Republic of the Philippines

President Ramon Magsaysay State University

College of Accountancy and Business Administration
(Formerly Ramon Magsaysay Technological University)
Iba, Zambales, Philippines
Tel/Fax No.: (047) 811-1683

College/Department College of Accountancy and Business Administration

Course Code Pre5

Course Title Auditing in CIS

Place of the Course in the Program Major Subject

Semester & Academic Year Second Semester AY 2020-2021

AUDITING IN CIS
 CHAPTER 3
AUDITING AND INTERNAL CONTROL

Attest Service versus Advisory Services

An important distinction needs to be made regarding the external auditor's traditional attestation
service and the rapidly growing field of advisory services, which many public accounting firms
offer. The attest service is defined as:

an engagement in which a practitioner is engaged to issue, or does issue, a written

communication that expresses a conclusion about the reliability of a written assertion that is the
responsibility of another party. (SSAE No. I, AT Sec. 100.01)

The following requirements apply to attestation services:

 Attestation services require written assertions and a practitioner's written report.

 Attestation services require the formal establishment of measurement criteria or their
description in the presentation.
 The levels of service in attestation engagements are limited to examination, review, and
application of agreed-upon procedures.

Advisory services are professional services offered by public accounting firms to improve their
client organizations' operational efficiency and effectiveness. The domain of advisory services is
intentionally unbounded so that it does not inhibit the growth of future services that are currently
unforeseen. As examples, advisory services include actuarial advice, business advice, fraud
investigation services, information system design and implementation, and internal control
assessments for compliance with SOX.

It is now unlawful for a registered public accounting firm that is currently providing attest
services for a client to provide the following services:

• bookkeeping or other services related to the accounting records or financial statements

of the audit client
• financial information systems design and implementation
• appraisal or valuation services, fairness opinions, or contribution-in-kind reports
• actuarial services
• internal audit outsourcing services
• management functions or human resources
• broker or dealer, investment adviser, or investment banking services
• legal services and expert services unrelated to the audit
• any other service that the board determines, by regulation, is impermissible
Internal Audits

The Institute of Internal Auditors (IIA) defines internal auditing as an independent appraisal
function established within an organization to examine and evaluate its activities as a service to
the organization. Internal auditors perform a wide range of activities on behalf of the
organization, including conducting financial audits, examining an operation.

Management Assertions and Audit Objectives

The organization's financial statements reflect a set of management assertions about the
financial health of the entity. The task of the auditor is to determine whether the financial
statements are fairly presented. To accomplish this goal, the auditor establishes audit
objectives, designs procedures, and gathers evidence that corroborate or refute management's
assertions. These-assertions fall into five general categories:

1. The existence or occurrence assertion affirms that all assets and equities contained in
the balance sheet exist and that all transactions in the income statement actually

2. The completeness assertion declares that no material assets, equities, or transactions

have been omitted from the financial statements.

3. The rights and obligations assertion maintains that assets appearing on the balance
sheet are owned by the entity and that the liabilities reported are obligations.

4. The valuation or allocation assertion states that assets and equities are valued in
accordance with GAAP and that allocated amounts such as depreciation expense are
calculated on a systematic and rational basis.
5. The presentation and disclosure assertion alleges that financial statement items are
correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote
disclosures are adequate to avoid misleading the users of financial statements.

Generally, auditors develop their audit objectives and design audit procedures based

Communicating the Result

Auditors must communicate the results of their test to interested users. An independent auditor
renders a report to the audit committee of the board of directors or stockholders of a company
the report contains, among other things, an audit opinion. This opinion is distributed along with
the financial report to interested parties both internal and external to the organization.

COMPUTER RISKS AND EXPOSURES

“Control” comprises all the elements of an organization (including its resources, systems,
processes, culture, structure and tasks) that, taken together, support people in the achievement
of the organization’s objectives. Control is “effective” to the extent that it provides reasonable
assurance that the organization will achieve its objectives reliably. Leadership involves making
choices in the face of uncertainty. “Risk” is the possibility that one or more individuals or
organizations will experience adverse consequences from those choices. Risk is the mirror
image of opportunity.

All businesses, products, and processes involve some degree of risk. Risk management
involves assessing a product, process, or business by:

■ Identifying processes
■ Identifying the types of risks associated with each process
■ Identifying the controls associated with each process
■ Evaluating the adequacy of the system of control in mitigating
risk
■ Determining the key controls associated with each process
■ Determining the effectiveness of the key controls

Three types of risk are normally considered when using a risk-based audit approach. They are
inherent risk, control risk, and audit risk.

