GROUP 3
should make suggestions for prevention or correction of
TYPES OF DEFICIENCY IN INTERNAL CONTROL
1. CONTROL DEFICIENCY – A control is designed,
implemented or operated in such a way that it is unable
to prevent, or detect and correct misstatements in the
financial report on a timely basis.
– A control necessary to prevent, or detect and correct,
misstatements in the financial report on a timely basis is
missing.
2. SIGNIFICANT DEFICIENCY – is a deficiency, or a
combination of deficiencies, in internal control over
financial reporting, that is less severe than a material
weakness yet important enough to merit attention by
those responsible for oversight of the company’s
financial reporting.
3. MATERIAL WEAKNESS – is a deficiency, or
combination of significant deficiencies, that result in
more than a remote likelihood that a material
misstatement of the financial statements will not be
prevented or detected.
GROUP 4
AUDIT PROCESS
 Planning – Define audit objectives and methodology
 Fieldwork – Gather evidence to accomplish audit
objectives
 Reporting – Communicate audit results
 Follow-up – Review corrective action plan and result
INTERNAL AUDIT REPORT – Is a formal document
where internal audit summarizes its work on an audit
and report its findings and recommendations based on
that work.
DISCLOSE FINDINGS - Present findings both favorable
and unfavorable in a concise manner so that the
management is aware of the situation in an
operation/segment.
DESCRIPTION OF FINDINGS
 ADVERSE FINDINGS should be described in detail.
 Each Finding must be provable.
 Auditor beliefs, without proper documentation,
will not be carried to the report.
SUGGESTIONS AND RECOMMENDATIONS - The auditor
the deficiencies or gaps identified.
TYPES OF INTERNAL AUDIT REPORT
 ORAL REPORT
 INTERIM (INFORMAL) REPORT
 DESCRIPTIVE AUDIT REPORT
 DESCRIPTIVE AUDIT REPORT
COMPONENTS OF AN INTERNAL AUDIT REPORT
Background - A very brief explanation as to the rationale
for the audit is provided in this section.
Inherent Risk: A risk that an event will occur which may
negatively affect the achievement of organization's
objectives, assuming there are no controls in place.
Residual Risk: The risk remains after controls are taken
into account
Objective of audit - The objective of the audit should
answer the question “Why was this department/area
audited?
Nature and scope of audit - This section should answer
the question “What was audited?
Methodology/ Audit Approach
This section describes the audit program that was
developed to conduct the fieldwork.
 Substantive Procedures Audit Approach
This approach generally uses where the financial
reporting system or internal controls over financial
reporting are not reliable.
 Balance Sheet Audit Approach
This approach, the auditor will focus their testing on high
values balance sheet items, and transaction in the
income statements will be less focused on.
 System Based Approach
 Risk Based Audit Approach
The most use of approach.
Attributes tested - This section of the audit report will
discuss the individual issues or areas that we decided to
test.
Conclusion - The final section of the audit report is the
conclusion where the audit opinion is expressed.
Appendices - This section is a compilation of all the
recommendations made in the audit report, and includes
all of the management responses, who the responsible
person is for implementing each recommendation and
the time frame.
AUDIT FOLLOW UP PROCESS
1.Internal Auditors determine whether the management
has taken action or implemented recommendations.
2. Follow up is a process by which internal auditors
evaluate adequacy, effectiveness, and timeliness of
actions taken by management on reported observations
and recommendations.
3. The Chief Audit Executive is responsible for scheduling
follow-up activities.
4.Follow up activity should be appropriately
documented.
TYPES OF EXTERNAL AUDIT REPORT
 UNQUALIFIED AUDIT OPINION – is an
independent auditor’s judgment that a
company’s financial statements are fairly and
appropriately presented, without any
exceptions, and in compliance with accounting
standards.
 QUALIFIED AUDIT OPINION – Is a statement
issued after an audit. Is completed by
professional auditor, suggesting that the
information provided is limited in scope and/or
the company being audited has not maintained
GAAP accounting principles.
