
CHAPTER 1: AUDITING AND INTERNAL CONTROL P1

100 questions • 1 year ago
  • Charles Jaojao

    Question list

  • 1

    have had a tremendous impact on the field of auditing.

    Information Technology

  • 2

    Different types of audits

    1. external (financial audit) 2. internal audits 3. fraud audits

  • 3

    is an independent attestation performed by an expert—the auditor— who expresses an opinion regarding the presentation of financial statements.

    external audit

  • 4

    is performed by Certified Public Accountants (CPA) who work for public accounting firms that are independent of the client organization being audited.

    attest service/ external audit

  • 5

    These audits are, therefore, often referred to as financial audits.

    external audit

  • 6

    requires all publicly traded companies be subject to a financial audit annually.

    SEC

  • 7

    CPAs conducting such audits represent the interests of outsiders: (4)

    1. stockholders 2. creditors 3. government agencies 4. the general public

  • 8

    A key concept in this process is

    independence

  • 9

    The external auditor must follow strict rules in conducting financial audits. These authoritative rules have been defined by: (4)

    1. SEC 2. FASB 3. AICPA 4. Sarbanes-Oxley Act of 2002

  • 10

    which has to a great extent replaced the function served by the FASB, and some of the functions of the AICPA

    Public Company Accounting Oversight Board (PCAOB)

  • 11

    an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party.

    attest service

  • 12

    following requirements apply to attestation services: (3)

    1. require written assertions and a practitioner’s written report. 2. require the formal establishment of measurement criteria or their description in the presentation. 3. The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.

  • 13

    are professional services offered by public accounting firms to improve their client organizations’ operational efficiency and effectiveness.

    advisory services

  • 14

    advisory services include: (5)

    1. Actuarial advice 2. business advice 3. fraud investigation 4. information system design and implementation 5. internal control assessments for compliance with SOX

  • 15

    It is now unlawful for a registered public accounting firm that is currently providing attest services for a client to provide the following services: (8)

    1. bookkeeping or other services related 2. financial information systems design and implementation 3. appraisal or valuation services 4. actuarial services 5. internal audit outsourcing services 6. management functions or human resources 7. broker or dealer 8. legal services and expert services related to the audit.

  • 16

    The advisory services units of public accounting firms responsible for providing IT control-related client support have different names in different firms, but they all engage in tasks known collectively as:

    IT risk management

  • 17

    These groups often play a dual role within their respective firms; they provide nonaudit clients with IT advisory services and also work with their firm’s financial audit staff to perform IT-related tests of controls as part of the attestation function.

    IT risk management

  • 18

    The Institute of Internal Auditors (IIA) defines _____ as an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.

    internal auditing

  • 19

    Internal auditors perform a wide range of activities on behalf of the organization, including: (5) (CERED)

    1. conducting financial audits 2. examining an operation’s compliance with organizational policies 3. reviewing the organization’s compliance with legal obligations 4. evaluating operational efficiency 5. detecting and pursuing fraud within the firm

  • 20

    is typically conducted by auditors who work for the organization, but this task may be outsourced to other organizations:

    internal audit

  • 21

    Internal auditors are often: (2)

    1. Certified Internal Auditor (CIA) 2. Certified Information Systems Auditor (CISA)

  • 22

    These auditors generally answer to executive management of the organization or the audit committee of the board of directors, if one exists.

    internal auditors

  • 23

    The standards, guidance, and certification of internal audits are governed mostly by the: (2)

    1. Institute of Internal Auditors (IIA) 2. Information Systems Audit and Control Association (ISACA)

  • 24

    The characteristic that conceptually distinguishes external auditors from internal auditors is their respective

    constituencies

  • 25

    Represent Outsiders

    external auditors

  • 26

    Represents the interest of the organization

    external auditors

  • 27

    have, unfortunately, increased in popularity as a corporate governance tool. They have been thrust into prominence by a corporate environment in which both employee theft of assets and major financial frauds by management (e.g., Enron, WorldCom, etc.)