Inherent Risk

Inherent risk is the likelihood of a significant loss occurring before taking into account any risk-
reducing factors. In evaluating inherent risk, the auditor must consider what are the types of and
nature of risks as well as what factors indicate a risk exists. To achieve this the auditor must be
familiar with the environment in which the entity operates.

Control Risk

Control risk measures the likelihood that the control processes established to limit or manage
inherent risk are ineffective. In order to ensure that internal audit evaluates the controls properly,
the auditor must understand how to measure which controls are effective. This will involve
identifying those controls that provide the greatest degree of assurance to minimize risks within
the business. Control effectiveness is strongly impacted by the quality of work and control
supervision.

Audit Risk

Audit risk is the risk that audit coverage will not address significant business exposures. Pro-
forma audit programs may be developed in order to reduce audit risk. These provide guidance
as to which key controls should exist to address the risk, and the recommended compliance
and/or substantive test steps to be performed. These programs should be used with care and
modified to reflect the current business risk profile.

Detection Risk

Detection risk is the risk that the auditors are willing to take that errors not detected or prevented
by control structure will also not be detected by the auditor. Auditors set an acceptable level of
detection risk (planned detection risk) that influences the level of substantive test that they
perform.

Risks themselves are commonly categorized based on the organization’s response, thus:

■ Controllable risks. Risks that exist within the processes of an organization and that are wholly
in the hands of the organization to mitigate.

■ Uncontrollable risks. Risks that can arise externally to the organization and that cannot be
directly controlled or influenced but that nevertheless call for a risk position to be taken by the
organization.
■ Influenceable risks. Risks that arise externally to the organization but that can be influenced
by the organization

AUDIT EVIDENCE

IS Auditors are frequently expected to express an opinion on the adequacy and effectiveness of
internal controls in mitigating risk. For this the auditor must gather audit evidence. Evidence may
be defined as information intended to prove or support a belief. Individually, items of evidence
may be flawed by a personal bias or by a potential error of measurement and each piece may
be less competent than desirable so the auditor will look in total at the “body of evidence,” which
should provide a factual basis for audit opinions.

RELIABILITY OF AUDIT EVIDENCE

Audit evidence may be classified as:

 Sufficient. Factual, adequate and convincing such that a prudent person would reach the
same conclusions as the auditor
 Competent. Reliable and the best attainable through the use of appropriate audit
techniques
 Relevant. Supports audit findings and recommendations and is consistent with the
objectives for the audit
 Useful. Helps the organization meet its goals.

Evidence, for the IS Auditor, is frequently thought of as being obtained by direct interrogation of
computer data files. Although this is a common technique, evidence may also be obtained by
observing conditions, interviewing people, and examining records. Such evidence is typically
classified as:

■ Physical evidence. Generally obtained by observation of people, property, or events, and may
be in the form of photographs, maps, and so on. Where the evidence is from observation, it
should be supported by documented examples or, if not possible, by corroborating observation.

■ Testimonial evidence. May take the form of letters, statements in response to inquiries, or
interviews, and are not conclusive in themselves because they are only another person’s
opinion. They should be supported by documentation where possible.

■ Documentary evidence. The most common form of audit evidence and includes letters,
agreements, contracts, directives, memoranda, and other business documents. Such
documented evidence may also be derived from computerized records using the appropriate
audit tools and techniques. The source of the document will affect its reliability and

the trust we place on it. The quality of internal control procedures will also be taken into account.
■ Analytical evidence. Commonly derived from computations, comparisons to standards, past
operations, and similar operations. Once again, in this area, computerized tools will normally
prove a highly effective aid to the auditor. Regulations and common reasoning will also produce
such evidence.

It is worth noting that a common concept within the gathering of evidence, namely “materiality,”
may differ among the varying types of audit. For financial auditing, materiality is generally taken
to be a sum of money and is used to determine levels of significance in assessing audit
evidence. From an internal audit perspective, materiality relates rather to weaknesses or failures
within the internal control structures of the organization. Any evidence, however small, indicating
a failure within a major control relied upon by management would be deemed significant
evidence.

The auditor relies heavily on gathering evidence. This is done in a variety of ways and follows
the Audit Program. The Audit Program is a set of detailed steps that the auditor will follow in
order to gain the appropriate evidence and, for the IS Auditor, may well include the use of
computerized techniques, although this is not always the case.

