CHAPTER 1:

AUDITING, ASSURANCE, & INTERNAL CONTROL

 AUDITING
Auditing is a systematic process of
objectively obtaining and evaluating
evidence regarding assertions about
economic actions and events to ascertain
the degree of correspondence between
those assertions and establishing criteria
and communicating the results to
interested users.
 INTERNAL AUDITS
 Internal auditing: independent appraisal function
established within an organization to examine
and evaluate its activities as a service to the
organization
 Financial Audits
 Operational Audits
 Compliance Audits
 Fraud Audits
 IT Audits
 CIA
 IIA
 IT AUDITS
 IT audits: provide audit services where
processes or data, or both, are embedded in
technologies.
 Subject to ethics, guidelines, and standards of the
profession (if certified)
 CISA
 Most closely associated with ISACA
 Joint with internal, external, and fraud audits
 Scope of IT audit coverage is increasing
 Characterized by CAATTs
 IT governance as part of corporate governance
 FRAUD AUDITS
 Fraud audits: provide investigation services
where anomalies are suspected, to develop
evidence to support or deny fraudulent
activities.
 Auditor is more like a detective
 No materiality
 Goal is conviction, if sufficient evidence of fraud
exists
 CFE
 ACFE
 EXTERNAL AUDITS
 External auditing: Objective is that in all material
respects, financial statements are a fair
representation of organization’s transactions
and account balances.
 SEC’s role
 Accountancy Act of 2004
 PRC-BOA
 CPA
 EXTERNAL vs. INTERNAL
 External auditing:
 Independent auditor (CPA)
 Independence defined by SEC/S-OX/AIC
 Required by SEC for publicly-traded companies
 Referred to as a “financial audit”
 Represents interests of outsiders, “the public” (e.g.,
stockholders)
 Standards, guidance, certification governed by PICPA, PRC-
BOA, SEC; delegated by SEC who has final authority
 Internal auditing:
 Auditor (often a CIA or CISA)
 Is an employee of organization imposing independence on self
 Optional per management requirements
 Broader services than financial audit; (e.g., operational audits)
 Represent interests of the organization
 Standards, guidance, certification governed by IIA and ISACA
 FINANCIAL AUDITS
 An independent attestation performed by an expert
(i.e., an auditor, a CPA) who expresses an opinion
regarding the presentation of financial statements
 Key concept: Independence
 {Should be} Similar to a trial by judge
 Culmination of systematic process involving:
 Familiarization with the organization’s business
 Evaluating and testing internal controls
 Assessing the reliability of financial data
 Product is formal written report that expresses an
opinion about the reliability of the assertions in financial
statements; in conformity with GAAP
 ATTEST definition
 Written assertions
 Practitioner’s written report
 Formal establishment of measurement criteria or their
description
 Limited to:
 Examination
 Review
 Application of agreed-upon procedures
 AUDITS
 Systematic process
 Five primary management assertions, and
correlated audit objectives and procedures
[Table 1-1]
 Existence or Occurrence
 Completeness
 Rights & Obligations
 Valuation or Allocation
 Presentation or Disclosure
 AUDITS
 Phases [Figure 1-3]
1. Planning
2. Obtaining evidence
 Tests of Controls
 Substantive Testing
 CAATTs
 Analytical procedures
3. Ascertaining reliability
 MATERIALITY
4. Communicating results
 Audit opinion
 Audit Risk Formula

AUDIT RISK:
The probability that the auditor
will give an inappropriate opinion
on the financial statements: that
is, that the statements will contain
materials misstatement(s) which
the auditor fails to find
 Audit Risk Formula

 INHERENT RISK:
The probability that material
misstatements have occurred
Material vs. Immaterial
Includes economic conditions, etc.
Relative risk (e.g., cash)
 Audit Risk Formula

CONTROL RISK:
The probability that the internal controls
will fail to detect material misstatements
 Audit Risk Formula

DETECTION RISK:
The probability that the audit procedures
will fail to detect material misstatements
Substantive procedures
 Audit Risk Formula
 AUDIT RISK MODEL:
 AR = IR * CR * DR
 example inventory with:
IR=40%, CR=60%, AR=5% (fixed)
.05 = .4 * .6 * DR
... then DR=4.8%
 Why is AR = 5%?
 What is detection risk?
 Can CR realistically be 0?
 Relationship between DR and substantive
procedures
 Audit Risk Model

 Relationshipbetween tests of controls and

substantive tests
 Illustrate higher reliability of the internal controls and
the Audit Risk Model
 What happens if internal controls are more reliable than last
audit?
 Last year: .05 = .4 * .6 * DR [DR = 4.8]
 This year: .05 = .4 * .4 * DR [DR = 3.2]
 The more reliable the internal controls, the lower the CR
probability; thus the lower the DR will be, and fewer
substantive tests are necessary.
 Substantive tests are labor intensive
 Role of Audit Committee
 Selected from board of directors
 Usually three members
 Outsiders (SEC now requires it)
 Fiduciary responsibility to shareholders
 Serve as independent check and balance
system
 Interact with internal auditors
 Hire, set fees, and interact with external
auditors
 Resolved conflicts of GAAP between external
auditors and management
 What is an IT Audit?