    Fraud Audit

  • 28

    The objective of a fraud audit is to: (2)

    1. investigate anomalies 2. gather evidence of fraud

  • 29

    Typically, fraud auditors have earned the: (2)

    1. Certified Fraud Examiner certification (CFE) 2. Association of Certified Fraud Examiners (ACFE)

  • 30

    The board of directors of publicly traded companies form a subcommittee known as the: _____ which has special responsibilities regarding audits.

    audit committee

  • 31

    This committee usually consists of three people who should be outsiders (not associated with the families of executive management nor former officers, etc.).

    audit committee

  • 32

    With the advent of the Sarbanes-Oxley Act, at least one member of the audit committee must be a:

    financial expert

  • 33

    serves as an independent “check and balance” for the internal audit function and liaison with external auditors.

    audit committee

  • 34

    often have some bearing on audit committee failures. These include lack of independence of audit committee members, inactive audit committees, total absence of an audit committee, and lack of experienced members on the audit committee.

    corporate fraud

  • 35

    The product of the attestation function is a ______ that expresses an opinion about the reliability of the assertions contained in the financial statements.

    formal written report

  • 36

    expresses an opinion as to whether the financial statements are in conformity with generally accepted accounting principles (GAAP)

    auditor’s report

  • 37

    External users of financial statements are presumed to rely on the auditor’s opinion about the reliability of financial statements in making decisions. To do so, users must be able to place their trust in the auditor’s: (4)

    1. competence 2. professionalism 3. integrity 4. independence

  • 38

    Auditing standards are divided into three classes:

    1. general qualification standards 2. fieldwork standards 3. reporting standards

  • 39

    establishes a framework for prescribing auditor performance, but it is not sufficiently detailed to provide meaningful guidance in specific circumstances.

    GAAS

  • 40

    issues Statements on Auditing Standards (SASs) as authoritative interpretations of GAAS.

    American Institute of Certified Public Accountants (AICPA)

  • 41

    are often referred to as auditing standards, or GAAS, although they are not the ten generally accepted auditing standards.

    SASs

  • 42

    General Standards

    1. Technical training and proficiency 2. Independence 3. Professional due care

  • 43

    Standards of Field Work

    1. Planning 2. Internal control consideration 3. Evidential matter

  • 44

    Reporting Standards

    1. GAAP 2. Inconsistency 3. Disclosure 4. Opinion

  • 45

    are regarded as authoritative pronouncements because every member of the profession must follow their recommendations or be able to show why a SAS does not apply in a given situation. The burden of justifying departures from the SASs falls upon the individual auditor.

    Statements on Auditing Standards (SASs)

  • 46

    Conducting an audit is a ________ process that applies to all forms of information systems.

    systematic and logical

  • 47

    The organization’s financial statements reflect a set of _________ about the financial health of the entity. The task of the auditor is to determine whether the financial statements are fairly presented.

    Management assertions

  • 48

    To accomplish this goal, the auditor establishes _______ that corroborate or refute management’s assertions. (3)

    1. audit objectives 2. designs procedures 3. gather evidence

  • 49

    These assertions fall into five general categories: (5)

    1. existence or occurrence 2. completeness 3. rights and obligations 4. valuation or allocation 5. presentation and disclosure

  • 50

    assertion affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred.

    existence or occurrence

  • 51

    assertion declares that no material assets, equities, or transactions have been omitted from the financial statements.

    completeness

  • 52

    assertion maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations.

    rights and obligations

  • 53

    assertion states that assets and equities are valued in accordance with GAAP and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis.

    valuation or allocation

  • 54

    assertion alleges that financial statement items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements.

    presentation and disclosure

  • 55

    Audit objectives may be classified into two general categories. (2)

    1. relate to transactions and account balances 2. pertains to information system itself

  • 56

    Evidence is collected by performing _______ which establish whether internal controls are functioning properly and ________ which determine whether accounting databases fairly reflect the organization’s transactions and account balances.

    tests of controls substantive tests

  • 57

    The audit report contains, among other things, an

    opinion

  • 58

    is distributed along with the financial report to interested parties both internal and external to the organization.

    audit opinion

  • 59

    is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated.

    audit risk

  • 60

    may be caused by errors or irregularities or both.

    material misstatements

  • 61

    are unintentional mistakes.

    errors

  • 62

    are intentional misrepresentations associated with the commission of a fraud such as the misappropriation of physical assets or the deception of financial statement users.

    irregularities

  • 63

    is estimated based on the ex ante value of the components of the audit risk model.

