Chapter 1Auditing and Internal Control LEARNING OBJECTIVES • Know the difference between attest services and advisory services and be able to explain the relationship between the two. • Understand the structure of an audit and have a firm grasp of the conceptual elements of the audit process. • Understand internal control categories presented in the COSO framework. • Be familiar with the key features of Section 302 and 404 of the Sarbanes-Oxley Act. • Understand the relationship between general controls, application controls, and financial data integrity. Difference Between Information Systems and Information Technology Information Systems • is a discipline that bridges business and computer science. • encompasses systems, people and processes that create, store, manipulate or distribute information. • is concerned with the information that computer systems can provide to aid an organization in defining and achieving its goals. • is also concerned with the processes that an enterprise can implement and improve using information technology Information technology • is a subset of information systems. • can be defined as the study, design, implementation, support or management of computer-based information systems. – These systems could include software as well as hardware such as computers, servers and networks. • also often governs the acquisition, processing, storage and dissemination of digitized information, or data, generated through the disciplines of computing and telecommunications. Introduction • The IT’s impact on the field of auditing: – Advantages: reengineering of traditional business processes • to promote more efficient operations • to improve communications within the entity and between the entity and its customers and suppliers (ex. EDI). – Disadvantages: introduced new risks that require unique internal controls. • the need for new techniques for – evaluating controls and – for assuring the security and accuracy of corporate data and the information systems that produce it. Outline • An overview of IT auditing: – Describes the various types of audits that organizations commission and distinguish between the auditor’s traditional attestation responsibility and the emerging field of advisory services. • The structure of an IT audit: – the relationship between management assertions, audit objectives, tests of controls, and substantive tests are explained. • Outlines the key points of the COSO control framework, – which defines internal controls in both manual and IT environments. • Examines audit issues and implications related to Sarbanes- Oxley legislation. • Provides a conceptual framework that links general controls, application controls, and financial data integrity. Outline • Overview of Auditing – External (Financial) Audits • Attest Service versus Advisory Services – Internal Audits • External versus Internal Auditors – Fraud Audits • The Role of the Audit Committee • Financial Audit Components • Audit Risk • The IT Audit • Internal Control • Internal Control Objectives, Principles, and Models Overview of Auditing • Business organizations undergo different types of audits for different purposes. The most common of these are – external (financial) audits • Attest Service versus Advisory Services – internal audits • External versus Internal Auditors – fraud audits • Fraud audits – IT audits External (Financial) Audit • is an independent attestation performed by an expert—the auditor—who expresses an opinion regarding the presentation of FSs. • This task, known as the attest service. – is performed by CPA who work for public accounting firms that are independent of the client organization being audited. • CPAs conducting such audits represent the interests of outsiders: stockholders, creditors, government agencies, and the general public. • Audit objective – is always associated with assuring the fair presentation of FSs. • These audits are often referred to as financial audits. • SEC requires all publicly traded companies be subject to a financial audit annually. External (Financial) Audits • The CPA’s role is similar in concept to a judge – who collects and evaluates evidence and renders an opinion. – A key concept in this process is independence. • Throughout the audit process, the auditor must maintain independence from the client organization. – the independent auditor collects and evaluates evidence and renders an opinion based on the evidence. • Public confidence in the reliability of the company’s internally produced FSs rests directly on an evaluation by an independent auditor. External (Financial) Audits • Authoritative rules • The external auditor must follow strict rules in conducting financial audits. These authoritative rules have been defined by the – SEC • Regardless, under federal law, the SEC has final authority for financial auditing. – Financial Accounting Standards Board (FASB) • With the passage of SOX, Congress established the Public Company Accounting Oversight Board (PCAOB), which has to a great extent replaced the function served by the FASB, and some of the functions of the AICPA (e.g., setting standards and issuing reprimands and penalties for CPAs who are convicted of certain crimes or guilty of certain infractions). – AICPA – federal law (Sarbanes-Oxley [SOX] Act of 2002) Attest Service versus Advisory