Sarbanes-Oxley and IT Governance

avatar
Created by
billy

Cards (77)

  • An __ is an independent attestation performed by an expert-the auditor-who expresses an opinion regarding the presentation of financial statements.
    External Audit
  • The CPA's role is to collect and evaluate evidence and thus render an opinion. A key concept in this process is independence.
  • The product of the attestation function is a formal written report that expresses an opinion as to whether the financial statements are in conformity with generally accepted accounting principles (GAAP).
  • __ of the financial statements are presumed to rely on the auditor's opinion about the reliability of financial statements in making decisions.
    External Users
  • Auditors are guided in their professional responsibility by the 10 generally accepted auditing standards (GAAS).
  • Generally Accepted Auditing Standards: (General Standards)
    1. The auditor must have adequate technical training and proficiency;
    2. The auditor must have independence of mental attitude;
    3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report.
  • GAAS (Standards of Field Work):
    1. Audit work must be adequately planned;
    2. The auditor must gain a sufficient understanding of internal control structure;
    3. The auditor must obtain sufficient, competent evidence.
  • GAAS (Standards of Field Work):
    1. Audit work must be adequately planned;
    2. The auditor must gain a sufficient understanding of internal control structure;
    3. The auditor must obtain sufficient, competent evidence.
  • GAAS (Reporting Standards):
    1. The auditor must state in the report whether financial statements were prepared in accordance with generally accepted accounting principles;
    2. The report must identify those circumstances in which generally accounting principles were not applied;
    3. The report must identify any items that do not have adequate informative disclosures.
    4. The report shall contain an expression of the auditor's opinion on the financial statements as a whole.
  • To provide specific guidance the AICPA issues Statements on Auditing Standards (SASs) as authoritative interpretations of GAAS.
  • The first SAS was issued by the AICPA in 1972.
  • SASs are regarded as authoritative pronouncements because every member of the profession must follow their recommendations or be able to show why a SAS does not apply in a given situation.
  • Conducting an audit is a systematic and logical process that consists of three conceptual phases:
    1. Audit Planning;
    2. Tests of Controls; and
    3. Substantive Testing
  • The first phase of the audit is __. Before the auditor can determine the nature and extent of the tests to be performed, he or she must gain a thorough understanding of the client's business. The auditor's objective at this point is to obtain sufficient information about the firm to plan the other phases of the audit.
    Audit Planning
  • During the audit planning, the auditor attempts to understand the
    organization's policies, practices, and structure.
  • The objective of the tests of control phase is to determine whether adequate internal controls are in place and functioning properly.
  • The evidence-gathering techniques used in this phase include both manual techniques and specialized computer audit techniques known as computer-assisted audit tools and techniques (CAATTs)
  • At the conclusion of the tests-of-controls phase, the auditor assess the quality of the internal controls by assigning a level for control risk.
  • The third phase of the audit process focuses on gathering evidence pertaining to financial data. This phase involves a detailed investigation of specific account balances and transactions through what we are called substantive tests.
  • Substantive tests tend to be physical, labor-intensive activities such as counting cash, counting inventories in a warehouse, and verifying the existence of stock certificates in a safe.
  • Management assertions are claims made by management regarding the content of their issued financial statements.
  • Implicitly management asserts that account balances and underlying transactions are free from material errors and are complete, valid, and accurate.
  • The auditors develop audit objectives and design audit procedures to gather evidence that corroborates or refutes management's assertions.
  • Audit risk is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated because of undetected errors or irregularities or both.
  • Errors are unintentional mistakes.
  • Irregularities are intentional misrepresentations associated with the commission of a fraud, such as misappropriation of physical assets and attempts to deceive financial statement users.
  • The auditor estimates acceptable audit risk (AR) based on the ex ante value of the components of the audit risk model - inherent risk, control risk, and detection risk.
  • Inherent risk is associated with the unique characteristics of the business or industry of the client.
  • Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts.
  • Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also go undetected by the auditor as he or she performs substantive tests.
  • Upon completion of the audit, the auditor submits an audit report to the audit committee of the board of directors.
  • The audit report includes an opinion on the fair presentation of the financial statements and an opinion on the quality of internal controls over financial reporting.
  • A single material weakness in the internal controls requires the auditor to issue a qualified opinion regarding internal controls over financial reporting.
  • SOX of 2002 established corporate governance regulations and standards for public companies registered with the SEC.
  • Section 302 requires corporate management, including the CEO, to certify financial and other information contained in the organization's quarterly and annual reports.
  • Section 404 requires the management of public companies to assess the effectiveness of their organization's internal controls over financial reporting.
  • The PCAOB Auditing Standard No. 5 endorses the use of COSO as the framework for control assessment.
  • Application controls ensure the validity, completeless, and accuracy of financial transactions.
  • IT general controls are so named because they are not application-specific, but rather apply to all systems.
  • The topic of computer fraud falls within the management and audit responsibilities specified by SOX.