Auditing, Assurance and Internal Control


JUNE 11, 2021 (1st Discussion)

UNIT 1 AUDITING, ASSURANCE, AND INTERNAL CONTROL
and its relationship to Information Technology

Audit Defined
“Auditing is a systematic process of objectively obtaining and evaluating evidence regarding
assertions about economic actions and events to ascertain the degree of correspondence
between those assertions and established criteria and communicating the results to interested
users.”

Different Types of Audit

- Internal Audits – an independent appraisal function established within an organization to
examine and evaluate its activities as a service to the organization.
- External Audits – also known as financial audits, these are associated with auditors who work
outside, or independent of, the organization being audited. The objective is always
associated with the presentation of financial statements – in particular, that in all material
respects, the statements are fairly presented.
- Fraud audits – performed by external auditors under agreed-upon procedures, by an
independent fraud audit unit under contract, or by the internal audit function when so
charged. The goal is not assurance but an investigation of anomalies – the gathering of
evidence of fraud, with the legal goal of a conviction.
- IT audit – associated with auditors who use technical skills and knowledge to audit
through the computer system, or provide audit services where processes or data, or both,
are embedded in technologies.

What is an IT Audit?
An IT audit focuses on the computer-based aspects of an organization’s information system. This
audit includes assessing the proper implementation, operation, and control of computer
resources.

The IT Environment
There has always been a need for an effective internal control system to protect the integrity of
the accounting processes and data.

The design and oversight of that system has typically been the responsibility of accountants,
especially the auditors.

The Structure of an IT Audit

Audit Planning
- A major part of this phase of the audit is the analysis of audit risk.
- The auditor’s objective is to obtain sufficient information about the firm to plan the other
phases of the audit.
- The auditor also identifies the financially significant applications and attempts to
understand the controls over the primary transactions that are processed by these
applications.
- Techniques for gathering evidence at this phase include: conducting questionnaires,
interviewing management, reviewing system documentation, and observing activities.

Test of Controls
- The objective is to determine whether adequate internal controls are in place and functioning properly.
- The evidence-gathering techniques include both manual and specialized computer audit
techniques.
- At the conclusion of this phase, the auditor must assess the quality of internal controls.

Substantive Testing
- Involves a detailed investigation of specific account balances and transactions.
- In an IT environment, the information needed to perform substantive tests is contained in
data files that often must be extracted using Computer-Assisted Audit Tools and
Techniques (CAATTs) software.

Internal Control
The internal control system comprises policies, practices, and procedures employed by the
organization to achieve four broad objectives:
- To safeguard assets of the firm
- To ensure the accuracy and reliability of accounting records and information
- To promote efficiency in the firm’s operations
- To measure compliance with management’s prescribed policies and procedures

Modifying Assumptions
Inherent in the control objectives are four modifying assumptions that guide designers and
auditors of internal control systems.
- Management Responsibility
- Reasonable Assurance
- Methods of Data Processing
- Limitations

Management Responsibility
o This concept holds that the establishment and maintenance of a system of internal
control is a management responsibility.
Reasonable Assurance
o The internal control system should provide reasonable assurance that the four
broad objectives of internal control are met.
o No system of internal control is perfect, and the cost of achieving improved control
should not outweigh its benefits.
Methods of Data Processing
o The internal control system should achieve the four broad objectives regardless of
the data processing method used.
o However, the specific techniques used to achieve these objectives will vary with
different types of technology.
Limitations
o Every system of internal control has limitations on its effectiveness.
o These include:
  - The possibility of error
  - Circumvention
  - Management override
  - Changing conditions

Risk and Exposure

- Risk is the potential threat to compromise the use or value of an organizational asset.
- Exposure is the absence or weakness of a control.
- A weakness in internal control may expose the firm to one or more of the following types
of risks:
o Destruction of assets
o Theft of assets
o Corruption of information or the information system
o Disruption of the information system

The PDC Model

Internal control consists of three levels of control, namely:
- Preventive
- Detective
- Corrective

This approach is called the PDC control model.


Preventive Controls
- Preventive controls are the first line of defense in the control structure.
- These are passive techniques designed to reduce the frequency of occurrence of
undesirable events.
- Preventing errors and fraud is far more cost-effective than detecting and correcting
problems after they occur.

Detective Controls
- Detection of problems is the second line of defense.
- These are devices, techniques, and procedures designed to identify and expose undesirable
events that elude preventive controls.
- These reveal specific types of errors by comparing actual occurrences to preestablished
standards.

Corrective Controls
- Actions that must be taken to reverse the effects of detected errors.
- Detective controls identify undesirable events and draw attention to the problem; corrective
controls actually fix the problem.

Components of Internal Control

The five components of internal control:
1. The control environment
2. Risk assessment
3. Information and communication
4. Monitoring
5. Control activities

The Control Environment

- It is the foundation for the other four control components.
- It sets the tone for the organization and influences the control awareness of its
management and employees.

Techniques that may be used to obtain an understanding of the control environment:

- Auditors should assess the integrity of the organization’s management and may use
investigative agencies to report on their backgrounds.
- Auditors should be aware of conditions that would predispose the management of an
organization to commit fraud.
- Auditors should understand a client’s business and industry and should be
aware of conditions peculiar to the industry that may affect the audit.
- Auditors should determine if the organization’s board of directors is actively involved in
establishing business policy and if it monitors management and organization operations.
- From organizational charts and job descriptions, auditors can assess whether segregation
between organizational functions is adequate.

Risk Assessment
Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to
financial reporting.

Auditors must obtain sufficient knowledge of the organization’s risk assessment procedures to
understand how management identifies, prioritizes, and manages the risks related to financial
reporting.

Information and Communication

The accounting information system consists of the records and methods used to initiate, identify,
analyze, classify, and record the organization’s transactions and to account for the related assets
and liabilities.

Monitoring
Monitoring is the process by which the quality of internal control design and operation can be
assessed.

Ongoing monitoring may be achieved by integrating special computer modules into the
information system that capture key data and/or permit tests of controls to be conducted as part
of routine operations.

Another technique for achieving ongoing monitoring is the judicious use of management reports.

Control Activities
These are the policies and procedures used to ensure that appropriate actions are taken to deal
with the organization’s identified risks.

Control activities can be divided into:

- Computer controls
- Physical controls

COMPUTER CONTROLS

General Controls
- General controls pertain to entity-wide concerns such as controls over the data center,
organization databases, system access, system development, and program maintenance.
- General controls apply to a wide range of risks that systematically threaten the integrity of
all applications processed within the IT environment.

Application Controls
- Application controls ensure the integrity of specific systems such as sales order
processing, accounts payable, and payroll applications.
- Application controls are narrowly focused on risks associated with specific systems.

PHYSICAL CONTROLS
- These relate primarily to traditional accounting systems that employ manual procedures.
- However, an understanding of these control concepts also gives insight into the risks and
control concerns associated with the IT environment.
- The six traditional categories of physical control include: transaction authorization,
segregation of duties, supervision, accounting records, access control, and independent
verification.

Transaction Authorization
The purpose of transaction authorization is to ensure that all material transactions processed by
the information system are valid and in accordance with management’s objectives.
- General authority is granted to operations personnel to perform day-to-day operations.
- Special authority is usually a management responsibility.

In an IT environment, transaction authorization may consist of coded rules embedded within
computer programs.
Transactions may be initiated automatically and without human involvement. This may make it
difficult for auditors to assess whether these transactions are in compliance with management’s
objectives.
In an IT environment, the responsibility for achieving the control objectives of transaction
authorization rests directly on the accuracy and consistency (integrity) of the computer
programs that perform these tasks.

Segregation of Duties
The following are the three objectives that serve as guidelines for segregation of duties:
- The segregation of duties should be such that authorization for a transaction is separate
from the processing of the transaction.
- Responsibility for the custody of assets should be separate from the recording
responsibility.
- The organization should be structured so that a successful fraud requires collusion
between two or more individuals with incompatible responsibilities.
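The "coded rules embedded within computer programs" described under Transaction Authorization, combined with the first segregation-of-duties objective (authorization separate from processing), can be expressed as a small rule check. This is an added example, not code from the original notes; the role names, users, approval limit and transactions are constructed assumptions.

```python
"""Added example: coded authorization rules plus a segregation-of-duties check.
Roles, users, the approval limit and the transactions are constructed sample data."""
from dataclasses import dataclass

# Constructed role assignments: who may process (clerk) and who may approve.
ROLES = {
    "alice": {"clerk"},
    "bob": {"supervisor"},
    "carol": {"manager"},
    "dave": {"clerk", "supervisor"},  # one person holding incompatible duties
}
# Assumed policy: general authority covers amounts up to this limit;
# anything larger needs special (management) authority.
GENERAL_LIMIT = 10_000
# Duty pairs that must not rest with one individual: processing vs authorizing.
INCOMPATIBLE_PAIRS = [("clerk", "supervisor"), ("clerk", "manager")]


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    initiator: str  # who processed (entered) the transaction
    approver: str   # who authorized it
    amount: float


def sod_violations(roles=ROLES):
    """Users whose role set combines incompatible duties (a control exposure)."""
    return sorted(
        user for user, held in roles.items()
        if any(a in held and b in held for a, b in INCOMPATIBLE_PAIRS)
    )


def authorize(tx, roles=ROLES):
    """Apply the coded rules; return (approved, reason) for the audit trail."""
    if tx.initiator == tx.approver:
        return False, "authorization must be separate from processing"
    held = roles.get(tx.approver, set())
    if tx.amount <= GENERAL_LIMIT:
        if held & {"supervisor", "manager"}:
            return True, "general authority"
        return False, "approver lacks general authority"
    if "manager" in held:
        return True, "special authority"
    return False, "amount exceeds general limit; special authority required"
```

An auditor reviewing such a program would test both paths: that the limit and role rules reject what they should, and that the role table itself contains no user like "dave" who could both process and approve.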

Supervision
In an IT environment, supervisory control must be more elaborate than in manual systems for
three reasons:
- The first relates to the problem of attracting competent employees.
- The second reflects management’s concern over the trustworthiness of data processing
personnel in high-risk areas.
- The third reason is management’s inability to adequately observe employees in an IT
environment.

Accounting Records
Traditional accounting records of an organization consist of source documents, journals, and
ledgers. These records capture the economic essence of transactions and provide an audit trail of
economic events.

The audit trail enables the auditor to trace any transaction through all phases of its processing
from the initiation of the event to the financial statements.
Organizations must maintain an audit trail for two reasons:
- This information is needed for conducting day-to-day operations.
- The audit trail plays an essential role in the financial audit of the firm.

The obligation to maintain an audit trail exists in an IT environment just as it does in a manual
setting.
The audit trail may take the form of pointers, hashing techniques, indexes, or embedded keys that
link record fragments between and among the database tables.
In the IT environment, part or all of the audit trail is in digital form. Thus, it is imperative in the
IT environment that programmers and analysts understand the importance of logs, and how to
capture a sufficient amount of data for audit trail purposes.
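One concrete form of the "hashing techniques" and "embedded keys" mentioned above is a digital audit trail in which each log entry carries the hash of the entry before it, so that an altered, deleted or reordered entry is detected when the chain is recomputed (a detective control). This is an added example, not code from the original notes; the three linked records (sales order, invoice, ledger posting) are constructed sample data.

```python
"""Added example: a hash-chained digital audit trail. The three linked records
(sales order, invoice, ledger posting) are constructed sample data."""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(seq, prev_hash, record):
    """SHA-256 over the entry's position, its predecessor's hash and its content."""
    payload = json.dumps({"seq": seq, "prev": prev_hash, "record": record},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(log, record):
    """Append a record so that it is linked to the entry before it."""
    seq = len(log)
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"seq": seq, "prev": prev_hash, "record": record,
             "hash": _digest(seq, prev_hash, record)}
    log.append(entry)
    return entry


def verify_chain(log):
    """Recompute every link; return (True, None) or (False, first bad seq)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev_hash:
            return False, i  # entry deleted, reordered or inserted
        if _digest(i, prev_hash, entry["record"]) != entry["hash"]:
            return False, i  # entry content altered after the fact
        prev_hash = entry["hash"]
    return True, None


def build_sample_log():
    """Constructed trail: embedded keys link fragments across three tables."""
    log = []
    append_entry(log, {"table": "sales_order", "key": "SO-1001", "amount": 500.0})
    append_entry(log, {"table": "invoice", "key": "INV-2001",
                       "order_key": "SO-1001", "amount": 500.0})
    append_entry(log, {"table": "gl_posting", "key": "GL-3001",
                       "invoice_key": "INV-2001", "amount": 500.0})
    return log
```

The embedded keys (order_key, invoice_key) let an auditor trace the transaction from the sales order to the ledger posting, and the hash chain tells them whether the trail they are reading is the one that was written.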

Access Controls
The purpose of access controls is to ensure that only authorized personnel have access to the
firm’s assets.
Unauthorized access exposes assets to misappropriation, damage, and theft.
In the IT environment, accounting records are often concentrated within the data processing
center on mass storage devices. Data consolidation exposes the organization to two forms of
threat: (1) computer fraud and (2) losses from disaster.

Another problem in the IT environment is controlling access to computer programs.
During the development phase, computer applications come under a great deal of scrutiny and
testing intended to expose logic errors. However, concern for application integrity should not
cease when systems are implemented.

Access controls in an IT environment cover many levels of risk.
Controls that address these risks include techniques designed to limit personnel access authority,
restrict access to computer programs, provide physical security for the data processing center,
ensure adequate backup for data files, and provide disaster recovery capability.

Independent Verification
These are independent checks of the accounting system to identify errors and
misrepresentations.
Through independent verification procedures, management can assess:
- The performance of individuals,
- The integrity of the transaction processing system, and
- The correctness of data contained in accounting records.

The timing of verification depends on the technology employed in the accounting system and the
task under review.
Independent verification control is needed in the manual environment because employees
sometimes make mistakes or forget to perform necessary tasks. In an IT environment, computer
programs perform many routine tasks.
Still, most of the concern rests with application integrity.

In the IT environment, IT auditors perform an independent verification function by evaluating
controls over systems development and maintenance activities and occasionally by reviewing the
internal logic of programs.

QUIZ
Question 1/10
Which of the following is defined as a "systematic process of objectively obtaining and evaluating
evidence regarding assertions about economic actions and events to ascertain the degree of
correspondence between those assertions and established criteria and communicating the
results to interested users"?

Select your answer.

- Auditing
- Accounting
- Accounting Information System
- Information System

Question 2/10
Which of the following is an audit associated with auditors who use technical skills and
knowledge to audit through the computer system, or provide audit services where processes or
data, or both, are embedded in technologies?

Select your answer.

- IT audit
- External audit
- Internal audit
- Fraud audit

Question 3/10
Which of the following audits aims to investigate anomalies by gathering evidence of fraud
and has the legal goal of conviction of individuals?

Select your answer.

- IT audit
- Fraud audit
- External audit
- Internal audit

Question 4/10
IT audit is generally divided into three phases as follows, except

Select your answer.

- Systems analysis
- Audit planning
- Substantive testing
- Test of controls

Question 5/10
The major part of this phase of IT audit is the analysis of audit risk. What phase is this?

Select your answer.

- Systems design
- Audit planning
- Systems analysis
- Test of controls

Question 6/10
In an IT environment, the information needed to perform substantive tests is contained in data
files that often must be extracted using

Select your answer.

- Computer-Assisted Audit Tools and Techniques
- System architecture
- Mnemonic codes
- Accounting Information System

Question 7/10
Internal control has limitations on its effectiveness brought by the following, except

Select your answer.

- Management override
- Employee fraud
- Circumvention of controls
- The possibility of error

Question 8/10
Internal control consists of three levels of control, as follows, except

Select your answer.

- Detective
- Predictive
- Corrective
- Preventive

Question 9/10
This pertains to entity-wide concerns such as controls over the data center, organization databases,
system access, system development, and program maintenance. What is it?

Select your answer.

- Data controls
- General controls
- Internal controls
- Application controls

Question 10/10
These controls ensure the integrity of specific systems such as sales order processing, accounts
payable, and so on.

Select your answer.

- Access controls
- Application controls
- Physical controls
- General controls
