
Internal Control and IT: Reliable Reporting and Fraud Prevention

Author/Moderator: Glenn Helms, CPA, Ph.D., CISA, CIA
Publisher: AICPA
Availability: In Stock

Description

While this course will not turn you into an information systems auditor, it will provide an overview of the key auditing standards, conceptual frameworks, IT infrastructures and auditing issues you are likely to face on medium to small company engagements. This course will benefit auditors of non-public companies as well as internal and external auditors working on internal control engagements under AS No. 5.

Objectives: 

  • Review applicable IT related auditing standards, COSO Internal Control concepts and IT frameworks such as CobIT
  • Learn about financial reporting and fraud controls in small and midsized IT systems involving end-user computing, miniframes, LANs, Database Management Systems (DBMS) and/or telecommunications
  • Gain a basic understanding of business-to-business e-commerce, including fraud risks and controls
  • Address how to audit in the electronic environment: what is evidence, how to test IT controls and what documentation is needed

Prerequisite:  Prior auditing experience and familiarity with COSO.

Table of Contents

  • Chapter 0 - Overview
    • Course Overview
    • Course Objectives
    • Organization of the Course
  • Chapter 1 - Information Technology, Internal Control, Audits, and Fraud
    • Learning Objectives
    • Introduction
    • Evolution of Professional Standards on IT and Internal Control
      • SAP No. 29
      • SAP No. 39
      • SAS No. 1
      • SAS No. 55
    • Evolution of Professional Auditing Standards Related to Information Technology
      • Audit “Around the Computer”
      • Computer Control Guidelines
      • SAS No. 3
      • AU Section 324 (Previously Indexed as SAS No. 70)
      • AU Section 326 (Previously Indexed as SAS No. 106)
      • AU Section 339 (Previously Indexed as SAS No. 103)
      • Other Professional Guidance on Audit and Controls of IT Systems
      • Recent Pronouncements
    • The Evolution of Fraud and Error Prevention and Detection in IT Systems
      • Early 20th Century
      • Depression Era Changes
      • Treadway Commission
      • SAS No. 53 and AU Section 317 (Previously Indexed as SAS No. 54)
      • SAS No. 82
      • Panel on Audit Effectiveness
      • AU Section 316 (Previously Indexed as SAS No. 99)
    • Summary
  • Chapter 2 - Concepts of Internal Control over Financial Reporting
    • Learning Objectives
    • Introduction
    • Internal Control Components
      • Control Environment
      • Risk Assessment
      • Risk Assessment – Application to Small and Midsized Entities
      • Control Activities
      • Information and Communication
      • Monitoring
      • Summary – Internal Control/Context and Components
    • Effect of IT on Internal Control
      • Effect on COSO Components
      • Varied Effects on Transaction Processing
      • Benefits of IT for IC
      • Risks of IT for IC
    • Limitations of an Entity’s Internal Control
      • Errors and Mistakes
      • Fraud
    • Obtaining an Understanding of Internal Control
      • Extent of Understanding
      • IC Operating Effectiveness
      • Consideration of IT Risks
      • Specialized Skills
      • Procedures to Obtain an Understanding of Internal Control and Documentation
      • Assessing Control Risk
      • Performing Tests of Controls
    • Summary
  • Chapter 3 - Financial Reporting and Fraud Controls in Small and Midsized IT Systems
    • Learning Objectives
    • Introduction
    • Types of IT Controls
      • Application Controls
      • General Controls
    • IT General Controls
      • Organization and Operation Controls
      • Systems Development and Documentation Controls
      • Hardware and Systems Software Controls
      • Access Controls
      • Data and Procedural Controls
      • Physical Controls
    • Application Controls
      • Input Controls
      • Processing Controls
      • Output Controls
      • Audit Impact of a Weakness in Application Controls
    • Overview of Typical IT Systems in Small and Midsized Entities
      • Definitions
      • Typical IT Systems
      • Miniframes
      • Local Area Networks
      • End User Computing
      • Database Management Systems (DBMS)
      • Telecommunications
    • Summary
    • Appendix – COSO, AICPA IT Control Framework, and COBIT Frameworks
  • Chapter 4 - Electronic Evidence and Evolution of E-Commerce
    • Learning Objectives
    • Introduction
    • Financial Assertions and Evaluation of Evidence
      • Assertions
      • Nature of Evidence
      • Reliability of Audit Evidence
      • Sufficiency of Evidence
    • Evidence in the Electronic Environment
      • Evidence Defined
      • Electronic Evidence Defined
      • Auditor’s Use of Electronic Evidence
    • Overview of E-Commerce
      • Definition
      • E-Commerce Attributes
      • E-Commerce Risks
      • E-Commerce and Audits of Financial Statements
      • Emerging Assurance for E-Commerce Services
      • Non-CPA E-Commerce Assurance Services
    • Summary
  • Chapter 5 - Business-to-Business E-Commerce
    • Learning Objectives
    • Introduction
    • EDI Overview
      • Effect on Workflow
      • Risk Assessment
      • Testing Approach
      • EDI Transmission Phases
      • Types of Application Interfaces
      • Types of Data Communications Interfaces
      • Standard Formats
      • Typical EDI Transaction
      • EDI Benefits and Risks
      • Audit Planning Issues
      • EDI Compared to Traditional Computer Environments
    • Business-to-Business Exchanges
      • Service Organizations
      • Audit and Management Considerations if the Entity Uses a Service Organization
      • Additional Considerations in Using a Service Auditor’s Report
      • Service Auditor’s Responsibilities
      • Types of Service Auditor’s Reports
      • Responsibility of Service Organizations and Service Auditors with Respect to Subsequent Events
      • Written Representations of the Service Organization’s Management
      • Reporting on Substantive Procedures
    • Summary
    • Questions
  • Chapter 6 - E-Commerce: Fraud Prevention
    • Learning Objectives
    • Introduction
    • Business-to-Consumer E-Commerce
      • Online Banking
      • Consumer Payments
      • Digital Cash
      • Other Popular Payment Methods
    • Fraud Risks and Controls
      • Risks
      • Controls
    • Summary
    • Case 6-1 – Jean’s Cookie Company
      • Requirements
      • Narrative
      • Audit and Internal Control Implications
  • Chapter 7 - IT and Forensic Auditing Procedures
    • Learning Objectives
    • Introduction
    • Methods to Enhance Effectiveness and Efficiency in an Audit of Financial Statements
      • Planning
      • Consideration of Internal Control and Substantive Tests
      • Testing Controls
      • Reporting
    • Planning a CAAT Application
      • Accessing Client Data
    • Types of CAATs
      • Generalized Audit Software
      • Microsoft Office Programs
      • Automated Workpaper Software, Spreadsheet Software, and Database Management Systems
    • Testing IT Controls
      • Techniques for Program Analysis
      • Techniques for Program Testing
      • Techniques for Continuous Testing
      • Techniques for Review of Operating Systems and Other Systems Software
      • Analytical Review Procedures
      • Journal Entries
      • Documentation
    • Summary
  • Chapter 8 - Current and Emerging Fraud and IT Topics
    • Learning Objectives
    • Introduction
    • Internal Auditing
      • Understanding the Internal Audit Function
    • Assurance Services
    • Impact of Information Technology to Prevent Fraud
    • Wireless Technology
    • Documentation – Risks to CPAs in Industry and Public Accounting
      • AU Section 339
      • Retention of Electronic Documentation
      • Electronic Documentation – Confidentiality and Access
    • Outsourcing
    • Top Ten Technologies - Honorable Mention
    • Summary
  • Chapter 9 - Latest Developments
  • Appendix A - AU Section 314, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
  • Appendix B - AU Section 326, Audit Evidence

732554

Excerpts

Chapter 0 - Overview

Course Overview

This course is helpful to CPAs, management, and internal auditors in industry, and also for CPAs in public accounting who conduct audits of financial statements of both public and private companies. The course addresses both traditional internal control frameworks (COSO) and IT (information technology) control frameworks (e.g., CoBIT).

Numerous AICPA professional standards, including those on documentation, fraud, and IT, require the external auditor of both public and private companies to increase his or her competencies in the areas of forensic accounting, IT, and communications. Sarbanes-Oxley legislation requires management, internal auditors, and external auditors of publicly held companies to evaluate the effectiveness of internal control over financial reporting to prevent fraud and errors. For those control specialists associated with public corporations, this course will provide practical guidance on key aspects of implementing Sarbanes-Oxley Section 404. For auditors of small and midsized businesses, this course will also provide practical guidance to comply with various AICPA Statements on Auditing Standards (SAS) concerning fraud and IT.

This course addresses the types of IT and other controls that are needed in financial reporting systems to comply with both professional standards and federal legislation. Additionally, the course addresses common fraud techniques, methods to detect and prevent fraud, and forensic tools used to investigate fraud.

Course Objectives

The course objectives include the following:

• Understand applicable IT-related auditing standards, and IT control frameworks such as CoBIT.
• Identify the unique control and fraud risks and strengths of common business IT environments.
• Understand how to address control evaluation and audit issues arising from IT environments.
• Assess fraud risks to IT general and application controls.
• Understand end-user, LANs, DBMS, wireless, and e-commerce environments.
• Understand how much reliance to place on service organizations.
• Assess the competencies of electronic evidential matter.
• Obtain knowledge of traditional and emerging audit techniques.

Organization of the Course

This course has eight chapters. A summary of each chapter is presented below.

Chapter 1, Information Technology, Internal Control, Audits, and Fraud, addresses the evolution of professional standards on fraud and IT and the impact of these standards on practice. The impact of IT, internal controls, and fraud on small and midsized businesses is addressed. Over time, the profession has increasingly recognized that practitioners need to enhance their IT and forensic skills when auditing financial statements. The demand for auditors with these skills currently far outweighs the supply.

Chapter 2, Concepts of Internal Control over Financial Reporting, provides an overview of the COSO and CoBIT control frameworks. The impact of IT on the COSO components of internal controls is addressed in depth. Auditors of publicly held companies and members of corporations who are involved with Sarbanes-Oxley Section 404 certifications of internal control will benefit greatly from reading this chapter. Auditors of small and midsized entities will also learn how COSO is applied in these types of environments.

Chapter 3, Financial Reporting and Fraud Controls in Small and Midsized IT Systems, should be of interest to those involved with internal control in both public and private companies. Even large companies are composed of many smaller units and the control aspects in this chapter are important to this audience as well. General and application computer controls are addressed in this chapter and related to a variety of IT environments including LANs, DBMS, telecommunications, and end user computing. The CoBIT framework is addressed and an appendix shows the relationships between AICPA control concepts, the CoBIT framework, and the COSO components.

Chapter 4, Electronic Evidence and Evolution of E-Commerce, is important to both members of management and control specialists who have e-commerce applications. There is an increasing use of e-commerce over the Internet because it is a cost-effective way to conduct business transactions. An overview of e-commerce is provided in this chapter. Systems reliability assurance and WebTrust services are addressed to provide the reader with knowledge of CPA-provided services that enhance the integrity of electronic evidence and e-commerce. Also of interest in this chapter is a discussion of the relative competencies of electronic evidence. This discussion provides a conceptual framework of electronic evidence that can be applied to a variety of environments.

Chapter 5, Business-to-Business E-Commerce, addresses controls and risk concerns associated with those external IT areas that interface with the entity’s internal IT systems. Many businesses conduct e-commerce and other financial transactions over a private network using EDI and Service Organizations. These entities might also use a virtual private network over the Internet using an Internet service provider. This chapter also addresses the types of service auditor’s reports that are issued by auditors on service organizations.

Chapter 6, E-Commerce: Fraud Prevention, addresses the risks of fraud when businesses and others use the Internet to conduct business transactions. Unlike a private network, the Internet is a public network, and businesses that use it face numerous additional risks. This chapter addresses the risks associated with public networks and controls to mitigate those risks. Encryption, digital signatures, firewalls, and certificate authorities are highlighted as controls that help ensure the integrity of e-commerce transactions and provide protection over sensitive data.

Chapter 7, IT and Forensic Auditing Procedures, addresses both traditional and emerging IT methods to obtain evidence about financial statement assertions and suspicious fraudulent activity. An emphasis is placed on the auditing of journal entries, since both AU Section 316 (previously indexed as SAS No. 99) and recent fraud cases show the importance of an intense review of an entity’s journal entries by external and internal auditors.
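As an added example (not part of the course text or the author's materials), the following script shows the kind of journal-entry screen a generalized audit software or spreadsheet CAAT applies when following AU Section 316. It flags the characteristics that standard lists for journal entries warranting follow-up: entries posted by people who do not normally make entries, entries to seldom-used accounts, round-dollar amounts, manual (top-side) entries at period end, entries without a description, and entries posted on non-business days. The journal extract, the authorized-preparer list, the period end and the round-amount threshold are all constructed assumptions for illustration.

```python
"""
Added example (not from the AICPA course): a CAAT-style screen of a
general-ledger journal extract for the AU Section 316 (formerly SAS No. 99)
journal-entry fraud characteristics.  All data below is constructed.
"""
from collections import Counter
from datetime import date

# Constructed journal extract (assumption: one record per entry, already
# exported from the client's general ledger into a flat structure).
JOURNAL = [
    {"je": 1001, "posted": date(2009, 3, 2), "user": "aclerk", "account": "2000 Accounts Payable",
     "amount": 2500.00, "manual": False, "memo": "Vendor invoice 4471"},
    {"je": 1002, "posted": date(2009, 3, 28), "user": "aclerk", "account": "2000 Accounts Payable",
     "amount": 1300.55, "manual": False, "memo": "Vendor invoice 4502"},
    {"je": 1003, "posted": date(2009, 3, 31), "user": "cfo", "account": "4000 Sales Revenue",
     "amount": 50000.00, "manual": True, "memo": ""},
    {"je": 1004, "posted": date(2009, 3, 31), "user": "controller", "account": "1200 Accounts Receivable",
     "amount": 50000.00, "manual": True, "memo": "Reclass per CFO"},
    {"je": 1005, "posted": date(2009, 3, 18), "user": "itadmin", "account": "6500 Office Supplies",
     "amount": 842.17, "manual": True, "memo": "Supplies"},
]

# Assumed list of people who normally prepare journal entries (from the
# client's documented procedures in a real engagement).
AUTHORIZED_USERS = {"aclerk", "controller"}
PERIOD_END = date(2009, 3, 31)  # assumed fiscal period end


def screen_entries(entries, authorized_users, period_end, round_to=1000):
    """Return {je_id: [flag, ...]} for every entry in the extract.

    Each flag corresponds to one AU 316 characteristic; the round-amount
    threshold (round_to) is an assumed engagement parameter.
    """
    # "Seldom-used account" is derived from the extract itself: an account
    # touched by only one entry in the period.
    account_use = Counter(e["account"] for e in entries)
    results = {}
    for e in entries:
        flags = []
        if e["posted"].weekday() >= 5:                       # Saturday/Sunday posting
            flags.append("weekend")
        if e["user"] not in authorized_users:                # atypical preparer
            flags.append("unauthorized_user")
        if e["amount"] >= round_to and e["amount"] % round_to == 0:
            flags.append("round_amount")                     # round-dollar amount
        if e["manual"] and e["posted"] == period_end:        # top-side entry at period end
            flags.append("period_end_manual")
        if not e["memo"].strip():                            # no explanation
            flags.append("no_description")
        if account_use[e["account"]] == 1:                   # seldom-used account
            flags.append("seldom_used_account")
        results[e["je"]] = flags
    return results


def rank_for_followup(results):
    """Entry ids with at least one flag, most flags first (ties by id)."""
    return sorted((je for je, f in results.items() if f),
                  key=lambda je: (-len(results[je]), je))


if __name__ == "__main__":
    flagged = screen_entries(JOURNAL, AUTHORIZED_USERS, PERIOD_END)
    for je in rank_for_followup(flagged):
        print(je, ", ".join(flagged[je]))
```

A screen like this only selects entries for substantive follow-up (vouching to support, inquiry of the preparer); it is not itself evidence that an entry is improper, and the weighting of flags is an engagement judgment rather than something the standard prescribes.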

Chapter 8, Current and Emerging Fraud and IT Topics, addresses how to employ fraud detection techniques in an audit and/or forensic investigation. The role of the Internal Auditor in IT and in the overall control framework is discussed at length. The Internal Auditor provides an ongoing monitoring function in an entity and is seen as a valuable resource in preventing fraud. The implications of AU Section 339 (previously indexed as SAS No. 103) and IT on audit documentation are also discussed in addition to the AICPA’s Top Ten Technologies.

Chapter 1 - Information Technology, Internal Control, Audits, and Fraud

Learning Objectives

After reading this chapter you should be able to

• Understand the evolution of auditing standards on internal control.
• Understand the evolution of auditing standards related to information technology.
• Understand the evolution of fraud and error prevention and detection in IT systems.

Introduction

This course is directed towards managers, internal auditors, external auditors, and others associated with internal Information Technology (IT) controls of small to midsized businesses. Why should these individuals be interested in IT controls? Because the presence or absence of IT controls in many types of IT systems can either enhance or diminish the reliability of the financial reporting process. The benefits to businesses of producing accurate and reliable financial statements with a high degree of credibility have historically been associated with increased supplier and customer confidence in the continuity of the business, the ability to attract and retain high quality personnel, and the opportunity to obtain capital in public financial markets.

Why should small and midsized businesses now be focused on IT controls? Because many small and midsized businesses have adopted systems that are predominately electronic in nature, and, in many instances, the traditional paper trail in the entity’s subsystems has been eliminated. Small and midsized businesses are now facing IT control issues that larger organizations have had for the past forty years or so.

Early IT systems were so expensive that they could only be purchased by large organizations. Some of the larger organizations achieved economies of scale by establishing service bureaus and sharing computing resources. Professional societies and government organizations soon established frameworks for IT controls over financial reporting for these larger organizations, as these organizations were subject to strict regulatory guidelines. Small and midsized organizations did not adopt these standards, as they either did not implement IT systems for major subsystems or the IT systems that they did adopt left an extensive paper trail. With these types of systems, external auditors took an “audit around the computer” approach.

The conceptual frameworks for IT controls for large organizations were focused primarily on IT systems that consisted of large mainframes, physically secured from outsiders by strong physical controls. These systems also were logically secured from outsiders, as they were not connected to exterior networks. These systems were characterized by large amounts of batch processing. Other characteristics of these systems for large organizations are addressed later in this course, as many entities still have these types of IT systems. It must be stressed, however, that the early IT control framework over financial reporting for most of the last century was based upon a large organization with in-house processing. This is not the case for many small and midsized businesses that use local area networks connected by gateways to the Internet. It is also not the case for other small businesses that use a midsized computer within the company that is not connected to the Internet but which, unlike the older mainframe systems, is not batch-oriented and does not leave the traditional paper audit trail.

This course will address IT control frameworks for traditional, current, and emerging IT systems. The objective of this course is to present as many of the variants of IT systems found in small and midsized businesses as possible, and then address the controls that should enhance the reliability of financial reporting in each type of system. Some small businesses might have a general ledger system that is not integrated with major subsystems and requires journal entries to be prepared manually and then entered into the system. Other entities could have an e-commerce application that is integrated with the financial reporting process but have payroll outsourced to a third party service provider. This course will address the major IT controls for the myriad types of systems that exist in small and midsized businesses.

This course will also address fraud concepts and fraud standards and how they relate to IT. It will be shown that controls that aid in establishing a strong internal control system also help mitigate fraud risk. Audit procedures and controls that aid in detecting and preventing fraud will be addressed.

The objective of this chapter is to provide an introduction and overview of the major topics addressed in this course. Additionally, an historical overview of internal control, IT controls, and fraud standards will be presented to show how these topics have evolved to be some of the most important topics to the profession today.


Videocourse Details

NASBA Field of Study: Accounting and Auditing
Level: Intermediate
Recommended CPE Credit: 10 (Accounting-8, Auditing-2)
INTERNAL CONTROL AND IT: RELIABLE REPORTING TX09
Text
Product# 732554
Availability: In Stock
Regular: $186.25
AICPA Member: $149.00
Your Price: $186.25
Choose the Standing Order Option and get these discounts on your initial purchase:

Publications--10% discount
CPE Self-Study--20% discount

Each new future annual edition will then be automatically shipped to you at a 10% discount.