Services Attest Service (traditional) – Audit service • is defined as: ... an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. (SSAE No. 1, AT Sec. 100.01). • Requirements: – written assertions and a practitioner’s written report. – the formal establishment of measurement criteria or their description in the presentation. – limited to examination, review, and application of agreed-upon procedures. Advisory Service (beyond traditional) – Nonaudit service • Is a professional service offered by public accounting firms to improve their client org.s’ operational efficiency and effectiveness. • includes actuarial advice, business advice, fraud investigation services, IS design and implementation, and internal control assessments for compliance with SOX. Attest Service versus Advisory Services • Prior to the passage of SOX, accounting firms could provide advisory services concurrently to audit (attest function) clients. • SOX legislation, however, greatly restricts the types of nonaudit services that auditors may render audit clients. It is now unlawful for a registered public accounting firm that is currently providing attest services for a client to provide the following services: – bookkeeping or other services related to the accounting records or financial statements of the audit client – financial information systems design and implementation – appraisal or valuation services, fairness opinions, or contribution-in-kind reports – actuarial services – internal audit outsourcing services – management functions or human resources – broker or dealer, investment adviser, or investment banking services – legal services and expert services unrelated to the audit – any other service that the board determines, by regulation, is impermissible IT Audit • is to provide an independent assessment of some technology- or systems-related object, such as: – proper IT implementation, or – controls over computer resources. • Because most modern accounting information systems use IT – IT plays a significant role in a financial (external audit) The Role of the Audit Committee • Board of directors of publicly traded companies – form a subcommittee known as the audit committee, which has special responsibilities regarding audits. • Audit Committee – usually consists of three people who should be outsiders (not associated with the families of executive management nor former officers, etc.). – at least one member of the audit committee must be a “financial expert.” The Role of the Audit Committee • Audit committee – serves as • an independent “check and balance” for the internal audit function – To be effective, the audit committee must be willing to challenge the internal auditors (or the entity performing that function) as well as management, when necessary. • liaison with external auditors. – Prior to SOX, external auditors were hired and fired by management. Many believe, with some justification, that this relationship erodes auditor independence when disputes over audit practices arise. – SOX mandates that external auditors now report to the audit committee who hire and fire auditors and resolve disputes. – Should look for ways to identify risk. For instance, it might serve as a sounding board for employees who observe suspicious behavior or spot fraudulent activities. – In general, it becomes an independent guardian of the entity’s assets by whatever means is appropriate. The Role of the Audit Committee • Corporate frauds often have some bearing on audit committee failures. These include – lack of independence of audit committee members – inactive audit committees – total absence of an audit committee – lack of experienced members on the audit committee. Financial Audit Components • Auditing Standards • A Systematic Process • Management Assertions and Audit Objectives • Obtaining Evidence • Ascertaining Materiality • Communicating Results Financial Audit Components • Auditor’s report – Is the product of the attestation function. – is a formal written report that expresses an opinion • about the reliability of the assertions contained in the FSs. • as to whether the FSs are in conformity with generally accepted accounting principles (GAAP). • External users of FSs – are presumed to rely on the auditor’s opinion about the reliability of FSs in making decisions. – must be able to place their trust in the auditor’s competence, professionalism, integrity, and independence. • Auditors – are guided in their professional responsibility by the ten generally accepted auditing standards (GAAS) presented in Table 1.1. Generally Accepted Auditing Standards Auditing Standards • Auditing standards are divided into three classes: – general qualification standards – field work standards – reporting standards. • GAAS – establishes a framework for prescribing auditor performance, but it is not sufficiently detailed to provide meaningful guidance in specific circumstances. • Statements on Auditing Standards (SASs) – Issued by American Institute of Certified Public Accountants (AICPA) – as authoritative interpretations of GAAS (To provide specific guidance) – are often referred to as auditing standards, or GAAS, although they are not the ten generally accepted auditing standards. – are regarded as authoritative pronouncements because every member of the profession must follow their