
Auditing in CIS Environment Chapter 1 Notes

This document compares and contrasts attestation services and advisory services, and discusses the structure and process of auditing. Attestation services require written assertions and a practitioner's written report, while advisory services are professional services offered by accounting firms to improve clients' operations. Restricted non-audit services for audit clients include bookkeeping, valuation, internal audit outsourcing, and management functions. The structure of an audit includes auditing standards, GAAP, SAS, and generally accepted auditing standards. The audit process involves obtaining evidence to corroborate management assertions, determining materiality, and communicating results. Audit risk is the probability of an unqualified opinion on misstated financial statements. Tests of controls and substantive tests

Uploaded by

Krizza Terrado

ATTESTATION VS ADVISORY SERVICES

• Attestation services require written assertions and a practitioner’s written
report.
• Attestation services require the formal establishment of measurement
criteria or their description in the presentation.
• The levels of service in attestation engagements are limited to
examination, review, and application of agreed-upon procedures.

ADVISORY SERVICES
- professional services offered by public accounting firms to improve their
client organizations’ operational efficiency and effectiveness. The domain
of advisory services is intentionally unbounded so that it does not inhibit
the growth of future services that are currently unforeseen.

Examples:
1. actuarial advice
2. business advice
3. fraud investigation services
4. information system design and implementation
5. internal control assessments for compliance with SOX.

RESTRICTED NON-AUDIT SERVICES FOR AUDIT CLIENT

• bookkeeping or other services related to the accounting records or
financial statements of the audit client
• financial information systems design and implementation
• appraisal or valuation services, fairness opinions, or contribution-in-kind
reports
• actuarial services
• internal audit outsourcing services
• management functions or human resources
• broker or dealer, investment adviser, or investment banking services
• legal services and expert services unrelated to the audit
• any other service that the board determines, by regulation, is
impermissible

STRUCTURE OF AUDIT
• Auditing Standards
• GAAP
• SAS

GENERALLY ACCEPTED AUDITING STANDARDS

General Standards
1. The auditor must have adequate technical training and proficiency
2. The auditor must have independence of mental attitude
3. The auditor must exercise due professional care in the performance of
the audit and the preparation of the report

Standards of Field Work
1. Audit work must be adequately planned
2. The auditor must gain a sufficient understanding of the internal control
structure
3. The auditor must obtain sufficient, competent evidence

Reporting Standards
1. The auditor must state in the report whether financial statements were
prepared in accordance with generally accepted accounting principles
2. The report must identify those circumstances in which generally
accepted accounting principles were not applied
3. The report must identify any items that do not have adequate
informative disclosures
4. The report shall contain an expression of the auditor’s opinion on the
financial statements as a whole

STRUCTURE OF AUDIT
- a systematic process

AUDIT OBJECTIVES AND AUDIT PROCEDURES BASED ON MANAGEMENT ASSERTIONS

• Existence or Occurrence
- Audit objective: Inventories listed on the balance sheet exist
- Audit procedure: Observe the counting of physical inventory

• Completeness
- Audit objective: Accounts payable include all obligations to vendors
for the period
- Audit procedure: Compare receiving reports, supplier invoices, purchase
orders, and journal entries for the period and the beginning of the next
period

• Rights and obligations
- Audit objective: Plant and equipment listed in the balance sheet are
owned by the entity
- Audit procedure: Review purchase agreements, insurance policies, and
related documents

• Valuation or Allocation
- Audit objective: Accounts receivable are stated at net realizable value
- Audit procedure: Review entity’s aging of accounts and evaluate the
adequacy of the allowance for uncollectible accounts

• Presentation and disclosure
- Audit objective: Contingencies not reported in financial accounts are
properly disclosed in footnotes
- Audit procedure: Obtain information from entity lawyers about the
status of litigation and estimates of potential loss

• Obtaining evidence
Auditors seek evidential matter that corroborates management
assertions.
• Ascertaining materiality
The auditor must determine whether weaknesses in internal controls
and misstatements found in transactions and account balances are material.

• Communicating results
Auditors must communicate the results of their tests to interested
users. An independent auditor renders a report to the audit committee of
the board of directors or stockholders of a company. The audit report
contains, among other things, an audit opinion. This opinion is distributed
along with the financial report to interested parties both internal and
external to the organization. IT auditors often communicate their findings
to internal and external auditors, who can then integrate these findings
with the non-IT aspects of the audit.

AUDIT RISK
Audit risk is the probability that the auditor will render an unqualified
(clean) opinion on financial statements that are, in fact, materially
misstated. Material misstatements may be caused by errors or irregularities
or both. Errors are unintentional mistakes. Irregularities are intentional
misrepresentations associated with the commission of a fraud such as the
misappropriation of physical assets or the deception of financial statement
users.

