Internal Control and IT: Reliable Reporting and Fraud Prevention

Author/Moderator: Glenn Helms, CPA, Ph.D., CISA, CIA
Publisher: AICPA

Description

While this course will not turn you into an information systems auditor, it will provide an overview of the key auditing standards, conceptual frameworks, IT infrastructures and auditing issues you are likely to face on medium to small company engagements. This course will benefit auditors of non-public companies as well as internal and external auditors working on internal control engagements under AS No. 5.

Objectives: 

  • Review applicable IT-related auditing standards, COSO Internal Control concepts and IT frameworks such as CobIT
  • Learn about financial reporting and fraud controls in small and midsized IT systems involving end-user computing, miniframes, LANs, Data Base Management Systems (DBMS) and/or telecommunications
  • Gain a basic understanding of business-to-business e-commerce, including fraud risks and controls
  • Address how to audit in the electronic environment: what is evidence, how to test IT controls and what documentation is needed

Prerequisite:  Prior auditing experience and familiarity with COSO.

Table of Contents

  • Overview
    • Course Overview
    • Course Objectives
    • Organization of the Course
  • Chapter 1 - Information Technology, Internal Control, Audits, and Fraud
    • Learning Objectives
    • Introduction
    • Evolution of Professional Standards on IT and Internal Control
      • SAP No. 29
      • SAP No. 39
      • SAS No. 1
      • SAS No. 55
    • Evolution of Professional Auditing Standards Related to Information Technology
      • Audit "Around the Computer"
      • Computer Control Guidelines
      • SAS No. 3
      • SAS No. 70
      • SAS No. 80
      • SAS No. 103
      • Other Professional Guidance on Audit and Controls of IT Systems
      • Recent Pronouncements
    • The Evolution of Fraud and Error Prevention and Detection in IT Systems
      • Early 20th Century
      • Depression Era Changes
      • Treadway Commission
      • SAS Nos. 53 and 54
      • SAS No. 82
      • Panel on Audit Effectiveness
      • SAS No. 99
    • Summary
  • Chapter 2 - Concepts of Internal Control over Financial Reporting
    • Learning Objectives
    • Introduction
    • Internal Control Components
      • Control Environment
      • Risk Assessment
      • Risk Assessment - Application to Small and Midsized Entities
      • Control Activities
      • Information and Communication
      • Monitoring
      • Summary - Internal Control/Context and Components
    • Effect of IT on Internal Control
      • Effect on COSO Components
      • Varied Effects on Transaction Processing
      • Benefits of IT for IC
      • Risks of IT for IC
    • Limitations of an Entity's Internal Control
      • Errors and Mistakes
      • Fraud
    • Obtaining an Understanding of Internal Control
      • Extent of Understanding
      • IC Operating Effectiveness
      • Consideration of IT Risks
      • Specialized Skills
      • Procedures to Obtain an Understanding of Internal Control and Documentation
      • Assessing Control Risk
      • Performing Tests of Controls
    • Summary
  • Chapter 3 - Financial Reporting and Fraud Controls in Small and Midsized IT Systems
    • Learning Objectives
    • Introduction
    • Types of IT Controls
      • Application Controls
      • General Controls
    • IT General Controls
      • Organization and Operation Controls
      • Systems Development and Documentation Controls
      • Hardware and Systems Software Controls
      • Access Controls
      • Data and Procedural Controls
      • Physical Controls
    • Application Controls
      • Input Controls
      • Processing Controls
      • Output Controls
      • Audit Impact of a Weakness in Application Controls
    • Overview of Typical IT Systems in Small and Midsized Entities
      • Definitions
      • Typical IT Systems
      • Miniframes
      • Local Area Networks
      • End User Computing
      • Database Management Systems (DBMS)
      • Telecommunications
    • Summary
    • Appendix - COSO, AICPA IT Control Framework, and COBIT Frameworks
  • Chapter 4 - Electronic Evidence and Evolution of E-Commerce
    • Learning Objectives
    • Introduction
    • Financial Assertions and Evaluation of Evidence
      • Assertions
      • Nature of Evidence
      • Competence of Evidence
      • Sufficiency of Evidence
    • Evidence in the Electronic Environment
      • Evidence Defined
      • Electronic Evidence Defined
      • Auditor's Use of Electronic Evidence
    • Overview of E-Commerce
      • Definition
      • E-Commerce Attributes
      • E-Commerce Risks
      • E-Commerce and Audits of Financial Statements
      • Emerging Assurance for E-Commerce Services
      • Non-CPA E-Commerce Assurance Services
    • Summary
  • Chapter 5 - Business-to-Business E-Commerce
    • Learning Objectives
    • Introduction
    • EDI Overview
      • Effect on Workflow
      • Risk Assessment
      • Testing Approach
      • EDI Transmission Phases
      • Types of Application Interfaces
      • Types of Data Communications Interfaces
      • Standard Formats
      • Typical EDI Transaction
      • EDI Benefits and Risks
      • Audit Planning Issues
      • EDI Compared to Traditional Computer Environments
    • Business-to-Business Exchanges
    • Transaction Processing by Service Organizations
      • Audit and Management Considerations if the Entity Uses a Service Organization
      • Types of Service Auditor's Reports
      • Service Organization's Description of Controls
      • Information Provided by the Service Auditor
      • Other Matters
    • Summary
    • Questions
    • Appendix - Get Ready for the World of B2B
      • Executive Summary
      • B2B Volume Will Grow - But How Much, How Fast?
      • Covering the Basics
      • Helping Small Businesses Move Ahead
      • What Bigger Clients Need to Know
      • Back When B2B Was Cool
  • Chapter 6 - E-Commerce: Fraud Prevention
    • Learning Objectives
    • Introduction
    • Business-to-Consumer E-Commerce
      • Online Banking
      • Consumer Payments
      • Digital Cash
      • Other Popular Payment Methods
    • Fraud Risks and Controls
      • Risks
      • Controls
    • Summary
    • Case 6-1 - Jean's Cookie Company
      • Requirements
      • Narrative
      • Audit and Internal Control Implications
  • Chapter 7 - IT and Forensic Auditing Procedures
    • Learning Objectives
    • Introduction
    • Methods to Enhance Effectiveness and Efficiency in an Audit of Financial Statements
      • Planning
      • Consideration of Internal Control and Substantive Tests
      • Testing Controls
      • Reporting
    • Planning a CAAT Application
      • Accessing Client Data
    • Types of CAATs
      • Generalized Audit Software
      • Microsoft Office Programs
      • Automated Workpaper Software, Spreadsheet Software, and Database Management Systems
    • Testing IT Controls
      • Techniques for Program Analysis
      • Techniques for Program Testing
      • Techniques for Continuous Testing
      • Techniques for Review of Operating Systems and Other Systems Software
      • Analytical Review Procedures
      • Journal Entries
      • Documentation
    • Summary
  • Chapter 8 - Current and Emerging Fraud and IT Topics
    • Learning Objectives
    • Introduction
    • Internal Auditing
      • Understanding the Internal Audit Function
    • Assurance Services
    • Impact of Information Technology to Prevent Fraud
    • Wireless Technology
    • Documentation - Risks to CPAs in Industry and Public Accounting
      • SAS No. 103
      • Retention of Electronic Documentation
      • Electronic Documentation - Confidentiality and Access
    • Outsourcing
    • Top Ten Technologies
    • Honorable Mention
    • Summary
  • Chapter 9 - Ethics Focus: Accounting and Auditing
    • Ethics Overview
    • Recent Developments
    • Spotlight on Independence
    • Key Ethical Dilemmas
    • Addressing Ethical Dilemmas
    • Available Resources
  • Chapter 10 - Latest Developments
  • Appendix A - Consideration of Internal Control in a Financial Statement Audit
  • Appendix B - Evidential Matter
  • Appendix C - Case Study: Fawn Exercise Products, Inc.

