University of Phoenix
April 5, 2010
Control procedures are important in the efficient operation of an accounting information system (AIS). Organizations have audits to ensure procedures are functioning properly and there is no need for additional controls. This research of internal, external, financial, risk assessment, and information technology audits will examine and ensure that internal controls have been correctly placed and are functioning properly. Kudler Fine Foods can use audits for its systems' processes, as they involve information technology (Bagranoff, 2008).
Types of audits
An internal or external audit concerns employee adherence to company policies and procedures and the development of internal controls. Audits on information technology involve the evaluation of the computer's role in achieving audit and control objectives. These audits encompass the components of the computer-based AIS: people, procedures, hardware, data communications, software, and databases. They are broad in scope and include auditing for fraud and ensuring that employees are not copying software programs. The four types of information technology (IT) audits are: Attestation, Findings and Recommendations, SAS 70 Audit, and SAS 94 Audit.
The three types of IT audits that will be used at Kudler Fine Foods will be Attestation, SAS 94, and Financial Audit. IT auditors can use the Attestation and Financial Audits for accounts payable, accounts receivable, and payroll, as they confirm that numbers on the financial statements are correct, confirm that internal procedures are compliant with COSO, and check sales contracts with third parties. For the inventory and payroll departments the SAS 94 Audit can be used, as it helps auditors gain an understanding of how recurring and nonrecurring journal entries are initiated, entered, and processed through the company's information system. The IT components evaluated are: physical and environment review, system administration review, application software review, network security review, business continuity review, and data integrity review (Bagranoff, 2008).
Attestation audits provide assurance on something for which the client is responsible, such as verifying that internal controls are effective using the standards of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The auditor will perform an examination, review, or agreed-upon procedure (AUP) and provide a written report, often called a "Report to Management," based on the findings. Typically, an AUP is a negative assurance report in which the auditor states what was done and what was or was not found, and provides feedback to the user of the report. The Standards for Attestation Engagements (SSAE 10) specifically identify COSO as suitable criteria. A commission agreement review is another type of attest procedure, in which the auditor verifies that a client's commission agreement is being properly accounted for; it includes the review of contracts between clients and third parties. The objective of a WebTrust engagement is to evaluate a company's website according to AICPA/CICA standards. SysTrust engagements evaluate the reliability of the company's business information. Financial projections include financial statement forecasts and pro forma financial information. Auditors are only involved to the extent the auditor needs to use special software to perform projections (Bagranoff, 2008).
SAS 94 Audit
A SAS 94 Audit is performed by an auditor when a company undergoes a financial audit; it requires the auditor to consider the effect of the company's information technology on the assessment of control risk. It applies specifically when a company has such a significant amount of transactions processed electronically that the auditor cannot restrict detection risk to an acceptable level by performing only substantive tests. This audit requires the auditor to consider how a client's IT processes affect internal control, evidential matter, and the assessment of control risk, and to gain an understanding of how transactions are initiated, entered, and processed through the client's information system. The SAS 94 Audit helps auditors gain an understanding of how recurring and nonrecurring journal entries are initiated, entered, and processed through the company's information system. SAS 94 applies to most companies undergoing an audit in which both the financial and IT components are evaluated and involves: physical and environment review, system administration review, application software review, network security review, business continuity review, and data integrity review.
Financial Statement Audits
In the audit of financial statements, the auditor ensures that the financial statements are prepared in conformity with generally accepted accounting principles (GAAP) or a comprehensive basis other than GAAP. The main objective of the risk assessment audit approach is to review the system control procedures to evaluate the risks that any control weaknesses pose to the integrity of the accounting data in the financial reports. This approach provides auditors with a good understanding of the errors and irregularities that can occur in a company's AIS environment and of the related risks and exposure, and helps ensure that the cost of control procedures does not outweigh their value. The risks relevant to financial reporting include external and internal events that may adversely affect the entity's ability to initiate, record, process, and report financial data. Risks can arise or change because of circumstances such as the following: changes in operating systems, new personnel, new or revamped information systems, and rapid growth. To avoid these risks, systems and programs may include controls related to the corresponding assertions for significant accounts, or controls that are critical to the effective functioning of manual controls that depend on information technology (IT) (AU Section 319) (Bagranoff, 2008).
