Auditing, Assurance,
and Internal Control
Faradillah, S.Si., M.Kom
Email: [email protected]
S1 (Bachelor's) Program in Information Systems, Universitas Indo Global Mandiri
Objectives
• Know difference between attest services and advisory services
• Understand the structure of an audit and have a firm grasp of the
conceptual elements of the audit process
• Understand internal control categories in the COSO framework
• Be familiar with the key features of Sections 302 and 404 of the Sarbanes-Oxley Act.
• Understand the relationship between general controls, application
controls, and financial data integrity
OVERVIEW OF AUDITING
AUDITING
• Auditing is a systematic process by which a competent, independent person
objectively obtains and evaluates evidence regarding assertions about an
economic entity or event, for the purpose of forming an opinion about, and
reporting on, the degree to which the assertions conform to an identified
set of standards
• Auditing provides an independent and objective assurance that:
▫ Information is processed in a safe and sound manner – integrity
▫ Operations are efficient and effective
▫ Information assets are safeguarded - achieving information goals
TYPES OF AUDIT
• Financial audits – relates to financial information integrity and reliability.
• Operational audits—examination of IS controls, security controls, or
business controls to determine control existence and effectiveness,
examples: IS audits of application controls or logical security systems
• Integrated audits—combines financial and operational audit steps.
• Administrative audits—oriented to assess issues related to the efficiency
of operational productivity within an organization.
• Specialized audits—examine areas such as services performed by third
parties.
• Forensic audits—auditing specialized in discovering, disclosing and
following up on frauds and crimes. The primary purpose of such a review
is the development of evidence for review by law enforcement and
judicial authorities.
• IS/IT Audit
INTERNAL AUDITS
Internal auditing: an independent appraisal function established within an
organization to examine and evaluate its activities as a service to the
organization
Forms: Financial Audits, Operational Audits, Compliance Audits, Fraud
Audits, IT Audits
Mostly performs a monitoring function to evaluate internal efficiency and
effectiveness
EXTERNAL AUDITS
• External auditing: Objective is that in all material respects, financial
statements are a fair representation of organization’s transactions and
account balances.
• Known as attest service
• The rules have been defined by
▫ the Securities and Exchange Commission (SEC)
▫ the Sarbanes-Oxley Act
▫ FASB (Financial Accounting Standards Board) and PCAOB (Public Company Accounting Oversight Board)
▫ CPAs (Certified Public Accountants) and the AICPA (American Institute of CPAs)
EXTERNAL vs. INTERNAL
• External auditing:
▫ Independent auditor (CPA)
▫ Independence defined by SEC/S-OX/AICPA
▫ Required by SEC for publicly-traded companies
▫ Referred to as a “financial audit”
▫ Represents interests of outsiders, “the public” (e.g., stakeholders)
▫ Standards, guidance, certification governed by AICPA, FASB, PCAOB; delegated by SEC
who has final authority
• Internal auditing:
▫ Auditor (often a CIA or CISA)
▫ Is an employee of the organization and must impose independence on themselves
▫ Optional, per management requirements
▫ Broader services than financial audit; (e.g., operational audits)
▫ Represent interests of the organization
▫ Standards, guidance, certification governed by IIA and ISACA
IT AUDITS
IT audits: provide audit services where processes or data, or both, are
embedded in technologies.
Subject to the ethics, guidelines, and standards of the profession (if certified)
CISA (Certified Information Systems Auditor): the certification most closely associated with ISACA
Performed jointly with internal, external, and fraud audits
Scope of IT audit coverage is increasing
Characterized by CAATTs (computer-assisted audit tools and techniques)
IT governance as part of corporate governance
FINANCIAL AUDITS
• An independent attestation performed by an expert (i.e., an auditor, a
CPA) who expresses an opinion regarding the presentation of financial
statements
• Key concept: Independence
• Should be similar to a trial by judge
• Culmination of systematic process involving:
▫ Familiarization with the organization’s business
▫ Evaluating and testing internal controls
▫ Assessing the reliability of financial data
• Product is formal written report that expresses an opinion about the
reliability of the assertions in financial statements; in conformity with
GAAP (Generally Accepted Accounting Principles)
ATTEST vs ADVISORY
ATTEST definition
Written assertions
Practitioner’s written report
Formal establishment of measurement criteria or their description in the
presentation
Limited to:
Examination
Review
Application of agreed-upon procedures
ATTEST vs ADVISORY
ADVISORY
Professional services that are designed to improve the quality of information,
both financial and non-financial, used by decision-makers
IT Audit Groups in “Big Four”
IT Risk Management
IS Risk Management
Operational Systems Risk Management
Technology & Security Risk Services
Typically a division of assurance services
AUDIT COMPONENTS
Auditing standards
A systematic process
Management assertions & audit objectives
Obtaining evidence
Ascertaining materiality
Communicating results
AUDITING STANDARDS
Auditing standards
Set by AICPA (American Institute of CPA)
Authoritative
#1 = Ten Generally Accepted Auditing Standards (GAAS)
Three categories:
General Standards
Standards of Field Work
Reporting Standards
# 2 = Statements on Auditing Standards (SASs)
SAS #1 issued by AICPA in 1972
A SYSTEMATIC PROCESS
An audit should be conducted as a systematic and logical process that applies
to all forms of information systems.
IT introduces a high degree of complexity into the audit (e.g. the audit trail
may be purely electronic, in digital form, and thus invisible to those
attempting to verify it)
MANAGEMENT ASSERTIONS AND AUDIT
OBJECTIVES
• Existence or Occurrence: affirms that all assets and equities contained in
the balance sheet exist and that all transactions in the income statement
actually occurred.
• Completeness: declares that no material assets, equities, or transactions
have been omitted from the financial statements
• Rights & Obligations: maintains that assets appearing on the balance
sheet are owned by the entity and that the liabilities reported are
obligations of the entity
• Valuation or Allocation: states that assets and equities are valued in
accordance with GAAP and that allocated amounts such as depreciation
expense are calculated on a systematic and rational basis
• Presentation or Disclosure: alleges that financial statement items are
correctly classified and that footnote disclosures are adequate to avoid
misleading the users of financial statements
MANAGEMENT ASSERTIONS AND AUDIT
OBJECTIVES
Management Assertion | Audit Objective | Audit Procedure
Existence or Occurrence | Inventories listed in the balance sheet exist | Observe the counting of physical inventory
Completeness | Accounts payable include all obligations to vendors for the period | Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period
Rights and Obligations | Plant and equipment listed in the balance sheet are owned by the entity | Review purchase agreements, insurance policies, and related documents
Valuation or Allocation | Accounts receivable are stated at net realizable value | Review the entity's aging of accounts and evaluate the adequacy of the allowance for uncollectible accounts
Presentation and Disclosure | Contingencies not reported in the financial accounts are properly disclosed in footnotes | Obtain information from the entity's lawyers about the status of litigation and estimates of potential loss
OBTAINING EVIDENCE
• Auditors seek evidential matter that corroborates management assertions
• In the IT environment involves gathering evidence relating to the
reliability of:
▫ Computer controls
▫ Contents of databases that have been processed by computer programs
• Evidence collection:
▫ Tests of internal controls, to determine whether they are functioning properly
▫ Substantive tests, to determine whether the accounting databases fairly reflect the
organization's transactions and account balances
ASCERTAINING MATERIALITY
Determine whether the weaknesses in internal control and the misstatements
found in transactions and account balances are material.
Judged by the auditor
More complicated when IT is used
COMMUNICATING RESULTS
Auditors communicate the results of their tests to interested users (e.g.
the audit committee of a company's board of directors)
The audit report contains an audit opinion.
AUDIT RISK
Audit Risk Formula
AUDIT RISK:
The probability that the auditor will give an inappropriate opinion on the
financial statements: that is, that the statements contain material
misstatement(s) which the auditor fails to find
Audit Risk Formula
INHERENT RISK:
Associated with the unique characteristics of the business or industry of the
client
Example: firms in declining industries carry greater inherent risk than stable/thriving firms
Includes economic conditions, etc.
The auditor cannot reduce the level of inherent risk
Audit Risk Formula
• CONTROL RISK:
▫ The probability that the internal controls will fail to prevent or detect material
misstatements
▫ For example: the capability of the system to detect a wrong total price
• DETECTION RISK:
▫ The probability that the audit procedures will fail to detect material
misstatements
▫ Determines the level of substantive testing that must be performed
▫ The lower the acceptable DR percentage, the more substantive testing is required
Audit Risk Formula
• AUDIT RISK MODEL:
▫ AR = IR * CR * DR
▫ example, inventory with:
IR = 40%, CR = 60%, AR = 5% (fixed)
0.05 = 0.4 * 0.6 * DR
... then DR = 0.05 / 0.24 ≈ 20.8%
▫ Why is AR = 5%? It corresponds to a 95% confidence level in statistics
▫ What is detection risk?
▫ Can CR realistically be 0?
▫ Relationship between DR and substantive procedures
Audit Risk Model
• Relationship between tests of controls and substantive tests
▫ Illustrate higher reliability of the internal controls in the Audit Risk Model
What happens if internal controls are more reliable than at the last audit?
Last year: 0.05 = 0.4 * 0.6 * DR [DR ≈ 0.21]
This year: 0.05 = 0.4 * 0.4 * DR [DR ≈ 0.31]
The more reliable the internal controls, the lower the CR; thus the higher
the acceptable DR, and the fewer substantive tests are necessary.
▫ Substantive tests are labor intensive
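The audit risk model above, worked through in code. This is an added example and not part of the lecture slides: the function names, the 1.0 cap on detection risk and the year-over-year comparison helper are this example's own, while the formula AR = IR * CR * DR, the 5% audit-risk target and the IR/CR figures are the ones used on the slides.

```python
"""Audit risk model AR = IR * CR * DR, solved for whichever component is unknown.

Added example, not part of the lecture slides. The function names, the 1.0 cap
on detection risk and the year-over-year comparison helper are this example's
own; the formula, the 5% audit-risk target and the IR/CR figures come from
the slides.
"""


def solve_audit_risk(ar=None, ir=None, cr=None, dr=None):
    """Return all four components as a dict, solving for the one passed as None.

    Known values are probabilities in (0, 1]. CR = 0 (or any zero factor) is
    rejected: no control structure is perfect, and a zero factor would make AR
    zero no matter how little substantive work is done.
    """
    known = {"ar": ar, "ir": ir, "cr": cr, "dr": dr}
    unknown = [name for name, value in known.items() if value is None]
    if len(unknown) != 1:
        raise ValueError("exactly one of ar, ir, cr, dr must be None")
    for name, value in known.items():
        if value is not None and not 0 < value <= 1:
            raise ValueError(f"{name} must be a probability in (0, 1], got {value}")
    target = unknown[0]
    if target == "ar":
        known["ar"] = ir * cr * dr
    else:
        # AR = IR * CR * DR  =>  unknown factor = AR / (product of the other two)
        others = [known[n] for n in ("ir", "cr", "dr") if n != target]
        known[target] = known["ar"] / (others[0] * others[1])
    return known


def acceptable_detection_risk(ar, ir, cr):
    """Planned DR the auditor may tolerate for a fixed AR.

    Capped at 1.0: if IR * CR is already below AR, the target is met without
    any substantive assurance (a situation the slides' figures never reach).
    """
    return min(solve_audit_risk(ar=ar, ir=ir, cr=cr)["dr"], 1.0)


def compare_control_reliance(ar, ir, cr_last_year, cr_this_year):
    """How a change in CR moves the tolerable DR.

    Returns (dr_last, dr_this, ratio). ratio > 1 means more reliable controls
    this year let the substantive procedures accept proportionally more
    detection risk, i.e. less substantive testing.
    """
    dr_last = acceptable_detection_risk(ar, ir, cr_last_year)
    dr_this = acceptable_detection_risk(ar, ir, cr_this_year)
    return dr_last, dr_this, dr_this / dr_last


if __name__ == "__main__":
    # The inventory example from the slides: AR 5%, IR 40%, CR 60%.
    print(f"DR = {acceptable_detection_risk(0.05, 0.4, 0.6):.3f}")  # 0.208
    last, this, ratio = compare_control_reliance(0.05, 0.4, 0.6, 0.4)
    print(f"last year DR = {last:.3f}, this year DR = {this:.3f}, x{ratio:.2f}")
```

Running the file reproduces the slide's two scenarios: the tolerable DR rises from about 0.21 to about 0.31 when CR drops from 0.6 to 0.4, a factor of 1.5, which is the reduction in substantive assurance the auditor may plan for.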
THE IT AUDIT
What is an IT Audit?
… most accounting transactions to be in electronic form without any paper
documentation because electronic storage is more efficient. … These
technologies greatly change the nature of audits, which have so long
relied on paper documents.
IT Audit focuses on the computer-based aspects of an organization’s
information system
THE STRUCTURE OF AN IT AUDIT
Audit Planning Phase (START):
  Review the organization's policies, practices, and structure
  Review general controls and application controls
  Plan tests of controls and substantive test procedures
Tests of Controls Phase:
  Perform tests of controls
  Evaluate test results
  Determine degree of reliance on controls
Substantive Testing Phase:
  Perform substantive tests
  Evaluate results and issue the auditor's report
  Audit report
THE STRUCTURE OF AN IT AUDIT
Audit planning: gain a thorough understanding of the client's business
Tests of controls: determine whether adequate internal controls are in
place and functioning properly
Substantive tests: detailed investigation of specific account balances and
transactions
CAATTs (computer-assisted audit tools and techniques)
INTERNAL CONTROL
HISTORY
BRIEF HISTORY - SEC
Securities Act of 1933 and Securities Exchange Act of 1934 (which created the SEC, the Securities and Exchange Commission)
“Ivar Kreuger’s Contribution to U.S. Financial Reporting,” Accounting Review,
Flesher & Flesher
All corporations that report to the SEC are required to maintain a system of
internal control that is evaluated as part of the annual external audit.
BRIEF HISTORY - Copyright
Federal Copyright Act 1976
Protects intellectual property in the U.S.
Has been amended numerous times since
Management is legally responsible for violations of the organization
U.S. government has continually sought international agreement on terms for
protection of intellectual property globally vs. nationally
BRIEF HISTORY - FCPA
• Foreign Corrupt Practices Act 1977
▫ Accounting provisions
FCPA requires SEC registrants to establish and maintain books, records, and accounts.
It also requires establishment of internal accounting controls sufficient to meet
objectives.
Transactions are executed in accordance with management’s general or specific authorization.
Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to
maintain accountability.
Access to assets is permitted only in accordance with management authorization.
The recorded assets are compared with existing assets at reasonable intervals.
▫ Illegal foreign payments
BRIEF HISTORY - COSO
Committee of Sponsoring Organizations of the Treadway Commission - 1992
AICPA, AAA, FEI, IMA, IIA
Developed a management perspective model for internal controls over a
number of years
Is widely adopted
BRIEF HISTORY – S-OX
• Sarbanes-Oxley Act - 2002
▫ Section 404: Management Assessment of Internal Controls
Management is responsible for establishing and maintaining the internal control structure
and procedures.
Must certify, by report, the effectiveness of internal control each year, with the other
annual reports.
▫ Section 302: Corporate Responsibility for Financial Reports
Financial executives must disclose deficiencies in internal control, and fraud (whether
the fraud is material or not).
INTERNAL CONTROL OBJECTIVES, PRINCIPLES
AND MODELS
INTERNAL CONTROL
is … policies, practices, procedures … designed to …
safeguard assets
ensure accuracy and reliability
promote efficiency
measure compliance with policies
Modifying Principles
Management responsibility
Establishment and maintenance of a system of internal control is a management
responsibility
Reasonable assurance
no internal control system is perfect
the benefits of a control should exceed its costs
Methods of data processing
Objectives are the same regardless of the data-processing method
Specific controls vary with different technologies
Modifying Assumptions
Limitations
Possibility of error
Possibility of circumvention
Management override
Changing conditions
EXPOSURES AND RISK
Exposure (definition)
Risks (definition)
Types of risk
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.
THE P-D-C MODEL
Preventive controls
Detective controls
Corrective controls
Which is most cost effective?
Which one tends to be a proactive measure?
Can you give an example of each?
Predictive controls
SAS 78: Consideration of Internal Control
in a Financial Statement Audit
COSO (Treadway Commission)
The control environment
Risk assessment
Information & communication
Monitoring
Control activities
SAS 78
(#1:Control Environment -- elements)
Describe how each one could adversely affect internal control.
The integrity and ethical values
Structure of the organization
Participation of audit committee
Management’s philosophy and style
Procedures for delegating
SAS 78
(#1:Control Environment -- elements)
Management’s methods of assessing performance
External influences
Organization’s policies and practices for managing human resources
SAS 78
(#1:Control Environment -- techniques)
Describe possible activity or tool for each.
Assess the integrity of organization’s management
Conditions conducive to management fraud
Understand client’s business and industry
Determine if board and audit committee are actively involved
Study organization structure
SAS 78
(#2:Risk Assessment)
Changes in environment
Changes in personnel
Changes in I.S.
New IT’s
Significant or rapid growth
New products or services (experience)
Organizational restructuring
Foreign markets
New accounting principles
SAS 78
(#3:Information & Communication-elements)
Initiate, identify, analyze, classify and record economic transactions and
events.
Identify and record all valid economic transactions
Provide timely, detailed information
Accurately measure financial values
Accurately record transactions
SAS 78
(#3:Information & Communication-
techniques)
Auditors obtain sufficient knowledge of I.S.’s to understand:
Classes of transactions that are material
Accounting records and accounts used
Processing steps:initiation to inclusion in financial statements (illustrate)
Financial reporting process (including disclosures)
SAS 78
(#4: Monitoring)
By separate procedures (e.g., tests of controls)
By ongoing activities (Embedded Audit Modules – EAMs and Continuous
Online Auditing - COA)
SAS 78
(#5: Control Activities)
• Physical Controls (1-3)
▫ Transaction authorization
Example:
Sales only to authorized customer
Sales only if available credit limit
▫ Segregation of duties
Examples of incompatible duties:
Authorization vs. processing [e.g., processing sales vs. authorizing customers]
Custody vs. recordkeeping [e.g., custody of inventory vs. data processing of inventory records]
Separate the steps in a process so that fraud requires collusion
▫ Supervision
Serves as compensating control when lack of segregation of duties exists by necessity
• Physical Controls (4-6)
▫ Accounting records (audit trails; examples)
▫ Access controls
Direct (the assets)
Indirect (documents that control the assets)
Fraud
Disaster Recovery
▫ Independent verification
Management can assess:
The performance of individuals
The integrity of the AIS
The integrity of the data in the records
Examples
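The segregation-of-duties and supervision controls from this slide, as an IT auditor's automated check over user-to-role assignments. This is an added example, not from the lecture slides or any real product: the two conflict pairs encode the slide's incompatible duties (authorization vs. processing, custody vs. recordkeeping), while the role names, the users and the "supervised" flag standing in for the supervision compensating control are constructed for the illustration.

```python
"""Segregation-of-duties (SoD) conflict check over user-to-role assignments.

Added example, not taken from the lecture slides or any real product. The two
conflict pairs encode the slide's incompatible duties (authorization vs.
processing, custody vs. recordkeeping); the role names, the users and the
'supervised' flag used as a compensating control are constructed for this
illustration.
"""

# Incompatible duty pairs. frozenset so the order of the two roles is irrelevant.
SOD_CONFLICTS = frozenset({
    frozenset({"authorize_customer", "process_sale"}),             # authorization vs. processing
    frozenset({"inventory_custody", "inventory_recordkeeping"}),   # custody vs. recordkeeping
})

# Constructed sample data: user -> roles granted in the accounting system.
ASSIGNMENTS = {
    "alice": {"authorize_customer", "process_sale"},           # conflict, no compensating control
    "bob": {"inventory_custody", "inventory_recordkeeping"},   # conflict, but under supervision
    "carol": {"process_sale"},
    "dave": {"inventory_custody", "process_sale"},             # two roles, but not a conflicting pair
}

# Users whose work is subject to documented supervisory review (compensating control).
SUPERVISED = frozenset({"bob"})


def find_sod_violations(assignments, supervised=frozenset(), conflicts=SOD_CONFLICTS):
    """Return one finding per (user, conflicting role pair), sorted by user.

    A finding is {"user", "roles", "compensated"}. Supervision does not remove
    the conflict, so supervised users are still reported, only flagged as
    compensated; the auditor then tests the supervisory control instead of
    treating the conflict as an outright control failure.
    """
    findings = []
    for user in sorted(assignments):
        held = set(assignments[user])
        for pair in sorted(conflicts, key=sorted):
            if pair <= held:  # the user holds both incompatible roles
                findings.append({
                    "user": user,
                    "roles": tuple(sorted(pair)),
                    "compensated": user in supervised,
                })
    return findings


def unmitigated(findings):
    """Conflicts with no compensating control: these go straight into the audit report."""
    return [f for f in findings if not f["compensated"]]


if __name__ == "__main__":
    for f in find_sod_violations(ASSIGNMENTS, SUPERVISED):
        status = "compensated by supervision" if f["compensated"] else "UNMITIGATED"
        print(f"{f['user']}: {' + '.join(f['roles'])} -> {status}")
```

In practice the assignments would be exported from the ERP or identity system and the conflict matrix maintained with the business-process owners; the point of the check is that the conflict is reported whether or not it is compensated, because supervision is a substitute control whose own operation must then be tested.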
IT Risks Model
Operations
Data management systems
New systems development
Systems maintenance
Electronic commerce (The Internet)
Computer applications
Role of Audit Committee
Selected from board of directors
Usually three members
Outsiders (S-OX now requires it)
Fiduciary responsibility to shareholders
Serve as independent check and balance system
Interact with internal auditors
Hire, set fees, and interact with external auditors
Resolve conflicts over GAAP between the external auditors and management