 ADVERSE AUDIT OPINION –Financial statements
are misrepresented, misstated and do not
accurately reflect its financial performance and
health.
 Gross misstatement and possibly fraud.
 DISCLAIMER AUDIT OPINION - No opinion is
being given.
Internal Auditors are not responsible for the
execution of company activities; they advise
Management and the Board of Directors regarding
how to better execute their responsibilities.
Internal Auditors perform audit to evaluate whether the
control components are present and operating
effectively, and if not, provide recommendations for
improvement.
Management is responsible for design and
implementation of internal controls.
Executive Management - all appointed officers of the
Corporation above the level of Vice-President.
- consists of high ranking employees that work
together to manage a company or corporation.
External Auditors - performs an audit, in accordance
with specific laws or rules, of the financial statements of
a company, government entity, other legal entity,
or organization, and is independent of the entity being
audited.
GROUP 5
SOFTWARE
• set of instructions, data or programs used to
operate computers and execute specific tasks
• generic term used to refer to applications &
programs that run on a device
OPERATING, APPLICATION, SYSTEM
APPLICATION SOFTWARE - software designed to
perform a group of coordinated functions, tasks, or
activities for the benefit of the user.
ACCOUNTING SOFTWARE - describes a type of
application software that records and processes
accounting transactions within function modules.
DATABASE MANAGEMENT SYSTEM (DBMS)
• It manages the data efficiently and allow users to
perform multiple tasks on it with ease.
• It is a software for creating and managing
databases.
• It provides users with a systematic way to create,
retrieve, update and manage data.
• was designed to solve the fundamental problems
associated with storing, managing, accessing,
securing and auditing data in traditional file
systems.
IT CONTROLS
TWO CATEGORIES OF IT SYSTEMS
 GENERAL CONTROL
 APPLICATION CONTROL
GENERAL CONTROL apply to all aspects of IT function
before transactions are processed.
BACK UP AND CONTINGENCY - Power failures, fire
excessive heat or humidity, water damage or even
sabotage consequence to business using IT.
 Battery backups or on-site generators
HARDWARE CONTROLS - Built into computer by
manufacturers to detect and report equipment failures.
APPLICATION CONTROL - Designed for each software
application.
CONTROLS MAY BE MANUAL OR AUTOMATED AND
INCLUDE THE FOLLOWING.
 INPUT CONTROL
 PROCESSING CONTROL
 OUTPUT CONTROLS
INPUT CONTROL - Designed to that the information
entered is authorized, accurate and complete.
Garbage in = Garbage out.
CONTROL SPECIFIC TO IT.
• Management authorization
• Check digit- purpose of the check digit is to verify
that the information of the barcode has been
entered correctly. (1359)
 Edit check- Automated controls programmed
into an application to help prevent invalid or
unreasonable data from, being entered.
(Numbers or text files only).
PROCESSING CONTROL
 Prevent and detect errors while transaction data
are processed
 Specific application processing controls are often
programmed into software to prevent, detect,
and correct processing errors.
OUTPUT CONTROLS
 Focus on detecting errors after processing is
completed.
Common control for detecting errors in output.
 Reconcile computer produce to manual control
total.
 compare the numbers of unit process to the
numbers of units submitted for processing.
SNAPSHOTS - This technique involves taking a picture of
a transaction as a flows through the computer systems.
SYSTEMS CONTROL AUDIT REVIEW FILES (SCARF) - This
involves embedding audit software modules within an
application system to provide continuous monitoring of
the systems transaction.
IT GOVERNANCE - Provides the framework to ensure
that IT can support the organization’s overall business
needs.
TYPES OF RISKS
• Business Risk – The possibility that a company
will have lower than anticipated profits, or that
will experience a loss rather than profit.
• Continuity Risk – The possibility that a company
will not be able to continue its operations due to
weakness in control.
IT RISKS - The potential that a given threat will exploit
vulnerabilities of an assets and thereby cause harm to
the organization.
Categories:
• IT service delivery risk – associated with the
performance and availability of IT services.
