Accounting Information Systems 9th Edition

AUDITING
10-1
Auditing
AAA’s Definition: Auditing is a systematic
process of objectively obtaining and evaluating
evidence regarding assertions about economic
actions and events to ascertain the degree of
correspondence between those assertions and
established criteria and communicating the
results to interested users.
 My Definition: To examine and assure

10-2
Auditing
2 broad categories of audits:
1. Internal Auditing (R&S focus)
2. External Auditing
10-3
Internal Auditing

Who does it? Internal employees
(outsource)

For whom? Management

What? employee adherence to company
policies and procedures – efficiency and
effectiveness
10-4
Internal Auditing - Types
Information systems: review AIS controls to
assess compliance with internal control
policies/procedures & effectiveness in
safeguarding assets
 Operational/management: reviews
company resources and operations – for
efficiency, effectiveness, as planned
 Compliance: ensure compliance with laws,
rules, and regulations

10-5
External Auditing (FS Audit)
Who does it? Independent, external auditors
 For whom? SEC, investors
 What?

Examination of a client’s FS for the purpose
of deciding whether or not the FS are fairly
presented according to GAAP.
 Attest function: give an opinion on the
fairness of the FS wrt GAAP applying GAAS.
Reliability and integrity of accounting records

10-6
5 Step Audit Process
(for all audit types)
(1) Audit Planning: Establish audit objectives, identify risks, Audit program
(2) Collect audit evidence: interviews, examinations, recalculations, sampling
    IDEA, ACL
(3) Evaluate evidence: materiality
(4) Arrive at an opinion –
    FS: standard unqualified, unqualified with explanatory paragraph, qualified, adverse, disclaimer
(5) Communicate Audit Results
    FS: audit report
10-7
Auditing Around vs Through
the Computer

[Diagram: INPUT, PROCESSING, OUTPUT; paths labeled THROUGH and AROUND]
10-8
Auditing Around the Computer



Ignores the controls and computer processing; assumes accurate output = proper processing
Auditor examines, on a sample basis, inputs to
the computer and corresponding outputs
Suitable only if the following conditions are met:
1. Computer processing is relatively simple
2. Audit trail is clearly visible
3. A substantial amount of up-to-date documentation exists about how the system works.
10-9
Audit Trail in Computer-Based System



Visibility of audit trail is diminished
In relational database systems, foreign keys
that link related tables form an electronic
audit trail.
Example:
I/S Revenue -> (Invoice No.) -> Sale invoice -> (Customer ID) -> Customer Table
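An added example (not from the slides) of using those foreign keys as an electronic audit trail: the queries walk from revenue postings to sale invoices to customers and report every break in the chain. Table names, column names and the sample rows are constructed for illustration; amounts are in cents.

```python
import sqlite3

def build_sample_db():
    """Constructed sample data: revenue postings, sale invoices, customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = OFF")  # simulate a system that does not enforce the links
    conn.executescript("""
        CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE sale_invoice (invoice_no INTEGER PRIMARY KEY,
            customer_id INTEGER REFERENCES customer(customer_id), amount_cents INTEGER);
        CREATE TABLE revenue_posting (posting_id INTEGER PRIMARY KEY,
            invoice_no INTEGER REFERENCES sale_invoice(invoice_no), amount_cents INTEGER);
        INSERT INTO customer VALUES (1, 'Acme'), (2, 'Birch');
        INSERT INTO sale_invoice VALUES (1001, 1, 50000), (1002, 2, 12500), (1003, 9, 7000);
        INSERT INTO revenue_posting VALUES (1, 1001, 50000), (2, 1002, 15500),
                                           (3, 1004, 3000), (4, 1003, 7000);
    """)
    return conn

def column(conn, sql):
    """Run a query and return its first column as a list."""
    return [row[0] for row in conn.execute(sql)]

def trace_audit_trail(conn):
    """Walk revenue -> invoice -> customer and report where the trail breaks."""
    return {
        # Revenue postings citing an invoice number that does not exist.
        "postings_without_invoice": column(conn, """
            SELECT r.posting_id FROM revenue_posting r
            LEFT JOIN sale_invoice i ON i.invoice_no = r.invoice_no
            WHERE i.invoice_no IS NULL ORDER BY r.posting_id"""),
        # Postings whose amount disagrees with the invoice they cite.
        "amount_mismatches": column(conn, """
            SELECT r.posting_id FROM revenue_posting r
            JOIN sale_invoice i ON i.invoice_no = r.invoice_no
            WHERE r.amount_cents <> i.amount_cents ORDER BY r.posting_id"""),
        # Invoices whose Customer ID matches no customer row.
        "invoices_without_customer": column(conn, """
            SELECT i.invoice_no FROM sale_invoice i
            LEFT JOIN customer c ON c.customer_id = i.customer_id
            WHERE c.customer_id IS NULL ORDER BY i.invoice_no"""),
    }

if __name__ == "__main__":
    for finding, ids in trace_audit_trail(build_sample_db()).items():
        print(finding, ids)
```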
10-10
Auditing Through the
Computer



Auditor follows the audit trail through the
internal computer operations; attempts to
verify that the processing controls are
functioning correctly
Directly tests the computer controls and
verifies the accuracy of computer-based
processing of input data.
Tests controls that, if functioning properly,
would prevent errors from occurring.
10-11
Which approach is
best?
Let’s look at the audit guidelines…..
10-12
Auditing Standards

Statement on Auditing Standards (SAS) 94 “The
Effect of Information Technology on the Auditor's
Consideration of Internal Control in a Financial
Statement Audit”



Auditors must have sufficient understanding (and
documentation) of each of the 5 components of the IC
when planning the audit (2C RIM)
Addresses the effects of IT on IC
May need to design tests of controls in addition to
substantive tests (of balances)
10-13
AUDIT BENEFITS OF THE IT
ENVIRONMENT (SAS 94)





Consistent processing of large volumes of transactions
or data
Enhanced information timeliness, availability, and
accuracy
Facilitation of the additional analysis of information
Enhanced ability to monitor the performance of
activities, policies, and procedures
Reduction in the risk that controls will be
circumvented, if IT system controls are effective
10-14
RISKS OF THE IT
ENVIRONMENT (SAS 94)







Incorrectly processing data or consistently processing
inaccurate data
Unauthorized access to data that might be destroyed
or improperly changed
Unauthorized changes to computer programs
Failure to make necessary changes to computer
programs
Inappropriate manual intervention
Potential loss of data
Increase in potential loss resulting from computer
fraud relative to manual fraud (increase of 10X).
10-15
Which is the best
approach?
Auditing Through the computer
10-16
Auditing Through the
Computer
1. Testing Computer Programs
 Test data: exception data, compare
processed info to predetermined answers
 ITF (Integrated Test Facility): process
transaction to update dummy records (TEST
DATA IN REAL SYSTEM!!!)
 Parallel Simulation: live data in program
written by auditor (COSTLY!!!)
10-17
Auditing Through the
Computer
2. Validate Computer Programs
 Test of program change control: make sure
IC procedures exist and are followed
 Program comparison: compare production
program with archived old version (trojan
horse, salami)
 Surprise audits and surprise use of
programs: compare accounting application
programs unexpectedly with authorized
version
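One way to carry out the program comparison described above, as an added example rather than code from the course or from any audit package: hash every file in the archived authorized copy and in production, then report programs that were modified, are missing, or were never authorized. The directory names and file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large program binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def compare_programs(authorized_dir, production_dir):
    """Classify differences between the archived and the running code."""
    auth, prod = build_manifest(authorized_dir), build_manifest(production_dir)
    return {
        "modified": sorted(n for n in auth.keys() & prod.keys() if auth[n] != prod[n]),
        "missing": sorted(auth.keys() - prod.keys()),
        "unauthorized": sorted(prod.keys() - auth.keys()),
    }

def demo():
    """Constructed sample: three authorized programs, a drifted production copy."""
    with tempfile.TemporaryDirectory() as tmp:
        auth, prod = Path(tmp, "authorized"), Path(tmp, "production")
        auth.mkdir()
        prod.mkdir()
        for name in ("payroll.py", "interest.py", "report.py"):
            (auth / name).write_text(f"# authorized version of {name}\n")
        (prod / "payroll.py").write_text("# authorized version of payroll.py\n")
        (prod / "interest.py").write_text("# edited after approval\n")
        (prod / "export.py").write_text("# never approved\n")
        return compare_programs(auth, prod)

if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the archive, so the authorized copy should sit where production staff cannot write to it.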
10-18
Auditing Through the
Computer
3. Review of systems software
 Operating systems software
 Utility programs that do basic
“housekeeping” chores such as sorting and
copying
 Program library software that controls and
monitors storage of programs
 Access control software that controls
logical access to programs and data files
10-19
Auditing Through the
Computer
4. Continuous Auditing:
Audit tools installed within the IS
 Audit hooks
 Continuous and intermittent simulation
 Embedded audit modules
 Exception reporting
 SCARF
 Snapshot technique
 Transaction tagging
Match these terms with their definitions on the next slides
10-20
Auditing Through the
Computer

Embedded audit modules:
Application subroutine that captures
data for audit purposes
Write to a special log file called SCARF
(systems control audit review file)
Ex: transactions affecting inactive
accounts, deviating from company
policy, write-downs of asset values
10-21
Auditing Through the
Computer
Audit hooks:
audit routine that flags suspicious
transactions (real-time notification)
 Exception reporting:
mechanisms that reject certain transactions
that fall outside predefined specifications

10-22
Auditing Through the
Computer

Transaction tagging
Place a special identifier on transactions so that they
can be recorded as they pass through the IS.
EX: tag an employee’s transaction records, manually
calculate & compare

Snapshot technique
audit modules record selected transactions before
and after processing. Auditor reviews to make
sure all processing steps performed properly.
10-23
Auditing Through the
Computer

Continuous and intermittent simulation (CIS)
- audit module in DBMS
- examines all transactions that update the DBMS.
If a transaction has special audit significance, the
audit module independently processes the data,
records the results and compares them with the
DBMS results. If discrepancies, written to an audit
log for subsequent review OR may stop DBMS
from executing the update process.
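The embedded audit module with its SCARF log and the CIS compare-and-stop behaviour described above, combined in one added example that is not part of the original slides. The class, its selection criteria, the posting function with its deliberate 100-cent defect, and the sample data are all hypothetical.

```python
def production_post(balance, txn):
    """Stand-in for the application's posting logic (constructed, with a defect)."""
    fee = 100 if txn["type"] == "write_down" else 0  # undocumented deduction
    return balance + txn["amount_cents"] - fee

class AuditModule:
    """Hypothetical embedded audit module; names and criteria are illustrative."""
    def __init__(self, block_on_discrepancy=True):
        self.block_on_discrepancy = block_on_discrepancy
        self.scarf = []  # in-memory stand-in for the SCARF log file

    def reasons(self, account, txn):
        """Audit-significance criteria taken from the SCARF slide's examples."""
        checks = [(not account["active"], "inactive account"),
                  (txn["type"] == "write_down", "asset write-down")]
        return [label for hit, label in checks if hit]

    def review(self, account, txn, system_result):
        """Log significant transactions; return False to stop the update."""
        why = self.reasons(account, txn)
        if not why:
            return True
        expected = account["balance"] + txn["amount_cents"]  # independent recomputation
        bad = expected != system_result
        self.scarf.append({"txn": txn["id"], "why": why, "expected": expected,
                           "system": system_result, "discrepancy": bad})
        return not (bad and self.block_on_discrepancy)

def process(accounts, txns, audit):
    """Post each transaction unless the audit module stops it; return applied ids."""
    applied = []
    for txn in txns:
        account = accounts[txn["account"]]
        result = production_post(account["balance"], txn)
        if audit.review(account, txn, result):
            account["balance"] = result
            applied.append(txn["id"])
    return applied

def demo():  # constructed sample accounts and transactions, amounts in cents
    accounts = {"A": {"balance": 100000, "active": True},
                "B": {"balance": 50000, "active": False},
                "C": {"balance": 80000, "active": True}}
    txns = [{"id": 1, "account": "A", "type": "deposit", "amount_cents": 2500},
            {"id": 2, "account": "B", "type": "deposit", "amount_cents": 1000},
            {"id": 3, "account": "C", "type": "write_down", "amount_cents": -30000}]
    audit = AuditModule()
    return process(accounts, txns, audit), audit.scarf, accounts
```

With `block_on_discrepancy=False` the module only logs, which corresponds to the "written to an audit log for subsequent review" branch of the slide.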
10-24
Auditing With the Computer

Additional Computer-assisted techniques
(CAATS) Help auditor complete audit
General use software: productivity tools (Word,
Excel, project management, ACCESS, SQL)
 Automated workpaper software
 Generalized audit software (GAS): software
designed for auditor

• Read, manipulate client’s computer-based data
• Independent evidence about the validity of transactions
and balances
10-25
How do auditors put
it all together?
10-26
Risk-based Audit Approach
GOAL: Provide a clear understanding of the
errors and irregularities that can occur and
the related risks and exposures
1. Determine the threats (errors, irregularities)
2. Identify the needed control procedures
3. Evaluate the control procedures
4. Evaluate weaknesses to determine effect
on nature, timing, and extent of auditing
procedures. Compensating Controls?
10-27
Risk-based Audit Approach
Evaluate Control Procedures
 System review – are procedures in place?
EX: review docs, interviews
 Tests of controls = compliance testing – are
the controls in place and working as
prescribed?
Ex: observe operations, check samples of
input, verify use, trace transactions
10-28
Audit Risk Model
Used in audit planning:
 AR = audit risk: likelihood that the FS
are materially misstated
 AR = IR x CR x DR

[Diagram annotations on AR = IR x CR x DR: "Auditor can control this"; "Auditor cannot reduce"; "Assesses general and application controls applicable to each FS assertion; tests of controls = compliance tests"]
10-29
Audit Risk Model



IR = inherent risk: susceptibility of an account or
class of transactions to material error
CR = control risk = likelihood that the IC control
structure will fail to prevent/detect a material error
DR = detection risk = likelihood that the auditor’s
procedures will not uncover material errors


More auditing procedures = lower DR
Inversely related to CR: if CR is high, then an
auditor sets DR low and performs more substantive
tests (detail tests of transactions and account
balances)
10-30
Audit Risk Model
Example
 Assume controls over the revenue
cycle are not effective and cannot be
relied upon. The auditor is worried
about the correctness of the A/R
balance. To lower detection risk, what
would the auditor do?
10-31
 Increase substantive testing of the A/R
balance – send out lots of confirmation
letters to customers.
10-32
Generalized Audit Software



2 main computer auditing software packages: ACL
(Audit Command Language) and IDEA (Interactive
Data Extraction and Analysis).
In this class, we will be using IDEA to audit several
different general ledger accounts and look for employee
fraud.
Clients: American Express, BDO Seidman, Grant
Thornton, KPMG, McGladrey and Pullen LLP,
PricewaterhouseCoopers, FDIC, GAO, US
Departments of Commerce, Education, Interior, Labor,
Transportation, EPA, Treasury, Dow Chemical, Chicago
Board of Trade, Exxon Company USA, Revlon
10-33
General Functions of
Computer Audit Software
– reformatting
– file manipulation
– calculation
– data selection
– data analysis
– file processing
– statistics
– report generation
– sampling
- data retrieval
- apply edit checks
- file operations (join, merge, sort)
10-34