Auditing, Assurance, Internal
Control
1
Contents
•
•
•
•
•
•
•
Attestation & assurance Services
Financial audit
Auditing standards
External vs. internal auditing
Information technology audit
Internal control
SAS 78
2
Attest Services
• An engagement in which a practitioner is
engaged to issue, or does issue, a written
communication that expresses a conclusion
about the reliability of a written assertion
that is the responsibility of another party.
Attest: To affirm to be correct, true, or
genuine
3
Requirements applied to
attestation services
• Attestation services require written assertions and
a practitioner’s written report.
• Attestation services require the formal
establishment of measurement criteria or their
description in the presentation.
• The levels of service in attestation engagements
are limited to examination, review, and application
of agreed-upon procedures.
4
Assurance Services
• Broader than attestation (Fig. 1-1)
• Professional services designed to improve the
quality of information, both financial and nonfinancial, used by decision-makers.
• Intended to help people make better decisions by
improving information.
Assurance: A statement or indication that inspires
confidence; a guarantee or pledge
5
Assurance Services
• Evolution of accounting profession is expected to
follow the assurance services model.
• All “Big Five” professional services firms have
renamed their traditional audit functions
“Assurance Services.”
• Organizational unit responsible for conducting IT
audits is named either IT Risk Management,
Information Systems Risk Management, or
Operational Systems Risk Management (OSRM)
6
Financial Audit
• An independent attestation performed by an
expert, the auditor, who expresses an
opinion regarding the presentation of
financial statements.
• Auditor’s role is similar in concept to a
judge who collects and evaluates evidence
and renders an opinion.
7
Financial Audit
• Key concept in this process is independence;
Judge must remain independent in his or her
deliberation.
• Judge cannot be advocate of either party in the
trial, but must apply law impartially based on
evidence presented.
• Likewise, independent auditor collects and
evaluates evidence and renders an opinion based
on evidence.
8
Financial Audit
• Throughout audit process, auditor must
maintain his or her independence from
client organization.
• Public confidence in the reliability of the
company’s internally produced financial
statements rests directly on their being
evaluated by an independent expert audit.
9
Financial Audit
• Systematic audit process involves three
conceptual phases:
– Familiarization w/ organization’s business
– Evaluating and testing internal control
– Assessing the reliability of financial data
10
Auditor’s Report
• Product of attestation function is a formal
written report that expresses an opinion
about the reliability of the assertions
contained in financial statements
• Auditor’s report expresses an opinion as to
whether the financial statements are in
conformity w/ generally accepted
accounting principles
11
Auditing Standards
• Auditors are guided in their professional
responsibility by the ten generally accepted
auditing standards (GAAS) Fig. 1-2
• GAAS establishes a framework for
prescribing auditor performance, but it is
not sufficiently detailed to provide
meaningful guidance in specific
circumstances
12
Auditing Standards
• To provide specific guidance, American Institute
of Certified Public Accountants (AICPA) issues
Statements on Auditing Standards (SASs) as
authoritative interpretations of GAAS.
• SASs are often referred to as auditing standards,
or GAAS, although they are not the ten generally
accepted auditing standards.
13
SAS
• First issued by AICPA in 1972
• Since then, many SASs have been issued to
provide auditors w/ guidance on a spectrum
of topics, including methods of
investigating new clients, techniques for
obtaining background information on
client’s industry.
14
External vs. Internal Auditing
• External auditing is often called independent
auditing because it is done by certified public
accountants who are independent of the
organization being audited.
• External auditors represent the interests of thirdparty stakeholders in the organization, such as
stockholders, creditors, and government agencies.
• Because the focus of external audit is on financial
statements, this type of audit is called financial
audit
15
External vs. Internal Auditing
• Institute of Internal Auditors defines
internal auditing as an independent
appraisal function established within an
organization to examine and evaluate its
activities
16
External vs. Internal Auditing
• Internal auditors perform a wide range of
activities on behalf of the organization,
including conducting financial audits,
examining an operation’s compliance with
organizational policies, reviewing the
organization’s compliance with legal
obligations, evaluating operational
efficiency, detecting and pursuing fraud
within the firm, and conducting IT audits.
