
Auditing, Assurance, Internal Control


Presentation Transcript


  1. Auditing, Assurance, Internal Control Institute of Southern Punjab Multan

  2. Contents • Attestation & assurance Services • Financial audit • Auditing standards • External vs. internal auditing • Information technology audit • Internal control

  3. Attest Services • An engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. Attest: To affirm to be correct, true, or genuine

  4. Requirements applied to attestation services • Attestation services require written assertions and a practitioner’s written report. • Attestation services require the formal establishment of measurement criteria or their description in the presentation. • The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.

  5. Assurance Services • Broader than attestation • Professional services designed to improve the quality of information, both financial and non-financial, used by decision-makers. • Intended to help people make better decisions by improving information. Assurance: A statement or indication that inspires confidence; a guarantee or pledge

  6. Audits • An audit is an objective examination and evaluation of the financial statements of an organization to make sure that the records are a fair and accurate representation of the transactions they claim to represent.

  7. Financial Audit • An independent attestation performed by an expert, the auditor, who expresses an opinion regarding the presentation of financial statements. • Auditor’s role is similar in concept to a judge who collects and evaluates evidence and renders an opinion.

  8. Auditor’s Report • The product of the attestation function is a formal written report that expresses an opinion about the reliability of the assertions contained in financial statements • The auditor’s report expresses an opinion as to whether the financial statements are in conformity with generally accepted accounting principles

  9. Auditing Standards • Auditors are guided in their professional responsibility by the ten generally accepted auditing standards (GAAS) • GAAS establishes a framework for prescribing auditor performance, but it is not sufficiently detailed to provide meaningful guidance in specific circumstances

  10. Auditing Standards • To provide specific guidance, American Institute of Certified Public Accountants (AICPA) issues Statements on Auditing Standards (SASs) as authoritative interpretations of GAAS. • SASs are often referred to as auditing standards, or GAAS, although they are not the ten generally accepted auditing standards.

  11. SAS • First issued by the AICPA (American Institute of Certified Public Accountants) in 1972 • Since then, many SASs have been issued to provide auditors with guidance on a spectrum of topics, including methods of investigating new clients and techniques for obtaining background information on a client’s industry.

  12. External vs. Internal Auditing • External auditing is often called independent auditing because it is done by certified public accountants who are independent of the organization being audited. • External auditors represent the interests of third-party stakeholders in the organization, such as stockholders, creditors, and government agencies. • Because the focus of an external audit is on financial statements, this type of audit is called a financial audit

  13. External vs. Internal Auditing • Institute of Internal Auditors defines internal auditing as an independent appraisal function established within an organization to examine and evaluate its activities.

  14. External vs. Internal Auditing • Internal auditors perform a wide range of activities on behalf of the organization, including • conducting financial audits, • examining an operation’s compliance with organizational policies, • reviewing the organization’s compliance with legal obligations, • evaluating operational efficiency, • detecting and pursuing fraud within the firm, and • conducting IT audits.

  15. External vs. Internal Auditing • While external auditors represent outsiders, internal auditors represent the interests of the organization. • Internal auditors often cooperate with and assist external auditors in performing financial audits. • This is done to achieve audit efficiency and reduce audit fees. For example, a team of internal auditors can perform tests of computer controls under the supervision of a single external auditor.

  16. Information Technology (IT) Audit • Focus on the computer-based aspects of an organization’s information system • This includes assessing the proper implementation, operation, and control of computer resources.

  17. Definition of Auditing • Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.

  18. Elements of auditing • A systematic process • Management assertions and audit objectives • Obtaining evidence • Ascertaining the degree of correspondence between those assertions and established criteria • Communicating results

  19. 5 Categories of Management Assertions • Existence or occurrence assertion • Completeness assertion • Rights and obligations assertion • Valuation or allocation assertion • Presentation and disclosure assertion Auditors develop their audit objectives and design audit procedures based on the preceding assertions.

  20. Structure of IT Audit • IT audit is divided into three phases: audit planning, tests of controls, and substantive testing

  21. Internal Control • The establishment and maintenance of a system of internal control is an important management obligation. • A fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately controlled. • Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial information on a timely basis. • An adequate system of internal control is necessary to management’s discharge of these obligations. - Securities and Exchange Commission

  22. Internal Control in Concept • Internal control system comprises policies, practices, and procedures employed by the organization to achieve four broad objectives: • To safeguard assets of the firm. • To ensure the accuracy and reliability of accounting records and information. • To promote efficiency in the firm’s operations. • To measure compliance with management’s prescribed policies and procedures

  23. 3 Levels of Control • Preventive controls, detection controls, and corrective controls.

  24. Preventive Controls • First line of defense in the control structure • Passive techniques designed to reduce the frequency of occurrence of undesirable events • Preventing errors and fraud is far more cost-effective than detecting and correcting problems after they occur • In information security: firewall

  25. Preventive Controls • A well-designed data entry screen, for example, is a preventive control • Not all problems can be anticipated and prevented.

  26. Detective Controls • Second line of defense • Devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls • In information security: Intrusion detection

  27. Types of IDS • OSSEC: an open source host intrusion-detection system (HIDS) that does more than detect intrusions. • OpenWIPS: a free wireless IDS/IPS that relies on a server, sensors and interfaces. • Bro IDS: similar to Security Onion in that it uses more than IDS rules to determine where attacks are coming from. • Security Onion: an Ubuntu-based Linux distribution for IDS and network security monitoring (NSM)

  28. Corrective Controls • Corrective actions taken to reverse the effects of detected errors • Detective controls identify undesirable events and draw attention to the problem; corrective controls fix the problem.

  29. Control Activities • Policies and procedures used to ensure appropriate actions are taken to deal with the organization’s identified risks

  30. Control Activities • Can be grouped into two categories: • Computer controls (general controls and application controls) • Physical controls (transaction authorization, segregation of duties, supervision, accounting records, access control, and independent verification)

  31. Computer Controls/General Controls • Fall into two broad groups: general controls and application controls • General controls pertain to entity-wide concerns such as controls over data center, organization databases, systems development, and program maintenance

  32. Application Controls • Application controls ensure the integrity of specific systems such as sales order processing, accounts payable, and payroll applications.

  33. Physical Controls • Relates primarily to traditional accounting systems that employ manual procedures • Six traditional categories of physical control activities: transaction authorization, segregation of duties, supervision, accounting records, access control, and independent verification

  34. Transaction Authorization • Ensure that all material transactions processed by information systems are valid and in accordance with management’s objectives • Authorizations may be general or specific

  35. General Authorization • Granted to operations personnel to perform day-to-day operations • An example is a procedure to authorize the purchase of inventories from a designated vendor only when inventory levels fall to their predetermined reorder points. This is called a programmed procedure

  36. Specific Authorization • Deals with case-by-case decisions associated with non-routine transactions. • An example is the decision to extend a particular customer’s credit limit beyond the normal amount • In an IT environment, the responsibility for achieving the control objectives of transaction authorization rests directly on the accuracy and consistency of the computer programs that perform these tasks.

  37. Segregation of Duties • To minimize incompatible functions • Authorization for a transaction is separate from processing of the transaction. For example, purchases should not be initiated by purchasing department until authorized by inventory control department

  38. Segregation of Duties • Responsibility for custody of assets should be separate from recordkeeping responsibility. For example, the department that has physical custody of finished goods inventory should not keep official inventory records. Accounting for finished goods inventory is performed by inventory control, an accounting function.

  39. Segregation of Duties • These 3 objectives provide general guidelines applicable to most organizations • The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities. In other words, no single individual should have sufficient access to assets and supporting records to perpetrate a fraud.

  40. Segregation of Duties in IT • Computer errors are programming errors that are, in fact, human errors; no computer has ever perpetrated a fraud unless programmed to do so by a human • Separating computer processing functions, therefore, serves no purpose

  41. Segregation of Duties in IT • Segregation of duties still plays a role in IT environment • Once proper functioning of a program is established at system implementation, its integrity must be preserved throughout the application’s life cycle. • The activities of program development, program operations, and program maintenance are critical IT functions that must be adequately separated.
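The rules in slides 37 to 41 (authorization separate from processing, custody separate from recordkeeping, and development, operations and maintenance separated in IT) can be checked mechanically against a role assignment. The following is an added example, not code from the slides or the institute: the duty names, the incompatible-pair rule set, the roles and the users are all constructed, and the rules encode only what the slides state.

```python
"""Segregation-of-duties (SoD) conflict check over constructed role assignments.

Added example, not from the slides. The incompatible pairs encode the rules
the slides describe: authorization vs. processing, custody of assets vs.
recordkeeping, and (in IT) program development vs. operations vs. maintenance.
Role, duty and user names are constructed sample data.
"""
from itertools import combinations

# Duties that no single individual should hold together (assumed rule set).
INCOMPATIBLE_DUTIES = {
    frozenset({"authorize_purchase", "process_purchase"}),
    frozenset({"custody_inventory", "record_inventory"}),
    frozenset({"program_development", "program_operations"}),
    frozenset({"program_development", "program_maintenance"}),
    frozenset({"program_operations", "program_maintenance"}),
}

# Constructed mapping of roles to the duties each role grants.
ROLE_DUTIES = {
    "buyer": {"process_purchase"},
    "inventory_control": {"authorize_purchase", "record_inventory"},
    "warehouse": {"custody_inventory"},
    "developer": {"program_development"},
    "operator": {"program_operations"},
    "maintainer": {"program_maintenance"},
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by all of a user's roles."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_conflicts(user_roles, role_duties=ROLE_DUTIES, rules=INCOMPATIBLE_DUTIES):
    """Return {user: sorted list of conflicting duty pairs} for every user whose
    combined roles grant two duties that the rule set says must be separated."""
    findings = {}
    for user, roles in user_roles.items():
        duties = effective_duties(roles, role_duties)
        hits = [tuple(sorted(pair))
                for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in rules]
        if hits:
            findings[user] = sorted(hits)
    return findings


def collusion_required(user_roles, role_duties=ROLE_DUTIES, rules=INCOMPATIBLE_DUTIES):
    """True when no single user holds an incompatible pair, i.e. a fraud would
    need collusion between at least two people (the objective on slide 39)."""
    return not sod_conflicts(user_roles, role_duties, rules)


# Constructed sample: alice holds operator on top of developer, collapsing the
# development/operations separation; erin both authorizes and processes purchases.
SAMPLE_USERS = {
    "alice": ["developer", "operator"],
    "bob": ["buyer"],
    "carol": ["inventory_control"],
    "dave": ["warehouse"],
    "erin": ["buyer", "inventory_control"],
}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(SAMPLE_USERS).items():
        print(f"{user}: {pairs}")
```

The check is deliberately over effective duties rather than role names, because conflicts usually arise from the accumulation of several individually harmless roles; a reviewer would run this over the real role-to-duty mapping and treat each finding as a case for either removing a role or documenting a compensating control.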

  42. Supervision • Achieving adequate segregation of duties often presents difficulties for small organizations. • In small organizations or in functional areas that lack sufficient personnel, management must compensate for the absence of segregation controls with close supervision. • For this reason, supervision is also called a compensating control.

  43. Accounting Records • Source documents, journals, and ledgers capture economic essence of transactions and provide an audit trail of economic events • Audit trail enables auditor to trace any transaction through all phases of its processing from initiation of event to financial statements

  44. Access Controls • Ensure that only authorized personnel have access to the firm’s assets • Access control in an IT environment includes provisions for the physical security of computer facilities. • Database security and authorization is an important access control mechanism in modern organizations.

  45. Access Control in IT Environment • Limit personnel access authority • Restrict access to computer programs • Provide physical security for data processing center • Ensure adequate backup for data files • Provide disaster recovery capability

  46. Audit Risk • Probability that auditor will render an unqualified opinion on financial statements that are, in fact, materially misstated • Auditor’s objective is to minimize audit risk by performing tests of controls and substantive tests. • 3 components of audit risk are inherent risk, control risk, and detection risk

  47. Inherent Risk • Associated with the unique characteristics of the business or industry of the client • Firms in declining industries have greater inherent risk than firms in stable or thriving industries. • Auditors cannot reduce the level of inherent risk.

  48. Control Risk • The likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts • Auditors reduce the level of control risk by performing tests of internal controls, e.g., running test transactions and seeing if erroneous transactions can be detected

  49. Detection Risk • The risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor • A lower planned detection risk requires more substantive testing
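Slides 46 to 49 name the three components of audit risk but do not write out how they combine. The standard audit risk model, added here as an illustration rather than taken from the slides, treats them as multiplicative, $AR = IR \times CR \times DR$, so the detection risk the auditor can plan for is

$$DR = \frac{AR}{IR \times CR}.$$

Worked instance with constructed values: with an acceptable audit risk of $AR = 0.05$, $IR = 0.8$ and $CR = 0.5$, the planned detection risk is $DR = 0.05 / (0.8 \times 0.5) = 0.125$. If tests of controls show the controls are weaker than assumed, say $CR = 1.0$, then $DR = 0.05 / (0.8 \times 1.0) = 0.0625$: the planned detection risk falls, which is why a higher assessed control risk translates into more substantive testing, as slide 49 states.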
