
Lord, make me an instrument of your peace.

Where there is hatred, let me sow love.


Where there is injury, pardon.
Where there is doubt, faith.
Where there is despair, hope.
Where there is darkness, light.
Where there is sadness, joy.
O Lord, grant that I may not so much seek;
to be consoled, as to console;
to be understood, as to understand;
to be loved, as to love.
For it is in giving that we receive.
It is in forgiving that we are forgiven,
and it is in dying that we are born to Eternal Life.
Amen.
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.
- Internal auditing: independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
  - Financial Audits
  - Operational Audits
  - Compliance Audits
  - Fraud Audits
  - IT Audits
  - CIA
  - IIA
- IT audits: provide audit services where processes or data, or both, are embedded in technologies.
  - Subject to ethics, guidelines, and standards of the profession (if certified)
    - CISA
  - Most closely associated with ISACA
  - Joint with internal, external, and fraud audits
  - Scope of IT audit coverage is increasing
  - Characterized by CAATTs
  - IT governance as part of corporate governance
- Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
  - Auditor is more like a detective
  - No materiality
  - Goal is conviction, if sufficient evidence of fraud exists
  - CFE
  - ACFE
- External auditing: Objective is that in all material respects, financial statements are a fair representation of organization’s transactions and account balances.
  - SEC’s role
  - Sarbanes-Oxley Act
  - FASB - PCAOB
  - CPA
  - AICPA
- External auditing:
  - Independent auditor (CPA)
    - Independence defined by SEC/S-OX/AICPA
  - Required by SEC for publicly-traded companies
  - Referred to as a “financial audit”
  - Represents interests of outsiders, “the public” (e.g., stockholders)
  - Standards, guidance, certification governed by AICPA, FASB, PCAOB; delegated by SEC who has final authority
- Internal auditing:
  - Auditor (often a CIA or CISA)
    - Is an employee of organization imposing independence on self
  - Optional per management requirements
  - Broader services than financial audit (e.g., operational audits)
  - Represent interests of the organization
  - Standards, guidance, certification governed by IIA and ISACA
- An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements
  - Key concept: Independence
    - {Should be} Similar to a trial by judge
  - Culmination of systematic process involving:
    - Familiarization with the organization’s business
    - Evaluating and testing internal controls
    - Assessing the reliability of financial data
  - Product is formal written report that expresses an opinion about the reliability of the assertions in financial statements; in conformity with GAAP
- ATTEST definition
  - Written assertions
  - Practitioner’s written report
  - Formal establishment of measurement criteria or their description
  - Limited to:
    - Examination
    - Review
    - Application of agreed-upon procedures
- ASSURANCE
  - Professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers
- IT Audit Groups in “Big Four”
  - IT Risk Management
  - I.S. Risk Management
  - Operational Systems Risk Management
  - Technology & Security Risk Services
  - Typically a division of assurance services
- Auditing standards
  - Set by AICPA
  - Authoritative
  - #1 = Ten Generally Accepted Auditing Standards (GAAS)
    - Three categories:
      - General Standards
      - Standards of Field Work
      - Reporting Standards
  - #2 = Statements on Auditing Standards (SASs)
    - SAS #1 issued by AICPA in 1972
- Systematic process
- Five primary management assertions, and correlated audit objectives and procedures [Table 1-1]
  - Existence or Occurrence
  - Completeness
  - Rights & Obligations
  - Valuation or Allocation
  - Presentation or Disclosure
- Phases [Figure 1-3]
  1. Planning
  2. Obtaining evidence
     - Tests of Controls
     - Substantive Testing
     - CAATTs
     - Analytical procedures
  3. Ascertaining reliability
     - MATERIALITY
  4. Communicating results
     - Audit opinion
- AUDIT RISK: The probability that the auditor will give an inappropriate opinion on the financial statements; that is, that the statements will contain material misstatement(s) which the auditor fails to find
- INHERENT RISK: The probability that material misstatements have occurred
  - Material vs. Immaterial
  - Includes economic conditions, etc.
  - Relative risk (e.g., cash)
- CONTROL RISK: The probability that the internal controls will fail to detect material misstatements
- DETECTION RISK: The probability that the audit procedures will fail to detect material misstatements
  - Substantive procedures
- AUDIT RISK MODEL:
  - AR = IR * CR * DR
  - Example: inventory with IR=40%, CR=60%, AR=5% (fixed)
    .05 = .4 * .6 * DR
    ... then DR=4.8%
  - Why is AR = 5%?
  - What is detection risk?
  - Can CR realistically be 0?
- Relationship between DR and substantive procedures
- Relationship between tests of controls and substantive tests
- Illustrate higher reliability of the internal controls and the Audit Risk Model
  - What happens if internal controls are more reliable than last audit?
    - Last year: .05 = .4 * .6 * DR [DR = 4.8]
    - This year: .05 = .4 * .4 * DR [DR = 3.2]
  - The more reliable the internal controls, the lower the CR probability; thus the lower the DR will be, and fewer substantive tests are necessary.
  - Substantive tests are labor intensive
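An added worked example (not part of the slides) that solves the audit risk model AR = IR * CR * DR for DR and guards the "can CR realistically be 0?" case raised above. Note that for the inventory figures the arithmetic gives DR = 0.05 / (0.4 * 0.6), about 0.208, last year and 0.05 / (0.4 * 0.4), about 0.313, this year: with AR held fixed, a lower CR raises the detection risk the auditor can accept, which is what allows substantive testing to be reduced.

```python
def detection_risk(ar: float, ir: float, cr: float) -> float:
    """Solve AR = IR * CR * DR for DR (planned detection risk).

    ar: acceptable audit risk fixed by the auditor (e.g. 0.05)
    ir: inherent risk, cr: control risk, all probabilities in (0, 1].

    Raises ValueError when any component is 0: a zero IR or CR would mean
    the model requires no audit evidence at all, which is not realistic.
    The result is capped at 1.0, since IR * CR already below AR means no
    amount of detection risk can push audit risk above the target.
    """
    for name, value in (("AR", ar), ("IR", ir), ("CR", cr)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    return min(ar / (ir * cr), 1.0)


def effect_of_better_controls(ar: float, ir: float,
                              cr_last: float, cr_this: float) -> tuple:
    """Return (DR last audit, DR this audit) for a fall in control risk.

    A higher second value means more detection risk can be accepted, so
    fewer of the labor-intensive substantive tests are needed this year.
    """
    return detection_risk(ar, ir, cr_last), detection_risk(ar, ir, cr_this)


if __name__ == "__main__":
    # Figures from the inventory example above: AR 5%, IR 40%, CR 60% -> 40%
    last, this = effect_of_better_controls(0.05, 0.4, 0.6, 0.4)
    print(f"DR last year: {last:.4f}, DR this year: {this:.4f}")
```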
- Selected from board of directors
- Usually three members
- Outsiders (S-OX now requires it)
- Fiduciary responsibility to shareholders
- Serve as independent check and balance system
- Interact with internal auditors
- Hire, set fees, and interact with external auditors
- Resolve conflicts of GAAP between external auditors and management
… most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient. … These technologies greatly change the nature of audits, which have so long relied on paper documents.
- There has always been a need for an effective internal control system.
- The design and oversight of that system has typically been the responsibility of accountants.
- The I.T. Environment complicates the paper systems of the past.
  - Concentration of data
  - Expanded access and linkages
  - Increase in malicious activities in systems vs. paper
  - Opportunity that can cause management fraud (i.e., override)
- Audit planning
- Tests of controls
- Substantive tests
CAATTs
- is … policies, practices, procedures … designed to …
  - safeguard assets
  - ensure accuracy and reliability
  - promote efficiency
  - measure compliance with policies
SEC acts of 1933 and 1934
- “Ivar Kreuger’s Contribution to U.S. Financial Reporting,” Accounting Review, Flesher & Flesher
- All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.
Federal Copyright Act 1976
1. Protects intellectual property in the U.S.
2. Has been amended numerous times since
3. Management is legally responsible for violations of the organization
4. U.S. government has continually sought international agreement on terms for protection of intellectual property globally vs. nationally
Foreign Corrupt Practices Act 1977
1. Accounting provisions
   - FCPA requires SEC registrants to establish and maintain books, records, and accounts.
   - It also requires establishment of internal accounting controls sufficient to meet objectives:
     1. Transactions are executed in accordance with management’s general or specific authorization.
     2. Transactions are recorded as necessary to prepare financial statements (i.e., GAAP), and to maintain accountability.
     3. Access to assets is permitted only in accordance with management authorization.
     4. The recorded assets are compared with existing assets at reasonable intervals.
2. Illegal foreign payments
Committee on Sponsoring Organizations - 1992
1. AICPA, AAA, FEI, IMA, IIA
2. Developed a management perspective model for internal controls over a number of years
3. Is widely adopted
Sarbanes-Oxley Act - 2002
1. Section 404: Management Assessment of Internal Control
   - Management is responsible for establishing and maintaining internal control structure and procedures.
   - Must certify by report on the effectiveness of internal control each year, with other annual reports.
2. Section 302: Corporate Responsibility for Incident Reports
   - Financial executives must disclose deficiencies in internal control, and fraud (whether fraud is material or not).
1. Management responsibility
2. Reasonable assurance
   - no I.C.S. is perfect
   - benefits => costs
3. Methods of data processing
   - Objectives same regardless of DP method
   - Specific controls vary w/different technologies
4. Limitations
   - Possibility of error
   - Possibility of circumvention
   - Management override
   - Changing conditions
- Exposure (definition)
- Risks (definition)
- Types of risk
  - Destruction of assets
  - Theft of assets
  - Corruption of information or the I.S.
  - Disruption of the I.S.
- Preventive controls
- Detective controls
- Corrective controls
  - Which is most cost effective?
  - Which one tends to be proactive measures?
  - Can you give an example of each?
- Predictive controls
- COSO
  - The control environment
  - Risk assessment
  - Information & communication
  - Monitoring
  - Control activities
- The integrity and ethical values
- Structure of the organization
- Participation of audit committee
- Management’s philosophy and style
- Procedures for delegating
- Management’s methods of assessing performance
- External influences
- Organization’s policies and practices for managing human resources
- Assess the integrity of organization’s management
- Conditions conducive to management fraud
- Understand client’s business and industry
- Determine if board and audit committee are actively involved
- Study organization structure
- Changes in environment
- Changes in personnel
- Changes in I.S.
- New IT’s
- Significant or rapid growth
- New products or services (experience)
- Organizational restructuring
- Foreign markets
- New accounting principles
- Initiate, identify, analyze, classify and record economic transactions and events.
- Identify and record all valid economic transactions
- Provide timely, detailed information
- Accurately measure financial values
- Accurately record transactions
- Auditors obtain sufficient knowledge of I.S.’s to understand:
  - Classes of transactions that are material
  - Accounting records and accounts used
  - Processing steps: initiation to inclusion in financial statements (illustrate)
  - Financial reporting process (including disclosures)
- By separate procedures (e.g., tests of controls)
- By ongoing activities (Embedded Audit Modules – EAMs and Continuous Online Auditing – COA)
#5: Control Activities
- Physical Controls (1-3)
  - Transaction authorization
    - Example:
      - Sales only to authorized customer
      - Sales only if available credit limit
  - Segregation of duties
    - Examples of incompatible duties:
      - Authorization vs. processing [e.g., Sales vs. Auth. Cust.]
      - Custody vs. recordkeeping [e.g., custody of inventory vs. DP of inventory]
      - Fraud requires collusion [e.g., separate various steps in process]
  - Supervision
    - Serves as compensating control when lack of segregation of duties exists by necessity
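An added example (not from the slides) of how an IT auditor might test the segregation-of-duties pairs listed above against an access-rights export: the duty labels, user names and the sample listing are constructed for illustration, and conflicts without a documented supervision control are reported separately because the slide names supervision as the compensating control.

```python
from collections import defaultdict
from itertools import combinations

# Incompatible duty pairs named on the slide: authorization vs. processing,
# custody vs. recordkeeping. The duty labels themselves are constructed.
INCOMPATIBLE = {
    frozenset({"authorize", "process"}),
    frozenset({"custody", "record"}),
}


def sod_conflicts(assignments):
    """Find users holding both halves of an incompatible pair in one process.

    assignments: iterable of (user, process, duty) tuples, as you would
    extract from an application's role or access-rights export.
    Returns a sorted list of (user, process, duty_a, duty_b).
    """
    held = defaultdict(set)
    for user, process, duty in assignments:
        held[(user, process)].add(duty)
    found = []
    for (user, process), duties in held.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                found.append((user, process, a, b))
    return sorted(found)


def uncompensated(conflicts, supervised):
    """Conflicts with no supervision control on record for (user, process).

    Where segregation is impossible (small staff), the slide's compensating
    control is supervision; anything not in `supervised` is a finding.
    """
    return [c for c in conflicts if (c[0], c[1]) not in supervised]


# Constructed sample access listing for a sales / inventory system.
SAMPLE = [
    ("alice", "sales", "authorize"),   # approves customer credit limits
    ("alice", "sales", "process"),     # and also enters sales orders
    ("bob", "inventory", "custody"),
    ("carol", "inventory", "record"),
    ("dave", "inventory", "custody"),
    ("dave", "inventory", "record"),   # custody plus recordkeeping
    ("dave", "sales", "process"),      # different process: no conflict
]
SUPERVISED = {("dave", "inventory")}  # constructed: supervisor reviews counts
```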
#5: Control Activities
- Physical Controls (4-6)
  - Accounting records (audit trails; examples)
  - Access controls
    - Direct (the assets)
    - Indirect (documents that control the assets)
    - Fraud
    - Disaster Recovery
  - Independent verification
    - Management can assess:
      - The performance of individuals
      - The integrity of the AIS
      - The integrity of the data in the records
    - Examples
- Operations
- Data management systems
- New systems development
- Systems maintenance
- Electronic commerce (The Internet)
- Computer applications
