12/9/2017

Auditing and Internal Control
Auditing in CIS Environment
Tue 1-4pm
Ronni Bulante

Objectives:

To emphasize the evolving role of the controller from a financial fact recorder to a strategic financial business adviser.
know the difference between attest and advisory services and be able to explain the relationship between the two;
explain the structure of an audit and have a firm grasp of the conceptual elements of the audit process;
explain internal control categories presented in the COSO framework;
discuss the key features of section 302 and 404 of the Sarbanes-Oxley Act; and
explain the relationship between general controls, application controls, and financial data integrity.

Objectives

explain the risks of incompatible functions and how to structure the IT function;
discuss the controls and precautions required to ensure the security of an organization's computer facilities;
explain the key elements of a disaster recovery plan; and
discuss the benefits, risks, and audit issues related to IT outsourcing.
explain the different approaches in data management; and
understand the relationship between controlling and auditing data management systems.

Auditing (AICPA)

Auditing is a systematic process of objectively obtaining evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between these assertions and established criteria and communicating the results to interested users.

Role of Financial Controller

https://www.huntercampbell.co.nz/changing-role-financial-controller/


Attest Function and Advisory Services

Attest function: An independent review of an audit conducted by an accountant. An attest function examines all the data used in the audit as well as the finished audit report. Conducted by a certified public accountant (CPA), it is intended to express an opinion on the accuracy of a company's financial statements.

Advisory services: A range of consulting services provided by Certified Public Accountants (CPA) and other financial advisors to businesses and high net worth individuals who require specialized advice on capital formation, cash flow and wealth management. Advisory clients pay fees based on services provided or as a percent of assets under management.

www.businessdictionary.com/definition/advisory-services.html

Relationship: Management assertions and Audit objectives

Audit : Structure and Elements of Process

Test of Controls and Substantive Test

Test of controls is an audit test of the effectiveness of the client's internal control system. Substantive procedures are audit tests of the reasonableness of items in the financial statements. ... If the internal controls are less effective, then the auditor will rely more on substantive tests.

COSO framework : Internal Control

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative to combat corporate fraud. It was established in the United States by five private sector organizations, dedicated to guide executive management and governance entities on relevant aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.

SOX : Sec 302 and 404

Section 302:
Corporate Responsibility for Financial Reports

The essence of Section 302 of the Sarbanes-Oxley Act states that the CEO and CFO are directly responsible for the accuracy, documentation and submission of all financial reports as well as the internal control structure to the SEC. Here is the direct excerpt from the Sarbanes-Oxley Act of 2002 report:

a. Regulations Required. The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934, that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that--
1. the signing officer has reviewed the report;
2. based on the officer's knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
3. based on such officer's knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;


SOX : Sec 302 and 404

4. the signing officers--
   A. are responsible for establishing and maintaining internal controls;
   B. have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
   C. have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report; and
   D. have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
5. the signing officers have disclosed to the issuer's auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)--
   A. all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls; and
   B. any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls; and
6. the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

SOX : Sec 302 and 404

SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly-traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness. The purpose of SOX is to reduce the possibilities of corporate fraud by increasing the stringency of procedures and requirements for financial reporting.

General Controls, Application Controls, & Financial Data Integrity

In an audit, general controls are controls that relate to the overall information processing environment and have a pervasive effect on the entity's computer operations.

Application control is a security practice that blocks or restricts unauthorized applications from executing in ways that put data at risk.

Data integrity is the maintenance of, and the assurance of the accuracy and consistency of, data over its entire life-cycle, and is a critical aspect to the design, implementation and usage of any system which stores, processes, or retrieves data.


Q1

Which statement is incorrect when auditing in a CIS environment?
A CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.
The auditor should consider how a CIS environment affects the audit.
The use of a computer changes the processing, storage and communication of financial information and may affect the accounting and internal control systems employed by the entity.
A CIS environment changes the overall objective and scope of an audit.

It relates to materiality of the financial statement assertions affected by the computer processing.
Threshold
Relevance
Complexity
Significance

Risk of fraud or error in on-line computer systems may be increased for the following reasons, except
If workstations are located throughout the entity, the opportunity for unauthorized use of a workstation and the entry of unauthorized transactions may increase.
Workstations may provide the opportunity for unauthorized uses such as modification of previously entered transactions or balances.
If on-line processing is interrupted for any reason, for example, due to faulty telecommunications, there may be a greater chance that transactions or files may be lost and that the recovery may not be accurate and complete.
If transactions are processed immediately on-line, there is less risk that they will be processed in the wrong accounting period.

