
Chapter 1: Auditing, Assurance, and Internal Control

Presentation on theme: "Chapter 1: Auditing, Assurance, and Internal Control"— Presentation transcript:

1 Chapter 1: Auditing, Assurance, and Internal Control

2 Syllabus
- Course Description
- Textbooks
- Course Objectives
- Exams
- Research Papers
- Assignments
- Class Schedule
- Performance Evaluation

3 Syllabus (cont.)
- Class Format
  - Lecture and Discussion
  - In-Class Assignments
  - Short Presentations
- Blackboard and Class Website: stpt.usf.edu/gkearns/acg6936
- Academic Dishonesty
- Disruption of the Academic Process

4 IT AUDITS
IT audits: provide audit services where processes or data, or both, are embedded in technologies.
- Subject to ethics, guidelines, and standards of the profession (if certified)
- CISA
- Most closely associated with ISACA
- Joint with internal, external, and fraud audits
- Scope of IT audit coverage is increasing
- Characterized by CAATTs
- IT governance as part of corporate governance

5 FRAUD AUDITS
Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
- Auditor is more like a detective
- No materiality
- Goal is conviction, if sufficient evidence of fraud exists
- CFE
- ACFE

6 EXTERNAL AUDITS
External auditing: Objective is that in all material respects, financial statements are a fair representation of the organization’s transactions and account balances.
- SEC’s role
- Sarbanes-Oxley Act
- FASB - PCAOB
- CPA
- AICPA

7 ATTEST vs. ASSURANCE
ASSURANCE: Professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers.
- IT Audit Groups in “Big Four” (e.g. Final Four):
  - IT Risk Management
  - I.S. Risk Management
  - Operational Systems Risk Management
  - Technology & Security Risk Services
- Typically a division of assurance services

8 ATTEST definition
- Written assertions
- Practitioner’s written report
- Formal establishment of measurement criteria or their description
- Limited to:
  - Examination
  - Review
  - Application of agreed-upon procedures

9 THE IT ENVIRONMENT
There has always been a need for an effective internal control system. The design and oversight of that system has typically been the responsibility of accountants. The I.T. environment complicates the paper systems of the past:
- Concentration of data
- Expanded access and linkages
- Increase in malicious activities in systems vs. paper
- Opportunity that can cause management fraud (i.e., override)

10 IT Investigative and Forensic Techniques for Auditors
Purpose: To assist auditors in developing the knowledge, skills, and abilities to provide reasonable assurance for the security, availability, integrity and management of information systems and resources.

11 The IT Audit An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives.

12 The IT Audit These reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation engagement. External auditors can accept the result of an internal audit only if the function reports to the audit committee. External auditors may use and rely upon a third-party IT audit firm.

13 IT Audit Process: 8 Steps
1. Plan the audit
2. Hold kickoff meeting
3. Gather data/test IT controls
4. Remediate identified deficiencies (organization)
5. Test remediated controls
6. Analyze and report findings
7. Respond to findings (organization)
8. Issue final report (auditor)

14 INTERNAL CONTROL is … policies, practices, procedures … designed to …
- safeguard assets
- ensure accuracy and reliability
- promote efficiency
- measure compliance with policies

15 BRIEF HISTORY - SEC
SEC Acts of 1933 and 1934: All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.

16 BRIEF HISTORY - Copyright
Federal Copyright Act 1976
- Protects intellectual property in the U.S.
- Has been amended numerous times since
- Management is legally responsible for violations of the organization
- U.S. government has continually sought international agreement on terms for protection of intellectual property globally vs. nationally
Auditing (Guy) – p

17 BRIEF HISTORY - FCPA
Foreign Corrupt Practices Act 1977
- Accounting provisions: FCPA requires SEC registrants to establish and maintain books, records, and accounts. It also requires establishment of internal accounting controls sufficient to meet the following objectives:
  - Transactions are executed in accordance with management’s general or specific authorization.
  - Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
  - Access to assets is permitted only in accordance with management authorization.
  - The recorded assets are compared with existing assets at reasonable intervals.
- Illegal foreign payments

18 BRIEF HISTORY - COSO
Committee of Sponsoring Organizations - 1992
- AICPA, AAA, FEI, IMA, IIA
- Developed a management perspective model for internal controls over a number of years
- Is widely adopted

19 BRIEF HISTORY – S-OX
Sarbanes-Oxley Act - 2002
- Section 404: Management Assessment of Internal Control
  - Management is responsible for establishing and maintaining internal control structure and procedures.
  - Must certify by report on the effectiveness of internal control each year, with other annual reports.
- Section 302: Corporate Responsibility for Incident Reports
  - Financial executives must disclose deficiencies in internal control, and fraud (whether the fraud is material or not).

20 EXPOSURES AND RISK
- EXPOSURE (definition): Absence or weakness of a control
- RISK (definition): Potential threat to compromise use or value of organizational assets
- Types of risk:
  - Destruction of assets
  - Theft of assets
  - Corruption of information or the I.S.
  - Disruption of the I.S.

