A.I.S. Class 11: Outline (PowerPoint presentation)


Slide 1: A.I.S. Class 11: Outline

October 12, 2005
Dr. Peter R Gillett

- Learning Objectives for Chapter 10
- Controls
- Misstatements
- Internal Control Structure
- Control Objectives and Audit Objectives
- COBIT
- Events and Event Risks
- Group Work for Chapter 10
- Mid-term Examination

Slide 2: Learning Objectives for Chapter 10

After studying this chapter you should be able to:
- provide a definition of controls
- explain the concepts of exposure and reasonable assurance as they relate to controls
- explain the difference between preventive, detective, and corrective controls
- describe and discuss a number of risks that could be found in computer based systems
- discuss the essence of Sarbanes-Oxley and its impact on internal controls
- discuss Statement on Auditing Standards (SAS) No. 55 and 78 and their implications for controls in information systems
- provide a basic distinction between general and application controls as categories of controls

Slide 3: Learning Objectives for Chapter 10 (continued)

- describe general control procedures for database oriented systems environments
- describe application controls that can be incorporated into a database AIS
- indicate some control procedures that can be instituted only in on-line database systems
- explain how entity integrity and referential integrity contribute to better control in a database AIS
- explain the hierarchical nature of the relationship between the control environment, the accounting system, and general and application control procedures
- briefly describe the COBIT control framework released by the Information Systems Audit and Control Association

Slide 4: Controls

- Controls are mechanisms to prevent or detect errors and irregularities
- Risk is the likelihood that an information system will experience errors or irregularities
- Exposure is the amount of loss that could occur if a risk is realized
- Controls are designed to provide reasonable assurance that data are error free

Slide 5: Controls

- Preventive v. detective
  - Corrective procedures are corrective, but are not really controls
- Manual v. programmed
- General v. application
- Compensating controls
  - Controls in one place remediate absence of controls in others
- Key controls
  - Subset of controls on which auditors plan to rely

Slide 6: Misstatements

- Errors: unintentional mistakes
- Irregularities: intentional alteration or misstatement of data
- Fraud (defalcation)
- Management fraud

Slide 7: Exposures and Risks

Exposures may arise from:
- Erroneous record keeping
- Unacceptable accounting
- Business interruption
- Erroneous management decisions
- Fraud and embezzlement
- Statutory sanctions
- Excessive costs
- Loss or destruction of assets
- Competitive disadvantage

Slide 8: Exposures and Risks

Risks:
- Errors in data
- Irregularities in data
- Loss of data
- Natural disasters
- Computer crime

Slide 9: Internal Controls and Sarbanes-Oxley

- Sarbanes-Oxley Act 2002
  - In response to Enron, World-Com, etc.
- Created Public Company Accounting Oversight Board (PCAOB)
  - Overseen by SEC
- Previously, Statements of Auditing Standards (SAS) were published by the AICPA’s Auditing Standards Board
- Now, PCAOB has the right to adopt, amend, modify, repeal or reject auditing standards

Slide 10: Internal Controls and Sarbanes-Oxley

- Title I: PCAOB regulates audits and auditors of public companies
- Title II: Auditor independence provisions and audit committees
- Title III: New responsibilities regarding financial reporting
- Title IV: New disclosures

Slide 11: Internal Controls and Sarbanes-Oxley

- In April 2003, PCAOB asserted authority over auditing standards
- Existing standards were “grandfathered” until they can be replaced
- Four new standards have been issued so far
- Auditing Standard No 2: An Audit of Internal Control Over Financial Reporting Conducted in Conjunction With An Audit of Financial Statements

Slide 12: Internal Controls and Sarbanes-Oxley

- Sarbanes-Oxley Act Section 404
  - Management is responsible for
    - Establishing and maintaining adequate internal controls over financial reporting
    - Assessment of the effectiveness of controls
    - Documenting and testing internal controls over financial reporting and reporting their conclusions to the auditor
  - Auditors must attest and report on management’s assertions regarding internal controls
    - This significantly extends the amount of work that would previously have been required

Slide 13: Internal Controls and Sarbanes-Oxley

- Sarbanes-Oxley Act Section 404
  - Last year, compliance for the first time was a huge expense for public companies and a huge logistical problem for auditor firms who were struggling to meet the demand
  - Soon even more (smaller) companies will be subject to Section 404!
  - Last year 11% of public companies capitalized at over $75M disclosed control deficiencies
  - This represented 6-8% of firms audited by Big 4 and 15% of firms audited by Grant Thornton and BDO

Slide 14: Internal Controls and Sarbanes-Oxley

- Under the Act, COSO has been adopted by the SEC as the acceptable internal control framework
- COSO is already incorporated into existing auditing standards (SAS 55, etc.)
- Auditing of controls at public companies is now ruled by Auditing Standard No 2

Slide 15: General Systems Model

- Every system has
  - Inputs
  - Processes
  - Outputs
  - Boundary
  - Environment
- Control systems
  - Sensors
  - Standards
  - Control comparisons
  - Activating units

Slide 16: Internal Control Structure

- SAS 55, COSO, SAS 78, SAS 94
  - Internal Control is a process effected by an entity’s board of directors, and other personnel, that is designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
    - effectiveness and efficiency of operations
    - reliability of financial reporting
    - compliance with applicable laws and regulations

Slide 17: Internal Control Structure

- SAS 55, COSO, SAS 78
  - Control Environment
  - Management’s Risk Assessment
  - Information System and Communication
  - Control Activities
  - Monitoring

Slide 18: Control Environment

- Integrity and ethical values
- Commitment to competence
- Board of directors or audit committee
- Management’s philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and practices

Slide 19: Management’s Risk Assessment

- Risk assessment for financial reporting is the identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with GAAP

Slide 20: Risk Assessment

Risks may arise from:
- Changes in the operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New lines, products or activities
- Corporate restructuring
- Foreign operations
- Accounting pronouncements

Slide 21: Information System

- Procedures aimed at identifying, assembling, analyzing, classifying, recording and reporting an entity’s transactions
- Maintain accountability for the related assets and liabilities

Slide 22: Control Activities

- Policies and guidelines that management has established to provide reasonable assurance that specific entity objectives will be met
  - Adequate separation of duties
  - Proper authorization of transactions
  - Adequate documents and records
  - Physical control over assets and records
  - Independent checks on performance

Slide 23: Control Activities

- General control procedures
  - Organizational controls
  - Systems development and amendment
  - Hardware and systems software controls
  - Security and access controls
  - Operations controls
  - Data backup and recovery

Slide 24: Control Activities

- Application control procedures
  - Input controls
    - field tests
    - range tests
    - length tests
    - validity tests
    - valid combinations tests
    - closed loop verification
    - completeness tests
    - prompting
    - system generated data
    - entity integrity
    - referential integrity
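As an added example (not from the slides), the input controls listed above applied in Python to a constructed sales-order record, with entity and referential integrity enforced by SQLite primary and foreign keys rather than application code; the field names, limits, product codes and the COD policy are assumptions for illustration.

```python
import sqlite3

# Constructed reference data standing in for master files (assumed, not from the slides).
VALID_PRODUCTS = {"P100", "P200", "P300"}
REQUIRED_FIELDS = ("order_no", "customer_id", "product", "qty", "terms")


def input_controls(rec):
    """Apply the slide's input controls to one sales-order record; return the failures."""
    errors = []
    # completeness test: every required field must be present and non-blank
    for f in REQUIRED_FIELDS:
        if rec.get(f) in (None, ""):
            errors.append(f"completeness: {f} missing")
    # field test: quantity must be an integer; range test: within an assumed 1..1000
    qty = rec.get("qty")
    if not isinstance(qty, int):
        errors.append("field: qty not an integer")
    elif not 1 <= qty <= 1000:
        errors.append("range: qty outside 1..1000")
    # length test: customer ids are assumed to be exactly 6 characters
    if len(str(rec.get("customer_id") or "")) != 6:
        errors.append("length: customer_id must be 6 characters")
    # validity test: product code must exist in the product master
    if rec.get("product") not in VALID_PRODUCTS:
        errors.append("validity: unknown product")
    # valid combination test: assumed policy that COD orders may not exceed 100 units
    if rec.get("terms") == "COD" and isinstance(qty, int) and qty > 100:
        errors.append("combination: COD orders limited to 100 units")
    return errors


def integrity_controls():
    """Entity integrity (primary key) and referential integrity (foreign key) in a database AIS.
    Returns the number of bad inserts the database itself rejected."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when switched on
    con.execute("CREATE TABLE customer (customer_id TEXT PRIMARY KEY)")
    con.execute("CREATE TABLE sales_order (order_no INTEGER PRIMARY KEY, "
                "customer_id TEXT NOT NULL REFERENCES customer(customer_id))")
    con.execute("INSERT INTO customer VALUES ('C00001')")
    con.execute("INSERT INTO sales_order VALUES (1, 'C00001')")
    rejected = 0
    for sql in ("INSERT INTO customer VALUES ('C00001')",        # duplicate key
                "INSERT INTO sales_order VALUES (2, 'C99999')"):  # no such customer
        try:
            con.execute(sql)
        except sqlite3.IntegrityError:
            rejected += 1
    return rejected
```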

Slide 25: Control Activities

- Application control procedures
  - Processing controls
    - internal label tests
    - sequence checks
    - control total verification
  - Output controls
  - User control procedures
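As an added example (not from the slides), the sequence check and control total verification named above run over a constructed batch of pre-numbered documents; the document numbers, account codes and the clerk's submitted totals are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Transaction:
    seq: int       # pre-numbered document number
    account: str   # account code (summed only as a hash total)
    amount: float


# Constructed batch (document 103 is missing) and the control totals the data-entry
# clerk submitted with it; neither comes from the slides.
BATCH = [Transaction(101, "1200", 250.00), Transaction(102, "1200", 75.50),
         Transaction(104, "4000", 325.50)]
SUBMITTED_TOTALS = {"record_count": 3, "financial_total": 651.00, "hash_total": 6400}


def sequence_check(batch):
    """Sequence check: report gaps and duplicates in the pre-numbered documents."""
    seqs = [t.seq for t in batch]
    expected = set(range(min(seqs), max(seqs) + 1))
    gaps = sorted(expected - set(seqs))
    dups = sorted({s for s in seqs if seqs.count(s) > 1})
    return gaps, dups


def control_totals(batch):
    """Recompute record count, financial total and hash total from the processed batch."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(t.amount for t in batch), 2),
        # hash total: a meaningless sum of a non-financial field, used only for checking
        "hash_total": sum(int(t.account) for t in batch),
    }


def verify_batch(batch, submitted):
    """Control total verification plus sequence check; empty lists mean the batch agrees."""
    computed = control_totals(batch)
    mismatches = [k for k in submitted if computed[k] != submitted[k]]
    gaps, dups = sequence_check(batch)
    return {"mismatches": mismatches, "gaps": gaps, "duplicates": dups}
```

A mismatch in any total, or a gap or duplicate in the sequence, flags the batch for investigation before processing continues.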

Slide 26: Control Objectives

- Completeness
  - All transactions that occurred are entered and accepted for processing
- Accuracy
  - All transactions are recorded
    - at the correct amount
    - in the proper account
    - in the proper period
- Validity
  - All recorded transactions
    - actually occurred
    - relate to the company
    - were approved / authorized
- Restricted Access
  - Data is protected against unauthorized amendments

Slide 27: Monitoring

- A process that assesses the quality of internal control over time
- It involves assessment by appropriate personnel of the design and operation of controls on a timely basis and the taking of necessary action

Slide 28: COBIT

- Control Objectives for Information and related Technology
- Information Systems Audit and Control Association
- Management “best practices”
- 34 high level control objectives
- IT processes in four domains
  - Planning & organization
  - Acquisition & implementation
  - Delivery & support
  - Monitoring

Slide 29: Events and Event Risks

- The risks considered in our professional standards, and the controls to mitigate them, are substantially aimed at safeguarding information processes dealing with
  - Recording
  - Maintaining
  - Reporting
- Arguably, these risks and controls are of most importance to the accountant who is concerned with the quality of financial and management information

Slide 30: Events and Event Risks

- From the business perspective, however, it may be more important to ensure that we can avoid
  - Business events occurring at the wrong time or sequence
  - Business events occurring without proper authorization
  - Business events involving the wrong internal agent
  - Business events involving the wrong external agent
  - Business events involving the wrong resource
  - Business events involving the wrong amount of resource
  - Business events occurring at the wrong location

Slide 31: Events and Event Risks

- You may find it helpful, therefore, to consider these event by event; e.g.,
  - Customer Order
    - Accepting an order from an undesirable customer
    - Accepting an order for an unavailable product
    - Allowing an unauthorized person to take an order
  - Transferring goods from warehouse to shipping
    - Moving goods without authorization
    - An unauthorized agent moving goods
    - Moving incorrect inventory or amount to shipping
    - Moving goods to an unauthorized location
    - Improper or inadequate physical safeguards over access to the inventory, fire or other disasters, and inventory counts

Slide 32: Events and Event Risks

- Shipping goods
  - An unauthorized person shipping the goods
  - Having inventory stolen from the shipping area
  - Shipping to the wrong customer or an unauthorized location
  - Shipping the wrong product or amount
  - Shipping without proper authorization
  - Shipping poorly packaged products
  - Selecting a poor carrier or route
  - Losing sales because of untimely shipments
- Receiving customer payments
  - Theft of cash
  - Failing to deposit cash into the company’s bank accounts
  - Lapping

Slide 33: Group Work for Chapter 10

- Discussion Questions
- Problems 6 & 7 for next class
- We will go over Chapter 9 problems then

Slide 34: Mid-Term Examination

- Main features
  - 250 points
  - Five main sections
    - 30 or so multiple-choice questions (similar to quizzes) worth 3 points each
    - Some definitions & abbreviations (2 points each)
    - Short questions and problems including some flowcharting questions
    - An REA modeling problem (40 - 50 points)
    - A short essay (30 points)
  - 80 minutes total time: 8:10 – 9:30 next Wednesday night in Beck
  - Constrained by time not difficulty . . . 3 points per minute . . . so you will be penalized for turning in late