1 / 68

Auditing, Assurance, Internal Control

Auditing, Assurance, Internal Control. Contents . Attestation & assurance Services Financial audit Auditing standards External vs. internal auditing Information technology audit Internal control SAS 78. Attest Services.

kali
Download Presentation

Auditing, Assurance, Internal Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Auditing, Assurance, Internal Control

  2. Contents • Attestation & assurance Services • Financial audit • Auditing standards • External vs. internal auditing • Information technology audit • Internal control • SAS 78

  3. Attest Services • An engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. Attest: To affirm to be correct, true, or genuine

  4. Requirements applied to attestation services • Attestation services require written assertions and a practitioner’s written report. • Attestation services require the formal establishment of measurement criteria or their description in the presentation. • The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.

  5. Assurance Services • Broader than attestation (Fig. 1-1) • Professional services designed to improve the quality of information, both financial and non-financial, used by decision-makers. • Intended to help people make better decisions by improving information. Assurance: A statement or indication that inspires confidence; a guarantee or pledge

  6. Assurance Services • Evolution of accounting profession is expected to follow the assurance services model. • All “Big Five” professional services firms have renamed their traditional audit functions “Assurance Services.” • Organizational unit responsible for conducting IT audits is named either IT Risk Management, Information Systems Risk Management, or Operational Systems Risk Management (OSRM)

  7. Financial Audit • An independent attestation performed by an expert, the auditor, who expresses an opinion regarding the presentation of financial statements. • Auditor’s role is similar in concept to a judge who collects and evaluates evidence and renders an opinion.

  8. Financial Audit • Key concept in this process is independence; Judge must remain independent in his or her deliberation. • Judge cannot be advocate of either party in the trial, but must apply law impartially based on evidence presented. • Likewise, independent auditor collects and evaluates evidence and renders an opinion based on evidence.

  9. Financial Audit • Throughout audit process, auditor must maintain his or her independence from client organization. • Public confidence in the reliability of the company’s internally produced financial statements rests directly on their being evaluated by an independent expert audit.

  10. Financial Audit • Systematic audit process involves three conceptual phases: • Familiarization w/ organization’s business • Evaluating and testing internal control • Assessing the reliability of financial data

  11. Auditor’s Report • Product of attestation function is a formal written report that expresses an opinion about the reliability of the assertions contained in financial statements • Auditor’s report expresses an opinion as to whether the financial statements are in conformity w/ generally accepted accounting principles

  12. Auditing Standards • Auditors are guided in their professional responsibility by the ten generally accepted auditing standards (GAAS) Fig. 1-2 • GAAS establishes a framework for prescribing auditor performance, but it is not sufficiently detailed to provide meaningful guidance in specific circumstances

  13. Auditing Standards • To provide specific guidance, American Institute of Certified Public Accountants (AICPA) issues Statements on Auditing Standards (SASs) as authoritative interpretations of GAAS. • SASs are often referred to as auditing standards, or GAAS, although they are not the ten generally accepted auditing standards.

  14. SAS • First issued by AICPA in 1972 • Since then, many SASs have been issued to provide auditors w/ guidance on a spectrum of topics, including methods of investigating new clients, techniques for obtaining background information on client’s industry.

  15. External vs. Internal Auditing • External auditing is often called independent auditing because it is done by certified public accountants who are independent of the organization being audited. • External auditors represent the interests of third-party stakeholders in the organization, such as stockholders, creditors, and government agencies. • Because the focus of external audit is on financial statements, this type of audit is called financial audit

  16. External vs. Internal Auditing • Institute of Internal Auditors defines internal auditing as an independent appraisal function established within an organization to examine and evaluate its activities

  17. External vs. Internal Auditing • Internal auditors perform a wide range of activities on behalf of the organization, including conducting financial audits, examining an operation’s compliance with organizational policies, reviewing the organization’s compliance with legal obligations, evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting IT audits.

  18. External vs. Internal Auditing • While external auditors represent outsiders, internal auditors represent the interests of the organization. • Internal auditors often cooperate with and assist external auditors in performing financial audits. • This is done to achieve audit efficiency and reduce audit fees. For example, a team of internal auditors can perform tests of computer controls under the supervision of a single external auditor.

  19. External vs. Internal Auditing • While external auditors represent outsiders, internal auditors represent the interests of the organization. • Internal auditors often cooperate with and assist external auditors in performing financial audits. • This is done to achieve audit efficiency and reduce audit fees. For example, a team of internal auditors can perform tests of computer controls under the supervision of a single external auditor.

  20. Information Technology (IT) Audit • Focus on the computer-based aspects of an organization’s information system • This includes assessing the proper implementation, operation, and control of computer resources

  21. Definition of Auditing • Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users

  22. Elements of auditing • A systematic process • Management assertions and audit objectives • Obtaining evidence • Ascertaining the degree of correspondence between established criteria • Communicating results See Pages 5~7

  23. 5 Categories of Management Assertions (page 6) • Existence or occurrence assertion • Completeness assertion • Rights and obligations assertion • Valuation or allocation assertion • Presentation and disclosure assertion Auditors develop their audit objectives and design audit procedures based on preceding assertions. See Table 1-1

  24. Structure of IT Audit • IT audit is divided into three phases: audit planning, tests of controls, and substantive testing (See Figure 1-3)