732552

Excerpts

Overview

Course Overview

This course is important to CPAs, management and internal auditors in industry, and also for CPAs in public accounting who conduct audits of financial statements of both public and private companies. The course addresses both traditional internal control frameworks (COSO) and IT (information technology) control frameworks (e.g., CoBIT).

Numerous AICPA professional standards, including those on documentation, fraud, and IT, require the external auditor of both public and private companies to increase the auditor's competencies in the areas of forensic accounting, IT, and communications. Sarbanes-Oxley legislation requires management, internal auditors, and external auditors of publicly held companies to evaluate the effectiveness of internal control over financial reporting to prevent fraud and errors. For those control specialists associated with public corporations, this course will provide practical guidance on key aspects of implementing Sarbanes-Oxley Section 404. For auditors of small and midsized businesses, this course will also provide practical guidance to comply with various AICPA Statements on Auditing Standards (SAS) concerning fraud and IT.

This course addresses the types of IT and other controls that are needed in financial reporting systems to comply with both professional standards and federal legislation. Additionally, the course addresses common fraud techniques, methods to detect and prevent fraud, and forensic tools used to investigate fraud.

Course Objectives

The course objectives include the following:

  • Understand applicable IT-related auditing standards, and IT control frameworks such as CoBIT.
  • Identify the unique control and fraud risks and strengths of common business IT environments.
  • Understand how to address control evaluation and audit issues arising from IT environments.
  • Assess fraud risks to IT general and application controls.
  • Understand end-user, LANs, DBMS, wireless and E-commerce environments.
  • Understand how much reliance to place on service organizations.
  • Assess the competencies of electronic evidential matter.
  • Obtain knowledge of traditional and emerging audit techniques.

Organization of the Course

This course has eight chapters. A summary of each chapter is presented below.

Chapter 1, Information Technology, Internal Control, Audits, and Fraud, addresses the evolution of professional standards on fraud and IT and the impact of these standards on practice. The impact of IT, internal controls, and fraud on small and midsized businesses is addressed. Historically, there has been an increased recognition by the profession for practitioners to enhance their IT and forensic skills when auditing financial statements. The demand for auditors with these skills currently far outweighs the supply.

