standards of information systems
d. standards of reporting

Concept Check

Which of the following best describes what is meant by the term “generally accepted auditing standards”?

a. Procedures used to gather evidence to support the accuracy of a client’s financial statements
b. Measures of the quality of an auditor’s conduct
c. Professional pronouncements issued by the Auditing Standards Board
d. Rules acknowledged by the accounting profession because of their widespread application

Concept Check

In an audit of financial statements in accordance with generally accepted auditing standards, an auditor is required to

a. document the auditor’s understanding of the client company’s internal controls.
b. search for weaknesses in the operation of the client company’s internal controls.
c. perform tests of controls to evaluate the effectiveness of the client company’s internal controls.
d. determine whether controls are appropriately designed to prevent or detect material misstatements.

Management Assertions and Audit Objectives

Responsibility for operations, compliance, and financial reporting lies with management of the company.

Management assertions are claims regarding the condition of the business in terms of its operations, financial results, and compliance with laws and regulations.

Audit tests developed for an audit client are documented in an audit program.

SO 5 Management assertions used in the auditing process and the related audit objectives

Exhibit 7-2: Management Assertions and Related Audit Objectives

Exhibit 7-3: Specific Audit Procedures Address General Audit Objectives and Assertions

Concept Check

Auditors should design a written audit program so that

a. all material transactions will be included in substantive testing.
b. substantive testing performed prior to year end will be minimized.
c. the procedures will achieve specific audit objectives related to specific management assertions.
d. each account balance will be tested under either a substantive test or a test of controls.

Concept Check

Which of the following audit objectives relates to the management assertion of existence?

a. A transaction is recorded in the proper period.

b. A transaction actually occurred (i.e., it is real).

c. A transaction is properly presented in the financial statements.

d. A transaction is supported by detailed evidence.

Phases of an IT Audit

There are four primary phases to an IT audit:

1. planning,

2. tests of controls,

3. substantive tests, and

4. audit completion/reporting.

SO 6 The phases of an IT audit

Exhibit 7-4: Process Map of Phases of an Audit

Audit evidence is proof of the fairness of financial information. Techniques for gathering evidence:

• physically examining or inspecting assets or supporting documentation
• obtaining written confirmations from an independent source
• reperforming tasks or recalculating information
• observing the underlying activities
• making inquiries of company personnel
• analyzing financial relationships and making comparisons

Audit Planning

Auditors review and assess the risks and controls, establish materiality guidelines, and develop relevant tests addressing the objectives.

In determining materiality, auditors estimate the monetary amounts that are large enough to make a difference in decision making.

Exhibit 7-5: Audit Planning Phase Process Map

Concept Check

Risk assessment is a process designed to

a. identify possible circumstances and events that may affect the business.
b. establish policies and procedures to carry out internal controls.
c. identify and capture information in a timely manner.
d. test the internal controls throughout the year.

Concept Check

Which of the following audit procedures is most likely to be performed during the planning phase of the audit?

a. Obtain an understanding of the client’s risk assessment process.
b. Identify specific internal control activities that are designed to prevent fraud.
c. Evaluate the reasonableness of the client’s accounting estimates.
d. Test the timely cutoff of cash payments and collections.

Use of Computers in Audits

Auditing around the computer

Auditing through the computer

Auditing with the computer

Computer-assisted audit techniques (CAATs)

SO 7 The use of computers in audits

Concept Check

Which of the following is the most significant disadvantage of auditing around the computer rather than through the computer?

a. The time involved in testing processing controls is significant.

b. The cost involved in testing processing controls is significant.

c. A portion of the audit trail is not tested.

d. The technical expertise required to test processing controls is extensive.

Tests of Controls

Tests of controls involve audit procedures designed to evaluate both general controls and application controls.

Exhibit 7-6: Control Testing Phase Process Map

SO 8 Test of controls

General Controls

Two broad categories of general controls that relate to IT systems:

• IT administration and related operating systems development and maintenance processes
• Security controls and related access issues

IT Administration

Audit tests include review for the existence and communication of company policies regarding:

• personal accountability and segregation of incompatible responsibilities
• job descriptions and clear lines of authority
• computer security and virus protection
• IT systems documentation

Security Controls

To test external access controls, auditors may perform:

• Authenticity tests
• Penetration tests
• Vulnerability assessments
• Review access logs to identify unauthorized users or failed access attempts
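The access-log review named in the last item can be carried out as a repeatable script. The following is an added example, not part of the original slides; the log format, the authorized-user list and the failure threshold are all assumptions made for illustration, and the log lines are constructed.

```python
import re
from collections import Counter

# Constructed log lines in an assumed format: timestamp, event, user, source address
LOG = """\
2024-03-04T08:01:10Z LOGIN_OK user=amartin src=192.0.2.10
2024-03-04T08:03:44Z LOGIN_FAIL user=bchen src=192.0.2.22
2024-03-04T08:03:59Z LOGIN_OK user=bchen src=192.0.2.22
2024-03-04T23:40:01Z LOGIN_FAIL user=admin src=203.0.113.5
2024-03-04T23:40:03Z LOGIN_FAIL user=admin src=203.0.113.5
2024-03-04T23:40:06Z LOGIN_FAIL user=root src=203.0.113.5
2024-03-04T23:40:09Z LOGIN_FAIL user=amartin src=203.0.113.5
2024-03-04T23:41:30Z LOGIN_OK user=tempacct src=198.51.100.77
this line is malformed and must be reported, not silently dropped
"""

AUTHORIZED_USERS = {"amartin", "bchen", "dlopez"}  # assumed list of approved accounts
FAIL_THRESHOLD = 3                                  # assumed review threshold per source

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Split the log into parsed events and lines that do not fit the format."""
    events, unparsed = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
        else:
            unparsed.append(line)  # kept as an exception item for the auditor
    return events, unparsed


def review(log_text):
    """Return the exceptions an auditor would follow up on."""
    events, unparsed = parse(log_text)
    fails_by_src = Counter(e["src"] for e in events if e["event"] == "LOGIN_FAIL")
    return {
        # Successful logins by accounts that are not on the approved list
        "unauthorized_logins": sorted(
            {e["user"] for e in events
             if e["event"] == "LOGIN_OK" and e["user"] not in AUTHORIZED_USERS}),
        # Accounts outside the approved list that were tried but rejected
        "unknown_accounts_tried": sorted(
            {e["user"] for e in events
             if e["event"] == "LOGIN_FAIL" and e["user"] not in AUTHORIZED_USERS}),
        # Sources with repeated failed attempts at or above the threshold
        "sources_over_threshold": {
            src: n for src, n in fails_by_src.items() if n >= FAIL_THRESHOLD},
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    for finding, detail in review(LOG).items():
        print(f"{finding}: {detail}")
```

Lines that fail to parse are reported rather than skipped, so a gap in the evidence is visible in the working papers.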

Application Controls

Computerized controls over application programs.

Auditors should test

• Systems documentation
• Main functions of the computer applications
  ► Input controls,
  ► Processing controls, and
  ► Output controls.

Input Controls

1. Financial totals

2. Hash totals

3. Completeness or redundancy tests

4. Limit tests

5. Validation checks

6. Field checks
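An added example (not from the original slides) showing how several of the listed input controls behave on one constructed batch of vendor payments. It uses the usual meanings of the terms: a hash total here is the sum of vendor IDs, a figure with no meaning except as a batch check. The field names, vendor master list and payment limit are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed batch header: control figures recorded when the batch was prepared
HEADER = {"record_count": 4, "financial_total": Decimal("3150.00"), "hash_total": 16214}

# Constructed records as keyed in by data entry (all values arrive as strings)
RECORDS = [
    {"vendor_id": "4021", "invoice": "INV-881", "amount": "1200.00"},
    {"vendor_id": "4053", "invoice": "INV-882", "amount": "450.00"},   # transposed ID
    {"vendor_id": "4107", "invoice": "", "amount": "9500.00"},         # blank field, mis-keyed amount
    {"vendor_id": "40S1", "invoice": "INV-884", "amount": "500.00"},   # letter in a numeric field
]

VALID_VENDORS = {"4021", "4035", "4051", "4107"}  # assumed vendor master file
AMOUNT_LIMIT = Decimal("5000.00")                 # assumed per-payment limit
REQUIRED = ("vendor_id", "invoice", "amount")


def check_record(rec):
    """Return the names of the record-level input controls this record fails."""
    failures = []
    # Completeness test: every required field must be filled in
    if any(not rec.get(field, "").strip() for field in REQUIRED):
        failures.append("completeness")
    # Field check (numeric only), then validation check against the master file
    if not rec.get("vendor_id", "").isdecimal():
        failures.append("field:vendor_id")
    elif rec["vendor_id"] not in VALID_VENDORS:
        failures.append("validation:vendor_id")
    # Field check on the amount, then limit test
    try:
        amount = Decimal(rec.get("amount", ""))
        if not amount.is_finite():
            raise InvalidOperation
    except InvalidOperation:
        failures.append("field:amount")
    else:
        if amount > AMOUNT_LIMIT:
            failures.append("limit:amount")
    return failures


def check_batch(header, records):
    """Recompute the control totals; return {name: (expected, computed)} for mismatches."""
    financial = Decimal("0")
    hash_total = 0
    for rec in records:
        try:
            financial += Decimal(rec.get("amount", ""))
        except InvalidOperation:
            pass  # an unparseable amount leaves the financial total short, which is flagged
        if rec.get("vendor_id", "").isdecimal():
            hash_total += int(rec["vendor_id"])
    computed = {"record_count": len(records),
                "financial_total": financial,
                "hash_total": hash_total}
    return {name: (header[name], value)
            for name, value in computed.items() if header[name] != value}


if __name__ == "__main__":
    for number, rec in enumerate(RECORDS, start=1):
        print(number, check_record(rec) or "ok")
    print(check_batch(HEADER, RECORDS))
```

The record count still agrees with the header even though three of the four records are wrong, which is why the financial total and hash total are tested alongside it.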

Processing Controls, techniques for testing

1. Test data method

2. Program tracing

3. Integrated test facility

4. Parallel simulation

5. Embedded audit modules

Real World

Ernst & Young LLP employs thousands of auditors in its IT Risk and Assurance Advisory Services group. This specialized group assists with financial statement audits and provides other services concerning its clients’ information systems. Information systems assurance services focus on audits of business information systems, assessment of the underlying control environment, and the use of CAATs to verify accounting and financial data. As one of the Big Four CPA firms, Ernst & Young is responsible for auditing the financial statements of many public companies. It serves clients in hundreds of locations in approximately 140 countries. These client companies are quite diverse in terms of the type of business they perform, their size, and their complexity, but tend to be alike in their need for timely information. The use of CAATs helps Ernst & Young provide timely service to its clients, while accumulating audit evidence necessary for doing its job as auditor.

Output Controls

1. Reasonableness tests

2. Audit trail tests

3. Rounding errors tests

Concept Check

The primary objective of compliance testing in a financial statement audit is to determine whether

a. procedures have been updated regularly.
b. financial statement amounts are accurately stated.
c. internal controls are functioning as designed.
d. collusion is taking place.

Concept Check

Which of the following computer assisted auditing techniques processes actual client input data (or a copy of the real data) on a controlled program under the auditor’s control to periodically test controls in the client’s computer system?

a. Test data method
b. Embedded audit module
c. Integrated test facility
d. Parallel simulation

Concept Check

Which of the following is a general control to test for external access to a client’s computerized systems?

a. Penetration tests
b. Hash totals
c. Field checks
d. Program tracing

Tests of Transactions and Balances

Substantive Testing - tests of accuracy of monetary amounts of transactions and account balances.

Computerized auditing tools make it possible for more efficient audit tests such as:

• mathematical and statistical calculations
• data queries
• identification of missing items in a sequence
• stratification and comparison of data items
• selection of items of interest from the data files
• summarization of testing results into a useful format for decision making

SO 9 Test of transactions and tests of balances
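Several of the computerized tests listed above (missing items in a sequence, stratification, selection of items of interest, summarization) can be shown on one small data file. This is an added example, not part of the original slides; the invoice register is constructed, and the strata boundaries and selection threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed invoice register: (invoice number, customer, amount)
INVOICES = [
    (1001, "C-17", Decimal("250.00")),
    (1002, "C-04", Decimal("18400.00")),
    (1003, "C-17", Decimal("975.50")),
    (1005, "C-22", Decimal("61250.00")),
    (1006, "C-04", Decimal("18400.00")),
    (1009, "C-31", Decimal("120.25")),
    (1010, "C-22", Decimal("4999.99")),
]

# Assumed strata (lower bound inclusive, upper bound exclusive; None means open-ended)
STRATA = [(Decimal("0"), Decimal("1000")),
          (Decimal("1000"), Decimal("10000")),
          (Decimal("10000"), None)]
THRESHOLD = Decimal("10000")  # assumed cut-off for individually examined items


def missing_in_sequence(invoices):
    """Invoice numbers absent between the lowest and highest number on file."""
    numbers = sorted(num for num, _, _ in invoices)
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def stratify(invoices, strata):
    """Return {stratum label: (item count, total amount)}."""
    result = {}
    for low, high in strata:
        label = f"{low}+" if high is None else f"{low}-{high}"
        amounts = [amt for _, _, amt in invoices
                   if amt >= low and (high is None or amt < high)]
        result[label] = (len(amounts), sum(amounts, Decimal("0")))
    return result


def items_of_interest(invoices, threshold):
    """Select large items and possible duplicates (same customer and amount)."""
    by_key = defaultdict(list)
    for num, customer, amt in invoices:
        by_key[(customer, amt)].append(num)
    duplicates = sorted(n for nums in by_key.values() if len(nums) > 1 for n in nums)
    large = sorted(num for num, _, amt in invoices if amt >= threshold)
    return large, duplicates


def summarize(invoices):
    """Collect the test results into one structure for the working papers."""
    large, duplicates = items_of_interest(invoices, THRESHOLD)
    return {
        "population_total": sum((amt for _, _, amt in invoices), Decimal("0")),
        "missing_numbers": missing_in_sequence(invoices),
        "strata": stratify(invoices, STRATA),
        "large_items": large,
        "possible_duplicates": duplicates,
    }


if __name__ == "__main__":
    for name, value in summarize(INVOICES).items():
        print(f"{name}: {value}")
```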

Exhibit 7-9: Substantive Testing Phase Process Map

Concept Check

Generalized audit software can be used to

a. examine the consistency of data maintained on computer files.
b. perform audit tests of multiple computer files concurrently.
c. verify the processing logic of operating system software.
d. process test data against master files that contain both real and fictitious data.

Audit Completion/Reporting

Four basic types of reports:

1. Unqualified opinion

2. Qualified opinion

3. Adverse opinion

4. Disclaimer

The most important task is obtaining a letter of representations from client management.

SO 10 Audit completion/reporting

Exhibit 7-10: Audit Completion/Reporting Phase Process Map

Other Audit Considerations

Different IT Environments

Some audit techniques used to test controls specifically in the use of PCs:

• Make sure that PCs and removable hard drives are locked in place to ensure physical security.
• Programs and data files should be password protected.
• Make sure computer programmers do not have access to systems operations.

SO 11 Other audit considerations

Some audit techniques used to test controls specifically in the use of PCs:

• Software programs should not permit the users to make program changes.
• Ascertain that computer-generated reports are regularly reviewed by management.
• Determine the frequency of backup procedures.
• Verify the use of antivirus software and the frequency of virus scans.

Using PCs, companies may use IT environments that involve

• networks,
• database management systems,
• e-commerce systems,
• cloud computing, and/or
• other forms of IT outsourcing.

Changes in a Client’s IT Environment

Auditors must consider whether additional audit testing is needed. Specific audit tests include verification of:

• Assessment of user needs
• Authorization for new projects and program changes
• Adequate feasibility study and cost–benefit analysis
• Proper design documentation
• Proper user instructions
• Adequate testing before system is put into use

Sampling

• Test a limited number of items or transactions and then draw conclusions about the balance as a whole on the basis of the results.
• Auditors try to use sampling so that a fair representation of the population is evaluated.
• The choice of an appropriate sampling technique is very subjective.

Concept Check

Independent auditors are generally actively involved in each of the following tasks except:

a. preparation of a client’s financial statements and accompanying notes
b. advising client management as to the applicability of a new accounting standard
c. proposing adjustments to a client’s financial statements
d. advising client management about the presentation of the financial statements

Concept Check

Which of the following is most likely to be an attribute unique to the audit work of CPAs, compared with work performed by attorneys or practitioners of other business professions?

a. Due professional care
b. Competence
c. Independence
d. A complex underlying body of professional knowledge

Concept Check

Which of the following terms is not associated with the auditor’s requirement to maintain independence?

a. Objectivity
b. Neutrality
c. Professional skepticism
d. Competence

Ethical Issues Related to Auditing

PCAOB/AICPA Code of Professional Conduct

Six principles of the code:

1. Responsibilities.
2. The Public Interest.
3. Integrity.
4. Objectivity and Independence.
5. Due Care
6. Scope and Nature of Services

Auditors must practice professional skepticism

SO 12 Ethical issues related to auditing

Real World

In the case of the Phar-Mor pharmaceutical company fraud, the auditors became too close to the management of Phar-Mor and shared audit information that they should not have. For example, the auditors told management which stores they would select for inventory testing. Phar-Mor managers were then able to move inventory between stores to conceal inventory shortages in the stores that were to be audited by the CPA firm.

The Sarbanes–Oxley Act placed restrictions on auditors by prohibiting certain types of services.

Auditors can no longer perform IT design and implementation services for companies which are also audit clients.

The Act requires public companies to have an audit committee as a subcommittee of the board of directors.

The Act requires top management to verify in writing that the financial statements are fairly stated and that the company has adequate internal controls over financial reporting.

Real World

A widely publicized case of management fraud involved Crazy Eddie’s electronics retail stores in New York. This case is particularly outrageous because the management of the company, including Eddie Antar and his family, used nearly every trick in the book to commit financial statement fraud and con the auditors in the process. Some of the tactics used by Antar included the reporting of fictitious sales and overstated inventories, hiding liabilities and expenses, and falsifying financial statement disclosures. The Antars used their employees and suppliers to help carry out their illegal schemes. They also tampered with audit evidence. Because the auditors were too trusting and did not carefully protect the audit files when they went home at the end of the day, the client (Crazy Eddie’s) had the opportunity to alter audit documents. Even though this fraud occurred over two decades ago, it still provides a clear example of how management fraud can be pulled off and how auditors can be deceived.

Auditors must practice professional skepticism

Professional skepticism: Auditors should not automatically assume that their clients are honest, but must have a questioning mind and a persistent approach to evaluating evidence for possible misstatements.

Auditors should:

• Examine financial reporting for unauthorized or unusual entries
• Review estimated information and changes in financial reporting for possible biases
• Determine a reasonable business purpose for all significant transactions

Real World

Examples of management fraud were discovered at Enron, Xerox, WorldCom, and other large, well-known companies during the past 15 years.

In fact, many of the big corporate fraud cases that have been in the news in recent years involved the company’s chief executive or top accounting managers. The financial statement misstatements resulting from these frauds have been staggering. At WorldCom, for example, nearly $4 billion in operating expenses were hidden when management decided to capitalize the expenditures rather than report them on the income statement. This illustrates the importance to auditors of varying the mix of audit procedures to include a reasonable combination of tests of controls and substantive tests.

Even in large companies with sophisticated systems of internal control, the audit needs to include tests of the accounting balances in order to increase the chances of discovering whether management may have circumvented controls in order to perpetrate fraud.

Copyright

Copyright © 2013 John Wiley & Sons, Inc. All rights reserved.

Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.
