Attest services involve auditors providing an independent opinion on the reliability of a client's financial statements. Auditors must maintain independence and follow standards of field work, which include adequately planning the audit, understanding internal controls, and obtaining sufficient evidence. The audit process assesses audit risk, which is the risk of an unqualified opinion being issued on materially misstated financial statements. Audit risk has three components - inherent, control, and detection risk.
Attest services involve auditors providing an independent opinion on the reliability of a client's financial statements. Auditors must maintain independence and follow standards of field work, which include adequately planning the audit, understanding internal controls, and obtaining sufficient evidence. The audit process assesses audit risk, which is the risk of an unqualified opinion being issued on materially misstated financial statements. Audit risk has three components - inherent, control, and detection risk.
Attest services involve auditors providing an independent opinion on the reliability of a client's financial statements. Auditors must maintain independence and follow standards of field work, which include adequately planning the audit, understanding internal controls, and obtaining sufficient evidence. The audit process assesses audit risk, which is the risk of an unqualified opinion being issued on materially misstated financial statements. Audit risk has three components - inherent, control, and detection risk.
Attest service, is performed by Certified Public Accountants
(CPA) who work for public accounting firms that are independent of the client organization being audited. - an engagement in which a practitioner is engaged to issue, or does issue, a written communication that expresses a conclusion about the reliability of a written assertion that is the responsibility of another party. Independence - Throughout the audit process, the auditor must maintain independence from the client organization. Public confidence in the reliability of the companys internally produced financial statements rests directly on an evaluation of them by an independent auditor. Sarbanes-Oxley [SOX] Act of 2002 Advisory services are professional services offered by public accounting firms to improve their client organizations operational efficiency and effectiveness. Internal auditing as an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. First SAS (SAS 1) was issued by the AICPA in 1972. General Standards 1. The auditor must have adequate technical training and proficiency. 2. The auditor must have independence of mental attitude. 3. The auditor must exercise due professional care in the performance of the audit and the preparation of the report. Standards of Field Work 1. Audit work must be adequately planned. 2. The auditor must gain a sufficient understanding of the internal control structure.
3. The auditor must obtain sufficient, competent evidence.
Reporting Standards 1. The auditor must state in the report whether financial statements were prepared in accordance with generally accepted accounting principles. 2. The report must identify those circumstances in which generally accepted accounting principles were not applied. 3. The report must identify any items that do not have adequate informative disclosures. 4. The report shall contain an expression of the auditors opinion on the financial statements as a whole. Management Assertions 1. The existence or occurrence assertion affirms that all assets and equities contained in the balance sheet exist and that all transactions in the income statement actually occurred. 2. The completeness assertion declares that no material assets, equities, or transactions have been omitted from the financial statements. 3. The rights and obligations assertion maintains that assets appearing on the balance sheet are owned by the entity and that the liabilities reported are obligations. 4. The valuation or allocation assertion states that assets and equities are valued in accordance with GAAP and that allocated amounts such as depreciation expense are calculated on a systematic and rational basis. 5. The presentation and disclosure assertion alleges that financial statement items are correctly classified (e.g., long-term liabilities will not mature within one year) and that footnote disclosures are adequate to avoid misleading the users of financial statements. Audit risk is the probability that the auditor will render an unqualified (clean) opinion on financial statements that are, in fact, materially misstated. Audit Risk Components These are inherent risk, control risk, and detection risk.
Inherent risk is associated with the unique characteristics of the
business or industry of the client. Control risk is the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errors in the accounts. Detection risk is the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the auditor. The Structure of an IT Audit Audit Planning Tests of Controls - The objective of the tests of controls phase is to determine whether adequate internal controls are in place and functioning properly. Substantive Testing - This phase involves a detailed investigation of specific account balances and transactions INTERNAL CONTROL OBJECTIVES 1. To safeguard assets of the firm. 2. To ensure the accuracy and reliability of accounting records and information. 3. To promote efficiency in the firms operations. 4. To measure compliance with managements prescribed policies and procedures INTERNAL CONTROL PRINCIPLES Management Responsibility Methods of Data Processing Limitations (1) the possibility of error (2) circumvention (3) management override (4) changing conditions Reasonable Assurance - This reasonableness means that the cost of achieving improved control should not outweigh its benefits. PDC Control Model
Preventive Controls - passive techniques designed to reduce the
frequency of occurrence of undesirable events. Detective Controls - devices, techniques, and procedures designed to identify and expose undesirable events that elude preventive controls. Corrective Controls - fix the problem Coso Internal Control Framework Five components: the control environment, risk assessment, information and communication, monitoring, and control activities. The Control Environment Control environment is the foundation for the other four control components. The control environment sets the tone for the organization and influences the control awareness of its management and employees. Risk Assessment Organizations must perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting. Information and Communication The accounting information system consists of the records and methods used to initiate, identify, analyze, classify, and record the organizations transactions and to account for the related assets and liabilities. The quality of information that the accounting information system generates impacts managements ability to take actions and make decisions in connection with the organizations operations and to prepare reliable financial statements. Monitoring Monitoring The process by which the quality of internal control design and operation can be assessed. Control Activities Policies and procedures used to ensure that appropriate actions are taken to deal with the organizations identified risks. Control
activities can be grouped into two distinct categories: physical
controls and information technology (IT) controls. Physical Controls - This class of controls relates primarily to the human activities employed in accounting systems. These activities may be purely manual, such as the physical custody of assets, or they may involve the physical use of computers to record transactions or update accounts. Six categories of physical control activities: transaction authorization, segregation of duties, supervision, accounting records, access control, and independent verification. Transaction Authorization The purpose of transaction authorization is to ensure that all material transactions processed by the information system are valid and in accordance with managements objectives. Segregation of Duties Objective 1. The segregation of duties should be such that the authorization for a transaction is separate from the processing of the transaction. Objective 2. Responsibility for asset custody should be separate from the recordkeeping responsibility. Objective 3. The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities. Supervision Accounting Records The accounting records of an organization consist of source documents, journals, and ledgers. Access Control The purpose of access controls is to ensure that only authorized personnel have access to the firms assets. Independent Verification Verification procedures are independent checks of the accounting system to identify errors and misrepresentations.