CH 1 Auditing and Internal Control
INTERNAL CONTROL
Definition of Auditing
Auditing Standards
Sarbanes-Oxley Act of 2002
Internal Control
COSO Internal Control Framework
Auditing
American Accounting Association Definition:
• Auditing is a systematic process of objectively obtaining
and evaluating evidence regarding assertions about
economic actions and events to ascertain the degree of
correspondence between the assertions and established
criteria and communicating the results to interested
users. (AAA Committee on Basic Auditing Concepts)
Roles of Audit
1. ASSURANCE
2. CONSULTING
Types of Audit:
• Financial
• Operational
• Administrative
• IS
• Forensic
Auditing Standards
• Generally Accepted Auditing Standards (GAAS)
• General Qualification Standards
• Field work standards
• Reporting Standards
• Statements on Auditing Standards (SASs) –
authoritative interpretations of GAAS issued by AICPA
Generally Accepted Auditing Standards (GAAS)
General Standards
1. The auditor must have adequate technical training and proficiency
2. The auditor must have independence of mental attitude
3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report
Standards of Fieldwork
1. Audit work must be adequately planned
2. The auditor must gain a sufficient understanding of the internal control structure
3. The auditor must obtain sufficient, competent evidence
Reporting Standards
1. The auditor must state in the report whether financial statements were prepared in accordance with GAAP
2. The report must identify those circumstances in which GAAP were not applied
3. The report must identify any items that do not have adequate informative disclosures
4. The report shall contain an expression of the auditor’s opinion on the financial statements as a whole
IT Controls: Sarbanes-Oxley Act of 2002
• Sarbanes-Oxley, Sarbox, SOX
• United States Federal Law enacted on July 30, 2002
• Enacted in response to a number of major corporate and
accounting scandals which shook investor confidence in
financial statements
• 2 Key Provisions:
1. Section 302 – requires senior management to certify their internal
controls quarterly and annually, external auditors to perform quarterly
procedures to identify material modifications in controls over financial
reporting
2. Section 402 – requirement that management and auditors establish
internal controls and reporting methods on the adequacy of those
controls
IT Controls: Sarbanes-Oxley Act of 2002
• AUDIT IMPLICATION:
• SOX legislation mandates external auditors to attest to
management’s assessment of internal controls:
• issue a separate audit opinion in addition to the fairness of financial
statements and
• perform quarterly procedures to identify any material modifications
in controls over financial reporting:
• Interview Management regarding any significant changes in the design
and operation of internal control that occurred subsequent to preceding
annual audit or prior review of interim financial information
• Evaluate the implications of misstatements identified by the auditor as
part of the interim review that relate to effective internal controls
• Determine whether changes in internal controls are likely to materially
affect internal control over financial reporting
IT Controls: Sarbanes-Oxley Act of 2002
• AUDIT IMPLICATION:
• SOX places responsibility on auditors to detect fraudulent
activity
• PCAOB Standard No. 5 specifically requires auditors to
understand transaction flows, including controls pertaining
to how transactions are initiated, authorized, recorded,
and reported.
Internal Controls
A process that helps an entity achieve its objectives:
1. To safeguard assets of the firm
2. To ensure accuracy and reliability of accounting records and
information
3. To promote efficiency in the firm’s operations
4. To measure compliance with management’s prescribed
policies and procedures
4 Modifying Principles:
• Management Responsibility
• Data Processing
• Limitations – error, circumvention, management override,
changing conditions
• Reasonable Assurance
Internal Controls
[Figure: COSO cube relating the COSO Objectives to the Components of Internal Control]
COSO 2013 Framework: The Five Components
1. Control Environment – the culture of internal controls
at the organization
2. Risk Assessment – an activity in which all of the
organization’s activities, and their associated risks, are
reviewed and each is rated on a spectrum from low risk
to high risk.
3. Control Activities – procedures and controls put in
place to mitigate risks
4. Information and communication – how management
communicates the culture of compliance and the
specific policies individuals need to follow
5. Monitoring – ongoing evaluations, separate
evaluations, or some combination of both to ascertain
that each component is present and functioning
COSO 2013 Framework: Objectives
1. Operations Objectives – related to the effectiveness and efficiency of
entity’s operations, including operational and financial performance
and goals, and safeguarding assets against loss
2. Reporting Objectives – related to the internal and external reporting
to the stakeholders, which would encompass reliability, timeliness,
transparency, or other terms as established by regulators, standard
setters, or the entity’s policies.
3. Compliance Objectives – related to adhering to laws and regulations
that the entity must follow
COSO 2013 Framework
Google Company
COSO Objective: Operations
Threat to the objective: Loss of employee morale
Control Objective: To keep employees positive and motivated