Chapter 1: Auditing and Internal Control
Monday, 12 September 2022 4:45 am
External (Financial) Audits
• Attest service
○ performed by CPAs who work for public accounting firms that are independent of the client
organization being audited.
▪ A key concept in this process is independence.
▪ The independent auditor collects and evaluates evidence and renders an opinion based
on the evidence.
○ The following requirements apply to attestation services:
▪ Attestation services require written assertions and a practitioner’s written report.
▪ Attestation services require the formal establishment of measurement criteria or their
description in the presentation.
▪ The levels of service in attestation engagements are limited to examination, review, and
application of agreed-upon procedures.
• Advisory services
○ professional services offered by public accounting firms to improve their client organizations’
operational efficiency and effectiveness.
○ advisory services units of public accounting firms responsible for providing IT control-related
client support have different names in different firms, but they all engage in tasks known
collectively as IT risk management.
Internal Audits
• Internal auditing
○ an independent appraisal function established within an organization to examine and
evaluate its activities as a service to the organization.
○ typically conducted by auditors who work for the organization, but this task may be
outsourced to other organizations.
External auditors vs Internal auditors
External Auditor
• Represent outsiders
• prohibited by professional standards from relying on evidence provided by the internal auditors.
• can rely in part on evidence gathered by internal audit departments that are organizationally
independent and report to the board of directors’ audit committee
Internal Auditor
• represent the interests of the organization
• often cooperate with and assist external auditors in performing aspects of financial audits.
• They report directly to the controller.
Fraud Audits
• Its objective is to investigate anomalies and gather evidence of fraud that may lead to criminal
conviction.
• Fraud auditors have earned the Certified Fraud Examiner (CFE) certification, which is governed by
the Association of Certified Fraud Examiners (ACFE).
Audit Committee
• has special responsibilities regarding audits.
• Usually consists of three people who should be outsiders.
• at least one member of the audit committee must be a “financial expert.”
• Corporate frauds often have some bearing on audit committee failures.
FINANCIAL AUDIT COMPONENTS
• The product of the attestation function is a formal written report that expresses an opinion about the
reliability of the assertions contained in the financial statements.
• The auditor expresses an opinion on whether the financial statements (FS) are in conformity with GAAP,
because external users depend on the auditor's opinion about the reliability of the FS to make decisions.
1. Auditing Standards
2. A Systematic Process
○ particularly important in the IT environment.
○ Conducting an audit is a systematic and logical process that applies to all forms of information
systems.
3. Management Assertions and Audit Objectives
○ The financial statements reflect management assertions about the financial health of the entity.
○ The auditor develops audit objectives, designs procedures, and gathers evidence that corroborates
or refutes management's assertions.
○ These assertions fall into five general categories:
▪ The existence or occurrence assertion affirms that all assets and equities contained in
the balance sheet exist and that all transactions in the income statement actually
occurred.
▪ The completeness assertion declares that no material assets, equities, or transactions
have been omitted from the financial statements.
▪ The rights and obligations assertion maintains that assets appearing on the balance
sheet are owned by the entity and that the liabilities reported are obligations.
▪ The valuation or allocation assertion states that assets and equities are valued in
accordance with GAAP and that allocated amounts such as depreciation expense are
calculated on a systematic and rational basis.
▪ The presentation and disclosure assertion alleges that financial statement items are
correctly classified (e.g., long-term liabilities will not mature within one year) and that
footnote disclosures are adequate to avoid misleading the users of financial statements.
4. Obtaining Evidence
○ Auditors seek evidential matter that corroborates management assertions.
5. Ascertaining Materiality
○ Must determine whether weaknesses in internal controls and misstatements found in
transactions and account balances are material.
○ In an IT environment, this decision is complicated further by technology and a sophisticated
internal control structure.
6. Communicating Results
○ Auditors must communicate the results of their tests to interested users.
○ IT auditors often communicate their findings to internal and external auditors, who can then
integrate these findings with the non-IT aspects of the audit
AUDIT RISK - is the probability that the auditor will render an unqualified (clean) opinion on financial
statements that are, in fact, materially misstated.
• Acceptable audit risk (AR) is estimated based on the ex ante value of the components of the audit
risk model.
○ INHERENT RISK
▪ Associated with the unique characteristics of the business or industry of the client.
▪ Firms in declining industries have greater inherent risk than firms in stable or thriving
industries.
▪ Auditors cannot reduce the level of inherent risk.
○ CONTROL RISK
▪ The likelihood that the control structure is flawed because controls are either absent or
inadequate to prevent or detect errors in the accounts.
▪ Auditors assess the level of control risk by performing tests of internal controls.
○ DETECTION RISK
▪ The risk that auditors are willing to take that errors not detected or prevented by the
control structure will also not be detected by the auditor.
▪ Auditors set an acceptable level of detection risk (planned detection risk) that influences
the level of substantive tests that they perform.
○ Audit Risk Model
▪ AR = IR × CR × DR
▪ Tests of controls and substantive tests are auditing techniques used for reducing audit risk
to an acceptable level.
▪ The stronger the internal control structure, the lower the control risk and the less
substantive testing.
▪ The weaker the internal control structure, the greater the control risk and the more
substantive testing.
▪ NOTE: IR (cannot be changed), CR (must be lower so that DR is high) = this results in a
stronger ICS.
THE STRUCTURE OF AN IT AUDIT
• Audit Planning
○ Review Organization’s Policies, Practices, and Structure
○ Review General Controls and Application Controls
○ Plan Tests of Controls and Substantive Testing Procedures
• Test of Controls
○ The purpose of this phase is to determine whether adequate internal controls are in place and
functioning properly.
○ The evidence-gathering techniques used in this phase may include both manual techniques
and specialized computer audit techniques.
○ At the conclusion of the tests-of-controls phase, the auditor must assess the quality of the internal
controls by assigning a level for control risk.
• Substantive Testing
○ It focuses on financial data.
○ Detailed investigation of specific account balances and transactions.
○ Some substantive tests are physical, labor-intensive activities, such as counting cash, counting
inventories in the warehouse, and verifying the existence of stock certificates in a safe.
INTERNAL CONTROL
• An organization’s internal control system comprises policies, practices, and procedures to achieve
four broad objectives:
a. To safeguard assets of the firm.
b. To ensure the accuracy and reliability of accounting records and information.
c. To promote efficiency in the firm’s operations.
d. To measure compliance with management’s prescribed policies and procedures.
• LIMITATIONS
a. the possibility of error—no system is perfect
b. circumvention—personnel may circumvent the system through collusion or other means
c. management override— management is in a position to override control procedures by
personally distorting transactions or by directing a subordinate to do so
d. changing conditions—conditions may change over time so that existing effective controls may
become ineffectual.
• The PDC Model
○ Preventive controls - are passive techniques designed to reduce the frequency of occurrence of
undesirable events. Preventing errors and fraud is far more cost-effective than detecting and
correcting problems after they occur.
○ Detective controls - are devices, techniques, and procedures designed to identify and expose
undesirable events that elude preventive controls. Detective controls reveal specific types of
errors by comparing actual occurrences to preestablished standards.
○ Corrective actions - actually fix the problem.
• COSO Internal Control Framework
○ Control environment - the foundation for the other four control components and sets the tone
for the organization and influences the control awareness of its management and employees.
Important elements of the control environment are:
▪ The integrity and ethical values of management.
▪ The structure of the organization.
▪ The participation of the organization’s board of directors and the audit committee, if one
exists.
▪ Management’s philosophy and operating style.
▪ The procedures for delegating responsibility and authority.
▪ Management’s methods for assessing performance.
▪ External influences, such as examinations by regulatory agencies.
▪ The organization’s policies and practices for managing its human resources.
○ Risk assessment - to identify, analyze, and manage risks relevant to financial reporting.
▪ Changes in the operating environment that impose new or changed competitive
pressures on the firm.
▪ New personnel who have a different or inadequate understanding of internal control.
▪ New or reengineered information systems that affect transaction processing.
▪ Significant and rapid growth that strains existing internal controls.
▪ The implementation of new technology into the production process or information
system that impacts transaction processing.
▪ The introduction of new product lines or activities with which the organization has little
experience.
▪ Organizational restructuring resulting in the reduction and/or reallocation of personnel
such that business operations and transaction processing are affected.
▪ Entering into foreign markets that may impact operations (that is, the risks associated
with foreign currency transactions).
▪ Adoption of a new accounting principle that impacts the preparation of financial
statements.
• Transaction Authorization - to ensure that all material transactions processed by the information
system are valid and in accordance with management’s objectives.
• Segregation of Duties - to minimize incompatible functions.
○ Objective 1. The segregation of duties should be such that the authorization for a transaction is
separate from the processing of the transaction.
○ Objective 2. Responsibility for asset custody should be separate from the record-keeping
responsibility.
○ Objective 3. The organization should be structured so that a successful fraud requires collusion
between two or more individuals with incompatible responsibilities.
• Supervision - is often called a compensating control.
• Accounting Records - the accounting records of an organization consist of source documents,
journals, and ledgers.
• Access Control - its purpose is to ensure that only authorized personnel have access to the firm’s assets.
• Independent Verification - independent checks of the accounting system to identify errors and
misrepresentations.
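
The three segregation-of-duties objectives above can be tested against a table of who holds which duty. The Python below is an added example, not part of the original notes; the duty names, user names and sample assignments are constructed for illustration.

```python
from itertools import combinations

# Incompatible duty pairs, from Objectives 1 and 2 of the notes.
OBJ1 = "Objective 1: authorization vs. processing"
OBJ2 = "Objective 2: asset custody vs. record keeping"
INCOMPATIBLE = {
    OBJ1: {"authorize", "process"},
    OBJ2: {"custody", "record"},
}

def sod_violations(assignments):
    """Return sorted (user, objective) pairs where one person holds both duties."""
    return sorted(
        (user, label)
        for user, duties in assignments.items()
        for label, pair in INCOMPATIBLE.items()
        if pair <= set(duties)
    )

def collusion_needed(assignments):
    """Objective 3: fewest people who together hold each incompatible pair.

    1 means one person can act alone; 2 or more means fraud needs collusion;
    None means a duty in the pair is assigned to nobody.
    """
    users = sorted(assignments)
    result = {}
    for label, pair in INCOMPATIBLE.items():
        result[label] = None
        for size in range(1, len(users) + 1):
            if any(pair <= set().union(*(assignments[u] for u in group))
                   for group in combinations(users, size)):
                result[label] = size
                break
    return result

# Constructed sample assignments (hypothetical users, not from the notes).
SEGREGATED = {"alice": {"authorize"}, "bob": {"process"},
              "carol": {"custody"}, "dave": {"record"}}
MIXED = {"alice": {"authorize"}, "bob": {"process"},
         "carol": {"custody", "record"}}

if __name__ == "__main__":
    for name, table in (("segregated", SEGREGATED), ("mixed", MIXED)):
        print(name, sod_violations(table), collusion_needed(table))
```

In the MIXED table, carol can take an asset and alter the record of it without anyone else's help, which is the condition Objective 3 is meant to rule out.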