
Chapter 1


Chapter 1 Auditing and Internal Control

External (Financial) Audits

An external audit is an independent attestation performed by an expert—the auditor—who expresses an opinion regarding the presentation of financial statements.

This task, known as the attest service, is performed by Certified Public Accountants (CPAs) who work for public accounting firms that are independent of the client organization being audited.

Their objective is to assure the fair presentation of financial statements.

The Securities and Exchange Commission (SEC) requires all publicly traded companies be subject to a financial audit annually.

A key concept in this process is independence.

The external auditor must follow strict rules in conducting financial audits. These authoritative rules have been defined by the SEC, the Financial Accounting Standards Board (FASB), the AICPA, and by federal law (Sarbanes-Oxley [SOX] Act of 2002).

Attest Service versus Advisory Services

The attest service is defined as an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.

The following requirements apply to attestation services:

• Attestation services require written assertions and a practitioner’s written report.

• Attestation services require the formal establishment of measurement criteria or their description in the presentation.

• The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.

Advisory Services

Advisory services are professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness.

As examples, advisory services include actuarial advice, business advice, fraud investigation services, information system design and implementation.

Internal Audits

Internal auditing is an independent appraisal function that examines and evaluates activities within an organization as a service to that organization.

Internal auditors perform a wide variety of activities, including financial, operational, compliance and fraud risk.

Independence is self-imposed, but auditors represent the interests of the organization.

External versus Internal Auditor

External auditors represent outsiders; internal auditors represent the organization’s interests.

Internal auditors often cooperate with and assist external auditors in some aspects of financial audits.

Fraud Audits

Fraud audits have recently increased in popularity as a corporate governance tool.

The objective is to investigate anomalies and gather evidence of fraud that may lead to criminal convictions.

Sometimes fraud audits are initiated by corporate management who suspect employee fraud.

Typically, fraud auditors have earned the Certified Fraud Examiner (CFE) certification, which is governed by the Association of Certified Fraud Examiners.

THE ROLE OF THE AUDIT COMMITTEE

This committee usually consists of three people who should be outsiders (not associated with the families of executive management nor former officers, etc.).

With the advent of the Sarbanes-Oxley Act, at least one member of the audit committee must be a “financial expert.”

The audit committee serves as an independent “check and balance” for the internal audit function and liaison with external auditors.

Auditing Standards

Auditing standards are divided into three classes: general qualification standards, field work standards, and reporting standards.

To provide specific guidance, the American Institute of Certified Public Accountants (AICPA) issues Statements on Auditing Standards (SASs) as authoritative interpretations of GAAS. SASs are often referred to as auditing standards, or GAAS, although they are not the ten generally accepted auditing standards.

The first SAS (SAS 1) was issued by the AICPA in 1972.

Statements on Auditing Standards are regarded as authoritative pronouncements because every member of the profession must follow their recommendations or be able to show why a SAS does not apply in a given situation.

A Systematic Process

Conducting an audit is a systematic and logical process that applies to all forms of information systems. While important in all audit settings, a systematic approach is particularly important in the IT environment.
Management Assertions and Audit Objectives

The organization’s financial statements reflect a set of management assertions about the financial health of the entity. The task of the auditor is to determine whether the financial statements are fairly presented. To accomplish this goal, the auditor establishes audit objectives, designs procedures, and gathers evidence that corroborate or refute management’s assertions. These assertions fall into five general categories:

1. The existence or occurrence assertion affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred.
2. The completeness assertion declares that no material assets, equities, or transactions have been omitted from the financial statements.
3. The rights and obligations assertion maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations.
4. The valuation or allocation assertion states that assets and equities are valued in accordance with GAAP and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis.
5. The presentation and disclosure assertion alleges that financial statement items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements.

Generally, auditors develop their audit objectives and design audit procedures based on the preceding assertions. Audit objectives may be classified into two general categories. The first one relates to transactions and account balances that directly impact financial reporting. The second category pertains to the information system itself. This category includes the audit objectives for assessing controls over manual operations and computer technologies used in transaction processing.