• IT solution delivery/realization risk – associated
with the contribution of IT to new or improved
business solutions, usually in the form of projects
and programs.
• IT benefit realization risk – associated with
opportunities to use technology to improve
efficiency and effectiveness to business
processes.
RISK MANAGEMENT – The process which aims to help
organizations to understand, evaluate, and take action
on all their risks with a view to increasing the probability
of success and reducing the failure.
COMPUTER ASSISTED AUDITING TOOLS AND
TECHNIQUES
• It is the practice of using computers to automate
the IT processes.
• It is a fundamental tool used by the auditors to
make search of the irregularities from given data.
• Refer to any computer program utilized to
improve the audit process.
TEST DATA – Used to confirm the expected results, when
a test data is entered, the expected result should come.
- It also verifies the software behavior to invalid
input data.
INTEGRATED TEST FACILITY (ITF) – techniques place a
small set of fictitious records in the master files, and then
the auditor compares processing with expected results
to verify that the system and its controls are operating
correctly.
PARALLEL SIMULATION – is a process of simulating data
(from a client) to compare the results of simulation with
that of client’s system results.
COMMON TYPES OF REGULATORY AND LEGAL ISSUES
Legal Contract -an agreement between or among two or
more persons or entities to do, or abstain from doing
something in return for an exchange of consideration.
Elements in Contract
 Offer-nature or subject of agreement
 Consideration-states what the offeror
expects in return from the offeree
 Acceptance – clearly identify the offeror and
offeree, and both must sign and date the
contract
TYPES OF LEGAL CONTRACT
• Employee Contract - Special type of contract
between employer and employee.
• Confidentiality Agreement - a legal contract that
outlines confidential material, knowledge or
information that the parties wish to share with
one another for a certain purpose but wish to
restrict access to third parties
• Trade Secret Agreements - a contract that
protects secret, such as formula, pattern,
compilation, method, technique or process that
derives independent economic value
• Discovery Agreement - agreement between
employer and employee which allows the
transfer of ownership of discovery to the
employer.
• Non-compete Agreement - also known as
covenant not compete, it is an agreement from
the employee about not to enter into or start
similar business in competition against employer
• Trading Partner Contracts -written agreement
between companies and their trading partners,
e.g. customers and suppliers
• Computer Crime - also known as cybercrime,
refers to direct or indirect use of computer and
communication technologies to perpetrate a
criminal act
KINDS OF COMPUTER CRIME
• Hacking - refers to the practice of modifying or
altering computer software and hardware to
accomplish a goal that differs from the original
purpose of the system
• Keylogger - a technology that tracks and records
consecutive key strokes on keyboard. Because
consecutive information such as username and
passwords are often entered on a keyboard, a
keylogger can be a very dangerous technology
• Phising - is the fraudulent act of acquiring private
and sensitive information such as credit card
numbers, personal identification, and account
usernames and passwords
• Spoofing - A technique used to gain
unauthorized access to computers, whereby the
intruder sends messages to a computer with an
IP address indicating that the message is coming
from a trusted host
• Skimming -the illegal copying of information
from the magnetic strips found on credit and
debit cards. Card skimming is considered a more
direct version of a phishing scam
• Intellectual Property - refers to the valuable
creations of the human mind.
GROUP 6
CODES OF ETHICS
1. INTEGRITY - the principle of integrity imposes an
obligation on all professional accountants to be
straightforward and honest in all professional
and business relationships.
2. CONFIDENTIALITY - the principle of
confidentiality is not only to keep information
confidential, but also to take all reasonable steps
to preserve confidentiality.
3. OBJECTIVITY - the principle of objectivity
imposes an obligation on all professional
accountants not to compromise their
professional or business judgement because of
bias, conflict of interest or undue influence of
others
4. PROFESSIONAL BEHAVIOR – Must comply in
accordance to applicable laws and regulations,
and avoid any action that discredits the
profession.
5. PROFESSIONAL COMPETENCE AND DUE CARE -
You must have necessary skills, knowledge and
expertise about the profession.