CHAPTER 1

External (Financial) Audit – an independent attestation performed by an expert – the auditor – who expresses an opinion regarding the presentation of financial statements.

Attest Service – performed by CPAs who work for public accounting firms that are independent of the client organization being audited.
-an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of the other party.

Advisory Service – professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness.

Internal Audit – independent appraisal function established within the organization to examine and evaluate its activities as a service to the organization.

External Audit vs Internal Audit
-External: Independent (CPA); Internal: Auditor (CIA, CISA)
-External: SEC/S-OX/AICPA; Internal: Employee of organization
-External: SEC – publicly traded requirements; Internal: Optional – mgt
-External: Financial Audit; Internal: Broader (operational audit)
-External: Interests of outsiders; Internal: Interests of organization
-Standards, guidance, certification governed by: External: PICPA, FRSC, BOA delegated by SEC; Internal: IIA and ISACA

Fraud Audit – objective: investigate anomalies and gather evidence of fraud that may lead to criminal conviction.
Certification: Certified Fraud Examiner (CFE)
Governed by: Association of Certified Fraud Examiners (ACFE)

Role of Audit Committee
-Selected from Board of Directors, usually 3 members
-Outsiders (S-OX)
-Fiduciary responsibility to shareholders
-Serve as independent check and balance system
-Interact with internal auditors
-Hire, set fees, and interact with external auditors
-Resolve conflicts of GAAP between external auditors and management

Components of Audit Risk Model
Inherent Risk – probability that material misstatements have occurred
Control Risk – probability that the internal controls will fail to detect material misstatements
Detection Risk – probability that audit procedures will fail to detect material misstatements

IT Audit – focuses on the computer-based aspects of an organization’s information system; modern systems employ a significant level of technology.

Structure of an IT Audit/IT Environment
1. Audit Planning – first step in IT Audit. Includes:
-Review of organization’s policies, practices and structures
-Review general controls and application controls
-Plan test of controls and substantive testing procedure
2. Test of Controls – determine whether adequate internal controls are in place and functioning properly. Includes:
-Perform test of controls
-Evaluate test results
-Determine degree of reliance on controls
3. Substantive Testing Phase – detailed investigation of specific account balances and transactions. Includes:
-Perform substantive tests
-Evaluate results and issue auditor’s report
CAATTs – Computer Assisted Audit Tools and Techniques

Internal Control – policies, practices, procedures designed to:
-safeguard assets
-promote efficiency
-ensure accuracy and reliability
-measure compliance with policies

COSO – Committee of Sponsoring Organizations
-developed a management perspective model for internal controls over a number of years which is widely adopted

Sarbanes-Oxley Act – 2002
EAM – Embedded Audit Modules
COA – Continuous Online Auditing

Generally Accepted Auditing Standards

General Standards
1. The auditor must have adequate training and proficiency
2. The auditor must have independence of mental attitude
3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report.

Standards of Field Work
1. Audit work must be adequately planned
2. The auditor must gain a sufficient understanding of the internal control structure
3. The auditor must obtain sufficient, competent evidence

Reporting Standards
1. The auditor must state in the report whether financial statements were prepared in accordance with generally accepted accounting principles.
2. The report must identify those circumstances in which generally accepted accounting principles were not applied.
3. The report must identify any items that do not have adequate informative disclosures
4. The report shall contain an expression of the auditor’s opinion on the financial statements as a whole.

Management Assertions
1. Existence/Occurrence – affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred.
2. Completeness – declares that no material assets, equities, or transactions have been omitted from the financial statements.
3. Rights and Obligations – maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations
4. Valuation or Allocation – assets and equities are valued in accordance with GAAP and allocated amounts such as depreciation expense are calculated on a systematic and rational basis

Audit Risk – probability that the auditor will render an unqualified opinion on financial statements that are, in fact, materially misstated. Acceptable Audit Risk is estimated based on the ex ante value of the components of the audit risk model.
AR = IR x CR x DR

Sec 404 – Management is responsible for establishing and maintaining internal control structure and procedures
Sec 302 – Financial executives must disclose deficiencies in internal control and fraud (material or not)

Modifying Principles that guide designers and auditors of internal control system
1. Management Responsibility – establishment and maintenance of a system of internal control is management’s responsibility
2. Reasonable Assurance – that the 4 broad objectives of internal control (spem) are met
-CoBA, benefits > costs
3. Methods of Data Processing – the 4 broad objectives of internal control (spem) are achieved regardless of methods of data processing
4. Limitations
-Possibility of Error
-Possibility of Circumvention
-Management Override
-Changing conditions

Exposure – absence or weakness of a control
Risk – potential threat to compromise use or value of organizational assets

PDC Model
Prevention Control – 1st line of defense in the control structure
-passive techniques designed to reduce the frequency of occurrence of undesirable events
Detective Control – 2nd line of defense.
-devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls
Corrective Controls – actions taken to reverse the effect of detected errors, actually fix the problems

COSO Framework: IC Five Components
1. Control Environment – foundation. Sets the tone for the organization and influences the control awareness of its management and its employees.
2. Risk Assessment – identify, analyze and manage risks relevant to financial reporting.
3. Information and Communication – auditors obtain sufficient knowledge of the Information System to understand
4. Monitoring – process by which the internal control design and operation are assessed.
5. Control Activities – policies and procedures used to ensure that appropriate actions are taken to deal with the organization’s identified risks.

