Bangsamoro Autonomous Region in Muslim Mindanao
RC- AL KHWARIZMI INTERNATIONAL COLLEGE FOUNDATION, INC.
DEPARTMENT OF ACCOUNTANCY
National Highway Basak Malutlut, Marawi City, Lanao del Sur 9700
CHAPTER 1: AUDITING AND INTERNAL CONTROL
A Written Report
Presented to
FATIMA ZAYNAB ABDULZAMAD, CPA
Department of Accountancy
In Partial Fulfillment
Requirements for the Course
ACC 155 – Auditing in CIS Environment
2nd Trimester, A.Y. 2025-2026
ABDUL JABBAR, REHAN
ABDULMALIK, JEHAN P.
ABDULSAMAD,
ABUBACAR, FATIMA BEDORI D.
ALI, NOROUL AIN B.
AMEROL, GAMDI S.
February 2025
Book: Information Technology Auditing and Assurance
Author: James A. Hall
OVERVIEW OF AUDITING
External (Financial) Audits
- An independent attestation performed by an expert—the auditor—who expresses an opinion regarding the
presentation of financial statements.
- Performed by CPAs who work for public accounting firms that are independent of the client organization being
audited.
- OBJECTIVE: Assuring fair presentation of the financial statements.
- KEY CONCEPT: INDEPENDENCE.
Attest Services vs. Advisory Services
o Attest Services – an engagement in which a practitioner is engaged to issue, or does issue, a written
communication that expresses a conclusion about the reliability of a written assertion that is the
responsibility of another party.
Examples: Audit & Reviews
o Advisory Services – professional services offered by public accounting firms to improve their client
organization’s operational efficiency and effectiveness.
Examples: Tax Planning & IT Advisory
Internal Audits
- Independent appraisal function established within an organization to examine and evaluate its activities as a
service to the organization.
- Include examining an operation’s compliance with organizational policies, reviewing the organization’s compliance
with legal obligations, evaluating operational efficiency, and detecting and pursuing fraud WITHIN the firm.
External Audits vs. Internal Audits
Feature | External Audit | Internal Audit
Purpose | Provides independent assurance on FS | Improve internal controls, risk management, and operations
Conducted By | Independent CPA | In-house Audit Team or Outsourced Professionals
Focus | Accuracy of FS and Compliance with standards (GAAP, PFRS) | Operational Efficiency, Risk Assessment, and Fraud Prevention
Reporting To | Shareholders, Investors, Creditors, and Other External Stakeholders | Management and Board of Directors
Fraud Audits
- a specialized audit conducted to detect, investigate, and prevent fraud within an organization.
- OBJECTIVE: Investigate anomalies and gather evidence of fraud that may lead to criminal conviction.
THE ROLE OF THE AUDIT COMMITTEE
- The Board of Directors of publicly traded companies form a subcommittee known as the audit committee, which
has special responsibilities regarding audits.
- This committee usually consists of three people who should be outsiders.
- At least one member of the audit committee must be a “financial expert”.
FINANCIAL AUDIT COMPONENTS
- The product of the attestation function is a formal written report that expresses an opinion about the reliability of the assertions contained in
the financial statements.
- This introduces the concept of an audit as a formal process resulting in a written report assessing the reliability of financial statement assertions.
Auditing Standards
- Auditing standards are divided into three classes: general qualification standards, field work standards, and reporting standards.
- The text explains that GAAS provide a framework but lack specific details.
Systematic Process
- Conducting an audit is a systematic and logical process that applies to all forms of information systems.
- A logical framework for conducting an audit in the IT environment is critical to help the auditor identify all-important processes and data files.
Management Assertions and Audit Objectives
- The organization's financial statements reflect a set of management assertions about the financial health of the entity.
- The task of the auditor is to determine whether the financial statements are fairly presented.
Management assertions fall into five general categories:
1. The existence or occurrence assertion affirms that all assets and equities contained in the balance sheet exist and that all transactions in the
income statement actually occurred.
2. The completeness assertion declares that no material assets, equities, or transactions have been omitted from the financial statements.
3. The rights and obligations assertion maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities
reported are obligations.
4. The valuation or allocation assertion states that assets and equities are valued in accordance with GAAP and that allocated amounts such as
depreciation expense are calculated on a systematic and rational basis.
5. The presentation and disclosure assertion alleges that financial statement items are correctly classified (e.g., long-term liabilities will not
mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements.
Obtaining evidence
- Auditors seek evidential matter that corroborates management assertions.
- Evidence is collected by performing tests of controls, which establish whether internal controls are functioning properly, and substantive
tests, which determine whether accounting databases fairly reflect the organization's transactions and account balances.
AUDIT RISK
- Audit risk is the risk that auditors issue an incorrect audit opinion on the audited financial statements.
- It is also defined as the probability that the auditor will issue an unqualified opinion on materially misstated financial statements.
Inherent risk - the risk that could not be protected against or detected by the entity’s internal control.
Control risk - the risk that current internal control could not detect, or fails to protect against, significant error or misstatement in the financial
statements.
Detection risk - the risk that the auditor fails to detect a material misstatement in the financial statements.
