AUDITING

Auditing in a CIS
Environment
(Understanding the Client and Its Environment Including Internal Control)

Sir Ali
V.1
Diagram of the Audit
Plan Audit Perform Test of Controls

Obtain Understanding of Client Complete the Audit

and Its Environment Including
Internal Control

Perform Substantive Procedures Issue Audit Report

Note: Computer processing (historically referred to as Electronic Data Processing or EDP) does not
necessitate modification of the diagram.
I. Auditors Consideration of Internal Control
When a Computer is Present
Auditor’s consideration of internal control may be affected in that computer systems may
a. Result in transaction trails that exist for a short period of time or only in computer readable
form.
b. Include program errors that cause uniform mishandling of transactions.
c. Include computer controls that need to be tested in addition to segregation of duties.
d. Involve increased difficulty in detecting unauthorized access.
e. Allow increased management supervisory.
f. Include less documentation of initiation and execution of transactions.
g. Include computer controls that affect the effectiveness of related manual control activities
that use computer output.
Test of Operating Effectiveness of Internal Control

At maximum level or above

Do not perform TOC

Control Risk
Below maximum level

Perform TOC
QUESTION!
What are the audit procedures to test the operating effectiveness of general and specific
application controls?

GENERAL APPLICATION CONTROLS SPECIFIC APPLICATION CONTROLS

1. Inquiry 1. Reperformance techniques
2. Observation (ex: program analysis, program testing,
3. Inspection continuous testing, review of operating
systems and other computer software)
Definition of Internal Control
A process, effected by an entity’s board of directors, management, and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the
following categories:
a. Reporting
b. Operations
c. Compliance

The controls generally most relevant to audits are those that pertain to the entity’s objective
of preparing financial statements for external reporting.
Major Components of Internal Control
a. Control Environment – set the tone of an organization.
Control Environment Factors (I CHAMBO)
I – Integrity and ethical values
C – Commitment to competence
H – Human resource policies
A – Assignment of authority and responsibility
M – Management’s philosophy and operating style
B – Board of directors or audit committee participation
O – Organizational structure
Major Components of Internal Control
b. Risk Assessment – identification, analysis, and management of risks relevant to the
preparation of financial statements following GAAP or some other comprehensive basis.

1. Changes in the operating environment

2. New personnel
3. New information systems
4. Rapid growth
5. New technology
6. New lines, products, or activities
7. Corporate restructuring
8. Foreign operations
9. Accounting pronouncements
Major Components of Internal Control
c. Control Activities – various policies and procedures that help ensure that
necessary actions are taken to address risks to achieving the entity’s objectives.
(PIPS)

P – Performance reviews
I – Information processing
P – Physical controls
S – Segregation of duties
Major Components of Internal Control
d. Information and Communication – includes the accounting system, consisting of
the methods and records established to record, process, summarize, and report entity
transactions and to maintain accountability of the related assets and liabilities.

1. Identify and record all valid transactions

2. Describe on a timely basis
3. Measure the value properly
4. Record in the proper time period
5. Properly present and disclose
6. Communicate responsibilities to employees
Major Components of Internal Control

e. Monitoring – assesses the quality of internal control over time. Monitoring

activities may be ongoing, separate evaluation, or a combination thereof.

Ongoing monitoring – recurring activities.

Separate evaluation – communication of information about strengths and

weaknesses and recommendations.
Select the best answer.

1. Which of the following is not a financial statement assertion relating

to account balances?
a. Completeness
b. Existence
c. Rights and Obligations
d. Valuation and Competence
2. Relationship between control risk and detection risk is ordinarily
a. Parallel
b. Inverse
c. Direct
d. Equal
3. Inherent risk and control risk differ from detection risk in that they
a. Arise from the misapplication of auditing procedures.
b. May be assessed in either quantitative or nonquantitative
terms.
c. Exist independently of the financial statement audit.
d. Can be changed at the auditor’s discretion.
4. Which of the following would be least likely to be considered an audit
planning procedure
a. Use an engagement letter.
b. Develop the overall audit strategy.
c. Perform risk assessment.
d. Develop the audit plan.
5. Which of the following factors would most likely cause a CPA to decide not to
accept a new audit engagement?
a. The CPA’s lack of understanding of the prospective client’s internal
auditor’s computer-assisted audit techniques.
b. Management’s disregard of its responsibility to maintain an
adequate internal control environment.
c. The CPA’s inability to determine whether related-party transactions were
consummated on terms equivalent to arm’s- length transactions.
d. Management’s refusal to permit the CPA to perform substantive tests
before the year end.
6. To obtain an understanding of a continuing client’s business, an auditor
most likely would
a. Perform test of details of transactions and balances.
b. Review prior year working papers and the permanent file for
the client.
c. Read current issues of specialized industry journals.
d. Reevaluate the client’s internal control environment.
7. An auditor should design the audit plan so that
a. All material transactions will be selected for substantive testing.
b. Substantive tests prior to the balance sheet date will be minimized.
c. The audit procedures selected will achieve specific audit
objectives.
d. Each account balance will be tested under either tests of
controls or tests of transactions.
8. Professional skepticism requires that an auditor assume that
management is
a. Honest, in the absence of fraud risk factors.
b. Dishonest until completion of the audit tests.
c. Neither honest nor dishonest.
d. Offering reasonable assurance of honesty.
9. The most difficult type of misstatements to detect is fraud based on
a. The over recording of transactions.
b. The non recording of transactions.
c. Recorded transactions in subsidiaries.
d. Related-party receivables.
10. Which of the following is most likely to be an example of fraud?
a. Defalcations occurring due to invalid electronic approvals.
b. Mistakes in the application of accounting principles.
c. Mistakes in processing data.
d. Unreasonable accounting estimate arising from oversight.
11. Under Statements on Auditing Standards, which of the following would
be classified as an error?
a. Misappropriation of assets for the benefit of management
b. Misinterpretation by management of facts that existed when the
financial statements were prepared.
c. Preparation of records by employees to cover a fraudulent
scheme.
d. Intentional omission of the recording of a transaction to benefit
a third party.
12. Because of the risk of material misstatement, an audit of financial
statements in accordance with generally accepted auditing standards
should be planned and performed with an attitude of
a. Objective judgement.
b. Independent integrity.
c. Professional skepticism.
d. Impartial conservatism.
13. Analytical procedures used during risk assessment in an audit should
focus on
a. Reducing the scope of tests of controls and substantive tests.
` b. Providing assurance that potential material misstatements
will be identified.
c. Enhancing the auditor’s understanding of the client’s business.
d. Assessing the adequacy of the available evidence.
14. A primary purpose of performing analytical procedures as risk
assessment procedures is to identify the existence of
a. Unusual transactions and events.
b. Illegal acts that went undetected because of internal control
weaknesses.
c. Related-party transactions.
d. Recorded transactions that were not properly authorized.
15. Which of the following is not a component of audit risk?
a. Control risk
b. Detection risk
c. Fraud risk
d. Inherent risk
Key Answers
1. D 11. B
2. B 12. C
3. C 13. C
4. C 14. A
5. B 15. C
6. B
7. C
8. C
9. B
10. A