CHAPTER 15 –AUDITING IT CONTROLS PART 1: SARBANES-OXLEY & IT GOVERNANCE
Overview of Auditing
External audit- is an independent attestation performed
by an expert called an auditor.
 It is performed by CPA who works for public
firms that are independent of the client org.
being audited.
 This is often referred to as financial audit.
Audit objective:
 To ensure always that financial statements are
fairly represented.
Securities Exchange Commission (SEC) - requires that all
the publicly traded companies must be subject to
financial audit annually.
 CPAs conducting this audit represent the
interests of the outsiders: stockholders,
creditors, government agencies and general
public.
 CPA’s role is to evaluate evidence thus render
opinion.
 Independence is a key concept in the auditing
process.
 External auditors follow strict rules that have
been defined by SEC, Financial Accounting
Standards Board (FASB), American Institute of
Certified Public Accountants (AICPA) and the
federal law Sarbanes Oxley Act of 2002 (SOX Act
of 2002) .
 Public Company Accounting Oversight (PCAOB)
– It was established by the congress and has
greater extent than FASB.
 SEC has the final authority over financial
auditing.
Financial Audit Components
 The product of the attestation function is a
formal written report that expresses an opinion
as to whether the FS are in conformity with
GAAP.
 Auditors are guided in their professional
responsibility by (GAAS) 10 Generally Accepted
Auditing Standards. (P.644)
Auditing Standards
 It is divided into 3 classes:
1. General Qualification standard
2. Tests of Controls
2. Field work standards
3. Reporting Standards
 Although GAAS establishes framework for
prescribing auditor performance, it is not
sufficiently detailed to provide meaningful
guidance in specific circumstances.
 AICPA issues Statements on Auditing Standards
(SASs) to provide specific guidance.
 1972- the year when the first SAS was issued by
AICPA
 SASs- are regarded as the authoritative
pronouncement because every member of the
profession must follow their recommendations
or be able to show why SAS is not applicable in
a given situation.
 Individual Auditor – has the burden of justifying
departures from SASs.
Structures of an Audit
 Conducting an audit – is a systematic and logical
process that consists of 3 conceptual phases:
1. Audit Planning
2. Tests of Controls
3. Substantive Testing
 IT Audit – It involves specialized procedures that
are directed to those aspect of the client’s
system where technology plays a material role
and thus injects an added degree of complexity
into an audit.
 IT Auditing – constitute a substantial
component of the overall financial audit.
1. Audit Planning
 What should be done
 What document should be review
 It is first phase of the audit.
 The auditor’s objective at this point is to obtain
sufficient information about the firm to plan the
other phases of the audit.
 The auditor attempts to understand the org.’s
policy, practice, and structure. He also identifies
the financially significant applications and
attempts to identify and understand the
controls over the transaction that are processed
by these apps.
 The techniques for gathering evidence at this
phase are: (AIRO)
1. Administering questionnaires
2. Interviewing management
3. Reviewing systems documentation
4. Observing day to day activities
 It is the 2nd phase of audit.
 The objective of this phase is to determine
whether adequate internal controls are in place
and functioning properly.
 Computer aided audit tools and techniques
(CAATTs) – are specialized audit computer
techniques used in evidence gathering.
 CHAPTER 15 –AUDITING IT CONTROLS PART 1: SARBANES-OXLEY & IT GOVERNANCE
 The auditor assesses the quality of internal
control by assigning a level of control risk.
3. Substantive Testing
 Auditors get samples.
 The third phase of the audit process focuses on
gathering evidence pertaining to financial data.
 It involves detailed investigation of specific
account balances and transactions through
Substantive test.
 Substantive tests tend to be physical, labor
intensive activities ex. Counting cash.
Management Assertions
 Management assertions are claims made by
management regarding the content of their
issued financial statements.
 Implicitly management asserts that their
account balances and underlying transactions
are free from material errors and complete,
valid and accurate.
 Through substantive procedures auditors gather
evidence to test the validity of management
assertions w/c fall in the general categories
below:
1. Assertions about classes of transactions and
events of the period under audit: 5 (OCACC)
 Occurrence
 Completeness
 Accuracy
 Cutoff
 Classification
2. Assertions about account balances at the
year-end: 4 (CREV)
 Completeness
 Rights and obligations
 Existence
 Valuation and allocation
3. Assertions about presentation and disclosure:
4 (COCA)
 Classification and Understandability
 Occurrence & Rights and Obligation
 Completeness
 Accuracy and Valuation
 The auditors develop audit objectives and
design audit procedures to gather evidence
corroborates (attests/support) or refutes
management assertions.
Audit Risks
 Audit Risk – it is the probability that the auditor
will render unqualified (clean) opinion on FS
that are in fact, materially misstated because of
undetected errors or irregularities or both.
