This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Auditing is often delineated by the role of the auditor: external (financial statement assessment), internal (examining the adequacy/effectiveness of controls in the business units and operations), public sector/governmental (ensuring effectiveness of controls to determine that services are being delivered properly). Information system auditing (or IT auditing) can be included in any of these roles and is becoming more prevalent in all areas. While historically IT auditing suggested a focus on general controls (overall IT environment, more technical in nature) and IS auditing suggested more of a focus on application controls (reviewing controls for activities in the various applications), now internal auditors, in particular, are involved with auditing both general and application controls. One does not have to be a "techno geek" to be an effective IT auditor, but should have an understanding of how systems work, understand the terminology, and be willing to work with technical people to develop solutions for business unit managers. For the most part, this class will take more of an internal audit approach to IT auditing, as internal auditors are more involved with providing a monitoring function for executive and business unit management. In general, the development, testing, and maintenance of controls should be the responsibility of the business unit manager. Internal auditing provides monitoring and consultative functions.
Often, you will hear that auditors should be "independent" (in "fact" and in "appearance") in their duties. This is especially relevant to external auditors (who are from outside the corporation), but is not really possible for the internal auditor. Since the internal auditor is paid directly by the corporation as an employee (and I'm assuming an in-house internal auditing function here), their role is to be objective. In this way, the internal auditor is becomes less of an adversary and more of a member of the same "team" as the business unit manager by providing an objective review of operations and providing solutions to issues raised by the manager or as the result of the audit. As Dr. Dan Kneer says, "your goal is to have your auditee not want you to leave."
Types of Audits
There are several types of audits that can be performed by auditors. Examples include:
Financial audits (generally performed by external auditors to verify information in the financial statements)
Operational audits (generally performed by internal/IT auditors to review the efficiency and effectiveness of business unit operations, to include IT)
General control audits (usually either operational or compliance audits to review the overall controls around the information processing function; these are performed by internal IT auditors, and sometimes are performed by external IT auditors if the controls have a direct effect on the financial statements)
Application audits (generally done by internal IT auditors to determine that current applications, applications under development, or the development process itself, are properly controlled)
Physical access audits (the objective here is to determine that assets-both physical and information assets-are properly safeguarded. These can be performed by internal and/or external auditors)
Logical access audits (IT auditors are concerned here with making sure that the rights assigned to an individual as far as access, maintenance, and change of data are assigned in accordance with job responsibilities).
Where Does Internal Auditing Fit In to the Corporate Structure?
Ideally, the internal audit function (specifically, the Chief Audit Executive) reports directly to the Audit Committee of the Board of Directors. The purpose of this is to allow the audit function to be somewhat independent of influence from other members of the "C Suite" (CEO, CFO, CIO, etc.) The Audit Committee is a sub-group of the Board of Directors and is responsible for overseeing the internal audit function, choosing the external auditors, and developing responses to audit findings.
The roles and responsibilities of the internal audit function are often outlined in a charter. The audit charter identifies the roles and responsibilities of the audit function. The charter is designed to define the relationships and responsibilities of internal audit function, the CEO, and the business unit managers. The charter is tailored to the specific needs of the organization and should include, at a minimum:
The definition of the role of internal (or in our case, IT) audit and the objectives of the audit function.
The reporting lines, and what things audit has a right to access (e.g., personnel, assets, records, etc.)
Specifics about the role of the CAE
Auditing (in general):
Auditing is a systematic, logical process governed by standards of fieldwork and reporting.
Several groups have provided "interpretations" of the basic standards; i.e., general standards (GAAS), fieldwork standards, and reporting standards-there are ISACA Audit Standards, Statements on Auditing Standards, the Public Company Accounting Oversight Board Statements, and even the Institute of Internal Auditors produce standards!
The first step in the planning process is to understand the business or process being audited, while identifying risks and potential exposures (e.g., loss potential) while doing so. Identification of the controls in place helps the auditor determine the extent of gathering evidence-through interview, observation, or substantive or analytical testing-to be done to evaluate the business or process.
Key to developing an audit opinion (recorded in the audit report) is the collection of evidence, which must be relevant, competent, and sufficient to support the opinion.
There are several types of audits (financial, internal, operational, etc.). They may have different goals, but the auditors that perform them must have professional skepticism, independence (or at least be objective if internal auditors), and maintain proper technical skills. They must perform proper planning, and develop reports based on the results of evidence collection.
The audit report contains the opinion of the auditor with regard to the fairness of the financial statements (external) or operations (internal) and internal control structure (both). An auditor's (or audit firm's) reputation is vested in that opinion, so sufficient, relevant evidence collection is essential to rendering a supportable opinion (the auditor doesn't want to be wrong in his/her assessments!)
The IT environment makes auditing more complex because, for example, unlike a manual environment, the audit trail may be entirely electronic.
Risk Definitions 
The auditor must assess the risk of expressing an incorrect opinion either because he/she: a) incorrectly identified a problem, or b) failed to identify a problem. To minimize this possibility, the auditor performs a structured risk analysis, and tests (e.g., statistical or analytical testing) based on this analysis to form an opinion. The types of risk generally associated with auditing include:
Audit risk is the risk of the financial auditor providing an inappropriate opinion on the financial statements. In other words, it is the risk of stating the financial statements present fairly the financial position of the entity, when in fact they do not. (Although significantly a lesser risk, audit risk also encompasses the risk of the auditor stating the financial statements do not present fairly the financial position of the entity, when in fact they do.) A way to mitigate this risk is to develop "pro-forma" audit programs, which are then modified to address the current business risks faced by the organization.
