Chapter 1 Auditing and Internal Control

The document discusses auditing and internal controls. It defines external financial audits, internal audits, and the roles of external and internal auditors. The auditor's objective is to obtain evidence to evaluate management's assertions regarding a company's financial statements. This involves testing internal controls and performing substantive tests. The results are then communicated, often in an audit report. An effective internal control system reduces the amount of substantive testing needed.

Auditing and Internal

Control
Information Technology Auditing and Assurance
Overview of Auditing
 External (Financial) Audits
 It is an independent attestation performed by the auditor –
who expresses an opinion regarding the presentation of
financial statements.
 Attest service is a task performed by CPAs who work for
public accounting firms that are independent of the client
organization being audited. The audit objective is always
associated with assuring the fair presentation of FS.
 A key concept in this process is independence. Public
confidence in the reliability of the company’s internally
produced FS rests directly on an evaluation of them by an
independent auditor.
Attest Service versus Advisory
Services
 Attest Service is an engagement in which a practitioner is
engaged to issue, or does issue, a written communication
that expresses a conclusion about the reliability of a written
assertion that is the responsibility of another party.
 Advisory services are professional services offered by
public accounting firms to improve their client
organizations’ operational efficiency and effectiveness.
Internal Audits
 It is an independent appraisal function established within an
organization to examine and evaluate its activities as a
service to the organization. Internal auditors perform a wide
range of activities such as conducting financial audits,
examining an operation’s compliance with org policies,
reviewing the org’s compliance with legal obligations,
evaluating operational efficiency, and detecting and
pursuing fraud within the firm.
 Fraud audits have increased in popularity as a corporate
governance tool. Their objective is to investigate anomalies
and gather evidence of fraud that may lead to criminal
conviction.
External versus Internal Auditors
 External auditors represent outsiders while internal auditors
represent the interests of the organization. Internal auditors
often cooperate with and assist external auditors in
performing aspects of financial audits to achieve audit
efficiency and reduce audit fees.
 Where the internal audit function reports to management
rather than to the board, the internal auditor’s independence is
compromised, and the external auditor is prohibited by
professional standards from relying on evidence provided by
the internal auditors. In contrast, external auditors can rely in
part on evidence gathered by internal audit departments that
are organizationally independent and report to the board of
directors’ audit committee.
The Role of the Audit Committee

 The committee usually consists of three people who should
be outsiders. The audit committee serves as an independent
“check and balance” for the internal audit function and as a
liaison with external auditors.
 The audit committee must be willing to challenge the
internal auditors as well as management. Part of its role is
to look for ways to identify risk.
Financial Audit Components

 The product of the attestation function is a formal written
report that expresses an opinion about the reliability of the
assertions in the FS. The auditor’s report expresses an
opinion as to whether the FS are in conformity with GAAP;
external users of FS are presumed to rely on the auditor’s
opinion about the reliability of FS in making decisions.
Auditors are guided in their professional responsibility by
the ten GAAS.
Auditing Standards
 These are divided into three classes: general qualification
standards, field work standards, and reporting standards.
The AICPA issues Statements on Auditing Standards (SASs)
as authoritative interpretations of GAAS. SASs are often
referred to as auditing standards, or GAAS.
 Many SASs have been issued to provide auditors with
guidance on a spectrum of topics.
 SASs are regarded as authoritative pronouncements
because every member of the profession must follow their
recommendations. The burden of justifying departures from
the SASs falls upon the individual auditor.
A Systematic Process

 A systematic approach is particularly important in the IT
environment. The lack of physical procedures that can be
visually verified and evaluated injects a high degree of
complexity into the IT audit. Therefore, a logical framework
for conducting an audit in the IT environment is critical to
help the auditor identify all important processes and data
files.
Management Assertions and Audit
Objectives
 The org’s FS reflect a set of management assertions about
the financial health of the entity. To accomplish this goal, the
auditor establishes audit objectives, designs procedures, and
gathers evidence that corroborates or refutes management’s
assertions. These assertions fall into five general categories:
 1. The existence or occurrence assertion affirms that all
assets and equities contained in the balance sheet exist and
that all transactions in the income statement actually occurred.
 2. The completeness assertion declares that no material
assets, equities, or transactions have been omitted from the FS.
Management Assertions and Audit
Objectives
 3. The rights and obligations assertion maintains that assets
appearing on the balance sheet are owned by the entity and that
the liabilities reported are obligations.
 4. The valuation or allocation assertion states that assets and
equities are valued in accordance with GAAP and that allocated
amounts are calculated on a systematic and rational basis.
 5. The presentation and disclosure assertion alleges that FS
items are correctly classified and that footnote disclosures are
adequate to avoid misleading the users of FS.
 Audit objectives fall into two general categories: the transactions
and account balances that directly impact financial reporting, and the
information system itself.
Obtaining Evidence
 Auditors seek evidential matter that corroborates
management assertions. In the IT environment, this
process involves gathering evidence relating to the
reliability of computer controls as well as the contents of
databases that have been processed by computer
programs. Evidence is collected by performing tests of
controls, which establish whether internal controls are
functioning properly, and substantive tests, which
determine whether accounting databases fairly reflect the
org’s transactions and account balances.
Ascertaining Materiality
 The auditor must determine whether weaknesses in
internal controls and misstatements found in transactions
and account balances are material.
 In all audit environments, assessing materiality is an
auditor judgment. In an IT environment, however, this
decision is complicated further by technology and a
sophisticated internal control structure.
Communicating Results
 Auditors must communicate the results of their tests to
interested users. The audit report contains an audit
opinion. It is distributed along with the financial report to
interested parties both internal and external to the org. IT
auditors often communicate their findings to internal and
external auditors, who can integrate these findings with the
non-IT aspects of the audit.
Audit Risk
 It is the probability that the auditor will render an unqualified (clean)
opinion on FS that are, in fact, materially misstated. Material
misstatements may be caused by errors or irregularities or both.
Errors are unintentional mistakes. Irregularities are intentional
misrepresentations associated with the commission of a fraud.
 Audit Risk Components:
 Inherent Risk is associated with the unique characteristics of the
business or industry of the client.
 Control risk is the likelihood that the control structure is flawed
because controls are either absent or inadequate to prevent or
detect errors in the accounts.
 Detection Risk is the risk that auditors are willing to take that
errors not detected or prevented by the control structure will also
not be detected by the auditor.
The Relationship between Tests of
Controls and Substantive Tests
 Tests of controls and substantive tests are auditing techniques
used for reducing audit risk to an acceptable level. The stronger
the internal control structure, as determined through tests of
controls, the lower the control risk and the less substantive testing
the auditor must do. When controls are in place and effective, the
auditor may limit substantive testing. In contrast, the weaker the
internal control structure, the greater the control risk and the more
substantive testing the auditor must perform to reduce total audit
risk.
 The more reliable the internal controls, the lower the control risk
(CR) probability. That leads to a lower detection risk (DR), which
will lead to fewer substantive tests being required.
The IT Audit
 The public expression of the auditor’s opinion is the
culmination of a systematic financial audit process that
involves three conceptual phases:
 Audit planning
 Tests of controls
 Substantive testing

 An IT audit focuses on the computer-based aspects of an
organization’s information system; modern systems employ
significant levels of technology.
Phases of an IT Audit
Flowchart (figure): three phases, each feeding the next.
 Audit Planning Phase: Start → Review Organization’s Policies,
Practices, and Structure → Review General Controls and
Application Controls → Plan Tests of Controls and Substantive
Testing Procedures
 Tests of Controls Phase: Perform Tests of Controls → Evaluate
Test Results → Determine Degree of Reliance on Controls
 Substantive Testing Phase: Perform Substantive Tests → Evaluate
Results and Issue Auditor’s Report → Audit Report
The Structure of an IT Audit
 Audit Planning
 The first step in the IT audit is audit planning. A major part of
this phase of the audit is the analysis of audit risk. The
auditor’s objective is to obtain sufficient information about the
firm to plan the other phases of the audit. The risk analysis
incorporates an overview of the organization’s internal
controls.
 The techniques for gathering evidence at this phase include:
 Conducting questionnaires,
 Interviewing management,
 Reviewing management,
 Reviewing systems documents, and
 Observing activities.
The Structure of an IT Audit

 Tests of Controls
 The objective of the tests of controls phase is to determine
whether adequate internal controls are in place and
functioning properly. To accomplish this, the auditor
performs various tests of controls. The evidence-gathering
techniques used in this phase may include both manual
techniques and specialized computer audit techniques.
The Structure of an IT Audit

 Substantive Testing
 This third phase of the audit process focuses on financial
data. This phase involves a detailed investigation of
specific account balances and transactions through what
are called substantive tests.
 Some substantive tests are physical, labor-intensive
activities, such as counting cash, counting inventories in
the warehouse, and verifying the existence of stock
certificates in a safe.
The Structure of an IT Audit

 Internal Control
 Organization management is required by law to establish
and maintain an adequate system of internal control.
Internal Control

 Internal Control Objectives, Principles and Models
 An organization’s internal control system comprises
policies, practices, and procedures to achieve four broad
objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting
records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed
policies and procedures.
Internal Control

 Modifying Principles
 Inherent in these control objectives are four modifying
principles that guide designers and auditors of internal
control systems.
 Management Responsibility
 Methods of Data Processing
 Limitations
 Reasonable Assurance
Internal Control
Modifying Principles

 Management Responsibility
 This concept holds that the establishment and maintenance
of a system of internal control is a management
responsibility.
 Methods of Data Processing
 The internal control system should achieve the four broad
objectives regardless of the data processing method used
(whether manual or computer based). However, the specific
techniques used to achieve these objectives will vary with
different types of technology.
Internal Control
Modifying Principles
 Limitations
 The possibility of error
 Circumvention
 Management override
 Changing conditions
 Reasonable Assurance
 The internal control system should provide reasonable assurance
that the four broad objectives of internal control are met. This
reasonableness means that the cost of achieving improved control
should not outweigh its benefits.
The PDC Model
 Preventive Controls
 Prevention is the first line of defense in the control structure.
Preventive controls are passive techniques designed to
reduce the frequency of occurrence of undesirable events.
Preventive controls force compliance with prescribed or
desired actions and thus screen out aberrant events.
 Detective Controls
 Detection of problems is the second line of defense. Detective
controls are devices, techniques, and procedures designed to
identify and expose undesirable events that elude preventive
controls. Detective controls reveal specific types of errors by
comparing actual occurrences to pre-established standards.
The PDC Model

 Corrective Controls
 Corrective actions must be taken to reverse the effects of
detected errors. There is an important distinction between
detective and corrective controls. Detective controls
identify undesirable events and draw attention to the
problem; corrective controls actually fix the problem.
COSO Internal Control Framework

 The COSO framework consists of five components:
 Control Environment
 Risk Assessment
 Information and Communication
 Monitoring
 Existing Control Activities
Control Environment
 Sets the tone for the organization and influences the control
awareness of its management and employees. Important elements of
the control environment are:
 The integrity and ethical values of management.
 The structure of the organization.
 The participation of the organization’s board of directors and the
audit committee, if one exists.
 Management’s philosophy and operating style.
 The procedures for delegating responsibility and authority.
 Management’s methods for assessing performance.
 External influences, such as examinations by regulatory agencies.
 The organization’s policies and practices for managing its human
resources.
Control Environment
 Understanding of the control environment
 Auditors should assess the integrity of the organization’s
management and may use investigative agencies to report
on the backgrounds of key managers.
 Auditors should be aware of conditions that would predispose
the management of an organization to commit fraud.
 Auditors should understand a client’s business and industry
and should be aware of conditions peculiar to the industry
that may affect the audit.
Control Environment
 Understanding of the control environment (cont.)
 The following guidelines, which the board of directors should
adopt, represent established best practices.
 Separate CEO and chairman
 Set ethical standards
 Establish an independent audit committee.
 Compensation committees.
 Nominating committees.
 Access to outside professionals.
Risk Assessment
 Organizations must perform a risk assessment to identify,
analyze, and manage risks relevant to financial reporting.
Risks can arise from circumstances such as:
 Changes in the operating environment that impose new or
changed competitive pressures on the firm.
 New personnel who have a different or inadequate
understanding of internal control.
 New or reengineered information systems that affect
transaction processing.
 The implementation of new technology into the production
process or information system that impacts transaction
processing.
Risk Assessment (cont.)
 The introduction of new product lines or activities with
which the organization has little experience.
 Organizational restructuring resulting in the reduction
and/or reallocation of personnel such that business
operations and transaction processing are affected.
 Entering into foreign markets that may impact operations
(that is, the risks associated with foreign currency
transactions).
 Adoption of a new accounting principle that impacts the
preparation of financial statements.
Information and Communication
 The accounting information system consists of the records and
methods used to initiate, identify, analyze, classify and record
the organization’s transactions and to account for the related
assets and liabilities. An effective accounting information system
will:
 Identify and record all valid financial transactions.
 Provide timely information about transactions in sufficient
detail to permit proper classification and financial statements.
 Accurately measure the financial value of transactions so their
effects can be recorded in financial statements.
 Accurately record transactions in the time period in which they
occurred.
Information and Communication
(cont.)
 Auditors must understand the organization’s information
system well enough to know:
 The classes of transactions that are material to the
financial statements and how those transactions are
initiated.
 The accounting records and accounts that are used in the
processing of material transactions.
 The transaction processing steps involved from the
initiation of a transaction to its inclusion in the financial
statements.
 The financial reporting process used to prepare financial
statements, disclosures, and accounting estimates.
Monitoring

 The process by which the quality of internal control design
and operation can be assessed. Ongoing monitoring may
be achieved by integrating special computer modules into
the information system that capture key data and/or permit
tests of controls to be conducted as part of routine
operations.
Control Activities
Control Activities are the policies and procedures used to ensure that
appropriate actions are taken to deal with the organization’s identified
risks. Categories: physical controls and information technology (IT)
controls.
Physical Controls
This class of controls relates primarily to the human activities
employed in accounting systems. These activities may be purely
manual, such as the physical custody of assets, or they may involve the
physical use of computers to record transactions or update accounts.
Transaction Authorization
The purpose of transaction authorization is to ensure that all material
transactions processed by the information system are valid and in
accordance with management’s objectives.
Control Activities
 Segregation of Duties
 One of the most important control activities is the segregation of
employee duties to minimize incompatible functions. Segregation of
duties can take many forms, depending on the specific duties to be
controlled.
 Supervision
 Implementing adequate segregation of duties requires that a firm
employ a sufficiently large number of employees.
 Accounting Records
 The accounting records of an organization consist of source
documents, journals, and ledgers. These records capture the economic
essence of transactions and provide an audit trail of economic events.
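Segregation of duties is usually enforced and audited through the permissions actually granted to people, so an IT auditor tests it by checking every user’s combined duties against a matrix of incompatible pairs. The following is an added example written for these notes, not code from the slides or from any textbook; the duty names, the incompatible-pair rule set, and the user assignments are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check.

Added example (not from the slides). The rule set follows the classic
authorize / record / custody split; all duty names, rules and user
assignments below are constructed sample data."""

from itertools import combinations

# Constructed rule set: pairs of duties one person should not hold together.
INCOMPATIBLE_PAIRS = {
    frozenset({"authorize_purchase", "approve_invoice"}),
    frozenset({"approve_invoice", "issue_payment"}),
    frozenset({"issue_payment", "reconcile_bank"}),
    frozenset({"custody_cash", "record_cash_receipts"}),
}

# Constructed assignments: user -> duties granted through roles/permissions.
ASSIGNMENTS = {
    "alice": {"authorize_purchase", "receive_goods"},
    "bob": {"approve_invoice", "issue_payment"},                 # one conflict
    "carol": {"custody_cash", "record_cash_receipts",
              "issue_payment", "reconcile_bank"},                # two conflicts
    "dave": {"reconcile_bank"},
}


def find_sod_conflicts(assignments, incompatible_pairs=INCOMPATIBLE_PAIRS):
    """Return {user: [(duty_a, duty_b), ...]} for every user who holds at
    least one incompatible pair. Users with no conflict are omitted, so an
    empty dict means the assignments pass the SoD test."""
    conflicts = {}
    for user, duties in assignments.items():
        hits = [
            (a, b)
            for a, b in combinations(sorted(duties), 2)
            if frozenset({a, b}) in incompatible_pairs
        ]
        if hits:
            conflicts[user] = hits
    return conflicts


def users_with_conflicts(assignments, incompatible_pairs=INCOMPATIBLE_PAIRS):
    """Sorted list of users whose access must be split or, where the firm
    is too small to split it, covered by closer supervision."""
    return sorted(find_sod_conflicts(assignments, incompatible_pairs))


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(ASSIGNMENTS).items():
        for a, b in pairs:
            print(f"SoD conflict: {user} holds both '{a}' and '{b}'")
```

The check is a detective control over the preventive one (the access-control configuration itself); running it on each access review turns the slide’s principle into a repeatable test of controls whose output is an audit-trail item.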
Control Activities
 Access Control
 The purpose of access controls is to ensure that only
authorized personnel have access to the firm’s assets.
Unauthorized access exposes assets to misappropriation,
damage, and theft.
 Independent Verification
 Verification procedures are independent checks of the
accounting system to identify errors and
misrepresentations. Verification differs from supervision
because it takes place after the fact, by an individual who is
not directly involved with the transaction or task being
verified.
Control Activities
 Through independent verification procedures, management can
assess
 (1) the performance of individuals,
 (2) the integrity of the transaction processing system, and
 (3) the correctness of data contained in accounting records.
Examples of independent verifications include:
 Reconciling batch totals at points during transaction processing.
 Comparing physical assets with accounting records.
 Reconciling subsidiary accounts with control accounts.
 Reviewing management reports (both computer and manually
generated) that summarize business activity.
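Two of the listed verifications (batch totals and subsidiary-to-control reconciliation) are simple enough to run as code against the accounting data, which is how an IT auditor would typically automate them. The block below is an added example for these notes, not code from the slides; the batch header fields, the ledger layout, and every amount are constructed sample data.

```python
"""Independent verification as detective controls.

Added example (not from the slides). Two checks from the slide's list are
run over constructed sample data:
  1. batch control totals (record count, amount hash total) versus what
     the system actually posted from that batch;
  2. the sum of subsidiary-ledger balances versus the general-ledger
     control account.
Field names, account codes and amounts are all constructed."""

from decimal import Decimal

# Constructed batch header: totals computed at data entry, before posting.
BATCH_HEADER = {
    "batch_id": "AR-0417",
    "record_count": 4,
    "hash_total": Decimal("12340.00"),   # sum of amounts keyed in
}

# Constructed posting log: only three of the four records made it through.
POSTED = [
    {"batch_id": "AR-0417", "customer": "C001", "amount": Decimal("2500.00")},
    {"batch_id": "AR-0417", "customer": "C002", "amount": Decimal("4090.00")},
    {"batch_id": "AR-0417", "customer": "C003", "amount": Decimal("5000.00")},
    {"batch_id": "AR-0418", "customer": "C009", "amount": Decimal("99.00")},  # other batch
]

# Constructed ledgers: per-customer receivable balances and the AR control account.
SUBSIDIARY = {
    "C001": Decimal("2500.00"),
    "C002": Decimal("4090.00"),
    "C003": Decimal("5000.00"),
    "C004": Decimal("750.00"),
}
CONTROL_ACCOUNT = {"1200-AR": Decimal("12300.00")}   # posted 40.00 short


def reconcile_batch(header, posted):
    """Compare a batch header's control totals with the records posted for
    that batch. Returns {check: (expected, actual)} for every mismatch;
    an empty dict means the batch reconciles."""
    rows = [r for r in posted if r["batch_id"] == header["batch_id"]]
    findings = {}
    if len(rows) != header["record_count"]:
        findings["record_count"] = (header["record_count"], len(rows))
    actual_total = sum((r["amount"] for r in rows), Decimal("0"))
    if actual_total != header["hash_total"]:
        findings["hash_total"] = (header["hash_total"], actual_total)
    return findings


def reconcile_control_account(subsidiary, control_balance):
    """Return subsidiary total minus the control-account balance.
    Zero means the ledgers agree; any other value is an exception to
    investigate (Decimal avoids binary floating-point rounding)."""
    return sum(subsidiary.values(), Decimal("0")) - control_balance


if __name__ == "__main__":
    print("batch findings:", reconcile_batch(BATCH_HEADER, POSTED))
    print("subsidiary - control:",
          reconcile_control_account(SUBSIDIARY, CONTROL_ACCOUNT["1200-AR"]))
```

Both functions return their result instead of only printing it, so the same checks can be scheduled as an embedded audit module (the ongoing-monitoring idea on the Monitoring slide) and their exceptions logged for follow-up by someone not involved in posting the batch.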
Control Activities

 IT Controls
 Information technology drives the financial reporting
processes of modern organizations. Automated systems
initiate, authorize, record, and report the effects of financial
transactions.

 Application Controls ensure the validity, completeness, and
accuracy of financial transactions.
 General Controls apply to all systems.
