CIS - Chapter 1 Notes - INFORMATION TECHNOLOGY AUDITING and ASSURANCE, THIRD EDITION, by JAMES A. HALL
BS Accountancy (University of Nueva Caceres)

CHAPTER 1: AUDITING AND INTERNAL CONTROL

OVERVIEW OF AUDITING

External (Financial) Audits
- External audit – an independent attestation performed by an expert, the auditor.
- Auditor – expresses an opinion regarding the presentation of financial statements.
  *This task is known as the attest service, performed by a CPA.
- The audit objective is always associated with assuring the fair presentation of financial statements.
  *Referred to as financial audits.
- SOX – Sarbanes-Oxley Act of 2002.

Attest Service versus Advisory Services
- Attest Service – an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. (SSAE No. 1, AT Sec. 100.01)
  Requirements for attestation services:
  • Written assertions and a practitioner's written report
  • Formal establishment of measurement criteria or their description in the presentation
  • Levels of service are limited to examination, review, and application of agreed-upon procedures.
- Advisory Service – professional services offered by public accounting firms to improve their client organizations' operational efficiency and effectiveness.
  - Intentionally unbounded so as not to inhibit the growth of future services that are currently unforeseen.
  - Advisory services units of public accounting firms are responsible for providing IT control-related client support, known as IT risk management.

THE ROLE OF THE AUDIT COMMITTEE
Audit committee – a subcommittee formed by the board of directors which has special responsibilities regarding audits.
- Consists of 3 people who are outsiders; at least one member must be a financial expert.
- Serves as an independent check and balance for the internal audit function and as liaison with external auditors.
- SOX mandates that external auditors report to the audit committee, who hire and fire auditors and resolve disputes.
- The audit committee must be willing to challenge the internal auditors and management when necessary. Part of its role is to look for ways to identify risk.
- Corporate fraud has something to do with audit committee failures, such as lack of independence, inactivity, total absence, and inexperience.

Internal Audits
- An independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization (Institute of Internal Auditors (IIA)).
- Performs financial audits, examines operations' compliance with organization policy, reviews compliance with legal obligations, evaluates operational efficiency, and detects and pursues fraud within the firm.

External vs Internal Auditors
- External auditors represent outsiders.
- Internal auditors represent the interests of the organization.

Fraud Audits
- The objective of a fraud audit is to investigate anomalies and gather evidence of fraud that may lead to criminal conviction.

FINANCIAL AUDIT COMPONENTS
The product of the attestation function is a formal written report that expresses an opinion about the reliability of the assertions.

1) Auditing standards
   1. General standards
      a. Must have adequate Technical training and proficiency
      b. Must have Independence of mental attitude
      c. Must exercise due Professional care in the performance of the audit and preparation of the report
   2. Standards of Fieldwork
      a. Audit work must be adequately Planned
      b. Must gain sufficient understanding of the Internal control structure
      c. Must obtain sufficient, competent Evidence
   3. Reporting standards
      a. Must state whether the FS were prepared according to GAAP
      b. Must identify circumstances of Inconsistency
      c. Must identify items that do not have informative Disclosure
      d. Report shall contain an expression of the auditor's Opinion

2) A Systematic Process
   - Conducting an audit is a systematic and logical process.
   - A systematic approach is particularly important in the IT environment. A logical framework for conducting an IT audit is critical to help the auditor identify all important processes and data files.

3) Management Assertions and Audit Objectives
   Five general categories of assertions:
   a. Existence and Occurrence – all assets and equities in the FP exist and all transactions in the IS occurred
   b. Completeness – no material asset, equity, or transaction has been omitted
   c. Rights and Obligations – assets on the FS are owned by the entity and liabilities reported are its obligations
   d. Valuation or Allocation – assets and equity are valued in accordance with GAAP and allocated amounts are calculated on a systematic and rational basis
   e. Presentation and Disclosure – all items are correctly classified and disclosures are adequate

4) Obtaining Evidence
   - Auditors seek evidential matter that corroborates management assertions.
   - In the IT environment, this process involves gathering evidence relating to the reliability of computer controls and the contents of databases.
   - Evidence is collected by performing tests of controls (TOC) and substantive tests.
     - Test of controls – establishes whether internal control is functioning properly
     - Substantive test – determines whether accounting databases fairly reflect the transactions and account balances

5) Ascertaining Materiality
   - The auditor must determine whether the weaknesses in internal control and misstatements found are material.
   - Assessing materiality is based on auditor judgement.

6) Communicating Results
   - Auditors must communicate the results to interested users.
   - Renders a report to the audit committee.

AUDIT RISK
Audit risk – the probability that the auditor will render an unqualified opinion on FS that are, in fact, materially misstated, caused by errors or irregularities or both.
- Errors – unintentional mistakes
- Irregularities – intentional misrepresentations associated with the commission of fraud
- The auditor's objective is to achieve a level of audit risk that is acceptable to the auditor.

Audit risk components
1. Inherent risk – associated with the unique characteristics of the business or industry of the client.
   - Auditors cannot reduce the level of inherent risk.
2. Control risk – the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
   - Auditors assess the level of control risk by performing tests of controls.
3. Detection risk – the risk that the auditor is willing to take that errors are not detected or prevented.
   - Auditors set an acceptable level of detection risk that influences the level of substantive testing.

Audit Risk Model
AR = IR x CR x DR
DR = AR / (IR x CR)

The Relationship Between Tests of Controls and Substantive Tests
- More reliable internal controls, lower probability, lower DR, fewer substantive tests.

THE IT AUDIT
The structure of an IT audit:
1. Audit planning – the auditor must gain a thorough understanding of the firm to plan the other phases of the audit.
   - A major part of this phase is the analysis of audit risk.
   - Risk analysis incorporates an overview of the organization's internal controls.
   - Techniques for gathering evidence at this phase:
     - Questionnaires
     - Interviewing management
     - Reviewing systems documentation
     - Observing activities
2. Tests of Controls – the objective is to determine whether adequate internal controls are in place and functioning properly.
   - Evidence-gathering techniques include both manual and specialized computer audit techniques.
   - At the end, the auditor assesses the quality of internal control by assigning a level for control risk.
3. Substantive Testing – the audit process that focuses on financial data.
   - Detailed investigation of specific account balances and transactions.
   - Includes counting cash, counting inventories, and verifying existence.
   - Computer-assisted audit tools and techniques (CAATTs) are used to extract IT information.

INTERNAL CONTROL

Brief History
Securities Act of 1933
- Objectives:
  1. Require investors to receive financial and other significant information concerning securities being offered for public sale
  2. Prohibit deceit, misrepresentations, and other fraud in the sale of securities
Securities Act of 1934
- Created the Securities and Exchange Commission
Copyright Law – 1976
- Added software and other intellectual property to the existing copyright protection laws
Foreign Corrupt Practices Act (FCPA) of 1977
- Requires companies registered with the SEC to:
  1. Keep records that fairly and reasonably reflect the transactions of the firm and its financial position
  2. Maintain a system of internal control that provides assurance that the organization's objectives are met
Committee of Sponsoring Organizations – 1992
- Focus on an effective model for internal controls from a management perspective – the COSO Model
- The AICPA adopted the model into auditing standards
Sarbanes-Oxley Act of 2002 – July 30, 2002
- Supports efforts to increase public confidence in capital markets by seeking to improve corporate governance, internal controls, and audit quality
- Requires management of public companies to implement an adequate system of internal controls over their financial reporting process.
- Section 302 requires corporate management to certify their internal controls on a quarterly and annual basis.
- Section 404 requires management of public companies to assess the effectiveness of their internal controls.

Objectives, Principles and Models
Objectives:
1. To safeguard the assets of the firm
2. To ensure the accuracy and reliability of accounting records and information
3. To promote efficiency in the firm's operations
4. To measure compliance with management's prescribed policies and procedures

Modifying principles
1. Management responsibility – the establishment and maintenance of a system of internal control is a management responsibility.
2. Methods of Data Processing – the internal control system should achieve the four broad objectives regardless of the data processing method.
3. Limitations – include:
   a. Possibility of error
   b. Circumvention
   c. Management override
   d. Changing conditions
4. Reasonable assurance – the system should provide reasonable assurance that the four broad objectives of internal control are met.

PDC Model – 3 levels of control:
1. Preventive Controls – passive techniques designed to reduce the frequency of occurrence of undesirable events
2. Detective Controls – devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls
3. Corrective Controls – corrective actions executed to fix the problem

COSO Internal Control Framework
Components:
1. Control environment – the foundation for the other control components.
   - Sets the tone for the organization and influences the control awareness of its management and employees.
   - Elements:
     ▪ Integrity and ethical values
     ▪ Structure of the organization
     ▪ Participation of the BOD and audit committee
     ▪ Management's philosophy and operating style
     ▪ Procedures for delegating responsibility and authority
     ▪ Management's methods for assessing performance
     ▪ External influences
     ▪ The organization's policies and practices for managing human resources
2. Risk assessment – should be performed to identify, analyze, and manage risks relevant to financial reporting.
3. Information and communication – the accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization's transactions and to account for the related assets and liabilities.
4. Monitoring – the process by which the quality of internal control design and operation can be assessed.
5. Control activities – the policies and procedures used to ensure that appropriate actions are taken to deal with the organization's identified risks.

Categories of control activities
1. Physical controls – relate primarily to the human activities employed in accounting systems, which may involve manual or physical use of computers.
   Categories:
   a. Transaction Authorization – ensures that all material transactions processed by the information system are valid and in accordance with management's objectives
   b. Segregation of Duties – to minimize incompatible functions. Objectives:
   c. Supervision – a compensating control
   d. Accounting records – consist of source documents, journals, and ledgers that capture the economic essence of transactions and provide an audit trail of economic events.
   e. Access control – to ensure that only authorized personnel have access to the firm's assets
   f. Independent verification – independent checks of the accounting system to identify errors and misrepresentations.
2. Information technology controls
   a. Application controls – ensure the validity, completeness, and accuracy of financial transactions. Controls are designed to be application-specific.
   b. General controls (general computer controls / information technology controls) – include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program change procedures.

Audit Implications of SOX
- Mandates auditors to attest to the quality of their client organizations' internal control. This constitutes the issuance of a separate audit opinion on the internal controls in addition to the opinion on the fairness of the financial statements.
- PCAOB Standard No. 5 specifically requires auditors to understand transaction flows.
- Auditors have the responsibility to detect fraudulent activity, and the standard emphasizes the importance of controls.
- Management implements controls, but auditors are expressly required to test them.
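As an added example (not from these notes or from Hall's text), the following script is the kind of test of controls an auditor could run over the segregation-of-duties and access-control activities listed above: given user-to-role assignments, it flags users whose combined duties pair functions that should be kept apart, whether the conflict comes from a single over-broad role or from a combination of roles. The roles, duties, user assignments and the list of incompatible duty pairs are constructed sample data and assumptions for illustration, not values taken from the page.

```python
"""Detective check for segregation-of-duties (SoD) conflicts in role assignments.
Added example; all roles, duties and users below are constructed sample data."""
from itertools import combinations

# Constructed role -> duties map (assumption, for illustration only).
ROLE_DUTIES = {
    "ap_clerk": {"record_invoice"},
    "ap_approver": {"authorize_payment"},
    "treasury": {"disburse_cash"},
    "reconciler": {"reconcile_bank"},
    "ap_admin": {"record_invoice", "authorize_payment"},  # over-broad role
}

# Constructed incompatible duty pairs (assumption): authorizing, recording,
# custody and independent verification of one transaction stream are separated.
INCOMPATIBLE = {
    frozenset({"authorize_payment", "record_invoice"}),
    frozenset({"authorize_payment", "disburse_cash"}),
    frozenset({"record_invoice", "disburse_cash"}),
    frozenset({"disburse_cash", "reconcile_bank"}),
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by every role a user holds."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_conflicts(user_roles, role_duties=ROLE_DUTIES, incompatible=INCOMPATIBLE):
    """Return {user: sorted list of (duty, duty) pairs} for every user whose
    effective duties contain an incompatible pair."""
    findings = {}
    for user, roles in user_roles.items():
        duties = effective_duties(roles, role_duties)
        hits = [pair for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in incompatible]
        if hits:
            findings[user] = sorted(hits)
    return findings


# Constructed user -> roles assignments (sample input).
USERS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_approver", "treasury"],   # conflict via role combination
    "carol": ["ap_admin"],                # conflict inside a single role
    "dave": ["reconciler"],
}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(USERS).items():
        print(f"{user}: {pairs}")
```

Running the script reports bob and carol; the same check over a real export of role assignments is one piece of evidence for the control-risk assessment described under Tests of Controls.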