While this course will not turn you into an information systems auditor, it will provide an overview of the key auditing standards, conceptual frameworks, IT infrastructures and auditing issues you are likely to face on medium to small company engagements. This course will benefit auditors of non-public companies as well as internal and external auditors working on internal control engagements under AS No. 5.
Objectives:
Prerequisite: Prior auditing experience and familiarity with COSO.
732552
Course Overview
This course is important to CPAs, management and internal auditors in industry, and also for CPAs in public accounting who conduct audits of financial statements of both public and private companies. The course addresses both traditional internal control frameworks (COSO) and IT (information technology) control frameworks (e.g., CoBIT).
Numerous AICPA professional standards, including those on documentation, fraud, and IT, require the external auditor of both public and private companies to increase the auditor's competencies in the areas of forensic accounting, IT, and communications. Sarbanes-Oxley legislation requires management, internal auditors, and external auditors of publicly held companies to evaluate the effectiveness of internal control over financial reporting to prevent fraud and errors. For those control specialists associated with public corporations, this course will provide practical guidance on key aspects of implementing Sarbanes-Oxley Section 404. For auditors of small and midsized businesses, this course will also provide practical guidance to comply with various AICPA Statements on Auditing Standards (SAS) concerning fraud and IT.
This course addresses the types of IT and other controls that are needed in financial reporting systems to comply with both professional standards and federal legislation. Additionally, the course addresses common fraud techniques, methods to detect and prevent fraud, and forensic tools used to investigate fraud.
Course Objectives
The course objectives include the following:
Organization of the Course
This course has eight chapters. A summary of each chapter is presented below.
Chapter 1, Information Technology, Internal Control, Audits, and Fraud, addresses the evolution of professional standards on fraud and IT and the impact of these standards on practice. The impact of IT, internal controls, and fraud on small and midsized businesses is addressed. Historically, there has been an increased recognition by the profession of the need for practitioners to enhance their IT and forensic skills when auditing financial statements. The demand for auditors with these skills currently far outweighs the supply.
Chapter 2, Concepts of Internal Control over Financial Reporting, provides an overview of the COSO and CoBIT control frameworks. The impact of IT on the COSO components of internal controls is addressed in depth. Auditors of publicly held companies and members of corporations who are involved with Sarbanes-Oxley Section 404 certifications of internal control will benefit greatly from reading this chapter. Auditors of small and midsized entities will also learn how COSO is applied in these types of environments.
Chapter 3, Financial Reporting and Fraud Controls in Small and Midsized IT Systems, should be of interest to those involved with internal control in both public and private companies. A large company is composed of many smaller units and the control aspects in this chapter are important to this audience. This author has visited many large companies that have numerous subsidiaries with varying levels of control structures. General and application computer controls are addressed in this chapter and related to a variety of IT environments including LANs, DBMS, telecommunications, and end-user computing. The CoBIT framework is addressed and an appendix shows the relationships between AICPA control concepts, the CoBIT framework, and the COSO components.
Chapter 4, Electronic Evidence and Evolution of E-Commerce, is important to both members of management and control specialists who have e-commerce applications. There is an increasing use of e-commerce over the internet because it is a cost-effective way to conduct business transactions. An overview of e-commerce is provided in this section. Systems reliability assurance and WebTrust services are addressed to provide the reader with knowledge of CPA-provided services that enhance the integrity of electronic evidence and e-commerce. Also of interest in this chapter is a discussion of the relative competencies of electronic evidence. This discussion provides a conceptual framework of electronic evidence that can be applied to a variety of environments.
Chapter 5, Business-to-Business E-Commerce, addresses controls and risk concerns associated with those external IT areas that interface with the entity's internal IT systems. Many businesses conduct e-commerce and other financial transactions over a private network using EDI and Service Organizations. These entities might also use a virtual private network over the internet using an Internet Service Provider. This chapter also addresses the types of Service Auditor's reports that are issued by auditors on Service Organizations.
Chapter 6, E-Commerce: Fraud Prevention, addresses the risks of fraud when businesses and others employ the use of the internet to conduct business transactions. However, the internet is a public network and, unlike private networks, there are numerous risks to businesses that use the internet. This chapter addresses the risks associated with public networks and controls to mitigate the risks. Encryption, digital signatures, firewalls, and certificate authorities are highlighted as controls that help ensure the integrity of e-commerce transactions and provide protection over sensitive data.
Chapter 7, IT and Forensic Auditing Procedures, addresses both traditional and emerging IT methods to obtain evidence about financial statement assertions and suspicious fraudulent activity. An emphasis is placed on the audit of journal entries since both SAS No. 99 on fraud and recent fraud cases show the importance of an intense review of an entity's journal entries by external and internal auditors.
Chapter 8, Current and Emerging Fraud and IT Topics, addresses how to employ fraud detection techniques in an audit and/or forensic investigation. The role of the Internal Auditor in IT and in the overall control framework is discussed at length. The Internal Auditor provides an ongoing monitoring function in an entity and is seen as a valuable resource in preventing fraud. The implications of SAS No. 103 and IT on audit documentation are also discussed in addition to the AICPA's Top Ten Technologies.
Chapter 1 - Information Technology, Internal Control, Audits, and Fraud
Learning Objectives
After studying this unit you should be able to
Introduction
This course is directed towards managers, internal auditors, external auditors, and others associated with internal Information Technology (IT) controls of small to midsized businesses. Why should these individuals be interested in IT controls? Because the presence or absence of IT controls in many types of IT systems can either enhance or diminish the reliability of the financial reporting process. The benefits to businesses of producing accurate and reliable financial statements with a high degree of credibility have historically included lower interest rates, increased supplier and customer confidence in the continuity of the business, the ability to attract and retain high quality personnel, and the opportunity to obtain capital in public financial markets.
Why should small and midsized businesses now be focused on IT controls? Because many small and midsized businesses have adopted systems that are predominantly electronic in nature, and, in many instances, the traditional paper trail in the entity's subsystems has been eliminated. Small and midsized businesses are now facing IT control issues that larger organizations encountered over forty years ago.
Early IT systems were so expensive that they could only be purchased by large organizations. Some of the larger organizations achieved economies of scale by establishing service bureaus and sharing computing resources. Professional societies and government organizations soon established frameworks for IT controls over financial reporting for these larger organizations as these organizations were subject to strict regulatory guidelines. Small and midsized organizations did not adopt these standards as they either did not implement IT systems for major subsystems or the IT systems that they did adopt left an extensive paper trail. The external auditors adopted an "audit around the computer" approach with these types of systems.