Inherent Risk
Control Risk
Detection Risk
AR Model - AR = IR × CR × DR

TEST OF CONTROLS and SUBSTANTIVE TESTS

- the stronger the internal control structure, as determined through tests of
controls, the lower the control risk and the less substantive testing the
auditor must do

↑ internal control structure
↓ substantive testing

IT AUDIT
COSO INTERNAL CONTROL FRAMEWORK

Components of COSO Framework


• Control Activities - there should be control over technology in order to
achieve organizational objectives
• Risk Assessment
• Information and Communication - organizations should require
• Monitoring
• Environment (Control Environment)

SOX ACT OF 2002

Section 302 - requires that corporate management certify their
organization’s internal controls on a quarterly and annual basis.
• External Auditors should perform the following:
- Interview management regarding any significant changes in the
design or operation of internal control that occurred subsequent to the
preceding annual audit or prior review of interim financial information
- Evaluate the implications of misstatements identified by the auditor
as part of the interim review that relate to effective internal controls
- Determine whether changes in internal controls are likely to
materially affect internal control over financial reporting

Section 404 - requires the management of public companies to assess the
effectiveness of their organization’s internal controls
• This entails providing an annual report addressing the following points:
- Understand the flow of transactions, including IT aspects, in
sufficient detail to identify points at which misstatement could arise
- Using a risk-based approach, assess both the design and operating
effectiveness of selected internal controls

GENERAL CONTROLS, APPLICATION CONTROLS, AND FINANCIAL DATA INTEGRITY

• General Controls/General Computer Controls/IT Technology Controls
- IT Governance
- IT Infrastructure
- Security and access to operating systems and databases
- Application acquisitions and developments
- Program change procedures

• Application Controls
- Cash disbursement batch balancing
- Accounts receivable check digit procedure
- Payroll system limit check

QUIZ COVERAGE (ADDITIONAL TOPICS)
40 items Chapter 1 (tentative)

1. Types of Management
a. Operations Management. Directly responsible for controlling
day-to-day operations
b. Middle Management. Accountable for the short-term planning
and coordination of activities necessary to accomplish
organizational objectives
c. Top Management. Responsible for long-term planning and
setting organizational objectives

2. Subsystem Interdependency
- a system’s ability to achieve its goal depends on the effective
functioning and harmonious interaction of its subsystems
- if a vital subsystem fails or becomes defective and can no longer
meet its specific objective, the overall system will fail to meet its
objective
• Control – should be provided on a cost-benefit basis
• Backup – essential when excessive negative consequences
result from a subsystem failure

3. Value of Information → determined by its reliability

a. Relevance – the contents must serve a purpose
- only relevant data should be presented

b. Timeliness – information must be no older than the time of the action it
supports

c. Accuracy – information must be free from material errors
- in some cases, information MUST be perfectly accurate; in some, level
of accuracy MAY be lower
• Material error – exists when the amount of inaccuracy in information
causes the user to make poor decisions or to fail to make necessary
decisions
• We sometimes must sacrifice absolute accuracy to obtain timely
information
• Often, perfect information is not available within the user’s decision time
frame

4. Financial and Non-financial Transactions

Transaction – an event that affects or is of interest to the organization and
is processed by its information system as a unit of work (both financial
and nonfinancial)
o Financial Transaction – economic event that affects the assets
and equities of the organization, is reflected in its accounts, and is
measured in monetary terms
o Nonfinancial Transactions – events that do not meet the narrow
definition of a financial transaction

5. AIS Subsystem
• Accounting Information System (financial)
- processes financial and nonfinancial transactions that directly affect
the processing of financial transactions

Major Subsystems:
a. Transaction Processing System (TPS)
- converting economic events into financial transactions
- recording financial transactions in the accounting records
- distributing essential financial information to operations
personnel to support their daily operations
- supports daily business operations with numerous reports,
documents, and messages for users throughout the organization

b. General Ledger/Financial Reporting System (GL/FRS)
- produces the traditional financial statements (IS, BS, SCF, Tax
Returns, and others required by law)

c. Management Reporting System – provides internal
management with special-purpose financial reports and
information needed for decision making (budgets, variance
reports, and responsibility reports)

• Management Information System (financial and nonfinancial)
- processes nonfinancial transactions that are not normally
processed by traditional AIS

6. Major difference of FRS and MRS
• FRS – external
• MRS – internal/management

7. Financial Transactions
Examples:
• Sale of products to customers
• Purchases of inventory from vendors
• Cash disbursements

8. Data Collection Processing → the first operational stage in the
information system; the most important stage
- Objective: Ensure that event data entering the system are valid, complete,
and free from material errors
- Two rules: Relevance and efficiency
- Avoid: Redundancy

9. Data Attribute - the most basic element of useful data
- a logical and relevant characteristic of an entity about which the firm
captures data
* Record - definition of the complete set of attributes for a single
occurrence within an entity class

10. Database Management Tasks - storage, retrieval, deletion
• Storage – assigns keys to new records and stores them in their proper
location in the database
• Retrieval – locating and extracting an existing record from the
database for processing
• After processing is complete, the storage task restores the updated
record to its place in the database
• Deletion – permanently removing obsolete or redundant records from
the database

11. Finance Functions
- managing the financial resources of the firm through
• banking and treasury activities
• portfolio management
• credit evaluation
• cash disbursements and cash receipts

