37 Cards in this Set
- Front
- Back
External auditors are primarily responsible to
|
shareholders and investors.
|
|
The American Accounting Association (AAA) defines auditing as:
|
A systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events. |
|
Auditing involves
|
collecting, reviewing, and documenting audit evidence.
|
|
According to the IIA, the purpose of an internal audit is to:
|
Evaluate the adequacy and effectiveness of a company’s internal control system; and
Determine the extent to which assigned responsibilities are carried out. |
|
The IIA’s five audit scope standards outline the internal auditor’s responsibilities:
|
Review the reliability and integrity of operating and financial information and how it is identified, measured, classified, and reported.
Determine if the systems designed to comply with these policies, plans, procedures, laws, and regulations are being followed.
Review how assets are safeguarded, and verify their existence.
Examine company resources to determine how effectively and efficiently they are used.
Review company operations and programs to determine if they are being carried out as planned and if they are meeting their objectives. |
|
Five different types of audits are commonly performed.
|
financial, internal control, operational, information systems, management
|
|
Financial audit
|
Examines reliability and integrity of accounting records (financial and operating).
|
|
Information systems audit
|
Reviews the controls of an AIS to assess:
Compliance with internal control policies and procedures; and
Effectiveness in safeguarding assets. |
|
Operational or management audit
|
Concerned with economical and efficient use of resources and accomplishment of established goals and objectives.
|
|
All audits follow a similar sequence of activities and may be divided into four stages:
|
Planning
Collecting evidence
Evaluating evidence
Communicating audit results |
|
Audit planning
|
Purpose: Determine why, how, when, and by whom the audit will be performed.
|
|
The first step in audit planning is to establish the
|
scope and objectives of the audit.
|
|
There are three types of risk when conducting an audit
|
Inherent risk
Control risk
Detection risk |
|
The following are among the most commonly used evidence collection methods:
|
Observation
Review of documentation
Discussions
Physical examination
Confirmation
Re-performance
Vouching |
|
An audit designed to evaluate AIS internal controls would make greater use of:
|
Observation
Review of documentation
Discussions
Re-performance |
|
An audit of financial information would focus on:
|
Physical examination
Confirmation
Vouching
Analytical review
Re-performance |
|
A risk-based audit approach is a four-step approach to internal control evaluation that provides a logical framework for carrying out an audit. Steps are:
|
Determine the threats (errors and irregularities) facing the AIS.
Identify control procedures implemented to minimize each threat by preventing or detecting such errors and irregularities.
Evaluate the control procedures.
Evaluate weaknesses (errors and irregularities not covered by control procedures) to determine their effect on the nature, timing, or extent of auditing procedures and client suggestions. |
|
IT Auditing Objective
|
Review & evaluate internal controls that protect the AIS.
|
|
6 Objectives of IT Auditing
|
Objective 1: Overall Security
Objective 2: Software Development and Acquisition
Objective 3: Software Modification
Objective 4: Computer Processing
Objective 5: Source Data
Objective 6: Data Files |
|
IT Auditing – Objective 1: Overall Security Threats include
|
Hardware & files – theft, damage, unauthorized access
Software & Data – theft, destruction, modification, unauthorized access
Interruption of business activities
Disclosure of confidential data |
|
IT Auditing – Objective 2: Software Development & Acquisition Threats include
|
Errors due to misunderstanding AIS specifications
Careless programming
Unauthorized instruction codes inserted into legitimate programs |
|
IT Auditing – Objective 3: Software Modification Threats include
|
Careless programming
Unauthorized program codes
Unauthorized access to programming codes |
|
IT Auditing – Objective 4: Computer Processing Threats include
|
Inability to flag bad data during processing
Inability to correct bad data after identification
The updating of programs introduces errors into data
Improper distribution of processed data |
|
IT Auditing – Objective 5: Source Data Threats include
|
Inaccurate source data
Unauthorized source data (e.g., ghost employees and vendors) |
|
IT Auditing – Objective 6: Data Files Threats include
|
Data loss due to hardware or software malfunction
Data loss due to accidental deletion
Data loss due to intentional acts |
|
P =
|
Time it takes an attacker to break through the organization’s preventive controls.
|
|
D =
|
Time it takes to detect that an attack is in progress.
|
|
C =
|
Time to respond to the attack.
|
|
Effective segregation of accounting duties is achieved when the following functions are separated:
|
Authorization
Recording
Custody |
|
Segregation of accounting duties: Authorization
|
Approving transactions and decisions.
|
|
Recording
|
Preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.
|
|
Custody
|
Handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization’s bank account.
|
|
CUSTODIAL FUNCTIONS
|
Handling cash
Handling inventories, tools, or fixed assets
Writing checks
Receiving checks in mail |
|
RECORDING FUNCTIONS
|
Preparing source documents
Maintaining journals, ledgers, or other files
Preparing reconciliations
Preparing performance reports |
|
EXAMPLE OF PROBLEM: A person who has custody of cash receipts and the recording for those receipts can steal some of the cash and falsify accounts to conceal the theft.
|
SOLUTION: The pink fence (segregation of custody and recording) prevents employees from falsifying records to conceal theft of assets entrusted to them.
|
|
EXAMPLE OF PROBLEM: A person who has custody of checks for transactions that he has authorized can authorize fictitious transactions and then steal the payments.
|
SOLUTION: The green fence (segregation of custody and authorization) prevents employees from authorizing fictitious or inaccurate transactions as a means of concealing a theft.
|
|
AUTHORIZATION FUNCTIONS
|
Authorization of transactions
|