12/9/2017

Objectives:

To emphasize the evolving role of the controller from a financial

Auditing and Internal Control fact recorder to a strategic financial business adviser.
know the difference between attest and advisory services
and be able to explain the relationship between the two;
Auditing in CIS Environment
explain the structure of an audit and have a firm grasp of
Tue 1-4pm the conceptual elements of the audit process;
Ronni Bulante explain internal control categories presented in the COSO
framework;
discuss the key features of section 302 and 404 of the
Sarbanes-Oxley Act; and
explain the relationship between general controls,
application controls, and financial data integrity.

Objectives

explain the risks of incompatible functions and how to

structure the IT function;
discuss the controls and precautions required to ensure
the security of an organizations computer facilities;
explain the key elements of a disaster recovery plan; and
discuss the benefits, risks, and audit issues related to IT
outsourcing.
explain the different approaches in data management; and
Understand the relationship between controlling and
auditing data management systems.

Auditing (AICPA) Role of Financial Controller

Auditing is a systematic process of objectively

obtaining evidence regarding assertions about
economic actions and events to ascertain the degree
of correspondence between these assertions and
established criteria and communicating the results to
interested users

https://www.huntercampbell.co.nz/changing-role-financial-
controller/

1
 12/9/2017

Attest Function and Advisory Relationship: Management

Services assertions and Audit objectives
An independent review of an audit conducted by an accountant.
An attest function examines all the data used in the audit as well
as the finished audit report. Conducted by a certified public
accountant (CPA), it is intended to express an opinion on
the accuracy of a company's financial statements.

A range of consulting services provided by Certified Public

Accountants (CPA) and other financial advisors to businesses
and high net worth individuals who require specialized advice on
capital formation, cash flow and wealth management. Advisory
clients pay fees based on services provided or as a percent of
assets under management.

www.businessdictionary.com/definition/advisory-services.html

Audit : Structure and Elements of **

Test of Controls and Substantive Test
Process
Test of controls is an audit test to test the
effectiveness of the client's internal control
system. substantive procedures is an
audit test to test the reasonableness of items in the
financial statements. ... If the internal controls are
less effective, then the auditor will use more
on substantive tests.

COSO framework : Internal Control SOX : Sec 302 and 404

The Committee of Sponsoring Organizations of the
Treadway Commission (COSO) is a joint initiative to
combat corporate fraud. It was established in
the United States by five private sector organizations,
dedicated to guide executive management and
governance entities on relevant aspects of
organizational governance, business ethics, internal
control, enterprise risk management, fraud,
and financial reporting.
Section 302:
Corporate Responsibility for Financial Reports
The essence of Section 302 of the Sarbanes-Oxley Act states that the CEO and CFO are
directly reponsible for the accuracy, documentation and submission of all financial
reports as well as the internal control structure to the SEC. Here is the direct excerpt
from the Sarbanes-Oxley Act of 2002 report:
a. Regulations Required. The Commission shall, by rule, require, for each company
filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of
1934, that the principal executive officer or officers and the principal financial officer
or officers, or persons performing similar functions, certify in each annual or quarterly
report filed or submitted under either such section of such Act that--
1. the signing officer has reviewed the report;
2. based on the officer's knowledge, the report does not contain any untrue
statement of a material fact or omit to state a material fact necessary in order to make
the statements made, in light of the circumstances under which such statements were
made, not misleading;
3. based on such officer's knowledge, the financial statements, and other financial
information included in the report, fairly present in all material respects the financial
condition and results of operations of the issuer as of, and for, the periods presented
in the report;

