(Notes) Chapter 1 - Auditing and Internal Control

Concept outline of Chapter 1 in Auditing in CIS by James Hall

CHAPTER 1: Auditing and Internal Control

Information technology (IT): field of computer science that focuses on the infrastructure of
processing and storing information used in communication.

Auditing: the process of verifying that an assertion is true.

Types of Audit:
1. External (Financial) Audit
2. Internal Audit
3. Fraud Audit

External Audit: independent attestation made by a CPA-designated auditor who expresses an
opinion on the financial statements.
- Independence: the key concept governing the process of auditing.

Attestation: the process of providing a written report expressing a conclusion about the
reliability of a written assertion, with the process set by agreed-upon procedures.

Sarbanes-Oxley (SOX) Act of 2002: US legislation that requires public companies to maintain
strict internal controls over their information systems, particularly their accounting
information systems.

Securities and Exchange Commission (SEC): final authority for financial auditing

Other authorities of financial auditing in the US:
1. SEC
2. Financial Accounting Standards Board (FASB)
3. American Institute of Certified Public Accountants (AICPA)
4. Public Company Accounting Oversight Board (PCAOB) - replaced FASB’s and some of
AICPA’s functions

Advisory services: professional services offered by public accounting firms to improve their
clients’ operational efficiency and effectiveness.
- Their domain is deliberately left unbounded so as not to inhibit the growth of future
services that are currently unforeseen
- Since SOX, they may not be offered concurrently with attest services

Advisory services prohibited by SOX concurrently with attest services:
1. Bookkeeping
2. Financial information systems
3. Appraisal
4. Actuarial
5. Internal audit
6. Management functions
7. Broker, investment adviser, investment banking services
8. Legal and expert services
9. Other services specified by PCAOB

Internal auditing: independent appraisal function within an organization that examines and
evaluates its activities as a service to the organization.
- Defined by the Institute of Internal Auditors (IIA)
- Internal auditors are often designated as Certified Internal Auditors (CIA)
- Internal auditing standards are governed by IIA and to a lesser degree by the
Information Systems Audit and Control Association (ISACA)

Fraud Audit: engagement where the objective is to investigate anomalies and gather evidence
of fraud that may lead to criminal conviction.
- Fraud auditors are typically Certified Fraud Examiners (CFE), a designation governed by the
Association of Certified Fraud Examiners (ACFE)

Audit Committee: subcommittee of the Board of Directors which has special responsibilities
regarding audits.
- Composed of three people who are “outsiders”
- One member must be a financial expert
- Serves as a check and balance on the internal audit function, and as liaison with external
auditors
- After the passage of SOX, external auditors report to the audit committee

Auditing Standards
- Guided by the ten (10) Generally Accepted Auditing Standards (GAAS)
- AICPA issues Statements on Auditing Standards (SASs) as authoritative
interpretations of GAAS. Often referred to as auditing standards or GAAS.
- SASs are authoritative pronouncements. Departures from SAS must be justified by the
auditor.

Classes of Auditing Standards:
1. General Qualification Standards
a. Adequate training and proficiency
b. Independence
c. Due professional care
2. Field Work Standards
a. The audit must be adequately planned
b. The auditor must gain a sufficient understanding of internal controls
c. The auditor must obtain sufficient and competent evidence
3. Reporting Standards
a. The auditor must state in the report whether the financial statements comply with GAAP
b. The report must identify circumstances where GAAP is not applied
c. The report must identify items with insufficient disclosures
d. The report shall contain the auditor’s opinion on the financial statements as a whole

Five General Categories of Management Assertions:
1. Existence or Occurrence
2. Completeness
3. Rights and Obligations
4. Valuation or Allocation
5. Presentation and Disclosure
Note:
- Audit procedures are based on assertions
- Related to the General Objective of Auditing on Financial Reporting

Two General Categories of Audit Objectives:
1. Financial Reporting
2. Information System

Audit Risk (AR): probability that the auditor will render an unqualified (clean) opinion on
financial statements that are materially misstated.

Causes of Misstatements:
1. Errors - unintentional mistakes
2. Irregularities - intentional misrepresentation

Inherent Risk: associated with the unique characteristics of the business or industry of the
client.

Control Risk: likelihood that the control structure is flawed because controls are absent or
inadequate

Detection Risk: the risk auditors are willing to accept that errors not prevented or detected by
the control structure will also go undetected by the audit
- Auditors set an acceptable level of detection risk (known as planned detection risk)
that determines the extent of substantive testing. The higher the planned detection
risk, the lower the need for substantive testing.

Audit Risk Model:
- AR = IR x CR x DR
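An added worked example of how the model is used in audit planning (not part of the original notes; the numeric values are constructed for illustration and use the document's own symbols AR, IR, CR and DR). Solving the model for the detection risk the auditor can afford to accept gives the planned detection risk:

$$DR_{planned} = \frac{AR}{IR \times CR}$$

With an acceptable audit risk of AR = 0.05, an assessed inherent risk IR = 0.80 and a control risk CR = 0.50 (controls tested and judged adequate):

$$DR_{planned} = \frac{0.05}{0.80 \times 0.50} = 0.125$$

If the test of controls instead leads the auditor to assess CR = 0.80 (controls weak or absent), then

$$DR_{planned} = \frac{0.05}{0.80 \times 0.80} \approx 0.078$$

The planned detection risk falls, so the auditor may tolerate less risk of missing a misstatement in the substantive testing phase and must expand substantive tests. In both cases the product IR x CR x DR recovers the fixed AR = 0.05, which is the consistency check to apply whenever one factor is revised.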

Three Conceptual Phases of the Audit Process:
1. Audit Planning
2. Test of Controls
3. Substantive Testing

Audit Planning
- Auditor must gain a thorough understanding of the client’s business
- Major part of this phase is the analysis of audit risk
- IT auditor must identify the principal exposures and the controls that attempt to reduce
these exposures

Test of Controls
- Determine whether adequate internal controls are in place and properly functioning
- At the conclusion, the auditor must assess the quality of internal controls by assigning a
level of control risk

Substantive Testing
- Involves detailed investigation of specific account balances and transactions
- Substantive tests may require the use of Computer-Assisted Audit Tools
and Techniques (CAATTs)

Brief History of Internal Control Legislation
- SEC Acts of 1933 and 1934: (1) required companies to provide investors significant
financial information concerning publicly sold securities, (2) prohibited fraudulent
activities concerning the sale of securities.
- Copyright Law of 1976: required management to have licensed software.
- Foreign Corrupt Practices Act (FCPA) of 1977: (1) keep records that reflect the
transactions and financial position of the firm, (2) maintain a system of internal controls
to provide reasonable assurance of meeting organizational objectives.
- Committee of Sponsoring Organizations of the Treadway Commission (1992):
prescribed an effective model for internal controls from a management perspective
(COSO Model).
- Sarbanes-Oxley Act of 2002: requires public companies’ management to implement an
adequate system of internal controls over the financial reporting process (as codified in
Sections 302 and 404).

Specific Duties of External Auditors as mandated by SOX:
1. Interview management on significant changes in the design of internal control after
the latest annual audit or interim review
2. Evaluate implications of misstatements identified by the auditor
3. Determine whether changes in internal controls may materially affect internal control
over financial reporting

Points to be covered by the Annual Report as mandated by Section 404 of SOX:
1. Understand flow of transactions to identify points in which a misstatement could arise
2. Assess the design and operating effectiveness of internal controls related to material
accounts
3. Assess potential for fraud and evaluate controls
4. Evaluate adequacy of controls over financial reporting process
5. Evaluate entity controls that correspond to COSO framework

COSO as recommended model: SEC deems COSO as a recommended model, with PCAOB
Auditing Standard No. 5 endorsing use of COSO.

Objectives of Internal Control System:
1. Safeguard assets
2. Ensure accuracy and reliability of records
3. Promote efficiency of operations
4. Measure compliance with policies and procedures

Four Modifying Principles of Internal Control Systems:
1. Management Responsibility - SOX makes the internal control system management’s legal
responsibility
2. Methods of Data Processing - regardless of being computerized or manual
3. Limitations - (1) possibility of error, (2) circumvention, (3) management override, (4)
changing conditions
4. Reasonable Assurance

Three Components of PDC Model:
1. Preventive Controls
2. Detective Controls
3. Corrective Controls

SAS No. 109: current authoritative document for specifying internal control objectives and
techniques

Five Components of COSO Framework:
1. Control Environment
2. Risk Assessment
3. Information and Communication
4. Monitoring
5. Control Activities
a. Physical Controls
b. Information Technology Controls

Six Categories of Physical Control Activities:
1. Transaction Authorization
2. Segregation of Duties
3. Supervision
4. Accounting Records
5. Access Control
6. Independent Verification

Two Broad Groupings of IT Control Activities:
1. Application Controls
2. General Controls

Audit Implications of SOX
- Expands the role of external auditors by mandating their attestation of clients’ internal
controls
- PCAOB Standard No. 5 requires auditors to understand transaction flow
- Computer fraud falls within the responsibilities of both management and auditors
