10-1
AUDITING
10-2
Auditing
AAA’s Definition: Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.
My Definition: To examine and assure
10-3
Auditing
2 broad categories of audits:
1. Internal Auditing (R&S focus)
2. External Auditing
10-4
Internal Auditing
Who does it? Internal employees (outsource)
For whom? Management
What? employee adherence to company policies and procedures – efficiency and effectiveness
10-5
Internal Auditing - Types
Information systems: review AIS controls to assess compliance with internal control policies/procedures & effectiveness in safeguarding assets
Operational/management: reviews company resources and operations – for efficiency, effectiveness, as planned
Compliance: ensure compliance with laws, rules, and regulations
10-6
External Auditing (FS Audit)
Who does it? Independent, external auditors
For whom? SEC, investors
What? Examination of a client’s FS for the purpose of deciding whether or not the FS are fairly presented according to GAAP.
Attest function: give an opinion on the fairness of the FS wrt GAAP applying GAAS. Reliability and integrity of accounting records
10-7
5 Step Audit Process (for all audit types)
(1) Audit Planning: Establish audit objectives, identify risks, Audit program
(2) Collect audit evidence: interviews, examinations, recalculations, sampling
(3) Evaluate evidence: materiality
(4) Arrive at an opinion –
FS: standard unqualified, unqualified with explanatory paragraph, qualified, adverse, disclaimer
(5) Communicate Audit Results
FS: audit report
IDEA, ACL
10-8
Auditing Around vs Through the Computer
[Diagram: INPUT, PROCESSING, OUTPUT, with the two audit paths labeled AROUND and THROUGH]
10-9
Auditing Around the Computer
Ignores the controls and computer processing - assumes accurate output = proper processing
Auditor examines, on a sample basis, inputs to the computer and corresponding outputs
Suitable only if the following conditions are met:
1. Computer processing is relatively simple
2. Audit trail is clearly visible
3. A substantial amount of up-to-date documentation exists about how the system works.
10-10
Audit Trail in Computer-Based System
Visibility of audit trail is diminished
In relational database systems, foreign keys that link related tables form an electronic audit trail.
Example (diagram labels): I/S Revenue, Sale invoice, Customer Table, Customer ID, Invoice No.
10-11
Auditing Through the Computer
Auditor follows the audit trail through the internal computer operations; attempts to verify that the processing controls are functioning correctly
Directly tests the computer controls and verifies the accuracy of computer-based processing of input data.
Tests controls that, if functioning properly, would prevent errors from occurring.
10-12
Which approach is best?
Let’s look at the audit guidelines…..
10-13
Auditing Standards
Statement on Auditing Standards (SAS) 94 “The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit”
Auditors must have sufficient understanding (and document) of each of the 5 components of the IC when planning the audit (2C RIM)
Addresses the effects of IT on IC
May need to design tests of controls in addition to substantive tests (of balances)
10-14
AUDIT BENEFITS OF THE IT ENVIRONMENT (SAS 94)
Consistent processing of large volumes of transactions or data
Enhanced information timeliness, availability, and accuracy
Facilitation of the additional analysis of information
Enhanced ability to monitor the performance of activities, policies, and procedures
Reduction in the risk that controls will be circumvented, if IT system controls are effective
10-15
RISKS OF THE IT ENVIRONMENT (SAS 94)
Incorrectly processing data or consistently processing inaccurate data
Unauthorized access to data that might be destroyed or improperly changed
Unauthorized changes to computer programs
Failure to make necessary changes to computer programs
Inappropriate manual intervention
Potential loss of data
Increase in potential loss resulting from computer fraud relative to manual fraud (increase of 10X).
10-16
Which is the best approach?
Auditing Through the computer
10-17
Auditing Through the Computer
1. Testing Computer Programs
Test data: exception data, compare processed info to predetermined answers
ITF (Integrated Test Facility): process transaction to update dummy records (TEST DATA IN REAL SYSTEM!!!)
Parallel Simulation: live data in program written by auditor (COSTLY!!!)
10-18
Auditing Through the Computer
2. Validate Computer Programs
Test of program change control: make sure IC procedures exist and are followed
Program comparison: compare production program with archived old version (trojan horse, salami)
Surprise audits and surprise use of programs: compare accounting application programs unexpectedly with authorized version
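Added example (not part of the original slides): one way to carry out the program comparison described above is to hash the authorized versions once and compare the production library against that manifest on each surprise check. The file names and program contents are constructed sample data.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(programs: dict) -> dict:
    """Hash every authorized program. The manifest should be kept where
    developers and operators cannot alter it (assumption of this sketch)."""
    return {name: sha256_hex(code) for name, code in programs.items()}

def compare_to_authorized(manifest: dict, production: dict) -> dict:
    """Compare the production library with the authorized manifest."""
    findings = {"modified": [], "missing": [], "unauthorized": []}
    for name, digest in sorted(manifest.items()):
        if name not in production:
            findings["missing"].append(name)        # authorized program not deployed
        elif sha256_hex(production[name]) != digest:
            findings["modified"].append(name)       # differs from authorized version
    # Programs running in production that nobody authorized
    findings["unauthorized"] = sorted(set(production) - set(manifest))
    return findings

# Constructed sample data: archived authorized versions.
AUTHORIZED = {
    "interest_calc.py": b"def interest(b, r):\n    return round(b * r, 2)\n",
    "payroll_post.py": b"def post(entry, ledger):\n    ledger.append(entry)\n",
    "ar_aging.py": b"def age(invoice):\n    return invoice['days'] // 30\n",
}

# Constructed sample data: what is actually found in production.
PRODUCTION = {
    # Rounding was changed to truncation without going through change control.
    "interest_calc.py": b"def interest(b, r):\n    return int(b * r * 100) / 100\n",
    "payroll_post.py": AUTHORIZED["payroll_post.py"],
    "month_end_fix.py": b"def fix(ledger):\n    ledger.clear()\n",
}

def run_comparison() -> dict:
    return compare_to_authorized(build_manifest(AUTHORIZED), PRODUCTION)

if __name__ == "__main__":
    for kind, names in run_comparison().items():
        print(f"{kind}: {names}")
```

Any entry under "modified" or "unauthorized" is then traced back to a change request as part of the test of program change control.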
10-19
Auditing Through the Computer
3. Review of systems software
Operating systems software
Utility programs that do basic “housekeeping” chores such as sorting and copying
Program library software that controls and monitors storage of programs
Access control software that controls logical access to programs and data files
10-20
Auditing Through the Computer
4. Continuous Auditing:
Audit tools installed within the IS
Audit hooks
Continuous and intermittent simulation
Embedded audit modules
Exception reporting
SCARF
Snapshot technique
Transaction tagging
Match these terms with their definitions on the next slides
10-21
Auditing Through the Computer
Embedded audit modules: Application subroutine that captures data for audit purposes
Write to a special log file called SCARF (systems control audit review file)
Ex: transactions affecting inactive accounts, deviating from company policy, write-downs of asset values
10-22
Auditing Through the Computer
audit hooks:
audit routine that flags suspicious transactions (real-time notification)
Exception reporting:
mechanisms that reject certain transactions that fall outside predefined specifications
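Added example (not part of the original slides): a small transaction processor showing how an embedded audit module writing to SCARF, an audit hook, and exception reporting fit together. The account data, the amount limit, the discount policy and all transactions are constructed assumptions.

```python
import json
from dataclasses import dataclass, field

# Constructed master data and thresholds (assumptions for illustration).
ACCOUNTS = {"C100": "active", "C200": "inactive", "A900": "active"}
MAX_AMOUNT = 50_000          # predefined specification for exception reporting
POLICY_DISCOUNT_CAP = 0.10   # discounts above 10% deviate from company policy

@dataclass
class AuditModule:
    scarf: list = field(default_factory=list)   # stands in for the SCARF log file
    alerts: list = field(default_factory=list)  # stands in for real-time notification

    def inspect(self, txn: dict) -> list:
        """Embedded audit module: capture transactions of audit interest."""
        reasons = []
        if ACCOUNTS.get(txn["account"]) == "inactive":
            reasons.append("inactive_account")
        if txn["type"] == "asset_write_down":
            reasons.append("asset_write_down")
        if txn.get("discount", 0) > POLICY_DISCOUNT_CAP:
            reasons.append("policy_deviation")
        if reasons:
            record = {"txn": txn, "reasons": reasons}
            self.scarf.append(json.dumps(record, sort_keys=True))
        if "inactive_account" in reasons:
            self.alerts.append(txn["id"])       # audit hook: flag immediately
        return reasons

def process(txns: list, audit: AuditModule):
    posted, rejected = [], []
    for txn in txns:
        # Exception reporting: reject anything outside the predefined spec.
        in_spec = txn["account"] in ACCOUNTS and 0 < txn["amount"] <= MAX_AMOUNT
        if not in_spec:
            rejected.append(txn["id"])
            continue
        audit.inspect(txn)                      # runs inside normal processing
        posted.append(txn["id"])
    return posted, rejected

# Constructed sample transactions.
TXNS = [
    {"id": "T1", "type": "sale", "account": "C100", "amount": 1200, "discount": 0.05},
    {"id": "T2", "type": "sale", "account": "C200", "amount": 300},
    {"id": "T3", "type": "asset_write_down", "account": "A900", "amount": 8000},
    {"id": "T4", "type": "sale", "account": "C100", "amount": 75000},
    {"id": "T5", "type": "sale", "account": "C100", "amount": 900, "discount": 0.25},
]

def run_demo():
    audit = AuditModule()
    posted, rejected = process(TXNS, audit)
    return posted, rejected, audit

if __name__ == "__main__":
    posted, rejected, audit = run_demo()
    print("posted:", posted, "rejected:", rejected, "alerts:", audit.alerts)
    print("\n".join(audit.scarf))
```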
10-23
Auditing Through the Computer
Transaction tagging
Place a special identifier on transactions so that they can be recorded as they pass through the IS.
EX: tag an employee’s transaction records, manually calculate & compare
Snapshot technique
audit modules record selected transactions before and after processing. Auditor reviews to make sure all processing steps performed properly.
10-24
Auditing Through the Computer
Continuous and intermittent simulation (CIS)
- audit module in DBMS
- examines all transactions that update the DBMS. If a transaction has special audit significance, the audit module independently processes the data, records the results and compares them with the DBMS results. If discrepancies, written to an audit log for subsequent review OR may stop DBMS from executing the update process.
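Added example (not part of the original slides): a sketch of the CIS check described above, where the audit module recomputes audit-significant updates independently and either logs a discrepancy or stops the update. Treating monthly interest postings as the audit-significant transactions, the rounding rule, and the sample updates are all assumptions made for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def auditor_interest(balance: Decimal, annual_rate: Decimal) -> Decimal:
    """Auditor's independent calculation: monthly interest, half-up to the cent."""
    return (balance * annual_rate / 12).quantize(CENT, rounding=ROUND_HALF_UP)

def has_audit_significance(update: dict) -> bool:
    # Assumption: only interest postings are selected for simulation.
    return update["kind"] == "interest_posting"

def cis_check(update: dict, audit_log: list, block_on_mismatch: bool) -> bool:
    """Return True if the DBMS may apply the update."""
    if not has_audit_significance(update):
        return True
    expected = auditor_interest(update["balance"], update["rate"])
    if expected == update["dbms_result"]:
        return True
    # Discrepancy: record both results for subsequent review.
    audit_log.append({
        "id": update["id"],
        "dbms": update["dbms_result"],
        "auditor": expected,
        "diff": expected - update["dbms_result"],
    })
    return not block_on_mismatch

def run_cis(updates: list, block_on_mismatch: bool = False):
    audit_log, applied = [], []
    for update in updates:
        if cis_check(update, audit_log, block_on_mismatch):
            applied.append(update["id"])
    return applied, audit_log

# Constructed sample updates as the DBMS would present them to the audit module.
UPDATES = [
    {"id": "U1", "kind": "interest_posting", "balance": Decimal("10000.00"),
     "rate": Decimal("0.06"), "dbms_result": Decimal("50.00")},
    {"id": "U2", "kind": "interest_posting", "balance": Decimal("2500.75"),
     "rate": Decimal("0.045"), "dbms_result": Decimal("9.37")},   # auditor gets 9.38
    {"id": "U3", "kind": "address_change"},
]

if __name__ == "__main__":
    for block in (False, True):
        applied, log = run_cis(UPDATES, block_on_mismatch=block)
        print(f"block={block} applied={applied} discrepancies={log}")
```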
10-25
Auditing With the Computer
Additional Computer-assisted techniques (CAATS)
Help auditor complete audit
General use software: productivity tools (Word, Excel, project management, ACCESS, SQL)
Automated workpaper software
Generalized audit software (GAS): software designed for auditor
• Read, manipulate client’s computer-based data
• Independent evidence about the validity of transactions and balances
10-26
How do auditors put it all together?
10-27
Risk-based Audit Approach
GOAL: Provide a clear understanding of the errors and irregularities that can occur and the related risks and exposures
1. Determine the threats (errors, irregularities)
2. Identify the needed control procedures
3. Evaluate the control procedures
4. Evaluate weaknesses to determine effect on nature, timing, and extent of auditing procedures. Compensating Controls?
10-28
Risk-based Audit Approach
Evaluate Control Procedures
System review – are procedures in place?
Ex: review docs, interviews
Tests of controls = compliance testing – are the controls in place and working as prescribed?
Ex: observe operations, check samples of input, verify use, trace transactions
10-29
Audit Risk Model
Used in audit planning:
AR = audit risk: likelihood that the FS are materially misstated
AR = IR x CR x DR
[Callouts on the formula:]
Auditor cannot reduce
Auditor can control this
Assesses general and application controls applicable to each FS assertion; tests of controls = compliance tests
10-30
Audit Risk Model
IR = inherent risk: susceptibility of an account or class of transactions to material error
CR = control risk = likelihood that the IC control structure will fail to prevent/detect a material error
DR = detection risk = likelihood that the auditor’s procedures will not uncover material errors
More auditing procedures = lower DR
Inversely related to CR: if CR is high, then an auditor sets DR low and performs more substantive tests (detail tests of transactions and account balances)
10-31
Audit Risk Model
Example
Assume controls over the revenue cycle are not effective and cannot be relied upon. The auditor is worried about the correctness of the A/R balance. To lower detection risk, what would the auditor do?
10-32
Audit Risk Model
Example
Assume controls over the revenue cycle are not effective and cannot be relied upon. The auditor is worried about the correctness of the A/R balance. To lower detection risk, what would the auditor do?
Increase substantive testing of the A/R balance – send out lots of confirmation letters to customers.
10-33
Generalized Audit Software
2 main computer auditing software packages: ACL (Audit Command Language) and IDEA (Interactive Data Extraction and Analysis).
In this class, we will be using IDEA to audit several different general ledger accounts and look for employee fraud.
Clients: American Express, BDO Seidman, Grant Thornton, KPMG, McGladrey and Pullen LLP, PriceWaterhouseCoopers, FDIC, GAO, US Departments of Commerce, Education, Interior, Labor, Transportation, EPA, Treasury, Dow Chemical, Chicago Board of Trade, Exxon Company USA, Revlon
10-34
General Functions of Computer Audit Software
– reformatting
– file manipulation
– calculation
– data selection
– data analysis
– file processing
– statistics
– report generation
– sampling
– data retrieval
– apply edit checks
– file operations (join, merge, sort)