Review Questions - Review Questions 1. What is the purpose of an I...

Testbanks Dec 29, 2025 ★★★★★ (5.0/5)

Chapter 1 Auditing and Internal Control

Review Questions

  • What is the purpose of an IT audit?
  • Response: The purpose of an IT audit is to provide an independent assessment of some technology- or systems-related object, such as proper IT implementation, or controls over computer resources. Because most modern accounting information systems use IT, IT plays a significant role in a financial (external) audit, where the purpose is to determine the fairness and accuracy of the financial statements.

  • Discuss the concept of independence within the context of a financial audit. How is independence different for internal auditors?
  • Response: The auditor cannot be an advocate of the client, but must independently attest to whether GAAP and other appropriate guidelines have been adequately met. Independence for internal auditors is different because they are employed by the organization, and cannot be as independent as the external auditor. Thus internal auditors must use professional judgment and independent minds in performing IA activities.

  • What are the conceptual phases of an audit? How do they differ between general auditing and IT auditing?
  • Response: The three conceptual phases of auditing are:

      i. Audit planning,
      ii. Tests of internal controls, and
      iii. Substantive tests.

    Conceptually, no difference exists between IT auditing and general auditing. IT auditing is typically a subset of the overall audit; the portion that involves computer technology is the subset.

  • Distinguish between the internal and external auditors.
  • Response: External auditors represent the interests of third-party stakeholders in the organization, such as stockholders, creditors, and government agencies. External auditing is conducted by certified public accountants who are independent of the organization’s management. Internal auditors represent the interests of management. Internal auditing tasks include conducting financial audits, examining an operation’s compliance with legal obligations, evaluating operational efficiency, detecting and pursuing fraud within the firm, and conducting IT audits. External auditors also conduct IT audits as a subset of financial audits.

  • What are the four primary elements described in the definition of auditing?

  • Response:

      a. auditing standards
      b. systematic process
      c. management assertions and audit objectives
      d. obtaining evidence

  • Explain the concept of materiality.
  • Response: Materiality refers to the size of the effect of a transaction. From a cost-benefit point of view, a threshold is set above which the auditor is concerned with the correct recording and effects of transactions. Rather than using standard formulas, auditors use their professional judgment to determine materiality.

(Information Technology Auditing 3e James A. Hall) (Solution Manual)

  • How does the Sarbanes-Oxley Act of 2002 affect management’s responsibility for internal controls?
  • Response: The Sarbanes-Oxley Act (S-OX) specifically holds management responsible for internal controls. S-OX requires an annual report on internal controls that is the responsibility of management; external auditors must attest to the integrity of the report. Management must assess the effectiveness of the internal control structure and procedures for financial reporting as of the end of the most recent fiscal year and identify any control weaknesses. An attestation by external auditors reports on management’s assessment statement.

  • What are the four broad objectives of internal control?

  • Response:

      • to safeguard the assets of the firm
      • to ensure the accuracy and reliability of accounting records and information
      • to promote efficiency in the firm’s operations
      • to measure compliance with management’s prescribed policies and procedures

  • What are the four modifying assumptions that guide designers and auditors of internal control systems?
  • Response: Management responsibility, reasonable assurance, methods of data processing, and limitations.

  • Give an example of a preventive control.
  • Response: Locked doors, passwords, and data-entry controls for each field (e.g., range checks).

  • Give an example of a detective control.
  • Response: A log of users, a comparison with computer totals and batch totals.

  • Give an example of a corrective control.
  • Response: Manual procedures to correct a batch that is not accepted because of an incorrect social security number. A clerical worker would need to investigate and determine either the correct hash total or the correct social security number that should be entered. A responsible party is then needed to read exception reports and follow up on anomalies.

  • What are the five internal control components described in the COSO framework?

  • Response:

      • Control Environment
      • Risk Assessment
      • Information and Communication
      • Monitoring
      • Control Activities

  • What are the six broad classes of control activities defined by COSO?
  • Response: The six broad classes of control activities defined by COSO are:

  • transaction authorization,
  • segregation of duties,
  • supervision,
  • accounting records,
  • access control, and
  • independent verification.

