
Saint Ferdinand College

Sta. Ana St. Bagumbayan, City of Ilagan, Isabela


COLLEGE OF ACCOUNTANCY

ONLINE CLASS COURSE MODULE IN COMPUTER 2


(Accounting Information Systems)

COURSE OUTLINE FOR PRELIM

Lesson 7 (Week 13) CHAPTER 7: INTRODUCTION TO AUDITING IT PROCESSES
 Introduction to Auditing IT Processes
 Types of Audits and Auditors
 Information Risk and IT-Enhanced Internal Control
 Authoritative Literature Used in Auditing
 Management Assertions and Audit Objectives
 Phases of an IT Audit
o Audit Planning
 Use of Computers in Audits
 Tests of Controls
o General Controls
o Application Controls
 Tests of Transactions and Tests of Balances
 Audit Completion/Reporting
 Other Audit Considerations
o Different IT Environments
o Changes in a Client’s IT Environment
o Sampling
 Ethical Issues Related to Auditing

 Lesson: 7

Learning Outcome:

At the end of the lesson the students should be able to gain an understanding
of the following concepts:
1. An introduction to auditing IT processes
2. The various types of audits and auditors
3. Information risk and IT-enhanced internal control
4. Authoritative literature used in auditing
5. Management assertions used in the auditing process and the related audit
objectives
6. The phases of an IT audit
7. The use of computers in audits
8. Tests of controls
9. Tests of transactions and tests of balances
10. Audit completion/reporting
11. Other audit considerations
12. Ethical issues related to auditing

 INTRODUCTION TO AUDITING IT PROCESSES

Nearly all business organizations rely on computerized systems to assist in
the accounting function. Technological advances have transformed the business
world by providing new ways for companies to do business and maintain records.
This boom in technological developments has increased the amount of
information that is readily available. Business managers, investors, creditors,
and government agencies often have a tremendous amount of data to use when
making important business decisions. However, it is often a challenge to verify
the accuracy and completeness of the information.

Accountants have an important role in the business world because they are
called upon to improve the quality of information provided to decision makers.
Accounting services that improve the quality of information are called assurance
services. Many types of services performed by accountants are considered
assurance services because they lend credibility to the underlying financial
information. An audit is the most common type of assurance service.

 TYPES OF AUDITS AND AUDITORS

An audit is a type of assurance service that involves accumulating and
analyzing support for information provided by others. The main purpose of the
audit is to assure users of financial information about the accuracy and
completeness of the information. To carry out an audit, accountants collect and
evaluate proof of procedures, transactions, and/or account balances and
compare the information with established criteria.

The three primary types of audits include compliance audits, operational
audits, and financial statement audits. Although all audits involve an
investigation of supporting information, each type of audit has a different
purpose.
 Compliance audits determine whether the company has complied
with regulations and policies established by contractual agreements,
governmental agencies, company management, or other high
authority.
 Operational audits assess operating policies and procedures for
efficiency and effectiveness.
 Financial statement audits determine whether the company has
prepared and presented its financial statements fairly, and in
accordance with established financial accounting criteria.

Audits are typically conducted by accountants who have knowledge of the
established criteria. For example, financial statement audits are performed by
certified public accountants (CPAs) who have extensive knowledge of generally
accepted accounting principles (GAAP) in the United States and/or International
Financial Reporting Standards (IFRS).

There are different types of audit specialization that exist in business practice
today, including internal auditors, IT auditors, government auditors, and CPA
firms.
 An internal auditor is an employee of the company that he or she
audits. Most large companies have a staff of internal auditors who
perform compliance, operational, and financial audit functions at the
request of management. Some internal auditors achieve special
certification as certified internal auditors (CIAs).
 IT auditors specialize in information systems assurance, control, and
security, and they may work for CPA firms, government agencies, or
with the internal audit group for any type of business organization.
Some IT auditors achieve special certification as certified information
systems auditors (CISAs).
 Government auditors conduct audits of government agencies or
income tax returns.
 CPA firms represent the interests of the public by
performing independent audits of many types of business
organizations.

Each type of auditor may perform any of the three types of audits. Only CPA
firms can conduct financial statement audits of companies whose stock is sold in
public markets. An important requirement for CPA firms is that they must be neutral
with regard to the company being audited. This requirement of neutrality allows the
CPA firm to provide a completely unbiased opinion on the information it audits, and
it is the foundation of an external audit performed by CPAs.

An external audit is performed by independent auditors who are objective
and neutral with respect to the company and information being audited. To keep
their neutrality, CPA firms and their individual CPAs are generally prohibited from
having financial connections with client companies and from having personal ties to
those working for client companies. A CPA’s objectivity could be impaired by having
financial and personal relationships with a client company or with anyone having
the ability to influence the client’s decisions and financial reporting activities.

The IT environment plays a key role in how auditors conduct their work in the
following areas:
 Consideration of risk
 Audit procedures used to obtain knowledge of the accounting and
internal control systems
 Design and performance of audit tests

 INFORMATION RISK AND IT-ENHANCED INTERNAL CONTROL

As business environments become more complex, the possibility of
receiving unreliable information increases. Information risk is the chance that
information used by decision makers may be inaccurate. Following are some
causes of information risk:
 The remoteness of information. Decision makers are typically forced
to rely on others for information. When the source of the
information is removed from the decision maker, the information
stands a greater chance of being misstated. A decision maker may
become detached from the source of important information due to
geographic distances, organizational layers, or other factors that
are often associated with a company’s growth.
 The volume and complexity of the underlying data. As a business
grows, the volume and complexity of its transactions increase. This
tends to increase the chance that misstated information may exist
undetected.
 The motive of the preparer. Those who prepare
information may have goals different from those of the decision
maker. As a result, the information may be slanted in favor of a
particular viewpoint or incentive, which impacts its presentation
and decision-making usefulness.

The most common way for decision makers to reduce information risk is to
rely upon information that has been audited by an independent party.
Because information users generally do not have the time or ability to verify
information for themselves, they depend on auditors for accurate and
unbiased judgments. Even if decision makers wanted to verify the
information, it may be difficult to do so when the financial information is
contained in computerized accounting systems. These are the main reasons
that a discussion of information-based processing and the related audit
function are included in the study of accounting information systems.

Various risks are created by the existence of IT-based business processes.
For example, because the details of transactions are often entered directly
into the computer system, there may be no paper documentation maintained
to support the transactions. This is often referred to as the loss of audit trail
visibility because there is a lack of physical evidence to visibly view. There is
also a greater likelihood that data may be lost or altered due to system
failure, database destruction, unauthorized access, or environmental
damage.

Despite the risks, there are important advantages to using IT-based
systems. Internal controls can actually be enhanced if care is exercised in
implementing these systems. Computer controls can compensate for the lack
of manual controls. In addition, if programs are tested properly before being
activated, the risk of human error (such as a mathematical and/or
classification mistake) is virtually eliminated because computers process all
information consistently.

In addition to internal control enhancements, IT-based processes provide
higher quality information to management. Information is higher quality when
it is supplied in a timely manner and administered effectively. When high-
quality information is used to make decisions, the result is more effective
management.

 AUTHORITATIVE LITERATURE USED IN AUDITING


The work of an auditor must be conducted in accordance with several
sources of authoritative literature.

Generally accepted auditing standards (GAAS) are broad guidelines for an
auditor’s professional responsibilities. These ten standards are divided into
three categories that include general qualifications and conduct of an auditor
(general standards), guidelines for performing the audit (standards of
fieldwork), and requirements for the written report communicating the results
of the audit (standards of reporting).

 MANAGEMENT ASSERTIONS AND AUDIT OBJECTIVES

Responsibility for operations, compliance, and financial reporting lies with
management of the company. A company’s various reports are assumed to
represent a set of management assertions. Management assertions are
claims regarding the condition of the business organization in terms of its
operations, financial results, and compliance with laws and regulations. The
role of the auditors is to analyze the underlying facts to decide whether
information provided by management is fairly presented. Auditors design
audit tests to analyze information in order to determine whether
management’s assertions are valid.
A unique set of audit tests determines whether each general objective is met for
each major account or type of transaction. For example, a test for completeness of
notes payable involves the review of minutes to determine whether additional
borrowing arrangements exist that are not recorded.

 PHASES OF AN IT AUDIT

An IT audit generally follows the same pattern as a typical financial statement
audit. There are four primary phases of the audit: planning, tests of controls,
substantive tests, and audit completion/reporting.
Through each phase of an audit, evidence is accumulated as a basis for
supporting the conclusions reached by the auditors. Audit evidence is proof of
the fairness of financial information. The techniques used for gathering evidence
include the following:
 Physically examining or inspecting assets or supporting documentation
 Obtaining written confirmation from an independent source
 Reperforming tasks or recalculating information
 Observing the underlying activities
 Making inquiries of company personnel
 Analyzing financial relationships and making comparisons to determine
reasonableness

The various phases of the audits typically include a combination of these
techniques.

o Audit Planning
During the planning phase of an audit, the auditor must gain a thorough
understanding of the company’s business and financial reporting systems. In
doing so, auditors review and assess the risks and controls related to the
business, establish materiality guidelines, and develop relevant tests
addressing the assertions and objectives.


The tasks of assessing materiality and audit risk are very subjective and
are therefore typically performed by experienced auditors. In determining
materiality, auditors estimate the monetary amounts that are large enough to
make a difference in decision making. Materiality estimates are then assigned
to account balances so that auditors can decide how much evidence is
needed. Transactions and account balances that are equal to or greater than
the materiality limits will be carefully tested.
Risk refers to the likelihood that errors or fraud may occur. Risk can be
inherent in the company’s business (due to such things as the nature of
operations, the economy, or management’s strategies), or it may be caused
by weak internal controls. Auditors need to perform risk assessment to
carefully consider the risks and the resulting problems to which the company
may be susceptible.
A big part of the audit planning process is the gathering of evidence about
the company’s internal controls. Auditors typically gain an understanding of
internal controls by interviewing key members of management and the IT
staff. They also observe policies and procedures and review IT user manuals
and system flowcharts. They often prepare narratives or memos to
summarize the results of their findings.

The process of evaluating internal controls and designing meaningful audit
tests is more complex for automated systems than for manual systems. Using
just human eyes, an auditor cannot easily spot the controls that are part of
an automated (computer) system. In recognition of the fact that accounting
records and files often exist in both paper and electronic form, auditing
standards address the importance of understanding both the automated and
manual procedures that make up an organization’s internal controls. Auditors
must consider how misstatements may occur, including the following:
 How transactions are entered into the computer
 How standard journal entries are initiated, recorded, and processed
 How nonstandard journal entries and adjusting entries are initiated,
recorded, and processed
IT auditors may be called upon to consider the effects of computer
processing on the audit or to assist in testing those automated
procedures.

 USE OF COMPUTERS IN AUDITS


Many companies design their IT systems so that important information such
as purchase and sales orders, shipping and receiving reports, and invoices can
be retrieved from the system in readable form. This kind of supporting
documentation, as well as journals and ledgers, can be printed from the
computer system to serve as evidence for auditors. Under these conditions,
auditors can compare documents used to input data into the system with reports
generated from the system, without gaining extensive knowledge of the
computer system logic. In such cases, the use of IT systems does not have a
great impact on the conduct of the audit, since the auditor can perform audit
testing in the same manner as would be done for a manual system. This practice
is known as auditing around the computer because it does not require
evaluation of computer controls. Sometimes it is also referred to as “the black
box approach,” because it does not involve detailed knowledge of the computer
programs.
Auditing through the computer involves directly testing the internal
controls within the IT system, whereas auditing around the computer does not.
Auditing through the computer is sometimes referred to as “the white box
approach,” because it requires auditors to understand the computer system
logic. This approach requires auditors to evaluate IT controls and processing so
that they can determine whether the information generated from the system is
reliable. Auditing through the computer is necessary under the following
conditions:
 The auditor wants to test computer controls as a basis for evaluating
risk and reducing the amount of substantive audit testing required.
 The auditor is required to report on internal controls in connection with
a financial statement audit of a public company.
 Supporting documents are available only in electronic form.
Auditors can use their own computer systems and audit software to help
conduct the audit. This approach is known as auditing with the computer. A
variety of computer-assisted audit techniques (CAATs) are available for auditing
with the computer. CAATs are useful audit tools because they make it possible for
auditors to use computers to test more evidence in less time.

 TESTS OF CONTROLS
The tests of controls involve audit procedures designed to evaluate both
general controls and application controls. During audit planning, auditors must
learn about the types of controls that exist within their client’s IT environment.
Then they may test those controls to determine whether they are reliable as a
means of reducing risk. Tests of controls are sometimes referred to as
“compliance tests,” because they are designed to determine whether the controls
are functioning in compliance with management’s intentions.

 General Controls
General controls must be tested before application controls are. Since
general controls are the automated controls that affect all computer
applications, the reliability of application controls is considered only after general
controls are deemed reliable. In other words, even when application controls are
believed to be strong, misstatements may still exist as a result of weak general
controls. For example, if there were a lack of physical controls, a company’s
hardware and software could be accessed by an unauthorized user who could
alter the data or the programs. So even if the application controls were working
as designed, the general control deficiency could result in errors in the
underlying information. Accordingly, the effectiveness of general controls is the
foundation for the IT control environment. If general controls are not functioning
as designed, auditors will not devote attention to the testing of application
controls; rather, they will reevaluate the audit approach with reduced reliance on
controls.
There are two broad categories of general controls that relate to IT systems:
o IT administration and the related operating systems development and
maintenance processes
o Security controls and related access issues

 IT Administration
IT departments should be organized so that an effective and efficient
workplace is created and supported. Auditors should verify that the company’s
management promotes high standards with regard to controlling its IT
environment. Related audit tests include review for the existence and
communication of company policies regarding the following important aspects of
administrative control:
o Personal accountability and segregation of incompatible responsibilities
o Job descriptions and clear lines of authority
o Computer security and virus protection
o IT systems documentation

 Security Controls
Auditors are concerned about whether a company’s computer system has
controls in place to prevent unauthorized access to or destruction of information
within the accounting information systems. Unauthorized access may occur
internally when employees retrieve information that they should not have, or
externally when unauthorized users (or hackers) outside the company retrieve
information that they should not have. Access risks tend to escalate as
companies embrace newer technologies and allow sensitive data to be shared
via smart devices, Web and mobile applications, and social networks.
Destruction of information may occur as a result of natural disasters, accidents,
and other environmental conditions.

In order to test external access controls, auditors may perform the following
procedures:
o Authenticity tests, as previously described.
o Penetration tests, which involve various methods of entering the
company’s system to determine whether controls are working as
intended. For example, auditors may search for weaknesses in a
company’s firewall by attempting unauthorized access to the system.
o Vulnerability assessments, which analyze a company’s control
environment for possible weaknesses. For example, auditors may send
test messages through a company’s system to find out whether
encryption of private information is occurring properly. Special software
programs are available to help auditors identify weak points in a
company’s security measures.
o Review access logs to identify unauthorized users or failed access
attempts. Discuss with IT managers the factors involved in rejecting
unauthorized access, and verify the consistency of the managers’
explanations with documented policies.
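
The access-log review in the last procedure above can be sketched as follows. This is an added example, not part of the original module: the log line format, the authorized-user list, and the threshold of three failures are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-04T08:01:12 LOGIN_OK user=jcruz src=10.0.4.21
2024-03-04T08:03:40 LOGIN_FAIL user=admin src=203.0.113.50
2024-03-04T08:03:44 LOGIN_FAIL user=admin src=203.0.113.50
2024-03-04T08:03:49 LOGIN_FAIL user=admin src=203.0.113.50
2024-03-04T08:04:02 LOGIN_OK user=admin src=203.0.113.50
2024-03-04T09:15:30 LOGIN_FAIL user=mreyes src=10.0.4.33
2024-03-04T09:15:52 LOGIN_OK user=mreyes src=10.0.4.33
2024-03-04T11:42:07 LOGIN_OK user=tempuser src=198.51.100.7
2024-03-04T11:50:00 LOGIN_?? user= src=
"""

# Assumed inputs an auditor would obtain from the client's documented policy.
AUTHORIZED_USERS = {"jcruz", "mreyes", "admin"}
FAIL_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return (records, unparsed). Unparsed lines are kept, not dropped,
    because gaps in a log are themselves an audit finding."""
    records, unparsed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append((lineno, line))
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, unparsed


def review_access(records, authorized, fail_threshold):
    """Flag logins by users not on the authorized list, sources with
    repeated failures, and successes that follow a run of failures."""
    records = sorted(records, key=lambda r: r["ts"])
    unknown_users = sorted(
        {r["user"] for r in records
         if r["event"] == "LOGIN_OK" and r["user"] not in authorized}
    )
    failures = Counter(r["src"] for r in records if r["event"] == "LOGIN_FAIL")
    repeated = {s: n for s, n in failures.items() if n >= fail_threshold}

    streak = Counter()          # consecutive failures per source
    success_after_failures = []
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            streak[r["src"]] += 1
        else:
            if streak[r["src"]] >= fail_threshold:
                success_after_failures.append(
                    (r["user"], r["src"], r["ts"].isoformat())
                )
            streak[r["src"]] = 0
    return {
        "unknown_users": unknown_users,
        "repeated_failures": repeated,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(review_access(recs, AUTHORIZED_USERS, FAIL_THRESHOLD))
    print("unparsed lines:", bad)
```

Each finding is a question to take to the IT managers, whose explanations are then checked against the documented policies.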

In order to maintain good controls, a company’s managers should not rely on
their auditors to test for computer access violations, but should also monitor the
systems on their own on an ongoing basis.
One of the most effective ways a company can protect its computer system is
to place physical and environmental controls in the computer center. Physical
controls include locks, security guards, alarms, cameras, and card keys. Physical
controls not only limit access to the company’s computers, but also are
important for preventing damage to computer resources. In addition to assessing
physical controls, auditors should evaluate the IT environment to determine that
proper temperature control is maintained, fireproofing systems are installed, and
an emergency power supply is in place.

 Application Controls
Application controls are computerized controls over application programs.
Since any company may use many different computer programs in its day-to-day
business, there may be many different types of application controls to consider
in an audit. Auditors test the company’s systems documentation to be sure that
adequate details exist for all application programs. The details should include a
list of all applications critical to the information being audited, along with
supporting source code that is kept up to date in the IT library. Backup copies
should be stored off-site. In addition to testing systems documentation, auditors
should test the three main functions of the computer applications, including
input, processing, and output.

o Input Controls
Auditors perform tests to verify the correctness of information input to
software programs. Auditors are concerned about whether errors are
being prevented and detected during the input stage of data processing.
o Processing Controls
IT audit procedures typically include a combination of data accuracy
tests, whereby the data processed by computer applications are reviewed
for correct dollar amounts or other numerical values. For example, limit
tests, described previously as an input control, can also be an effective
processing control. Run-to-run totals involve the recalculation of
amounts from one process to the next to determine whether data have
been lost or altered during the process. Balancing tests involve a
comparison of different items that are expected to have the same values,
such as comparing two batches or comparing actual data against a
predetermined control total. Mathematical accuracy tests verify
whether system calculations are correct.
o Output Controls
Audit tests that evaluate general controls over access and backup
procedures may also be used in the testing of specific computer
application outputs. It is important that auditors test for proper control of
financial information resulting from applications processing. Regardless of
whether the results are printed or retained electronically, auditors may
perform the following procedures to test application outputs:
 Reasonableness tests compare the reports and other results with
test data or other criteria.
 Audit trail tests trace transactions through the application to
ensure that the reporting is a correct reflection of the processing and
inputs.
 Rounding errors tests determine whether significant errors exist
due to the way amounts are rounded and summarized.
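
The processing-control tests named above (run-to-run totals, balancing tests, and mathematical accuracy tests) can be reperformed as in the following added example, which is not part of the original module. The payroll batch, its field names, and the control total are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def rec(emp_id, hours, rate, gross):
    return {"id": emp_id, "hours": Decimal(hours),
            "rate": Decimal(rate), "gross": Decimal(gross)}


# Constructed batch as entered, with its predetermined control total.
INPUT_BATCH = [
    rec("E001", "40.0", "18.50", "740.00"),
    rec("E002", "37.5", "22.00", "825.00"),
    rec("E003", "42.0", "19.25", "808.50"),
    rec("E004", "40.0", "20.00", "800.00"),
]
CONTROL_TOTAL = Decimal("3173.50")

# Constructed output of the next processing run: E003 was lost and
# E002's gross pay was altered (digits transposed).
POSTED_BATCH = [
    rec("E001", "40.0", "18.50", "740.00"),
    rec("E002", "37.5", "22.00", "852.00"),
    rec("E004", "40.0", "20.00", "800.00"),
]


def totals(batch):
    """Record count and amount total for one processing stage."""
    return len(batch), sum((r["gross"] for r in batch), Decimal("0.00"))


def run_to_run(previous, current):
    """Compare the totals of two consecutive runs to detect data that
    were lost or altered between them."""
    prev_count, prev_amount = totals(previous)
    cur_count, cur_amount = totals(current)
    prev_ids = {r["id"] for r in previous}
    cur_ids = {r["id"] for r in current}
    return {
        "count_diff": cur_count - prev_count,
        "amount_diff": cur_amount - prev_amount,
        "missing_ids": sorted(prev_ids - cur_ids),
        "unexpected_ids": sorted(cur_ids - prev_ids),
    }


def balancing_test(batch, control_total):
    """Difference between the batch total and the predetermined control
    total; zero means the batch balances."""
    return totals(batch)[1] - control_total


def mathematical_accuracy(batch):
    """Recalculate gross = hours x rate and list records whose stored
    amount differs from the recalculation."""
    exceptions = []
    for r in batch:
        expected = (r["hours"] * r["rate"]).quantize(CENT, ROUND_HALF_UP)
        if r["gross"] != expected:
            exceptions.append((r["id"], r["gross"], expected))
    return exceptions


if __name__ == "__main__":
    print(run_to_run(INPUT_BATCH, POSTED_BATCH))
    print(balancing_test(POSTED_BATCH, CONTROL_TOTAL))
    print(mathematical_accuracy(POSTED_BATCH))
```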

 TESTS OF TRANSACTIONS AND TESTS OF BALANCES


The auditor’s tests of the accuracy of monetary amounts of transactions and
account balances are known as substantive testing. Substantive testing is
very different from testing controls. Substantive tests verify whether information
is correct, whereas control tests determine whether the information is managed
under a system that promotes correctness. Some level of substantive testing is
required regardless of the results of control testing. If weak internal controls exist
or if important controls are not in place, extensive substantive testing will be
required. On the other hand, if controls are found to be effective, the amount of
substantive testing required is significantly lower, because there is less chance
of error in the underlying records.
In an IT environment, the evidence needed to determine the correctness of
transactions and account balances is contained in electronic data files within the
computer system, from where it may be pulled by specialized audit techniques.
Some techniques used to test controls can also be used to test transactions and
financial statement balances. For example, parallel simulations, the test data
method, the embedded audit module, and the integrated test facility can be
used for both control testing and substantive testing.
Most auditors use generalized audit software (GAS) or data analysis software
(DAS) to perform audit tests on electronic data files taken from commonly used
database systems. These computerized auditing tools make it possible for
auditors to be much more efficient in performing routine audit tests such as the
following:
 Mathematical and statistical calculations
 Data queries
 Identification of missing items in a sequence
 Stratification and comparison of data items
 Selection of items of interest from the data files
 Summarization of testing results into a useful format for decision
making
The use of GAS or DAS is especially useful when there are large volumes of
data and when there is a need for correct information. These programs allow
audit tests to be completed quickly, accurately, and thoroughly, therefore
providing auditors with a way to meet the growing needs of decision makers who
expect precise, immediate information.
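
Several of the routine tests listed above (missing items in a sequence, stratification, and selection of items of interest) are shown in this added example, which is not part of the original module and is not the interface of any particular GAS or DAS product. The invoice register, the stratum boundaries, and the materiality limit are constructed.

```python
from bisect import bisect_right
from collections import Counter
from decimal import Decimal

# Constructed invoice register: (invoice number, amount).
INVOICE_REGISTER = [
    (1001, Decimal("250.00")),
    (1002, Decimal("12400.00")),
    (1003, Decimal("780.50")),
    (1005, Decimal("95.00")),
    (1006, Decimal("5100.00")),
    (1006, Decimal("5100.00")),   # same number recorded twice
    (1009, Decimal("43000.00")),
    (1010, Decimal("310.25")),
]

# Assumed stratum boundaries and materiality limit for this example.
BOUNDARIES = [Decimal("1000"), Decimal("10000")]
MATERIALITY = Decimal("10000")


def sequence_exceptions(register):
    """Return (missing, duplicates) for a prenumbered document series.
    Missing numbers bear on completeness; duplicates on occurrence."""
    counts = Counter(num for num, _ in register)
    low, high = min(counts), max(counts)
    missing = [n for n in range(low, high + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


def stratify(register, boundaries):
    """Group items into amount bands. With boundaries [b0, b1] the bands
    are: below b0, from b0 up to but not including b1, and b1 and above."""
    strata = [{"count": 0, "total": Decimal("0.00")}
              for _ in range(len(boundaries) + 1)]
    for _, amount in register:
        band = strata[bisect_right(boundaries, amount)]
        band["count"] += 1
        band["total"] += amount
    return strata


def select_for_testing(register, materiality):
    """Select items equal to or greater than the materiality limit,
    which are the ones that will be carefully tested."""
    return sorted({num for num, amount in register if amount >= materiality})


def audit_summary(register, boundaries, materiality):
    """Summarize the test results in one structure for the workpapers."""
    missing, duplicates = sequence_exceptions(register)
    return {
        "missing_numbers": missing,
        "duplicate_numbers": duplicates,
        "strata": stratify(register, boundaries),
        "selected": select_for_testing(register, materiality),
    }


if __name__ == "__main__":
    for key, value in audit_summary(
            INVOICE_REGISTER, BOUNDARIES, MATERIALITY).items():
        print(key, value)
```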

 AUDIT COMPLETION/REPORTING
After the tests of controls and substantive audit tests have been completed,
auditors evaluate all the evidence that has been accumulated and draw
conclusions based on this evidence. This phase is the audit completion/reporting
phase.
In forming a conclusion, auditors must consider whether the evidence
supports the information presented. All of the evidence from all phases of the
audit and covering all types of accounts and transactions must be considered
collectively so that the auditors can make an overall decision on the fairness of
the information.
The completion phase includes many tasks that are needed to wrap up the
audit. For many types of audits, the most important task is obtaining a letter of
representations from company management. The letter of representations is
often considered the most significant single piece of audit evidence, because it is
a signed acknowledgment of management’s responsibility for the reported
information. In this letter, management must declare that it has provided
complete and accurate information to its auditors during all phases of the
audit.

1. Unqualified opinion, which states that the auditors believe the financial
statements are fairly and consistently presented in accordance with GAAP
or IFRS
2. Qualified opinion, which identifies certain exceptions to an unqualified opinion
3. Adverse opinion, which notes that there are material misstatements presented
4. Disclaimer, which states that the auditors are unable to reach a conclusion.
When reporting on the effectiveness of internal controls auditors must choose
between an unqualified, adverse, or disclaimer opinion. Communication is key to
the proper conclusion of an audit.

 OTHER AUDIT CONSIDERATIONS

 Different IT Environments
Most companies use microcomputers or personal computers (PCs) in their
accounting processes. General controls covering PCs are often less advanced
than those covering the mainframe and client–server systems. As a result,
PCs may face a greater risk of loss due to unauthorized access, lack of
segregation of duties, lack of backup control, and computer viruses. Following
are some audit techniques used to test controls specifically in the use of PCs:
o Make sure that PCs and removable hard drives are locked in place to
ensure physical security. In addition, programs and data files should be
password protected to prevent online misuse by unauthorized persons.
o Make sure that computer programmers do not have access to systems
operations, so that there is no opportunity to alter source code and the
related operational data. Software programs loaded on PCs should not
permit the users to make program changes. Also ascertain that
computer-generated reports are regularly reviewed by management.
o Compare dates and data included on backup files with live operating
programs in order to determine the frequency of backup procedures.
o Verify the use of antivirus software and the frequency of virus scans.

Security risks always exist in companies that use e-commerce, because
their computer systems are linked online with the systems of their business
partners.
As a result, the reliability of a company’s IT system depends upon the
reliability of its customers’ and/or suppliers’ systems. The audit procedures
used to assess controls in e-commerce environments were addressed earlier
in this chapter in the discussion on external access controls. In addition,
auditors often
 Inspect message logs to identify the points of remote access, verify
proper sequencing of transactions, and review for timely follow up on
unsuccessful transmissions between business partners
 Verify that the company has evaluated the computer systems of its
business partners prior to doing business over the Internet
 Reprocess transactions to see whether they are controlled properly
Because of the difficulty of testing all possible points of access in an online
system, auditors sometimes find it more cost effective to perform substantive
tests rather than extensive tests of controls.
In addition to merely identifying the threats inherent in a cloud computing
environment, it is particularly difficult to estimate their potential costs and
overall impact. However, they may be far-reaching, to say the least. It is
therefore more important than ever for a company and its auditors to
carefully consider whether all relevant risks have been identified and
controlled. Below are some sample questions for auditors to consider when
evaluating a cloud computing environment:

Security Risks:
o What damage could result if an unauthorized user accessed the
company’s data?
o How and when are data encrypted?
o How does the cloud service provider handle internal security?
Availability Risks:
o What damage could result if the company’s data were unavailable
during peak times or for an extended period?
o How does the cloud service provider segregate information between
clients?
o What disaster recovery and business continuity plans are in place?

Processing Risks:
o How are response times and other aspects of operating performance
monitored?
o How does the service provider monitor its capacity for data storage
and usage?
o Is the service provider’s system flexible enough to accommodate the
company’s anticipated growth?

Compliance Risks:
o What compliance standards does the cloud service provider meet?
o What third-party assurance documentation is in place?
o What additional documentation is available to help the company
maintain compliance with applicable laws and regulations?

Once an auditor has considered all the aspects of risk, an audit in a cloud
computing environment can be carried out according to a typical audit approach.
However, because there is no such thing as a standard cloud, it is not possible to
standardize a risk assessment process and audit procedures for a cloud
computing environment. Therefore, tests of controls must be specifically
designed to determine whether identified risks are being properly mitigated, and
substantive tests are used in areas where controls are deemed to be lacking.

 Changes In A Client’s IT Environment


When a company changes the type of hardware or software used or
otherwise modifies its IT environment, its auditors must consider whether
additional audit testing is needed. During its period of change, data may be
taken from different systems at different times. As a result, auditors should
consider applying tests of controls at multiple times throughout the period in
order to determine the effectiveness of controls under each of the systems.
Specific audit tests include verification of the following items:
o An assessment of user needs
o Proper authorization for new projects and program changes
o An adequate feasibility study and cost–benefit analysis
o Proper design documentation, including revisions for changes made via
updated versions, replacements, or maintenance
o Proper user instructions, including revisions for changes made via
updated versions, replacements, or maintenance
o Adequate testing before the system is put into use
Overall, auditors need to evaluate the company’s procedures for developing,
implementing, and maintaining new systems or changes in existing systems.

 Sampling
Auditors cannot possibly evaluate every aspect of every item that impacts
reported information. Auditors rely on sampling, whereby they choose and
test a limited number of items or transactions and then draw conclusions
about the information as a whole on the basis of the results. Since audit tests
do not cover all items in the population, there is some risk that a sample, or
subset, of the population may not represent the balance as a whole. Auditors
try to use sampling so that a fair representation of the population is
evaluated. Computerized software is often employed to help auditors select
samples. Random numbers can be generated by software programs. A
sample is random if each item in the population has an equal chance of being
chosen. The use of computer programs ensures that there is no bias in
selecting the test items. Auditors may also use electronic spreadsheets to
generate random numbers or to choose sample items by other methods, such
as a selection based on item size. The choice of an appropriate sampling
technique is very subjective, and different auditors tend to have different
policies for using and selecting samples.
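The two selection approaches described above, as an added example that is not part of the original module. The invoice population is constructed, and monetary unit sampling is used here as one common size-based method; the module does not name a specific technique.

```python
import random

# Constructed population: (invoice id, recorded amount); amounts must be positive
POPULATION = [("INV-%03d" % i, amt) for i, amt in enumerate(
    [120, 4500, 75, 980, 15000, 60, 310, 2200, 45, 8700, 150, 640], start=1)]

def simple_random_sample(items, n, seed):
    """Each item has an equal chance; a recorded seed lets the pick be reperformed."""
    return random.Random(seed).sample(items, n)

def monetary_unit_sample(items, n, seed):
    """Systematic selection over cumulative amounts: larger items are likelier picks."""
    total = sum(amount for _, amount in items)
    interval = total / n                       # one selection point per interval
    start = random.Random(seed).uniform(0, interval)
    targets = [start + k * interval for k in range(n)]
    picked, cumulative, t = [], 0, 0
    for item in items:
        cumulative += item[1]
        hit = False
        while t < n and targets[t] < cumulative:
            hit = True                         # a selection point falls in this item
            t += 1
        if hit:
            picked.append(item)
    return picked

def selection_rates(sampler, items, n, trials=2000):
    """Share of trials (seeds 0..trials-1) in which each item is selected."""
    counts = {item_id: 0 for item_id, _ in items}
    for seed in range(trials):
        for item_id, _ in sampler(items, n, seed):
            counts[item_id] += 1
    return {item_id: c / trials for item_id, c in counts.items()}

if __name__ == "__main__":
    print(simple_random_sample(POPULATION, 4, seed=2024))
    print(monetary_unit_sample(POPULATION, 4, seed=2024))
    print(selection_rates(monetary_unit_sample, POPULATION, 4))
```

Under the size-based method, any item larger than the sampling interval (total amount divided by sample size) is always selected, while small items are rarely picked; under simple random selection every item is chosen at about the same rate.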

 ETHICAL ISSUES RELATED TO AUDITING


All types of auditors must follow guidelines promoting ethical conduct. For
financial statement auditors, the PCAOB/AICPA has established a Code of
Professional Conduct, commonly called its code of ethics. This code of ethics is
made up of two sections, the principles and the rules. The principles are the
foundation for the honorable behavior expected of CPAs while performing
professional duties, whereas the rules provide more detailed guidance. Following
are the six principles of the code:
1. Responsibilities. In carrying out their professional duties, CPAs should
exercise sensitive professional and moral judgments in all their activities.
2. The Public Interest. CPAs should act in a way that will serve the public
interest, honor the public trust, and demonstrate commitment to
professionalism.
3. Integrity. To maintain and broaden public confidence, CPAs should perform
their professional duties with the highest sense of integrity.
4. Objectivity and Independence. CPAs should maintain objectivity and be
free of conflicts of interest in the performance of their professional duties.
CPAs in public practice should be independent in fact and appearance
when providing auditing and other attestation services.
5. Due Care. CPAs should observe the profession’s technical and ethical
standards, strive continually to improve competence and the quality of
services, and discharge professional responsibility to the best of their
ability.
6. Scope and Nature of Services. CPAs in public practice should observe the
principles of the Code of Professional Conduct in determining the scope
and nature of services to be provided.

Internal auditors and IT auditors must abide by ethical standards
established by the IIA and ISACA, respectively. The IIA Code of Ethics is founded
on the principles of integrity, objectivity, confidentiality, and competency.
Similarly, ISACA’s Code of Professional Ethics recognizes due diligence,
objectivity, competency, communication, maintaining privacy and
confidentiality, and serving in the interests of stakeholders.
