Chapter 1: Auditing, Assurance, and Internal Control - PowerPoint PPT Presentation

1 / 31

About This Presentation

Title:

Chapter 1: Auditing, Assurance, and Internal Control

Description:

Risk Assessment. Risk assessment ... that are fairly presented in conformity with generally accepted accounting ... Tests of Controls Under the auditing ... – PowerPoint PPT presentation

Number of Views:933

Avg rating:3.0/5.0

Slides: 32

Provided by: Dr232032

Category:

more less

Transcript and Presenter's Notes

Title: Chapter 1: Auditing, Assurance, and Internal Control

1
Chapter 1Auditing, Assurance, and Internal
Control
2
IT AUDITS

IT audits provide audit services where processes
or data, or both, are embedded in technologies.
Subject to ethics, guidelines, and standards of
the profession (if certified)
CISA
Most closely associated with ISACA
Joint with internal, external, and fraud audits
Scope of IT audit coverage is increasing
Characterized by CAATTs
IT governance as part of corporate governance

3
FRAUD AUDITS

Fraud audits provide investigation services
where anomalies are suspected, to develop
evidence to support or deny fraudulent
activities.
Auditor is more like a detective
No materiality
Goal is conviction, if sufficient evidence of
fraud exists
CFE
ACFE

4
EXTERNAL AUDITS

External auditing Objective is that in all
material respects, financial statements are a
fair representation of organizations
transactions and account balances.
SECs role
Sarbanes-Oxley Act
FASB - PCAOB
CPA
AICPA

5
ATTEST vs. ASSURANCE

ASSURANCE
Professional services that are designed to
improve the quality of information, both
financial and non-financial, used by
decision-makers
IT Audit Groups in Big Four (e.g. Final Four)
IT Risk Management
I.S. Risk Management
Operational Systems Risk Management
Technology Security Risk Services
Typically a division of assurance services

ATTEST definition
Written assertions
Practitioners written report
Formal establishment of measurement criteria or
their description
Limited to
Examination
Review
Application of agreed-upon procedures

7
THE IT ENVIRONMENT

There has always been a need for an effective
internal control system.
The design and oversight of that system has
typically been the responsibility of accountants.
The I.T. Environment complicates the paper
systems of the past.
Concentration of data
Expanded access and linkages
Increase in malicious activities in systems vs.
paper
Opportunity that can cause management fraud
(i.e., override)

8
The IT Audit

An IT audit is the process of collecting and
evaluating evidence of an organization's
information systems, practices, and operations.
The evaluation of obtained evidence determines if
the information systems are safeguarding assets,
maintaining data integrity, and operating
effectively and efficiently to achieve the
organization's goals or objectives.

9
The IT Audit

These reviews may be performed in conjunction
with a financial statement audit, an internal
audit, or other form of attestation engagement.
External auditors can accept the result of an
internal audit only if the function reports to
the audit committee.
External auditors may use and rely upon a 3rd
party IT audit firm.

10
IT Audit Process 8 Steps

Plan the audit
Hold kickoff meeting
Gather data/test IT controls
Remediate identified deficiencies (organization)
Test remediated controls
Analyze and report findings
Respond to findings (organization)
Issue final report (auditor)

11
INTERNAL CONTROL

is policies, practices, procedures designed
to
safeguard assets
ensure accuracy and reliability
promote efficiency
measure compliance with policies

12
SAS 78

5 internal control components
Authorizations
Segregation of functions
Accounting records
Access controls
Independent verification

13
BRIEF HISTORY - FCPA

Foreign Corrupt Practices Act 1977
Accounting provisions
FCPA requires SEC registrants to establish and
maintain books, records, and accounts.
It also requires establishment of internal
accounting controls sufficient to meet
objectives.
Transactions are executed in accordance with
managements general or specific authorization.
Transactions are recorded as necessary to prepare
financial statements (i.e., GAAP), and to
maintain accountability.
Access to assets is permitted only in accordance
with management authorization.
The recorded assets are compared with existing
assets at reasonable intervals.
Illegal foreign payments