17
External vs. Internal Auditing
• While external auditors represent outsiders,
internal auditors represent the interests of the
organization.
• Internal auditors often cooperate with and assist
external auditors in performing financial audits.
• This is done to achieve audit efficiency and reduce
audit fees. For example, a team of internal auditors
can perform tests of computer controls under the
supervision of a single external auditor.
18
External vs. Internal Auditing
• While external auditors represent outsiders,
internal auditors represent the interests of the
organization.
• Internal auditors often cooperate with and assist
external auditors in performing financial audits.
• This is done to achieve audit efficiency and reduce
audit fees. For example, a team of internal auditors
can perform tests of computer controls under the
supervision of a single external auditor.
19
Information Technology (IT) Audit
• Focus on the computer-based aspects of an
organization’s information system
• This includes assessing the proper
implementation, operation, and control of
computer resources
20
Definition of Auditing
• Auditing is a systematic process of
objectively obtaining and evaluating
evidence regarding assertions about
economic actions and events to ascertain
the degree of correspondence between
those assertions and established criteria and
communicating the results to interested
users
21
Elements of auditing
•
•
•
•
A systematic process
Management assertions and audit objectives
Obtaining evidence
Ascertaining the degree of correspondence
between established criteria
• Communicating results
See Pages 5~7
22
5 Categories of Management
Assertions (page 6)
•
•
•
•
•
Existence or occurrence assertion
Completeness assertion
Rights and obligations assertion
Valuation or allocation assertion
Presentation and disclosure assertion
Auditors develop their audit objectives and design
audit procedures based on preceding assertions.
See Table 1-1
23
Structure of IT Audit
• IT audit is divided into three phases: audit
planning, tests of controls, and substantive
testing (See Figure 1-3)
24
Internal Control
• The establishment and maintenance of a system of internal
control is an important management obligation.
• A fundamental aspect of management’s stewardship
responsibility is to provide shareholders with reasonable
assurance that the business is adequately controlled.
• Additionally, management has a responsibility to furnish
shareholders and potential investors with reliable financial
information on a timely basis. (Sarbanes-Oxley act)
• An adequate system of internal control is necessary to
management’s discharge of these obligations.
- Securities and Exchange Commission
25
Internal Control in Concept
• Internal control system comprises policies,
practices, and procedures employed by the
organization to achieve four broad objectives:
– To safeguard assets of the firm.
– To ensure the accuracy and reliability of accounting
records and information.
– To promote efficiency in the firm’s operations.
– To measure compliance with management’s prescribed
policies and procedures
26
Exposure and Risk
• Internal control shield (Figure 1-4) to
protect firms from numerous undesirable
events
– Attempts at unauthorized access to firm’s assets
(including information)
– Fraud perpetrated by persons both in and
outside the firm
– Errors due to employee incompetence, faulty
computer programs, corrupted input data
27
Exposure and Risk
• Internal control shield (Figure 1-4) to
protect firms from numerous undesirable
events
– Mischievous acts, such as unauthorized access
by computer hackers and threats from computer
viruses that destroy programs and databases
28
Exposure and Risk
• Absence or weakness of a control is called
exposure
• Exposures increase firm’s risk to financial
loss or injury from undesirable events.
29
Exposure and Risk
• A weakness in internal control may expose the
firm to one or more of the following types of risks:
– Destruction of assets (both physical assets and
information)
– Theft of assets
– Corruption of information or the information system
(containing errors or alterations)
– Disruption of information system (to break or burst;
rupture )
30
3 Levels of Control
• Preventive controls, detection controls, and
corrective controls (Fig. 1-5)
31
Preventive Controls
• First line of defense in the control structure
• Passive techniques designed to reduce the
frequency of occurrence of undesirable
events
• Preventing errors and fraud is far more costeffective than detecting and correcting
problems after they occur
• In information security: firewall
32
Preventive Controls
• For example, a well-designed data entry
screen is an example of a preventive control
• Not all problems can be anticipated and
prevented.
