Chapter 0 - Overview
Course Overview
This course is helpful to CPAs, management, and internal auditors in industry, and also for CPAs
in public accounting who conduct audits of financial statements of both public and private
companies. The course addresses both traditional internal control frameworks (COSO) and IT
(information technology) control frameworks (e.g., CoBIT).
Numerous AICPA professional standards, including those on documentation, fraud, and IT,
require the external auditor of both public and private companies to increase his or her
competencies in the areas of forensic accounting, IT, and communications. Sarbanes-Oxley
legislation requires management, internal auditors, and external auditors of publicly held
companies to evaluate the effectiveness of internal control over financial reporting to prevent
fraud and errors. For those control specialists associated with public corporations, this course
will provide practical guidance on key aspects of implementing Sarbanes-Oxley Section 404.
For auditors of small and midsized businesses, this course will also provide practical guidance to
comply with various AICPA Statements on Auditing Standards (SAS) concerning fraud and IT.
This course addresses the types of IT and other controls that are needed in financial reporting
systems to comply with both professional standards and federal legislation. Additionally, the
course addresses common fraud techniques, methods to detect and prevent fraud, and forensic
tools used to investigate fraud.
Course Objectives
The course objectives include the following:
• Understand applicable IT-related auditing standards, and IT control frameworks such as
CoBIT.
• Identify the unique control and fraud risks and strengths of common business IT
environments.
• Understand how to address control evaluation and audit issues arising from IT
environments.
• Assess fraud risks to IT general and application controls.
• Understand end-user, LANs, DBMS, wireless, and e-commerce environments.
• Understand how much reliance to place on service organizations.
• Assess the competencies of electronic evidential matter.
• Obtain knowledge of traditional and emerging audit techniques.
Organization of the Course
This course has eight chapters. A summary of each chapter is presented below.
Chapter 1, Information Technology, Internal Control, Audits, and Fraud, addresses the evolution
of professional standards on fraud and IT and the impact of these standards on practice. The
impact of IT, internal controls, and fraud on small and midsized businesses is addressed.
Historically, the profession has increasingly recognized the need for practitioners to
enhance their IT and forensic skills when auditing financial statements. The demand for auditors
with these skills currently far outweighs the supply.
Chapter 2, Concepts of Internal Control over Financial Reporting, provides an overview of the
COSO and CoBIT control frameworks. The impact of IT on the COSO components of internal
controls is addressed in depth. Auditors of publicly held companies and members of
corporations who are involved with Sarbanes-Oxley Section 404 certifications of internal control
will benefit greatly from reading this chapter. Auditors of small and midsized entities will also
learn how COSO is applied in these types of environments.
Chapter 3, Financial Reporting and Fraud Controls in Small and Midsized IT Systems, should be
of interest to those involved with internal control in both public and private companies. Even
large companies are composed of many smaller units and the control aspects in this chapter are
important to this audience as well. General and application computer controls are addressed in
this chapter and related to a variety of IT environments including LANs, DBMS,
telecommunications, and end user computing. The CoBIT framework is addressed and an
appendix shows the relationships between AICPA control concepts, the CoBIT framework, and
the COSO components.
Chapter 4, Electronic Evidence and Evolution of E-Commerce, is important to both members of
management and control specialists who have e-commerce applications. There is an increasing
use of e-commerce over the Internet due to its being a cost-effective way to conduct business
transactions. An overview of e-commerce is provided in this section. Systems reliability
assurance and WebTrust services are addressed to provide the reader with knowledge of
CPA-provided services that enhance the integrity of electronic evidence and e-commerce. Also of
interest in this chapter is a discussion of the relative competencies of electronic evidence. This
discussion provides a conceptual framework of electronic evidence that can be applied to a
variety of environments.
Chapter 5, Business-to-Business E-Commerce, addresses controls and risk concerns associated
with those external IT areas that interface with the entity’s internal IT systems. Many businesses
conduct e-commerce and other financial transactions over a private network using EDI and
Service Organizations. These entities might also use a virtual private network over the Internet
using an Internet service provider. This chapter also addresses the types of service auditor’s
reports that are issued by auditors on service organizations.
Chapter 6, E-Commerce: Fraud Prevention, addresses the risks of fraud when businesses and
others use the Internet to conduct business transactions. The Internet is a
public network and, unlike private networks, it exposes businesses that use it to numerous
risks. This chapter addresses the risks associated with public networks and controls to
mitigate those risks. Encryption, digital signatures, firewalls, and certificate authorities are
highlighted as controls that help ensure the integrity of e-commerce transactions and provide
protection over sensitive data.
