CHAPTER 1

External (Financial) Audit is an independent

attestation performed by an expert the auditor
who expresses an opinion regarding the
presentation of financial statements.
Attest Service performed by CPAs who work
for public accounting firms that are independent
of the client organization being audited.
-an engagement in which a practitioner is
engaged to issue, or does issue, a written
communication, that expresses a conclusion
about the reliability of a written assertion that is
the responsibility of the other party.
Advisory Service professional services offered
by public accounting firms to improve their client
organizations
operational
efficiency
and
effectiveness.
Internal Audit independent appraisal function
established within the organization to examine
and evaluate its activities as a service to the
organization.
External Audit
vs Internal Audit
-Independent (CPA) -Auditor (CIA, CISA)
-SEC/S-OX/AICPA
-Employee
of
organization
-SEC-publicly traded -Optional

mgt
requirements
-Financial Audit
-Broader (operational
audit)
-Interests of outsiders
-Interests
of
organization
Standards, guidance, certification governed by:
-PICPA, FRSC, BOA
-IIA and ISACA
delegated by SEC
Fraud Audit objective: investigate anomalies
and gather evidence of fraud that may lead to
criminal conviction.
Certification: Certified Fraud Examiner (CFE)
Governed by: Association of Certified Fraud
Examiners (ACFE)
Role of Audit Committee
-Selected from Board of Directors, usually 3
members
-Outsiders (S-OX)
-Fiduciary responsibility to shareholders
-Serve as independent check and balance system
-Interact with internal auditors
-Hire, set fees, and interact with external auditors
-Resolve conflicts of GAAP between external
auditors and management

Generally Accepted Auditing Standards

General Standards
1. The auditor must have adequate training and
proficiency
2.
The auditor must have independence of
mental attitude
3. The auditor must exercise due professional
care in the performance of the audit and the
preparation of the report.

Standards of Field Work

1. Audit work must be adequately planned
2. The auditor must gain a sufficient
understanding of the internal control structure
3. The auditor must obtain sufficient, competent
evidence
Reporting Standards
1. The auditor must state in the report whether
financial statements were prepared in accordance
with generally accepted accounting principles.
2. The report must identify those circumstances
in which generally accepted accounting principles
were not applied.
3. The report must identify any items that do not
have adequate informative disclosures
4. The report shall contain an expression of the
auditors opinion on the financial statements as a
whole.
Management Assertions
1. Existence/Occurrence affirms that all
assets and equities contained in the balance
sheet exist and that all transactions in the income
statement actually occurred.
2. Completeness declares that no material
assets, equities, or transactions have been
omitted from the financial statements.
3. Rights and Obligations maintains that
assets appearing on the balance sheet are owned
by the entity and that the liabilities reported are
obligations
4. Valuation or Allocation assets and equities
are valued in accordance with GAAP and that
allocated amounts such as depreciation expense
are calculated on a systematic and rational basis
Audit Risk probability that the auditor will
render an unqualified opinion on financial
statements that are in fact, materially misstated.
Acceptable Audit Risk is estimated based
on the ex
ante value of the components of
the audit risk model.
AR = IR x CR x DR

Components of Audit Risk Model

Inherent Risk probability that material
misstatements have occurred
Control Risk probability that the internal
controls will fail to detect material misstatements
Detection Risk probability that audit
procedures
will
fail
to
detect
material
misstatements
IT Audit focuses on the computer based
aspects of an organizations information system
and modern systems employ significant level of
technology.

Structure of an IT Audit/IT Environment

1. Audit Planning first step in IT Audit.
Includes:
-Review of organizations policies, practices and
structures
-Review general controls and application controls
-Plan test of controls and substantive testing
procedure
2. Test of Controls determine whether
adequate internal controls are in place and
functioning properly
Includes:
-Perform test of controls
-Evaluate test results
-Determine degree of reliance on controls
3. Substantive Testing Phase detailed
investigation of specific amount balances and
transactions
Includes:
-Perform substantive tests
-Evaluate results and issue auditors report
CAATTs Computer Assisted Audit Tools and
Techniques
Internal
Control

policies,
procedures designed to:
-safeguard assets
-promote efficiency
-ensure accuracy and reliability
-measure compliance with policies

