
Acctg 19


Auditing is a systematic process by which a competent, independent person objectively obtains and
evaluates evidence regarding assertions about economic actions and events to ascertain the degree
of correspondence between those assertions and established criteria, and communicates the results
to interested users.

Objective: To enable the auditor to express an opinion whether the financial statements are
prepared, in all material respects, in accordance with an applicable financial reporting framework.

A CIS environment exists when a computer of any type or size is involved in the processing by the
entity of financial information whether the computer is operated by the entity or by a third party.

Computer Hardware
CPU
• Main storage unit
• Arithmetic and logic unit
• Control unit
• Input device
• Output device

Computer Software - series of programs or routines that provide instructions for operating the
computer

TWO BROAD CATEGORIES:


1. Application programs
2. Systems software

Nature of an IT Audit
• A CIS environment may affect:
a. The procedures followed in obtaining a sufficient understanding of the accounting
and internal control systems.
b. The consideration of inherent and control risk.
c. The design and performance of tests of controls and substantive procedures.

Characteristics
1. Lack of transaction trails
2. Uniform processing of transactions
3. Lack of segregation of functions
4. Potential for errors and irregularities

Impact of IT to Audit Examination

Transaction trails exist for shorter periods of time or only in electronic form | Auditors may have limited ability to examine some forms of documentary evidence
Errors in IT environment are uniform across all transactions | Auditors can restrict their test to one transaction or occurrence of a potential error
Input errors are unique to IT | Auditors must test the operating effectiveness of controls designed to prevent and detect input errors.
Transactions are processed centrally in an IT department in a computerized system. Thus, an individual who has access to computer programs, processing or data may be in a position to perform incompatible functions. | Auditor should examine the operations of the IT department to verify the appropriate segregation of duties
Permanent information is easier to alter without being detected in an IT environment | Auditors should periodically verify the accuracy of permanent information in an IT environment

Computerized System vs. Manual

Lack of visible transaction trail
Computerized: Data can be entered directly into the computer system without supporting documents.
Manual: Follow a transaction through the system by examining source documents, entity’s records, and financial reports.

Consistency of performance
Computerized: CIS performs functions exactly as programmed. Clerical error is eliminated.
Manual: Human intervention.

Ease of Access to Data and Computer Programs
Computerized: Data and computer programs may be accessed and altered by unauthorized persons, leaving no visible evidence.
Manual: Cannot be easily altered.

Concentration of Duties
Computerized: Incompatible combination of functions may be combined without weakening the internal control provided appropriate compensating controls are put in place.
Manual: Proper segregation of duties.

System generated transactions
Computerized: Certain transactions may be initiated by the CIS itself without the need for input documents.
Manual: Manually inputted.

Vulnerability of data and program storage media
Computerized: The information can be easily changed, leaving no trace of the original content.
Manual: The records are written in ink on substantial paper.

Centralized Data Processing
One or more large computers housed at a central site that serve users throughout the organization perform all data processing.
- Concentrated processing power for handling all processing needs
- Lower computer hardware costs, due to a sole large computer and likely economies of scale
- Better control security and coordination over processing and data storage functions
- Facilitation of the data base approach, since complexities of distributed data are avoided
- Standardized planning, procedures and documentation
- Availability of highly skilled information system professionals who are attracted to larger centralized installation

Distributed Data Processing
The computer services function is reorganized into small information processing units that are distributed to end users and placed under their control.
- User satisfaction due to control over processing
- Better responsiveness to processing needs of users
- More efficient use of computer resources and balancing of their processing loads
- Built-in computer system back-ups due to multiple computers
- Flexibility and adaptability

Batch systems assemble transactions into groups for processing, resulting in a time lag between the
point at which an economic event occurs and the point at which it is reflected in the entity’s
account.

Three key points:
a. Transactions flow through the system in batches. In any particular batch, transactions may
add, change, or delete information in the master file.
b. If CRTs are used in batch processing, it may appear to the user that changes are occurring
immediately to the master file. Often a temporary batch file is set up and the transactions
are processed later in the day.
c. Batch processing normally leaves a relatively easy to follow audit trail.

