
Chapter 1

An external audit is an independent
attestation performed by an expert, the
auditor, who expresses an opinion
regarding the presentation of financial
statements (an attest service performed by a CPA).
The attest service is defined as:
... an engagement in which a practitioner is
engaged to issue, or does issue, a written
communication that expresses a conclusion
about the reliability of a written assertion that
is the responsibility of another party. (SSAE
No. 1, AT Sec. 100.01)
Advisory services are professional services
offered by public accounting firms to improve
their client organizations' operational
efficiency and effectiveness.
IIA defines internal auditing as an independent
appraisal function established within an
organization to examine and evaluate its
activities as a service to the organization
Activities:
conducting financial audits,
examining an operation's compliance with
organizational policies,
reviewing the organization's compliance with legal
obligations,
evaluating operational efficiency, and
detecting and pursuing fraud within the firm.
The objective of a fraud audit is to investigate
anomalies and gather evidence of fraud that
may lead to criminal conviction
Fraud auditors have earned the Certified
Fraud Examiner (CFE) certification, which is
governed by the Association of Certified
Fraud Examiners (ACFE)
consists of three people who should be
outsiders (not associated with the families of
executive management nor former officers,
etc.)
at least one member of the audit committee
must be a financial expert.
The audit committee serves as an
independent check and balance for the
internal audit function and liaison with
external auditors
Generally Accepted Auditing Standards
A Systematic Process
Management Assertions and Audit Objectives
5 assertions
Obtaining Evidence
Ascertaining Materiality
Communicating Results
Audit risk is the probability that the auditor
will render an unqualified (clean) opinion on
financial statements that are, in fact,
materially misstated
Acceptable audit risk (AR) is estimated based
on the ex ante value of the components of
the audit risk model
Inherent risk is associated with the unique
characteristics of the business or industry of
the client
Control risk is the likelihood that the control
structure is flawed because controls are
either absent or inadequate to prevent or
detect errors in the accounts.
Detection risk is the risk that auditors are
willing to take that errors not detected or
prevented by the control structure will also
not be detected by the auditor
Audit Risk Model
AR = IR × CR × DR
The Relationship Between Tests of Controls
and Substantive Tests
The stronger the
internal control structure, as determined
through tests of controls, the lower the
control risk and the less substantive testing
the auditor must do.
An IT audit focuses on the computer-based
aspects of an organization's information
system; and modern systems employ
significant levels of technology
The Structure of an IT Audit
Audit planning
Test of controls
Substantive test (fig 1.1)
Review Organization's Policies, Practices, and
Structure
Review General Controls and Application
Controls
Plan Tests of Controls and Substantive
Testing Procedures
Perform Tests of Controls
Evaluate Test Results
Determine Degree of Reliance on Controls
Perform Substantive Tests
Evaluate Results and Issue Auditor's Report
SEC Acts of 1933 and 1934
Copyright Law of 1976
Foreign Corrupt Practices Act (FCPA) of 1977
Committee of Sponsoring Organizations,
1992
Sarbanes-Oxley Act of 2002
An organization's internal control system
comprises policies, practices, and procedures
to achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of
accounting records and information.
3. To promote efficiency in the firm's
operations.
4. To measure compliance with
management's prescribed policies and
procedures.
Management Responsibility: establishment and
maintenance of a system of internal control
Methods of Data Processing
Limitations:
(1) the possibility of error: no system is perfect,
(2) circumvention: personnel may circumvent the system
through collusion or other means,
(3) management override: management is in a position to
override control procedures by personally distorting
transactions or by directing a subordinate to do so, and
(4) changing conditions: conditions may change over
time so that existing effective controls may become
ineffectual.
Reasonable Assurance (see fig 1.2): the cost of achieving
improved control should not outweigh its benefits.
Preventive Controls
passive techniques designed to reduce the
frequency of occurrence of undesirable events
Detective Controls
devices, techniques, and procedures designed to
identify and expose undesirable events that elude
preventive controls
Corrective Controls
actually fix the problem
The Control Environment
Risk Assessment
Information and communication
Monitoring
Control Activities
the foundation for the other four control
components
Elements:
The integrity and ethical values of management.
The structure of the organization.
The participation of the organization's board of directors
and the audit committee, if one exists.
Management's philosophy and operating style.
The procedures for delegating responsibility and
authority.
Management's methods for assessing performance.
External influences, such as examinations by regulatory
agencies.
The organization's policies and practices for managing
its human resources.
to identify, analyze, and manage risks
relevant to financial reporting.
Risks can arise or change from circumstances
such as:
Changes in the operating environment that impose
new or changed competitive pressures on the firm.
New personnel who have a different or inadequate
understanding of internal control.
New or reengineered information systems that
affect transaction processing.
Significant and rapid growth that strains existing
internal controls.
The implementation of new technology into the
production process or information system that impacts
transaction processing.
The introduction of new product lines or activities with
which the organization has little experience.
Organizational restructuring resulting in the reduction
and/or reallocation of personnel such that business
operations and transaction processing are affected.
Entering into foreign markets that may impact
operations (that is, the risks associated with foreign
currency transactions).
Adoption of a new accounting principle that impacts the
preparation of financial statements
An effective accounting information system
will:
Identify and record all valid financial transactions.
Provide timely information about transactions in
sufficient detail to permit proper classification and
financial reporting.
Accurately measure the financial value of
transactions so their effects can be recorded in
financial statements.
Accurately record transactions in the time period in
which they occurred
the process by which the quality of internal
control design and operation can be assessed
Ongoing monitoring may be achieved by
integrating special computer modules into
the information system that capture key data
and/or permit tests of controls to be
conducted as part of routine operations
the policies and procedures used to ensure
that appropriate actions are taken to deal
with the organization's identified risks
Controls are divided into two categories: physical and IT
controls (see fig 1.4)
relates primarily to the human activities
employed in accounting systems.
These activities may be purely manual, such
as the physical custody of assets, or they may
involve the physical use of computers to
record transactions or update accounts
Transaction authorization
Segregation of duties
Supervision
Accounting records
Access control
Independent verification
Application controls are to ensure the validity,
completeness, and accuracy of financial
transactions
General controls include controls over IT
governance, IT infrastructure, security and
access to operating systems and databases,
application acquisition and development, and
program change procedures.
Understand the flow of transactions, including IT
aspects, in sufficient detail to identify points at which
a misstatement could arise.
Using a risk-based approach, assess both the design
and operating effectiveness of selected internal
controls related to material accounts.
Assess the potential for fraud in the system and
evaluate the controls designed to prevent or detect
fraud.
Evaluate and conclude on the adequacy of controls
over the financial statement reporting process
Evaluate entity-wide (general) controls that
correspond to the components of the COSO
framework.