Auditing in a CIS Environment
If your auditee uses software applications in their audit, you are auditing in a CIS environment.

Traditional Auditing        Audit in CIS Environment
Manual                      Software
Working Papers

Auditing requires an auditor to release a written opinion.

Agreed Upon Procedures
- Mini auditing
- There is a specific item a client wants to audit
- There is still a need to issue an opinion
- Also referred to as a non-assurance service

Chapter 1: Auditing and Internal Control

Auditing
- Assertion – a claim
- Attestation – issues a written opinion
- Reliability of management's assertions

An auditor is governed by a strict sense of standard. On discovering an error, an auditor must assess whether or not the error would result in a material change and inform management immediately.

Unqualified Opinion – doesn't have any kind of adverse comments and doesn't include any disclaimers about any clauses or the audit process.

Qualified Opinion – a written statement by a certified public accountant in an audit report, stating that the financial statements of a client are fairly presented, except for a specified issue.

Adverse Opinion – no compliance with the Standard at all.

Disclaimer – no statement to issue. No audit has been done.

If you are the one preparing the financial statements, you are not allowed to audit the same. It is important to ensure this so as not to impair independence and reliability.

Threat – self-review threat. Opinions are no longer reliable when you audit your own financial statements.

Safeguard – does not eliminate the threat, it only reduces it to an acceptable level. If the audit and accounting firm are the same, you can assign the bookkeeping to another person and audit yourself as a safeguard against the self-review threat.

External Audit                          Internal Audit
An audit performed by an                Auditor is an employee of the entity.
external auditor.                       Internal to the auditee.
Scope: only refers to FS audit.         Scope: anything under the sun
Focused on FS.                          (i.e. Operations, HR, Quality Control).
                                        To retain independence, the Internal
                                        Audit Team will not report directly to
                                        the auditee but to an Audit Committee,
                                        which is a subcommittee of the BOD.

BOD                     Management Team
Elected                 Appointed
Honorarium              Salary
Stockholder             May not hold shares of stock
Oversight               Day-to-day operations

Audit Committee
- Subcommittee of the BOD

Fraud Audit – performed as part of the investigation that would lead to a criminal prosecution. Usually comes in after suspicion of irregularity, discrepancy and/or fraud.

Why is there a misstatement?
1. Error (mistake)
2. Irregularity (intentional)

Auditing standards on external audit only prescribe us to discover misstatements arising from errors, not fraud.

Audit Risk – risk that the financial statements are materially incorrect.

Audit Risk Formula:
Inherent Risk x Control Risk x Detection Risk

CR      DR      Result/Effect
                More ST
                Fewer ST

Inherent Risk – Planning Phase
Control Risk – Test of Control Phase
Detection Risk – Substantive Testing Phase

These phases must be followed in chronological order.

Planning Phase
- Get to know the company
- Come up with the Audit Program
- Assess the Internal Risk

Testing Phase
- Test of Internal Controls
- Determine whether adequate internal controls are in place and functioning properly

Internal Controls:
a. Independent Verification
b. Transaction Authorization
c. Segregation of Duties
d. Supervision
e. Accounting Records
f. Access Controls

General Rule: you should always perform the Test of Controls before you perform the Substantive Test.

Substantive Testing Phase
- This process focuses on financial data.
- Conduct different substantive tests.
Substantive Tests – involve a detailed investigation of account balances and transactions.

Substantive Test vs. Test of Controls
In test of controls, you do not care about the financial statements; you do care how accurate the FS are.
In substantive test, you investigate account balances and transactions thoroughly.

Three Types of Internal Controls

Preventive Controls – first line of defense at the data entry level. They are proactive in that they attempt to deter or prevent undesirable events from occurring.

Detective Controls – provide evidence that an error or irregularity has occurred.

Corrective Controls – put in place when errors or irregularities have been detected.

COSO Internal Control Framework

1. Control Environment
The control environment seeks to make sure that all business processes are based on the use of industry-standard practices. This can help ensure that the business is run in a responsible way. It may also reduce an organization's legal exposure if the organization is able to prove that its business processes are all based on industry-standard practices. Additionally, the control environment can help with making sure that an organization is adhering to regulatory compliance requirements.

2. Risk Assessment and Management
Risk assessment and management, which is sometimes referred to as enterprise risk management, is based on the idea that risk is an inherent part of doing business. However, those same risks can sometimes cause a business to suffer adverse consequences. As such, organizations commonly adopt risk management plans that help them to identify risks and either reduce or eliminate risks deemed to pose a threat to the organization's well-being.

3. Information and Communication
Communication rules are put in place to make sure that both internal and external communications adhere to legal requirements, ethical values and standard industry practices. For example, private sector organizations commonly adopt privacy policies establishing how customer data can be used.

4. Monitoring Activities
At a minimum, monitoring is performed by an internal auditor who makes sure that employees are adhering to established internal controls. However, in the case of public companies, it is relatively common for an outside auditor to evaluate the organization's regulatory compliance. In either case, the audit results are usually reported to the board of directors.

5. Control Activities
Control activities are also tied to the concept of risk management. They are essentially internal controls that are put into place to make sure that business processes are performed in a way that helps an organization to meet its business objectives without introducing unnecessary risks into the process.
- Physical Controls
- IT Controls
    General
    Application

CHAPTER II: IT GOVERNANCE

Controls implemented by the client to manage a company's IT system.

Three Major Issues
1. Organizational structure of the IT function
2. Computer center operation
3. Disaster recovery planning

Centralized Organizational Chart
President
    VP Marketing
    VP Finance
    VP IT Services
        Systems Development Manager
            New Systems Development
            Systems Maintenance
        Database Administrator
        Data Processing Manager
            Data Conversion
            Computer Operations
            Data Library
    VP Admin
    VP Operations

Distributed Data Processing – an arrangement in which each department has its own IT function. Data is stored locally in the respective departments.

Risk in DDP
1. Inefficient use of resources
    a. Mismanagement of organization-wide IT resources by end users
    b. Increased risk of operational inefficiencies