Inherent risk represents the auditor's assessment that there may be a material misstatement relating to an assertion in the financial statements, without taking into account the effectiveness of the related internal controls. If the auditor concludes that there is a high likelihood of such a misstatement, ignoring internal controls, the auditor would conclude that the inherent risk is high. Internal controls are ignored in setting inherent risk because they are considered separately in the audit risk model as control risk. It is an area that requires professional judgment on the part of an auditor and requires that the auditor have extensive knowledge of the organization's environment. For example, the valuation of inventory consisting of diamonds is more complex than inventory consisting of bicycles, and hence more risky.
Control risk represents the auditor's assessment of the likelihood that a material misstatements relating to an assertion in the financial statements will not be prevented or detected (on a timely basis) by the client's internal control system. Determining the control risks includes an assessment of whether a client's internal controls are effective for preventing or detecting misstatements, as well as the auditor's intention to make that assessment at a level below the maximum (99 percent) as part of the audit plan. This requires that the auditor understand how to measure the effectiveness of controls.
Detection risk is defined as the likelihood that a material misstatement relating to an assertion will be not detected by the auditor's substantive testing (e.g., interview of personnel, observation of operations, statistical testing). It is important to note that the detection risk indicates the risk that the auditor is willing to "live with" given the desired audit risk and assessment of inherent and control risks (and incorporating the assessment of the control environment). This means that if the detection risk is high, the auditor will do less substantive testing as compared to a situation where the detection risk is low.
Residual risk (or acceptable audit risk) is a measure of how willing the external auditor is to accept that the financial statements may be materially misstated after the audit is completed and an unqualified (or clean) opinion was issued. If the auditor decides to lower audit risk, the auditor wants to be more certain that the financial statements are not materially misstated, and will most likely do more substantive testing. The product of inherent risk and control risk is referred to as the Risk of Material Misstatement. It is allowable to make a combined assessment of inherent and control risk, called Risk of Material Misstatement.
Audit Risk = IR * CR * DR Given the explanations of the relevant terms above, the purpose of this equation is to determine detection risk, which then indicates to the auditor how much substantive testing he has to do to arrive at the desired audit risk.
Obviously, some risks are controllable (i.e., can be mitigated) and some are uncontrollable (e.g., external to the organization and cannot be influenced by the organization). Management should identify their risk response (discussed in the second class) after identifying controllable and uncontrollable risks.
The internal control structure of a client (external auditor) or the company (internal auditor) is essential to determining the extent of testing to be completed during the audit. During the planning process, the auditor(s) reviews the internal control structure and performs a risk assessment prior to audit testing/evidence collection.
Internal controls are a process designed to provide reasonable assurance that management objectives are being met. These objectives relate to the quality of data, the effectiveness/efficiency of operations, and compliance with laws/regulations.
Note that internal controls are a PROCESS and provide REASONABLE ASSURANCE (not a guarantee). In situations involving collusion (e.g., Enron), abuse of the management override, or changing organization or economic conditions, the effectiveness of the control system could be limited.
The objectives of internal controls are to: SAFEGUARD ASSETS, ENSURE THE ACCURACY/RELIABILITY OF ACCOUNTING INFORMATION, PROMOTE EFFICIENCY, and ENSURE COMPLIANCE WITH LAWS/REGULATIONS.
There are a number of frameworks for internal control systems, including the COSO and ERM frameworks that are typically used by SEC-reporting companies who must certify their internal control systems. The Sarbanes-Oxley Act of 2002 also discussed the necessity of a framework for developing an internal control system.
Note that management is ultimately responsible for the establishment, maintenance, and testing of the internal control system (see SOX section 404).
Controls can be preventive, detective, corrective, or predictive. Compensating controls can be used when segregation of duties not possible or not economically feasible.
Control activities (COSO framework) include things like segregation of duties (separate custody, recordkeeping, and authorization functions), proper supervision/authorization, accountability, isolation (e.g., limited access to cash and computer center), and independent verification (e.g., surprise audits on cash or inventory).
The IT environment changes the types of control activities somewhat by addressing transaction authorization, the separation of the program development, operations, and maintenance functions, supervision (particularly where segregation of duties is impossible or not practical), access controls, and independent verification.
This includes identifying the risks (threats) and potential exposures (if the control is weak or absent)
Management should also determine their risk response to the identified risks (e.g., avoid, reduce, share, accept)
In the IT environment, general and application controls are what we are most concerned with.
Sufficient: audit evidence must be factual and as objective as possible. The evidence should be convincing enough that another person would reach the same conclusion after reviewing the evidence (e.g., results of a random sample of 100 purchase orders that reflect the population would be sufficient to conclude whether or not purchases are properly approved).
Relevant: audit evidence that is consistent with the objectives for the audit. An example would be tracing a sample of shipping documents to sales invoices to determine that sales are being properly billed.
Competent: audit evidence that is reliable and was obtained through proper audit techniques. For example, an auditor's physical count of inventory is more competent than just taking the client's word as to the inventory count.
Useful: audit evidence that helps meet the objectives of the organization and the audit-for example, useful or timely evidence would be evidence collected reflecting activity during the audit period.
Existence (e.g., inventory exists)
Completeness (e.g., all payables are recorded)
Rights and obligations (e.g., all fixed assets are owned by the company)
Valuation or allocation (e.g., accounts receivable allowance is reasonable)
Presentation and disclosure (e.g., operating leases are disclosed properly in footnotes)
Examples of Auditing Procedures (related to above objectives)
Existence: count inventory
Completeness: compare documentation (receiving reports, vendor invoices, purchase orders, transaction entries)
Right and obligations: review purchase agreements, insurance policies
Valuation: review aging of accounts receivable and allowable
Presentation: review notes to financial statements