Chapter 2, Concepts of Internal Control over Financial Reporting, provides an overview of the COSO and CoBIT control frameworks. The impact of IT on the COSO components of internal controls is addressed in depth. Auditors of publicly held companies and members of corporations who are involved with Sarbanes-Oxley Section 404 certifications of internal control will benefit greatly from reading this chapter. Auditors of small and midsized entities will also learn how COSO is applied in these types of environments.

Chapter 3, Financial Reporting and Fraud Controls in Small and Midsized IT Systems, should be of interest to those involved with internal control in both public and private companies. A large company is composed of many smaller units and the control aspects in this chapter are important to this audience. This author has visited many large companies who have numerous subsidiaries with varying levels of control structures. General and application computer controls are addressed in this chapter and related to a variety of IT environments including LANs, DBMS, Telecommunications, and End-user computing. The CoBIT framework is addressed and an appendix shows the relationships between AICPA control concepts, the CoBIT framework, and the COSO components.

Chapter 4, Electronic Evidence and Evolution of E-Commerce, is important to both members of management and control specialists that have e-commerce applications. There is an increasing use of e-commerce over the internet due to its being a cost-effective way to conduct business transactions. An overview of e-commerce is provided in this section. Systems reliability assurance and WebTrust services are addressed to provide the reader with knowledge of CPA provided services that enhance the integrity of electronic evidence and e-commerce. Also of interest in this chapter is a discussion of the relative competencies of electronic evidence. This discussion provides a conceptual framework of electronic evidence that can be applied to a variety of environments.

Chapter 5, Business-to-Business E-Commerce, addresses controls and risk concerns associated with those external IT areas that interface with the entity's internal IT systems. Many businesses conduct e-commerce and other financial transactions over a private network using EDI and Service Organizations. These entities might also use a virtual private network over the internet using an Internet Service Provider. This chapter also addresses the types of Service Auditor's reports that are issued by auditors on Service Organizations.

Chapter 6, E-Commerce: Fraud Prevention, addresses the risks of fraud when businesses and others use the internet to conduct business transactions. The internet is a public network and, unlike private networks, there are numerous risks to businesses that use the internet. This chapter addresses the risks associated with public networks and controls to mitigate the risks. Encryption, digital signatures, firewalls, and certificate authorities are highlighted as controls that help ensure the integrity of e-commerce transactions and provide protection over sensitive data.

Chapter 7, IT and Forensic Auditing Procedures, addresses both traditional and emerging IT methods to obtain evidence about financial statement assertions and suspicious fraudulent activity. An emphasis is placed on the audit of journal entries since both SAS No. 99 on fraud and recent fraud cases show the importance of an intense review of an entity's journal entries by external and internal auditors.

Chapter 8, Current and Emerging Fraud and IT Topics, addresses how to employ fraud detection techniques in an audit and/or forensic investigation. The role of the Internal Auditor in IT and in the overall control framework is discussed at length. The Internal Auditor provides an ongoing monitoring function in an entity and is seen as a valuable resource in preventing fraud. The implications of SAS No. 103 and IT on audit documentation are also discussed in addition to the AICPA's Top Ten Technologies.

Chapter 1 - Information Technology, Internal Control, Audits, and Fraud

Learning Objectives

After studying this unit you should be able to:

  • Understand the evolution of auditing standards on internal control.
  • Understand the evolution of auditing standards related to Information Technology.
  • Understand the evolution of fraud and error prevention and detection in IT systems.

Introduction

This course is directed towards managers, internal auditors, external auditors, and others associated with internal Information Technology (IT) controls of small to midsized businesses. Why should these individuals be interested in IT controls? Because the presence or absence of IT controls in many types of IT systems can either enhance or diminish the reliability of the financial reporting process. For businesses, producing accurate and reliable financial statements with a high degree of credibility has historically been associated with lower interest rates, increased supplier and customer confidence in the continuity of the business, the ability to attract and retain high quality personnel, and the opportunity to obtain capital in public financial markets.

Why should small and midsized businesses now be focused on IT controls? Because many small and midsized businesses have adopted systems that are predominately electronic in nature, and, in many instances, the traditional paper trail in the entity's subsystems has been eliminated. Small and midsized businesses are now facing IT control issues that larger organizations encountered over forty years ago.

Early IT systems were so expensive that they could only be purchased by large organizations. Some of the larger organizations achieved economies of scale by establishing service bureaus and sharing computing resources. Professional societies and government organizations soon established frameworks for IT controls over financial reporting for these larger organizations as these organizations were subject to strict regulatory guidelines. Small and midsized organizations did not adopt these standards as they either did not implement IT systems for major subsystems or the IT systems that they did adopt left an extensive paper trail. The external auditors adopted an "audit around" the computer approach with these types of systems.

Videocourse Details

NASBA Field of Study: Auditing
Level: Intermediate
Recommended CPE Credit: 10
INTERNAL CONTROL AND IT: RELIABLE REPORTING TX07
Text
Product# 732553
Regular: $181.25
AICPA Member: $145.00
Choose the Standing Order Option and get these discounts on your initial purchase:

Publications--10% discount
CPE Self-Study--20% discount

Each new future annual edition will then be automatically shipped to you at a 10% discount.