Audit Risk Model
Financial auditors use the audit risk components in a model to determine the scope, nature, and timing of substantive tests. The audit risk model is
FORMULA: AR = IR × CR × DR
Example:
AUDIT RISK | 5% | 5%
INHERENT RISK | 100% | 50%
CONTROL RISK | 100% | 50%
DETECTION RISK | 5% | 20%
THE IT AUDIT
The public expression of the auditor’s opinion is the culmination of a systematic financial audit process that involves three
conceptual phases: audit planning, tests of controls, and substantive testing. An IT audit focuses on the computer-based aspects
of an organization’s information system; and modern systems employ significant levels of technology. For example, transaction
processing is automated and performed in large part by computer programs. Similarly, source documents, journals, and ledgers that
traditionally were paper-based are now digitized and stored in relational databases. As we will see later, the controls over these
processes and databases become central issues in the financial audit process.
THE STRUCTURE OF AN IT AUDIT
Audit Planning
The first step in the IT audit is audit planning. Before the auditor can determine the nature and extent of the tests to perform, he or
she must gain a thorough understanding of the client’s business. A major part of this phase of the audit is the analysis of audit risk.
The auditor’s objective is to obtain sufficient information about the firm to plan the other phases of the audit. The risk analysis
incorporates an overview of the organization’s internal controls.
Tests of Controls
The objective of the tests of controls phase is to determine whether adequate internal controls are in place and functioning
properly. To accomplish this, the auditor performs various tests of controls. The evidence-gathering techniques used in this phase
may include both manual techniques and specialized computer audit techniques.
At the conclusion of the tests-of-controls phase, the auditor must assess the quality of the internal controls by assigning a level for
control risk. As previously explained, the degree of reliance that the auditor can ascribe to internal controls will affect the nature
and extent of substantive testing that needs to be performed.
Substantive Testing
The third phase of the audit process focuses on financial data. This phase involves a detailed investigation of specific account
balances and transactions through what are called substantive tests. For example, a customer confirmation is a substantive test
sometimes used to verify account balances. The auditor selects a sample of accounts receivable balances and traces these back
to their source, the customers, to determine if the amount stated is in fact owed by a bona fide customer. By so doing, the auditor
can verify the accuracy of each account in the sample. Based on such sample findings, the auditor is able to draw conclusions
about the fair value of the entire accounts receivable asset.
Some substantive tests are physical, labor-intensive activities, such as counting cash, counting inventories in the warehouse, and
verifying the existence of stock certificates in a safe. In an IT environment, the data needed to perform substantive tests (such as
account balances and names and addresses of individual customers) are contained in data files that often must be extracted using
Computer-Assisted Audit Tools and Techniques (CAATTs) software.
INTERNAL CONTROL
Organization management is required by law to establish and maintain an adequate system of internal control. Consider the
following Securities and Exchange Commission statement on this matter:
The establishment and maintenance of a system of internal control is an important management obligation. A fundamental aspect
of management’s stewardship responsibility is to provide shareholders with reasonable assurance that the business is adequately
controlled. Additionally, management has a responsibility to furnish shareholders and potential investors with reliable financial
information on a timely basis.
(Internal control is a system of policies, procedures, and processes implemented by an organization to ensure operational efficiency,
financial accuracy, regulatory compliance, and risk management. It helps safeguard assets, prevent fraud, and enhance the
reliability of financial reporting.)
INTERNAL CONTROL OBJECTIVES, PRINCIPLES, AND MODELS
An organization’s internal control system comprises policies, practices, and procedures to achieve four broad objectives:
1. To safeguard assets of the firm.
2. To ensure the accuracy and reliability of accounting records and information.
3. To promote efficiency in the firm’s operations.
4. To measure compliance with management’s prescribed policies and procedures.
MODIFYING PRINCIPLES
1. MANAGEMENT RESPONSIBILITY
2. METHODS OF DATA PROCESSING
3. LIMITATIONS
4. REASONABLE ASSURANCE
1. MANAGEMENT RESPONSIBILITY
- This concept holds that the establishment and maintenance of a system of internal control is a management responsibility.
2. METHODS OF DATA PROCESSING
- The internal control system should achieve the four broad objectives regardless of the data processing method used (whether
manual or computer based).
3. LIMITATIONS
- Every system of internal control has limitations on its effectiveness. These include (1) the possibility of error—no system is
perfect, (2) circumvention—personnel may circumvent the system through collusion or other means, (3) management override—
management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do
so, and (4) changing conditions—conditions may change over time so that existing effective controls may become ineffectual.
4. REASONABLE ASSURANCE
- The internal control system should provide reasonable assurance that the four broad objectives of internal control are met. This
reasonableness means that the cost of achieving improved control should not outweigh its benefits.
THE PDC MODEL
1. PREVENTIVE CONTROLS
2. DETECTIVE CONTROLS
3. CORRECTIVE CONTROLS
1. PREVENTIVE CONTROLS
- Prevention is the first line of defense in the control structure. Preventive controls are passive techniques designed to reduce the
frequency of occurrence of undesirable events.
2. DETECTIVE CONTROLS
- Detection of problems is the second line of defense. Detective controls are devices, techniques, and procedures designed to
identify and expose undesirable events that elude preventive controls.
3. CORRECTIVE CONTROLS
- Corrective actions must be taken to reverse the effects of detected errors. Detective controls identify undesirable events and
draw attention to the problem; corrective controls actually fix the problem.