Auditing and Internal Control

The document provides an overview of auditing and internal control, including the differences between attestation services and advisory services, external and internal audits, and fraud audits. It discusses audit risk components like inherent risk, control risk, and detection risk, and how the audit risk model incorporates these components to determine the scope, nature, and timing of audit procedures.

Auditing and Internal Control
Chapter 1

LEARNING OBJECTIVES
After studying this chapter, you should:

● Know the difference between attest services and advisory services and be able to explain the relationship between the two.
● Understand the structure of an audit and have a firm grasp of the conceptual elements of the audit process.
● Understand internal control categories presented in the COSO framework.
● Be familiar with the key features of Sections 302 and 404 of the Sarbanes-Oxley Act.
● Understand the relationship between general controls, application controls, and financial data integrity.

Introduction
This chapter provides an overview of IT auditing. We begin by
describing the various types of audits that organizations
commission and distinguish between the auditor’s traditional
attestation responsibility and the emerging field of advisory
services.
OVERVIEW OF AUDITING
Business organizations undergo different types of audits for
different purposes. The most common of these are:
● External (financial) audits
● Internal audits
● Fraud audits.
Each of these is briefly outlined in the following slides.
External (Financial) Audits
An external audit is an independent attestation performed by an expert (the auditor) who expresses an opinion regarding the presentation of financial statements.
Attestation Service - is performed by Certified Public Accountants (CPA) who work for
public accounting firms that are independent of the client organization being audited. The
audit objective is always associated with assuring the fair presentation of financial
statements. These audits are, therefore, often referred to as financial audits.

The CPA’s role is similar in concept to a judge who collects and evaluates evidence and
renders an opinion. A key concept of this process is Independence.
Advisory Services - are professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness. The domain of advisory services is intentionally unbounded so that it does not inhibit the growth of future services that are currently unforeseen.

The advisory services units of public accounting firms responsible for providing
IT control-related client support have different names in different firms, but they
all engage in tasks known collectively as IT risk management.
Attestation Service VS Advisory Services

An important distinction needs to be made regarding the external auditor’s traditional attestation service and the rapidly growing field of advisory services, which many public accounting firms offer.
• Attestation services require written assertions and a practitioner’s written report.
• Attestation services require the formal establishment of measurement criteria or their description in the presentation.
• The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.

• Bookkeeping or other services related to the accounting records or financial statements of the audit client.
• Financial information systems design and implementation.
• Appraisal or valuation services, fairness opinions, or contribution-in-kind reports.
• Actuarial services.
• Internal audit outsourcing services.
• Management functions or human resources.
• Broker or dealer, investment adviser, or investment banking services.
• Legal services and expert services unrelated to the audit.
• Any other service that the board determines, by regulation, is impermissible.
Internal Audits
The Institute of Internal Auditors (IIA) defines internal auditing as an
independent appraisal function established within an organization to examine
and evaluate its activities as a service to the organization.
Internal auditors perform a wide range of activities on behalf of the organization, including
conducting financial audits, examining an operation’s compliance with organizational
policies, reviewing the organization’s compliance with legal obligations, evaluating
operational efficiency, and detecting and pursuing fraud within the firm.

• An internal audit is typically conducted by auditors who work for the organization, but
this task may be outsourced to other organizations. Internal auditors are often certified as
a Certified Internal Auditor (CIA) or a Certified Information Systems Auditor (CISA).
External VS Internal Auditors
The characteristic that conceptually distinguishes external auditors from
internal auditors is their respective constituencies:

While external auditors represent outsiders, internal auditors represent the interests of the organization. Nevertheless, in this capacity, internal auditors often cooperate with and assist external auditors in performing aspects of financial audits.

The independence and competence of the internal audit staff determine the
extent to which external auditors may cooperate with and rely on work
performed by internal auditors.
Fraud Audits
In recent years, fraud audits have, unfortunately, increased in popularity as a
corporate governance tool.