    Acceptable audit risk (AR)

  • 64

    AR = IR × CR × DR

    inherent risk control risk detection risk

  • 65

    is associated with the unique characteristics of the business or industry of the client.

    inherent risk

  • 66

    is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.

    control risk

  • 67

    is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.

    detection risk

  • 68

    The audit risk model

    AR = IR × CR × DR

  • 69

    are auditing techniques used for reducing audit risk to an acceptable level.

    tests of controls and substantive tests

  • 70

    are labor intensive and time-consuming, they drive up audit costs and exacerbate the disruptive effects of an audit.

    substantive test

  • 71

    is the culmination of a systematic financial audit process that involves three conceptual phases: audit planning, tests of controls, and substantive testing.

    auditor’s opinion

  • 72

    The first step in the IT audit is

    audit planning

  • 73

    The techniques for gathering evidence at this phase include: (4)

    1. conducting questionnaires 2. interviewing management 3. reviewing systems documentation 4. observing activities

  • 74

    phase is to determine whether adequate internal controls are in place and functioning properly.

    test of controls

  • 75

    The evidence-gathering techniques used in this phase may include both: (2)

    manual techniques specialized computer audit techniques

  • 76

    The third phase of the audit process focuses on financial data. This phase involves a detailed investigation of specific account balances and transactions through what are called

    substantive tests

  • 77

    Some substantive tests are physical, labor-intensive activities, such as: (3)

    1. counting cash 2. counting inventories in the warehouse 3. verifying the existence of stock certificates

  • 78

    In an IT environment, the data needed to perform substantive tests (such as account balances and names and addresses of individual customers) are contained in data files that often must be extracted using:

    Computer-Assisted Audit Tools and Techniques (CAATTs) software

  • 79

    is required by law to establish and maintain an adequate system of internal control.

    organization management

  • 80

    which had two main objectives: (1) require that investors receive financial and other significant information concerning securities being offered for public sale; and (2) prohibit deceit, misrepresentations, and other fraud in the sale of securities.

    Securities Act of 1933

  • 81

    The second act, the ________ created the Securities and Exchange Commission (SEC) and empowered it with broad authority over all aspects of the securities industry, which included authority regarding auditing standards.

    securities and exchange act of 1934

  • 82

    This law, which has had multiple revisions, added software and other intellectual properties into the existing copyright protection laws.

    copyright law- 1976

  • 83

    Corporate management has not always lived up to its internal control responsibility. With the discovery that U.S. business executives were using their organizations’ funds to bribe foreign officials, internal control issues, formerly of little interest to stockholders, quickly became a matter of public concern.

    Foreign Corrupt Practices Act of 1977 (FCPA)

  • 84

    Following the series of S&L scandals of the 1980s, a committee was formed to address these frauds. Originally, the committee took the name of its chair, Treadway, but eventually the project became known as

    COSO (Committee of Sponsoring Organizations)

  • 85

    The sponsoring organizations included: (5)

    1. Financial Executives International (FEI) 2. Institute of Management Accountants (IMA) 3. American Accounting Association (AAA) 4. AICPA 5. IIA

  • 86

    As a result of several large financial frauds (e.g., Enron, Worldcom, Adelphia, etc.) and the resulting losses suffered by stockholders, pressure was brought by the U.S. Congress to protect the public from such events. This led to the passage of the

    Sarbanes Oxley Act of 2002

  • 87

    requires that corporate management (including the CEO) certify their organization’s internal controls on a quarterly and annual basis. Section 302 also carries significant auditor implications.

    Section 302

  • 88

    Specifically, external auditors must perform the following procedures quarterly to identify any material modifications in controls that may impact financial reporting:

    1. Interview management regarding any significant changes in the design or operation of internal control that occurred subsequent to the preceding annual audit or prior review of interim financial information. 2. Evaluate the implications of misstatements identified by the auditor as part of the interim review that relate to effective internal controls. 3. Determine whether changes in internal controls are likely to materially affect internal control over financial reporting.

