ATTEST definition
Written assertions
Practitioner’s written report
Formal establishment of measurement criteria or their description in the
presentation
Limited to:
Examination
Review
Application of agreed-upon procedures
ATTEST vs ADVISORY
ADVISORY
Professional services that are designed to improve the quality of information,
both financial and non-financial, used by decision-makers
IT Audit Groups in “Big Four”
IT Risk Management
IS Risk Management
Operational Systems Risk Management
Technology & Security Risk Services
Typically a division of assurance services
AUDIT COMPONENTS
Auditing standards
A systematic process
Management assertions & audit objectives
Obtaining evidence
Ascertaining materiality
Communicating results
AUDITING STANDARDS
Auditing standards
Set by AICPA (American Institute of CPA)
Authoritative
#1 = Ten Generally Accepted Auditing Standards (GAAS)
Three categories:
General Standards
Standards of Field Work
Reporting Standards
Assertion | Audit objective | Audit procedure
Existence or Occurrence | Inventories listed in the balance sheet exist | Observe the counting of physical inventory
Rights and Obligations | Plant and equipment listed in the balance sheet are owned by the entity | Review purchase agreements, insurance policies, and related documents
Valuation or Allocation | Accounts receivable are stated at net realizable value | Review entity’s aging of accounts and evaluate the adequacy of the allowance for uncollectible accounts
Presentation and Disclosure | Contingencies not reported in financial accounts are properly disclosed in footnotes | Obtain information from entity lawyers about the status of litigation and estimates of potential loss
OBTAINING EVIDENCE
AUDIT RISK:
The probability that the auditor will give an inappropriate opinion on the
financial statements: that is, that the statements will contain material
misstatement(s) which the auditor fails to find
Audit Risk Formula
INHERENT RISK:
Associated with the unique characteristic of the business or industry of the
client
Example: declining industries have greater risk than stable/thriving firms
• CONTROL RISK:
▫ The probability that the internal controls will fail to detect material
misstatements
▫ For example: Capability of system to detect wrong total price
• DETECTION RISK:
▫ The probability that the audit procedures will fail to detect material
misstatements
▫ Influences level of substantive tests that must be performed
▫ The lower the percentage, the more substantive tests required
Audit Risk Formula
All corporations that report to the SEC are required to maintain a system of
internal control that is evaluated as part of the annual external audit.
BRIEF HISTORY - Copyright
Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to
maintain accountability.
The recorded assets are compared with existing assets at reasonable intervals.
Management responsibility
Establishment and maintenance of a system of internal control is a management
responsibility
Reasonable assurance
no internal control system is perfect
benefits => (greater than) costs
Methods of data processing
Objectives same regardless of DP method
Specific controls vary with different technologies
Modifying Assumptions
Limitations
Possibility of error
Possibility of circumvention
Management override
Changing conditions
EXPOSURES AND RISK
Exposure (definition)
Risks (definition)
Types of risk
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.
THE P-D-C MODEL
Preventive controls
Detective controls
Corrective controls
Which is most cost effective?
Which one tends to be a proactive measure?
Can you give an example of each?
Predictive controls
SAS 78: Consideration of Internal Control in a Financial Statement Audit
COSO (Treadway Commission)
The control environment
Risk assessment
Information & communication
Monitoring
Control activities
SAS 78
(#1:Control Environment -- elements)
Describe how each one could adversely affect internal control.
The integrity and ethical values
Structure of the organization
Participation of audit committee
Management’s philosophy and style
Procedures for delegating
SAS 78
(#1:Control Environment -- elements)
Management’s methods of assessing performance
External influences
Organization’s policies and practices for managing human resources
SAS 78
(#1:Control Environment -- techniques)
Describe possible activity or tool for each.
Assess the integrity of organization’s management
Conditions conducive to management fraud
Understand client’s business and industry
Determine if board and audit committee are actively involved
Study organization structure
SAS 78
(#2:Risk Assessment)
Changes in environment
Changes in personnel
Changes in I.S.
New IT’s
Significant or rapid growth
New products or services (experience)
Organizational restructuring
Foreign markets
New accounting principles
SAS 78
(#3:Information & Communication-elements)
Initiate, identify, analyze, classify and record economic transactions and
events.
Identify and record all valid economic transactions
Provide timely, detailed information
Accurately measure financial values
Accurately record transactions
SAS 78
(#3:Information & Communication-techniques)
Auditors obtain sufficient knowledge of I.S.’s to understand:
▫ Segregation of duties
Examples of incompatible duties:
Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
▫ Supervision
Serves as compensating control when lack of segregation of duties exists by necessity
• Physical Controls (4-6)
▫ Accounting records (audit trails; examples)
▫ Access controls
Direct (the assets)
Indirect (documents that control the assets)
Fraud
Disaster Recovery
▫ Independent verification
Management can assess:
The performance of individuals
Examples
IT Risks Model
Operations
Data management systems
New systems development
Systems maintenance
Electronic commerce (The Internet)
Computer applications
Role of Audit Committee