The objective of a fraud audit is to investigate anomalies and gather evidence of fraud
that may lead to criminal conviction. Sometimes fraud audits are initiated by
corporate management who suspect employee fraud.

Typically, fraud auditors have earned the Certified Fraud Examiner (CFE) certification, which is governed by the Association of Certified Fraud Examiners (ACFE).
What is the role of the audit committee?
THE ROLE OF THE AUDIT COMMITTEE
• The board of directors of publicly traded companies forms a subcommittee known as the audit committee, which has special responsibilities regarding audits. This committee usually consists of three people who should be outsiders.

• With the advent of the Sarbanes-Oxley Act, at least one member of the audit committee must be a “financial expert.” The audit committee serves as an independent “check and balance” for the internal audit function and liaison with external auditors.

• To be effective, the audit committee must be willing to challenge the internal auditors (or the entity performing that function) as well as management, when necessary. Part of its role is to look for ways to identify risk. For instance, it might serve as a sounding board for employees who observe suspicious behavior or spot fraudulent activities. In general, it becomes an independent guardian of the entity’s assets by whatever means is appropriate.
FINANCIAL AUDIT COMPONENT
Auditing Standards
A Systematic Process

Conducting an audit is a systematic and logical process that applies to all forms of information systems. While important in all audit settings, a systematic approach is particularly important in the IT environment.
Management Assertions and Audit Objectives
The organization’s financial statements reflect a set of management assertions about the financial health of the
entity.
AUDIT RISK
Audit risk is the probability that the auditor will render
an unqualified (clean) opinion on financial statements
that are, in fact, materially misstated. Material
misstatements may be caused by errors or irregularities
or both.
Audit Risk Components
The auditor’s objective is to achieve a level of audit risk
that is acceptable to the auditor. Acceptable audit risk
(AR) is estimated based on the ex ante value of the
components of the audit risk model.

These are inherent risk, control risk, and detection risk.
Inherent risk - is associated with the unique characteristics of the business
or industry of the client.
Control risk - is the likelihood that the control structure is flawed because
controls are either absent or inadequate to prevent or detect errors in the
accounts.
Detection risk - is the risk that auditors are willing to take that errors not
detected or prevented by the control structure will also not be detected by
the auditor.
INTERNAL CONTROL
Organization management is required by law to establish and maintain an
adequate system of internal control.

The establishment and maintenance of a system of internal control is an important management obligation. A fundamental aspect of management’s
stewardship responsibility is to provide shareholders with reasonable
assurance that the business is adequately controlled. A
Audit Risk Model
Financial auditors use the audit risk components in a
model to determine the scope, nature, and timing of
substantive tests. The audit risk model is:
The Relationship Between Tests of Controls and Substantive Tests
• Tests of controls and substantive tests are auditing techniques used for reducing audit risk to an acceptable level. The stronger the internal control structure, as determined through tests of controls, the lower the control risk and the less substantive testing the auditor must do.
THE IT AUDIT
The public expression of the auditor’s opinion is the culmination of a systematic financial audit process
that involves three conceptual phases: audit planning, tests of controls, and substantive testing. An IT
audit focuses on the computer-based aspects of an organization’s information system; and modern
systems employ significant levels of technology.
INTERNAL CONTROL OBJECTIVES, PRINCIPLES, AND MODELS
An organization’s internal control system comprises policies, practices, and procedures to achieve four broad objectives:

1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.
Modifying Principles
Inherent in these control objectives are four modifying principles that guide
designers and auditors of internal control systems, which are:

• Management Responsibility

• Methods of Data Processing

• Limitations

• Reasonable Assurance
Management Responsibility
This concept holds that the establishment and maintenance of a system of internal control is a management responsibility.
Methods of Data Processing
The internal control system should achieve the four broad objectives regardless of the data processing method used, although objectives will vary with different technologies.
Limitations
Every system of internal control has limitations on its effectiveness.
These include:
1. The possibility of error.
2. Circumvention.
3. Management override.
4. Changing conditions.
Reasonable Assurance
The internal control system should provide reasonable assurance that the four broad objectives of internal control are met. This reasonableness means that the cost of achieving improved control should not outweigh its benefits.
The PDC Model
Preventive Controls - Prevention is the first line of defense in the control structure. Preventive controls are passive techniques designed to reduce the frequency of occurrence of undesirable events. Preventive controls force compliance with prescribed or desired actions and thus screen out aberrant events.

