
Date post: 16-Dec-2015
Upload: yhang-yuwik
Description:
internal control
CHAPTER 1 Auditing, Assurance, and Internal Control
Transcript

Chapter 1: Auditing, Assurance, and Internal Control

AUDITING

Different types of audit

INTERNAL AUDITS
Internal auditing: an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
- CIA: Certified Internal Auditor
- CISA: Certified Information Systems Auditor
- IIA: Institute of Internal Auditors
- ISACA: Information Systems Audit and Control Association

IT AUDIT
An IT audit is associated with auditors who use technical skills and knowledge to audit through the computer system, or provide audit services where processes or data, or both, are embedded in technologies.
CAATS (Computer Assisted Audit Tools) allow auditors to audit through the database and computer.

FRAUD AUDITS
The newest area of auditing, arising out of both rampant employee theft of assets and major financial frauds.
- CFE: Certified Fraud Examiner certificate
- ACFE: Association of Certified Fraud Examiners

EXTERNAL / FINANCIAL AUDITS
Associated with auditors who work outside, or independent of, the organization being audited.
- Sarbanes-Oxley Act of 2002
- Financial Accounting Standards Board (FASB)
- American Institute of Certified Public Accountants (AICPA)

FINANCIAL AUDIT
An independent attestation performed by an expert, the auditor, who expresses an opinion regarding the presentation of financial statements.
Key concept is INDEPENDENCE; Judge must remain independent in his/her deliberation.
Public confidence in the reliability of the company's internally produced financial statements rests directly on an evaluation of them by an independent expert auditor.
Systematic audit process involves three conceptual phases:
1. Familiarization with the organization's business
2. Evaluating and testing internal controls
3. Assessing the reliability of financial data

Attest services
An engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.

REQUIREMENTS APPLIED TO ATTESTATION SERVICES
- Attestation services require written assertions and a practitioner's written report.
- Attestation services require the formal establishment of measurement criteria or their description in the presentation.
- The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.

Assurance services
Professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision makers.
- Broader than attestation services
- Intended to help people make better decisions by improving information
- The organizational unit responsible for conducting IT audits is named either IT Risk Management, Information Systems Risk Management, or Operational Systems Risk Management (OSRM).

Relationship Between Assurance Services and Attest Services

All attestation services are assurance services, but not every assurance service is an attestation service.

A systematic process
An audit is a systematic and logical process that applies to all forms of information systems.

Management assertions and audit objectives

ASCERTAINING THE DEGREE OF CORRESPONDENCE WITH ESTABLISHED CRITERIA

Communicating Results
- Auditors must communicate the results of their tests to interested users.
- An independent auditor renders a report to the audit committee of the board of directors or stockholders of a company.
- The audit report contains, among other things, an AUDIT OPINION.

Obtaining evidence

[Diagram: AUDIT RISK, with components INHERENT RISK, DETECTION RISK, CONTROL RISK]

Audit risk: the probability that the auditor will render an unqualified opinion on financial instruments that are, in fact, materially misstated.

Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.

Quantity    Unit Price    Total
10 units    Php 20        Php 2,000

Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will not also be detected by the auditors.

AR = IR x CR x DR
5% = 40% * 60% * DR; DR = 4.8%
5% = 40% * 40% * DR; DR = 3.2%
The higher the control risk, the higher the detection risk; the lower the control risk, the lower the detection risk.

Audit committee: it is made up of three (3) people, who should be outsiders, and at least one of them must be a financial expert.

Roles of audit committee
- Perform its fiduciary responsibility to the shareholders.
- Assist the management in ensuring the integrity of financial reports and in deterring fraud.
- Serve as guardians of public interest.
- Serve as an independent check and balance for the internal audit function and liaison with external auditors.
- For entities that employ outside auditors, audit committees are responsible for deciding which external auditor to hire.

IT audit
It focuses on the computer-based aspects of an organization's information system; it includes assessing the proper implementation, operation and control of computer sources.

Structure of an IT audit

Audit planning: the auditor's objective is to obtain sufficient information about the firm to plan the other phases of the audit. He attempts to understand the organization's policies, practices and structures.

Tests of control: it aims to determine whether adequate internal controls are in place and functioning properly. At the end, he must be able to assess the quality of the internal controls.

Substantive testing: it involves detailed investigation of specific account balances and transactions. In an IT environment, IT auditors use CAATTs to get the data to tell them about the data's integrity and reliability.

Computer-Assisted Audit Tools and Techniques
Audit technology tools facilitate more granular analysis of data and help to determine the accuracy of the information.

INTERNAL CONTROL

INTERNAL CONTROL SYSTEM: comprises policies, practices, and procedures employed by the organization to achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm's operation.
4. To measure compliance with management's prescribed policies and procedures.

Brief history of internal control

SEC Acts of 1933
Objectives:
1. Require that investors receive financial and other significant information concerning securities being offered for public sale.
2. Prohibit deceit, misinterpretations, and other fraud in the sale of securities.

SEC Act 1934
- Created the Securities and Exchange Commission (SEC) and empowered it with broad authority over all aspects of the securities industry, which included authority regarding auditing standards.
- It required publicly traded companies to be audited by an independent auditor.

Copyright Law 1976
It is of concern to IT auditors because management is held personally liable for violations if raided by the software police, and sufficient evidence of impropriety is found.

Foreign Corrupt Practices Act (FCPA) of 1977
Requires companies registered with the SEC to do the following:
- Keep records that fairly and reasonably reflect the transactions of the firm and its initial position.
- Maintain a system of internal control that provides reasonable assurance that the organization's objectives are met.

Committee of Sponsoring Organizations 1192
The organizations that sponsored, and do sponsor, this entity include Financial Executives International (FEI), the Institute of Management Accountants (IMA), the American Accounting Association (AAA), AICPA, and the IIA.

Modifying assumptions of internal control
- MANAGEMENT RESPONSIBILITY
- REASONABLE ASSURANCE
- METHODS OF DATA PROCESSING
- LIMITATIONS
  - The Possibility of Error
  - Circumvention
  - Management Override
  - Changing Conditions

Exposures and risk

exposures

Deficiency Revenues

Types of risk
- Destruction of assets
- Theft of assets
- Corruption of information or the information system
- Disruption of the information system

The PDC model
- Preventive Controls = reduce the frequency of occurrence of undesirable events.
- Detective Controls = devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.
- Corrective Controls = fix the problem.

Supervision in an IT Environment
The action or process of watching and directing what someone does or how something is done.

Reasons why supervisory control must be more elaborate in an IT environment:
1. The need for competent employees possessing specialized skills.
2. Trustworthiness of data processing personnel.
3. Inadequately observing employees in an IT environment.

Accounting Records in an IT Environment

Audit Trail

Access Controls

Two forms of data threat

INDEPENDENT VERIFICATION