… most accounting transactions to be in

electronic form without any paper
documentation because electronic
storage is more efficient. … These
technologies greatly change the nature of
audits, which have so long relied on
paper documents.
 THE IT ENVIRONMENT

 There has always been a need for an effective

internal control system.
 The design and oversight of that system has
typically been the responsibility of accountants.
 The I.T. Environment complicates the paper
systems of the past.
 Concentration of data
 Expanded access and linkages
 Increase in malicious activities in systems vs. paper
 Opportunity that can cause management fraud (i.e.,
override)
 THE IT ENVIRONMENT

 Audit planning
 Tests of controls
 Substantive tests
CAATTs
 INTERNAL CONTROL
 is … policies, practices, procedures
… designed to …
 safeguard assets
 ensure accuracy and reliability
 promote efficiency
 measure compliance with policies
 BRIEF HISTORY - COSO
Committee on Sponsoring Organizations - 1992

1. AICPA, AAA, FEI, IMA, IIA

2. Developed a management perspective model
for internal controls over a number of years
3. Is widely adopted
 EXPOSURES AND RISK
 Exposure (definition)
 Risks (definition)
 Types of risk
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.
 THE P-D-C MODEL
 Preventive controls
 Detective controls
 Corrective controls
 Which is most cost effective?
 Which one tends to be proactive measures?
 Can you give an example of each?
 Predictive controls
Consideration of Internal Control in a
Financial Statement Audit
COSO
The control environment
Risk assessment
Information & communication
Monitoring
Control activities
 #1:Control Environment --
elements

 The integrity and ethical values

 Structure of the organization
 Participation of audit committee
 Management’s philosophy and style
 Procedures for delegating
#1:Control Environment -- elements

 Management’s methods of assessing

performance
 External influences
 Organization’s policies and practices for
managing human resources
#1:Control Environment -- Techniques

 Assess the integrity of organization’s

management
 Conditions conducive to management fraud
 Understand client’s business and industry
 Determine if board and audit committee are
actively involved
 Study organization structure
 #2:Risk Assessment
 Changes in environment
 Changes in personnel
 Changes in I.S.
 New IT’s
 Significant or rapid growth
 New products or services (experience)
 Organizational restructuring
 Foreign markets
 New accounting principles
#3:Information & Communication-
Elements
 Initiate, identify, analyze, classify and record
economic transactions and events.
 Identifyand record all valid economic
transactions
 Provide timely, detailed information
 Accurately measure financial values
 Accurately record transactions
#3:Information & Communication-Techniques

 Auditors obtain sufficient knowledge of

I.S.’s to understand:
 Classes of transactions that are material
 Accounting records and accounts used
 Processing steps:initiation to inclusion in
financial statements (illustrate)
 Financial reporting process (including
disclosures)
 #4: Monitoring
 By separate procedures (e.g., tests of
controls)
 By ongoing activities (Embedded Audit
Modules – EAMs and Continuous Online
Auditing - COA)
#5: Control Activities
 #5: Control Activities
 Physical Controls (1-3)
 Transaction authorization
 Example:
 Sales only to authorized customer
 Sales only if available credit limit
 Segregation of duties
 Examples of incompatible duties:
 Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
 Custody vs. recordkeeping [e.g., custody of inventory vs. DP of
inventory]
 Fraud requires collusion [e.g., separate various steps in process]
 Supervision
 Serves as compensating control when lack of segregation of
duties exists by necessity
 #5: Control Activities
 Physical Controls (4-6)
 Accounting records (audit trails; examples)
 Access controls
 Direct (the assets)
 Indirect (documents that control the assets)
 Fraud
 Disaster Recovery
 Independent verification
 Management can assess:
 The performance of individuals
 The integrity of the AIS
 The integrity of the data in the records
 Examples
 IT Risks Model
 Operations
 Data management systems
 New systems development
 Systems maintenance
 Electronic commerce (The Internet)
 Computer applications