Detective Controls - Detection of problems is the second line of defense. Detective controls are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.

Corrective Controls - Corrective actions must be taken to reverse the effects of detected errors. Corrective controls actually fix the problem. For any detected error, there may be more than one feasible corrective action, but the best course of action may not always be obvious.
COSO Internal Control Framework
Consists of five components:
• The control environment
• Risk assessment
• Information and communication
• Monitoring
• Control activities.
The Control Environment
The control environment is the foundation for the other four control
components. The control environment sets the tone for the
organization and influences the control awareness of its management
and employees.
Risk Assessment
Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting.
Information and Communication
The accounting information system consists of the records and
methods used to initiate, identify, analyze, classify, and record the
organization’s transactions and to account for the related assets and
liabilities.
Monitoring

Management must determine that internal controls are functioning as intended. Monitoring is the process by which the quality of internal control design and operation can be assessed.
Control Activities
Control activities are the policies and procedures used to ensure that
appropriate actions are taken to deal with the organization’s identified
risks. Control activities can be grouped into two distinct categories:
physical controls and information technology (IT) controls.
Physical Controls - This class of controls relates primarily to the human activities employed in accounting systems. These activities may be purely manual, such as the physical custody of assets, or they may involve the physical use of computers to record transactions or update accounts.
Transaction Authorization.
The purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives. Authorizations may be general or specific.
Segregation of Duties.
One of the most important control activities is the segregation of employee duties to minimize incompatible functions. Segregation of duties can take many forms, depending on the specific duties to be controlled.
Supervision.
Implementing adequate segregation of duties requires that a firm employ a sufficiently large number of employees. Achieving adequate segregation of duties often presents difficulties for small organizations.

Accounting Records.
The accounting records of an organization consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events.
Access Control.
The purpose of access controls is to ensure that only authorized personnel have access to the firm’s assets. Unauthorized access exposes assets to misappropriation, damage, and theft.

Independent Verification.
Verification procedures are independent checks of the accounting system to identify errors and misrepresentations. Verification differs from supervision because it takes place after the fact, by an individual who is not directly involved with the transaction or task being verified.
IT Controls
Information technology drives the financial reporting processes of modern organizations. Automated systems
initiate, authorize, record, and report the effects of financial transactions.

COSO identifies two broad groupings of IT controls: Application controls and General controls.

Application controls - ensure the validity, completeness, and accuracy of financial transactions. These controls are designed to be application-specific.

General controls - although general controls do not control specific transactions, they have an effect on transaction integrity. For example, consider an organization with poor database security controls.
Audit Implications of SOX
Prior to the passage of SOX, external auditors were not required to test internal
controls as part of their attest function. They were required to be familiar with
the client organization’s internal controls, but had the option of not relying on
them and thus not performing tests of controls. Therefore the audit could, and
often did, consist primarily of substantive tests.

SOX legislation dramatically expands the role of external auditors by mandating that they attest to the quality of their client organizations’ internal controls.

Management is responsible for implementing such controls, and auditors are expressly required to test them. Because computers lie at the heart of the modern organizations’ accounting and financial reporting systems, the topic of computer fraud falls within the management and audit responsibilities imposed by SOX.

The scene is set for viewing control techniques and tests of controls that might be required under SOX. PCAOB Auditing Standard No. 5 emphasizes that management and auditors use a risk-based approach rather than a one-size-fits-all approach in the design and assessment of controls.