Ch1 - IT Auditing and Assurance
AUDITING
Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria, and communicating the results to interested users.
INTERNAL AUDITS
Internal auditing: an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
Financial Audits
Operational Audits
Compliance Audits
Fraud Audits
IT Audits
CIA
IIA
IT AUDITS
IT audits: provide audit services where processes or data, or both, are embedded in technologies.
Subject to the ethics, guidelines, and standards of the profession (if certified)
CISA
Most closely associated with ISACA
Joint with internal, external, and fraud audits
Scope of IT audit coverage is increasing
Characterized by CAATTs
IT governance as part of corporate governance
FRAUD AUDITS
Fraud audits: provide investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities.
Auditor is more like a detective
No materiality
Goal is conviction, if sufficient evidence of fraud exists
CFE
ACFE
EXTERNAL AUDITS
External auditing: the objective is to attest that, in all material respects, the financial statements are a fair representation of the organization's transactions and account balances.
SEC's role
Sarbanes-Oxley Act
FASB - PCAOB
CPA
AICPA
FINANCIAL AUDITS
An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements
Key concept: Independence
{Should be} Similar to a trial by judge
Culmination of systematic process involving:
Familiarization with the organization's business
Evaluating and testing internal controls
Assessing the reliability of financial data
ATTEST definition
Written assertions
Practitioner's written report
Formal establishment of measurement criteria or their description
Limited to:
Examination
Review
Application of agreed-upon procedures
AUDITING STANDARDS
Auditing standards
Set by AICPA
Authoritative
#1 = Ten Generally Accepted Auditing Standards (GAAS)
Three categories:
General Standards
Standards of Field Work
Reporting Standards
# 2 = Statements on Auditing Standards (SASs)
SAS #1 issued by AICPA in 1972
AUDITS
Systematic process
Five primary management assertions, and correlated audit objectives and procedures
[Table 1-1]
Existence or Occurrence
Completeness
Rights & Obligations
Valuation or Allocation
Presentation or Disclosure
AUDITS
Phases [Figure 1-3]
1. Planning
2. Obtaining evidence
Tests of Controls
Substantive Testing
CAATTs
Analytical procedures
3. Ascertaining reliability
MATERIALITY
4. Communicating results
Audit opinion
What is an IT Audit?
most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient. These technologies greatly change the nature of audits, which have so long relied on paper documents.
THE IT ENVIRONMENT
There has always been a need for an effective internal control system.
The design and oversight of that system has typically been the responsibility of accountants.
The I.T. environment complicates the paper systems of the past.
Concentration of data
Expanded access and linkages
Increase in malicious activities in systems vs. paper
Opportunity that can cause management fraud (i.e., override)
THE IT ENVIRONMENT
Audit planning
Tests of controls
Substantive tests
CAATTs
INTERNAL CONTROL
Internal control is the set of policies, practices, and procedures designed to:
safeguard assets
ensure accuracy and reliability
promote efficiency
measure compliance with policies
Modifying Assumptions
1. Management responsibility
2. Reasonable assurance
No internal control system (I.C.S.) is perfect
Benefits should exceed costs
3. Methods of data processing
Objectives same regardless of DP method
Specific controls vary with different technologies
Modifying Assumptions
4. Limitations
Possibility of error
Possibility of circumvention
Management override
Changing conditions
Predictive controls
SAS 78
(#1: Control Environment -- elements)
Describe how each one could adversely affect internal control.
Management's methods of assessing performance
External influences
Organization's policies and practices for managing human resources
SAS 78
(#1: Control Environment -- techniques)
Describe a possible activity or tool for each.
Assess the integrity of the organization's management
Conditions conducive to management fraud
Understand the client's business and industry
Determine if the board and audit committee are actively involved
Study organization structure
SAS 78
(#2: Risk Assessment)
Changes in environment
Changes in personnel
Changes in information systems (I.S.)
New ITs
Significant or rapid growth
New products or services (experience)
Organizational restructuring
Foreign markets
New accounting principles
SAS 78
(#3: Information & Communication -- elements)
Initiate, identify, analyze, classify and record economic transactions and events.
SAS 78
(#3: Information & Communication -- techniques)
SAS 78
(#4: Monitoring)
By separate procedures (e.g., tests of controls)
By ongoing activities (Embedded Audit Modules - EAMs, and Continuous Online Auditing - COA)
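The "ongoing activities" form of monitoring can be made concrete with a small embedded audit module. The following is an added example, not part of the chapter: an audit module is hooked into an application's transaction processing loop so that every transaction is still posted, while transactions meeting predefined audit criteria (a materiality threshold, an unapproved vendor, posting outside business hours) are copied to a separate audit log for later review. The rule set, field names, threshold, vendor list and sample transactions are all constructed for illustration.

```python
"""Embedded audit module (EAM) style continuous monitoring.

Added example. The rules, thresholds, vendor master list and sample
transactions below are constructed; they are not from the chapter.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional


@dataclass
class Transaction:
    txn_id: str
    vendor: str
    amount: float
    posted_at: datetime
    posted_by: str


@dataclass
class Finding:
    txn_id: str
    rule: str
    detail: str


# A rule returns an explanation when the transaction meets audit criteria, else None.
Rule = Callable[[Transaction], Optional[str]]

APPROVED_VENDORS = {"ACME-001", "GLOBEX-002"}  # constructed vendor master list
MATERIALITY_THRESHOLD = 10_000.00              # constructed tolerance for this example


def over_threshold(t: Transaction) -> Optional[str]:
    if t.amount > MATERIALITY_THRESHOLD:
        return f"amount {t.amount:.2f} exceeds {MATERIALITY_THRESHOLD:.2f}"
    return None


def unapproved_vendor(t: Transaction) -> Optional[str]:
    if t.vendor not in APPROVED_VENDORS:
        return f"vendor {t.vendor} not on approved list"
    return None


def outside_business_hours(t: Transaction) -> Optional[str]:
    # Business hours assumed as Mon-Fri, 08:00-17:59 (constructed assumption).
    if t.posted_at.weekday() >= 5 or not 8 <= t.posted_at.hour < 18:
        return f"posted at {t.posted_at.isoformat()} outside business hours"
    return None


DEFAULT_RULES: Dict[str, Rule] = {
    "over_threshold": over_threshold,
    "unapproved_vendor": unapproved_vendor,
    "outside_business_hours": outside_business_hours,
}


class EmbeddedAuditModule:
    """Evaluates each transaction against the audit rules and retains findings."""

    def __init__(self, rules: Dict[str, Rule]):
        self.rules = dict(rules)
        self.audit_log: List[Finding] = []

    def inspect(self, txn: Transaction) -> List[Finding]:
        findings = [
            Finding(txn.txn_id, name, detail)
            for name, rule in self.rules.items()
            if (detail := rule(txn)) is not None
        ]
        self.audit_log.extend(findings)
        return findings


def process_transactions(txns: List[Transaction], eam: EmbeddedAuditModule) -> List[str]:
    """Application posting loop with the EAM embedded: processing is never
    interrupted; flagged transactions are simply copied to the audit log."""
    posted = []
    for t in txns:
        eam.inspect(t)
        posted.append(t.txn_id)  # normal posting continues for every transaction
    return posted


# Constructed sample stream: 2024-03-04 is a Monday, 2024-03-09 a Saturday.
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "ACME-001", 2500.00, datetime(2024, 3, 4, 10, 15), "jdoe"),
    Transaction("T2", "ACME-001", 12500.00, datetime(2024, 3, 4, 11, 0), "jdoe"),
    Transaction("T3", "UNKNOWN-999", 800.00, datetime(2024, 3, 9, 23, 40), "asmith"),
]


def run_sample() -> List[Finding]:
    eam = EmbeddedAuditModule(DEFAULT_RULES)
    process_transactions(SAMPLE_TRANSACTIONS, eam)
    return eam.audit_log


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.txn_id}: {f.rule}: {f.detail}")
```

The design point is that the module observes without altering the application's behaviour; the audit log it keeps is the evidence the auditor later reviews, which is what distinguishes this ongoing monitoring from the separate, after-the-fact tests of controls listed alongside it.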
SAS 78
(#5: Control Activities)
Segregation of duties
Examples of incompatible duties:
Authorization vs. processing [e.g., processing sales vs. authorizing customers]
Custody vs. recordkeeping [e.g., custody of inventory vs. data processing (DP) of inventory records]
Fraud requires collusion [e.g., separate the various steps in a process]
Supervision
Serves as a compensating control when a lack of segregation of duties exists by necessity
Independent verification
Management can assess:
The performance of individuals
The integrity of the AIS
The integrity of the data in the records
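An auditor evaluating control activities will often run a segregation-of-duties check over the organization's role assignments. The block below is an added example, not the chapter's own material: it takes a constructed map of users to duties, flags users holding an incompatible pair (authorization with processing, custody with recordkeeping), separates conflicts that are covered by supervision as a compensating control from those that are not, and, generalizing the "fraud requires collusion" point, reports any process whose every step can be performed by a single person. Duty names, conflict pairs, processes, the supervised-user list and the sample assignments are all constructed.

```python
"""Segregation-of-duties (SoD) conflict check over user-to-duty assignments.

Added example. Duty names, incompatible pairs, processes, the supervised
user list and the sample assignments are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Incompatible duty pairs, following the authorization/processing and
# custody/recordkeeping split. Kept as an ordered list so reports are deterministic.
INCOMPATIBLE_PAIRS: List[Tuple[str, str]] = [
    ("authorize_customer", "process_sales"),
    ("custody_inventory", "record_inventory"),
    ("authorize_payment", "process_payment"),
]

# Multi-step processes that no single person should be able to complete alone.
PROCESSES: Dict[str, List[str]] = {
    "sales_cycle": ["authorize_customer", "process_sales"],
    "inventory_cycle": ["custody_inventory", "record_inventory"],
    "payment_cycle": ["authorize_payment", "process_payment"],
}

# Constructed: users whose conflicting duties are covered by documented supervisory review.
SUPERVISED_USERS: Set[str] = {"bob"}


def find_conflicts(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, duty_a, duty_b) for every incompatible pair a user holds."""
    conflicts = []
    for user, duties in sorted(assignments.items()):
        for a, b in INCOMPATIBLE_PAIRS:
            if a in duties and b in duties:
                conflicts.append((user, a, b))
    return conflicts


def classify(conflicts: List[Tuple[str, str, str]],
             supervised: Set[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Split conflicts into those with a compensating control (supervision) and those without."""
    report: Dict[str, List[Tuple[str, str, str]]] = {
        "uncompensated": [],
        "compensated_by_supervision": [],
    }
    for user, a, b in conflicts:
        key = "compensated_by_supervision" if user in supervised else "uncompensated"
        report[key].append((user, a, b))
    return report


def single_actor_risks(processes: Dict[str, List[str]],
                       assignments: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (process, user) where one user holds every step of the process,
    i.e. where fraud would not require collusion."""
    risks = []
    for name, steps in processes.items():
        for user, duties in sorted(assignments.items()):
            if set(steps) <= duties:
                risks.append((name, user))
    return risks


# Constructed sample assignments.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"authorize_customer", "record_inventory"},                # no conflict
    "bob": {"authorize_customer", "process_sales"},                     # conflict, supervised
    "carol": {"custody_inventory", "record_inventory", "process_payment"},  # conflict, uncompensated
    "dave": {"authorize_payment"},                                      # no conflict
}


def run_sample() -> Dict[str, object]:
    conflicts = find_conflicts(SAMPLE_ASSIGNMENTS)
    return {
        "conflicts": classify(conflicts, SUPERVISED_USERS),
        "single_actor": single_actor_risks(PROCESSES, SAMPLE_ASSIGNMENTS),
    }


if __name__ == "__main__":
    result = run_sample()
    for key, items in result["conflicts"].items():
        print(key, items)
    print("single actor can complete:", result["single_actor"])
```

Uncompensated conflicts are the audit findings; supervised ones are still reported, since the auditor must then test that the supervisory review actually operates rather than simply accept that it exists.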
Examples
IT Risks Model
Operations
Data management systems
New systems development
Systems maintenance
Electronic commerce (The Internet)
Computer applications