CIS - Chapter 1 Notes - INFORMATION TECHNOLOGY AUDITING and ASSURANCE THIRD EDITION
by JAMES A. HALL
BS accountancy (University of Cebu)

CHAPTER 1: AUDITING AND INTERNAL CONTROL

OVERVIEW OF AUDITING

External (Financial) Audits

External audit – an independent attestation performed by an expert – the auditor

Auditor – who expresses an opinion regarding the presentation of financial statements.

*This task is known as the attest service, performed by CPA

The audit objective is always associated with assuring the fair presentation of financial statements. *referred to as financial audits

SOX – Sarbanes-Oxley Act of 2002

Attest Service versus Advisory Services

Attest Service – an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. (SSAE No. 1, AT Sec. 100.01)

Requirements to attestation services:

• Written assertions and practitioner’s written report
• Formal establishment of measurement criteria or their description in the presentation
• Levels of service are limited to examination, review, and application of agreed-upon procedures.

Advisory Service – professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness.

- Intentionally unbounded to not inhibit the growth of future services that are currently unforeseen.
- Advisory services units of public accounting firms are responsible for providing IT control-related client support, known as IT risk management

Internal audits

- An independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization (Institute of Internal Auditors (IIA))
- Performs financial audit, examining operations’ compliance to organization policy, reviewing compliance to legal obligations, evaluating operational efficiency and detecting and pursuing fraud within firm

External vs Internal Auditors

External represents outsiders
Internal represents the interest of organization

Fraud Audits

The objective of fraud audit is to investigate anomalies and gather evidence of fraud that may lead to criminal conviction.

THE ROLE OF AUDIT COMMITTEE

Audit committee – subcommittee formed by the board of directors which has special responsibilities regarding audits.

- Consists of 3 people who are outsiders; at least one member must be a financial expert.
- Serves as an independent check and balance for the internal audit function and liaison with external auditors.
- SOX mandates that external auditors report to the audit committee, who hire and fire auditors and resolve disputes.
- Audit committee must be willing to challenge the internal auditors and management, when necessary.
- Part of its role is to look for ways to identify risk.
- Corporate fraud has something to do with audit committee failures, such as lack of independence, inactivity, total absence, and inexperience

FINANCIAL AUDIT COMPONENTS

Product of attestation function is a formal written report that expresses an opinion about the reliability of the assertions

1) Auditing standards
   1. General standards
      a. Must have adequate Technical training and proficiency
      b. Must have Independence of mental attitude
      c. Must exercise due Professional care in the performance of audit and preparation of report
   2. Standards of Fieldwork
      a. Audit work must be adequately Planned
      b. Must gain sufficient understanding of the Internal control structure
      c. Must obtain sufficient, competent Evidence
   3. Reporting standards
      a. Must state if FS was prepared according to GAAP
      b. Must identify circumstance of Inconsistency
      c. Must identify items that do not have informative Disclosure
      d. Report shall contain an expression of auditor’s Opinion
2) A Systematic Process
   - Conducting an audit is a systematic and logical process
   - Systematic approach is particularly important to IT environment. Logical framework for conducting an IT audit is critical to help auditor identify all-important processes and data files
3) Management Assertions and Audit Objectives
   - Five general categories of assertions
      a. Existence and Occurrence – all assets and equities in FP exist and all transactions in IS occurred
      b. Completeness – no material asset, equity, or transaction has been omitted
      c. Rights and obligations – assets on FS are owned by the entities and liabilities reported are obligations
      d. Valuation or allocation – assets & equity are valued in accordance with GAAP and allocated amounts are calculated on systematic and rational basis
      e. Presentation and disclosure – all items are correctly classified and disclosures are adequate


4) Obtaining evidence
   - Auditors seek evidential matter that corroborates management assertions.
   - In IT environment, this process involves gathering evidence relating to the reliability of computer controls and contents of databases.
   - Evidence is collected by performing TOC and substantive tests
   - Test of controls – establish if internal control is functioning properly
   - Substantive test – determine if accounting databases fairly reflect the transactions and account balances
5) Ascertaining Materiality
   - Auditor must determine if weaknesses in internal control and misstatements found are material.
   - Assessing materiality is based on auditor judgement.
6) Communicating Results
   - Auditors must communicate the results to interested users
   - Renders report to the audit committee

AUDIT RISK

Audit risk – the probability that the auditor will render an unqualified opinion on FS that are, in fact, materially misstated, caused by errors or irregularities or both

Errors – unintentional mistakes

Irregularities – intentional misrepresentations associated with the commission of fraud

Auditor’s objective is to achieve a level of audit risk that is acceptable to the auditor

Audit risk components

1. Inherent risk – associated with the unique characteristic of the business or industry of the client.
   - Auditors cannot reduce the level of inherent risk
2. Control risk – is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
   - Auditors assess the level of control risk by performing test of control
3. Detection risk – risk that the auditors are willing to take that errors not detected or prevented.
   - Auditors set an acceptable level of detection risk that influences the level of substantive test.