How audits will be conducted
Regardless of the type of audit, auditors use a defined life cycle, which is called the IT Audit Life Cycle. This cycle provides the basic procedures for any audit to be conducted. To conduct an audit, certain standards have to be followed and taken into consideration. These standards include the "Statements of Auditing Standards, the IS Audit Standards, Guidelines, and Procedures of the Information Systems Audit and Control Association (ISACA), the AICPA's Statement on Standards for Attestation Engagements (SSAE), the International Auditing Standards of the International Federation of Accountants (IFAC), and the ISACA's Control Objectives for Information and Related Technology (COBIT)" (Hunton, Bryant, & Bagranoff, 2004). While understanding and following each standard, auditors use the Audit Life Cycle as a guideline, whose steps include: "strategic planning, risk assessment, preparing the audit program, gathering audit evidence, forming conclusions based on the evidence obtained, preparing the audit opinion, and following up" (Hunton, Bryant, & Bagranoff, 2004).
The Audit Life Cycle
Planning. The first step of the Audit Life Cycle entails planning the audit project. Auditors have to determine what the risks are, familiarize themselves with the audit client and the client's environment, and lay out a plan for conducting the audit. This involves defining who will staff the audit and how the audit will generally be conducted. ISACA Standard 050.010, "Audit Planning," states: "The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards" (Hunton, Bryant, & Bagranoff, 2004). When planning the project, an auditor must also define the scope and control objectives, set materiality, and determine whether the company wants to outsource to a third party. According to Hunton, Bryant, & Bagranoff, the scope of the audit determines the nature and extent of testing to be performed in the audit (2004). Setting the level of materiality is also done within the planning stage. The level of materiality establishes the scale auditors use to gauge the importance of exceptions. Generally, materiality is represented as a percentage of total sales or total assets.
Risk Assessment, or "What Can Go Wrong." According to Hunton, Bryant, & Bagranoff, auditors use a risk-based audit approach to conduct an audit. This assessment entails asking the question "What can go wrong?" Auditors focus on "determining what the critical support processes are for a given audit process" (Hunton, Bryant, & Bagranoff, 2004). This enables the auditor to identify clearly the controls that should be in place to safeguard the integrity of the process under audit. The risk-based approach involves the client, the industry and environment in which the client operates, and the nature of the client's business processes (Hunton, Bryant, & Bagranoff, 2004). Hunton, Bryant, and Bagranoff state that without a thorough understanding, the auditor may fail to identify correctly the critical business processes and corresponding internal controls that he should evaluate (2004). Materiality also plays an important part in risk assessment because "if a control is absent, [then] how material is that control" (Hunton, Bryant, & Bagranoff, 2004). Auditors may not test minor processes for controls, since the benefit of testing would not outweigh its cost.
The Audit Program. The audit program includes several components: the "audit scope, objectives, procedures, and administrative details, such as planning and reporting" (Hunton, Bryant, & Bagranoff, 2004). This program should document the workpapers because it serves as a template for the work to be performed. After the audit is completed, "the audit program provides documentation as to who performed individual audit procedures and references to the workpapers where the results of each test and audit step can be viewed" (Hunton, Bryant, & Bagranoff, 2004). The Audit Program enables the audit to be tracked from planning to report. Auditors can use the template to define distinctly the audit project's scope, objectives, procedures, and administrative details.
Gathering Evidence. Gathering evidential matter is the essential part of the audit. It provides the foundation for the audit opinion. According to Hunton, Bryant, & Bagranoff, ISACA Guideline 060.020.030 identifies several types of evidence (2004). Auditors can use, among others, the following as field work evidence: "Observed processes and existence of physical items such as computer operations or data backup procedures, documentary evidence such as program change logs, system access logs, and authorization tables, and representations such as client-provided flowcharts, narratives, and written policies and procedures" (Hunton, Bryant, & Bagranoff, 2004). Auditors may request more information from the client if the evidence retrieved is not sufficient to satisfy a given objective. If the auditor cannot obtain sufficient evidence, he or she must consider the materiality of the evidence and the effect on the scope of the audit (Hunton, Bryant, & Bagranoff, 2004). Auditors must realize that not all evidence is created equal.