recommendations or be able to show why a SAS does not apply in a given situation. • The burden of justifying departures from the SASs falls upon the individual auditor. A Systematic Process • Conducting an audit – is a systematic and logical process that applies to all forms of information systems. • A systematic approach – is particularly important in the IT environment. • A logical framework for conducting an audit in the IT environment – is critical to help the auditor identify all-important processes and data files. – The lack of physical procedures that can be visually verified and evaluated injects a high degree of complexity into the IT audit (e.g., the audit trail may be purely electronic, in a digital form, and thus invisible to those attempting to verify it). Management Assertions and Audit Objectives • The organization’s FSs reflect a set of management assertions about the financial health of the entity. • Task of the auditor: – to determine whether the FSs are fairly presented. • To accomplish this goal, the auditor – establishes audit objectives – designs procedures – gathers evidence that corroborate or refute management’s assertions. Management Assertions • These assertions fall into five general categories: • 1. The existence or occurrence assertion • 2. The completeness assertion • 3. The rights and obligations assertion • 4. The valuation or allocation assertion • 5. The presentation and disclosure assertion Management Assertions • These assertions fall into five general categories: • 1. The existence or occurrence assertion – affirms that all assets and equities contained in the BS exist and that all transactions in the income statement actually occurred. • Balance sheet – existence • Income statement - occurrence Management Assertions • These assertions fall into five general categories: • 2. The completeness assertion (no omission) – declares that no material assets, equities, or transactions have been omitted from the FSs. Management Assertions • These assertions fall into five general categories: • 3. The rights and obligations assertion – maintains that assets appearing on the BS are owned by the entity and that the liabilities reported are obligations. • Balance sheet – own • Liabilities - obligations Management Assertions • These assertions fall into five general categories: • 4. The valuation or allocation assertion – states that assets and equities are valued in accordance with GAAP and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis. Management Assertions • These assertions fall into five general categories: • 5. The presentation and disclosure assertion – alleges that FS items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of FSs. • Properly classified • Footnote disclosures Management Assertions and Audit Objectives Generally, auditors develop their audit objectives and design audit procedures based on the preceding assertions. The example in Table 1.2 outlines these procedures. Audit Objectives • Audit objectives may be classified into two general categories. – Those in Table 1.2 relate to transactions and account balances that directly impact financial reporting. – The second category pertains to the information system itself. • includes the audit objectives for assessing controls over manual operations and computer technologies used in transaction processing. • We consider both categories of audit objectives and the associated audit procedures. Obtaining Evidence • Auditors seek evidential matter that corroborates management assertions. • In the IT environment, this process involves gathering evidence relating to the – reliability of computer controls and the contents of databases that have been processed by computer programs. • Evidence is collected by performing – tests of controls - which establish whether internal controls are functioning properly, and – substantive tests - which determine whether accounting databases fairly reflect the org.’s transactions and account balances. Ascertaining Materiality • The auditor must determine the materiality of the following: – weaknesses in internal controls – misstatements found in transactions and account balances • What is the basis of materiality? – In all audit environments, assessing materiality is an auditor judgment. • In an IT environment, however, this decision is complicated further by technology and a sophisticated internal control structure. Ascertaining Materiality • Materiality - refers to the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement. • Materiality levels – are generally considered in terms of the smallest aggregate level of misstatement that could be considered material to any one of the FSs. Communicating Results • Auditors must communicate the results of their tests to interested users. – Audit report • An independent auditor renders a report to the audit committee of the board of directors or stockholders of a company. – Audit opinion • The audit report contains, among other things, an audit opinion. • is distributed along with the financial report to interested parties both internal and external to the organization. Communicating Results • IT auditors often communicate their findings to internal and external auditors, who can then integrate these findings with the non-IT aspects of the audit. Audit Risk • Audit Risk