  • 89

    requires the management of public companies to assess the effectiveness of their organization’s internal controls.

    Section 304

  • 90

    This entails providing an annual report addressing the following points:

    1. Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise. 2. Using a risk-based approach, assess both the design and operating effectiveness of selected internal controls related to material accounts. 3. Assess the potential for fraud in the system and evaluate the controls designed to prevent or detect fraud. 4. Evaluate and conclude on the adequacy of controls over the financial statement reporting process. 5. Evaluate entity-wide (general) controls that correspond to the components of the COSO framework.

  • 91

    An organization’s internal control system comprises policies, practices, and procedures to achieve four broad objectives:

    1. To safeguard assets of the firm. 2. To ensure the accuracy and reliability of accounting records and information. 3. To promote efficiency in the firm’s operations. 4. To measure compliance with management’s prescribed policies and procedures.

  • 92

    This concept holds that the establishment and maintenance of a system of internal control is a management responsibility.

    management responsibility

  • 93

    The internal control system should achieve the four broad objectives regardless of the data processing method used (whether manual or computer based). However, the specific techniques used to achieve these objectives will vary with different types of technology.

    methods of data processing

  • 94

    Every system of internal control has limitations on its effectiveness. These include: (4)

    1. the possibility of error 2. circumvention 3. management override 4. changing condition

  • 95

    The internal control system should provide _______ that the four broad objectives of internal control are met.

    reasonable assurance

  • 96

    Three levels of control:

    1. preventive 2. detective 3. corrective

  • 97

    is the first line of defense in the control structure.

    prevention

  • 98

    are passive techniques designed to reduce the frequency of occurrence of undesirable events.

    preventive controls

  • 99

    are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.

    detective controls

  • 100

    must be taken to reverse the effects of detected errors.

    corrective actions


    問題一覧

  • 1

    have had a tremendous impact on the field of auditing.

    Information Technology

  • 2

    Different types of audits

    1. external (financial audit) 2. internal audits 3. fraud audits

  • 3

    is an independent attestation performed by an expert—the auditor— who expresses an opinion regarding the presentation of financial statements.

    external audit

  • 4

    is performed by Certified Public Accountants (CPA) who work for public accounting firms that are independent of the client organization being audited.

    attest service/ external audit

  • 5

    These audits are, therefore, often referred to as financial audits.

    external audit

  • 6

    requires all publicly traded companies be subject to a financial audit annually.

    SEC

  • 7

    CPAs conducting such audits represent the interests of outsiders: (4)

    1. stockholders 2. creditors 3. government agencies 4. the general public

  • 8

    A key concept in this process is

    independence

  • 9

    The external auditor must follow strict rules in conducting financial audits. These authoritative rules have been defined by: (4)

    1. SEC 2. FASB 3. AICPA 4. Sarbanes-Oxley Act of 2002

  • 10

    which has to a great extent replaced the function served by the FASB, and some of the functions of the AICPA

    Public Company Accounting Oversight Board (PCAOB)

  • 11

    an engagement in which a practitioner is engaged to issue, or does issue, a writ- ten communication that expresses a conclusion about the reliability of a written as- sertion that is the responsibility of another party.

    attest service

  • 12

    following requirements apply to attestation services: (3)

    1. require written assertions and a practitioner’s written report. 2. require the formal establishment of measurement criteria or their description in the presentation. 3. The levels of service in attestation engagements are limited to examination, review, and application of agreed-upon procedures.

  • 13

    are professional services offered by public accounting firms to im- prove their client organizations’ operational efficiency and effectiveness.

    advisory services

  • 14

    advisory services include: (5)

    1. Actuarial advice 2. business advice 3. fraud investigation 4. information system design and implementation 5. internal control assessments for compliance with SOX

  • 15

    It is now unlawful for a registered public accounting firm that is currently providing attest services for a client to provide the following services: (8)

    1. bookkeeping or other services related 2. financial information systems design and implementation 3. appraisal or valuation services 4. actuarial services 5. internal audit outsourcing services 6. management functions or human resources 7. broker or dealer 8. legal services and expert services related to the audit.

