This unit introduces students to information systems audit and assurance. An information systems (IS) audit is part of the overall audit process and is important for good corporate governance. This unit further develops an understanding of internal and operational controls as well as knowledge of the organisation as it relates to IS audit and assurance. Students will examine the risks associated with information systems using frameworks that provide professional standards, guidelines, tools and techniques for IS audit and control.
The risk-based approach to IS audit is developed so that students have an understanding of inherent risks, control risks and detection risks. Students will have exposure to computer auditing tools and techniques that both directly and indirectly examine the internal logic of an organisation's applications. In this unit students develop graduate capabilities in a range of areas, including: critical analysis skills in information management and analysis; problem-solving skills in sourcing and identifying relevant information and interpreting output in a multidisciplinary environment; and communication and negotiation skills.
Prepared by Dr. Savanid Vatanasakdakul
Learning outcomes
Having completed this subject, students should be able to:
1. to evaluate and demonstrate the importance of IS Audit for IS Governance for organisations.
2. to show how the role of an IS auditor adds value to an organisation
3. to assess IS risks and controls and their implications for organisations
4. to explain how IS audit objectives provide effective IS Governance
5. to evaluate and explain IS audit tools and techniques
6. to explore and explain the key trends of IS audit and governance and the implications for individuals, organisations and society.
Consultation times
• Consultations start from week 3. The consultation timetable with all staff’s contact details and consultation times will be available on the unit’s website.
• You are encouraged to seek help at a time that is convenient to you from a staff member teaching on this unit during their regular consultation hours. Ordinarily, staff would not expect to be contacted outside these designated hours.
Time Requirement
• As a guide, your working week for ACCG358 should consist of the following time commitments:
– Lecture 1.5 hours
– Tutorial 1.5 hours
– Independent study 6 hours
Textbook
• Hall, James A. (2012), Information Technology Auditing, International Edition 3e, South-Western Cengage Learning
Tutorial attendance
• It is important that you attend the tutorial that you are enrolled in. If you attend the tutorial that you are not enrolled in, it will not be counted toward the attendance record, with an exception of tutorials held on the week of public holidays.
• Any changes to tutorials must be made through e-student. You have to finalise your classes by the end of week 2 after which changes are no longer possible.
• No exception for tutorial attendances and late assignments will be granted for students who are enrolled late in this subject.
• Your attendance may not be marked if you arrive more than 15 minutes late to your tutorials, unless there is an appropriate reason provided to your tutors.
Satisfactory performance
• Special consideration will be determined after consideration of a student’s performance in all aspects of the course.
• For performance to be considered satisfactory for this unit, students must have submitted all assessment tasks and achieve at least 50 percent of the total internal assessment marks.
Chapter 1
Auditing, Assurance, and Internal Control
Objectives
• to evaluate and demonstrate the importance of IS Audit for IS Governance for organisations.
• to show how the role of an IS auditor adds value to an organisation
• to understand the structure of an audit and have a firm grasp of the conceptual elements of the audit process
• to understand the COSO framework
Auditing
• Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.
Internal Audits
Internal auditing: independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization
• Financial Audits
• Operational Audits
• Compliance Audits
• Fraud Audits
External Audit
External auditing: Objective is that in all material respects, financial statements are a fair representation of organization’s transactions and account balances.
• SEC’s role (United States Securities and Exchange Commission)
• Sarbanes-Oxley Act
External vs Internal Audit
• Comparing the key differences and similarities between external audit and internal audit
– Role and responsibility of external auditors vs internal auditors
– Qualification
– Scope of work
– Audit period
– etc.
Attest Services
Requirements of attestation services:
• Written assertions and practitioner’s written report
• Formal establishment of measurement criteria
• Limited to examination, review, and application of agreed-upon procedures
Advisory Services
Advisory services: Professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness
Services include:
• Actuarial advice
• Business advice
• Fraud investigation services
• Information system design and implementation
• Internal control assessments for compliance with SOX
Financial audit
An independent attestation performed by an expert (i.e., an auditor, a CPA) who expresses an opinion regarding the presentation of financial statements
• Key concept: Independence
• Culmination of systematic process involving:
– Familiarization with the organization’s business
– Evaluating and testing internal controls
– Assessing the reliability of financial data
• Product is formal written report that expresses an opinion about the reliability of the assertions in financial statements; in conformity with GAAP
GAAP = Generally Accepted Accounting Principles refer to the standard framework of guidelines for financial accounting used in any given jurisdiction; generally known as accounting standards
IS/IT audit
IT audits: provide audit services where processes or data, or both, are embedded in technologies.
• Subject to ethics, guidelines, and standards of the profession (if certified)
– CISA
– Most closely associated with ISACA
• Joint with internal, external audits
• Scope of IT audit coverage is increasing
• Characterized by CAATTs
• IT governance as part of corporate governance
Role of Audit Committee
• Selected from board of directors
• Usually three members
• Outsiders (SOX now requires it)
• Fiduciary responsibility to shareholders
• Serve as independent check and balance system
• Interact with internal auditors
• Hire, set fees, and interact with external auditors
• Resolve conflicts of GAAP between external auditors and management
Auditing standard
Auditing standards
• Set by the American Institute of Certified Public Accountants (AICPA)
• Authoritative
1) Ten Generally Accepted Auditing Standards (GAAS)
A framework for prescribing auditor performance, but it is not sufficiently detailed to provide meaningful guidance in specific circumstances.