Components – Inherent Risk – Control Risk – Detection Risk • Audit Risk Model • The Relationship Between Tests of Controls and Substantive Tests Audit Risk • is the probability that the auditor will render an unqualified (clean) opinion on FSs that are, in fact, materially misstated. • Unqualified opinion means – free from material misstatements – FSs are fairly and appropriately presented, and in accordance with GAAP. • Material misstatements – may be caused by errors or irregularities or both. • Errors – are unintentional mistakes. • Irregularities – are intentional misrepresentations associated with the commission of a fraud such as • the misappropriation of physical assets or • the deception of financial statement users. Audit Risk Components • Auditor’s objective: – to achieve a level of audit risk that is acceptable to the auditor. • Acceptable audit risk (AR) – is estimated based on the ex ante value of the components of the audit risk model. These are • inherent risk • control risk • detection risk. Ex ante value - a forecasted value of a variable. For instance, a firm may wish to save 10% of its gross receipts, the 10% is the ex ante value and the firm uses this value to compare it with the actual results. Inherent Risk • is associated with the unique characteristics of the business or industry of the client. – Firms in declining industries have greater inherent risk than firms in stable or thriving industries. – Industries that have a heavy volume of cash transactions have a higher level of inherent risk than those that do not. – Placing a value on inventory when the inventory value is difficult to assess due to its nature is associated with higher inherent risk than in situations where inventory values are more objective. • For example, the valuation of diamonds is inherently more risky than assessing the value of automobile tires. • Auditors cannot reduce the level of inherent risk. • Even in a system protected by excellent controls, financial data and, consequently, FSs, can be materially misstated. Control Risk • is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts. – High control risk – means absent or inadequate internal control. – Low control risk – means adequate internal control. • To illustrate control risk, consider the following partial customer sales record, which is processed by the sales order system. Flawed - having or characterized by a fundamental weakness or imperfection. Control Risk • How to assess the level of control risk? – by performing tests of internal controls. – Example, test transactions • In the preceding example, the auditor could create test transactions, including some with incorrect Total values, which are processed by the application in a test run. • The results of the test will indicate that price extension errors are not detected and are being incorrectly posted to the AR file. Detection Risk • is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor. – Low detection risk – means errors not detected or errors not prevented by the control structure, thus weak internal control---high control risk – High detection risk – means errors detected or errors prevented by the control structure, thus strong internal control---low control risk • Auditors set an acceptable level of detection risk (planned detection risk) that influences the level of substantive tests that they perform. • Low detection risk means more substantive testing – For example, more substantive testing would be required when the planned detection risk is 10 percent than when it is 20 percent. • High detection risk means less substantive testing Audit Risk Model • Financial auditors use the audit risk components in a model – to determine the scope, nature, and timing of substantive tests. • The audit risk model is AR = IR ×CR ×DR Audit Risk Model • Assume that acceptable audit risk is assessed at a value of 5%, consistent with the 95% confidence interval associated with statistics. • By illustration, assume IR is assessed at 40%, & CR is assessed at 60%. What would be the level of planned detection risk (DR) needed to achieve the acceptable audit risk (AR) of 5%? 5% = 40%× 60%×DR DR = .05 x .24 DR = .20 Low detection risk, Notice that to achieve an acceptable level of audit risk in the first example. the auditor must set planned detection risk lower (20 percent) than in the second example (31 percent). High control risk (inadequate control) This is because the internal control structure in the first example is more risky (60 percent) than it is in the second case (40 percent). More substantive test To achieve the planned detection of 20% in the first example, the auditor will need to perform more substantive tests than in the second example, where the risk is lower. Audit Risk Model • Let’s now reduce the control risk (CR) value to 40 percent and recalculate DR. 5% = 40%× 40%×DR DR = 31 * Low control risk, high detection risk, thus less substantive testing The Relationship Between Tests of Controls and Substantive Tests • Tests of controls and substantive tests – are auditing techniques used for reducing audit risk to an acceptable level. • Low control risk – means strong controls, thus less substantive testing or limit substantive testing. – The stronger the internal control structure, as determined through tests of controls, the lower