  • 16

    The advisory services units of public accounting firms responsible for providing IT control-related client support have different names in different firms, but they all engage in tasks known collectively as:

    IT risk management

  • 17

    These groups often play a dual role within their respective firms; they provide nonaudit clients with IT advisory services and also work with their firm’s financial audit staff to perform IT-related tests of controls as part of the attestation function.

    IT risk management

  • 18

    The Institute of Internal Auditors (IIA) defines_____as an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.

    internal auditing

  • 19

    Internal auditors perform a wide range of activities on behalf of the organization, including: (5) (CERED)

    1. conducting financial audits 2. examining an operations compliance with organizational policies 3. reviewing the organization’s compliance with legal obligations 4. evaluating operational efficiency 5. detecting and pursuing fraud with the firm

  • 20

    is typically conducted by auditors who work for the organization, but this task may be outsourced to other organizations:

    internal audit

  • 21

    Internal auditors are often: (2)

    1. Certified Internal Auditor (CIA) 2. Certified Information Systms auditor (CISA)

  • 22

    These auditors generally answer to executive management of the organization or the audit committee of the board of directors, if one exists.

    internal auditors

  • 23

    The standards, guidance, and certification of internal audits are governed mostly by the: (2)

    1. Institute of Internal Auditors (IIA) 2. Information Systems Audit and Control Association (ISACA)

  • 24

    The characteristic that conceptually distinguishes external auditors from internal auditors is their respective

    constituencies

  • 25

    Represent Outsiders

    external auditors

  • 26

    Represents the interest of the organization

    external auditors

  • 27

    have, unfortunately, increased in popularity as a corporate governance tool. They have been thrust into prominence by a corporate environment in which both employee theft of assets and major financial frauds by management (e.g., Enron, WorldCom, etc.)

    Fraud Audit

  • 28

    The objective of a fraud audit is to: (2)

    1. investigate anomalies 2. gather evidence of fraud

  • 29

    Typically, fraud auditors have earned the: (2)

    1. Certified Fraud Examiner certification (CFE) 2. Association of Certified Fraud Examiners (ACFE)

  • 30

    The board of directors of publicly traded companies form a subcommittee known as the: _____ which has special responsibilities regarding audits.

    audit committee

  • 31

    This committee usu- ally consists of three people who should be outsiders (not associated with the families of executive management nor former officers, etc.

    audit committee

  • 32

    With the advent of the Sarbanes-Oxley Act, at least one member of the audit committee must be a:

    financial expert

  • 33

    serves as an independent “check and balance” for the internal audit function and liaison with external auditors.

    audit committee

  • 34

    often have some bearing on audit committee failures. These include lack of independence of audit committee members, inactive audit committees, total absence of an audit committee, and lack of experienced members on the audit committee.

    corporate fraud

  • 35

    The product of the attestation function is a ______ that expresses an opin- ion about the reliability of the assertions contained in the financial statements.

    formal written report

  • 36

    expresses an opinion as to whether the financial statements are in conformity with generally accepted accounting principles (GAAP)

    auditor’s report

  • 37

    external users of financial state- ments are presumed to rely on the auditor’s opinion about the reliability of financial statements in making decisions. To do so, users must be able to place their trust in the auditor’s: (4)

    1. competence 2. professionalism 3. integrity 4. independence

  • 38

    Auditing standards are divided into three classes:

    1. general qualification standards 2. fieldwork standards 3. reporting standards

  • 39

    establishes a framework for prescribing auditor performance, but it is not sufficiently detailed to provide meaningful guidance in specific circumstances.

    GAAS

  • 40

    issues Statements on Auditing Standards (SASs) as authori- tative interpretations of GAAS.

    American Institute of Certified Public Accountants (AICPA)

  • 41

    are often referred to as auditing standards, or GAAS, although they are not the ten generally accepted auditing standards.