  25. Internal Control • The establishment and maintenance of a system of internal control is an important management obligation. • A fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled. • Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis. (Sarbanes-Oxley act) • An adequate system of internal control is necessary to management’s discharge of these obligations. - Securities and Exchange Commission

  26. Internal Control in Concept • Internal control system comprises policies, practices, and procedures employed by the organization to achieve four broad objectives: • To safeguard assets of the firm. • To ensure the accuracy and reliability of accounting records and information. • To promote efficiency in the firm’s operations. • To measure compliance with management’s prescribed policies and procedures

  27. Exposure and Risk • Internal control shield (Figure 1-4) to protect firms from numerous undesirable events • Attempts at unauthorized access to firm’s assets (including information) • Fraud perpetrated by persons both in and outside the firm • Errors due to employee incompetence, faulty computer programs, corrupted input data

  28. Exposure and Risk • Internal control shield (Figure 1-4) to protect firms from numerous undesirable events • Mischievous acts, such as unauthorized access by computer hackers and threats from computer viruses that destroy programs and databases

  29. Exposure and Risk • Absence or weakness of a control is called exposure • Exposures increase firm’s risk to financial loss or injury from undesirable events.

  30. Exposure and Risk • A weakness in internal control may expose the firm to one or more of the following types of risks: • Destruction of assets (both physical assets and information) • Theft of assets • Corruption of information or the information system (containing errors or alterations) • Disruption of information system (to break or burst; rupture )

  31. 3 Levels of Control • Preventive controls, detection controls, and corrective controls (Fig. 1-5)

  32. Preventive Controls • First line of defense in the control structure • Passive techniques designed to reduce the frequency of occurrence of undesirable events • Preventing errors and fraud is far more cost-effective than detecting and correcting problems after they occur • In information security: firewall

  33. Preventive Controls • For example, a well-designed data entry screen is an example of a preventive control • Not all problems can be anticipated and prevented.

  34. Detective Controls • Second line of defense • Devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls • In information security: Intrusion detection

  35. Corrective Controls • Corrective actions taken to reverse the effects of detected errors • Detective controls identify undesirable events and draw attention to the problem; corrective controls fix the problem.

  36. Statement on Auditing Standards No. 78 (SAS 78) • Current authoritative document for specifying internal control objectives and techniques. • Conforms to the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) • Consists of five components: control environment, risk assessment, information and communication, monitoring, and control activities

  37. Control Environment • Foundation for the other control components • Important elements: • Integrity and ethical values of management • Structure of organization • Participation of organization’s board of directors and audit committee • Management’s philosophy and operating style • … see page 13

  38. Control Environment • SAS 78 requires that auditors obtain sufficient knowledge to assess the attitude and awareness of organization’s management, board of directors, and owners regarding internal control. • See page 13 for examples of techniques that may be used to obtain an understanding of control environment

  39. Risk Assessment • Identify, analyze, and manage risks relevant to financial reporting • See page 14 for risks that can rise out of changes in circumstances • SAS 78 requires that auditors obtain sufficient knowledge of organization’s risk assessment procedures to understand how management identifies, prioritizes, and manages risks related to financial reporting.

  40. Information and Communication • Accounting information system consists of records and methods used to initiate, identify, analyze, classify, and record organization’s transactions and to account for related assets and liabilities. • Quality of information generated by AIS impacts management’s ability to take actions and make decisions in connection with organization’s operations and to prepare reliable financial statements.

  41. Effective AIS • Identify and record all valid financial transactions • Provide timely information about transactions in sufficient detail to permit proper classification and financial reporting • Accurately measure financial value of transactions so their effects can be recorded in financial statements • Accurately record transactions in time period in which they occur

  42. Effective AIS • SAS 78 requires that auditors obtain sufficient knowledge of organization’s information systems to understand • Classes of transactions that are material to financial statements and how those transactions are initiated • Accounting records and accounts that are used in processing of material transactions

  43. Effective AIS • SAS 78 requires that auditors obtain sufficient knowledge of organization’s information systems to understand • Transaction processing steps involved from initiation of economic event to its inclusion in financial statements • Financial reporting process used to prepare financial statements, disclosures, and accounting estimates

  44. Monitoring • Process by which quality of internal control design and operation can be assessed • May be accomplished by separate procedures or by ongoing activities • Internal auditors may monitor entity’s activities in separate procedures. They gather evidence of control adequacy by testing controls, then communicate control strengths and weaknesses to management

  45. Monitoring • Ongoing monitoring may be achieved by integrating special computer modules into information system that capture key data and/or permit tests of control to be conducted as part of routine operations • Such embedded audit modules (EAMs) allow management and auditors to maintain constant surveillance over functioning of internal controls

  46. Control Activities • Policies and procedures used to ensure appropriate actions are taken to deal w/ organization’s identified risks

  47. Control Activities • Can be grouped into two categories: • Computer controls • General control • Application control • Physical controls • transaction authorization • segregation of duties • supervision • accounting records • access control • independent verification

  48. Computer Controls/General Controls • Fall into two broad groups: general controls and application controls • General controls pertain to entity-wide concerns such as controls over data center, organization databases, systems development, and program maintenance

  49. Application Controls • Application controls ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications

  50. Control Activities • Can be grouped into two categories: • Computer controls • General control • Application control • Physical controls • transaction authorization • segregation of duties • supervision • accounting records • access control • independent verification

More Related