12. Accounting Functions
- manages the financial information resource of the firm
• capturing and recording the financial effects of the firm’s
transactions
• distributing the information to operations personnel to coordinate
many of their key tasks

13. Accounting Independence
- separation of duties
- record-keeping and custody should be separate

14. Distributed Data Processing Approach
- involves reorganizing the IT function into small information processing
units (IPUs) that are distributed to end users and placed under their control
- IPUs may be distributed according to business function, geographic
location, or both

Advantages
• cost savings
• increased user satisfaction
• improved operational efficiency

Disadvantages
• loss of control
• inefficient use of resources
• destruction of audit trails
• inadequate segregation of duties
• increased potential for programming errors and systems failures
• lack of standards

15. Data Control Group
Traditionally: Responsible for receiving batches of transaction documents
for processing from end users and then distributing computer output
(documents and reports) back to the users
Today: Automated and distributed back to end users

16. Independent Auditing (external auditor should perform)

17. Appraisal function within the organization (internal auditor may
perform)

18. System Development Life Cycle (SDLC)
- end-user, accountant, system professionals (IT), etc.
• (1) Systems Strategy → (2) Project Initiation → (3) In-House
Systems Development → (4) Commercial Packages →
(5) Maintenance and Support

19. Advantages of Database System

Database System – a special software system that is programmed to know
which data elements each user is authorized to access

Advantages
• Elimination of data redundancy
• Single update
• Current values

20. Enterprise Resource Planning – an information system model that
enables an organization to automate and integrate its key processes
- accounting system
- human resource system
- general ledger
- cost control
- inventory control system

THE INFORMATION ENVIRONMENT
• Operations Management. Directly responsible for controlling
day-to-day operations
• Middle Management. Accountable for the short-term planning
and coordination of activities necessary to accomplish
organizational objectives
• Top Management. Responsible for long-term planning and
setting organizational objectives

Information Flows
• Horizontal Flow – supports operations-level tasks with highly
detailed information about the many business transactions
affecting the firm
→ sale and shipment of goods, use of labor and materials in the
production process, internal transfers of resources from one
department to another

• Vertical Flow – distributes information downward from senior
managers to junior managers and operations personnel
→ instructions, quotas, budgets
→ information pertaining to operations and other activities flows
upward to managers at all levels

• Exchanges between the organization and users in the external
environment
→ external users:
a) trading partners
- customer sales and billing information, purchase information for
suppliers, inventory receipts information
b) stakeholders
- entities outside (inside) the organization with a direct or indirect
interest in the firm
- financial statements, tax returns, stock transaction information
- inside stockholders: accountants and internal auditors

WHAT IS A SYSTEM?
A group of two or more interrelated components or subsystems
that serve a common purpose.

System Decomposition
- process of dividing the system into smaller subsystem parts
- can present the overall system as a hierarchy and view the
relationships between subordinate and higher-level subsystems

Subsystem Interdependency
- a system’s ability to achieve its goal depends on the effective
functioning and harmonious interaction of its subsystems
- if a vital subsystem fails or becomes defective and can no longer
meet its specific objective, the overall system will fail to meet its
objective
• Control – should be provided on a cost-benefit basis
• Backup – essential when excessive negative consequences
result from a subsystem failure

AN INFORMATION SYSTEMS FRAMEWORK

Information System – set of formal procedures by which data are
collected, processed into information, and distributed to users

• Accounting Information System
- processes financial and nonfinancial transactions that directly affect
the processing of financial transactions

Major Subsystems:
a. Transaction Processing System (TPS)
- converting economic events into financial transactions
- recording financial transactions in the accounting records
- distributing essential financial information to operations
personnel to support their daily operations
- supports daily business operations with numerous reports,
documents, and messages for users throughout the organization

b. General Ledger/Financial Reporting System (GL/FRS)
- produces the traditional financial statements (IS, BS, SCF, Tax
Returns, and others required by law)

c. Management Reporting System – provides internal management
with special-purpose financial reports and information needed for
decision making (budgets, variance reports, and responsibility
reports)

• Management Information System
- processes nonfinancial transactions that are not normally
processed by traditional AIS

MIS Applications in Functional Areas

• Finance
- portfolio management systems
- capital budgeting systems

• Marketing
- market analysis
- new product development
- production analysis

• Distribution
- warehouse organization and scheduling
- delivery scheduling
- vehicle loading and allocation models

Transaction – an event that affects or is of interest to the organization and
is processed by its information system as a unit of work (both financial
and nonfinancial)

o Financial Transaction – economic event that affects the assets
and equities of the organization, is reflected in its accounts, and is
measured in monetary terms

o Nonfinancial Transactions – events that do not meet the narrow
definition of a financial transaction

- Buying high and selling low is not against the law, but it’s bad for
business

Data – facts, which may or may not be processed (edited, summarized, or
refined) and have no direct effect on the user
Information – causes the user to take action that he or she otherwise could
not have taken
• Information is determined by its effect, not by its physical form