It must be clearly understood that the primary responsibility for the prevention and detection of
all frauds, including IS frauds, is the responsibility of operational management. Nevertheless,
the auditor has a role to play in assisting management in establishing a control environment in
which fraud is unlikely to occur, but where it does occur, it will be quickly detected.

Audit Planning

The first step in the IT audit is audit planning. Before the auditor can determine the nature and
extent of the tests to perform, he or she must gain a thorough understanding of the client's
business. A major part of this phase of the audit is the analysis of audit risk. The auditor's
objective is to obtain sufficient information about the firm to plan the other phases of the audit.
The risk analysis incorporates an overview of the organization's internal controls. During the
review of controls, the auditor attempts to understand the organization's policies, practices, and
structure. In this phase of the audit, the auditor also identifies the financially significant
applications and attempts to understand the controls over the primary transactions that are
processed by these applications.

The techniques for gathering evidence at this phase include conducting questionnaires,
interviewing management, reviewing systems documentation, and observing activities. During
this process, the IT auditor must identify the principal exposures and the controls that attempt to
reduce these exposures. Having done so, the auditor proceeds to the next phase, where he or
she tests the controls for compliance with preestablished standards.
Tests of Controls
The objective of the tests of controls phase is to determine whether adequate internal controls
are in place and functioning properly. To accomplish this, the auditor performs various tests of
controls. The evidence-gathering techniques used in this phase may include both manual
techniques and specialized computer audit techniques.
At the conclusion of the tests of controls phase, the auditor must assess the quality of the
internal controls by assigning a level for control risk. As previously explained, the degree of
reliance that the auditor can ascribe to internal controls will affect the nature and extent of
substantive testing that needs to be performed.

Substantive Testing
The third phase of the audit process focuses on financial data. This detailed investigation of
specific account balances and transactions through what substantive tests. For example, a
customer confirmation is a substantive used to verify account balances. The auditor selects a
sample of accounts receivable balances and traces these back to their source—the customers
—to determine if the amount stated is in fact owed by a bona fide customer. By so doing, the
auditor can verify the accuracy of each account in the sample. Based on such sample findings,
the auditor able to draw conclusions about the fair value of the entire accounts receivable asset.
Some substantive tests are physical, labor-intensive activities, such as counting cash, counting
inventories in the warehouse, and verifying the. existence of stock certificates in a safe. In an IT
environment, the data needed to perform substantive tests (such as account balances and
names and addresses of individual customers) are contained in data files that often must be
extracted using Computer-Assisted Audit Tools and Techniques (CAATs) software.
INTERNAL CONTROL
Organization management is required by law to establish and maintain an adequate system of
internal control. Consider the following Securities and Exchange Commission statement on this
matter:
The establishment and maintenance of a system of internal control is an important management
obligation. A fundamental aspect of managements stewardship responsibility is to provide
shareholders with reasonable assurance that the business is adequately controlled.
Additionally, management has a responsibility to furnish shareholders and potential investors
with reliable financial information on a timely basis.

Brief History of Internal Control Legislation

Foreign Corrupt Practices Act (FCPA) of 1977

Corporate management has not always lived up to its internal control responsibility. With the
discovery that U.S. business executives were using their organizations' funds to bribe foreign
officials, Internal control issues, formerly of little interest to stockholders, quickly became a
matter of public concern. From this issue came the passage of the Foreign Corrupt Practices
Act of 1977 (FCPA). Among its provisions, the FCPA requires companies registered with the
SEC to do the following:
I. Keep records that fairly and reasonably reflect the transactions of the firm and its financial
position.
2. Maintain a system of internal control that provides reasonable assurance that the
organization's objectives are met.
The FCPA has had a significant impact on organization management. With the knowledge that
violation of the FCPA could lead to heavy fines and imprisonment, managers have developed a
deeper concern for control adequacy.

Committee of Sponsoring Organizations—1992

Following the series of S&L scandals of the 1980s, a committee was formed to address these
frauds. Originally, the committee took the name of its chair, Treadway, but eventually the project
became known as COSO. The sponsoring organizations included Financial Executives
International (FEI), the Institute of Management Accountants (IMA), the American Accounting
Association (AAA), AICPA, and the IIA. The Committee spent several years promulgating a
response. Because it was determined early on that the best deterrent to fraud was strong
internal controls, the committee decided to focus on an effective model for internal controls from
a management perspective. The result was the COSO Model. The AICPA adopted the model
into auditing standards and published SAS No. 78—Consideration of Internal Control in a
Financial Statement Audit.
Sarbanes-Oxley Act of 2002