Modifying Principles that guide designers

and auditors of internal control system
1.
Management
Responsibility

establishment and maintenance of a system of

internal control is management responsibility
2. Reasonable Assurance that 4 broad
objectives of internal control (spem) are met
-CoBA, benefits > costs
3. Methods of Data Processing 4 broad
objectives of internal control (spem) are achieved
regardless of methods of data processing
4. Limitations
-Possibility of Error
-Possibility of Circumvention
-Management Override
-Changing conditions
Exposure absence or weakness of a control
Risk potential threat to compromise use or
value of organizational assets
PDC Model
Prevention Control 1st line of defense in the
control structure
-passive techniques designed to reduce the
frequency of occurrence of undesirable events
Detective Control 2nd line of defense.
-devices, techniques, and procedures designed to
identify and expose undesirable events that elude
preventive controls
Corrective Controls actions taken to reverse
the effect of detective errors, actually fix the
problems

practices,

COSO Committee on Sponsoring Organizations

-developed a management perspective model for
internal controls over a number of years which is
widely adopted
Sarbanes-Oxley Act 2002

Sec 404 Management is responsible for

establishing and maintaining internal control
structure and procedures
Sec 302 Financial executives must disclose
deficiencies in internal control and fraud (material
or not)

COSO Framework: IC Five Components

1. Control Environment foundation. Sets the
tone for the organization and influences the
control awareness of its management and its
employees.
2. Risk Assessment identify, analyze and
manage risks relevant to financial reporting.
3. Information and Communication auditors
obtain sufficient knowledge of Information
System to understand
4. Monitoring process by which the internal
control design and operation are assessed.
EAM Embedded Audit Modules
COA Continuous Online Auditing

5. Control Activities policies and procedures

used to ensure that appropriate actions are taken
to deal with the organizations identified risks.
Computer/IT Controls General and
Application
Physical Controls
General apply to all systems
Application designed to application-specific.
Objective:
ensure
validity,
accuracy
and
completeness financial transactions
Physical Controls relates primarily to human
activities employed in accounting systems. Types
of Physical Controls:
Transaction Authorization ensure that all
material
transactions
processed
by
the
information system are valid and in accordance
with managements objectives
General Authority granted to operations
personnel
to perform day-to-day activity
Segregation of Duties
separate from processing;
separate from record-keeping

Data Processing management of the

computer resources used to perform the day-today processing of transactions. 3 organizational
functions: data conversion, computer operations
and data library
Data Conversion transcribes transaction data
from hard-copy source documents into computer
input
Computer Operations processing by the
central computer of the electronic files produces
in data conversion
Data Library room adjacent to computer
center that provides safe storage for the off-line
data files.
System Development
responsible for
analyzing user needs for designing new systems
to satisfy those needs

Authorization is
Asset Custody

System Maintenance making changes to

program logic to accommodate shifts in user
needs over time

Supervision small companies compensation

for absence of segregation of duties

Participants:
IS Professionals gather facts about the users
problem, analyze the facts and formulate a
solution
End Users those for whom the system is built
Stakeholders individuals in/outside the firm
who have an interest in the system
Auditors

Accounting Records source documents,

journals and ledgers
Audit Trail enables the auditor to trace
any
transaction
through
all
phases
of
processing
Access Control ensure that only authorized
personnel have access to companys assets
Independent
Verification

independent
checks of the accounting systems to identify
errors and misinterpretations
CHAPTER 2
IT Governance relatively new subset of
corporate governance that focuses on the
management and assessment of strategic IT
Sources
Centralized Data Processing all data
processing is performed by one or more large
computers housed at a central site that serves
users throughout the organization
Database Administrator (DBA) responsible
for security and integrity of the database

Segregation of Incompatible IT Functions

Separating
Systems
Development
and
Operations Activities Systems Development
and Maintenance Professionals should create
systems for user and should have no involvement
in entering data or running applications.
Operations staff should run these systems and
have involvement in their design
Separating DBA from other functions DBA
is organizationally independent of operations,
systems development and maintenance.
Segregate
Systems
Analysis
from
Programming
Inadequate Documentation control problem
which is considered a chronic problem because it
is not interesting to do and may threaten job
security