Obtaining Evidence

Auditors seek evidential matter that corroborates management assertions. In the IT environment, this process involves gathering evidence relating to the reliability of computer controls as well as the contents of databases that have been processed by computer programs. Evidence is collected by performing tests of controls, which establish whether internal controls are functioning properly, and substantive tests, which determine whether accounting databases fairly reflect the organization’s transactions and account balances.

Ascertaining Materiality

The auditor must determine whether weaknesses in internal controls and misstatements found in transactions and account balances are material. In all audit environments, assessing materiality is an auditor judgment. In an IT environment, however, this decision is complicated further by technology and a sophisticated internal control structure.

Communicating Results

Auditors must communicate the results of their tests to interested users. An independent auditor renders a report to the audit committee of the board of directors or stockholders of a company. The audit report contains, among other things, an audit opinion. This opinion is distributed along with the financial report to interested parties both internal and external to the organization. IT auditors often communicate their findings to internal and external auditors, who can then integrate these findings with the non-IT aspects of the audit.

AUDIT RISK

Audit risk is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated. Material misstatements may be caused by errors or irregularities or both. Errors are unintentional mistakes. Irregularities are intentional misrepresentations associated with the commission of a fraud such as the misappropriation of physical assets or the deception of financial statement users.

Audit Risk Components

The auditor’s objective is to achieve a level of audit risk that is acceptable to the auditor. Acceptable audit risk (AR) is estimated based on the ex-ante value of the components of the audit risk model. These are inherent risk, control risk, and detection risk.

Inherent Risk

Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in declining industries have greater inherent risk than firms in stable or thriving industries. Likewise, industries that have a heavy volume of cash transactions have a higher level of inherent risk than those that do not. Auditors cannot reduce the level of inherent risk. Even in a system protected by excellent controls, financial data and, consequently, financial statements, can be materially misstated.

Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.

Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.

The Relationship Between Tests of Controls and Substantive Tests

Tests of controls and substantive tests are auditing techniques used for reducing audit risk to an acceptable level. The stronger the internal control structure, as determined through tests of controls, the lower the control risk and the less substantive testing the auditor must do. This relationship is true because the likelihood of errors in the accounting records is reduced when controls are strong. In other words, when controls are in place and effective, the auditor may limit substantive testing. In contrast, the weaker the internal control structure, the greater the control risk and the more substantive testing the auditor must perform to reduce total audit risk.

THE IT AUDIT

The IT audit is an audit process that involves three conceptual phases: audit planning, tests of controls, and substantive testing.

The Structure of an IT Audit

Audit Planning

The first step in the IT audit is audit planning. Before the auditor can determine the nature
and extent of the tests to perform, he or she must gain a thorough understanding of the
client’s business. A major part of this phase of the audit is the analysis of audit risk. The
auditor’s objective is to obtain sufficient information about the firm to plan the other phases
of the audit.

Tests of Controls

The objective of the tests of controls phase is to determine whether adequate internal
controls are in place and functioning properly. To accomplish this, the auditor performs
various tests of controls.

Substantive Testing

The third phase of the audit process focuses on financial data. This phase involves a detailed
investigation of specific account balances and transactions through what are called
substantive tests.

INTERNAL CONTROL

Internal controls are the mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information. Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance that information is reliable, accurate and timely.

INTERNAL CONTROL OBJECTIVES, PRINCIPLES, AND MODELS

An organization’s internal control system comprises policies, practices, and procedures to achieve four broad objectives:

1. To safeguard assets of the firm.

2. To ensure the accuracy and reliability of accounting records and information.

3. To promote efficiency in the firm’s operations.

4. To measure compliance with management’s prescribed policies and procedures.

Modifying Principles

Inherent in these control objectives are four modifying principles that guide designers and auditors of internal control systems.