Computer/IT Controls – General and Application
Physical Controls
General – apply to all systems
Application – designed to be application-specific. Objective: ensure validity, accuracy and completeness of financial transactions

Physical Controls – relate primarily to human activities employed in accounting systems. Types of Physical Controls:
Transaction Authorization – ensure that all material transactions processed by the information system are valid and in accordance with management’s objectives
General Authority – granted to operations personnel to perform day-to-day activity
Segregation of Duties – Authorization is separate from processing; Asset Custody separate from record-keeping
Supervision – small companies’ compensation for absence of segregation of duties
Accounting Records – source documents, journals and ledgers
Audit Trail – enables the auditor to trace any transaction through all phases of processing
Access Control – ensure that only authorized personnel have access to company’s assets
Independent Verification – independent checks of the accounting systems to identify errors and misinterpretations

CHAPTER 2

IT Governance – relatively new subset of corporate governance that focuses on the management and assessment of strategic IT resources

Centralized Data Processing – all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization

Database Administrator (DBA) – responsible for security and integrity of the database

Data Processing – management of the computer resources used to perform the day-to-day processing of transactions. 3 organizational functions: data conversion, computer operations and data library
Data Conversion – transcribes transaction data from hard-copy source documents into computer input
Computer Operations – processing by the central computer of the electronic files produced in data conversion
Data Library – room adjacent to the computer center that provides safe storage for the off-line data files

System Development – responsible for analyzing user needs and designing new systems to satisfy those needs
System Maintenance – making changes to program logic to accommodate shifts in user needs over time

Participants:
IS Professionals – gather facts about the user’s problem, analyze the facts and formulate a solution
End Users – those for whom the system is built
Stakeholders – individuals in/outside the firm who have an interest in the system
Auditors

Segregation of Incompatible IT Functions
Separating Systems Development and Operations Activities – Systems Development and Maintenance Professionals should create systems for users and should have no involvement in entering data or running applications. Operations staff should run these systems and have involvement in their design
Separating DBA from other functions – DBA is organizationally independent of operations, systems development and maintenance.
Segregate Systems Analysis from Programming
Inadequate Documentation – control problem which is considered a chronic problem because it is not interesting to do and may threaten job security
Program Fraud – involves making unauthorized changes to program modules for the purpose of committing an illegal act.
Salami Slicing – division of a fraud into a series of small illegal actions because it is difficult to perform all at once
Trapdoors – fraud wherein the programmer writes code into the program that allows him to work around any or all controls in the system and thus makes it easy to commit fraud

Segregate System Development from Maintenance
-Better Documentation Standards
-Deters Fraud
Segregate Data Library from Operations
-For Physical Security of Offline Data Files

Real Time Data Processing – involves continual input, process and output of data. Data must be processed at the same time the data is received
Batch Data Processing – involves collecting and storing a number of related transactions before processing them simultaneously
Distributed Data Processing (DDP) – data processing model that involves reorganizing the central IT function into small IT units that are placed under the control of end users

Risks Associated with DDP
Inefficient Use of Resources – mismanagement of resources by end-users
Destruction of Audit Trails
Inadequate Segregation of Duties
Hiring Qualified Professionals – difficult to attract qualified professionals
Lack of Standards – every end user has their own standard

Advantages of DDP
Cost Reductions – application complexity reduced
Improved Cost Control Responsibility
Improved User Satisfaction – increased morale and productivity
Backup Flexibility – excess capacity for DRP

Controlling the DDP Environment
Central Systems Development – testing and implementation of Commercial Software and Hardware
User Services – help desk, technical support, FAQs
Standard Setting Body – establishing central guidelines
Personnel Review – evaluate technical credentials of systems professionals

Computer Center:
Physical Location – should be away from human-made and natural hazards
Construction – ideally: single story building, underground utilities, windowless and air filtration system
Access – limited to operators and other employees who work there. Physical controls: locked doors, cameras. Manual: access log of visitors
Air Conditioning – amount of heat must be even
Fire Suppression – Fire is the most serious threat
-Fire Alarm
-Automatic Fire Extinguishing System
-Manual Fire Extinguishers
Power Supply – uninterrupted, clean power

Fault Tolerance – ability of the system to continue operation when part of the system fails because of hardware failure, application program error or operator error
RAID – Redundant Arrays of Independent Disks – parallel disks that contain redundant elements of data and applications
Uninterruptible Power Supplies – backup power

Disaster Recovery Plan (DRP) – comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations.

Second Site Backup
Mutual Aid Pact – agreement between two or more organizations (with compatible computer facilities) to aid each other with data processing needs in the event of a disaster
Empty Shell (cold site) – buys or leases a building that will serve as a data center
Recovery Operations Center (hot site) – fully equipped backup data center
Internally Provided Backup – company builds its own remote mirrored data center

Operating System Backup – backup of the operating system
Application Backup – create copies of current versions of critical applications
Backup Data Files – databases should be copied daily to CDs, etc.
Backup Documentation – system documentation for critical applications should be backed up and stored off site along with the applications
Backup Supplies and Source Documents – create backup inventories of supplies and source documents used in processing critical transactions
Testing the DRP – most neglected aspect of contingency planning

System Wide Controls
Password Control – tool designed to allow helpdesk staff to reset user passwords
Reusable Password – same password for all
One time password – password valid for only one transaction

Email Risks
Spoofing – forgery of an email header so that the message appears to have originated from someone other than the actual source
Spamming – sent to thousands of users
Chain Letters – letters convincing users to pass them on to another user
Urban Legends – myth, folklore
Hoax Virus Warnings – warning a recipient of a non-existent virus threat
Flaming – writer attacks another participant overly harshly
Malicious Attachments – viruses

Malicious Objects Risk
Virus – malware that when executed infects other programs
Worm – malware that replicates itself to spread to other computers or programs
Logic Bomb – triggered by some event at a certain date or time
Trapdoor
Trojan Horse – disguised as legitimate software