Program Fraud involves making unauthorized

changes to program modules for the purpose of
committing an illegal act.
Salami Slicing division of a fraud into series of
small illegal actions because it is difficult to
perform all at once
Trapdoors fraud wherein the programmer
writes code into the program that allows him to
work around any or all controls in the system and
thus makes it easy to commit fraud
Segregate
System
Development
Maintenance
Better Documentation Standards
Deters Fraud

from

Segregate Data Library from Operations

For Physical Security of Offline Data Files
Real Time Data Processing involves
continual input, process and output of data. Data
must be processed in same time data is received
Batch Data Processing involves collecting
and storing a number of related transactions
before processing them simultaneously
Distributed Data Processing (DDP) data
processing model that involves recognizing the
central IT function into small IT units that are
placed under the control of end users
Risks Associated with DDP
Inefficient Use of Resources mismanagement of
resources by end-sures
Destruction of Audit Trails
Inadequate Segregation of Duties
Hiring Qualified Professionals difficult to attract
qualifies professionals
Lack of Standards every end user has their own
standard
Advantages of DDP
Cost Reductions application complexity reduced
Improved Cost Control Responsibility
Improved User Satisfaction increased morale
and productivity
Backup Flexibility excess capacity for DRP
Controlling the DDP Environment
Central Systems Development - testing and
implementation of Commercial Software and
Hardware

User Services help desk, technical support,

FAQs
Standard Setting Body establishing central
guideline
Personnel Review evaluate technical credentials
of systems professionals
Computer Center:
Physical Location - should be away from human
made and natural hazards
Construction ideally: single story building,
underground utilities, windowless and air filtration
system
Access limited to operators and other
employees who work there. Physical controls:
locked doors, cameras. Manual: access log of
visitors
Air Conditioning amount of heat must be
even
Fire Suppression Fire is the most serious
threat
Fire Alarm
Automatic Fire Extinguishing System
Manual Fire Extinguishers
Power Supply uninterrupted, clean power
Fault Tolerance ability of the system to
continue operation when part of the system fails
because of hardware failure, application program
error or operator error
RAID Redundant Arrays of Independent
Disks parallel
disks
that
contain
redundant elements of data applications
Uninterruptible Power Supplies backup
power
Disaster
Recovery
Plan
(DRP)

comprehensive statement of all actions to be

taken before, during, and after a disaster, along
with documented, tested procedures that will
ensure the continuity of operations.
Second Site Backup
Mutual Aid Pact agreement between two or
more organizations (with compatible computer
facilities) to aid each other with data processing
needs in event of a disaster
Empty Shell (cold site) buys or leases a
building that will serve as a data center
Recovery Operations Center (hot site) fully
equipped backup data center
Internally Provided Backup company built its
own remote mirrored data center
Operating System Back up back up of
operating system
Application Backup create copies of current
versions of critical applications

Backup Data Files databases should be

copied daily to CDs, etc
Backup
Documentation

system
documentation for critical applications should be
backed up and stored off site along with the
applications
Backup Supplies and Source Documents
create back up inventories if supplies and source
documents
used
in
processing
critical
transactions
Testing the DRP most neglected aspect of
contingency planning
System Wide Controls
Password Control tool designed to allow
helpdesk staff to reset user password
Reusable Password same password for all
One time password password valid for only
one transaction
Email Risks
Spoofing forgery of an email header so that
the message appears to have originated from
someone other than the actual source
Spamming sent to thousands of users
Chain Letters letters convincing users to pass
them on another user

Urban Legends myth, folklore

Hoax Virus Warnings warning a recipient of a
non-existing virus threat
Flaming writers attacks another participant
overly harsh
Malicious Attachments viruses
Malicious Objects Risk
Virus malware that when executed infects
other programs
Worm malware that replicate itself to spread to
other computers or programs
Logic Bomb triggered by some event at a
certain date or time
Trapdoor
Trojan Horse disguised as a legitimated
software