Auditing
Introduction to Auditing IT process
Assurance services - accounting services that improve the quality of information
Audit is most common
Types of Audits and Auditors
Main purpose of the audit is to assure users of financial information about the accuracy and completeness of the information
4 primary types of audits:
Compliance
Operational
Financial statement
Information systems (IT) audits
Audits are typically conducted by accountants
CPA
Internal auditor - rotational and serve 2 - 3 years
IT auditors
IT environment plays key role in how auditors conduct their work in following areas:
Consideration of risk
Audit procedures used to obtain knowledge of accounting and internal control systems
Design and performance of audit tests
Government auditors
Risk and IT-Enhanced Internal Control
Information risk is the chance that information used by decision makers may be inaccurate
Following are some causes of information risk:
Remoteness of information
Volume and complexity of underlying data
Motive of the preparer
Authoritative Literature used in Auditing
Sources of authoritative literature
Generally accepted auditing standards (GAAS)
Public company accounting oversight board (PCAOB)
Auditing standards board (ASB)
International Audit and assurance standards board (IAASB)
Internal auditing standards board (IASB)
Information systems Audit and Control association (ISACA)
Management Assertions and Audit Objectives
Responsibility for operations, compliance, and financial reporting lies with management of the company
Management assertions are claims regarding the condition of the business in terms of its operations, financial results, and compliance with laws and regulations
Audit tests developed for an audit client are documented in an audit program
Phases of an IT audit
There are four primary phases to an IT audit:
Planning
Test of controls
Substantive tests
Audit completion/reporting
Audit Planning:
Auditors gain a thorough understanding of the company’s business and financial reporting systems
Auditors review and assess the risks and controls, establish materiality guidelines, and develop relevant tests addressing the objectives
In determining materiality, auditors estimate the monetary amounts that are large enough to make a difference in decision making
Audit evidence:
Is proof of the fairness of financial information. Techniques for gathering evidence:
Physically examining or inspecting assets or supporting documentation
Obtaining written confirmations from an independent source
Reperforming tasks or recalculating information
Observing the underlying activities
Making inquiries of company personnel
Controls Testing
Tests of controls can be developed to evaluate whether the controls are actually performing effectively
Substantive testing
The auditor's evaluations of monetary amounts
Transactions
Account balances
Audit Completion/Reporting
Auditors evaluate all of the evidence that has been accumulated and analyzed
Draw conclusions
Use of Computers in Audits
Auditing around the computer
Auditing through the computer
Auditing with the computer
Computer assisted audit techniques
Tests of Controls
Involve audit procedures designed to evaluate both general controls and application controls
General controls
Two broad categories of general controls that relate to IT systems
IT administration and related operating systems development and maintenance processes
security controls and related access issues
IT administration
Audit tests include review for the existence and communication of company policies regarding:
Personal accountability and segregation of incompatible responsibilities
Job descriptions and clear lines of authority
Computer security and virus protection
Security controls
To test external access controls, auditors may perform:
Authenticity tests
Penetration tests
Vulnerability assessments
Review access logs to identify unauthorized users or failed access attempts
Application Controls
Computerized controls over application programs
Auditors should test:
Systems documentation
Main functions of the computer applications
Input controls
Financial totals, such as control totals and batch totals
Hash totals
Completeness or redundancy tests, record counts and sequence checks
Limit tests
Validation checks
Field checks
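Added example, not part of the original notes: a short Python sketch of how the input controls listed above flag a bad batch (control total, hash total, record count, sequence check, limit test, field check). The batch header values, the 1000.00 limit and the records are constructed for illustration.

```python
from decimal import Decimal

# Constructed batch header: totals recorded by the preparer before data entry.
HEADER = {"record_count": 5, "control_total": Decimal("2075.50"), "hash_total": 50150}
LIMIT = Decimal("1000.00")  # assumed per-transaction ceiling for the limit test

# Constructed batch as keyed in: (sequence number, account number, amount).
BATCH = [
    (101, "10010", "250.00"),
    (102, "10020", "400.00"),
    (104, "10040", "1200.00"),  # 103 was dropped; amount is over the limit
    (105, "1005O", "75.50"),    # letter O typed into a numeric field
]

def missing_in_sequence(numbers):
    """Sequence check: numbers absent between the lowest and highest seen."""
    seen = set(numbers)
    if not seen:
        return []
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)

def check_batch(header, batch, limit):
    """Return (control, detail) exceptions found in one input batch."""
    found = []
    amount_sum, account_sum = Decimal("0"), 0
    for seq, account, amount in batch:
        value = Decimal(amount)
        amount_sum += value
        if account.isascii() and account.isdigit():
            account_sum += int(account)
        else:  # field check: the account field must contain digits only
            found.append(("field check", f"seq {seq}: account {account!r}"))
        if value > limit:  # limit test: amount above the authorised ceiling
            found.append(("limit test", f"seq {seq}: {value} > {limit}"))
    gaps = missing_in_sequence(seq for seq, _, _ in batch)
    if gaps:
        found.append(("sequence check", f"missing {gaps}"))
    if len(batch) != header["record_count"]:
        found.append(("record count", f"{len(batch)} != {header['record_count']}"))
    if amount_sum != header["control_total"]:  # financial (batch) total
        found.append(("control total", f"{amount_sum} != {header['control_total']}"))
    if account_sum != header["hash_total"]:  # sum with no financial meaning
        found.append(("hash total", f"{account_sum} != {header['hash_total']}"))
    return found

if __name__ == "__main__":
    for control, detail in check_batch(HEADER, BATCH, LIMIT):
        print(f"{control:15} {detail}")
```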
Processing controls
Test data method
Program tracing and tagging
Program mapping
Integrated test facility
Parallel simulation
Embedded audit modules
Output controls
Reasonableness tests
Audit trail tests
Rounding error test
Tests of Transactions and Balances
Substantive testing - tests of accuracy of monetary amounts of transactions and account balances
Computerized auditing tools make it possible for more efficient audit tests such as:
Mathematical and statistical calculations
Data queries
Identification of missing items in a sequence
Stratification and comparison of data items
Selection of items of interest from the data files
Summarization of testing results into a useful format for decision making
Robotic Process Automation (RPA)
Automation of structured, repetitive processes
AI
Decision making
Problem solving
Visual perception tasks
Audit completion/reporting
Four basic types of reports:
Unqualified opinion
Qualified opinion
Adverse opinion
Disclaimer
Most important task is obtaining a letter of representations from client management
Other Audit Considerations
Different IT environments:
Some audit techniques used to test controls specifically in the use of PCs:
Make sure that PCs and removable hard drives are locked in place to ensure physical security
Programs and data files should be password protected
Make sure computer programmers do not have access to systems operations
Software programs should not permit the users to make program changes
Ascertain that computer generated reports are regularly reviewed by management
Determine the frequency of backup procedures
Verify the use of antivirus software and the frequency of virus scans
Using PCs, companies may use IT environments that involve
Networks
Database management systems
E-commerce systems
Cloud computing and/or
Other forms of IT outsourcing
Changes in a Client’s IT environment
Auditors must consider whether additional audit testing is needed. Specific audit tests include verification of:
Assessment of user needs
Authorization for new programs and program changes
Adequate feasibility study and cost benefit analysis
Proper design documentation
Proper user instructions
Adequate testing before system is put into use
Sampling
Test a limited number of items or transactions and then draw conclusions about the balance as a whole on the basis of the results
Auditors try to use sampling so that a fair representation of the population is evaluated
Choosing an appropriate sampling technique is very subjective
Population testing
Evaluate entire populations using continuous auditing
Ethical Issues Related to Auditing
PCAOB/AICPA six principles of code:
Responsibilities
Public interest
Integrity
Objectivity and independence
Due care
Scope and nature of services
SoX act placed restrictions on auditors by prohibiting certain types of services:
Auditors can no longer perform IT design and implementation services for companies which are also audit clients
Requires public companies to have an audit committee as a subcommittee of the board of directors
Requires top management to verify in writing that the financial statements are fairly stated and that the company has adequate internal controls over financial reporting
Auditors must practice professional skepticism
Professional skepticism - auditors should not automatically assume that their clients are honest, but must have a questioning mind and a persistent approach to evaluating evidence for possible misstatements
Auditors should:
Examine financial reporting for unauthorized or unusual entries
Review estimated information and changes in financial reporting for possible biases
Determine a reasonable business purpose for all significant transactions