CIS-496 / I.S. Auditing

Chapter 1: Auditing, Assurance, and Internal Control
Hall & Singleton, 2e

AUDITING

Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.
INTERNAL AUDITS

Internal auditing: independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.

- Financial Audits
- Operational Audits
- Compliance Audits
- Fraud Audits
- IT Audits
  - CIA
  - IIA

IT AUDITS

IT audits: provide audit services where processes or data, or both, are embedded in technologies.

- Subject to ethics, guidelines, and standards of the profession (if certified)
  - CISA
  - Most closely associated with ISACA
- Joint with internal, external, and fraud audits
- Scope of IT audit coverage is increasing
- Characterized by CAATTs
- IT governance as part of corporate governance

FRAUD AUDITS

Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.

- Auditor is more like a detective
- No materiality
- Goal is conviction, if sufficient evidence of fraud exists
  - CFE
  - ACFE

EXTERNAL AUDITS

External auditing: objective is that, in all material respects, financial statements are a fair representation of the organization’s transactions and account balances.

- SEC’s role
- Sarbanes-Oxley Act
- FASB - PCAOB
  - CPA
  - AICPA

EXTERNAL vs. INTERNAL

External auditing:
- Independent auditor (CPA)
- Independence defined by SEC/S-OX/AICPA
- Required by SEC for publicly-traded companies
- Referred to as a “financial audit”
- Represents interests of outsiders, “the public” (e.g., stockholders)
- Standards, guidance, certification governed by AICPA, FASB, PCAOB; delegated by SEC, which has final authority

Internal auditing:
- Auditor (often a CIA or CISA)
- Is an employee of the organization, imposing independence on self
- Optional per management requirements
- Broader services than financial audit (e.g., operational audits)
- Represents interests of the organization
- Standards, guidance, certification governed by IIA and ISACA

FINANCIAL AUDITS

- An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements
- Key concept: Independence
- {Should be} Similar to a trial by judge
- Culmination of systematic process involving:
  - Familiarization with the organization’s business
  - Evaluating and testing internal controls
  - Assessing the reliability of financial data
- Product is a formal written report that expresses an opinion about the reliability of the assertions in financial statements, in conformity with GAAP

ATTEST definition

- Written assertions
- Practitioner’s written report
- Formal establishment of measurement criteria or their description
- Limited to:
  - Examination
  - Review
  - Application of agreed-upon procedures

ATTEST vs. ASSURANCE

ASSURANCE
- Professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision-makers

IT Audit Groups in “Big Four”
- IT Risk Management
- I.S. Risk Management
- Operational Systems Risk Management
- Technology & Security Risk Services
- Typically a division of assurance services

AUDITING STANDARDS

Auditing standards
- Set by AICPA
- Authoritative
- #1 = Ten Generally Accepted Auditing Standards (GAAS)
  - Three categories:
    - General Standards
    - Standards of Field Work
    - Reporting Standards
- #2 = Statements on Auditing Standards (SASs)
  - SAS #1 issued by AICPA in 1972

AUDITS

- Systematic process
- Five primary management assertions, and correlated audit objectives and procedures [Table 1-1]
  - Existence or Occurrence
  - Completeness
  - Rights & Obligations
  - Valuation or Allocation
  - Presentation or Disclosure

AUDITS

Phases [Figure 1-3]
1. Planning
2. Obtaining evidence
   - Tests of Controls
   - Substantive Testing
     - CAATTs
     - Analytical procedures
3. Ascertaining reliability
   - MATERIALITY
4. Communicating results
   - Audit opinion

Audit Risk Formula

- AUDIT RISK: The probability that the auditor will give an inappropriate opinion on the financial statements; that is, that the statements will contain material misstatement(s) which the auditor fails to find.
- INHERENT RISK: The probability that material misstatements have occurred.
  - Material vs. Immaterial
  - Includes economic conditions, etc.
  - Relative risk (e.g., cash)
- CONTROL RISK: The probability that the internal controls will fail to detect material misstatements.
- DETECTION RISK: The probability that the audit procedures will fail to detect material misstatements.
  - Substantive procedures

AUDIT RISK MODEL:
- AR = IR * CR * DR
- Example, inventory with: IR=40%, CR=60%, AR=5% (fixed)
  - .05 = .4 * .6 * DR
  - ... then DR=4.8%
- Why is AR = 5%?
- What is detection risk?
- Can CR realistically be 0?
- Relationship between DR and substantive procedures

Audit Risk Model

- Relationship between tests of controls and substantive tests
- Illustrate higher reliability of the internal controls and the Audit Risk Model
  - What happens if internal controls are more reliable than last audit?
  - Last year: .05 = .4 * .6 * PDR [PDR = 0.21]
  - This year: .05 = .4 * .4 * PDR [PDR = 0.31]
  - The more reliable the internal controls, the lower the CR probability; thus the higher the PDR will be, and fewer substantive tests are necessary.
  - Substantive tests are labor intensive
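As an added worked example (not part of the lecture slides), the audit risk model solved for the planned detection risk, reproducing the last-year/this-year inventory comparison above and treating the "Can CR realistically be 0?" question as an input error; the function names are my own.

```python
"""Audit risk model AR = IR * CR * DR, solved for the planned detection risk (PDR)."""


def planned_detection_risk(ar: float, ir: float, cr: float) -> float:
    """Solve AR = IR * CR * DR for DR.

    ar: acceptable audit risk the auditor fixes up front (e.g., 0.05)
    ir: assessed inherent risk; cr: assessed control risk; all in [0, 1].
    """
    for name, value in (("AR", ar), ("IR", ir), ("CR", cr)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be a probability in [0, 1], got {value}")
    if ir == 0.0 or cr == 0.0:
        # At IR or CR = 0 the model says no misstatement can reach the auditor
        # and DR is unconstrained. No control system is perfect (the "reasonable
        # assurance" assumption), so reject the input instead of returning a DR.
        raise ValueError("IR and CR cannot realistically be 0; the model is undefined there")
    # If IR * CR is already below AR, even an audit with no substantive testing
    # (DR = 1) meets the target, so cap DR at 1.
    return min(ar / (ir * cr), 1.0)


def compare_control_reliability(ar, ir, cr_last_year, cr_this_year):
    """Return (PDR last year, PDR this year) for a change in assessed control risk.

    Lower CR (more reliable controls) gives a higher PDR: the auditor can accept
    more detection risk and plan fewer of the labor-intensive substantive tests.
    """
    return (planned_detection_risk(ar, ir, cr_last_year),
            planned_detection_risk(ar, ir, cr_this_year))


if __name__ == "__main__":
    # The slides' inventory example: AR fixed at 5%, IR 40%, CR 60% then 40%.
    last, this = compare_control_reliability(0.05, 0.40, 0.60, 0.40)
    # 0.2083... and 0.3125; the slides round these to 0.21 and 0.31.
    print(f"Last year PDR = {last:.4f}, this year PDR = {this:.4f}")
```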
Role of Audit Committee

- Selected from board of directors
- Usually three members
- Outsiders (S-OX now requires it)
- Fiduciary responsibility to shareholders
- Serve as independent check and balance system
- Interact with internal auditors
- Hire, set fees, and interact with external auditors
- Resolve conflicts of GAAP between external auditors and management

What is an IT Audit?

… most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient. … These technologies greatly change the nature of audits, which have so long relied on paper documents.

THE IT ENVIRONMENT

- There has always been a need for an effective internal control system.
- The design and oversight of that system has typically been the responsibility of accountants.
- The I.T. Environment complicates the paper systems of the past:
  - Concentration of data
  - Expanded access and linkages
  - Increase in malicious activities in systems vs. paper
  - Opportunity that can cause management fraud (i.e., override)

THE IT ENVIRONMENT

- Audit planning
- Tests of controls
- Substantive tests
  - CAATTs

INTERNAL CONTROL

is … policies, practices, procedures … designed to …
- safeguard assets
- ensure accuracy and reliability
- promote efficiency
- measure compliance with policies

BRIEF HISTORY - SEC

SEC acts of 1933 and 1934
- “Ivar Kreuger’s Contribution to U.S. Financial Reporting,” Accounting Review, Flesher & Flesher
- All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.

BRIEF HISTORY - Copyright

Federal Copyright Act 1976
1. Protects intellectual property in the U.S.
2. Has been amended numerous times since
3. Management is legally responsible for violations of the organization
4. U.S. government has continually sought international agreement on terms for protection of intellectual property globally vs. nationally

BRIEF HISTORY - FCPA

Foreign Corrupt Practices Act 1977
1. Accounting provisions
   - FCPA requires SEC registrants to establish and maintain books, records, and accounts.
   - It also requires establishment of internal accounting controls sufficient to meet these objectives:
     1. Transactions are executed in accordance with management’s general or specific authorization.
     2. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
     3. Access to assets is permitted only in accordance with management authorization.
     4. The recorded assets are compared with existing assets at reasonable intervals.
2. Illegal foreign payments

BRIEF HISTORY - COSO

Committee of Sponsoring Organizations - 1992
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management perspective model for internal controls over a number of years
3. Is widely adopted

BRIEF HISTORY – S-OX

Sarbanes-Oxley Act - 2002
1. Section 404: Management Assessment of Internal Control
   - Management is responsible for establishing and maintaining internal control structure and procedures.
   - Must certify by report on the effectiveness of internal control each year, with other annual reports.
2. Section 302: Corporate Responsibility for Incident Reports
   - Financial executives must disclose deficiencies in internal control, and fraud (whether fraud is material or not).

Modifying Assumptions

1. Management responsibility
2. Reasonable assurance
   - no I.C.S. is perfect
   - benefits => costs
3. Methods of data processing
   - Objectives same regardless of DP method
   - Specific controls vary w/different technologies
4. Limitations
   - Possibility of error
   - Possibility of circumvention
   - Management override
   - Changing conditions

EXPOSURES AND RISK

- Exposure (definition)
- Risks (definition)
- Types of risk
  - Destruction of assets
  - Theft of assets
  - Corruption of information or the I.S.
  - Disruption of the I.S.

THE P-D-C MODEL

- Preventive controls
- Detective controls
- Corrective controls
- Which is most cost effective?
- Which one tends to be proactive measures?
- Can you give an example of each?
- Predictive controls

SAS 78: Consideration of Internal Control in a Financial Statement Audit

- COSO (Treadway Commission)
- The control environment
- Risk assessment
- Information & communication
- Monitoring
- Control activities

SAS 78 (#1: Control Environment -- elements)

Describe how each one could adversely affect internal control.
- The integrity and ethical values
- Structure of the organization
- Participation of audit committee
- Management’s philosophy and style
- Procedures for delegating
- Management’s methods of assessing performance
- External influences
- Organization’s policies and practices for managing human resources

SAS 78 (#1: Control Environment -- techniques)

Describe possible activity or tool for each.
- Assess the integrity of organization’s management
- Conditions conducive to management fraud
- Understand client’s business and industry
- Determine if board and audit committee are actively involved
- Study organization structure

SAS 78 (#2: Risk Assessment)

- Changes in environment
- Changes in personnel
- Changes in I.S.
- New IT’s
- Significant or rapid growth
- New products or services (experience)
- Organizational restructuring
- Foreign markets
- New accounting principles

SAS 78 (#3: Information & Communication -- elements)

- Initiate, identify, analyze, classify and record economic transactions and events.
- Identify and record all valid economic transactions
- Provide timely, detailed information
- Accurately measure financial values
- Accurately record transactions

SAS 78 (#3: Information & Communication -- techniques)

Auditors obtain sufficient knowledge of I.S.’s to understand:
- Classes of transactions that are material
- Accounting records and accounts used
- Processing steps: initiation to inclusion in financial statements (illustrate)
- Financial reporting process (including disclosures)

SAS 78 (#4: Monitoring)

- By separate procedures (e.g., tests of controls)
- By ongoing activities (Embedded Audit Modules – EAMs and Continuous Online Auditing - COA)

SAS 78 (#5: Control Activities)

Physical Controls (1-3)
- Transaction authorization
  - Examples: Sales only to authorized customer; Sales only if available credit limit
- Segregation of duties
  - Examples of incompatible duties:
    - Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
    - Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
    - Fraud requires collusion [e.g., separate various steps in process]
- Supervision
  - Serves as compensating control when lack of segregation of duties exists by necessity
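As an added example (not from the slides or the textbook), a detective check for the two segregation-of-duties themes above: it flags users whose role assignments pair authorization with processing or custody with recordkeeping, and flags transactions where one person both authorized and processed, so that no collusion was needed. The duty names, assignments and transaction trail are constructed.

```python
"""Segregation-of-duties checks over constructed role assignments and a sales trail."""
from itertools import combinations

# Incompatible duty pairs (constructed labels for the slide's examples:
# authorization vs. processing, custody vs. recordkeeping).
INCOMPATIBLE = {
    frozenset({"authorize_customer", "process_sale"}),
    frozenset({"authorize_credit", "process_sale"}),
    frozenset({"custody_inventory", "record_inventory"}),
}

# Constructed sample: user -> duties granted through role assignments.
ASSIGNMENTS = {
    "alice": {"authorize_customer", "authorize_credit"},  # two authorizations: fine
    "bob": {"process_sale", "authorize_customer"},        # authorizes and processes
    "carol": {"custody_inventory", "record_inventory"},   # holds stock and keeps its records
    "dave": {"record_inventory"},
}

# Constructed transaction trail: who authorized and who processed each sale.
TRAIL = [
    {"id": "S-1", "authorized_by": "alice", "processed_by": "bob"},
    {"id": "S-2", "authorized_by": "bob", "processed_by": "bob"},  # single actor
    {"id": "S-3", "authorized_by": "carol", "processed_by": "dave"},
]


def sod_conflicts(assignments, incompatible=INCOMPATIBLE):
    """Return {user: [sorted conflicting duty pairs]} for users holding incompatible duties.

    Users with a conflict that cannot be removed need a compensating control
    (supervision), per the slide.
    """
    findings = {}
    for user, duties in assignments.items():
        pairs = [tuple(sorted(p)) for p in combinations(sorted(duties), 2)
                 if frozenset(p) in incompatible]
        if pairs:
            findings[user] = pairs
    return findings


def single_actor_transactions(trail):
    """Return ids of transactions authorized and processed by the same person."""
    return [t["id"] for t in trail if t["authorized_by"] == t["processed_by"]]


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ASSIGNMENTS))
    print("Single-actor sales:", single_actor_transactions(TRAIL))
```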

Physical Controls (4-6)
- Accounting records (audit trails; examples)
- Access controls
  - Direct (the assets)
  - Indirect (documents that control the assets)
  - Fraud
  - Disaster Recovery
- Independent verification
  - Management can assess:
    - The performance of individuals
    - The integrity of the AIS
    - The integrity of the data in the records
  - Examples

IT Risks Model

- Operations
- Data management systems
- New systems development
- Systems maintenance
- Electronic commerce (The Internet)
- Computer applications