Technology Auditing,
Assurance, Internal Control
1
2
Contents
• Attestation & assurance Services
• Financial audit
• Auditing standards
• External vs. internal auditing
• Information technology audit
• Internal control
• SAS 78
3
Attest Services
• An engagement in which a practitioner is
engaged to issue, or does issue, a written
communication that expresses a conclusion
about the reliability of a written assertion
that is the responsibility of another party.
Attest: To affirm to be correct, true, or
genuine
4
Requirements applied to
attestation services
• Attestation services require written assertions and
a practitioner’s written report.
• Attestation services require the formal
establishment of measurement criteria or their
description in the presentation.
• The levels of service in attestation engagements
are limited to examination, review, and application
of agreed-upon procedures.
5
Assurance Services
• Broader than attestation (Fig. 1-1)
• Professional services designed to improve the
quality of information, both financial and non-
financial, used by decision-makers.
• Intended to help people make better decisions by
improving information.
Assurance: A statement or indication that inspires
confidence; a guarantee or pledge
6
Assurance Services
• Evolution of accounting profession is expected to
follow the assurance services model.
• All “Big Five” professional services firms have
renamed their traditional audit functions
“Assurance Services.”
• Organizational unit responsible for conducting IT
audits is named either IT Risk Management,
Information Systems Risk Management, or
Operational Systems Risk Management (OSRM)
7
Financial Audit
• An independent attestation performed by an
expert, the auditor, who expresses an
opinion regarding the presentation of
financial statements.
• Auditor’s role is similar in concept to a
judge who collects and evaluates evidence
and renders an opinion.
8
Financial Audit
• Key concept in this process is independence;
a judge must remain independent in his or her
deliberation.
• Judge cannot be advocate of either party in the
trial, but must apply law impartially based on
evidence presented.
• Likewise, independent auditor collects and
evaluates evidence and renders an opinion based
on evidence.
9
Financial Audit
• Throughout audit process, auditor must
maintain his or her independence from
client organization.
• Public confidence in the reliability of the
company’s internally produced financial
statements rests directly on their being
evaluated by an independent expert audit.
10
Financial Audit
• Systematic audit process involves three
conceptual phases:
– Familiarization w/ organization’s business
– Evaluating and testing internal control
– Assessing the reliability of financial data
11
Auditor’s Report
• Product of attestation function is a formal
written report that expresses an opinion
about the reliability of the assertions
contained in financial statements
• Auditor’s report expresses an opinion as to
whether the financial statements are in
conformity w/ generally accepted
accounting principles
12
Auditing Standards
• Auditors are guided in their professional
responsibility by the ten generally accepted
auditing standards (GAAS) Fig. 1-2
• GAAS establishes a framework for
prescribing auditor performance, but it is
not sufficiently detailed to provide
meaningful guidance in specific
circumstances
13
Auditing Standards
• To provide specific guidance, American Institute
of Certified Public Accountants (AICPA) issues
Statements on Auditing Standards (SASs) as
authoritative interpretations of GAAS.
• SASs are often referred to as auditing standards,
or GAAS, although they are not the ten generally
accepted auditing standards.
14
SAS
• First issued by AICPA in 1972
• Since then, many SASs have been issued to
provide auditors w/ guidance on a spectrum
of topics, including methods of
investigating new clients, techniques for
obtaining background information on
client’s industry.
15
External vs. Internal Auditing
• External auditing is often called independent
auditing because it is done by certified public
accountants who are independent of the
organization being audited.
• External auditors represent the interests of third-
party stakeholders in the organization, such as
stockholders, creditors, and government agencies.
• Because the focus of external audit is on financial
statements, this type of audit is called financial
audit
16
External vs. Internal Auditing
• Institute of Internal Auditors defines
internal auditing as an independent
appraisal function established within an
organization to examine and evaluate its
activities
17
External vs. Internal Auditing
• Internal auditors perform a wide range of
activities on behalf of the organization,
including conducting financial audits,
examining an operation’s compliance with
organizational policies, reviewing the
organization’s compliance with legal
obligations, evaluating operational
efficiency, detecting and pursuing fraud
within the firm, and conducting IT audits.
18
External vs. Internal Auditing
• While external auditors represent outsiders,
internal auditors represent the interests of the
organization.
• Internal auditors often cooperate with and assist
external auditors in performing financial audits.
• This is done to achieve audit efficiency and reduce
audit fees. For example, a team of internal auditors
can perform tests of computer controls under the
supervision of a single external auditor.
20
Information Technology (IT) Audit
• Focus on the computer-based aspects of an
organization’s information system
• This includes assessing the proper
implementation, operation, and control of
computer resources
21
Definition of Auditing
• Auditing is a systematic process of
objectively obtaining and evaluating
evidence regarding assertions about
economic actions and events to ascertain
the degree of correspondence between
those assertions and established criteria and
communicating the results to interested
users
22
Elements of auditing
• A systematic process
• Management assertions and audit objectives
• Obtaining evidence
• Ascertaining the degree of correspondence
between established criteria
• Communicating results
See Pages 5~7
23
5 Categories of Management
Assertions (page 6)
• Existence or occurrence assertion
• Completeness assertion
• Rights and obligations assertion
• Valuation or allocation assertion
• Presentation and disclosure assertion
Auditors develop their audit objectives and design
audit procedures based on preceding assertions.
See Table 1-1
24
Structure of IT Audit
• IT audit is divided into three phases: audit
planning, tests of controls, and substantive
testing (See Figure 1-3)
25
Internal Control
• The establishment and maintenance of a system of internal
control is an important management obligation.
• A fundamental aspect of management’s stewardship
responsibility is to provide shareholders with reasonable
assurance that the business is adequately controlled.
• Additionally, management has a responsibility to furnish
shareholders and potential investors with reliable financial
information on a timely basis. (Sarbanes-Oxley Act)
• An adequate system of internal control is necessary to
management’s discharge of these obligations.
- Securities and Exchange Commission
26
Internal Control in Concept
• Internal control system comprises policies,
practices, and procedures employed by the
organization to achieve four broad objectives:
– To safeguard assets of the firm.
– To ensure the accuracy and reliability of accounting
records and information.
– To promote efficiency in the firm’s operations.
– To measure compliance with management’s prescribed
policies and procedures
27
Exposure and Risk
• Internal control shield (Figure 1-4) to
protect firms from numerous undesirable
events
– Attempts at unauthorized access to firm’s assets
(including information)
– Fraud perpetrated by persons both in and
outside the firm
– Errors due to employee incompetence, faulty
computer programs, corrupted input data
28
Exposure and Risk
• Internal control shield (Figure 1-4) to
protect firms from numerous undesirable
events
– Mischievous acts, such as unauthorized access
by computer hackers and threats from computer
viruses that destroy programs and databases
29
Exposure and Risk
• Absence or weakness of a control is called
exposure
• Exposures increase firm’s risk to financial
loss or injury from undesirable events.
30
Exposure and Risk
• A weakness in internal control may expose the
firm to one or more of the following types of risks:
– Destruction of assets (both physical assets and
information)
– Theft of assets
– Corruption of information or the information system
(containing errors or alterations)
– Disruption of information system (to break or burst;
rupture)
31
3 Levels of Control
• Preventive controls, detection controls, and
corrective controls (Fig. 1-5)
32
Preventive Controls
• First line of defense in the control structure
• Passive techniques designed to reduce the
frequency of occurrence of undesirable
events
• Preventing errors and fraud is far more cost-
effective than detecting and correcting
problems after they occur
• In information security: firewall
33
Preventive Controls
• For example, a well-designed data entry
screen is a preventive control
• Not all problems can be anticipated and
prevented.
34
Detective Controls
• Second line of defense
• Devices, techniques, and procedures
designed to identify and expose undesirable
events that elude preventive controls
• In information security: Intrusion detection
35
Corrective Controls
• Corrective actions taken to reverse the
effects of detected errors
• Detective controls identify undesirable
events and draw attention to the problem;
corrective controls fix the problem.
36
Statement on Auditing Standards
No. 78 (SAS 78)
• Current authoritative document for specifying
internal control objectives and techniques.
• Conforms to the recommendations of the
Committee of Sponsoring Organizations of the
Treadway Commission (COSO)
• Consists of five components: control environment,
risk assessment, information and communication,
monitoring, and control activities
37
Control Environment
• Foundation for the other control components
• Important elements:
– Integrity and ethical values of management
– Structure of organization
– Participation of organization’s board of directors and
audit committee
– Management’s philosophy and operating style
– … see page 13
38
Control Environment
• SAS 78 requires that auditors obtain
sufficient knowledge to assess the attitude
and awareness of organization’s
management, board of directors, and
owners regarding internal control.
• See page 13 for examples of techniques that
may be used to obtain an understanding of
control environment
39
Risk Assessment
• Identify, analyze, and manage risks relevant to
financial reporting
• See page 14 for risks that can arise out of changes
in circumstances
• SAS 78 requires that auditors obtain sufficient
knowledge of organization’s risk assessment
procedures to understand how management
identifies, prioritizes, and manages risks related to
financial reporting.
40
Information and Communication
• Accounting information system consists of records
and methods used to initiate, identify, analyze,
classify, and record organization’s transactions
and to account for related assets and liabilities.
• Quality of information generated by AIS impacts
management’s ability to take actions and make
decisions in connection with organization’s
operations and to prepare reliable financial
statements.
41
Effective AIS
• Identify and record all valid financial transactions
• Provide timely information about transactions in
sufficient detail to permit proper classification and
financial reporting
• Accurately measure financial value of transactions
so their effects can be recorded in financial
statements
• Accurately record transactions in time period in
which they occur
42
Effective AIS
• SAS 78 requires that auditors obtain
sufficient knowledge of organization’s
information systems to understand
– Classes of transactions that are material to
financial statements and how those transactions
are initiated
– Accounting records and accounts that are used
in processing of material transactions
43
Effective AIS
• SAS 78 requires that auditors obtain
sufficient knowledge of organization’s
information systems to understand
– Transaction processing steps involved from
initiation of economic event to its inclusion in
financial statements
– Financial reporting process used to prepare
financial statements, disclosures, and
accounting estimates
44
Monitoring
• Process by which quality of internal control design
and operation can be assessed
• May be accomplished by separate procedures or
by ongoing activities
• Internal auditors may monitor entity’s activities in
separate procedures. They gather evidence of
control adequacy by testing controls, then
communicate control strengths and weaknesses to
management
45
Monitoring
• Ongoing monitoring may be achieved by
integrating special computer modules into
information system that capture key data and/or
permit tests of control to be conducted as part of
routine operations
• Such embedded audit modules (EAMs) allow
management and auditors to maintain constant
surveillance over functioning of internal controls
46
Control Activities
• Policies and procedures used to ensure
appropriate actions are taken to deal w/
organization’s identified risks
47
Control Activities
• Can be grouped into two categories:
– Computer controls
• General control
• Application control
– Physical controls
• transaction authorization
• segregation of duties
• supervision
• accounting records
• access control
• independent verification
48
Computer Controls/General Controls
• Fall into two broad groups: general controls
and application controls
• General controls pertain to entity-wide
concerns such as controls over data center,
organization databases, systems
development, and program maintenance
49
Application Controls
• Application controls ensure the integrity of
specific systems such as sales order
processing, accounts payable, and payroll
applications
51
Physical Controls
• Relates primarily to traditional accounting
systems that employ manual procedures
• Six traditional categories of physical control
activities: transaction authorization,
segregation of duties, supervision,
accounting records, access control, and
independent verification
52
Transaction Authorization
• Ensure that all material transactions
processed by information systems are valid
and in accordance w/ management’s
objectives
• Authorizations may be general or specific
53
General Authorization
• Granted to operations personnel to perform
day-to-day operations
• Example is procedure to authorize purchase
of inventories from designated vendor only
when inventory levels fall to their
predetermined reorder points. This is called
a programmed procedure
54
Specific Authorization
• Deal with case-by-case decisions associated w/
non-routine transactions.
• Example is the decision to extend a particular
customer’s credit limit beyond the normal amount
• In an IT environment, the responsibility for
achieving control objectives of transaction
authorization rests directly on accuracy and
consistency of computer programs that perform
these tasks.
55
Segregation of Duties
• To minimize incompatible functions
• 3 objectives provide general guidelines
applicable to most organizations
– Authorization for a transaction is separate from
processing of the transaction. For example,
purchases should not be initiated by purchasing
department until authorized by inventory
control department
56
Segregation of Duties
• 3 objectives provide general guidelines
applicable to most organizations
– Responsibility for custody of assets should be
separate from recordkeeping responsibility. For
example, the department that has physical
custody of finished goods inventory should not
keep official inventory records. Accounting for
finished goods inventory is performed by
inventory control, an accounting function.
57
Segregation of Duties
• 3 objectives provide general guidelines
applicable to most organizations
– Organization should be structured so that a
successful fraud requires collusion between two
or more individuals with incompatible
responsibilities. In other words, no single
individual should have sufficient access to
assets and supporting records to perpetrate a
fraud.
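The three segregation-of-duties objectives above can be tested against transaction records. The sketch below is an added example, not part of the original slides; the record fields (authorized_by, processed_by, custodian, recorded_by), the user names, and the sample records are constructed assumptions. It reports exceptions on individual transactions and, separately, people who hold incompatible duties across different transactions.

```python
"""Segregation-of-duties (SoD) tests over transaction records.

Added illustration. The field names, user names and sample records are
constructed assumptions, not data from the slides.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Duty pairs that must not rest with one person.
INCOMPATIBLE = [
    ("authorize", "process"),  # objective 1: authorization vs. processing
    ("custody", "record"),     # objective 2: asset custody vs. recordkeeping
]


@dataclass(frozen=True)
class Txn:
    txn_id: str
    authorized_by: Optional[str]  # None means no authorization on file
    processed_by: str
    custodian: str
    recorded_by: str

    def duties(self):
        """Map each duty on this transaction to the person who performed it."""
        return {
            "authorize": self.authorized_by,
            "process": self.processed_by,
            "custody": self.custodian,
            "record": self.recorded_by,
        }


def transaction_exceptions(txns):
    """Return (txn_id, finding) for each violation within one transaction."""
    findings = []
    for t in txns:
        d = t.duties()
        if d["authorize"] is None:
            findings.append((t.txn_id, "processed without authorization"))
        for a, b in INCOMPATIBLE:
            if d[a] is not None and d[a] == d[b]:
                findings.append((t.txn_id, f"{d[a]} performed both {a} and {b}"))
    return findings


def people_with_incompatible_duties(txns):
    """Objective 3: find people who hold both halves of an incompatible pair
    anywhere in the population, even if never on the same transaction."""
    held = defaultdict(set)
    for t in txns:
        for duty, person in t.duties().items():
            if person is not None:
                held[person].add(duty)
    exposure = {}
    for person in sorted(held):
        pairs = [p for p in INCOMPATIBLE if set(p) <= held[person]]
        if pairs:
            exposure[person] = pairs
    return exposure


# Constructed sample: purchasing, warehouse and inventory-control staff.
SAMPLE = [
    Txn("T1", "inv_control_ann", "purch_bob", "whse_cara", "inv_control_ann"),
    Txn("T2", "purch_bob", "purch_bob", "whse_cara", "inv_control_ann"),
    Txn("T3", "inv_control_ann", "purch_bob", "whse_cara", "whse_cara"),
    Txn("T4", None, "purch_dan", "whse_cara", "inv_control_ann"),
    Txn("T5", "purch_dan", "purch_bob", "whse_eve", "inv_control_ann"),
]

if __name__ == "__main__":
    for txn_id, finding in transaction_exceptions(SAMPLE):
        print(f"{txn_id}: {finding}")
    for person, pairs in people_with_incompatible_duties(SAMPLE).items():
        print(f"{person}: holds {pairs}")
```

In the sample, purch_dan never authorizes and processes the same transaction, so only the population-level check shows that he holds both duties.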
58
Segregation of Duties in IT
• Computer errors are programming errors
that are, in fact, human errors; no computer
has ever perpetrated a fraud unless
programmed to do so by a human
• Separating computer processing functions,
therefore, serves no purpose
59
Segregation of Duties in IT
• Segregation of duties still plays a role in IT
environment
• Once proper functioning of a program is
established at system implementation, its integrity
must be preserved throughout the application’s
life cycle.
• The activities of program development, program
operations, and program maintenance are critical
IT functions that must be adequately separated.
60
Supervision
• Achieving adequate segregation of duties often
presents difficulties for small organizations.
• In small organizations or in functional areas that
lack sufficient personnel, management must
compensate for absence of segregation controls
with close supervision.
• For this reason, supervision is also called
a compensating control.
61
Accounting Records
• Source documents, journals, and ledgers
capture economic essence of transactions
and provide an audit trail of economic
events
• Audit trail enables auditor to trace any
transaction through all phases of its
processing from initiation of event to
financial statements
62
Access Controls
• Ensure that only authorized personnel have
access to firm’s assets
• Access control in IT environment includes
provisions for physical security of computer
facilities.
• Database security and authorization is
an important access control mechanism in
modern organizations.
63
Access Control in IT Environment
• Limit personnel access authority
• Restrict access to computer programs
• Provide physical security for data
processing center
• Ensure adequate backup for data files
• Provide disaster recovery capability
64
Audit Risk
• Probability that auditor will render an
unqualified opinion on financial statements
that are, in fact, materially misstated
• Auditor’s objective is to minimize audit risk
by performing tests of controls and
substantive tests.
• 3 components of audit risk are inherent risk,
control risk, and detection risk
65
Inherent Risk
• Associated with unique characteristics of
the business or industry of the client
• Firms in declining industries have greater
inherent risk than firms in stable or thriving
industries.
• Auditors cannot reduce level of inherent
risk.
66
Control Risk
• is the likelihood that control structure is
flawed because controls are either absent or
inadequate to prevent or detect errors in the
accounts
• Auditors reduce level of control risk by
performing tests of internal controls, e.g.,
running test transactions and seeing if
erroneous transactions can be detected
67
Detection Risk
• is the risk that auditors are willing to take
that errors not detected or prevented by
control structure will also not be detected
by the auditor
• Lower planned detection risk requires more
substantive testing
68
General Framework for IT Risks and
Controls
• See Fig. 1-7

 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Recently uploaded (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

Tech Audit, Assurance & Internal Control

  • 2. 2 Contents • Attestation & assurance Services • Financial audit • Auditing standards • External vs. internal auditing • Information technology audit • Internal control • SAS 78
  • 3. 3 Attest Services • An engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. Attest: To affirm to be correct, true, or genuine
  • 4. 4 Requirements applied to attestation services • Attestation services require written assertions and a practitioner’s written report. • Attestation services require the formal establishment of measurement criteria or their description in the presentation. • The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.
  • 5. 5 Assurance Services • Broader than attestation (Fig. 1-1) • Professional services designed to improve the quality of information, both financial and non-financial, used by decision-makers. • Intended to help people make better decisions by improving information. Assurance: A statement or indication that inspires confidence; a guarantee or pledge
  • 6. 6 Assurance Services • Evolution of accounting profession is expected to follow the assurance services model. • All “Big Five” professional services firms have renamed their traditional audit functions “Assurance Services.” • Organizational unit responsible for conducting IT audits is named either IT Risk Management, Information Systems Risk Management, or Operational Systems Risk Management (OSRM)
  • 7. 7 Financial Audit • An independent attestation performed by an expert, the auditor, who expresses an opinion regarding the presentation of financial statements. • Auditor’s role is similar in concept to a judge who collects and evaluates evidence and renders an opinion.
  • 8. 8 Financial Audit • Key concept in this process is independence; Judge must remain independent in his or her deliberation. • Judge cannot be advocate of either party in the trial, but must apply law impartially based on evidence presented. • Likewise, independent auditor collects and evaluates evidence and renders an opinion based on evidence.
  • 9. 9 Financial Audit • Throughout audit process, auditor must maintain his or her independence from client organization. • Public confidence in the reliability of the company’s internally produced financial statements rests directly on their being evaluated by an independent expert audit.
  • 10. 10 Financial Audit • Systematic audit process involves three conceptual phases: – Familiarization w/ organization’s business – Evaluating and testing internal control – Assessing the reliability of financial data
  • 11. 11 Auditor’s Report • Product of attestation function is a formal written report that expresses an opinion about the reliability of the assertions contained in financial statements • Auditor’s report expresses an opinion as to whether the financial statements are in conformity w/ generally accepted accounting principles
  • 12. 12 Auditing Standards • Auditors are guided in their professional responsibility by the ten generally accepted auditing standards (GAAS) Fig. 1-2 • GAAS establishes a framework for prescribing auditor performance, but it is not sufficiently detailed to provide meaningful guidance in specific circumstances
  • 13. 13 Auditing Standards • To provide specific guidance, American Institute of Certified Public Accountants (AICPA) issues Statements on Auditing Standards (SASs) as authoritative interpretations of GAAS. • SASs are often referred to as auditing standards, or GAAS, although they are not the ten generally accepted auditing standards.
  • 14. 14 SAS • First issued by AICPA in 1972 • Since then, many SASs have been issued to provide auditors w/ guidance on a spectrum of topics, including methods of investigating new clients, techniques for obtaining background information on client’s industry.
  • 15. 15 External vs. Internal Auditing • External auditing is often called independent auditing because it is done by certified public accountants who are independent of the organization being audited. • External auditors represent the interests of third-party stakeholders in the organization, such as stockholders, creditors, and government agencies. • Because the focus of external audit is on financial statements, this type of audit is called financial audit.
  • 16. 16 External vs. Internal Auditing • Institute of Internal Auditors defines internal auditing as an independent appraisal function established within an organization to examine and evaluate its activities
  • 17. 17 External vs. Internal Auditing • Internal auditors perform a wide range of activities on behalf of the organization, including conducting financial audits, examining an operation’s compliance with organizational policies, reviewing the organization’s compliance with legal obligations, evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting IT audits.
  • 18. 18 External vs. Internal Auditing • While external auditors represent outsiders, internal auditors represent the interests of the organization. • Internal auditors often cooperate with and assist external auditors in performing financial audits. • This is done to achieve audit efficiency and reduce audit fees. For example, a team of internal auditors can perform tests of computer controls under the supervision of a single external auditor.
  • 19. 19 External vs. Internal Auditing • While external auditors represent outsiders, internal auditors represent the interests of the organization. • Internal auditors often cooperate with and assist external auditors in performing financial audits. • This is done to achieve audit efficiency and reduce audit fees. For example, a team of internal auditors can perform tests of computer controls under the supervision of a single external auditor.
  • 20. 20 Information Technology (IT) Audit • Focus on the computer-based aspects of an organization’s information system • This includes assessing the proper implementation, operation, and control of computer resources
  • 21. 21 Definition of Auditing • Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users
  • 22. 22 Elements of auditing • A systematic process • Management assertions and audit objectives • Obtaining evidence • Ascertaining the degree of correspondence between established criteria • Communicating results See Pages 5~7
  • 23. 23 5 Categories of Management Assertions (page 6) • Existence or occurrence assertion • Completeness assertion • Rights and obligations assertion • Valuation or allocation assertion • Presentation and disclosure assertion Auditors develop their audit objectives and design audit procedures based on preceding assertions. See Table 1-1
  • 24. 24 Structure of IT Audit • IT audit is divided into three phases: audit planning, tests of controls, and substantive testing (See Figure 1-3)
  • 25. 25 Internal Control • The establishment and maintenance of a system of internal control is an important management obligation. • A fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled. • Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis. (Sarbanes-Oxley Act) • An adequate system of internal control is necessary to management’s discharge of these obligations. - Securities and Exchange Commission
  • 26. 26 Internal Control in Concept • Internal control system comprises policies, practices, and procedures employed by the organization to achieve four broad objectives: – To safeguard assets of the firm. – To ensure the accuracy and reliability of accounting records and information. – To promote efficiency in the firm’s operations. – To measure compliance with management’s prescribed policies and procedures
  • 27. 27 Exposure and Risk • Internal control shield (Figure 1-4) to protect firms from numerous undesirable events – Attempts at unauthorized access to firm’s assets (including information) – Fraud perpetrated by persons both in and outside the firm – Errors due to employee incompetence, faulty computer programs, corrupted input data
  • 28. 28 Exposure and Risk • Internal control shield (Figure 1-4) to protect firms from numerous undesirable events – Mischievous acts, such as unauthorized access by computer hackers and threats from computer viruses that destroy programs and databases
  • 29. 29 Exposure and Risk • Absence or weakness of a control is called exposure • Exposures increase firm’s risk to financial loss or injury from undesirable events.
  • 30. 30 Exposure and Risk • A weakness in internal control may expose the firm to one or more of the following types of risks: – Destruction of assets (both physical assets and information) – Theft of assets – Corruption of information or the information system (containing errors or alterations) – Disruption of information system (to break or burst; rupture)
  • 31. 31 3 Levels of Control • Preventive controls, detection controls, and corrective controls (Fig. 1-5)
  • 32. 32 Preventive Controls • First line of defense in the control structure • Passive techniques designed to reduce the frequency of occurrence of undesirable events • Preventing errors and fraud is far more cost-effective than detecting and correcting problems after they occur • In information security: firewall
  • 33. 33 Preventive Controls • For example, a well-designed data entry screen is an example of a preventive control • Not all problems can be anticipated and prevented.
  • 34. 34 Detective Controls • Second line of defense • Devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls • In information security: Intrusion detection
  • 35. 35 Corrective Controls • Corrective actions taken to reverse the effects of detected errors • Detective controls identify undesirable events and draw attention to the problem; corrective controls fix the problem.
  • 36. 36 Statement on Auditing Standards No. 78 (SAS 78) • Current authoritative document for specifying internal control objectives and techniques. • Conforms to the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) • Consists of five components: control environment, risk assessment, information and communication, monitoring, and control activities
  • 37. 37 Control Environment • Foundation for the other control components • Important elements: – Integrity and ethical values of management – Structure of organization – Participation of organization’s board of directors and audit committee – Management’s philosophy and operating style – … see page 13
  • 38. 38 Control Environment • SAS 78 requires that auditors obtain sufficient knowledge to assess the attitude and awareness of organization’s management, board of directors, and owners regarding internal control. • See page 13 for examples of techniques that may be used to obtain an understanding of control environment
  • 39. 39 Risk Assessment • Identify, analyze, and manage risks relevant to financial reporting • See page 14 for risks that can rise out of changes in circumstances • SAS 78 requires that auditors obtain sufficient knowledge of organization’s risk assessment procedures to understand how management identifies, prioritizes, and manages risks related to financial reporting.
  • 40. 40 Information and Communication • Accounting information system consists of records and methods used to initiate, identify, analyze, classify, and record organization’s transactions and to account for related assets and liabilities. • Quality of information generated by AIS impacts management’s ability to take actions and make decisions in connection with organization’s operations and to prepare reliable financial statements.
  • 41. 41 Effective AIS • Identify and record all valid financial transactions • Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting • Accurately measure financial value of transactions so their effects can be recorded in financial statements • Accurately record transactions in time period in which they occur
  • 42. 42 Effective AIS • SAS 78 requires that auditors obtain sufficient knowledge of organization’s information systems to understand – Classes of transactions that are material to financial statements and how those transactions are initiated – Accounting records and accounts that are used in processing of material transactions
  • 43. 43 Effective AIS • SAS 78 requires that auditors obtain sufficient knowledge of organization’s information systems to understand – Transaction processing steps involved from initiation of economic event to its inclusion in financial statements – Financial reporting process used to prepare financial statements, disclosures, and accounting estimates
  • 44. 44 Monitoring • Process by which quality of internal control design and operation can be assessed • May be accomplished by separate procedures or by ongoing activities • Internal auditors may monitor entity’s activities in separate procedures. They gather evidence of control adequacy by testing controls, then communicate control strengths and weaknesses to management
  • 45. 45 Monitoring • Ongoing monitoring may be achieved by integrating special computer modules into information system that capture key data and/or permit tests of control to be conducted as part of routine operations • Such embedded audit modules (EAMs) allow management and auditors to maintain constant surveillance over functioning of internal controls
  • 46. 46 Control Activities • Policies and procedures used to ensure appropriate actions are taken to deal w/ organization’s identified risks
  • 47. 47 Control Activities • Can be grouped into two categories: – Computer controls • General control • Application control – Physical controls • transaction authorization • segregation of duties • supervision • accounting records • access control • independent verification
  • 48. 48 Computer Controls/General Controls • Fall into two broad groups: general controls and application controls • General controls pertain to entity-wide concerns such as controls over data center, organization databases, systems development, and program maintenance
  • 49. 49 Application Controls • Application controls ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications
  • 50. 50 Control Activities • Can be grouped into two categories: – Computer controls • General control • Application control – Physical controls • transaction authorization • segregation of duties • supervision • accounting records • access control • independent verification
  • 51. 51 Physical Controls • Relates primarily to traditional accounting systems that employ manual procedures • Six traditional categories of physical control activities: transaction authorization, segregation of duties, supervision, accounting records, access control, and independent verification
  • 52. 52 Transaction Authorization • Ensure that all material transactions processed by information systems are valid and in accordance w/ management’s objectives • Authorizations may be general or specific
  • 53. 53 General Authorization • Granted to operations personnel to perform day-to-day operations • Example is procedure to authorize purchase of inventories from designated vendor only when inventory levels fall to their predetermined reorder points. This is called programmed procedure
  • 54. 54 Specific Authorization • Deal with case-by-case decisions associated w/ non-routine transactions. • Example is the decision to extend a particular customer’s credit limit beyond the normal amount • In an IT environment, the responsibility for achieving control objectives of transaction authorization rests directly on accuracy and consistency of computer programs that perform these tasks.
  • 55. 55 Segregation of Duties • To minimize incompatible functions • 3 objectives provide general guidelines applicable to most organizations – Authorization for a transaction is separate from processing of the transaction. For example, purchases should not be initiated by purchasing department until authorized by inventory control department
  • 56. 56 Segregation of Duties • 3 objectives provide general guidelines applicable to most organizations – Responsibility for custody of assets should be separate from recordkeeping responsibility. For example, the department that has physical custody of finished goods inventory should not keep official inventory records. Accounting for finished goods inventory is performed by inventory control, an accounting function.
  • 57. 57 Segregation of Duties • 3 objectives provide general guidelines applicable to most organizations – Organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities. In other words, no single individual should have sufficient access to assets and supporting records to perpetrate a fraud.
  • 58. 58 Segregation of Duties in IT • Computer errors are programming errors that are, in fact, human errors; no computer has ever perpetrated a fraud unless programmed to do so by a human • Separating computer processing functions, therefore, serves no purpose
  • 59. 59 Segregation of Duties in IT • Segregation of duties still plays a role in IT environment • Once proper functioning of a program is established at system implementation, its integrity must be preserved throughout the application’s life cycle. • The activities of program development, program operations, and program maintenance are critical IT functions that must be adequately separated.
  • 60. 60 Supervision • Achieving adequate segregation of duties often presents difficulties for small organizations. • In small organizations or in functional areas that lack sufficient personnel, management must compensate for absence of segregation controls with close supervision. • For this reason, supervision is also called compensating control.
  • 61. 61 Accounting Records • Source documents, journals, and ledgers capture economic essence of transactions and provide an audit trail of economic events • Audit trail enables auditor to trace any transaction through all phases of its processing from initiation of event to financial statements
  • 62. 62 Access Controls • Ensure that only authorized personnel have access to firm’s assets • Access control in IT environment includes provisions for physical security of computer facilities. • Database security and authorization is important access control mechanism in modern organizations.
  • 63. 63 Access Control in IT Environment • Limit personnel access authority • Restrict access to computer programs • Provide physical security for data processing center • Ensure adequate backup for data files • Provide disaster recovery capability
  • 64. 64 Audit Risk • Probability that auditor will render an unqualified opinion on financial statements that are, in fact, materially misstated • Auditor’s objective is to minimize audit risk by performing tests of controls and substantive tests. • 3 components of audit risk are inherent risk, control risk, and detection risk
  • 65. 65 Inherent Risk • Associated with unique characteristics of the business or industry of the client • Firms in declining industries have greater inherent risk than firms in stable or thriving industries. • Auditors cannot reduce level of inherent risk.
  • 66. 66 Control Risk • is the likelihood that control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts • Auditors reduce level of control risk by performing tests of internal controls, e.g., running test transactions and seeing if erroneous transactions can be detected
  • 67. 67 Detection Risk • is the risk that auditors are willing to take that errors not detected or prevented by control structure will also not be detected by the auditor • Lower planned detection risk requires more substantive testing
  • 68. 68 General Framework for IT Risks and Controls • See Fig. 1-7
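
The segregation-of-duties guidelines on slides 55-59 and the compensating control on slide 60 can be tested mechanically against an entitlement listing. The following is an added example, not part of the original deck: the duty labels, user names and sample assignments are hypothetical and constructed for illustration.

```python
"""Segregation-of-duties test over a constructed entitlement listing."""
from collections import defaultdict
from itertools import combinations

# Incompatible duty pairs, following the guidelines on slides 55-59.
# The duty labels are hypothetical names chosen for this example.
INCOMPATIBLE = {
    frozenset({"authorize_transaction", "process_transaction"}):
        "authorization vs. processing",
    frozenset({"asset_custody", "record_keeping"}):
        "custody vs. recordkeeping",
    frozenset({"program_development", "program_operations"}):
        "IT development vs. operations",
    frozenset({"program_development", "program_maintenance"}):
        "IT development vs. maintenance",
    frozenset({"program_operations", "program_maintenance"}):
        "IT operations vs. maintenance",
}


def find_conflicts(assignments, supervised=frozenset()):
    """Return (user, rule, status) for every incompatible pair one user holds.

    assignments: iterable of (user, duty) tuples from an entitlement export.
    supervised:  users whose work is under documented close supervision,
                 the compensating control described on slide 60.
    status is "exposure" when no compensating control is recorded,
    otherwise "compensated".
    """
    duties_by_user = defaultdict(set)
    for user, duty in assignments:
        duties_by_user[user].add(duty)

    findings = []
    for user in sorted(duties_by_user):
        # Check every pair of duties held by the same person.
        for first, second in combinations(sorted(duties_by_user[user]), 2):
            rule = INCOMPATIBLE.get(frozenset({first, second}))
            if rule is None:
                continue
            status = "compensated" if user in supervised else "exposure"
            findings.append((user, rule, status))
    return findings


# Constructed sample data (not taken from any real system).
SAMPLE_ASSIGNMENTS = [
    ("alice", "authorize_transaction"),
    ("alice", "process_transaction"),   # one person authorizes and processes
    ("bob", "asset_custody"),
    ("carol", "record_keeping"),        # custody and records properly split
    ("dave", "program_development"),
    ("dave", "program_operations"),     # developer also runs production jobs
    ("erin", "asset_custody"),
    ("erin", "record_keeping"),         # small unit, covered by supervision
]
SAMPLE_SUPERVISED = {"erin"}

if __name__ == "__main__":
    for user, rule, status in find_conflicts(SAMPLE_ASSIGNMENTS,
                                             SAMPLE_SUPERVISED):
        print(f"{user:6} {rule:32} {status}")
```

A finding marked "compensated" still belongs in the work papers, because the auditor has to test that the supervision actually operates.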