Forming Conclusions. After all the audit evidence is gathered, "it is the auditor's job to evaluate the evidence and form conclusions about whether the audit objectives were met and the sufficient" (Hunton, Bryant, & Bagranoff, 2004). This conclusion is based on the procedures performed in arriving at an audit opinion. The auditor should also identify reportable conditions, which are "any situation that comes to the attention of the auditor that represents a substantial control weakness" (Hunton, Bryant, & Bagranoff, 2004). The auditor's conclusions will never come as a surprise to management personnel because auditors are to bring any anomalies to the attention of management when they are discovered. The auditor's top priority is to identify to management any substantial weaknesses in internal control with material misstatements in the financial statements.
The Audit Opinion. There is no standard audit report, just as there is no standard audit program. ISACA Guideline 070.010.010 provides guidance for items to be included in the audit report. The audit report may include, but is not limited to, items such as: "the name of the organization audited, title, signature, date, statement of the objectives of the audit and whether the audit met these objectives, and scope of the audit, including 'the functional audit area, the audit period covered and the information systems, applications or processing environments audited'" (Hunton, Bryant, & Bagranoff, 2004). These items will enable the audit opinion to be thorough and conclusive for a follow-up.
Following Up. The final stage of the Audit Life Cycle is follow-up. According to Hunton, Bryant, & Bagranoff, after the auditor communicates audit results to the client and delivers the audit opinion to the client, the auditor will make provisions to follow up with the client on any reportable conditions or deficiencies the audit uncovered during the course of the audit (2004). It may take longer for the client to reconcile when there are deficiencies, but the auditor and client will agree on the extent and timing of the follow-up procedure during the exit interview. The follow-up may take the form of the following: a telephone call to management and subsequent documentation of the conversation, or the auditor may schedule additional audit procedures to satisfy all parties that management has corrected a material internal control weakness. Each of these six steps enables the auditor to conduct an effective audit.
Events that "might" prevent reliance on auditing through the computer
IT auditing around the computer involves arriving at an audit opinion through examining and evaluating management's internal controls and then the input and output controls only for application systems. It may be cost effective to audit around the computer when IT systems are simple, a clear audit trail exists, and high reliance is placed on user internal controls. Auditing through the computer is costly because the auditor reviews the processing logic and internal controls that exist within the system and the records produced by the system, performs compliance tests of the computer controls, and performs substantive tests of account balances. By auditing through the computer, auditors have the power to test an application control system more effectively. The objectives of application controls are to ensure the completeness and accuracy of accounting records and the validity of entries made resulting from both manual and programmed processing. Challenges of working through the computer system could be a lack of visible evidence and systematic errors, a lack of internal controls, a lack of availability of accurate data, and the length of time data is retained in a readily usable form. General controls are developed, maintained, and operated, and are therefore applicable to all of the applications. If there is a lack of general controls within a system, then the auditor can use test data, an integrated test facility, and a parallel simulation to contribute to the assurance of a specific general control, because the application controls and the general controls are inter-related.
An auditing proposal consists of specific guidelines required to complete an Information System (IS) Audit. By conducting specific audits for each of the processing programs, Kudler Fine Foods can appropriately correct any internal or external control issue that can create inaccurate or untimely data, and evaluate the risk associated with running the newly implemented computer automated systems.
AU Section 319. (2007). Consideration of internal control in a financial statement audit.
Bagranoff, Nancy. (2008). Information technology auditing. Retrieved from the University of Phoenix Library website:
Bagranoff, Nancy. (2008). Computer controls for organizations and accounting information systems. Retrieved from the University of Phoenix Library website:
Bagranoff, Nancy. (2008). Core concepts of accounting information systems. Retrieved from the University of Phoenix Library website:
Hunton, J. A., Bryant, S. M., & Bagranoff, N. A. (2004). Core concepts of information technology auditing. New York: Wiley & Sons. Retrieved from https://ecampus.phoenix.edu/content/eBookLibrary2/content/eReader.aspx