14
BRIEF HISTORY - COSO

Committee on Sponsoring Organizations - 1992
AICPA, AAA, FEI, IMA, IIA
Developed a management perspective model for
internal controls over a number of years
Is widely adopted

15
BRIEF HISTORY SOX

Sarbanes-Oxley Act - 2002
Section 404 Management Assessment of Internal
Control
Management is responsible for establishing and
maintaining internal control structure and
procedures.
Must certify by report on the effectiveness of
internal control each year, with other annual
reports.
Section 302 Corporate Responsibility for
Incident Reports
Financial executives must disclose deficiencies
in internal control, and fraud (whether fraud is
material or not).

16
EXPOSURES AND RISK

Exposure (definition)
Risks (definition)
Types of risk
Destruction of assets
Theft of assets
Corruption of information or the I.S.
Disruption of the I.S.

17
THE P-D-C MODEL

Preventive controls
Detective controls
Corrective controls
Which is most cost effective?
Which one tends to be proactive measures?
Can you give an example of each?
Predictive controls

18
COSO (Treadway Commission)

The five components of internal control are
The control environment
Risk assessment
Information communication
Monitoring
Control activities

19
What is COBIT

COBIT supports IT governance by providing a
framework to ensure

Strategic Alignment IT is aligned with the
business
Value Delivery IT delivers the promised
benefits against the strategy
Resource Management Optimal investment and
management ofIT resources
Risk Management IT risks aremanaged
appropriately
Performance Measurements Track and monitor all
areas of IT

20
Why COBIT?

Managers, Auditors, and users benefit from the
development of COBIT because it helps them
understand their IT systems and decide the level
of security and control that is necessary to
protect their companies assets through the
development of an IT governance model.

21
Benefits of implementing COBIT

A better alignment of business and IT strategies
A view, understandable to management, of what IT
does
Clear ownership and responsibilities of processes
General acceptability with regulators and 3rd
parties
Shared understanding among all stakeholders,
based on a common language
Fulfillment of the COSO requirements for the IT
control environment

22
COBIT Defined IT Activities

In a general process model, IT activities fall
into four domains
Plan Organize IT Activities to support the
business
Acquire Implement IT resources and strategies
Deliver Support those resources and strategies
Monitor Evaluate IT resources and strategies

23
4 Domains ? 34 Processes

Plan Organize
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and
Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Deliver Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Acquire Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology
Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Monitor Evaluate
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

24
Plan and Organize (PO)

Are IT and the business strategy aligned?
Is the enterprise achieving optimum use of its
resources?
Does everyone in the organization understand the
IT objectives?
Are IT risks understood and being managed?
Is the quality of IT systems appropriate for
business needs?

25
Acquire and Implement (AI)

Are new projects likely to deliver solutions that
meet business needs?
Are new projects likely to be delivered on time
and within budget?
Will the new systems work properly when
implemented?
Will changes be made without upsetting current
business operations?

26
Deliver and Support (DS)

Are IT services being delivered in line with
business priorities?
Are IT costs optimized?
Is the workforce able to use the IT systems
productively and safely?
Are adequate confidentiality, integrity and
availability in place?

27
Monitor and Evaluate (ME)

Is ITs performance measured to detect problems
before it is too late?
Does management ensure that internal controls are
effective and efficient?
Can IT performance be linked back to business
goals?
Are risk, control, compliance and performance
measured and reported?

28
SAS 94The Effect of Information Technology on
the Auditors Consideration of Internal Control
in a Financial Statement Audit

Provides auditors with guidance on ITs effect on
internal control and on the auditors
understanding of internal control and the
assessment of control risk.
Requires the auditor to consider how an
organizations IT use affects his or her audit
strategy.
Where a significant amount of information is
electronic, the auditor may decide it is not
practical or possible to limit detection risk to
an acceptable level by performing only
substantive tests for one or more financial
statement assertions. In such cases, the auditor
should gather evidence about the effectiveness of
both the design and operation of controls
intended to reduce the assessed level of control
risk.