Published by Darcy West. Modified over 6 years ago.
1
Effects of IT on Consideration of Internal Control in a Financial Statement Audit
Dr. Donald McConnell Jr. 12/1/2018
2
The Following Materials Are from Recently Issued SAS No. 94
This Information Has a High Probability of Appearing on the CPA Exam in May 2002 and Thereafter.
3
Introductory Concepts
- In obtaining an understanding of internal control [IC], the auditor considers how use of information technology [IT] and manual procedures may affect controls relevant to the audit
- The auditor must assess control risk for the assertions embodied in account balances or transaction types (319.02)
4
Assessing Control Risk at Less Than Maximum
- Assessing control risk below maximum is ordinarily more effective and efficient than performing only substantive tests
- This is called a “controls reliance” audit
- “Controls rely” audits characteristically:
  - Result in relatively lower audit fees
  - Allow the auditor to perform more work at interim
5
Assessing Control Risk at Maximum
- In assessing control risk at maximum:
  - Controls are effectively ignored
  - The auditor performs only substantive tests
- However, it may not be practical or possible to restrict detection risk to an acceptable level by performing only substantive tests (319.03)
- Where evidence of initiation, recording, or processing of data exists only in electronic form, the auditor’s ability to obtain desired assurances only from substantive tests significantly diminishes
6
Some Controls May Relate to Objectives Irrelevant to the Audit
- Though important to the entity, these ordinarily do not relate to the audit process
- Consequently, these need not be ordinarily considered by the auditor
- Examples would include:
  - Controls concerning management decision-making processes, e.g. pricing or capital expenditure (cap ex) decisions
  - Sophisticated IT controls to maintain an airline’s flight scheduling (319.12)
7
Characteristics of Manual Systems (311.17)
- Entity uses manual procedures and records in paper format:
  - Manually reported sales orders on paper forms or journals
  - Credit authorization, shipping reports, individuals post A/R
- Controls are also manual:
  - Manual approvals and reviews
  - Manual reconciliations and follow-up
8
Characteristics of IT Based Systems (319.17)
- Automated procedures to initiate, record, process, and report transactions
- Records in electronic format replace paper purchase orders, invoices, shipping documents, and other records
- Controls characteristically consist of a combination of automated controls (embedded in programs) and manual controls
- Manual controls in IT systems may:
  - Be independent of IT
  - Use IT produced information
  - Be limited to monitoring of functioning of IT effectiveness
9
Benefits of IT on Internal Controls (319.18)
- Consistently applied predefined business rules and performance of complex calculations in large volumes of data
- Enhanced timeliness, availability, and accuracy of information
- Facilitates additional analysis of information
- Enhanced ability to monitor performance of activities, policies, and procedures
- Reduced risk of controls circumvention
- Enhanced ability to effectively segregate duties through security controls
10
Controls Risks Relating to IT (319.19)
- Systems or programs inaccurately processing data, processing inaccurate data, or both
- Unauthorized data access may cause:
  - Data destruction or loss
  - Unauthorized or nonexistent transactions
  - Inaccurately recorded transactions
- Unauthorized changes to master files
- Unauthorized changes to systems or programs
- Failure to make necessary system or program changes
- Inappropriate manual intervention
11
Inherent Limitations of Internal Controls: IT Perspectives (319.21-22)
- Errors may occur in designing, maintaining, or monitoring automated controls
- Errors may occur in use of information produced by IT
- Program edit routines flagging transactions exceeding certain limits may be overridden or disabled
- IT personnel may not completely understand how an order entry system should function. Changes may be correctly designed, but improperly coded by programmers
- Automated controls may report dollar limit violations for management review; however, reviewers may not understand the purpose of such and may fail to properly investigate unusual items.
12
Extent of Understanding of Controls Activities Component (311.26)
- May need only be a limited understanding in auditing a noncomplex entity with significant owner-manager approval and review
- May require greater understanding for an entity with a large volume of revenue transactions relying on IT to measure and bill services in a complex, changing rate structure
13
Determining Whether an IT Audit Professional Is Needed (319.30-31)
- Specialized IT skills may be needed in the audit:
  - To determine effects of IT on the audit
  - To understand IT controls
  - To design and perform tests of IT controls, and substantive testing
- Cannot turn a generic audit senior loose in a complex DP environment excavation! And client DP professional jargon and other IT gibberish!
14
Factors to Consider in Determining Need for IT Auditor (319.31-32)
- Complexity of IT system and related controls
- Significance of system changes, or new system implementation
- Extent to which data is shared among systems
- Extent of electronic commerce transacted
- Entity use of emerging technologies
- Significance of audit evidence available only electronically
15
IT Controls May Be Viewed As Application Controls and General Controls (319.43-46)
- Application controls apply to processing of individual applications
- Examples include edit checks, numerical sequence checks and manual review of exception reports
- With manual reviews, controls effectiveness depends on both user review and accuracy of report information
16
IT Controls May Be Viewed As Application Controls and General Controls (con.)
General controls:
- Relate to many applications
- Are therefore pervasive controls, supporting effective functioning of application controls
- Examples include:
  - Data center and network operations controls
  - System software acquisition and maintenance
  - Access security
- Segregation of duties often achieved by implementing security controls
17
Information and Communication IT Issues (319.50-51)
- Automated processes & controls:
  - May reduce risk of inadvertent error
  - Do not overcome risk of inappropriate override by persons
  - There may be little or no visible evidence of system intervention
- IT non-standard journal entries:
  - May exist only in electronic form
  - May be more difficult to identify than would be the case with printed or paper documents and journals
18
Monitoring IT Issues (319.54-55)
- Characteristically, much information used in monitoring is produced by the IT system
- Management should not assume data used for monitoring is accurate! [GIGO]
- GIGO can lead to incorrect management conclusions concerning monitoring
19
Documenting Controls Understanding (319.61)
- Means for documenting controls of complex IT systems where large volumes of data are electronically processed:
  - Flowcharts
  - Questionnaires (ICQs)
  - Decision tables
- Memorandums may be sufficient in documenting controls where there is little or no use of IT, or where few transactions are processed