the control risk and the less substantive testing the auditor must do. – This relationship is true because the likelihood of errors in the accounting records is reduced when controls are strong. – In other words, when controls are in place and effective, the auditor may limit substantive testing. • High control risk – means weak controls, thus more substantive testing. – In contrast, the weaker the internal control structure, the greater the control risk and the more substantive testing the auditor must perform to reduce total audit risk. Evidence of weak controls forces the auditor to extend substantive testing to search for misstatements. The Relationship Between Tests of Controls and Substantive Tests • Low control risk (more reliable internal controls), high DR, thus few substantive testing. – In summary, the more reliable the internal controls, the lower the CR probability. – That leads to a higher DR, which will lead to fewer substantive tests being required. • Because substantive tests – are labor intensive and time-consuming – drive up audit costs and – exacerbate the disruptive effects of an audit. • Thus, management’s best interests are served by having a strong internal control structure. Exacerbate - make (a problem, bad situation, or negative feeling) worse. The IT Audit: The Structure of an IT Audit • The Structure of an IT Audit – The public expression of the auditor’s opinion • is the culmination of a systematic financial audit process that involves three conceptual phases: – audit planning – tests of controls – substantive testing. The IT Audit • An IT audit – focuses on the computer-based aspects of an org.’s IS; and modern systems employ significant levels of technology. – For example, • transaction processing is automated and performed in large part by computer programs. • Similarly source documents, journals, and ledgers that traditionally were paper-based are now digitized and stored in relational databases • Figure 1.1 illustrates the steps involved in the phases of an IT Audit. The Structure of an IT Audit: Audit Planning • 1) Thorough understanding of the business – Before the auditor can determine the nature and extent of the tests to perform, he or she must gain a thorough understanding of the client’s business. • 2) the analysis of audit risk – A major part of this phase of the audit. – The risk analysis incorporates an overview of the org.’s internal controls. • During the review of controls, – the auditor attempts to understand the organization’s policies, practices, and structure. – the auditor also identifies the financially significant applications and attempts to understand the controls over the primary transactions that are processed by these applications. • Auditor’s objective: – to obtain sufficient information about the firm to plan the other phases of the audit. The Structure of an IT Audit: Audit Planning • The techniques for gathering evidence at this phase include – conducting questionnaires – interviewing management – reviewing systems documentation – observing activities. • During this process, the IT auditor must – identify the principal exposures and the controls that attempt to reduce these exposures. • Tests of controls – Having done so, the auditor proceeds to the next phase, where he or she tests the controls for compliance with preestablished standards. The Structure of an IT Audit: Tests of Controls • The objective of the tests of controls phase – is to determine whether adequate internal controls are in place and functioning properly. • To accomplish this, the auditor performs various tests of controls. • The evidence-gathering techniques used in this phase may include – both manual techniques and specialized computer audit techniques. • At the conclusion of the tests-of-controls phase, the auditor must – assess the quality of the internal controls by assigning a level for control risk. – the degree of reliance that the auditor can ascribe to internal controls will affect the nature and extent of substantive testing that needs to be performed. Ascribe - regard something as being due to (a cause). The Structure of an IT Audit: Substantive Testing • focuses on financial data. • involves a detailed investigation of specific account balances and transactions. • For example, a customer confirmation is a substantive test sometimes used to verify account balances. – The auditor selects a sample of AR balances and traces these back to their source—the customers—to determine if the amount stated is in fact owed by a bona fide customer. – By so doing, the auditor can verify the accuracy of each account in the sample. – Based on such sample findings, the auditor is able to draw conclusions about the fair value of the entire accounts receivable asset. The Structure of an IT Audit: Substantive Testing • Some substantive tests are physical, labor-intensive activities, such as – counting cash – counting inventories in the warehouse – verifying the existence of stock certificates in a safe. • In an IT environment, the data needed to perform substantive tests (such as account balances and names and addresses of individual customers) are contained in data files that often must be extracted using – Computer-Assisted Audit Tools and Techniques (CAATTs) software.
Report "Chap01 Auditing and Internal Control –1,2"