
Auditing, Assurance, and Internal Control

S1 Sistem Informasi
M. Rifki Shihab, M.Sc.
@rifkishihab

Objectives
Know the difference between attest services and advisory services
Understand the structure of an audit and have a firm grasp of the conceptual elements of the audit process
Understand the internal control categories in the COSO framework
Be familiar with the key features of Sections 302 and 404 of the Sarbanes-Oxley Act
Understand the relationship between general controls, application controls, and financial data integrity

AUDITING
Auditing is a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an economic entity or event, for the purpose of forming an opinion about, and reporting on, the degree to which the assertions conform to an identified set of standards.
Auditing provides independent and objective assurance that:
Information is processed in a safe and sound manner - integrity
Operations are efficient and effective
Information assets are safeguarded - achieving information goals

TYPES OF AUDIT
Financial audits: relate to financial information integrity and reliability.
Operational audits: examination of IS controls, security controls, or business controls to determine control existence and effectiveness; examples: IS audits of application controls or logical security systems.
Integrated audits: combine financial and operational audit steps.
Administrative audits: oriented to assessing issues related to the efficiency of operational productivity within an organization.
Specialized audits: examine areas such as services performed by third parties.
Forensic audits: auditing specialized in discovering, disclosing and following up on frauds and crimes. The primary purpose of such a review is the development of evidence for review by law enforcement and judicial authorities.
IS/IT Audit

INTERNAL AUDITS
Internal auditing: an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
Forms: Financial Audits, Operational Audits, Compliance Audits, Fraud Audits, IT Audits
Mostly performs a monitoring function to evaluate internal efficiency and effectiveness.

EXTERNAL AUDITS
External auditing: the objective is that, in all material respects, the financial statements are a fair representation of the organization's transactions and account balances.
Known as an attest service
The rules have been defined by:
Securities and Exchange Commission (SEC) - its role
Sarbanes-Oxley Act
FASB (Financial Accounting Standards Board) and PCAOB (Public Company Accounting Oversight Board)
CPA (Certified Public Accountants)
AICPA (American Institute of CPAs)

EXTERNAL vs. INTERNAL
External auditing:
Independent auditor (CPA)
Independence defined by SEC/S-OX/AICPA
Required by SEC for publicly traded companies
Referred to as a financial audit
Represents interests of outsiders, the public (e.g., stakeholders)
Standards, guidance, certification governed by AICPA, FASB, PCAOB; delegated by the SEC, which has final authority

Internal auditing:
Auditor (often a CIA or CISA)
Is an employee of the organization, imposing independence on self
Optional, per management requirements
Broader services than a financial audit (e.g., operational audits)
Represents interests of the organization
Standards, guidance, certification governed by IIA and ISACA

IT AUDITS
IT audits: provide audit services where processes or data, or both, are embedded in technologies.
Subject to ethics, guidelines, and standards of the profession (if certified)
CISA
Most closely associated with ISACA
Joint with internal, external, and fraud audits
Scope of IT audit coverage is increasing
Characterized by CAATTs (computer-assisted audit tools and techniques)
IT governance as part of corporate governance

FINANCIAL AUDITS
An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements.
Key concept: Independence
{Should be} Similar to a trial by judge
Culmination of a systematic process involving:
Familiarization with the organization's business
Evaluating and testing internal controls
Assessing the reliability of financial data
The product is a formal written report that expresses an opinion about the reliability of the assertions in the financial statements, in conformity with GAAP (Generally Accepted Accounting Principles).

ATTEST vs ADVISORY
ATTEST definition
Written assertions
Practitioner's written report
Formal establishment of measurement criteria or
their description in the presentation
Limited to:
Examination
Review
Application of agreed-upon procedures

ATTEST vs ADVISORY
ADVISORY
Professional services that are designed to improve the quality of information, both financial and nonfinancial, used by decision-makers

IT Audit Groups in Big Four

IT Risk Management
IS Risk Management
Operational Systems Risk Management
Technology & Security Risk Services
Typically a division of assurance services

AUDIT COMPONENTS
Auditing standards
A systematic process
Management assertions & audit objectives
Obtaining evidence
Ascertaining materiality
Communicating results

AUDITING STANDARDS
Auditing standards
Set by AICPA (American Institute of CPAs)
Authoritative
#1 = Ten Generally Accepted Auditing Standards (GAAS)
Three categories:
General Standards
Standards of Field Work
Reporting Standards
#2 = Statements on Auditing Standards (SASs)
SAS #1 issued by AICPA in 1972

A SYSTEMATIC PROCESS
The audit should be conducted as a systematic and logical process that applies to all forms of information systems.
IT introduces a high degree of complexity into the IT audit (e.g. the audit trail may be purely electronic, in digital form, and thus invisible to those attempting to verify it).

MANAGEMENT ASSERTIONS AND AUDIT OBJECTIVES
Existence or Occurrence: affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred.
Completeness: declares that no material assets, equities, or transactions have been omitted from the financial statements.
Rights & Obligations: maintains that assets appearing on the balance sheet are owned by the entity and the liabilities reported are obligations of the entity.
Valuation or Allocation: states that assets and equities are valued in accordance with GAAP and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis.
Presentation or Disclosure: alleges that financial statement items are correctly classified and that footnote disclosures are adequate to avoid misleading the users of financial statements.

MANAGEMENT ASSERTIONS AND AUDIT OBJECTIVES
Management assertion / Audit objective / Audit procedure

Existence or Occurrence
  Audit objective: Inventories listed in the balance sheet exist
  Audit procedure: Observe the counting of physical inventory

Completeness
  Audit objective: Accounts payable include all obligations to vendors for the period
  Audit procedure: Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period

Rights and Obligations
  Audit objective: Plant and equipment listed in the balance sheet are owned by the entity
  Audit procedure: Review purchase agreements, insurance policies, and related documents

Valuation or Allocation
  Audit objective: Accounts receivable are stated at net realizable value
  Audit procedure: Review the entity's aging of accounts and evaluate the adequacy of the allowance for uncollectible accounts

Presentation and Disclosure
  Audit objective: Contingencies not reported in financial accounts are properly disclosed in footnotes
  Audit procedure: Obtain information from the entity's lawyers about the status of litigation and estimates of potential loss

OBTAINING EVIDENCE
Auditors seek evidential matter that corroborates management assertions.
In the IT environment this involves gathering evidence relating to the reliability of:
Computer controls
Contents of databases that have been processed by computer programs
Evidence collection:
Tests of internal controls to determine whether they are functioning properly
Substantive tests to determine whether the accounting databases fairly reflect the organization's transactions and account balances

ASCERTAINING MATERIALITY
Determine whether the weaknesses in internal control and misstatements found in transactions and account balances are material.
Judged by the auditor
More complicated when using IT

COMMUNICATING RESULTS
Auditors communicate the results of their tests to interested users (e.g. the audit committee of the board of directors of a company).
The audit report contains an audit opinion.

AUDIT RISK

Audit Risk Formula
AUDIT RISK:
The probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find.

INHERENT RISK:
Associated with the unique characteristics of the business or industry of the client
Example: declining industries have greater risk than stable/thriving firms
Includes economic conditions, etc.
The auditor cannot reduce the level of inherent risk

CONTROL RISK:
The probability that the internal controls will fail to detect material misstatements
For example: capability of the system to detect a wrong total price

DETECTION RISK:
The probability that the audit procedures will fail to detect material misstatements
Influences the level of substantive tests that must be performed
The lower the percentage, the more substantive testing is required

AUDIT RISK MODEL:
AR = IR * CR * DR
Example, inventory with:
IR=40%, CR=60%, AR=5% (fixed)
.05 = .4 * .6 * DR
... then DR=4.8%
Why is AR = 5%? 95% confidence level in statistics
What is detection risk?
Can CR realistically be 0?
Relationship between DR and substantive procedures

Audit Risk Model
Relationship between tests of controls and substantive tests
Illustrate higher reliability of the internal controls and the Audit Risk Model
What happens if internal controls are more reliable than at the last audit?
Last year: .05 = .4 * .6 * DR [DR = 0.2]
This year: .05 = .4 * .4 * DR [DR = 0.31]
The more reliable the internal controls, the lower the CR probability; thus the higher the DR will be, and fewer substantive tests are necessary.
Substantive tests are labor intensive
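Solving the model for detection risk, as an added worked derivation that is not part of the original slides, using the slides' own values (AR = 5%, IR = 40%, CR = 60% last year and 40% this year):

$$
AR = IR \times CR \times DR \quad\Rightarrow\quad DR = \frac{AR}{IR \times CR}
$$

$$
\text{Last year: } DR = \frac{0.05}{0.4 \times 0.6} = \frac{0.05}{0.24} \approx 0.208 \approx 0.2
$$

$$
\text{This year: } DR = \frac{0.05}{0.4 \times 0.4} = \frac{0.05}{0.16} = 0.3125 \approx 0.31
$$

With AR held at 5%, a lower CR raises the DR the auditor can tolerate, which is why fewer substantive tests are needed when the tests of controls show the controls to be more reliable.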

THE IT AUDIT

What is an IT Audit?
Most accounting transactions are now in electronic form without any paper documentation, because electronic storage is more efficient. These technologies greatly change the nature of audits, which have so long relied on paper documents.
An IT audit focuses on the computer-based aspects of an organization's information system.

THE STRUCTURE OF AN IT AUDIT

START
Audit Planning Phase:
  Review organization's policies, practices, and structure
  Review general controls and application controls
  Plan tests of controls and substantive test procedures
Test of Controls Phase:
  Perform tests of controls
  Evaluate test results
  Determine degree of reliance on controls
Substantive Testing Phase:
  Perform substantive tests
  Evaluate results and issue auditor's report
Audit report

THE STRUCTURE OF AN IT AUDIT
Audit planning: thorough understanding of the client's business
Tests of controls: determine whether adequate internal controls are in place and functioning properly
Substantive tests: detailed investigation of specific account balances and transactions
CAATTs

INTERNAL CONTROL HISTORY

BRIEF HISTORY - SEC
SEC (Securities and Exchange Commission) acts of 1933 and 1934
"Ivar Kreuger's Contribution to U.S. Financial Reporting", Accounting Review, Flesher & Flesher
All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.

BRIEF HISTORY - Copyright
Federal Copyright Act 1976
Protects intellectual property in the U.S.
Has been amended numerous times since
Management is legally responsible for violations by the organization
The U.S. government has continually sought international agreement on terms for protection of intellectual property globally vs. nationally

BRIEF HISTORY - FCPA
Foreign Corrupt Practices Act 1977
Accounting provisions
FCPA requires SEC registrants to establish and maintain books, records, and accounts.
It also requires establishment of internal accounting controls sufficient to meet these objectives:
Transactions are executed in accordance with management's general or specific authorization.
Transactions are recorded as necessary to prepare financial statements (i.e., GAAP) and to maintain accountability.
Access to assets is permitted only in accordance with management authorization.
The recorded assets are compared with existing assets at reasonable intervals.
Illegal foreign payments

BRIEF HISTORY - COSO
Committee of Sponsoring Organizations (of the Treadway Commission) - 1992
AICPA, AAA, FEI, IMA, IIA
Developed a management-perspective model for internal controls over a number of years
Widely adopted

BRIEF HISTORY - S-OX
Sarbanes-Oxley Act - 2002
Section 404: Management Assessment of Internal Control
Management is responsible for establishing and maintaining the internal control structure and procedures.
Must certify by report on the effectiveness of internal control each year, with the other annual reports.
Section 302: Corporate Responsibility for Financial Reports
Financial executives must disclose deficiencies in internal control, and fraud (whether the fraud is material or not).

INTERNAL CONTROL OBJECTIVES, PRINCIPLES AND MODELS

INTERNAL CONTROL
is the policies, practices, and procedures designed to:
safeguard assets
ensure accuracy and reliability
promote efficiency
measure compliance with policies

Modifying Principles
Management responsibility
Establishment and maintenance of a system of internal control is a management responsibility
Reasonable assurance
no internal control system is perfect
benefits must exceed costs
Methods of data processing
Objectives are the same regardless of DP method
Specific controls vary with different technologies

Modifying Assumptions
Limitations
Possibility of error
Possibility of circumvention
Management override
Changing conditions

EXPOSURES AND RISK
Exposure (definition)
Risks (definition)
Types of risk:
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.

THE P-D-C MODEL
Preventive controls
Detective controls
Corrective controls
Which is most cost effective?
Which one tends to be proactive measures?
Can you give an example of each?
Predictive controls

SAS 78: Consideration of Internal Control in a Financial Statement Audit
COSO (Treadway Commission)
The control environment
Risk assessment
Information & communication
Monitoring
Control activities

SAS 78
(#1: Control Environment -- elements)
Describe how each one could adversely affect internal control.
The integrity and ethical values
Structure of the organization
Participation of the audit committee
Management's philosophy and style
Procedures for delegating

SAS 78
(#1: Control Environment -- elements)
Management's methods of assessing performance
External influences
Organization's policies and practices for managing human resources

SAS 78
(#1: Control Environment -- techniques)
Describe a possible activity or tool for each.
Assess the integrity of the organization's management
Conditions conducive to management fraud
Understand the client's business and industry
Determine if the board and audit committee are actively involved
Study the organization structure

SAS 78
(#2:Risk Assessment)

Changes in environment
Changes in personnel
Changes in I.S.
New ITs
Significant or rapid growth
New products or services (experience)
Organizational restructuring
Foreign markets
New accounting principles

SAS 78
(#3: Information & Communication -- elements)
Initiate, identify, analyze, classify and record economic transactions and events.
Identify and record all valid economic transactions
Provide timely, detailed information
Accurately measure financial values
Accurately record transactions

SAS 78
(#3: Information & Communication -- techniques)
Auditors obtain sufficient knowledge of the I.S. to understand:
Classes of transactions that are material
Accounting records and accounts used
Processing steps: from initiation to inclusion in the financial statements (illustrate)
Financial reporting process (including disclosures)

SAS 78
(#4: Monitoring)
By separate procedures (e.g., tests of controls)
By ongoing activities (Embedded Audit Modules
EAMs and Continuous Online Auditing - COA)

SAS 78
Physical Controls (1-3)
Transaction authorization
Examples:
Sales only to authorized customers
Sales only if within the available credit limit
Segregation of duties
Examples of incompatible duties:
Authorization vs. processing [e.g., sales vs. authorizing customers]
Custody vs. recordkeeping [e.g., custody of inventory vs. data processing of inventory]
Fraud requires collusion [e.g., separate the various steps in a process]
Supervision
Serves as a compensating control when a lack of segregation of duties exists by necessity

Physical Controls (4-6)
Accounting records (audit trails; examples)
Access controls
Direct (the assets)
Indirect (documents that control the assets)
Fraud
Disaster Recovery
Independent verification
Management can assess:
The performance of individuals
The integrity of the AIS
The integrity of the data in the records
Examples
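As an added illustration of the transaction authorization, segregation of duties, and accounting records (audit trail) controls from the two Physical Controls slides, not code from the original slides: the customer master, role assignments, and order values below are constructed, and the authorization rules mirror the slide's examples (sales only to authorized customers, only within the credit limit, and never by a user who also holds the incompatible credit-authorization duty).

```python
# Added illustration (not from the slides): application-level implementations
# of three SAS 78 physical controls - transaction authorization, segregation
# of duties, and an audit trail. Customer and user data below are constructed.
from dataclasses import dataclass


@dataclass
class Customer:
    customer_id: str
    authorized: bool        # approved by the credit department
    credit_limit: float
    balance: float          # outstanding receivables


@dataclass
class AuditEntry:
    order_id: str
    customer_id: str
    amount: float
    user: str
    outcome: str


# Constructed customer master file
CUSTOMERS = {
    "C100": Customer("C100", True, 10_000.0, 2_500.0),
    "C200": Customer("C200", False, 5_000.0, 0.0),
    "C300": Customer("C300", True, 1_000.0, 900.0),
}

# Constructed role assignments: one person may not both authorize customers
# (credit) and process sales (order entry), nor both hold inventory (custody)
# and record it (recordkeeping).
ROLES = {
    "alice": {"credit_authorization"},
    "bob": {"order_processing"},
    "carol": {"credit_authorization", "order_processing"},  # SoD conflict
}

INCOMPATIBLE = [
    ("credit_authorization", "order_processing"),
    ("inventory_custody", "inventory_recordkeeping"),
]

AUDIT_TRAIL: list[AuditEntry] = []   # the accounting record of every decision


def sod_conflicts(user: str) -> list[tuple[str, str]]:
    """Return the incompatible duty pairs this user holds simultaneously."""
    roles = ROLES.get(user, set())
    return [pair for pair in INCOMPATIBLE if roles.issuperset(pair)]


def authorize_sale(order_id: str, customer_id: str, amount: float, user: str) -> str:
    """Apply the authorization control and log the decision to the audit trail."""
    customer = CUSTOMERS.get(customer_id)
    if "order_processing" not in ROLES.get(user, set()):
        outcome = "rejected: user not permitted to process orders"
    elif sod_conflicts(user):
        outcome = "rejected: segregation of duties violation"
    elif customer is None or not customer.authorized:
        outcome = "rejected: customer not authorized"
    elif customer.balance + amount > customer.credit_limit:
        outcome = "rejected: exceeds available credit"
    else:
        customer.balance += amount      # approved sale raises the receivable
        outcome = "approved"
    AUDIT_TRAIL.append(AuditEntry(order_id, customer_id, amount, user, outcome))
    return outcome
```

Every call, approved or rejected, leaves an entry in AUDIT_TRAIL, which is what an auditor would sample when verifying that the authorization control operates as described.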

IT Risks Model

Operations
Data management systems
New systems development
Systems maintenance
Electronic commerce (The Internet)
Computer applications

Role of Audit Committee
Selected from the board of directors
Usually three members
Outsiders (S-OX now requires it)
Fiduciary responsibility to shareholders
Serve as an independent check and balance system
Interact with internal auditors
Hire, set fees for, and interact with external auditors
Resolve conflicts over GAAP between external auditors and management
