S1 (undergraduate) Information Systems program
M. Rifki Shihab, M.Sc.
@rifkishihab
Objectives
Know the difference between attest services and
advisory services
Understand the structure of an audit and have a
firm grasp of the conceptual elements of the audit
process
Understand internal control categories in the COSO
framework
Be familiar with the key features of Sections 302 and
404 of the Sarbanes-Oxley Act
Understand the relationship between general
controls, application controls, and financial data
integrity
AUDITING
Auditing is a systematic process by which a
competent, independent person objectively obtains
and evaluates evidence regarding assertions about
an economic entity or event, for the purpose of
forming an opinion about, and reporting on, the
degree to which the assertions conform to an
identified set of standards
Auditing provides independent and objective
assurance that:
Information is processed in a safe and sound manner
(integrity)
Operations are efficient and effective
Information assets are safeguarded, so that
information goals are achieved
TYPES OF AUDIT
Financial audits: relate to the integrity and reliability of
financial information.
Operational audits: examination of IS controls, security controls, or
business controls to determine control existence and effectiveness;
examples: IS audits of application controls or logical security
systems
Integrated audits: combine financial and operational audit steps.
Administrative audits: oriented to assessing issues related to the
efficiency of operational productivity within an organization.
Specialized audits: examine areas such as services performed by
third parties.
Forensic audits: auditing specialized in discovering, disclosing and
following up on fraud and crime. The primary purpose of such a
review is the development of evidence for review by law
enforcement and judicial authorities.
IS/IT Audit
INTERNAL AUDITS
Internal auditing: independent appraisal
function established within an organization to
examine and evaluate its activities as a service to
the organization
Forms: Financial Audits, Operational Audits,
Compliance Audits, Fraud Audits, IT Audits
Mostly performs a monitoring function to evaluate
internal efficiency and effectiveness
EXTERNAL AUDITS
External auditing: the objective is to attest that, in all
material respects, the financial statements are a fair
representation of the organization's transactions and
account balances.
Known as an attest service
The rules have been defined by:
the Securities and Exchange Commission (SEC) and its role
the Sarbanes-Oxley Act
FASB (Financial Accounting Standards Board) and
PCAOB (Public Company Accounting Oversight Board)
CPAs (Certified Public Accountants)
AICPA (American Institute of CPAs)
IT AUDITS
IT audits: provide audit services where processes
or data, or both, are embedded in technologies.
Subject to the ethics, guidelines, and standards of the
profession (if certified)
CISA is the certification most closely associated with
ISACA
FINANCIAL AUDITS
An independent attestation performed by an expert
(i.e., an auditor, a CPA) who expresses an opinion
regarding the presentation of financial statements
Key concept: independence
Should be similar to a trial by a judge
Culmination of a systematic process involving:
Familiarization with the organization's business
Evaluating and testing internal controls
Assessing the reliability of financial data
ATTEST vs ADVISORY
ATTEST definition
Written assertions
Practitioner's written report
Formal establishment of measurement criteria, or
their description in the presentation
Limited to:
Examination
Review
Application of agreed-upon procedures
ATTEST vs ADVISORY
ADVISORY
Professional services that are designed to improve
the quality of information, both financial and nonfinancial, used by decision-makers
IT Risk Management
IS Risk Management
Operational Systems Risk Management
Technology & Security Risk Services
Typically a division of assurance services
AUDIT COMPONENTS
Auditing standards
A systematic process
Management assertions & audit objectives
Obtaining evidence
Ascertaining materiality
Communicating results
AUDITING STANDARDS
Auditing standards
Set by AICPA (American Institute of CPA)
Authoritative
#1 = Ten Generally Accepted Auditing Standards
(GAAS)
Three categories:
General Standards
Standards of Field Work
Reporting Standards
A SYSTEMATIC PROCESS
An audit should be conducted as a systematic and
logical process that applies to all forms of
information systems.
IT introduces a high degree of complexity into the
audit (e.g., the audit trail may be purely
electronic, in digital form, and thus invisible to
those attempting to verify it)
Management assertions (each paired with an audit
objective and an audit procedure):
Existence or occurrence
Completeness
Rights and obligations
Valuation or allocation
Presentation and disclosure
OBTAINING EVIDENCE
Auditors seek evidential matter that corroborates
management assertions
In the IT environment this involves gathering evidence
relating to the reliability of:
Computer controls
Contents of databases that have been processed by
computer programs
Evidence collection:
Tests of internal controls, to determine whether they are
functioning properly
Substantive tests, to determine whether the accounting
databases fairly reflect the organization's transactions
and account balances
ASCERTAINING MATERIALITY
Determine whether the weaknesses in internal
control and the misstatements found in transactions
and account balances are material.
A judgment made by the auditor
More complicated when IT is used
COMMUNICATING RESULT
Auditors communicate the results of their tests
to interested users (e.g., the audit committee of the
company's board of directors)
The audit report contains an audit opinion.
AUDIT RISK
DETECTION RISK:
The probability that the audit procedures will fail
to detect material misstatements
Influences the level of substantive testing that must be
performed
The lower the acceptable detection risk, the more
substantive testing is required
THE IT AUDIT
What is an IT audit?
IT allows most accounting transactions to be in
electronic form without any paper
documentation, because electronic storage is
more efficient. These technologies greatly
change the nature of audits, which have for so long
relied on paper documents.
Phases of the IT audit (start to audit report):
Audit Planning Phase:
Review the organization's policies, practices, and structure
Review general controls and application controls
Plan tests of controls and substantive test procedures
Test of Controls Phase:
Perform tests of controls
Determine degree of reliance on controls
Substantive Testing Phase:
Perform substantive tests
Audit report
INTERNAL CONTROL
Internal control is the policies, practices, and procedures designed to:
safeguard assets
ensure accuracy and reliability
promote efficiency
measure compliance with policies
Modifying Principles
Management responsibility:
establishment and maintenance of a system of
internal control is a management responsibility
Reasonable assurance:
no internal control system is perfect
benefits must exceed costs
Modifying Assumptions
Limitations:
Possibility of error
Possibility of circumvention
Management override
Changing conditions
Exposures (the risks internal control is meant to reduce):
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.
Predictive controls
SAS 78
(#1: Control Environment -- elements)
Describe how each one could adversely affect
internal control.
The integrity and ethical values
Structure of the organization
Participation of the audit committee
Management's philosophy and style
Procedures for delegating
Management's methods of assessing
performance
External influences
Organization's policies and practices for
managing human resources
SAS 78
(#1: Control Environment -- techniques)
Describe a possible activity or tool for each.
SAS 78
(#2: Risk Assessment)
Changes in environment
Changes in personnel
Changes in I.S.
New ITs
Significant or rapid growth
New products or services (experience)
Organizational restructuring
Foreign markets
New accounting principles
SAS 78
(#3: Information & Communication -- elements)
Initiate, identify, analyze, classify and record
SAS 78
(#3: Information & Communication -- techniques)
Auditors obtain sufficient knowledge of the I.S. to
understand:
SAS 78
(#4: Monitoring)
By separate procedures (e.g., tests of controls)
By ongoing activities (Embedded Audit Modules,
EAMs, and Continuous Online Auditing, COA)
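An added example (not from the lecture) of the ongoing-monitoring form: an embedded audit module inserted into a hypothetical application's transaction-posting path. It copies every transaction that meets the auditor's predetermined criteria (a materiality threshold, a sensitive account, a posting outside business hours) into an auditor-owned audit file at the moment the transaction is processed, so the auditor's evidence does not depend on the application's own logs. The posting routine, the criteria, the account names and the sample transactions are all constructed for the example.

```python
"""Added example (not part of the lecture slides): an embedded audit module
(EAM) for continuous online auditing.

Assumptions (hypothetical, constructed for this example): the application
posts transactions through post_transaction(); the EAM is a hook placed in
that path that copies transactions meeting the auditor's criteria into an
append-only audit file the application does not write to otherwise.
"""
from dataclasses import dataclass, field
from datetime import datetime
from decimal import Decimal


@dataclass
class Transaction:
    tx_id: str
    account: str
    amount: Decimal
    posted_at: datetime
    user: str


@dataclass
class EmbeddedAuditModule:
    """Auditor-owned capture rules plus the audit file they feed."""
    materiality: Decimal                  # predetermined threshold (assumption)
    sensitive_accounts: frozenset         # accounts the auditor always wants to see
    business_hours: tuple = (8, 18)       # local hours considered normal (assumption)
    audit_file: list = field(default_factory=list)

    def criteria(self, tx):
        """Return the reasons this transaction is of audit interest (empty if none)."""
        reasons = []
        if abs(tx.amount) >= self.materiality:
            reasons.append("material amount")
        if tx.account in self.sensitive_accounts:
            reasons.append("sensitive account")
        start, end = self.business_hours
        if not (start <= tx.posted_at.hour < end) or tx.posted_at.weekday() >= 5:
            reasons.append("posted outside business hours")
        return reasons

    def capture(self, tx):
        """Copy a matching transaction into the audit file; return the reasons."""
        reasons = self.criteria(tx)
        if reasons:
            # A copy of the fields, not a reference to the application's object,
            # so later changes by the application cannot alter what was captured.
            self.audit_file.append({"tx_id": tx.tx_id, "account": tx.account,
                                    "amount": tx.amount, "user": tx.user,
                                    "posted_at": tx.posted_at.isoformat(),
                                    "reasons": reasons})
        return reasons


def post_transaction(ledger, tx, eam):
    """Application posting routine with the EAM hook inserted. The hook runs
    before the ledger update so the capture is not lost if the update fails."""
    eam.capture(tx)
    ledger[tx.account] = ledger.get(tx.account, Decimal(0)) + tx.amount
    return ledger[tx.account]


def run_demo():
    """Post constructed transactions through the hooked routine; return the audit file."""
    eam = EmbeddedAuditModule(materiality=Decimal("10000"),
                              sensitive_accounts=frozenset({"9999-Suspense"}))
    ledger = {}
    sample = [  # constructed sample input; 2024-03-04 is a Monday, 2024-03-09 a Saturday
        Transaction("T1", "1000-Cash", Decimal("250"), datetime(2024, 3, 4, 10, 15), "alice"),
        Transaction("T2", "1000-Cash", Decimal("15000"), datetime(2024, 3, 4, 11, 0), "bob"),
        Transaction("T3", "9999-Suspense", Decimal("40"), datetime(2024, 3, 4, 14, 30), "carol"),
        Transaction("T4", "2000-AP", Decimal("-900"), datetime(2024, 3, 9, 23, 45), "dave"),
    ]
    for tx in sample:
        post_transaction(ledger, tx, eam)
    return eam.audit_file


if __name__ == "__main__":
    for entry in run_demo():
        print(entry["tx_id"], entry["reasons"])
```

The materiality threshold is the same judgment discussed under ascertaining materiality; here it is fixed in advance and applied continuously rather than once at the end of the engagement. In a real deployment the audit file would live outside the application's write access (a separate store or host), which is the property the in-memory list stands in for.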
SAS 78 (#5: Control Activities)
Transaction authorization
Example:
Segregation of duties
Supervision
Independent verification
Management can assess:
IT Risks Model
Operations
Data management systems
New systems development
Systems maintenance
Electronic commerce (The Internet)
Computer applications