attestation performed by an expertthe auditor who expresses an opinion regarding the presentation of financial statements attest service by CPA The attest service is defined as: ... an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. (SSAE No. 1, AT Sec. 100.01) Advisory services are professional services offered by public accounting firms to improve their client organizations operational efficiency and effectiveness IIA defines internal auditing as an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization Activities : conducting financial audits examining an operations compliance with organizational policies reviewing the organizations compliance with legal obligations, evaluating operational efficiency, and detecting and pursuing fraud within the firm. The objective of a fraud audit is to investigate anomalies and gather evidence of fraud that may lead to criminal conviction fraud auditors have earned the Certified Fraud Examiner (CFE) certification, which is governed by the Association of Certified Fraud Examiners (ACFE) consists of three people who should be outsiders (not associated with the families of executive management nor former officers, etc.) at least one member of the audit committee must be a financial expert. The audit committee serves as an independent check and balance for the internal audit function and liaison with external auditors Generally Accepted Auditing Standards.docx A Systematic Process Management Assertions and Audit Objectives 5 assertions Obtaining Evidence Ascertaining Materiality Communicating Results Audit risk is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated Acceptable audit risk (AR) is estimated based on the ex ante value of the components of the audit risk model Inherent risk is associated with the unique characteristics of the business or industry of the client Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts. Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor Audit Risk Model AR = IR CR DR The Relationship Between Tests of Controls and Substantive Tests The stronger the internal control structure, as determined through tests of controls, the lower the control risk and the less substantive testing the auditor must do An IT audit focuses on the computer-based aspects of an organizations information system; and modern systems employ significant levels of technology The Structure of an IT Audit Audit planning Test of controls Substantive test (fig 1.1) Review Organizations Policies, Practices, and Structure Review General Controls and Application Controls Plan Tests of Controls and Substantive Testing Procedures Perform Tests of Controls Evaluate Test Results Determine Degree of Reliance on Controls Perform Substantive Tests Evaluate Results and Issue Auditor's Report SEC Acts of 1933 and 1934 Copyright Law1976 Foreign Corrupt Practices Act (FCPA) of 1977 Committee of Sponsoring Organizations 1992 Sarbanes-Oxley Act of 2002 An organizations internal control system comprises policies, practices, and procedures to achieve four broad objectives: 1. To safeguard assets of the firm. 2. To ensure the accuracy and reliability of accounting records and information. 3. To promote efficiency in the firms operations. 4. To measure compliance with managements prescribed policies and procedures. Management Responsibility establishment and maintenance of a system of internal control Methods of Data Processing Limitations (1) the possibility of errorno system is perfect, (2) circumventionpersonnel may circumvent the system through collusion or other means, (3) management override management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so, and (4) changing conditionsconditions may change over time so that existing effective controls may become ineffectual Reasonable Assurance (see fig 1.2) the cost of achieving improved control should not outweigh its benefits. Preventive Controls passive techniques designed to reduce the frequency of occurrence of undesirable events Detective Controls devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls Corrective Controls actually fix the problem The Control Environment Risk Assessment Information and communication Monitoring Control Activities the foundation for the other four control components Elements : The integrity and ethical values of management. The structure of the organization The participation of the organizations board of directors and the audit committee, if one exists. Managements philosophy and operating style. The procedures for delegating responsibility and authority. Managements methods for assessing performance. External influences, such as examinations by regulatory agencies. The organizations policies and practices for managing its human resources. to identify, analyze, and manage risks relevant to financial reporting. Risks can arise or change from circumstances such as: Changes in the operating environment that impose new or changed competitive pressures on the firm. New personnel who have a different or inadequate understanding of internal control. New or reengineered information systems that affect transaction processing. Significant and rapid growth that strains existing internal controls. The implementation of new technology into the production process or information system that impacts transaction processing. The introduction of new product lines or activities with which the organization has little experience. Organizational restructuring resulting in the reduction and/or reallocation of personnel such that business operations and transaction processing are affected. Entering into foreign markets that may impact operations (that is, the risks associated with foreign currency transactions). Adoption of a new accounting principle that impacts the preparation of financial statements An effective accounting information system will: Identify and record all valid financial transactions. Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting. Accurately measure the financial value of transactions so their effects can be recorded in financial statements. Accurately record transactions in the time period in which they occurred the process by which the quality of internal control design and operation can be assessed Ongoing monitoring may be achieved by integrating special computer modules into the information system that capture key data and/or permit tests of controls to be conducted as part of routine operations the policies and procedures used to ensure that appropriate actions are taken to deal with the organizations identified risks Control is divided by two : physical and IT controls (see fig 1.4) relates primarily to the human activities employed in accounting systems. These activities may be purely manual, such as the physical custody of assets, or they may involve the physical use of computers to record transactions or update accounts Transaction authorization Segregation of duties Supervision Accounting records Access control Independent verification application controls are to ensure the validity, completeness, and accuracy of financial transactions General controls include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program change procedures. Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise. Using a risk-based approach, assess both the design and operating effectiveness of selected internal controls related to material accounts. Assess the potential for fraud in the system and evaluate the controls designed to prevent or detect fraud. Evaluate and conclude on the adequacy of controls over the financial statement reporting process Evaluate entity-wide (general) controls that correspond to the components of the COSO framework.