The following matters are of particular importance to the auditor in an on-line computer system, except
Authorization, completeness and accuracy of on-line transactions.
Integrity of records and processing, due to on-line access to the system by many users and programmers.
Changes in the performance of audit procedures including the use of CAATs.
Cost-benefit ratio of installing on-line computer system.

The undesirable characteristics of on-line computer systems least likely include
Data are usually subjected to immediate validation checks.
Unlimited access of users to all of the functions in a particular application.
Possible lack of visible transaction trail.
Potential programmer access to the system.

System characteristics that may result from the nature of CIS processing include, except
Absence of input documents.
Lack of visible transaction trail.
Lack of visible output.
Difficulty of access to data and computer programs.


General CIS controls may include, except:
Organization and management controls.
Delivery and support controls.
Development and maintenance controls.
Controls over computer data files.

Which statement is incorrect regarding the review of general CIS controls and CIS application controls?
The auditor should consider how these general CIS controls affect the CIS applications significant to the audit.
General CIS controls that relate to some or all applications are typically interdependent controls in that their operation is often essential to the effectiveness of CIS application controls.
Control over input, processing, data files and output may be carried out by CIS personnel, by users of the system, by a separate control group, or may be programmed into application software.
It may be more efficient to review the design of the application controls before reviewing the general controls.

The applications of auditing procedures using the computer as an audit tool refer to
Integrated test facility
Auditing through the computer
Data-based management system
Computer assisted audit techniques

Which statement is incorrect regarding the evaluation of general CIS controls and CIS application controls?
The general CIS controls may have a pervasive effect on the processing of transactions in application systems.
If general CIS controls are not effective, there may be a risk that misstatements might occur and go undetected in the application systems.
Manual procedures exercised by users may provide effective control at the application level.
Weaknesses in general CIS controls cannot preclude testing certain CIS application controls.

Which one of the following represents a lack of internal control in a computer-based information system?
The design and implementation is performed in accordance with management's specific authorization.
Any and all changes in application programs have the authorization and approval of management.
Provisions exist to protect data files from unauthorized access, modification, or destruction.
Both computer operators and programmers have unlimited access to the programs and data files.

An employee in the receiving department keyed in a shipment from a remote terminal and inadvertently omitted the purchase order number. The best systems control to detect this error would be
Batch total
Sequence check
Completeness test
Reasonableness test


The most critical aspect regarding separation of duties within information systems is between
Project leaders and programmers
Programmers and systems analysts
Programmers and computer operators
Data control and file librarians

An auditor anticipates assessing control risk at a low level in a computerized environment. Under these circumstances, on which of the following procedures would the auditor initially focus?
Programmed control procedures
Output control procedures
Application control procedures
General control procedures

Internal control is ineffective when computer department personnel
Participate in computer software acquisition decisions.
Design documentation for computerized systems.
Originate changes in master file.
Provide physical security for program files.

From an audit viewpoint, which of the following represents a potential disadvantage associated with the widespread use of microcomputers?
Their portability.
Their ease of access by novice users.
Their easily developed programs using spreadsheets which do not have to be documented.
All of the above

Which of the following statements best describes a weakness often associated with computers?
Computer equipment is more subject to systems error than manual processing is subject to human error.
Computer equipment processes and records similar transactions in a similar manner.
Control activities for detecting invalid and unusual transactions are less effective than manual control activities.
Functions that would normally be separated in a manual system are combined in a computer system.

An auditor is preparing test data for use in the audit of a computer based accounts receivable application. Which of the following items would be appropriate to include as an item in the test data?
A transaction record which contains an incorrect master file control total
A master file record which contains an invalid customer identification number
A master file record which contains an incorrect master file control total
A transaction record which contains an invalid customer identification number


To ensure that goods received are the same as those shown on the purchase invoice, a computerized system should:
Match selected fields of the purchase invoice to goods received
Maintain control totals of inventory value
Calculate batch totals for each input
Use check digits in account numbers

The completeness of computer-generated sales figures can be tested by comparing the number of items listed on the daily sales report with the number of items billed on the actual invoices. This process uses
Check digits
Control totals
Validity tests
Process tracing data

Which of the following audit techniques most likely would provide an auditor with the most assurance about the effectiveness of the operation of an internal control procedure?
Inquiry of client personnel
Recomputation of account balance amounts
Observation of client personnel
Confirmation with outside parties