Chapter 7, IT and Forensic Auditing Procedures, addresses both traditional and emerging IT
methods to obtain evidence about financial statement assertions and suspicious fraudulent
activity. An emphasis is placed on the auditing of journal entries, since both AU Section 316
(previously indexed as SAS No. 99) and recent fraud cases show the importance of an intense
review of an entity’s journal entries by external and internal auditors.
Chapter 8, Current and Emerging Fraud and IT Topics, addresses how to employ fraud detection
techniques in an audit and/or forensic investigation. The role of the Internal Auditor in IT and in
the overall control framework is discussed at length. The Internal Auditor provides an ongoing
monitoring function in an entity and is seen as a valuable resource in preventing fraud. The
implications of AU Section 339 (previously indexed as SAS No. 103) and IT on audit
documentation are also discussed in addition to the AICPA’s Top Ten Technologies.
Chapter 1 - Information Technology, Internal Control, Audits, and Fraud
Learning Objectives
After reading this chapter you should be able to
• Understand the evolution of auditing standards on internal control.
• Understand the evolution of auditing standards related to information technology.
• Understand the evolution of fraud and error prevention and detection in IT systems.
Introduction
This course is directed towards managers, internal auditors, external auditors, and others
associated with internal Information Technology (IT) controls of small to midsized businesses.
Why should these individuals be interested in IT controls? Because the presence or absence of
IT controls in many types of IT systems can either enhance or diminish the reliability of the
financial reporting process. The benefits to businesses of producing accurate and reliable
financial statements with a high degree of credibility have historically been associated with
increased supplier and customer confidence in the continuity of the business, the ability to attract
and retain high quality personnel, and the opportunity to obtain capital in public financial
markets.
Why should small and midsized businesses now be focused on IT controls? Because many small
and midsized businesses have adopted systems that are predominately electronic in nature, and,
in many instances, the traditional paper trail in the entity’s subsystems has been eliminated.
Small and midsized businesses are now facing IT control issues that larger organizations have
had for the past forty years or so.
Early IT systems were so expensive that they could only be purchased by large organizations.
Some of the larger organizations achieved economies of scale by establishing service bureaus
and sharing computing resources. Professional societies and government organizations soon
established frameworks for IT controls over financial reporting for these larger organizations as
these organizations were subject to strict regulatory guidelines. Small and midsized
organizations did not adopt these standards as they either did not implement IT systems for
major subsystems or the IT systems that they did adopt left an extensive paper trail. External
auditors used an "audit around the computer" approach with these types of systems.
The conceptual frameworks for IT controls for large organizations were focused primarily on IT
systems that consisted of large mainframes that were physically secured from outsiders by the
use of strong physical controls. These systems also were logically secured from outsiders as they
were not connected to exterior networks. These systems were characterized by large amounts of
batch processing. Other characteristics of these systems for large organizations are addressed
later in this course, as many entities still have these types of IT systems. However, it must be
stressed that the early IT control framework over financial reporting for most of the last century
was based upon a large organization with in-house processing. This is not the case for many small
and midsized businesses that use local area networks that are connected by gateways to the
Internet. This is also not the case for other small businesses that are using a midsized computer
within their company that is not connected to the Internet but which, unlike the older mainframe
systems, is not batch-oriented and does not leave the traditional paper audit trail.
This course will address IT control frameworks for traditional, current, and emerging IT systems.
The objective of this course is to present as many variants of IT systems that exist in small and
midsized businesses and then address the controls that should enhance the reliability of financial
reporting in these different types of systems. Some small businesses might have a general ledger
system that is not integrated with major subsystems and requires journal entries to be made
manually and then entered into the system. Other entities could have an e-commerce application
that is integrated with the financial reporting process but have payroll outsourced to a third party
service provider. This course will address the major IT controls for a myriad of types of systems
that exist in small and midsized businesses.
This course will also address fraud concepts and fraud standards and how they relate to IT. It
will be shown that controls that aid in establishing a strong internal control system also help
mitigate fraud risk. Audit procedures and controls that aid in detecting and preventing fraud will
be addressed.
The objective of this chapter is to provide an introduction and overview of the major topics
addressed in this course. Additionally, an historical overview of internal control, IT controls,
and fraud standards will be presented to show how these topics have evolved to be some of the
most important topics to the profession today.