 Errors – are unintentional mistakes.
 Irregularities – are intentional
misrepresentations associated w/the
commission of fraud, such as misappropriation
of physical asset or attempts to deceive FS
users.
Audit Risk Components
 The auditor’s objective is to achieve a level
of audit risk that is acceptable to the
auditor.
 The auditor estimates the acceptable audit
risk based on EX ANTE VALUE of the
components of the audit risk model: 3 (ICD)
1. Inherent risk
2. Control risk
3. Detection risk
1. Inherent Risk (IR) – associated with the unique
characteristics of the business or industry of the
client. (Higher risks)
 Auditors cannot reduce the level of
inherent risk.
2. Control Risk (CR) – is the likelihood that the
control structure is flawed because of controls are
either absent or inadequate to prevent or detect
errors in the account.
 Auditors assess the level of control risk by
performing test of internal controls.
3. Detection Risk (DR) – is the risks that the auditors
are willing to take that errors not detected or
prevented by the control structure will also go
undetected by the auditor as he or she performs
substantive tests.
 Planned Detection Risk – predetermined by
the auditor as an acceptable level of
detection risk which influences the level of
substantive test that they must perform.
 The more reliable the internal controls, the
more planned detection risk the auditor can
assume and less substantive testing is
required.
Audit Risk Model
 Auditors used the audit risk component in the
audit risk model to determine the scope, nature
and timing of substantive test.
 AR = IR x CR x DR
 The stronger the internal control structure, as
determined through test of controls, the lower
the control risk the lower the less substantive
test the auditor must perform.
 CHAPTER 15 –AUDITING IT CONTROLS PART 1: SARBANES-OXLEY & IT GOVERNANCE
Audit Report
 Audit Report – it is the report submitted by the
auditor to the board of directors upon the
completion of the audit.
 Audit reports include an opinion on the fair
presentation of the FS and opinion on the
quality of the internal controls over financial
reporting.
Overview of SOX Sections 302 and 404
 SOX of 2002 established corporate governance
regulations and standards for public companies
registered w/SEC.
 Section 302 and 404 focuses concentrate on
internal control and audit responsibility.
Section 302
 Section 302 – It requires the corporate
management including the Chief Executive
Officer (CEO), to certify financial and other
information contained in the organization’s
quarterly and annual reports.
 This section also requires the corporate
management to certify the internal controls
over financial reporting.
 Certifying officers – are required to have
designed internal controls or to have caused
such controls to be designed and to provide
reasonable assurance as to the reliability of the
financial reporting process. They must also
disclose material changes in the company’s
internal control that have occurred in the most
recent fiscal year.
Section 404
 Section 404 – requires the management of
public companies to assess the effectiveness of
their organization’s internal control over
financial reporting process.
 Under this section of the act, the management
is required to providea an annual report
addressing to the following: (P.650)
 COSO (Committee of the Sponsoring
Organization of the Treadway Commission) –
According to SEC, it is the recommended
control framework. It was also endorsed by
PCAOB auditing standard no. 5 to be used for
control assessment.
Relationship between It controls and Financial Reporting
 COSO model identifies 2 broad groupings of IT
Controls:
1. Application Controls
2. General Controls
 Application Control – It ensures validity,
completeness and accuracy of financial
transactions. These controls are designed to be
application specific.
 IT General Controls/General Computer
Controls/Information Technology Control – are
so named because they are not application
specific, but rather apply to all systems. They
include control over IT governance, IT
infrastructure, network and operating system
security, database access, application
acquisition and development, and program
changes.
 Although General controls do not control
specific transactions, they have an effect on the
transaction integrity.
 General controls are needed to support the
environment in which application control
function and both are needed to ensure
accurate financial reporting.
Audit Implications of Section 302 and 404
 Prior to SOX, The audit primarily consists of
substantive test.
 SOX expand the role of the external mandating
that they attest the quality of internal controls.
 PCAOB Standard no. 5 – specifically requires
auditors to understand transaction flows
including controls pertaining to how
transactions are initiated, authorized, recorded
and reported.
 Compliance to Section 404 – requires
management to provide the external auditors
with documented evidence of the functioning of
controls related to selected material accounts in
its report in control effectiveness.
 SOX places responsibility on auditors to detect
fraudulent activity and emphasize the
importance of controls designed to prevent or
detect fraud that could lead to material
misstatement of financial statements.
Computer Fraud
 Fraud – denotes a false representation of a
material fact made by one party to another w/
the intent to deceive and induce the other party
to justifiably rely on the fact to his / her
detriment.
 In business environment, Fraud – It is an
intentional deception, misappropriation of
company’s asset or manipulation of company’s
 CHAPTER 15 –AUDITING IT CONTROLS PART 1: SARBANES-OXLEY & IT GOVERNANCE
financial data to the advantage of the
perpetrator.