  • Give an example of independent verification.
  • Response:

      • the reconciliation of batch totals at periodic points during transaction processing
      • the comparison of physical assets with accounting records
      • the reconciliation of subsidiary accounts with control accounts
      • reviews by management of reports that summarize business activity
      • periodic audits by independent external auditors
      • periodic audits by internal auditors

  • Differentiate between general and application controls. Give two examples of each.
  • Response: General controls apply to a wide range of exposures that systematically threaten the integrity of all applications processed within the IT environment. Some examples of general controls would be controls against viruses and controls to protect the hardware from vandalism. Application controls are narrowly focused on risks within specific systems. Some examples of application controls would be a control to make sure that each employee receives only one paycheck per pay period and a control to ensure that each invoice gets paid only once.

  • Distinguish between tests of controls and substantive testing.
  • Response: The tests of controls phase involves determining whether internal controls are in place and whether they function properly. The substantive testing phase involves a detailed investigation of specific account balances and transactions.

  • Define audit risk.
  • Response: Audit risk is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated.

  • Distinguish between errors and irregularities. Which do you think concern auditors the most?
  • Response: Errors are unintentional mistakes whereas irregularities are intentional misrepresentations to perpetrate a fraud or mislead the users of financial statements. Errors are a concern if they are numerous or sizable enough to cause the financial statements to be materially misstated. All processes that involve human actions are highly susceptible to some amount of human error. Computer processes should contain errors only if the programs are erroneous, if systems operating procedures are not being closely and competently followed, or if some unusual system malfunction has corrupted data. Errors are typically much easier to uncover than misrepresentations. Thus auditors typically are more concerned about whether they have uncovered any and all irregularities. Also, due to SAS No. 99 and Sarbanes-Oxley, auditors are much more concerned with fraud (irregularities) than before.

  • Distinguish between inherent risk and control risk. How do internal controls affect inherent risk and control risk, if at all? What is the role of detection risk?
  • Response: Inherent risk is associated with the unique characteristics of the business or industry of the client. Firms in declining industries are considered to have more inherent risk than firms in stable or thriving industries. Auditors cannot reduce inherent risk, which is not affected by internal controls. Even in a system protected by excellent controls, financial data can be misstated.

    Control risk is the likelihood that the control structure is flawed because internal controls are either absent or inadequate to prevent or detect errors in the accounts. Auditors assess the level of control risk by performing tests of internal controls. Internal control does, however, directly impact control risk. The more effective the internal controls that are in place, the lower the level of assessed control risk.

    Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditors. Typically, detection risk will be lower for firms with higher inherent risk and control risk.

  • What is the relationship between tests of controls and substantive tests?
  • Response: The relationship between tests of controls and substantive tests is directly related to the auditor’s risk assessment. The stronger the internal controls, the less substantive testing the auditor must do.

  • SOX contains many sections. Which sections does this chapter focus on?
  • Response: This chapter concentrates on internal control and audit responsibilities pursuant to SOX Sections 302 and 404.

  • What control framework does the PCAOB recommend?
  • Response: The PCAOB recommends the use of COSO as the framework for control assessment.

  • COSO identifies two broad groupings of information system controls. What are they?
  • Response: The two broad groupings of information system controls identified by COSO are application controls and general controls.

  • What are the objectives of application controls?
  • Response: The objectives of application controls are to ensure the validity, completeness, and accuracy of financial transactions.

  • Give three examples of application controls.
  • Response: Examples include:

      • A cash disbursements batch-balancing routine that verifies the total payments to vendors reconciles with the total postings to the accounts payable subsidiary ledger.
      • An account receivable check digit procedure that validates customer account numbers on sales transactions.
      • A payroll system limit check that identifies employee time card records with reported hours worked in excess of the predetermined normal limit.

  • Define general controls.
  • Response: General controls apply to all systems. They are not application specific. General controls include controls over IT governance, the IT infrastructure, security and access to operating systems and databases, application acquisition and development, and program changes.

  • What is the meaning of the term attest services?
  • Response: The attest service is an engagement in which a practitioner is engaged to issue a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party (SSAE No. 1, AT Sec. 100.01).

  • List four general control areas.
  • Response: The following are examples of general control areas:

  • IT Governance controls,
  • Security (data management controls),
  • Security (operating system and network controls),
  • systems development and program change controls,