Chapter 1: Auditing, Assurance, and Internal Control

Upload: chihci

Post on 28-Sep-2015


  • Chapter 1: Auditing, Assurance, and Internal Control

  • Syllabus

    Course Description
    Textbooks
    Course Objectives
    Exams
    Research Papers
    Assignments
    Class Schedule
    Performance Evaluation

  • Syllabus (cont.)

    Class Format: Lecture and Discussion, In-Class Assignments, Short Presentations
    Blackboard and Class Website: tpt.usf.edu/gkearns/acg6936
    Academic Dishonesty
    Disruption of the Academic Process

  • IT AUDITS

    IT audits provide audit services where processes or data, or both, are embedded in technologies.
    Subject to the ethics, guidelines, and standards of the profession (if certified)
    CISA certification; most closely associated with ISACA
    Joint with internal, external, and fraud audits
    Scope of IT audit coverage is increasing
    Characterized by CAATTs (computer-assisted audit tools and techniques)
    IT governance as part of corporate governance

  • FRAUD AUDITS

    Fraud audits provide investigation services where anomalies are suspected, to develop evidence that supports or denies fraudulent activity.
    The auditor is more like a detective
    No materiality threshold
    Goal is conviction, if sufficient evidence of fraud exists
    CFE certification; ACFE

  • EXTERNAL AUDITS

    External auditing: the objective is that, in all material respects, the financial statements are a fair representation of the organization's transactions and account balances.
    SEC's role
    Sarbanes-Oxley Act
    FASB, PCAOB
    CPA certification; AICPA

  • ATTEST vs. ASSURANCE

    ASSURANCE: professional services designed to improve the quality of information, both financial and non-financial, used by decision-makers.
    IT Audit Groups in the Big Four (e.g. "Final Four"):
      IT Risk Management
      I.S. Risk Management
      Operational Systems Risk Management
      Technology & Security Risk Services
    Typically a division of assurance services

  • ATTEST definition

    Written assertions
    Practitioner's written report
    Formal establishment of measurement criteria or their description
    Limited to: examination, review, application of agreed-upon procedures

  • THE IT ENVIRONMENT

    There has always been a need for an effective internal control system.
    The design and oversight of that system has typically been the responsibility of accountants.
    The I.T. environment complicates the paper systems of the past:
      Concentration of data
      Expanded access and linkages
      Increase in malicious activities in systems vs. paper
      Opportunity for management fraud (i.e., management override of controls)

  • IT Investigative and Forensic Techniques for Auditors

    Purpose: to assist auditors in developing the knowledge, skills, and abilities to provide reasonable assurance for the security, availability, integrity and management of information systems and resources.

  • The IT Audit

    An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of the obtained evidence determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives.

  • The IT Audit (cont.)

    These reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation engagement. External auditors can accept the results of an internal audit only if the internal audit function reports to the audit committee. External auditors may also use and rely upon a third-party IT audit firm.

  • IT Audit Process: 8 Steps

    1. Plan the audit
    2. Hold kickoff meeting
    3. Gather data / test IT controls
    4. Remediate identified deficiencies (organization)
    5. Test remediated controls
    6. Analyze and report findings
    7. Respond to findings (organization)
    8. Issue final report (auditor)

  • INTERNAL CONTROL

    Internal control is the policies, practices and procedures designed to:
      safeguard assets
      ensure accuracy and reliability
      promote efficiency
      measure compliance with policies

  • BRIEF HISTORY - SEC: SEC Acts of 1933 and 1934

    All corporations that report to the SEC are required to maintain a system of internal control that is evaluated as part of the annual external audit.

  • BRIEF HISTORY - Copyright: Federal Copyright Act 1976

    Protects intellectual property in the U.S.
    Has been amended numerous times since
    Management is legally responsible for violations by the organization
    The U.S. government has continually sought international agreement on terms for protection of intellectual property globally vs. nationally

  • BRIEF HISTORY - FCPA: Foreign Corrupt Practices Act 1977

    Accounting provisions: the FCPA requires SEC registrants to establish and maintain books, records, and accounts. It also requires the establishment of internal accounting controls sufficient to meet these objectives:
      Transactions are executed in accordance with management's general or specific authorization.
      Transactions are recorded as necessary to prepare financial statements (i.e., GAAP) and to maintain accountability.
      Access to assets is permitted only in accordance with management authorization.
      The recorded assets are compared with existing assets at reasonable intervals.
    Illegal foreign payments

  • BRIEF HISTORY - COSO: Committee of Sponsoring Organizations - 1992

    AICPA, AAA, FEI, IMA, IIA
    Developed a management-perspective model for internal controls over a number of years
    Is widely adopted

  • BRIEF HISTORY - S-OX: Sarbanes-Oxley Act - 2002

    Section 404: Management Assessment of Internal Control
      Management is responsible for establishing and maintaining the internal control structure and procedures.
      Must certify by report on the effectiveness of internal control each year, with the other annual reports.
    Section 302: Corporate Responsibility for Incident Reports
      Financial executives must disclose deficiencies in internal control, and fraud (whether the fraud is material or not).

  • EXPOSURES AND RISK

    Exposure (definition)
    Risk (definition)
    Types of risk:
      Destruction of assets
      Theft of assets
      Corruption of information or the I.S.
      Disruption of the I.S.

  • THE P-D-C MODEL

    Preventive controls
    Detective controls
    Corrective controls
    Which is most cost effective?
    Which one tends to be a proactive measure?
    Can you give an example of each?
    Predictive controls

  • COSO (Treadway Commission)

    The five components of internal control are:
      The control environment
      Risk assessment
      Information & communication
      Monitoring
      Control activities

  • SAS 78

    The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) incorporated the components of internal control presented in the COSO Report in its Statement on Auditing Standards No. 78 (SAS 78), entitled "Consideration of Internal Control in a Financial Statement Audit."

  • SAS 78 (#1: Control Environment -- elements)

    Describe how each one could adversely affect internal control.
      The integrity and ethical values
      Structure of the organization
      Participation of the audit committee
      Management's philosophy and style
      Procedures for delegating

  • SAS 78 (#1: Control Environment -- elements, cont.)

      Management's methods of assessing performance
      External influences
      The organization's policies and practices for managing human resources

  • SAS 78 (#1: Control Environment -- techniques)

    Describe a possible activity or tool for each.
      Assess the integrity of the organization's management
      Conditions conducive to management fraud
      Understand the client's business and industry
      Determine if the board and audit committee are actively involved
      Study the organization structure

  • SAS 78 (#2: Risk Assessment)

    Changes in environment
    Changes in personnel
    Changes in I.S.
    New ITs
    Significant or rapid growth
    New products or services (experience)
    Organizational restructuring
    Foreign markets
    New accounting principles

  • SAS 78 (#3: Information & Communication -- elements)

    Initiate, identify, analyze, classify and record economic transactions and events.
      Identify and record all valid economic transactions
      Provide timely, detailed information
      Accurately measure financial values
      Accurately record transactions

  • SAS 78 (#3: Information & Communication -- techniques)

    Auditors obtain sufficient knowledge of the I.S. to understand:
      Classes of transactions that are material
      Accounting records and accounts used
      Processing steps: from initiation to inclusion in the financial statements (illustrate)
      Financial reporting process (including disclosures)

  • SAS 78 (#4: Monitoring)

    By separate procedures (e.g., tests of controls)
    By ongoing activities (Embedded Audit Modules, EAMs, and Continuous Online Auditing, COA)

  • SAS 94: The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit

    Provides auditors with guidance on IT's effect on internal control, on the auditor's understanding of internal control, and on the assessment of control risk. Requires the auditor to consider how an organization's use of IT affects his or her audit strategy. Where a significant amount of information is electronic, the auditor may decide it is not practical or possible to limit detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such cases, the auditor should gather evidence about the effectiveness of both the design and the operation of controls intended to reduce the assessed level of control risk.

  • SAS 78 (#5: Control Activities)

  • Physical Controls (1-3)

    Transaction authorization
      Example: sales only to authorized customers
      Example: sales only if within the available credit limit
    Segregation of duties
      Examples of incompatible duties:
        Authorization vs. processing [e.g., sales vs. authorizing customers]
        Custody vs. recordkeeping [e.g., custody of inventory vs. data processing of inventory]
      Fraud then requires collusion [e.g., separate the various steps in a process]
    Supervision
      Serves as a compensating control when a lack of segregation of duties exists by necessity

  • Physical Controls (4-6)

    Accounting records (audit trails; examples)
    Access controls
      Direct (the assets)
      Indirect (documents that control the assets)
      Fraud; disaster recovery
    Independent verification
      Management can assess:
        The performance of individuals
        The integrity of the AIS
        The integrity of the data in the records
      Examples
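As an added illustration (example code, not from the course slides), the following Python models four of the control activities above on a toy sales process: transaction authorization (authorized customer, within credit limit), segregation of duties between the approver and the processor, an append-only accounting record that serves as the audit trail, and independent verification of recorded balances against the ledger. The Customer and Ledger classes and all sample values are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Customer:            # hypothetical master-file record
    name: str
    authorized: bool
    credit_limit: float
    balance: float = 0.0

@dataclass
class Ledger:
    """Append-only audit trail: every attempt, approved or rejected, is recorded."""
    entries: list = field(default_factory=list)

    def record(self, **entry):
        self.entries.append(dict(entry))

def authorize_sale(customer, amount, approver, ledger):
    """Transaction authorization: sell only to authorized customers within credit."""
    ok = customer.authorized and customer.balance + amount <= customer.credit_limit
    ledger.record(step="authorize", customer=customer.name, amount=amount,
                  actor=approver, approved=ok)
    return ok

def process_sale(customer, amount, approver, processor, ledger):
    """Segregation of duties: whoever authorizes the sale may not also process it."""
    if approver == processor:
        ledger.record(step="process", customer=customer.name, amount=amount,
                      actor=processor, approved=False, reason="SoD violation")
        return False
    if not authorize_sale(customer, amount, approver, ledger):
        return False
    customer.balance += amount          # custody/recordkeeping step
    ledger.record(step="process", customer=customer.name, amount=amount,
                  actor=processor, approved=True)
    return True

def verify_balances(customers, ledger):
    """Independent verification: recompute each balance from the audit trail and
    compare it with the recorded balance; returns the names that disagree."""
    expected = {c.name: 0.0 for c in customers}
    for e in ledger.entries:
        if e["step"] == "process" and e["approved"]:
            expected[e["customer"]] += e["amount"]
    return [c.name for c in customers if abs(expected[c.name] - c.balance) > 1e-9]
```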

  • IT Risks Model

    Operations
    Data management systems
    New systems development
    Systems maintenance
    Electronic commerce (the Internet)
    Computer applications

  • End Ch. 1

    Notes (Auditing (Guy) p. 234-235):

    EXPOSURE: absence or weakness of a control.
    RISK: potential threat to compromise the use or value of organizational assets.

    Control Environment. According to the COSO Report, the control environment sets the tone of an organization and influences the control consciousness of its people. It provides structure and discipline, and forms the foundation for all other components of internal control.

    Risk Assessment. Risk assessment refers to the identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with generally accepted accounting principles [GAAP] (or another comprehensive basis of accounting).

    Control Activities. Control activities are the policies and procedures that help ensure that management's directives are carried out.

    Information and Communication. The identification, capture and exchange of information in a form and timeframe that enables people to carry out their responsibilities.

    Monitoring. In relation to the COSO report and SAS 78, monitoring refers to the process used to assess the quality of internal control performance over time.

    Adequate internal control is a key defense (but no guarantee) against fraud, errors and program abuse.

    SAS No. 94 and Tests of Controls. Under the auditing standards (SAS Nos. 48, 55 and 78) relevant to computer-based systems issued prior to SAS No. 94, a large percentage of auditors assessed control risk at the maximum and performed only substantive tests of account balances and classes of transactions to gather evidence about financial statement assertions. SAS No. 94 recognizes that this approach may not be viable in complex IT environments. When evidence of a firm's initiation, recording and processing of transactions exists only in electronic form, the auditor's ability to obtain the desired assurance only from substantive tests is significantly diminished. SAS No. 94 does not change the requirement to perform substantive tests on significant amounts, but states that "it is not practical or possible to restrict detection risk to an acceptable level by performing only substantive tests." [3] When assessing the effectiveness of the design and operation of controls in complex IT environments, it is necessary for the auditor to test these controls. The decision to test controls is not related to the size of the firm but to the complexity of the IT environment.