 Computer fraud includes:
1. Theft, misuse, or misappropriation of assets
by altering computer readable records and files.
2. Theft, misuse, or misappropriation of assets
by altering the logic of computer software.
3. Theft or illegal use of computer readable
information.
4. Theft, corruption, illegal copying or
intentional destruction of computer software
5. Theft, misuse, or misappropriation of
computer hardware.
 Each stage in the General for accounting
information model –
1. Data collection
2. Data processing
3. Database management
4. Information generation
**are potential areas of risk for certain types of
computer fraud.
 1. Data Collection – first operational stage in the
information system. It is the most important
stage in the system.
 Data Collection is the most common
access point for perpetrating computer
fraud.
 Fraud of this type requires no computer
skills or little on the part of the
fraudster.
 Control Objective: To ensure that the
event entering the system are valid,
complete and free from material errors.
 Network Systems – It expose the
organization to transaction fraud from
remote location.
 There are 3 fraud techniques:
1. Masquerading
2. Piggybacking
3. Hacking
 Masquerading -It involves a perpetrator
gaining access to the system from the
remote site by pretending to be an
authorized user. Usually requires first
gaining authorized access to password.
 Piggybacking – It is a technique in which
the perpetrator at the remote site taps
in to the telecommunication lines and
latches on to an authorized user who is
logging into the system.
 Hacking – may involve piggybacking or
masquerading techniques.
 Hackers – their motive is not to
defraud for financial gain instead
they are challenge of breaking
into the system rather than theft
of assets. They have caused
intensive damage and loss to
organization by destroying and
corrupting corporate data.
 Computer Criminals – motivated
by financial gain in committing
fraud.
 2. Data Processing - It include mathematical
algorithm used for production scheduling
application, statistical techniques for sales
forecasting and posting and summarizing
procedures used for accounting applications.
 Data processing fraud fall into two
classes:
1. Program Fraud
2. Operations Fraud
 Program Fraud – It includes the ff. techniques
(1) creating illegal programs that can access
data files to alter, delete, or insert values into
accounting records.
(2) Destroying and corrupting program’s logic
using a computer virus.
(3) Altering the program logic to cause the
application to process data incorrectly.
 Salami Fraud – a form of program fraud that
involves modifying the rounding logic of the
program so that it no longer adds the one cent
randomly. Instead the modified program,
always adds the plus cent to the perpetrator’s
account but it stills add the minus cent
randomly.
 Operations Fraud – It is misuse or theft of the
firm’s computer resources. It often involves
using the computer to conduct personal
business.
 3. Database Management
 Database is the physical repository for
financial and non-financial data.
 Database Management Fraud – includes
altering, deleting, corrupting,
destroying or stealing organizations
data. Usually done by disgruntled
employees
 Access to database files – is essential
element of Database management
fraud.
 CHAPTER 15 –AUDITING IT CONTROLS PART 1: SARBANES-OXLEY & IT GOVERNANCE

 Logic Bomb- destructive routine that monitoring database usage, and

erases the files that the program planning future expansions.
accesses.  Separating the DBA from Systems
 4. Information Generation – It is the process of development
compiling, arranging, formatting and presenting 3.) Separating New Systems Development from
information to users. Maintenance
 A common form of computer fraud at  Inadequate Documentation
the information generation stage is to  Reasons for Poor documentation
steal, misdirect or misuse computer 1. Documenting is not as interesting as
output. designing, testing and implementing
 Scavenging – It is a one low tech but them.
effective technique that involves 2. Job Security
searching through the trash of the  Program Fraud
computer center for discarded output.
 Solution Paper Shredding
 Eavesdropping – It is another form of
fraud that involves listening to output
transmissions over telecommunication
lines.
 PCAOB Auditing Standards No.5 –
emphasizes that management and
auditors used a risk based approach
rather than one size fits all approach to
the design and assessment of controls.
IT Governance Controls
 It is a broad concept relating to the decision
rights and accountability for encouraging
desirable behaviour in the use of IT.
Organizational Structure Controls
 Operational tasks should be separated to :
1. Segregate all the task of transaction
authorization from transaction processing.
2. Segregate record keeping from asset custody.
3. Divide transaction processing tasks among
individuals so that fraud will require collusion
between two or more individuals.
 Consolidation of activities is the tendency of IT
environment.
 Two generic models :
1. Centralized Model
2. Distributed Model
Segregation of Duties within the Centralized Firm
1.) Separating systems development from Computer
Operations
2.) Separating the Database Administrator from other
functions
 Database Administrator (DBA) is
responsible for a number of critical
tasks pertaining to database security
including creating the database schema,
creating user views(Subschema),
assigning access to authority to users,