Three categories:
• General Standards
• Standards of Field Work
• Reporting Standards
2) Statements on Auditing Standards (SASs)
• The first SAS was issued by AICPA in 1972
• It is an interpretation of GAAS
Generally Accepted Auditing Standards
General Standards
1. The auditor must have adequate technical training and proficiency.
2. The auditor must have independence of mental attitude.
3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report.
Standards of Field Work
1. Audit work must be adequately planned.
2. The auditor must gain a sufficient understanding of the internal control structure.
3. The auditor must obtain sufficient, competent evidence.
Reporting Standards
1. The auditor must state in the report whether financial statements were prepared in accordance with generally accepted accounting principles.
2. The report must identify those circumstances in which generally accepted accounting principles were not applied.
3. The report must identify any items that do not have adequate informative disclosures.
4. The report shall contain an expression of the auditor’s opinion on the financial statements as a whole.
Audits
Systematic process
Five primary management assertions, and correlated audit objectives and procedures [Table 1-2]:
• Existence or Occurrence
• Completeness
• Rights and Obligations
• Valuation or Allocation
• Presentation and Disclosure
Audits
Phases:
1. Planning
2. Obtaining evidence
– Tests of Controls
– Substantive Testing
– CAATTs
– Analytical procedures
3. Ascertaining reliability
– MATERIALITY = Auditors must determine whether weakness in internal controls and misstatements found in transactions and account balances are material. The assessment of what is material is a matter of professional judgment.
4. Communicating results
– Audit opinion
Audit Risk
The probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find
Acceptable audit risk (AR) = level of audit risk that is acceptable to the auditor.
Audit Risk Components
Inherent Risk: Unique characteristic of the business or industry of the client.
• The probability that material misstatements have occurred
• Relative risk (e.g., cash)
Audit Risk Components
Control Risk: The probability that the internal controls will fail to detect material misstatements
• Auditors assess the level of control risk by performing tests of internal controls.
Audit Risk Components
Detection Risk: The risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.
• The probability that the audit procedures will fail to detect material misstatements
• Auditors set an acceptable level of detection risk that influences the level of substantive tests that they perform.
Audit Risk Formula
AUDIT RISK MODEL: AR = IR * CR * DR
Example: IR = 40%, CR = 60%, AR = 5% (fixed)
.05 = .4 * .6 * DR
DR = .05/.24
DR = .20
What is an IT Audit?
…most accounting transactions to be in electronic form without any paper documentation because electronic storage is more efficient. … These technologies greatly change the nature of audits, which have so long relied on paper documents.
The IT Environment
There has always been a need for an effective internal control system. The design and oversight of that system has typically been the responsibility of accountants. The I.T. Environment complicates the paper systems of the past.
• Concentration of data
• Expanded access and linkages
• Increase in malicious activities in systems vs. paper
• Opportunity that can cause management fraud (i.e., override)
The IT Environment
• Audit planning
• Tests of controls
• Substantive tests
• CAATTs
Internal Control System
• Comprises policies, practices, and procedures to achieve four broad objectives:
– To safeguard assets of the firm
– To ensure the accuracy and reliability of accounting records and information
– To promote efficiency in the firm’s operations
– To measure compliance with management’s prescribed policies and procedures.
Modifying Principles
1. Management responsibility
2. Methods of data processing
– Objectives same regardless of DP method
– Specific controls vary with different technologies
3. Limitations
4. Reasonable assurance
– No control system is perfect
– Benefits => costs
Modifying Principles
Limitations:
• Possibility of error
• Possibility of circumvention
• Management override
• Changing conditions
Exposures and Risk
Exposure: absence or weakness of a control
Risks: potential threat to compromise use or value of organizational assets
Types of risk:
• Destruction of assets
• Theft of assets
• Corruption of information or the I.S.
• Disruption of the I.S.
The PDC Model
• Preventive controls
• Detective controls
• Corrective controls
Which is most cost effective? Which one tends to be proactive measures? Can you give an example of each?
COSO Internal Control Framework
• COSO (Treadway Commission)
– The control environment
– Risk assessment
– Information & communication
– Monitoring
– Control activities
The Control Environment
Describe how each one could adversely affect internal control.
• The integrity and ethical values
• Structure of the organization
• Participation of audit committee
• Management’s philosophy and style
• Procedures for delegating
The Elements of the Control Environment
• Integrity and ethical values of management
• Structure of the organization
• Participation of the organization’s board of directors and the audit committee
• Management’s philosophy and operating style
• Procedures for delegating responsibility and authority
• Management’s methods for assessing performance
• External influences
• Organization’s policies and practices for managing human resources
Techniques Used to Understand the Control Environment
Describe possible activity or tool for each.
• Assess the integrity of organization’s management
• Conditions conducive to management fraud
• Understand client’s business and industry
• Determine if board and audit committee are actively involved
• Study organization structure
Risk Assessment
• Changes in environment
• Changes in personnel
• Changes in I.S.
• New IT’s
• Significant or rapid growth
• New products or services (experience)
• Organizational restructuring
• Foreign markets
• New accounting principles
Elements of Information and Communication
Initiate, identify, analyze, classify and record economic transactions and events.
• Identify and record all valid economic transactions
• Provide timely, detailed information
• Accurately measure financial values
• Accurately record transactions
Techniques Used to Understand Information and Communication Structures
Auditors obtain sufficient knowledge of I.S.’s to understand:
• Classes of transactions that are material
• Accounting records and accounts used
• Processing steps: initiation to inclusion in financial statements (illustrate)
• Financial reporting process (including disclosures)
Monitoring
• By separate procedures (e.g., tests of controls)
• By ongoing activities (Embedded Audit Modules – EAMs and Continuous Online Auditing – COA)