IT AUDITING

CIS - Chapter 1 Notes - INFORMATION TECHNOLOGY AUDITING and ASSURANCE, THIRD EDITION, by JAMES A. HALL
BS Accountancy (University of Nueva Caceres)
CHAPTER 1: AUDITING AND INTERNAL CONTROL

OVERVIEW OF AUDITING

External (Financial) Audits
- External audit – an independent attestation performed by an expert – the auditor
- Auditor – who expresses an opinion regarding the presentation of financial statements.
  *This task is known as the attest service, performed by a CPA
- The audit objective is always associated with assuring the fair presentation of financial statements. *referred to as financial audits
- SOX – Sarbanes-Oxley Act of 2002

Attest Service versus Advisory Services
- Attest Service – an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. (SSAE No. 1, AT Sec. 100.01)
- Requirements for attestation services:
  • Written assertions and the practitioner's written report
  • Formal establishment of measurement criteria or their description in the presentation
  • Levels of service are limited to examination, review, and application of agreed-upon procedures.
- Advisory Service – professional services offered by public accounting firms to improve their client organizations' operational efficiency and effectiveness.
  - Intentionally unbounded so as not to inhibit the growth of future services that are currently unforeseen.
  - Advisory services units of public accounting firms are responsible for providing IT control-related client support, known as IT risk management.

THE ROLE OF THE AUDIT COMMITTEE
Audit committee – a subcommittee formed by the board of directors which has special responsibilities regarding audits.
- Consists of 3 people who are outsiders; at least one member must be a financial expert.
- Serves as an independent check and balance for the internal audit function and liaison with external auditors.
- SOX mandates that external auditors report to the audit committee, who hire and fire auditors and resolve disputes.
- The audit committee must be willing to challenge the internal auditors and management, when necessary.
- Part of its role is to look for ways to identify risk.
- Corporate fraud has something to do with audit committee failures, such as lack of independence, inactivity, total absence, and inexperience.

Internal audits
- An independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization (Institute of Internal Auditors (IIA))
- Performs financial audits, examining operations' compliance with organization policy, reviewing compliance with legal obligations, evaluating operational efficiency, and detecting and pursuing fraud within the firm

External vs Internal Auditors
- External represents outsiders
- Internal represents the interest of the organization

Fraud Audits
- The objective of a fraud audit is to investigate anomalies and gather evidence of fraud that may lead to criminal conviction.

FINANCIAL AUDIT COMPONENTS
The product of the attestation function is a formal written report that expresses an opinion about the reliability of the assertions
1) Auditing standards
1. General standards
a. Must have adequate Technical training and
proficiency
b. Must have Independence of mental attitude
c. Must exercise due Professional care in the
performance of audit and preparation of
report
2. Standards of Fieldwork
a. Audit work must be adequately Planned
b. Must gain sufficient understanding of the
Internal control structure
c. Must obtain sufficient, competent Evidence
3. Reporting standards
a. Must state if the FS were prepared according to GAAP
b. Must identify circumstances of Inconsistency
c. Must identify items that do not have informative Disclosure
d. Report shall contain an expression of the auditor's Opinion
2) A Systematic Process
- Conducting an audit is a systematic and logical
process
- A systematic approach is particularly important in the IT environment. A logical framework for conducting an IT audit is critical to help the auditor identify all-important processes and data files
3) Management Assertions and Audit Objectives
- Five general categories of assertions
a. Existence and Occurrence – all assets and equities
in FP exist and all transactions in IS occurred
b. Completeness – no material asset, equity, or transaction has been omitted
c. Rights and obligations – assets on the FS are owned by the entity and liabilities reported are its obligations
d. Valuation or allocation – assets & equity are
valued in accordance to GAAP and allocated
amounts are calculated on systematic and rational
basis
e. Presentation and disclosure – all items are
correctly classified and disclosures are adequate
4) Obtaining evidence
- Auditors seek evidential matter that corroborates
management assertions.
- In IT environment, this process involves gathering
evidence relating to the reliability of computer
controls and contents of databases.
- Evidence is collected by performing TOC and
substantive tests
- Test of controls – establish if internal control is
functioning properly
- Substantive test – determine if accounting
databases fairly reflect the transactions and account
balances
5) Ascertaining Materiality
- auditor must determine if weaknesses in internal
control and misstatements found are material.
- Assessing materiality is based on auditor judgement.
6) Communicating Results
- Auditors must communicate the results to interested
users
- Renders report to the audit committee
AUDIT RISK
Audit risk – the probability that the auditor will render an unqualified opinion on FS that are, in fact, materially misstated, caused by errors or irregularities or both
Errors – unintentional mistakes
Irregularities – intentional misrepresentations associated with the commission of fraud
The auditor's objective is to achieve a level of audit risk that is acceptable to the auditor
Audit risk components
1. Inherent risk – associated with the unique characteristics of the business or industry of the client.
- Auditors cannot reduce the level of inherent risk
2. Control risk – the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
- Auditors assess the level of control risk by performing tests of controls
3. Detection risk – the risk that auditors are willing to take that errors are not detected or prevented.
- Auditors set an acceptable level of detection risk that influences the level of substantive tests.
Audit Risk Model
AR = IR x CR x DR
DR = AR / (IR x CR)
The Relationship Between Tests of Controls and Substantive Tests
- More reliable internal controls, lower CR probability, lower DR, fewer substantive tests
THE IT AUDIT
The structure of an IT Audit
Audit planning – must gain a thorough understanding
about the firm to plan other phases of audit
- Major part of this phase is analysis of audit risk
- Risk analysis incorporates an overview of the org’s
internal controls.
- Techniques for gathering evidence at this phase:
- Questionnaires
- Interview management
- Review systems documentation
- Observing activities
Test of Controls – its objective is to determine whether
adequate internal controls are in place and functioning
properly.
- Evidence-gathering techniques include both manual techniques and specialized computer audit techniques
- At the end, the auditor assesses the quality of internal control by assigning a level for control risk.
Substantive Testing – audit process that focuses on
financial data.
- Detailed investigation of specific account balances
and transactions
- Includes counting cash, counting inventories,
verifying existence
- Computer-assisted audit tools and techniques (CAATTs) are used to extract IT information
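Worked example of the audit risk model from the AUDIT RISK section above, showing how the CR assessed through tests of controls feeds the planning of substantive tests. This is an added illustration, not code from Hall's text or from these notes; the AR, IR and CR values are constructed for the scenario, and the thresholds that map a planned DR to an extent of substantive testing are an assumption of the example, not something the chapter prescribes.

```python
"""Audit risk model AR = IR x CR x DR, solved for DR as the notes do (added example).

Scenario values are constructed; the DR-to-testing-extent thresholds are assumed.
"""
from dataclasses import dataclass


def _check_probability(name: str, value: float) -> None:
    # Every component of the model is a probability. DR may legitimately reach 1.0
    # (no reliance on substantive tests), but no component may be zero or negative.
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{name} must be in (0, 1], got {value}")


def audit_risk(ir: float, cr: float, dr: float) -> float:
    """AR = IR x CR x DR: probability of an unqualified opinion on materially misstated FS."""
    for name, value in (("IR", ir), ("CR", cr), ("DR", dr)):
        _check_probability(name, value)
    return ir * cr * dr


def planned_detection_risk(ar: float, ir: float, cr: float) -> float:
    """DR = AR / (IR x CR): the detection risk the auditor can plan for.

    IR cannot be reduced by the auditor and CR is assessed from tests of controls, so DR
    is the one component the auditor sets, through the extent of substantive testing.
    The quotient is capped at 1.0: a value above 1 means the acceptable AR is already
    met without relying on substantive tests at all.
    """
    for name, value in (("AR", ar), ("IR", ir), ("CR", cr)):
        _check_probability(name, value)
    return min(ar / (ir * cr), 1.0)


def substantive_testing_extent(dr: float) -> str:
    """Map a planned DR to how much substantive testing is needed (assumed thresholds)."""
    if dr <= 0.10:
        return "extensive"
    if dr <= 0.35:
        return "moderate"
    return "limited"


@dataclass(frozen=True)
class SubstantiveTestPlan:
    assessed_cr: float
    planned_dr: float
    extent: str


def plan_substantive_tests(ar: float, ir: float, assessed_cr: float) -> SubstantiveTestPlan:
    """Turn the acceptable AR, the client's IR and the assessed CR into a testing plan."""
    dr = planned_detection_risk(ar, ir, assessed_cr)
    return SubstantiveTestPlan(assessed_cr, round(dr, 4), substantive_testing_extent(dr))


def compare_control_reliability(ar: float, ir: float, reliable_cr: float, unreliable_cr: float):
    """Side-by-side plans for a reliable and an unreliable control assessment.

    Holding AR and IR fixed, the formula yields a larger planned DR when CR is lower,
    which is what lets the auditor rely on fewer substantive tests once tests of
    controls have shown the controls to be reliable.
    """
    return {
        "reliable_controls": plan_substantive_tests(ar, ir, reliable_cr),
        "unreliable_controls": plan_substantive_tests(ar, ir, unreliable_cr),
    }


if __name__ == "__main__":
    # Constructed scenario: acceptable AR of 5%, IR of 50% for this client, CR assessed
    # at 20% after tests of controls versus 100% when the controls cannot be relied on.
    result = compare_control_reliability(ar=0.05, ir=0.5, reliable_cr=0.2, unreliable_cr=1.0)
    for label, plan in result.items():
        print(f"{label}: CR={plan.assessed_cr:.2f} -> planned DR={plan.planned_dr:.2f}, "
              f"substantive testing: {plan.extent}")
    # Closing the loop: the planned DR reproduces the acceptable AR.
    print("AR check:", round(audit_risk(0.5, 0.2, result["reliable_controls"].planned_dr), 4))
```

Running the script prints the two plans: with reliable controls the planned DR is 0.50 and substantive testing is limited; with unreliable controls the planned DR drops to 0.10 and substantive testing must be extensive. The cap at 1.0 handles the case where IR x CR is already below the acceptable AR.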
INTERNAL CONTROL
Brief History
Securities Act of 1933
- Objectives:
1. Require investors to receive financial and other significant information concerning securities being offered for public sale
2. Prohibit deceit, misrepresentations, and other fraud in the sale of securities
Securities Act of 1934
- Created the Securities and Exchange Commission
Copyright Law – 1976
- Added software and other intellectual property into the existing copyright protection laws
Foreign Corrupt Practices Act (FCPA) of 1977
- Requires companies registered with the SEC to:
1. Keep records that fairly and reasonably reflect the transactions of the firm and its financial position
2. Maintain a system of internal control that provides assurance that the org's objectives are met
Committee of Sponsoring Organizations – 1992
- Focused on an effective model for internal controls from the management perspective – the COSO Model
- AICPA adopted the model into auditing standards
Sarbanes-Oxley Act of 2002
- July 30, 2002
- Supports efforts to increase public confidence in capital markets by seeking to improve corporate governance, internal controls, and audit quality
- Requires management of public companies to implement an adequate system of internal controls over their financial reporting process.
- Section 302 requires corporate management to certify their internal controls on a quarterly and annual basis
- Section 404 requires management of public companies to assess the effectiveness of their internal control
Objectives, Principles and Models
Objectives:
1. To safeguard the assets of the firm
2. To ensure the accuracy and reliability of accounting records and information
3. To promote efficiency in the firm's operations
4. To measure compliance with management's prescribed policies and procedures
Modifying principles
1. Management responsibility – the establishment and maintenance of a system of internal control is a management responsibility
2. Methods of Data Processing – the internal control system should achieve the four broad objectives regardless of the data processing method.
3. Limitations – include:
a. Possibility of error
b. Circumvention
c. Management override
d. Changing conditions
4. Reasonable assurance – should provide reasonable assurance that the four broad objectives of internal control are met.
PDC Model - 3 levels of control:
1. Preventive Controls – passive techniques designed to reduce the frequency of occurrence of undesirable events
2. Detective Controls – devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls
3. Corrective Controls – corrective actions executed to fix the problem
COSO Internal Control Framework
Components:
1. Control environment – foundation for the other control components
- Sets the tone for the organization and influences the control awareness of its management and employees.
- Elements:
▪ Integrity and ethical values
▪ Structure of the org
▪ Participation of the BOD and Audit committee
▪ Management's philosophy and operating style
▪ Procedures for delegating responsibility and authority
▪ Management's methods for assessing performance
▪ External influences
▪ Org's policies and practices for managing human resources
2. Risk assessment – should be performed to identify, analyze and manage risks relevant to financial reporting
3. Information and communication
- The accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization's transactions and to account for the related assets and liabilities
4. Monitoring – is the process by which the quality of internal control design and operation can be assessed.
5. Control activities – are the policies and procedures used to ensure that appropriate actions are taken to deal with the organization's identified risks.
Categories of control activities
1. Physical controls – relate primarily to the human activities employed in accounting systems which involve the manual or physical use of computers
Categories:
a. Transaction Authorization – ensure that all material transactions processed by the information system are valid and in accordance with management's objectives
b. Segregation of Duties – to minimize incompatible functions. Objectives:
c. Supervision – compensating control
d. Accounting records – consist of source documents, journals and ledgers that capture the economic essence of transactions and provide an audit trail of economic events.
e. Access control – to ensure that only authorized personnel have access to the firm's assets
f. Independent verification – independent checks of the accounting system to identify errors and misrepresentations.
2. Information technology controls
a. Application controls – ensure the validity, completeness, and accuracy of financial transactions. Controls are designed to be application-specific
b. General controls (general computer controls/information technology controls) – include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program change procedures
Audit implications of SOX
- Mandates auditors to attest to the quality of their client organizations' internal control.
- This constitutes the issuance of a separate audit opinion on the internal controls in addition to the opinion on the fairness of the financial statements
- PCAOB Standard No. 5 specifically requires auditors to understand transaction flows.
- Auditors have the responsibility to detect fraudulent activity, and the standard emphasizes the importance of controls
- Management implements the controls, but auditors are expressly required to test them.