33
Detective Controls
• Second line of defense
• Devices, techniques, and procedures
designed to identify and expose undesirable
events that elude preventive controls
• In information security: Intrusion detection
34
Corrective Controls
• Corrective actions taken to reverse the
effects of detected errors
• Detective controls identify undesirable
events and draw attention to the problem;
corrective controls fix the problem.
35
Statement on Auditing Standards
No. 78 (SAS 78)
• Current authoritative document for specifying
internal control objectives and techniques.
• Conforms to the recommendations of the
Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
• Consists of five components: control environment,
risk assessment, information and communication,
monitoring, and control activities
36
Control Environment
• Foundation for the other control components
• Important elements:
– Integrity and ethical values of management
– Structure of organization
– Participation of organization’s board of directors and
audit committee
– Management’s philosophy and operating style
– … see page 13
37
Control Environment
• SAS 78 requires that auditors obtain
sufficient knowledge to assess the attitude
and awareness of organization’s
management, board of directors, and owners
regarding internal control.
• See page 13 for examples of techniques that
may be used to obtain an understanding of
control environment
38
Risk Assessment
• Identify, analyze, and manage risks relevant to
financial reporting
• See page 14 for risks that can rise out of changes
in circumstances
• SAS 78 requires that auditors obtain sufficient
knowledge of organization’s risk assessment
procedures to understand how management
identifies, prioritizes, and manages risks related to
financial reporting.
39
Information and Communication
• Accounting information system consists of records
and methods used to initiate, identify, analyze,
classify, and record organization’s transactions and
to account for related assets and liabilities.
• Quality of information generated by AIS impacts
management’s ability to take actions and make
decisions in connection with organization’s
operations and to prepare reliable financial
statements.
40
Effective AIS
• Identify and record all valid financial transactions
• Provide timely information about transactions in
sufficient detail to permit proper classification and
financial reporting
• Accurately measure financial value of transactions
so their effects can be recorded in financial
statements
• Accurately record transactions in time period in
which they occur
41
Effective AIS
• SAS 78 requires that auditors obtain
sufficient knowledge of organization’s
information systems to understand
– Classes of transactions that are material to
financial statements and how those transactions
are initiated
– Accounting records and accounts that are used
in processing of material transactions
42
Effective AIS
• SAS 78 requires that auditors obtain
sufficient knowledge of organization’s
information systems to understand
– Transaction processing steps involved from
initiation of economic event to its inclusion in
financial statements
– Financial reporting process used to prepare
financial statements, disclosures, and
accounting estimates
43
Monitoring
• Process by which quality of internal control design
and operation can be assessed
• May be accomplished by separate procedures or
by ongoing activities
• Internal auditors may monitor entity’s activities in
separate procedures. They gather evidence of
control adequacy by testing controls, then
communicate control strengths and weaknesses to
management
44
Monitoring
• Ongoing monitoring may be achieved by
integrating special computer modules into
information system that capture key data and/or
permit tests of control to be conducted as part of
routine operations
• Such embedded audit modules (EAMs) allow
management and auditors to maintain constant
surveillance over functioning of internal controls
45
Control Activities
• Policies and procedures used to ensure
appropriate actions are taken to deal w/
organization’s identified risks
46
Control Activities
• Can be grouped into two categories:
– Computer controls
• General control
• Application control
– Physical controls
•
•
•
•
•
•
transaction authorization
segregation of duties
supervision
accounting records
access control
independent verification
47
Computer Controls/General Controls
• Fall into two broad groups: general controls
and application controls
• General controls pertain to entity-wide
concerns such as controls over data center,
organization databases, systems
development, and program maintenance
48
Application Controls
• Application controls ensure the integrity of
specific systems such as sales order
processing, accounts payable, and payroll
applications
49
Control Activities
• Can be grouped into two categories:
– Computer controls
• General control
• Application control
– Physical controls
•
•
•
•
•
•
transaction authorization
segregation of duties
supervision
accounting records
access control
independent verification
50
Physical Controls
• Relates primarily to traditional accounting
systems that employ manual procedures
• Six traditional categories of physical control
activities: transaction authorization,
segregation of duties, supervision,
accounting records, access control, and
independent verification
51
Transaction Authorization
• Ensure that all material transactions
processed by information systems are valid
and in accordance w/ management’s
objectives
• Authorizations may be general or specific
52
General Authorization
• Granted to operations personnel to perform
day-to-day operations
• Example is procedure to authorize purchase
of inventories from designated vendor only
when inventory levels fall to their
predetermined reorder points. This is called
programmed procedure
53
Specific Authorization
• Deal with case-by-case decisions associated w/
non-routine transactions.