2
 12/9/2017

SOX : Sec 302 and 404
4. the signing officers--
A. are responsible for establishing and maintaining internal controls;
B. have designed such internal controls to ensure that material information relating
to the issuer and its consolidated subsidiaries is made known to such officers by others
within those entities, particularly during the period in which the periodic reports are
being prepared;
C. have evaluated the effectiveness of the issuer's internal controls as of a date
within 90 days prior to the report; and
D. have presented in the report their conclusions about the effectiveness of their
internal controls based on their evaluation as of that date;
5. the signing officers have disclosed to the issuer's auditors and the audit committee
of the board of directors (or persons fulfilling the equivalent function)--
A. all significant deficiencies in the design or operation of internal controls which
could adversely affect the issuer's ability to record, process, summarize, and report
financial data and have identified for the issuer's auditors any material weaknesses in
internal controls; and
B. any fraud, whether or not material, that involves management or other
employees who have a significant role in the issuer's internal controls; and
6. the signing officers have indicated in the report whether or not there were
significant changes in internal controls or in other factors that could significantly affect
internal controls subsequent to the date of their evaluation, including any corrective
actions with regard to significant deficiencies and material weaknesses.
SOX : Sec 302 and 404
4. the signing officers--
A. are responsible for establishing and maintaining internal controls;
B. have designed such internal controls to ensure that material information relating
to the issuer and its consolidated subsidiaries is made known to such officers by others
within those entities, particularly during the period in which the periodic reports are
being prepared;
C. have evaluated the effectiveness of the issuer's internal controls as of a date
within 90 days prior to the report; and
D. have presented in the report their conclusions about the effectiveness of their
internal controls based on their evaluation as of that date;
5. the signing officers have disclosed to the issuer's auditors and the audit committee
of the board of directors (or persons fulfilling the equivalent function)--
A. all significant deficiencies in the design or operation of internal controls which
could adversely affect the issuer's ability to record, process, summarize, and report
financial data and have identified for the issuer's auditors any material weaknesses in
internal controls; and
B. any fraud, whether or not material, that involves management or other
employees who have a significant role in the issuer's internal controls; and
6. the signing officers have indicated in the report whether or not there were
significant changes in internal controls or in other factors that could significantly affect
internal controls subsequent to the date of their evaluation, including any corrective
actions with regard to significant deficiencies and material weaknesses.

SOX : Sec 302 and 404 SOX

SOX Section 404 (Sarbanes-Oxley Act Section 404)
mandates that all publicly-traded companies must
establish internal controls and procedures for
financial reporting and must document, test and
maintain those controls and procedures to ensure
their effectiveness. The purpose of SOX is to reduce
the possibilities of corporate fraud by increasing the
stringency of procedures and requirements for
financial reporting.

General Controls, Application

Controls, & Financial Data Integrity
In an audit, general controls are controls that relate
to the overall information processing environment
and have a pervasive effect on the entity's computer
operations.
Application control is a security practice that blocks
or restricts unauthorized applications from executing
in ways that put data at risk.
Data integrity is the maintenance of, and the
assurance of the accuracy and consistency
of, data over its entire life-cycle, and is a critical
aspect to the design, implementation and usage of
any system which stores, processes, or retrieves data.

3
 12/9/2017

Q1

Which statement is incorrect when auditing in a CIS environment? It relates to materiality of the financial statement
A CIS environment exists when a computer of any type or size is
involved in the processing by the entity of financial information assertions affected by the computer processing.
of significance to the audit, whether that computer is operated
by the entity or by a third party. Threshold
The auditor should consider how a CIS environment affects the Relevance
audit.
The use of a computer changes the processing, storage and Complexity
communication of financial information and may affect the
accounting and internal control systems employed by the entity. Significance
A CIS environment changes the overall objective and scope of an
audit.

Risk of fraud or error in on-line computer systems may be increased for the
following reasons, except
If workstations are located throughout the entity, the opportunity for
unauthorized use of a workstation and the entry of unauthorized
transactions may increase.
Workstations may provide the opportunity for unauthorized uses such as
modification of previously entered transactions or balances.
If on-line processing is interrupted for any reason, for example, due to
faulty telecommunications, there may be a greater chance that
transactions or files may be lost and that the recovery may not be
accurate and complete.
If transactions are processed immediately on-line, there is less risk that
they will be processed in the wrong accounting period.
The following matters are of particular importance to the
auditor in an on-line computer system, except
Authorization, completeness and accuracy of on-line
transactions.
Integrity of records and processing, due to on-line
access to the system by many users and programmers.
Changes in the performance of audit procedures
including the use of CAAT's.
Cost-benefit ratio of installing on-line computer system.