Real-time systems process transactions individually at the moment the economic event occurs. No
time lags between occurrence and recording.

AREA | BATCH | REAL-TIME
Information time frame | Lags exist between time frame when the economic event occurs and when it is recorded | Processing takes place when the economic event occurs
Resources | Generally, fewer resources (hardware, programming and training) are required | More resources are required than for batch processing
Efficiency | Large numbers of transactions are processed with fewer resources committed | Greater resource commitment is required per unit of output
Audit implications | Error correction can be complex, creating the danger those errors will not be corrected properly, the correction will not be made at all, or the correction will be made more than once | Auditors rely heavily on the entity’s controls; auditing needs to be conducted more continuously

Internet commerce or I-commerce - Defined as the use of Internet to conduct electronic data
interchange among trading partners

Electronic commerce or E-commerce - a broader concept, pertains to the use of all types of network,
including the internet, to aid a firm in performing its responsibilities

Applications:
POS (Point-of-sale)
EFT (Electronic Funds Transfers)
EDI (Electronic Data Interchanges)

TWO COMPONENTS:
A. Database
- Is a collection of data that is shared and used by a number of different users for different purposes
B. Database Management System (DBMS)
- Software that is used to create, maintain and operate the database

LESSON 2 AUDITING & INTERNAL CONTROL


Auditing
- Information Technology (IT) developments have had a tremendous impact on auditing.
- Business organizations undergo different types of audits for different purposes.
- Most common are external (financial) audits, internal audits and fraud audits.

External (Financial) Audits


• Independent attestation performed by an expert, the auditor, who expresses an opinion
regarding the presentation of financial statements
• Required by SEC for all public companies
• Key concept is INDEPENDENCE:
  - Similar to a trial by judge
  - Auditor collects evidence and renders opinion
  - Basis of public confidence in financial statements

Attest service vs. Advisory service


Requirements of attest services:
• Written assertions and practitioner’s written report
• Formal establishment of measurement criteria
• Limited to examination, review and application of agreed-upon procedures

Advisory services are offered to improve client’s operational effectiveness and efficiency.
SOX greatly restricts the types of non-audit services auditors may render to audit clients.
• Unlawful to provide many accounting, financial, internal audit, management, human
resource or legal services unrelated to the audit.

Internal Audits
Internal auditing is an independent appraisal function to examine and evaluate activities within, and
as a service to, an organization.
Internal auditors perform a wide variety of activities including financial, operational, compliance and
fraud audits.
Auditors may work for the organization or task may be outsourced.
• Independence is self-imposed, but auditors represent the interests of the organization.

External vs. Internal auditors


• External auditors represent outsiders while internal auditors represent organization’s interests.
• Internal auditors often cooperate with and assist external auditors in some aspects of financial
audits.
• Extent of cooperation depends upon the independence and competence of the internal
audit staff.
• External auditors can rely in part on evidence gathered by internal audit departments that are
organizationally independent and report to the board of directors’ audit committee.

Fraud Audits
• Recent increase in popularity as a corporate governance tool.
• Objective to investigate anomalies and gather evidence of fraud that may lead to criminal
convictions.
• May be initiated by management who suspect employee fraud or the board of
directors who suspect executive fraud.

Role of the Audit Committee


The board of directors of publicly traded companies forms a subcommittee known as the audit
committee.
• Three members who are outsiders
• SOX requires that at least one member be a ‘financial expert’
The audit committee serves as an independent “check and balance” for the internal audit function
and liaison with external auditors.
SOX mandates that external auditors report to the audit committee:
• Committee hires and fires auditors and resolves disputes.

Auditing Standards
• Three classes of auditing standards:
(1) GENERAL QUALIFICATION,
(2) FIELD WORK and
(3) REPORTING.
Specific guidance provided by AICPA Statements on Auditing Standards (SASs) as authoritative
interpretations of GAAS.
• First one issued in 1972.
• If recommendations are not followed, auditor must be able to show why a SAS does not
apply to a given situation.
• Conducting an audit is a systematic and logical process that applies to all forms of
information systems.

