Audit Guidance Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits


Audit Guidance Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits
Mickie E. Gray & David B. Hayes
U.S. Government Accountability Office

IS Controls – Audit Objectives
IS Support is Required to Identify, Quantify and Respond to:
- Control Risk – opinion/reporting on internal control
- Audit Risk – compliance with evidence standards & design of audit procedures

Managing Audit Risk
Audit Risk = Risk of Material Misstatement × Detection Risk
- Audit Risk is a combination of Risk of Material Misstatement and Detection Risk.
- Risk of Material Misstatement is the auditor’s combined assessment of inherent risk and control risk (SAS No. 107).
- Detection Risk is the risk that the auditor will not detect a material misstatement that exists in an assertion.

Understanding Risk – Auditor’s Perspective
- An auditor can (MUST) control detection risk by changing the nature, timing, and extent of audit procedures.
- An auditor cannot control the risk of material misstatement. However, an auditor MUST assess the risk of material misstatement.
- Assessing the risk of material misstatement (the risk assessment process) allows the auditor to gather information and to design further audit procedures that reduce audit risk to an acceptably low level.

Important Auditing Standards that Should be Consulted when Planning & Performing IS Audit Procedures
- SAS-108 – Planning and Supervision
- SAS-106 – Audit Evidence
- SAS-109 – Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
- SAS-110 – Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
- SAS-115 – Communicating Internal Control Matters Identified in an Audit
- AT-501 – An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements
- Government Auditing Standards (Yellow Book)

Objectives of this Session
- Include IS in engagement designs so that objectives are achieved
- Determine skill sets and resources needed for the engagement team
- Identify elements of an effective audit approach
- Introduce the FISCAM methodology for engagements that include IS work

Different Types of Engagements
- Financial Audits (including Attestations) - Express an opinion on financial statements (or selected information)
- Performance Audits - Determine the reliability of performance measures of a specific program or activity

Comparison of Standards for Performance and Financial Audits
How do the audit standards compare?
- Based on the audit standards, material = significant.
- Financial auditors “obtain sufficient appropriate audit evidence…to afford a reasonable basis for an opinion”
- Performance auditors “provide reasonable assurance that evidence is sufficient and appropriate to support…conclusions”
- Standards for assessment of risk, evaluation of internal controls, understanding of the entity and quality of evidence are the same
Source: Government Auditing Standards GAO-07-731G

Planning the Engagement
What is needed to achieve objectives?
- Multi-discipline teams - auditors, specialists, contractors
- Strong auditor leadership - control and management of teams and their members
- An approach that is inclusive of automation

Preliminary Steps for IS Work
What approach, inclusive of automation, will achieve adequate information system (IS) coverage?
- Develop an understanding of the process
- Understand the information and IS infrastructure
- Identify and assess risks

Take Advantage of the COSO Internal Control Framework
Develop an understanding of the process, including components of internal control.
- Control Environment
- Information & Communication
- Risk Assessment
- Monitoring
- Control Activities

FISCAM – A Structured IS Audit Methodology
How is the approach implemented?
- Federal Information System Controls Audit Manual (FISCAM), GAO-09-232G - February 2009
- Methodology for performing IS control audits involving federal information and/or federal funds
- Designed such that GAGAS will be achieved
- Risk-based and efficient approach to assessing the effectiveness of IS controls

FISCAM Structure
- Top-down, risk-based approach that considers materiality/significance
- Evaluation of entity-wide controls & effect on audit risk
- Evaluation of general controls & effect on application controls
- Evaluation of security management at all levels - entitywide, system, and business process application levels
- Control hierarchy - control categories, critical elements, control activities, and control techniques

What are IS Controls?
Internal controls that are dependent on information systems processing and include:
- general controls
- business process application controls
- user controls

IS Control Types
- General controls and business process application controls are always IS controls.
- User controls* can be IS controls.
* User controls are manual controls -- controls that are performed by people interacting with IS controls and are IS controls if their effectiveness depends on information systems processing or reliability of information processed by information systems.

General & Application Controls
- General Controls - policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure the proper operation of information systems by creating the environment for proper operation of application controls.
- Business Process Application Controls - controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing.

General Control Categories
- Security Management
- Access Control
- Configuration Management
- Segregation of Duties
- Contingency Planning

Application Control Categories
- Application Security (application level general controls)
- Business process controls
- Interface controls
- Data management system controls

Relationship Between Controls
Effective general controls can support the effectiveness of business process application controls, while ineffective general controls generally render business process application controls ineffective.

Audit Guidance
What General Controls are being relied upon?
[Figure: Typical Agency Network Map. Source: Unnamed Agency]

FISCAM – A Tool for Auditors
- A structured, standards-based approach for planning and conducting IS work
- An efficient, risk-based approach to conduct IS work with limited audit resources
- An organized approach that will support the collection and organization of audit documentation and promote effective reporting

Achieving Objectives
Using FISCAM can help achieve the overall objectives needed in all audit engagements that involve IS work:
- Identify, Assess and Report on Control Risk
- Manage Audit Risk

Contact Information
- Mickie E. Gray – GAO Financial Management and Assurance Team, graym@gao.gov
- David B. Hayes – GAO Applied Research and Methods Team, hayesd@gao.gov