System characteristics that may result from the

The undesirable characteristics of on-line computer nature of CIS processing include, except
systems least likely include
Data are usually subjected to immediate validation Absence of input documents.
checks. Lack of visible transaction trail.
Unlimited access of users to all of the functions in a
particular application. Lack of visible output.
Possible lack of visible transaction trail. Difficulty of access to data and computer
Potential programmer access to the system. programs.

4

General CIS controls may include, except:
Organization and management controls.
Delivery and support controls.
Development and maintenance controls.
Controls over computer data files.
The applications of auditing procedures using the
computer as an audit tool refer to
Integrated test facility
Auditing through the computer
Data-based management system
Computer assisted audit techniques
Which one of the following represents a lack of internal
control in a computer-based information system?
The design and implementation is performed in
accordance with managements specific authorization.
Any and all changes in application programs have the
authorization and approval of management.
Provisions exist to protect data files from unauthorized
access, modification, or destruction.
Both computer operators and programmers have
unlimited access to the programs and data files.
12/9/2017
Which statement is incorrect regarding the review of general CIS
controls and CIS application controls?
The auditor should consider how these general CIS controls
affect the CIS applications significant to the audit.
General CIS controls that relate to some or all applications
are typically interdependent controls in that their operation is
often essential to the effectiveness of CIS application
controls.
Control over input, processing, data files and output may be
carried out by CIS personnel, by users of the system, by a
separate control group, or may be programmed into
application software.
It may be more efficient to review the design of the
application controls before reviewing the general controls.
Which statement is incorrect regarding the evaluation of
general CIS controls and CIS application controls?
The general CIS controls may have a pervasive effect on
the processing of transactions in application systems.
If general CIS controls are not effective, there may be a
risk that misstatements might occur and go undetected
in the application systems.
Manual procedures exercised by users may provide
effective control at the application level.
Weaknesses in general CIS controls cannot preclude
testing certain CIS application controls.
An employee in the receiving department keyed in a
shipment from a remote terminal and inadvertently
omitted the purchase order number. The best
systems control to detect this error would be
Batch total
Sequence check
Completeness test
Reasonableness test
5

The most critical aspect regarding separation of
duties within information systems is between
Project leaders and programmers
Programmers and systems analysts
Programmers and computer operators
Data control and file librarians
Internal control is ineffective when computer
department personnel
Participate in computer software acquisition
decisions.
Design documentation for computerized systems.
Originate changes in master file.
Provide physical security for program files.
Which of the following statements best describes a
weakness often associated with computers?
Computer equipment is more subject to systems error
than manual processing is subject to human error.
Computer equipment processes and records similar
transactions in a similar manner.
Control activities for detecting invalid and unusual
transactions are less effective than manual control
activities.
Functions that would normally be separated in a manual
system are combined in a computer system.
12/9/2017
An auditor anticipates assessing control risk at a low
level in a computerized environment. Under these
circumstances, on which of the following procedures
would the auditor initially focus?
Programmed control procedures
Output control procedures
Application control procedures
General control procedures
From an audit viewpoint, which of the following
represents a potential disadvantage associated with
the widespread use of microcomputers?
Their portability.
Their ease of access by novice users.
Their easily developed programs using
spreadsheets which do not have to be
documented.
All of the above
An auditor is preparing test data for use in the audit of a computer
based accounts receivable application. Which of the following
items would be appropriate to include as an item in the test data?
A transaction record which contains an incorrect master file
control total
A master file record which contains an invalid customer
identification number
A master file record which contains an incorrect master file
control total
A transaction record which contains an invalid customer
identification number
6
 12/9/2017

To ensure that goods received are the same as those The completeness of computer-generated sales
shown on the purchase invoice, a computerized figures can be tested by comparing the number of
system should: items listed on the daily sales report with the number
Match selected fields of the purchase invoice to of items billed on the actual invoices. This process
goods received uses
Maintain control totals of inventory value Check digits
Calculate batch totals for each input Control totals
Use check digits in account numbers Validity tests
Process tracing data

Which of the following audit techniques most likely

would provide an auditor with the most assurance
about the effectiveness of the operation of an
internal control procedure?
Inquiry of client personnel
Recomputation of account balance amounts
Observation of client personnel
Confirmation with outside parties