
TUTORIAL: BAP 71 AIS DISCUSSION QUESTIONS

Lecture Week: 10 Chapter 13: Auditing & Governance

DISCUSSION QUESTIONS:

13.1 Explain the importance of an audit to corporate governance.

Corporate governance is the responsibility of the board of directors. Corporate governance is
the framework of processes, systems and relationships between the stakeholders in an
organisation. To be able to effectively execute their duties as directors, the board must have
information about an organisation’s business processes, controls, risks and management
practices. Audits can provide independent information and advice about the effectiveness and
efficiency of an organisation’s operations.

13.2 Discuss the two broad areas of risk management.

Corporate governance drives the management risk agenda. The risk management system
involves two broad areas of responsibility:

1. Responsibility of the Board, Audit Committee and Management

• Define objectives, scope and priorities
• Formulate overall risk classifications
• Understand business life cycles, business processes, and critical success factors
• Identify and classify risks

2. Audit assurance related

• Assess probability of risk and potential consequences
• Compare and analyse risk tolerance and mitigation strategies
• Evaluate existing and new controls, costs and effectiveness of monitoring procedures
• Assess exposure, report position and recommend insurance (if necessary)

Managing risk is an important responsibility of the Board and Management. Understanding
the organisation’s risk profile and having adequate controls to manage risk is on-going and
should be frequently re-evaluated.

13.3 How does internal audit contribute to good corporate governance?

Internal audit is an independent and objective evaluation of risk, controls and corporate
governance. Internal audit evaluates organisational data and business processes to assess the
reliability of financial reporting, investigation of fraud, adequacy of controls in information
systems, compliance with organisational policy and procedures as well as legislative
requirements. The issues raised in an internal audit report alert the board and management to
the actions required to reduce the risks identified.

13.4 What is the relationship between the internal and the external auditors?

The external auditors can use the work of an internal auditor subject to guidelines outlined in
the Auditing Standard ASA 610 Using the Work of Internal Auditors. The guidelines relate to
the level of objectivity associated with the internal audit function, the level of technical
competence and whether the activities of the internal audit function have been properly planned,
reviewed, supervised and documented.

13.5 Explain the role of the audit committee in an organisation.

The audit committee is a subcommittee of the board of directors. The audit committee has the
responsibility for monitoring and overseeing the organisation's audit processes including
internal control activities. This oversight includes:
• Internal and external reporting (financial and, in limited areas, non-financial)
• Oversight of risk management activities
• Internal and external audit
• Internal control framework including policies and procedures as they apply to
financial reporting compliance with applicable laws and regulations
• Oversight of activities to control and report on fraud.

The term audit committee is dated because the audit committee, although originally set up to
oversee accounting and financial reporting, has a mandate to cover a wide range of assurance
activities including those not related to financial reporting. For example, the audit committee
is responsible for considering the effectiveness of the company's internal control system,
including information technology security and control.

13.6 Outline the influences on an auditor.

There are a number of influences on an auditor:

• Auditing standards come under the control of the Auditing and Assurance Standards
Board (AUASB).
• Benchmarks and Best Practice

These influences need to be carefully analysed so that the auditor understands their
responsibilities.

13.7 Describe the objectives of a financial audit.

The objectives of a financial audit are to provide reasonable assurance that the financial
statements give a true and fair view and have been prepared in accordance with the
relevant accounting and other requirements.

13.8 What skills and capabilities do AIS auditors need to effectively undertake IS
audits?

AIS auditors require technology skills. The Certified Information Systems Auditor (CISA) and the
Certified Information Security Manager® (CISM®) qualifications demonstrate knowledge and
competence in IT audit and control as well as security management. In addition to these skills
AIS auditors should have knowledge about business processes and organisational objectives
that provide the background to the AIS audit. That is, AIS auditors should have qualifications
and skills in both information systems and business processes.

13.9 How is an audit program developed?

An AIS audit broadly comprises five distinct phases:

• planning the audit
• field work
• analysis
• completion, review and reporting
• monitoring and review.

1. Planning. Includes deciding on the scope of the audit, identifying what is to be audited
and what the principal focus of the audit is and developing the audit program accordingly.

2. Performing the audit (Fieldwork). Includes carrying out the tests identified in the
planning stage and analysing the test outcomes and other documentation with a view to
assessing the effectiveness of the client’s internal control.

3. Analysis involves a careful study of the test outcomes, the interview notes and the
documentation accrued from fieldwork. While fieldwork and analysis are depicted as two
sequential steps they are often iterative; insights gained from analysis may demonstrate a
need for further fieldwork. An important analysis process is evaluating the system’s
internal control.

4. Completion, review and reporting. A review of all the test results and discussions held
with client over problems identified during the audit is carried out by a partner or senior
staff member and any significant unresolved issues are identified. At this point a check is
made to ensure that any corrections or changes that the client has agreed to carry out have
in fact been done. The audit report is prepared and issued, and all files are closed and saved
ready for the next period audit.

5. Monitoring, reviewing and closure. This phase includes ensuring that any dummy data
created during the audit is removed from the client’s active system and that all the audit
files are properly closed. It also includes preparing detailed notes ready for the next audit.
The reviewing activities largely comprise ensuring that management have, in fact, made
the changes to the system that they had earlier promised to do. The monitoring activities
ensure that the changes are in place and working as designed.

Reporting
The last step in the review process is to report to those specified in the terms of
engagement. In the case of the external audit, the report is nominally addressed to the
shareholders but is, in practice, presented first to the directors. The auditor is required to
state whether or not, in their opinion, the accounts give a true and fair view of the
company’s activities for the period under review, and whether or not the accounts have
been prepared in accordance with generally accepted accounting principles (GAAP).

13.10 What are the tools and techniques used by AIS auditors?

Audit tools fall into two categories: internal control frameworks and computer auditing tools
and techniques, generally known as CAATs. COSO and COBIT 5 are examples of control
frameworks. COSO is used primarily for financial controls and COBIT 5 is used for IT
controls. Both of these frameworks are discussed in detail in chapter 8. Computer assisted
auditing tools (CAATs) are tools and techniques employed by auditors to extract and analyse
client data. CAATs may enhance audit effectiveness and efficiency. For example, auditors may
be able to test 100 per cent of the population instead of a sample. However, recent research has
shown that auditors do not frequently and systematically use CAATs. These frameworks are
important for auditors to understand so that they can effectively apply them when developing
effective and meaningful audit procedures.

13.11 What do you consider to be the principal advantage of using an internal control
questionnaire?

An internal control questionnaire (ICQ) is a standard form used by the audit firm, and is a
checklist of questions for each business process.
The ICQ is useful for obtaining information in a structured way to evaluate business processes
and controls. By using such a list and analysing the responses, the auditor is prompted to
consider all the possible relevant issues.

13.12 Explain the use of a systems control and review file (SCARF).

This involves continuous scanning of all the transactions passing through the client’s system,
flagging exceptions and writing them to a file accessible only by the auditors for their later
review. The auditor sets, in advance, a series of parameters to identify transactions warranting
further investigation; for example, all new or changed salary or wage payments over
$10,000 per month. The software will write all details of the transaction to an audit file,
including the date and time, the before and after images of records updated, and the User ID of
the person entering the transaction and the work station ID of the terminal used. The auditor
can then examine the transaction, compare it to the underlying records, in this case a payroll
change authorisation form, to ensure that the transaction has been correctly entered and has the
required authorisation approval signatures.
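The SCARF behaviour described above, as an added Python example that is not part of the original tutorial: payroll transactions are scanned as they are processed, and new or changed payments over the threshold are written to an owner-only audit file with before and after images, user ID and workstation ID. The field names, employee and user IDs and the file name are constructed assumptions, and "over $10,000" is read as the new monthly amount being strictly greater than the threshold.

```python
import json
import os
from datetime import datetime, timezone

THRESHOLD = 10_000  # monthly pay limit taken from the example in the text

def open_audit_file(path):
    """Create/append the audit file readable and writable by its owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    return os.fdopen(fd, "a", encoding="utf-8")

def scarf_scan(transactions, master, audit_file):
    """Apply payroll transactions to `master`; log exceptions to `audit_file`."""
    flagged = []
    for tx in transactions:
        before = master.get(tx["employee_id"])  # None means a new pay record
        after = {"monthly_pay": tx["monthly_pay"]}
        new_or_changed = before is None or before["monthly_pay"] != tx["monthly_pay"]
        if new_or_changed and tx["monthly_pay"] > THRESHOLD:
            record = {
                "logged_at": datetime.now(timezone.utc).isoformat(),
                "entered_at": tx["entered_at"],
                "employee_id": tx["employee_id"],
                "before_image": before,
                "after_image": after,
                "user_id": tx["user_id"],
                "workstation_id": tx["workstation_id"],
            }
            audit_file.write(json.dumps(record) + "\n")
            flagged.append(record)
        master[tx["employee_id"]] = after  # normal processing continues either way
    return flagged

# Constructed sample data (hypothetical IDs and values, not from the page).
MASTER = {"E100": {"monthly_pay": 8000}, "E400": {"monthly_pay": 11000}}
TRANSACTIONS = [
    {"employee_id": "E100", "monthly_pay": 12500, "user_id": "jsmith",
     "workstation_id": "WS-07", "entered_at": "2024-03-01T09:15:00"},  # changed, over limit
    {"employee_id": "E200", "monthly_pay": 10000, "user_id": "jsmith",
     "workstation_id": "WS-07", "entered_at": "2024-03-01T09:20:00"},  # new, exactly at limit
    {"employee_id": "E300", "monthly_pay": 15000, "user_id": "akhan",
     "workstation_id": "WS-02", "entered_at": "2024-03-01T10:05:00"},  # new, over limit
    {"employee_id": "E400", "monthly_pay": 11000, "user_id": "akhan",
     "workstation_id": "WS-02", "entered_at": "2024-03-01T10:10:00"},  # unchanged
]

if __name__ == "__main__":
    with open_audit_file("scarf_audit.jsonl") as f:
        for rec in scarf_scan(TRANSACTIONS, dict(MASTER), f):
            print(rec["employee_id"], rec["before_image"], "->", rec["after_image"])
```

Each line of the audit file is one JSON record that the auditor can compare against the payroll change authorisation form.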