21 THE P-D-C MODEL
- Preventive controls
- Detective controls
- Corrective controls
- Which is most cost-effective?
- Which one tends to be proactive measures?
- Can you give an example of each?
- Predictive controls

22 COSO (Treadway Commission)
The five components of internal control are:
- The control environment
- Risk assessment
- Information & communication
- Monitoring
- Control activities

Control Environment. According to the COSO Report, the control environment “sets the tone of an organization and influences the control consciousness of its people.” It provides structure and discipline, and forms the foundation for all other components of internal control.

Risk Assessment. Risk assessment refers to the “identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with generally accepted accounting principles [GAAP] (or another comprehensive basis of accounting).”

Control Activities. Control activities are the policies and procedures that help ensure that management’s directives are carried out.

Information and Communication. The identification, capture and exchange of information in a form and timeframe that enables people to carry out their responsibilities.

Monitoring. In relation to the COSO report and SAS 78, monitoring refers to the process used to assess the quality of internal control performance over time.

Adequate internal control is a key defense (but no guarantee) against fraud, errors and program abuse.

23 SAS 78 The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) incorporated the components of internal control presented in the COSO Report in its Statement on Auditing Standards No. 78 (SAS 78), entitled “Consideration of Internal Control in a Financial Statement Audit.”

24 SAS 78 (#1: Control Environment -- elements)
Describe how each one could adversely affect internal control.
- The integrity and ethical values
- Structure of the organization
- Participation of audit committee
- Management’s philosophy and style
- Procedures for delegating
(Page 13)

25 SAS 78 (#1: Control Environment -- elements)
- Management’s methods of assessing performance
- External influences
- Organization’s policies and practices for managing human resources

26 SAS 78 (#1: Control Environment -- techniques)
Describe a possible activity or tool for each.
- Assess the integrity of the organization’s management
- Conditions conducive to management fraud
- Understand the client’s business and industry
- Determine if the board and audit committee are actively involved
- Study the organization structure

27 SAS 78 (#2: Risk Assessment)
- Changes in environment
- Changes in personnel
- Changes in I.S.
- New IT’s
- Significant or rapid growth
- New products or services (experience)
- Organizational restructuring
- Foreign markets
- New accounting principles

28 SAS 78 (#3: Information & Communication -- elements)
Initiate, identify, analyze, classify and record economic transactions and events.
- Identify and record all valid economic transactions
- Provide timely, detailed information
- Accurately measure financial values
- Accurately record transactions

29 SAS 78 (#3: Information & Communication -- techniques)
Auditors obtain sufficient knowledge of the I.S. to understand:
- Classes of transactions that are material
- Accounting records and accounts used
- Processing steps: initiation to inclusion in financial statements (illustrate)
- Financial reporting process (including disclosures)

30 SAS 78 (#4: Monitoring)
- By separate procedures (e.g., tests of controls)
- By ongoing activities (Embedded Audit Modules – EAMs, and Continuous Online Auditing – COA)

31 SAS 94
The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit
- Provides auditors with guidance on IT’s effect on internal control and on the auditor’s understanding of internal control and the assessment of control risk.
- Requires the auditor to consider how an organization’s IT use affects his or her audit strategy.
- Where a significant amount of information is electronic, the auditor may decide it is not practical or possible to limit detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such cases, the auditor should gather evidence about the effectiveness of both the design and operation of controls intended to reduce the assessed level of control risk.

SAS No. 94 and Tests of Controls
Under the auditing standards (SAS Nos. 48, 55 and 78) relevant to computer-based systems issued prior to SAS No. 94, a large percentage of auditors assessed control risk at the maximum and performed only substantive tests of account balances and classes of transactions to gather evidence about financial statement assertions. SAS No. 94 recognizes that this approach may not be viable in complex IT environments. When evidence of a firm's initiation, recording and processing of transactions exists only in electronic form, the auditor's ability to obtain the desired assurance only from substantive tests is significantly diminished. SAS No. 94 does not change the requirement to perform substantive tests on significant amounts, but states that "it is not practical or possible to restrict detection risk to an acceptable level by performing only substantive tests." When assessing the effectiveness of the design and operation of controls in complex IT environments, it is necessary for the auditor to test these controls. The decision to test controls is not related to the size of the firm but to the complexity of the IT environment.

32 SAS 78 (#5: Control Activities)

33 Physical Controls (1-3)
- Transaction authorization
  - Example: Sales only to authorized customer
  - Sales only if available credit limit
- Segregation of duties
  - Examples of incompatible duties:
    - Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
    - Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
  - Fraud requires collusion [e.g., separate various steps in process]
- Supervision
  - Serves as compensating control when lack of segregation of duties exists by necessity

34 Physical Controls (4-6)
- Accounting records (audit trails; examples)
- Access controls
  - Direct (the assets)
  - Indirect (documents that control the assets)
  - Fraud
  - Disaster Recovery
- Independent verification
  - Management can assess:
    - The performance of individuals
    - The integrity of the AIS
    - The integrity of the data in the records
  - Examples

35 IT Risks Model
- Operations
- Data management systems
- New systems development
- Systems maintenance
- Electronic commerce (The Internet)
- Computer applications

36 End Ch. 1

