chapter 1 notes from ppt

Auditing
Auditing is a systematic process of objectively obtaining and
evaluating evidence regarding assertions about economic
actions and events to ascertain the degree of correspondence
between those assertions and established criteria, and
communicating the results to interested users.
Internal auditing
Independent appraisal function established within an
organization to examine and evaluate its activities as a
service to the organization

Financial Audits

Operational Audits

Compliance Audits

Fraud Audits

IT Audits
CIA

IIA
External auditing
Objective is that in all material respects, financial statements
are a fair representation of organization’s transactions and
account balances.

SEC’s role

Sarbanes-Oxley Act

FASB - PCAOB

CPA

AICPA
External vs Internal
External auditing:

Independent auditor (CPA)

Independence defined by SEC/S-OX/AICPA

Required by SEC for publicly-traded companies

Referred to as a “financial audit”

Represents interests of outsiders, “the public” (e.g.,
stockholders)

Standards, guidance, certification governed by AICPA,
FASB, PCAOB; delegated by SEC who has final authority
Internal auditing:

Auditor (often a CIA or CISA)

Is an employee of the organization, imposing independence
on self

Optional per management requirements

Broader services than financial audit; (e.g., operational
audits)

Represent interests of the organization

Standards, guidance, certification governed by IIA and
ISACA
Financial Audits
An independent attestation performed by an expert (i.e., an
auditor, a CPA) who expresses an opinion regarding the
presentation of financial statements

Key concept: Independence

(Should be) similar to a trial by judge

Culmination of systematic process involving:

Familiarization with the organization’s business

Evaluating and testing internal controls

Assessing the reliability of financial data
Product is formal written report that expresses an opinion
about the reliability of the assertions in financial statements;
in conformity with GAAP
Attest Services
Requirements of attestation services:

Written assertions and practitioner’s written report

Formal establishment of measurement criteria

Limited to examination, review, and application of
agreed-upon procedures
Advisory Services
Professional services offered by public accounting firms to
improve their client organizations’ operational efficiency and
effectiveness
Services include:

Actuarial advice

Business advice

Fraud investigation services

Information system design and implementation

Internal control assessments for compliance with SOX
IT Audits
Provide audit services where processes or data, or both, are
embedded in technologies.

Subject to ethics, guidelines, and standards of the
profession (if certified)

CISA

Most closely associated with ISACA

Joint with internal, external, and fraud audits

Scope of IT audit coverage is increasing

Characterized by CAATTs

IT governance as part of corporate governance
Fraud Audits
Provide investigation services where anomalies are suspected,
to develop evidence to support or refute fraudulent activity.

Auditor is more like a detective

No materiality

Goal is conviction, if sufficient evidence of fraud exists

CFE

ACFE
Role of Audit Committee
Selected from board of directors
Usually three members
Outsiders (S-OX now requires it)
Fiduciary responsibility to shareholders
Serve as independent check and balance system
Interact with internal auditors
Hire, set fees, and interact with external auditors

Resolve conflicts over GAAP between external auditors
and management
Auditing Standards
Set by AICPA
Authoritative
#1 = Ten Generally Accepted Auditing Standards (GAAS)

Three categories:

General Standards

Standards of Field Work

Reporting Standards
#2 = Statements on Auditing Standards (SASs)

SAS #1 issued by AICPA in 1972
Inherent Risk:
The probability that material misstatements have occurred

Material vs. Immaterial

Includes economic conditions, etc.

Relative risk (e.g., cash)
Control Risk:
The probability that the internal controls will fail to detect
material misstatements
Detection Risk:
The probability that the audit procedures will fail to detect
material misstatements

Substantive procedures
Audit Risk Formula
AUDIT RISK MODEL:
AR = IR * CR * DR
example inventory with:
IR=40%
CR=60%
AR=5% (fixed)
.05 = .4 * .6 * DR
... then DR = .05 / .24 = .208, i.e. about 20.8%
Why is AR = 5%?
What is detection risk?
Can CR realistically be 0?
Relationship between DR and substantive procedures
Audits

Systematic process
Five primary management assertions, and correlated
audit objectives and procedures

Existence or Occurrence

Completeness

Rights and Obligations

Valuation or Allocation

Presentation and Disclosure
Phases:
1. Planning
2. Obtaining evidence
   Tests of Controls
   Substantive Testing
   CAATTs
   Analytical procedures
3. Ascertaining reliability
   MATERIALITY
4. Communicating results
   Audit opinion
Audit Risk Components
Audit Risk:
The probability that the auditor will give an inappropriate
opinion on the financial statements: that is, that the
statements will contain material misstatement(s) which the
auditor fails to find
Audit Risk Model
Relationship between tests of controls and substantive tests

Illustrate higher reliability of the internal controls and
the Audit Risk Model

What happens if internal controls are more reliable
than last audit?

Last year: .05 = .4 * .6 * DR [DR = .05 / .24 = .208]

This year: .05 = .4 * .4 * DR [DR = .05 / .16 = .3125]

The more reliable the internal controls, the lower the
CR probability; thus the higher the DR the auditor can
accept, and fewer substantive tests are necessary.

Substantive tests are labor intensive
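The audit risk model on the two slides above (the inventory example and the two-year comparison), worked through as an added example that is not part of the original notes. It solves AR = IR * CR * DR for the detection risk the auditor can plan for, rejects a control risk of 0 (the slide's own question; the formula would divide by zero), caps DR at 100 % when the product of IR and CR is already below AR, and reports whether the change in CR means fewer or more substantive tests. The class and function names are this example's own; the percentages are the slide's illustrative figures.

```python
"""Audit risk model, AR = IR * CR * DR, as a small planning helper.

Added worked example (not from the slides): solves the model for the
detection risk the auditor can plan for, and compares two years to show
that lower control risk raises the acceptable detection risk, i.e. less
substantive testing is needed. The figures used below are the slide's
illustrative ones (IR 40 %, CR 60 % then 40 %, AR fixed at 5 %).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskAssessment:
    audit_risk: float     # AR: acceptable overall risk, set by the auditor
    inherent_risk: float  # IR: assessed before considering controls
    control_risk: float   # CR: assessed after tests of controls


def planned_detection_risk(r: RiskAssessment) -> float:
    """Solve AR = IR * CR * DR for DR.

    DR is the risk the auditor accepts that substantive procedures miss a
    material misstatement. Two edge cases the bare formula hides:
      * IR or CR of 0 would mean no misstatement can reach the statements,
        so DR is undefined (division by zero). CR is never assessed at 0
        in practice, so such input is rejected.
      * If IR * CR is already below AR the formula yields DR > 1; it is
        capped at 1.0 (100 %: the model alone would justify no substantive
        testing, which an auditor would not actually accept).
    """
    for name, value in (("AR", r.audit_risk), ("IR", r.inherent_risk), ("CR", r.control_risk)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} must lie in (0, 1], got {value}")
    return min(r.audit_risk / (r.inherent_risk * r.control_risk), 1.0)


def substantive_testing_change(last_year: RiskAssessment, this_year: RiskAssessment) -> str:
    """Direction of change in substantive testing: 'fewer', 'more' or 'same'.

    A higher acceptable DR means the auditor can rely more on the tested
    controls and perform fewer (labor-intensive) substantive tests.
    """
    dr_last = planned_detection_risk(last_year)
    dr_this = planned_detection_risk(this_year)
    if dr_this > dr_last:
        return "fewer"
    if dr_this < dr_last:
        return "more"
    return "same"


if __name__ == "__main__":
    last = RiskAssessment(audit_risk=0.05, inherent_risk=0.40, control_risk=0.60)
    this = RiskAssessment(audit_risk=0.05, inherent_risk=0.40, control_risk=0.40)
    print(f"last year DR = {planned_detection_risk(last):.4f}")  # 0.2083
    print(f"this year DR = {planned_detection_risk(this):.4f}")  # 0.3125
    print("substantive tests this year:", substantive_testing_change(last, this))  # fewer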
What is an IT Audit?
… most accounting transactions to be in electronic form
without any paper documentation because electronic storage
is more efficient. … These technologies greatly change the
nature of audits, which have so long relied on paper
documents.
The IT Environment

There has always been a need for an effective internal
control system.

The design and oversight of that system has typically
been the responsibility of accountants.

The I.T. Environment complicates the paper systems of
the past.

Concentration of data

Expanded access and linkages

Increase in malicious activities in systems vs. paper

Opportunity that can cause management fraud (i.e.,
override)
Audit planning
Tests of controls
Substantive tests
CAATTs
Internal Control
is … policies, practices, procedures … designed to …

safeguard assets

ensure accuracy and reliability

promote efficiency

measure compliance with policies
Laws and Organizations- Brief Histories
SEC
SEC acts of 1933 and 1934

“Ivar Kreuger’s Contribution to U.S. Financial Reporting,”
Accounting Review, Flesher & Flesher

All corporations that report to the SEC are required to
maintain a system of internal control that is evaluated
as part of the annual external audit.
Copyright
Federal Copyright Act 1976

Protects intellectual property in the U.S.

Has been amended numerous times since

Management is legally responsible for violations of the
organization

U.S. government has continually sought international
agreement on terms for protection of intellectual
property globally vs. nationally
FCPA
Foreign Corrupt Practices Act 1977

Accounting provisions

FCPA requires SEC registrants to establish and
maintain books, records, and accounts.

It also requires establishment of internal
accounting controls sufficient to meet objectives.

Transactions are executed in accordance with
management’s general or specific
authorization.

Transactions are recorded as necessary to
prepare financial statements (i.e., GAAP), and
to maintain accountability.

Access to assets is permitted only in
accordance with management authorization.

The recorded assets are compared with
existing assets at reasonable intervals.

Illegal foreign payments
COSO
Committee of Sponsoring Organizations (of the Treadway Commission) - 1992

AICPA, AAA, FEI, IMA, IIA

Developed a management perspective model for
internal controls over a number of years

Is widely adopted
SOX
Sarbanes-Oxley Act - 2002

Section 404: Management Assessment of Internal
Control

Management is responsible for establishing and
maintaining internal control structure and
procedures.

Must certify by report on the effectiveness of
internal control each year, with other annual
reports.

Section 302: Corporate Responsibility for Financial
Reports

Financial executives must disclose deficiencies in
internal control, and fraud (whether fraud is
material or not).
Internal Control System
Comprises policies, practices, and procedures to achieve four
broad objectives:

To safeguard assets of the firm

To ensure the accuracy and reliability of accounting
records and information

To promote efficiency in the firm’s operations

To measure compliance with management’s prescribed
policies and procedures.
Modifying Principles

Management responsibility

Methods of data processing

Objectives same regardless of DP method

Specific controls vary with different technologies

Limitations

Reasonable assurance

No I.C.S. is perfect

Benefits should exceed costs
Limitations:

Possibility of error

Possibility of circumvention

Management override

Changing conditions
Exposures and Risk
Exposure: absence or weakness of a control
Risks: potential threat to compromise use or value of
organizational assets
Types of risk

Destruction of assets

Theft of assets

Corruption of information or the I.S.

Disruption of the I.S.
The PDC Model

Preventive controls

Detective controls

Corrective controls

Which is most cost effective?

Which one tends to be proactive measures?

Can you give an example of each?

COSO Internal Control Framework
COSO (Treadway Commission)

The control environment

Risk assessment

Information & communication

Monitoring

Control activities
The Elements of the Control Environment

Integrity and ethical values of management

Structure of the organization

Participation of the organization’s board of directors
and the audit committee

Management’s philosophy and operating style

Procedures for delegating responsibility and authority

Management’s methods for assessing performance

External influences

Organization’s policies and practices for managing
human resources
Techniques Used to Understand the
Control Environment

Describe possible activity or tool for each.

Assess the integrity of organization’s management

Conditions conducive to management fraud

Understand client’s business and industry

Determine if board and audit committee are actively
involved

Study organization structure
Risk Assessment

Changes in environment

Changes in personnel

Changes in I.S.

New IT’s

Significant or rapid growth
Elements of Information and Communication

Initiate, identify, analyze, classify and record economic
transactions and events.

Identify and record all valid economic transactions

Provide timely, detailed information

Accurately measure financial values

Accurately record transactions
Techniques Used to Understand
Information and Communication Structures
Auditors obtain sufficient knowledge of I.S.’s to understand:

Classes of transactions that are material

Accounting records and accounts used

Processing steps: initiation to inclusion in financial
statements (illustrate)

Financial reporting process (including disclosures)
Monitoring

The Control Environment
Describe how each one could adversely affect internal
control.

The integrity and ethical values

Structure of the organization

Participation of audit committee

Management’s philosophy and style

Procedures for delegating
Risk Assessment (continued):

New products or services (experience)

Organizational restructuring

Foreign markets

New accounting principles

Monitoring:

By separate procedures (e.g., tests of controls)

By ongoing activities (Embedded Audit Modules – EAMs
and Continuous Online Auditing - COA)
Physical Controls
Transaction authorization
Example:
Sales only to authorized customer
Sales only if available credit limit
Segregation of duties
Examples of incompatible duties:
Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
Custody vs. recordkeeping [e.g., custody of inventory vs. DP
of inventory]
Separate the steps of a process so that fraud requires
collusion
Supervision
Serves as compensating control when lack of segregation of
duties exists by necessity
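The transaction authorization and segregation-of-duties controls listed above, together with the embedded audit module (EAM) mentioned under Monitoring, as one added example that is not from the original notes. In an IT environment these "physical" controls are implemented inside the application: a sale is accepted only for an authorized customer within available credit, the person who authorizes a sale cannot be the one who records it (the check runs at processing time, so it holds even when the access list wrongly grants one person both duties, the situation that would otherwise need a compensating control such as supervision), and an EAM copies rejected and large transactions to an audit log as processing runs. The customers, employees, duty names and the 10,000 threshold are constructed sample data for the example.

```python
"""Sales-order processing with application controls and an embedded audit module.

Added example, not from the slides. It shows three controls the notes list:
  * transaction authorization: a sale is accepted only for an authorized
    customer and only within the customer's available credit;
  * segregation of duties: the employee who authorizes a sale may not also
    record it, and custody of inventory is kept apart from recordkeeping;
  * an embedded audit module (EAM): as transactions are processed, rejected
    ones and those meeting an audit criterion (here, a size threshold) are
    copied to an audit log the auditor can review later.
Customers, employees, duty assignments and the threshold are constructed
sample data; the duty names are this example's own.
"""
from dataclasses import dataclass, field

# Duty pairs one person must never hold together (constructed from the
# slide's two examples: authorization vs. processing, custody vs. recordkeeping).
INCOMPATIBLE_DUTIES = (
    frozenset({"authorize_sale", "record_sale"}),
    frozenset({"inventory_custody", "record_inventory"}),
)


@dataclass
class Customer:
    id: str
    authorized: bool       # on the approved customer list
    credit_limit: float
    balance: float = 0.0   # outstanding receivable


@dataclass
class AuditLog:
    """The EAM's output: one entry per exception or flagged transaction."""
    entries: list = field(default_factory=list)

    def record(self, kind: str, order_id: str, detail: str) -> None:
        self.entries.append({"kind": kind, "order": order_id, "detail": detail})

    def of_kind(self, kind: str) -> list:
        return [e for e in self.entries if e["kind"] == kind]


def sod_violations(assignments: dict) -> list:
    """Return (employee, duty_pair) for each incompatible pair held by one person.

    This is the detective check an auditor runs over the access list;
    process_sale() below enforces the same rule preventively.
    """
    found = []
    for employee, duties in assignments.items():
        for pair in INCOMPATIBLE_DUTIES:
            if pair <= duties:
                found.append((employee, pair))
    return found


def process_sale(order_id: str, customer: Customer, amount: float,
                 authorized_by: str, recorded_by: str,
                 assignments: dict, audit: AuditLog,
                 eam_threshold: float = 10_000.0) -> bool:
    """Apply the controls to one sale; return True only if it is recorded."""
    # Transaction authorization: approved customer, within available credit.
    if not customer.authorized:
        audit.record("rejected", order_id, "customer not on authorized list")
        return False
    if customer.balance + amount > customer.credit_limit:
        audit.record("rejected", order_id, "exceeds available credit limit")
        return False
    # Each actor must hold the duty they are performing ...
    if "authorize_sale" not in assignments.get(authorized_by, set()):
        audit.record("rejected", order_id, f"{authorized_by} may not authorize sales")
        return False
    if "record_sale" not in assignments.get(recorded_by, set()):
        audit.record("rejected", order_id, f"{recorded_by} may not record sales")
        return False
    # ... and segregation of duties is enforced at processing time even if
    # the access list wrongly grants one person both duties.
    if authorized_by == recorded_by:
        audit.record("rejected", order_id, "same person authorized and recorded the sale")
        return False
    # Record the sale: the receivable grows by the sale amount.
    customer.balance += amount
    # EAM: copy transactions meeting the audit criterion for later review.
    if amount >= eam_threshold:
        audit.record("flagged", order_id, f"amount {amount:.2f} at or above EAM threshold")
    return True
```

Running sod_violations() over the access list is the detective side (it finds an employee holding both inventory custody and inventory recordkeeping); process_sale() is the preventive side, and the audit log it fills is what the EAM hands to the auditor.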
Physical Controls (continued)
Accounting records (audit trails; examples)
Access controls

Direct (the assets)

Indirect (documents that control the assets)

Fraud

Disaster Recovery
Independent verification
Management can assess:

The performance of individuals

The integrity of the AIS

The integrity of the data in the records
IT Controls
Applications controls
Ensure validity, completeness, and accuracy of financial
transactions
General controls
Not application-specific, i.e. apply to all systems
Include controls over:

IT governance

IT infrastructure

Security and access to operating systems and databases

Application acquisition and development

Program change procedures
Audit Implications of SOX
Expanded role of auditors
Must attest to the quality of their client organization’s
internal controls
PCAOB Standard No. 5 requires auditors to understand:

Transaction flows

Controls pertaining to how transactions are initiated,
authorized, recorded, and reported
Auditors are responsible for detecting fraudulent activity