    SASs

  • 42

    General Standards

    1. Technical training and proficiency 2. Independence 3. Professional due care

  • 43

    Standards of Field Work

    1. Planning 2. Internal control consideration 3. Evidential matter

  • 44

    Reporting Standards

    1. GAAP 2. Inconsistency 3. Disclosure 4. Opinion

  • 45

    are regarded as authoritative pronouncements be- cause every member of the profession must follow their recommendations or be able to show why a SAS does not apply in a given situation. The burden of justifying departures from the SASs falls upon the individual auditor.

    Statements on Auditing Standards (SASs)

  • 46

    Conducting an audit is a ________process that applies to all forms of information systems.

    systematic and logical

  • 47

    The organization’s financial statements reflect a set of _________about the financial health of the entity. The task of the auditor is to determine whether the finan- cial statements are fairly presented.

    Management assertions

  • 48

    To accomplish this goal, the auditor establishes _______ that corroborate or refute management’s assertions. (3)

    1. audit objectives 2. designs procedures 3. gather evidence

  • 49

    These assertions fall into five general categories: (5)

    1. existence or occurrence 2. completeness 3. rights and obligations 4. valuation or allocation 5. presentation and disclosure

  • 50

    assertion affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred.

    existence or occurrence

  • 51

    assertion declares that no material assets, equities, or transactions have been omitted from the financial statements.

    completeness

  • 52

    assertion maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations.

    rights and obligations

  • 53

    assertion states that assets and equities are valued in accordance with GAAP and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis.

    valuation or allocation

  • 54

    assertion alleges that financial statement items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements.

    presentation and disclosure

  • 55

    Audit objectives may be classified into two general categories. (2)

    1. relate to transactions and account balances 2. pertains to information system itself

  • 56

    Evidence is collected by performing _______ which establish whether internal controls are functioning properly and ________ which determine whether accounting databases fairly reflect the organization’s transactions and account balances.

    tests of controls substantive tests

  • 57

    The audit report contains, among other things, an

    opinion

  • 58

    is distributed along with the financial report to interested parties both internal and external to the organization.

    audit opinion

  • 59

    is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated.

    audit risk

  • 60

    may be caused by errors or irregularities or both.

    material misstatements

  • 61

    are unintentional mistakes.

    errors

  • 62

    are intentional misrepresentations associated with the commission of a fraud such as the misappropriation of physical assets or the deception of financial statement users.

    irregularities

  • 63

    is estimated based on the ex ante value of the components of the audit risk model.

    Acceptable audit risk (AR)

  • 64

    AR= IR x CR x DR

    inherent risk control risk detection risk

  • 65

    is associated with the unique characteristics of the business or industry of the client.

    inherent risk

  • 66

    is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.

    control risk

  • 67

    is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor.

    detection risk

  • 68

    The audit risk model

    AR= IR X CR X DR

  • 69

    are auditing techniques used for reducing audit risk to an acceptable level.

    tests of controls and substantive tests

  • 70

    are labor intensive and time-consuming, they drive up audit costs and exacerbate the disruptive effects of an audit.

    substantive test

  • 71

    is the culmination of a systematic financial audit process that involves three conceptual phases: audit planning, tests of controls, and substantive testing.

    auditor’s opinion

  • 72

    The first step in the IT audit is

    audit planning

  • 73

    The techniques for gathering evidence at this phase include: (4)

    1. conducting questionnaires 2. interviewing management 3. reviewing systems documentation 4. observing activities

  • 74

    phase is to determine whether adequate internal controls are in place and functioning properly.

    test of controls

  • 75

    The evidence-gathering techniques used in this phase may include both: (2)

    manual techniques specialized computer audit techniques

  • 76

    The third phase of the audit process focuses on financial data. This phase involves a detailed investigation of specific account balances and transactions through what are called

    substantive tests

  • 77

    Some substantive tests are physical, labor-intensive activities, such as: (3)

    1. counting cash 2. counting inventories in the warehouse 3. verifying the existence of stock certificates

  • 78

    In an IT environment, the data needed to perform substantive tests (such as account balances and names and addresses of individual customers) are contained in data files that often must be extracted using:

    Computer-Assisted Audit Tools and Techniques (CAATTs) software

  • 79

    is required by law to establish and maintain an adequate system of internal control.

    organization management

  • 80

    which had two main objectives: (1) require that investors receive financial and other significant information concerning securities being offered for public sale; and (2) prohibit deceit, misrepresentations, and other fraud in the sale of securities.