As a result of several large financial frauds (e.g., Enron, WorldCom, Adelphia) and the resulting
losses suffered by stockholders, pressure was brought by the U.S. Congress to protect the
public from such events. This led to the passage of the Sarbanes-Oxley Act (SOX) on July 30,
2002. In general, the law supports efforts to increase public confidence in capital markets by
seeking to improve corporate governance, internal controls, and audit quality.
In particular, SOX requires management of public companies to implement an adequate system
of internal controls over their financial reporting process. This includes controls over transaction
processing systems that feed data to the financial reporting systems. Management's
responsibilities for this are codified in Sections 302 and 404 of SOX.
Section 302 requires that corporate management (including the CEO) certify their organization's
internal controls on a quarterly and annual basis. Section 302 also carries significant auditor
implications. Specifically, external auditors must perform the following procedures quarterly to
identify any material modifications in controls that may impact financial reporting:
• Interview management regarding any significant changes in the design or operation of
internal control that occurred subsequent to the preceding annual audit or prior review of interim
financial information.
• Evaluate the implications of misstatements identified by the auditor as part of the interim
review that relate to effective internal controls.
• Determine whether changes in internal controls are likely to materially affect internal
control over financial reporting.
In addition, Section 404 requires the management of public companies to assess the
effectiveness of their organization's internal controls. This entails providing an annual report
addressing the following points:
1. Understand the flow of transactions, including IT aspects, in sufficient detail to identify
points at which a misstatement could arise.
2. Using a risk-based approach, assess both the design and operating effectiveness of
selected internal controls related to material accounts.
3. Assess the potential for fraud in the system and evaluate the controls designed to
prevent or detect fraud.
4. Evaluate and conclude on the adequacy of controls over the financial statement
reporting process.
5. Evaluate entity-wide (general) controls that correspond to the components Of the COSO
framework.
Regarding the control framework, the SEC has made specific reference to COSO as a
recommended model. Furthermore, the PCAOB Auditing Standard No. 5 endorses the use of
COSO as the framework for control assessment.
INTERNAL CONTROL OBJECTIVES, PRINCIPLES, AND MODELS
An organization's internal control system comprises policies, practices, and procedures to
achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm's operations.
4. To measure compliance with management's prescribed policies and procedures.

Modifying Principle'
Inherent in these control objectives are four modifying principles that guide designers and
auditors of internal control systems.
Management Responsibility
This concept holds that the establishment and maintenance of a system of internal control is a
management responsibility. Although the FCPA supports this principle, SOX legislation makes it
law!
Methods of Data Processing
The internal control system should achieve the four broad objectives regardless of the data
processing method used (whether manual or computer based). However, the specific
techniques used to achieve these objectives will vary with different types of technology.
Limitations
Every system of internal control has limitations on its effectiveness. These include (1) the
possibility of error—no system is perfect, (2) circumvention—personnel may circumvent the
system through collusion or other means; (3) management override—management is in a
position to override control procedures by personally distorting transactions or by directing a
subordinate to do so, and (4) changing conditions—conditions may change over time so that
existing effective controls may become ineffectual.
Reasonable Assurance
The internal control system should provide reasonable assurance that the four broad objectives
of internal control are met. This reasonableness means that the cost of achieving improved
control should not outweigh its benefits.

The PDC Model

Figure 1.3 illustrates that the internal control shield represented in Figure 1.2 actually consists of
three levels of control: preventive controls, detective controls, and corrective controls. This is
called the PDC control model.

Preventive Controls
Prevention is the first line of defense in the control structure. Preventive controls are passive
techniques designed to reduce the frequency of occurrence of undesirable events. Preventive
controls force compliance with prescribed or desired actions and thus screen out aberrant
events. When designing internal control systems, an ounce of prevention is most certainly worth
a pound of cure. Preventing errors and fraud is far more cost-effective than detecting and
correcting problems after they occur. The vast majority of undesirable events can be blocked at
this first level.

Detective Controls
Detective controls are devices, techniques and procedures designed to identify and expose
undesirable events that elude preventive controls. Detective controls reveal specific types of
error by comparing actual occurrences to preestablished standards. When the detective controls
identify a departure from standards, it sounds an alarm to attract an attention to the problem.

Corrective controls
Corrective actions must be taken to reverse the effects of detected errors. There us an
important distinction between detective and corrective controls. Detective controls identify
undesirable events and draw attention to the problem; corrective controls actually fix the
problem.