Audit Risk Model

AR = IR x CR x DR
DR = AR / (IR x CR)

The Relationship Between Test of Controls and Substantive Test

- More reliable internal controls, lower CR probability, lower DR, fewer substantive tests

THE IT AUDIT

The structure of an IT Audit

Audit planning – must gain a thorough understanding about the firm to plan other phases of audit

- Major part of this phase is analysis of audit risk
- Risk analysis incorporates an overview of the org’s internal controls.
- Techniques for gathering evidence at this phase:
   - Questionnaires
   - Interview management
   - Review systems documentation
   - Observing activities

Test of Controls – its objective is to determine whether adequate internal controls are in place and functioning properly.

- Evidence-gathering technique includes both manual and specialized computer audit
- At the end, auditor assesses the quality of internal control by assigning level for control risk.

Substantive Testing – audit process that focuses on financial data.

- Detailed investigation of specific account balances and transactions
- Includes counting cash, counting inventories, verifying existence
- Computer-assisted audit tools and techniques (CAATTs) are used to extract IT info


INTERNAL CONTROL

Brief History of internal control

Securities Acts of 1933
- Objectives:
   1. Require investors to receive financial and other significant information concerning securities being offered for public sale
   2. Prohibit deceit, misinterpretations, and other fraud in the sale of securities

Securities Acts of 1934
- Created the Securities and Exchange Commission

Copyright Law – 1976
- Added software and other intellectual properties into the existing copyright protection laws

Foreign Corrupt Practices Act (FCPA) of 1977
- Requires companies registered with the SEC to:
   1. Keep records that fairly and reasonably reflect the transaction of the firm and its financial position
   2. Maintain system of internal control that provides assurance that the org’s objectives are met

Committee of Sponsoring Organizations – 1992
- Focus on an effective model for internal controls from management perspective – COSO Model
- AICPA adopted the model into auditing standards

Sarbanes-Oxley Act of 2002
- July 30, 2002
- Supports efforts to increase public confidence in capital markets by seeking to improve corporate governance, internal controls, and audit quality
- Requires management of public companies to implement an adequate system of internal controls over their financial reporting process.
- Section 302 requires the corporate management to certify their internal controls on quarterly and annual basis
- Section 404 requires management of public companies to assess effectiveness of their internal control

Objectives, Principles and Models

Objectives:
1. To safeguard assets of the firm
2. To ensure the accuracy and reliability of accounting records and information
3. To promote efficiency in the firm’s operations
4. To measure compliance with management’s prescribed policies and procedures

Modifying principles
1. Management responsibility – the establishment and maintenance of a system of internal control is a management responsibility
2. Methods of Data Processing – internal control system should achieve the four broad objectives of the data processing method.
3. Limitations – includes:
   a. Possibility of error
   b. Circumvention
   c. Management override
   d. Changing conditions
4. Reasonable assurance – should provide reasonable assurance that the four broad objectives are met.

PDC Model - 3 levels of control:
1. Preventive Controls – passive techniques designed to reduce the frequency of occurrence of undesirable events
2. Detective Controls – devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls
3. Corrective Controls – corrective action executed to fix the problem

COSO Internal Control Framework

Components:

1. Control environment – foundation for other control components
   - Sets tone for the organization and influences control awareness of its management and employees.
   - Elements:
      ▪ Integrity and ethical values
      ▪ Structure of org
      ▪ Participation of BOD and Audit committee
      ▪ Management’s philosophy and operating style
      ▪ Procedure for delegating responsibility and authority
      ▪ Management’s method for assessing performance
      ▪ External influences
      ▪ Org’s policies and practices for managing human resources
2. Risk assessment – should be performed to identify, analyze and manage risk relevant to financial reporting
3. Information and communication
   - Accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization’s transactions and to account for the related assets and liabilities
4. Monitoring – is the process by which the quality of internal control design and operation can be assessed.
5. Control activities – are the policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks.


Categories of control activities

1. Physical controls – related primarily to the human activities employed in accounting systems which involve manual or physical use of computers
   Categories:
   a. Transaction Authorization – ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives
   b. Segregation of Duties – to minimize incompatible functions. Objectives:
   c. Supervision – compensating control
   d. Accounting record – consist of source documents, journals and ledgers that capture the economic essence of transactions and provide audit trail of economic events.
   e. Access control – to ensure that only authorized personnel have the access to the firm’s assets
   f. Independent verification – are independent checks of the accounting system to identify errors and misrepresentations.

2. Information technology controls
   a. Application controls – ensure the validity, completeness, and accuracy of financial transactions. Controls are designed to be application-specific
   b. General controls (general computer controls/information technology controls) – include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program change procedures

Audit implication of SOX

- Mandates auditor to attest the quality of their client organizations’ internal control.
- This constitutes the issuance of a separate audit opinion on the internal controls and opinion on the fairness of the financial statement
- PCAOB Standard No. 5 specifically requires auditors to understand transaction flows.
- Auditors have the responsibility to detect fraudulent activity and emphasizes the importance of controls
- Management is implementing controls but auditors are expressly required to test them.