    Securities Act of 1933

  • 81

    The second act, the ________ created the Securities and Exchange Commission (SEC) and empowered it with broad authority over all aspects of the securities industry, which included authority regarding auditing standards.

    securities and exchange act of 1934

  • 82

    This law, which has had multiple revisions, added software and other intellectual properties into the existing copyright protection laws.

    copyright law- 1976

  • 83

    Corporate management has not always lived up to its internal control responsibility. With the discovery that U.S. business executives were using their organizations’ funds to bribe foreign officials, internal control issues, formerly of little interest to stockholders, quickly became a matter of public concern.

    Foreign Corrupt Practices Act of 1977 (FCPA)

  • 84

    Following the series of S&L scandals of the 1980s, a committee was formed to address these frauds. Originally, the committee took the name of its chair, Treadway, but eventually the project became known as

    COSO (Committee of Sponsoring Organizations)

  • 85

    The sponsoring organizations included: (5)

    1. Financial Executives International (FEI) 2. Institute of Management Accountants (IMA) 3. American Accounting Association (AAA) 4. AICPA 5. IIA.

  • 86

    As a result of several large financial frauds (e.g., Enron, Worldcom, Adelphia, etc.) and the resulting losses suffered by stockholders, pressure was brought by the U.S. Congress to protect the public from such events. This led to the passage of the

    Sarbanes Oxley Act of 2002

  • 87

    requires that corporate management (including the CEO) certify their organization’s internal controls on a quarterly and annual basis. Section 302 also carries significant auditor implications.

    Section 302

  • 88

    Specifically, external auditors must perform the following procedures quarterly to identify any material modifications in controls that may impact financial reporting:

    1. Interview management regarding any significant changes in the design or operation of internal control that occurred subsequent to the preceding annual audit or prior review of interim financial information. 2. Evaluate the implications of misstatements identified by the auditor as part of the interim review that relate to effective internal controls. 3. Determine whether changes in internal controls are likely to materially affect internal control over financial reporting.

  • 89

    requires the management of public companies to assess the effectiveness of their organization’s internal controls.

    Section 304

  • 90

    This entails providing an annual report addressing the following points:

    1. Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise. 2. Using a risk-based approach, assess both the design and operating effectiveness of selected internal controls related to material accounts. 3. Assess the potential for fraud in the system and evaluate the controls designed to prevent or detect fraud. 4. Evaluate and conclude on the adequacy of controls over the financial statement reporting process. 5. Evaluate entity-wide (general) controls that correspond to the components of the COSO framework.

  • 91

    An organization’s internal control system comprises policies, practices, and procedures to achieve four broad objectives:

    1. To safeguard assets of the firm. 2. To ensure the accuracy and reliability of accounting records and information. 3. To promote efficiency in the firm’s operations. 4. To measure compliance with management’s prescribed policies and procedures.

  • 92

    This concept holds that the establishment and maintenance of a system of internal control is a management responsibility.

    management responsibility

  • 93

    The internal control system should achieve the four broad objectives regardless of the data processing method used (whether manual or computer based). However, the specific techniques used to achieve these objectives will vary with different types of technology.

    methods of data processing

  • 94

    Every system of internal control has limitations on its effectiveness. These include: (4)

    1. the possibility of error 2. circumvention 3. management override 4. changing condition

  • 95

    The internal control system should provide _______ that the four broad objectives of internal control are met.

    reasonable assurance

  • 96

    Three levels of control:

    1. preventive 2. detective 3. corrective

  • 97

    is the first line of defense in the control structure.

    prevention

  • 98

    are passive techniques designed to reduce the frequency of occurrence of undesirable events.

    preventive controls

  • 99

    are devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls.

    detective controls

  • 100

    must be taken to reverse the effects of detected errors.

    corrective actions