• Example is the decision to extend a particular
customer’s credit limit beyond the normal amount
• In an IT environment, the responsibility for
achieving control objectives of transaction
authorization rests directly on accuracy and
consistency of computer programs that perform
these tasks.
54
Segregation of Duties
• To minimize incompatible functions
• 3 objectives provide general guidelines
applicable to most organizations
– Authorization for a transaction is separate from
processing of the transaction. For example,
purchases should not be initiated by purchasing
department until authorized by inventory
control department
55
Segregation of Duties
• 3 objectives provide general guidelines
applicable to most organizations
– Responsibility for custody of assets should be
separate from recordkeeping responsibility. For
example, the department that has physical
custody of finished goods inventory should not
keep official inventory records. Accounting for
finished goods inventory is performed by
inventory control, an accounting function.
56
Segregation of Duties
• 3 objectives provide general guidelines
applicable to most organizations
– Organization should be structured so that a
successful fraud requires collusion between two
or more individuals with incompatible
responsibilities. In other words, no single
individual should have sufficient access to
assets and supporting records to perpetrate a
fraud.
57
Segregation of Duties in IT
• Computer errors are programming errors
that are, in fact, human errors; no computer
has ever perpetrated a fraud unless
programmed to do so by a human
• Separating computer processing functions,
therefore, serves no purpose
58
Segregation of Duties in IT
• Segregation of duties still plays a role in IT
environment
• Once proper functioning of a program is
established at system implementation, its integrity
must be preserved throughout the application’s life
cycle.
• The activities of program development, program
operations, and program maintenance are critical
IT functions that must be adequately separated.
59
Supervision
• Achieving adequate segregation of duties often
presents difficulties for small organization.
• In small organizations or in functional areas that
lack sufficient personnel, management must
compensate for absence of segregation controls
with close supervision.
• For this reason, supervision is also called
compensating control.
60
Accounting Records
• Source documents, journals, and ledgers
capture economic essence of transactions
and provide an audit trail of economic
events
• Audit trail enables auditor to trace any
transaction through all phases of its
processing from initiation of event to
financial statements
61
Access Controls
• Ensure that only authorized personnel have
access to firm’s assets
• Access control in IT environment includes
provisions for physical security of computer
facilities.
• Database security and authorization is
important access control mechanism in
modern organizations.
62
Access Control in IT Environment
• Limit personnel access authority
• Restrict access to computer programs
• Provide physical security for data
processing center
• Ensure adequate backup for data files
• Provide disaster recovery capability
63
Audit Risk
• Probability that auditor will render an
unqualified opinion on financial statements
that are, in fact, materially misstated
• Auditor’s objective is to minimize audit risk
by performing tests of controls and
substantive tests.
• 3 components of audit risk are inherent risk,
control risk, and detection risk
64
Inherent Risk
• Associated with unique characteristics of
the business or industry of the client
• Firms in declining industries have greater
inherent risk than firms in stable or thriving
industries.
• Auditors can not reduce level of inherent
risk.
65
Control Risk
• is the likelihood that control structure is
flawed because controls are either absent or
inadequate to prevent or detect errors in the
accounts
• Auditors reduce level of control risk by
performing tests of internal controls, e.g.,
running test transactions and seeing if
erroneous transactions can be detected
66
Detection Risk
• is the risk that auditors are willing to take
that errors not detected or prevented by
control structure will also not be detected by
the auditor
• Lower planned detection risk requires more
substantive testing
67
General Framework for IT Risks and
Controls
• See Fig. 1-7
68