Management Assertions and Audit Objectives


Auditors develop audit objectives and design audit procedures based on these assertions.
1. The existence or occurrence assertion affirms that all assets and equities contained in the
balance sheet exist and that all transactions in the income statement actually occurred.

2. The completeness assertion declares that no material assets, equities, or transactions have
been omitted from the financial statements.

3. The rights and obligations assertion maintains that assets appearing on the balance sheet
are owned by the entity and that the liabilities reported are obligations.

4. The valuation or allocation assertion states that assets and equities are valued in
accordance with GAAP and that allocated amounts such as depreciation expense are
calculated on a systematic and rational basis.

5. The presentation and disclosure assertion alleges that financial statement items are
correctly classified (e.g., long-term liabilities will not mature within one year) and that
footnote disclosures are adequate to avoid misleading the users of financial statements.

• Auditors seek evidential matter that corroborates assertions.
• Auditors must determine whether internal control weaknesses and misstatements are material.
• Auditors must communicate the results of their tests, including an audit opinion.

Audit Risk
• Probability that the auditor may render an inappropriate opinion on the financial statement.
INHERENT RISK (IR) is the risk that the auditor may deliberately conclude that the financial
statements are misstated.
CONTROL RISK (CR) is the likelihood the control structure is flawed because controls are either
absent or inadequate to prevent or detect errors.
DETECTION RISK (DR) is the risk auditors are willing to take that errors not detected or prevented by
the control structure will not be detected by the auditors.

Audit Risk Model: AR = IR x CR x DR

Detection Risk: DR = AR / (IR x CR)

Tests of controls and substantive tests are auditing techniques used for reducing audit risk to an
acceptable level.
The stronger the internal control structure, the lower the control risk probability, which leads to a
lower DR and, in turn, to fewer substantive tests being required.

PHASES OF AN IT AUDIT

INTERNAL CONTROL
Organization management is required by law to establish and maintain an adequate system of
internal control.
Brief history of internal control legislation:
SEC Acts of 1933 and 1934
Securities Act of 1933 - (1) requires that investors receive financial and other significant information
concerning securities being offered for public sale; and (2) prohibits deceit, misrepresentations, and
other fraud in the sale of securities.

Copyright Law—1976
Foreign Corrupt Practices Act (FCPA) of 1977
1. Keep records that fairly and reasonably reflect the transactions of the firm and its financial
position.
2. Maintain a system of internal control that provides reasonable assurance that the organization’s
objectives are met.

Committee of Sponsoring Organizations 1992 – committee to address frauds


Sarbanes–Oxley Act of 2002 - requires management of public companies to implement adequate
internal control system over their financial reporting process
Under Section 302:
Managers must certify organization’s internal controls quarterly and annually.
External auditors must perform certain procedures quarterly to identify any material modifications
that may impact financial reporting.

Section 404 requires management of public companies to assess the effectiveness of their internal
control in an annual report.

INTERNAL CONTROL SYSTEM


Internal control system comprises policies, practices, and procedures to achieve four broad
objectives:
• Safeguard assets of the firm.
• Ensure accuracy and reliability of accounting records and information.
• Promote efficiency in the firm’s operations.
• Measure compliance with management’s prescribed policies and procedures.

Preventive Controls - passive techniques designed to reduce the frequency of occurrence of
undesirable events.
Detective Controls - devices, techniques, and procedures designed to identify and expose
undesirable events that elude preventive controls.
Corrective Controls - reverse the effects of detected errors. There is an important distinction
between detective controls and corrective controls.

COSO Internal Control Framework


The control environment is the foundation for the other four control components and includes
management integrity and ethical values, organizational structure, board of directors participation,
and management’s philosophy and operating style.
A risk assessment must be performed to identify, analyze and manage financial reporting risks.

An effective accounting information system will identify and record all valid financial transactions,
provide timely information, and adequately measure and record transactions.
Monitoring is the process by which the quality of internal control design and operation can be
assessed.
• Control activities are policies and procedures to ensure actions are taken to deal with identified risks.
• Physical controls relate primarily to human activities employed in accounting systems.
• Information technology controls

CATEGORIES OF CONTROL ACTIVITIES
