Chapter 1 - Auditing and Internal Control


Development in Information Technology created an impact towards auditing. It promoted more efficient operations and improved communications with the entity and its customers and suppliers.

With these advancements, new techniques arose for evaluating controls and for assuring the security and accuracy of corporate data and the information systems that produce it.

Overview of Auditing

External (Financial) Audits
- Independent attestation performed by an expert called the auditor (a CPA who works at a public accounting firm independent of the client organization) who expresses an opinion regarding the presentation of financial statements.
- Also known as Attest Service.
- Audit objective: assure the fair presentation of financial statements.
- The SEC requires all publicly traded companies to be subject to a financial audit.
- CPAs conducting such audits represent the interest of outsiders (stockholders, creditors, government agencies, and the general public).
- Key concept: independence (the auditor must maintain independence from the client organization).
- Auditors must follow strict rules in conducting financial audits (defined by the SEC, the Financial Accounting Standards Board (FASB), the American Institute of CPAs (AICPA), and by federal law (SOX Act of 2002)).
- The SEC has final authority for financial auditing.

Attest Service vs. Advisory Services

Attest Service – an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.

Requirements of attestation services:
- Written assertions and a practitioner’s written report.
- Formal establishment of measurement criteria or their description in the presentation.
- The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.

Advisory services – services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness. (Examples: actuarial advice, business advice, fraud investigation services, information system design and implementation, and internal control assessments in compliance with SOX.)

Accounting firms could provide advisory services concurrently to audit (attest) clients.

Non-audit services that auditors cannot render to audit clients:
- Bookkeeping or other services related to the accounting records or financial statements of the audit client.
- Financial information systems design and implementation.
- Appraisal or valuation services, fairness opinions, or contribution-in-kind reports.
- Actuarial services.
- Internal audit outsourcing services.
- Management functions or human resources.
- Broker or dealer, investment adviser, or investment banking services.
- Legal services and expert services related to the audit.
- Any other service that the board determines, by regulation, is impermissible.

IT Risk Management – provides non-audit clients with IT advisory services and also works with the firm’s financial audit staff to perform IT-related tests of controls as part of the attestation function.

*The purpose of the task, rather than the task itself, defines the service being rendered.

Internal Audits

An independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization (Institute of Internal Auditors).

Internal audit includes:
- Conducting financial audits
- Examining an operation’s compliance with organizational policies
- Reviewing the organization’s compliance with legal obligations
- Evaluating operational efficiency
- Detecting and pursuing fraud within the firm

This task may be outsourced to other organizations.

Internal auditors are often certified as a Certified Internal Auditor (CIA) or Certified Information Systems Auditor (CISA).

Internal auditors self-impose independence to perform their duties effectively; they represent the interest of the organization. They answer to executive management or the audit committee of the board of directors (if one exists).

Standards, guidance, and certification of internal audits are governed mostly by the IIA, and to a lesser degree by the Information Systems Audit and Control Association (ISACA).

External versus Internal Auditors

External auditors – represent outsiders.
Internal auditors – represent the interest of the organization.

Internal auditors often cooperate with and assist external auditors in performing aspects of financial audits. This cooperation is done to achieve audit efficiency and reduce audit fees.

The independence and competence of the internal audit staff determine the extent to which external auditors may cooperate with and rely on work performed by internal auditors.

Internal audit independence implies no subordination of judgment to another and arises from an independent mental attitude that views events on a factual basis without influence from an organizational structure that subordinates the internal audit function.

Fraud Audits

Objective: investigate anomalies and gather evidence of fraud that may lead to criminal conviction.

Fraud auditors have earned the Certified Fraud Examiner (CFE) certification, which is governed by the Association of Certified Fraud Examiners (ACFE).

The Role of the Audit Committee

Usually consists of three people who should be outsiders (not associated with families of executive members, nor former officers, etc.).

One member must be a financial expert (Sarbanes–Oxley Act of 2002).

Serves as an independent “check and balance” for the internal audit function and liaison with external auditors.

SOX mandates that external auditors now report to the audit committee, who hire and fire auditors and resolve disputes.

They must challenge the internal auditors (or the entity performing that function) as well as management, when necessary.

Part of its role is to look for ways to identify risk. It becomes an independent guardian of the entity’s assets by whatever means is appropriate.

Financial Audit Components

Product of the attestation function: a formal written report that expresses an opinion about the reliability of the assertions contained in the financial statements (whether the financial statements are in conformity with GAAP).

Users must be able to place their trust in the auditor’s competence, professionalism, integrity, and independence.

Auditors are guided by the 10 generally accepted auditing standards.

Auditing Standards

Generally Accepted Auditing Standards (GAAS) – prescribe auditor performance, but are not sufficiently detailed to provide meaningful guidance in specific circumstances.

Statements on Auditing Standards (SAS) – these are authoritative interpretations of GAAS. They provide auditors with guidance on a spectrum of topics, including methods of investigating new clients, procedures for collecting information from attorneys regarding contingent liability claims against clients, and techniques for obtaining background information on the client’s industry.

Generally Accepted Auditing Standards

General Standards (the auditor must):
1. Have adequate technical training and proficiency.
2. Have independence of mental attitude.
3. Exercise due professional care in the performance of the audit and the preparation of the report.

Standards of Field Work:
1. Audit work must be adequately planned.
2. The auditor must gain a sufficient understanding of the internal control structure.
3. The auditor must obtain sufficient, competent evidence.

Reporting Standards:
1. The auditor must state in the report whether the FS were prepared in accordance with GAAP.
2. The report must identify those circumstances in which GAAP were not applied.
3. The report must identify any items that do not have adequate informative disclosures.
4. The report shall contain an expression of the auditor’s opinion on the financial statements as a whole.

Systematic Process

Conducting an audit is a systematic and logical process that applies to all forms of information systems. The IT environment necessarily uses a systematic approach. Therefore, a logical framework for conducting an audit in the IT environment is critical to help the auditor identify all important processes and data files.

Management Assertions and Audit Objectives

An organization’s financial statements reflect a set of management assertions about the financial health of the entity.

The task of the auditor: determine if the FS are fairly presented.

Ways to achieve the task: establish audit objectives, design procedures, and gather evidence that corroborates or refutes management assertions.

These assertions fall into five general categories:
- Existence and occurrence assertion – all assets and equities contained in the balance sheet exist, and all transactions in the income statement actually occurred.
- Completeness assertion – no material assets, equities, or transactions have been omitted from the FS.
- Rights and obligations assertion – assets appearing in the balance sheet are owned by the entity and the liabilities reported are obligations.
- Valuation or allocation assertion – assets and equities are valued in accordance with GAAP, and allocated amounts such as depreciation expense are calculated on a systematic and rational basis.
- Presentation and disclosure assertion – FS items are correctly classified, and footnote disclosures are adequate to avoid misleading the users of the FS.

*Auditors develop their audit objectives and design audit procedures based on the preceding assertions.

These are transactions and account balances that directly impact financial reporting:

Management assertion | Audit objective | Audit procedure
Existence or occurrence | Inventories listed on the balance sheet exist. | Observe the counting of physical inventory.
Completeness | Accounts payable include all obligations to vendors for the period. | Compare receiving reports, supplier invoices, purchase orders, and journal entries for the period and the beginning of the next period.
Valuation or allocation | Accounts receivable are stated at net realizable value. | Review the entity’s aging of accounts, and evaluate the adequacy of the allowance for uncollectible accounts.
Presentation and disclosure | Contingencies not reported in financial accounts are properly disclosed in footnotes. | Obtain information from entity lawyers about the status of litigation and estimates of potential loss.

Obtaining Evidence

Auditors seek evidential matter to support the management assertions. In the IT environment, this process involves gathering evidence relating to the reliability of computer controls as well as the contents of databases.

Ascertaining Materiality
- Based on the auditor’s judgment.
- Determining whether weaknesses in internal controls and misstatements found in transactions and account balances are material.

Communicating Results

Auditors must communicate the results of their tests to interested users (the audit committee of the BOD or stockholders) through an audit opinion.

IT auditors often communicate their findings to internal and external auditors, who can then integrate these findings with the non-IT aspects of the audit.

Audit Risk
- Refers to the risk that an auditor will issue an incorrect or misleading audit opinion on a company’s financial statements that are materially misstated.

Material Misstatements

Errors – unintentional mistakes.

Irregularities – intentional misrepresentations associated with the commission of a fraud. (Ex. misappropriation of physical assets or deception of FS users.)

Auditor’s objective: achieve a level of audit risk that is acceptable to the auditor, or reduce audit risk to a lower level by increasing the assurance level provided by the procedures performed.

AR is based on the estimated value of the components of the audit risk model.

Audit Risk Components
- Inherent Risk – this is the risk that there are material misstatements in the financial statements due to factors such as the complexity of the company’s operations. The level of inherent risk cannot be reduced, even in a system protected by excellent controls.
- Control Risk – the likelihood that the internal control is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts. This is the risk that the company’s internal controls over financial reporting are not effective in preventing or detecting material misstatements in the financial statements.
- Detection Risk – this is the risk that the auditor will not detect a material misstatement that exists. Auditors set an acceptable level of detection risk that influences the level of substantive tests that they perform.

Audit Risk Model

It is used to determine the scope, nature, and timing of substantive tests. It is based on statistics from the experience of the auditor.

AR = IR x CR x DR

The IT Audit

Focuses on computer-based aspects of an organization’s information system; modern systems employ significant levels of technology.

The three conceptual phases of an IT audit: Audit Planning, Tests of Controls, and Substantive Testing.

Audit Planning (OBTAIN SUFFICIENT INFORMATION ABOUT THE FIRM TO PLAN THE OTHER PHASES OF THE AUDIT)
- Gaining a thorough understanding of the client’s business.
- Analysis of audit risk.
- Identification of significant applications and attempts to understand the controls over the primary transactions that are processed by these applications.
- Questionnaires, interviewing management, reviewing systems documentation, and observing activities.
- The auditor must identify the principal exposures and the controls that attempt to reduce these exposures.

Tests of Controls (DETERMINE WHETHER ADEQUATE INTERNAL CONTROLS ARE IN PLACE AND FUNCTIONING PROPERLY)
- Various tests of controls.
- Evidence gathering techniques: manual and specialized computer audit techniques.
- Assessing the quality of internal controls by assigning a level for control risk.

The degree of reliance that the auditor can ascribe to internal controls will affect the nature and extent of substantive testing that needs to be performed.

Substantive Testing (FOCUSES ON FINANCIAL DATA)
- Detailed investigation of the specific account balances and transactions.
- The auditor selects a sample of AR balances and traces these back to the sources to determine if the amount stated is owed by the correct customer.
- Auditors use Computer-Assisted Audit Tools and Techniques (CAATTs) software to verify the accuracy of each account.

Relationship between tests of controls and substantive tests
- These are used for reducing audit risk to an acceptable level.
- The stronger the internal control structure (as determined by tests of controls), the lower the control risk and the less substantive testing the auditor must do.
- Evidence of weak controls forces the auditor to extend substantive testing to search for misstatements.
- Substantive tests are labor intensive and time consuming, which means higher audit costs. Thus, management’s best interests are served by having stronger internal control.

Internal Control

Establishment and maintenance is required by the law.

The establishment and maintenance of a system of internal control is an important management obligation. A fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled. Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis. (Securities and Exchange Commission)

Brief History of Internal Control Legislation

SEC Acts of 1933 and 1934

Due to the stock market crash of 1929, and a worldwide financial fraud by Ivar Kreuger.

Securities Act of 1933 objectives:
- Require that investors receive financial and other significant information concerning securities being offered for public sale.
- Prohibit deceit, misrepresentations, and other fraud in the sale of securities.
- Require all publicly traded companies to be audited by an independent auditor.
- Maintain a system of internal control that is evaluated as part of the annual external audit.

Copyright Law 1976

Software and other intellectual properties are now protected by the copyright protection laws.

Management is held liable for violations such as software piracy if raided by the software police and sufficient evidence of impropriety is found.

Foreign Corrupt Practices Act (FCPA) of 1977

US business executives used organizations’ funds to bribe foreign officials, an internal control issue formerly of little interest to stockholders.

The FCPA requires companies registered with the SEC to:
- Keep records that fairly and reasonably reflect the transactions of the firm and its financial position.
- Maintain a system of internal control that provides reasonable assurance that the organization’s objectives are met.

*Violation of the FCPA could lead to heavy fines and imprisonment.

Committee of Sponsoring Organizations (COSO) – 1992

Savings and Loans Scandals of the 1980s

A committee was formed to address these frauds (formerly called Treadway, now COSO).

Sponsoring Organizations
- Financial Executives International (FEI)
- Institute of Management Accountants (IMA)
- American Accounting Association (AAA)
- American Institute of Certified Public Accountants (AICPA)
- Institute of Internal Auditors (IIA)

The committee believed that the best deterrent to fraud was strong internal controls. Therefore, it focused on an effective model for internal controls (the COSO Model).

Sarbanes–Oxley Act of 2002

Mandated after the Enron, WorldCom, and Adelphia large financial frauds and the resulting losses suffered by stockholders. The SOX Act of 2002 was made to protect the public from such events.

SOX requires the implementation of an adequate system of internal controls over the financial reporting process.

Section 302 requires:
- Corporate management (including the CEO) is required to certify the organization’s internal controls on a quarterly and annual basis.
- External auditors must perform the following procedures quarterly to identify any material modifications in controls that may impact financial reporting:
  - Interview management regarding any significant changes in the design or operation of internal control that occurred subsequent to the preceding annual audit or prior review of interim financial information.
  - Evaluate the implications of misstatements identified by the auditor as part of the interim review that relate to effective internal controls.
  - Determine whether changes in internal controls are likely to materially affect internal control over financial reporting.

Section 404 requires management to assess the effectiveness of their organization’s internal controls. This means they must provide an annual report addressing the following:
- Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise.
- Using a risk-based approach, assess both the design and operating effectiveness of selected internal controls related to material accounts.
- Assess the potential for fraud in the system and evaluate the controls designed to prevent and detect fraud.
- Evaluate and conclude on the adequacy of controls over the FS reporting process.
- Evaluate entity-wide (general) controls that correspond to the components of the COSO framework.

Recommended model of the SEC: COSO Framework
- PCAOB (Public Company Accounting Oversight Board) Auditing Standard No. 5 endorses COSO as the framework for control assessment.
- There are other suitable frameworks that have been published; any framework shall encompass all of COSO’s general themes.

Internal Control Objectives, Principles, and Models

An organization’s internal control system comprises policies, practices, and procedures to achieve four broad objectives:

1. To safeguard assets of the firm
2. To ensure the accuracy and reliability of accounting records and information
3. To promote efficiency of the firm’s operations
4. To measure compliance with management’s prescribed policies and procedures

Modifying Procedures

Four modifying principles that guide designers and auditors of internal control systems:
- Management responsibility – establishment and maintenance of a system of internal control is a management responsibility.
- Methods of Data Processing – the internal control system should achieve the four broad objectives regardless of the data processing method used (manual or computer based). The specific techniques used to achieve these objectives will vary with different types of technology.
- Limitations – every system of internal control has limitations on its effectiveness.
  (1) Possibility of error – no system is perfect.
  (2) Circumvention – personnel may circumvent the system through collusion or other means.
  (3) Management override – management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so.
  (4) Changing conditions – conditions may change over time so that existing effective controls may become ineffectual.
- Reasonable Assurance – the internal control system should provide reasonable assurance that the four broad objectives are met.
  - The cost should not outweigh the benefits.

The PDC Model

Preventive controls
- First line of defense in the control structure.
- Designed to reduce the frequency of occurrence of undesirable events.
- Preventing errors and fraud is more cost-effective than detecting and correcting the problems after they occur.

Detective controls
- Second line of defense.
- Designed to identify and expose undesirable events that elude preventive controls.
- Reveal specific types of errors by comparing actual occurrences to pre-established standards.

Corrective controls
- Must be taken to reverse the effects of detected errors.
- Corrective controls actually fix the problem exposed by detective controls.
- For any detected error, there may be more than one feasible corrective action, but the best course of action may not always be obvious.

COSO Internal Control Framework

The Control Environment
- Foundation for the other four control components.
- Sets the tone for the organization and influences the control awareness of its management and employees.

Important elements of the control environment:
- Integrity and ethical values of management.
- Structure of the organization.
- Participation of the organization’s board of directors and the audit committee, if one exists.
- Management’s philosophy and operating style.
- Procedures for delegating responsibility and authority.
- Management methods for assessing performance.
- External influences.
- The organization’s policies and practices for managing its human resources.

SAS 109 requires that auditors obtain sufficient knowledge to assess the attitude and awareness of the organization’s management, BOD, and owners regarding internal control.

Risk Assessment

Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting.

SAS 109 requires that auditors obtain sufficient knowledge of the organization’s risk assessment procedures to understand how management identifies, prioritizes, and manages the risks related to financial reporting.

Information and Communication

The accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organization’s transactions and to account for the related assets and liabilities.

The quality of information that the accounting information system generates impacts management’s ability to take actions and make decisions.

SAS 109 requires that auditors obtain sufficient knowledge of the organization’s information system to understand:
- Classes of transactions that are material and how those transactions are initiated.
- Accounting records and accounts that are used in the processing of material transactions.
- Processing steps involved from the initiation of a transaction to its inclusion in the financial statements.
- The financial reporting process used to prepare FS, disclosures, and accounting estimates.

Monitoring

Management must determine that internal controls are functioning as intended.

Monitoring is the process by which the quality of internal control design and operation can be assessed.

This may be achieved by integrating special computer modules in the information system that capture key data and/or permit tests of controls to be conducted as part of routine operations.

Another method is through timely reports. Well-designed management reports provide evidence of internal control function or malfunction.

Control Activities – policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks. Grouped into two: physical controls and IT controls.

Physical Controls – primarily human activities employed in accounting systems.
- May be purely manual or may involve the physical use of computers to record transactions or update accounts.
- Human activities that trigger and utilize the results of those tasks.

Six categories of physical control:
- Transaction authorization – ensure that all material transactions processed by the IS are valid and in accordance with management’s objectives.
  - General authority – granted to operations personnel to perform day-to-day activities. (Example: a programmed procedure for ordering inventories.)
  - Specific authorizations – case-by-case decisions associated with non-routine transactions. This is usually a management responsibility.
- Segregation of Duties – segregation of employee duties to minimize incompatible functions. (The authorization for a transaction is separate from the processing of the transaction, responsibility for asset custody should be separate from the record-keeping responsibility, and the organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities.)
- Supervision – management must compensate for the absence of segregation controls with close supervision (compensating control).
- Accounting records – accounting records consist of source documents, journals, and ledgers. These records capture the economic essence of transactions and provide an audit trail of economic events.
- Access control – ensure that only authorized personnel have access to the firm’s assets. Indirect access control is accomplished by controlling the use of documents and records and by segregating the duties of those who must access and process these records.
- Independent verification – verification procedures are independent checks of the accounting system to identify errors and misrepresentations. This takes place after the fact, by an individual who is not directly involved with the transaction or task being verified.
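The segregation-of-duties rules above (authorization separate from recording, custody separate from record keeping, and an organization structured so that fraud requires collusion) and the preventive/detective split of the PDC model can both be shown in one small check over a transaction log. The following is an added example, not code from the page or from any auditing standard: the Transaction record, the role table, the sample log and the rule names are all constructed here for illustration.

```python
"""Segregation-of-duties (SoD) checks as preventive and detective controls.

Added example, not from the page. Assumes a simple transaction record with
three duties (authorization, record keeping, asset custody) and a
hypothetical role table; both are constructed here for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: float
    authorized_by: str   # who approved the transaction
    recorded_by: str     # who posted it to the records
    custodian: str       # who holds the asset involved


# Constructed role table (hypothetical employees). Holding both roles of an
# incompatible pair means one person could both cause and conceal an error.
ROLES = {
    "alice": {"approver"},
    "bob": {"bookkeeper"},
    "carol": {"custodian"},
    "dave": {"approver", "bookkeeper"},  # incompatible combination
}

INCOMPATIBLE_ROLE_PAIRS = {
    frozenset({"approver", "bookkeeper"}),   # authorization vs. recording
    frozenset({"custodian", "bookkeeper"}),  # custody vs. record keeping
}


def role_conflicts(roles=ROLES):
    """Review the role table: map each person to the incompatible pairs held."""
    found = {}
    for person, held in roles.items():
        for pair in INCOMPATIBLE_ROLE_PAIRS:
            if pair <= held:
                found.setdefault(person, []).append(tuple(sorted(pair)))
    return found


def sod_violations(txn):
    """Names of the SoD rules a single transaction breaks (empty if clean)."""
    broken = []
    if txn.authorized_by == txn.recorded_by:
        broken.append("authorization_not_separate_from_recording")
    if txn.custodian == txn.recorded_by:
        broken.append("custody_not_separate_from_recording")
    if txn.authorized_by == txn.custodian:
        broken.append("authorization_not_separate_from_custody")
    return broken


def distinct_participants(txn):
    """How many different people a transaction passed through.

    With three, a fraud needs collusion between at least two people.
    """
    return len({txn.authorized_by, txn.recorded_by, txn.custodian})


def preventive_gate(txn):
    """Preventive control: decide before posting. Returns (accepted, reasons)."""
    broken = sod_violations(txn)
    return (not broken, broken)


def detective_scan(log):
    """Detective control: after-the-fact review of an already posted log.

    Returns {txn_id: [rules broken]} for every transaction that violates SoD,
    the kind of exception report independent verification would produce.
    """
    return {t.txn_id: sod_violations(t) for t in log if sod_violations(t)}


# Constructed sample log: T1 is clean, T2 and T3 each concentrate two duties.
SAMPLE_LOG = [
    Transaction("T1", 1200.00, "alice", "bob", "carol"),
    Transaction("T2", 980.50, "dave", "dave", "carol"),
    Transaction("T3", 45.00, "alice", "bob", "bob"),
]

if __name__ == "__main__":
    for t in SAMPLE_LOG:
        ok, reasons = preventive_gate(t)
        print(t.txn_id, "accepted" if ok else "rejected", reasons)
    print("exception report:", detective_scan(SAMPLE_LOG))
    print("role conflicts:", role_conflicts())
```

The same rule function serves both lines of defense: run before posting it is the preventive control, run over the posted log it is the detective control whose exception report an independent verifier reviews. Where the roles cannot be separated (the small-firm case), supervision remains the compensating control, and the role-table review shows where that supervision needs to be applied.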
Verification may occur several times an hour or several times a day. In some cases, verification may occur daily, weekly, monthly, or annually.

IT Controls

Application controls – ensure the validity, completeness, and accuracy of financial transactions.

General controls (also known as general computer controls and information technology controls) – not application-specific, but rather apply to all systems. They include controls over IT governance, IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program change procedures.

*General controls are needed to support the functioning of application controls, and both are needed to ensure accurate financial reporting.

Audit Implications of SOX

Prior to SOX:
- External auditors were not required to test internal controls as part of their attest function. They were required to be familiar with the client organization’s internal control, but had the option of not relying on it and thus not performing tests of controls.

Upon SOX legislation:
- Attest to the quality of the client organization’s internal controls.
- Issuance of a separate audit opinion on the internal controls and an opinion on the fairness of the financial statements.
- A qualified audit opinion on internal controls and an unqualified opinion on the FS is possible.
  - It is technically possible for auditors to find internal controls over financial reporting to be weak, but conclude through substantive tests that the weaknesses did not cause the FS to be materially misstated.
- Auditors are responsible for detecting fraudulent activity and emphasize the importance of controls designed to prevent or detect fraud that could lead to material misstatement of the financial statements.

*Management = implementation of controls
*Auditors = test these controls

PCAOB Standard No. 5

Requires auditors to understand transaction flows, including the controls pertaining to how transactions are initiated, authorized, recorded, and reported:
- Select accounts that have material implications for financial reporting.
- Identify the application controls related to these accounts.

The reliability of application controls rests on the effectiveness of the general controls that support them.

Management and auditors must use a risk-based approach rather than a one-size-fits-all approach in the design and assessment of controls (the size and complexity of the organization need to be considered in determining the nature and extent of controls).
