AUDITING

Auditing
• AAA’s Definition: Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.
• My Definition: To examine and assure

Auditing
2 broad categories of audits:
1. Internal Auditing (R&S focus)
2. External Auditing

Internal Auditing
• Who does it? Internal employees (outsource)
• For whom? Management
• What? Employee adherence to company policies and procedures – efficiency and effectiveness

Internal Auditing - Types
• Information systems: review AIS controls to assess compliance with internal control policies/procedures & effectiveness in safeguarding assets
• Operational/management: reviews company resources and operations – for efficiency, effectiveness, as planned
• Compliance: ensure compliance with laws, rules, and regulations

External Auditing (FS Audit)
• Who does it? Independent, external auditors
• For whom? SEC, investors
• What? Examination of a client’s FS for the purpose of deciding whether or not the FS are fairly presented according to GAAP.
  - Attest function: give an opinion on the fairness of the FS wrt GAAP applying GAAS.
  - Reliability and integrity of accounting records

5 Step Audit Process (for all audit types)
(1) Audit Planning: Establish audit objectives, identify risks, audit program
(2) Collect audit evidence: interviews, examinations, recalculations, sampling; IDEA, ACL
(3) Evaluate evidence: materiality
(4) Arrive at an opinion – FS: standard unqualified, unqualified with explanatory paragraph, qualified, adverse, disclaimer
(5) Communicate Audit Results – FS: audit report

Auditing Around vs Through the Computer
[Diagram: INPUT, PROCESSING, OUTPUT, with paths labelled THROUGH and AROUND]

Auditing Around the Computer
• Ignores the controls and computer processing - assumes accurate output = proper processing
• Auditor examines, on a sample basis, inputs to the computer and corresponding outputs
• Suitable only if the following conditions are met:
  1. Computer processing is relatively simple
  2. Audit trail is clearly visible
  3. A substantial amount of up-to-date documentation exists about how the system works.

Audit Trail in Computer-Based System
• Visibility of audit trail is diminished
• In relational database systems, foreign keys that link related tables form an electronic audit trail.
• Example: I/S Revenue -> Invoice No. -> Sale invoice -> Customer ID -> Customer Table
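
Added example (not part of the original slides): following the electronic audit trail from the revenue figure through Invoice No. and Customer ID to the customer table, and reporting invoices where the foreign-key link is broken. The table names, column names and rows are constructed assumptions.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Create constructed sample tables; names and rows are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customer (customer_id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE sale_invoice (
            invoice_no  INTEGER PRIMARY KEY,
            customer_id TEXT REFERENCES customer(customer_id),
            amount      INTEGER);
        INSERT INTO customer VALUES ('C1', 'Acme Co'), ('C2', 'Birch Ltd');
        -- SQLite does not enforce foreign keys unless PRAGMA foreign_keys=ON,
        -- so invoice 103 can reference a customer that does not exist.
        INSERT INTO sale_invoice VALUES
            (101, 'C1', 400), (102, 'C2', 250), (103, 'C9', 900);
    """)
    return db

def revenue_total(db: sqlite3.Connection) -> int:
    """The revenue figure that the invoices are supposed to support."""
    return db.execute("SELECT SUM(amount) FROM sale_invoice").fetchone()[0]

def trace_revenue(db: sqlite3.Connection) -> list:
    """Follow each invoice behind the revenue figure to its customer row."""
    return db.execute("""
        SELECT i.invoice_no, i.amount, i.customer_id, c.name
        FROM sale_invoice AS i
        LEFT JOIN customer AS c ON c.customer_id = i.customer_id
        ORDER BY i.invoice_no""").fetchall()

def broken_links(db: sqlite3.Connection) -> list:
    """Invoices whose Customer ID matches no row in the customer table."""
    return [row for row in trace_revenue(db) if row[3] is None]

if __name__ == "__main__":
    db = build_db()
    print("Revenue:", revenue_total(db))
    for row in trace_revenue(db):
        print(row)
    print("Broken trail:", broken_links(db))
```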

Auditing Through the Computer
• Auditor follows the audit trail through the internal computer operations; attempts to verify that the processing controls are functioning correctly
• Directly tests the computer controls and verifies the accuracy of computer-based processing of input data.
• Tests controls that, if functioning properly, would prevent errors from occurring.

Which approach is best? Let’s look at the audit guidelines…

Auditing Standards
• Statement on Auditing Standards (SAS) 94 “The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit”
  - Auditors must have sufficient understanding (and document) of each of the 5 components of the IC when planning the audit (2 C RIM)
  - Addresses the effects of IT on IC
  - May need to design tests of controls in addition to substantive tests (of balances)

AUDIT BENEFITS OF THE IT ENVIRONMENT (SAS 94)
• Consistent processing of large volumes of transactions or data
• Enhanced information timeliness, availability, and accuracy
• Facilitation of the additional analysis of information
• Enhanced ability to monitor the performance of activities, policies, and procedures
• Reduction in the risk that controls will be circumvented, if IT system controls are effective

RISKS OF THE IT ENVIRONMENT (SAS 94)
• Incorrectly processing data or consistently processing inaccurate data
• Unauthorized access to data that might be destroyed or improperly changed
• Unauthorized changes to computer programs
• Failure to make necessary changes to computer programs
• Inappropriate manual intervention
• Potential loss of data
• Increase in potential loss resulting from computer fraud relative to manual fraud (increase of 10X).

Which is the best approach? Auditing Through the computer

Auditing Through the Computer
1. Testing Computer Programs
• Test data: exception data, compare processed info to predetermined answers
• ITF (Integrated Test Facility): process transaction to update dummy records (TEST DATA IN REAL SYSTEM!!!)
• Parallel Simulation: live data in program written by auditor (COSTLY!!!)

Auditing Through the Computer
2. Validate Computer Programs
• Test of program change control: make sure IC procedures exist and are followed
• Program comparison: compare production program with archived old version (trojan horse, salami)
• Surprise audits and surprise use of programs: compare accounting application programs unexpectedly with authorized version
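
Added example (not part of the original slides): a program comparison that hashes the production copy against the archived authorized version and, on a mismatch, lists the changed source lines for the auditor. Both program texts are constructed samples, and the function names are assumptions.

```python
import difflib
import hashlib

# Constructed sample: authorized source held in the program library archive.
AUTHORIZED = """\
def post_interest(balance, rate):
    interest = round(balance * rate, 2)
    return balance + interest
"""

# Constructed sample: copy pulled from production, with one unapproved change.
PRODUCTION = """\
def post_interest(balance, rate):
    interest = round(balance * rate, 2)
    interest = interest - 0.01
    return balance + interest
"""

def digest(source: str) -> str:
    """SHA-256 of the program text; a fast equality check before diffing."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

def compare_programs(authorized: str, production: str) -> dict:
    """Report whether production matches the authorized version, and what changed."""
    if digest(authorized) == digest(production):
        return {"match": True, "changes": []}
    diff = list(difflib.unified_diff(
        authorized.splitlines(), production.splitlines(),
        fromfile="authorized", tofile="production", lineterm="", n=0))
    # Skip the two file-header lines, then keep only added/removed source lines.
    changes = [line for line in diff[2:] if line.startswith(("+", "-"))]
    return {"match": False, "changes": changes}

if __name__ == "__main__":
    result = compare_programs(AUTHORIZED, PRODUCTION)
    print("match:", result["match"])
    for line in result["changes"]:
        print(line)
```

In a surprise audit the same comparison is run unannounced, with the authorized text read from a copy the auditor controls rather than from the system under review.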

Auditing Through the Computer
3. Review of systems software
• Operating systems software
• Utility programs that do basic “housekeeping” chores such as sorting and copying
• Program library software that controls and monitors storage of programs
• Access control software that controls logical access to programs and data files

Auditing Through the Computer
4. Continuous Auditing: Audit tools installed within the IS
• Audit hooks
• Continuous and intermittent simulation
• Embedded audit modules
• Exception reporting
• SCARF
• Snapshot technique
• Transaction tagging
Match these terms with their definitions on the next slides.

Auditing Through the Computer
• Embedded audit modules: Application subroutine that captures data for audit purposes
  - Write to a special log file called SCARF (systems control audit review file)
  - Ex: transactions affecting inactive accounts, deviating from company policy, write-downs of asset values
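
Added example (not part of the original slides): an embedded audit module inside a posting routine that copies transactions matching the three criteria above into a SCARF while normal processing continues. The account data, the approval limit and all names are assumptions, and an in-memory list stands in for the SCARF log file.

```python
# Constructed master data and policy values (assumptions for this example).
ACCOUNT_STATUS = {"1001": "active", "1002": "inactive", "1500": "active"}
SALE_APPROVAL_LIMIT = 5000   # assumed company policy: larger sales need approval

def audit_reasons(txn: dict) -> list:
    """Embedded audit module: decide whether a transaction is of audit interest."""
    reasons = []
    if ACCOUNT_STATUS.get(txn["account"]) == "inactive":
        reasons.append("inactive account")
    if (txn["type"] == "sale" and txn["amount"] > SALE_APPROVAL_LIMIT
            and not txn.get("approved_by")):
        reasons.append("deviates from company policy")
    if txn["type"] == "asset_writedown":
        reasons.append("write-down of asset value")
    return reasons

def run_batch(transactions: list) -> tuple:
    """Post every transaction as usual; copy the flagged ones to the SCARF."""
    ledger, scarf = {}, []
    for txn in transactions:
        reasons = audit_reasons(txn)
        if reasons:  # capture only; processing is not interrupted
            scarf.append({"id": txn["id"], "reasons": reasons, "txn": dict(txn)})
        ledger[txn["account"]] = ledger.get(txn["account"], 0) + txn["amount"]
    return ledger, scarf

# Constructed sample transactions.
SAMPLE = [
    {"id": "T1", "type": "sale", "account": "1001", "amount": 1200},
    {"id": "T2", "type": "sale", "account": "1002", "amount": 300},
    {"id": "T3", "type": "sale", "account": "1001", "amount": 8000},
    {"id": "T4", "type": "sale", "account": "1001", "amount": 9000,
     "approved_by": "cfo"},
    {"id": "T5", "type": "asset_writedown", "account": "1500", "amount": -2500},
]

if __name__ == "__main__":
    ledger, scarf = run_batch(SAMPLE)
    for entry in scarf:
        print(entry["id"], entry["reasons"])
```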

Auditing Through the Computer
• Audit hooks: audit routine that flags suspicious transactions (real-time notification)
• Exception reporting: mechanisms that reject certain transactions that fall outside predefined specifications

Auditing Through the Computer
• Transaction tagging: Place a special identifier on transactions so that they can be recorded as they pass through the IS. EX: tag an employee’s transaction records, manually calculate & compare
• Snapshot technique: audit modules record selected transactions before and after processing. Auditor reviews to make sure all processing steps performed properly.

Auditing Through the Computer
• Continuous and intermittent simulation (CIS) - audit module in DBMS - examines all transactions that update the DBMS. If a transaction has special audit significance, the audit module independently processes the data, records the results and compares them with the DBMS results. If discrepancies, written to an audit log for subsequent review OR may stop DBMS from executing the update process.
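
Added example (not part of the original slides): a CIS-style audit module that independently recomputes the A/R credit for payments of audit significance, compares it with the application's result, and either logs the discrepancy or stops the update. The 2% / 10-day discount terms, the seeded defect and all names are assumptions; the payments are constructed.

```python
from decimal import Decimal

DISCOUNT_RATE = Decimal("0.02")  # assumed terms: 2% discount if paid within 10 days

def app_credit(txn: dict) -> Decimal:
    """Application logic under audit (constructed, with a seeded defect)."""
    window = 30  # defect: the discount window should be 10 days
    discount = txn["invoice"] * DISCOUNT_RATE if txn["days"] <= window else Decimal("0")
    return txn["paid"] + discount

def audit_credit(txn: dict) -> Decimal:
    """Auditor's independent computation of the same A/R credit."""
    discount = txn["invoice"] * DISCOUNT_RATE if txn["days"] <= 10 else Decimal("0")
    return txn["paid"] + discount

def has_audit_significance(txn: dict) -> bool:
    """Only payments below the invoice amount are simulated."""
    return txn["paid"] < txn["invoice"]

def cis_run(balance: Decimal, transactions: list, block: bool = False) -> tuple:
    """Apply updates; simulate significant ones and log or block discrepancies."""
    audit_log = []
    for txn in transactions:
        credit = app_credit(txn)
        if has_audit_significance(txn):
            expected = audit_credit(txn)
            if credit != expected:
                audit_log.append({"id": txn["id"], "app": credit, "audit": expected})
                if block:
                    continue  # stop the DBMS update for this transaction
        balance -= credit
    return balance, audit_log

# Constructed sample payments against an opening A/R balance of 3000.00.
PAYMENTS = [
    {"id": "P1", "invoice": Decimal("1000.00"), "paid": Decimal("980.00"), "days": 8},
    {"id": "P2", "invoice": Decimal("1000.00"), "paid": Decimal("980.00"), "days": 25},
    {"id": "P3", "invoice": Decimal("500.00"), "paid": Decimal("500.00"), "days": 40},
]

if __name__ == "__main__":
    print(cis_run(Decimal("3000.00"), PAYMENTS))
    print(cis_run(Decimal("3000.00"), PAYMENTS, block=True))
```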

Auditing With the Computer
• Additional Computer-assisted techniques (CAATS): help auditor complete audit
  - General use software: productivity tools (Word, Excel, project management, ACCESS, SQL)
  - Automated workpaper software
  - Generalized audit software (GAS): software designed for auditor
    • Read, manipulate client’s computer-based data
    • Independent evidence about the validity of transactions and balances

How do auditors put it all together?

Risk-based Audit Approach
GOAL: Provide a clear understanding of the errors and irregularities that can occur and the related risks and exposures
1. Determine threats (errors, irregularities)
2. Identify the needed control procedures
3. Evaluate the control procedures
4. Evaluate weaknesses to determine effect on nature, timing, and extent of auditing procedures. Compensating Controls?

Risk-based Audit Approach
Evaluate Control Procedures
• System review – are procedures in place? Ex: review docs, interviews
• Tests of controls = compliance testing – are the controls in place and working as prescribed? Ex: observe operations, check samples of input, verify use, trace transactions

Audit Risk Model
Used in audit planning:
• AR = audit risk: likelihood that the FS are materially misstated
• AR = IR x CR x DR
  - IR: Cannot reduce
  - CR: Auditor assesses general and application controls applicable to each FS assertion; Tests of controls = Compliance tests
  - DR: Auditor can control this

Audit Risk Model
• IR = inherent risk: susceptibility of an account or class of transactions to material error
• CR = control risk = likelihood that the IC control structure will fail to prevent/detect a material error
• DR = detection risk = likelihood that the auditor’s procedures will not uncover material errors
  - More auditing procedures = lower DR
  - Inversely related to CR: if CR is high, then an auditor sets DR low and performs more substantive tests (detail tests of transactions and account balances)

Audit Risk Model Example
• Assume controls over the revenue cycle are not effective and cannot be relied upon. The auditor is worried about the correctness of the A/R balance. To lower detection risk, what would the auditor do?
• Increase substantive testing of the A/R balance – send out lots of confirmation letters to customers.

Generalized Audit Software
• 2 main computer auditing software packages: ACL (Audit Command Language) and IDEA (Interactive Data Extraction and Analysis).
• In this class, we will be using IDEA to audit several different general ledger accounts and look for employee fraud.
• Clients: American Express, BDO Seidman, Grant Thornton, KPMG, McGladrey and Pullen LLP, PricewaterhouseCoopers, FDIC, GAO, US Departments of Commerce, Education, Interior, Labor, Transportation, EPA, Treasury, Dow Chemical, Chicago Board of Trade, Exxon Company USA, Revlon

General Functions of Computer Audit Software
– reformatting
– file manipulation
– calculation
– data selection
– data analysis
– file processing
– statistics
– report generation
– sampling
– data retrieval
– apply edit checks
– file operations (join, merge, sort)