85 Cards in this Set
- Front
- Back
Key Components of Managing the Audit Function
|
1. Purpose, authority & responsibility s/b formalized (e.g. a “charter”)
2. Policies & procedures (“tailored”)
3. Quality assurance—(good mgmt., also std.)
4. Planning (risk key factor, others in govt.)
5. Staffing (selection, development, CPE’s)
6. Marketing the audit function (how?)
7. Mission, role/outcome in government |
|
Topics included in audit policies and procedures:
|
charter
code of ethics
standards to be followed
audit phases
details on personnel, administration |
|
Basic steps of an external quality, or peer, review.
|
review of over-all processes
in-depth review of selected audits
ends in written report |
|
Internal Audit Quality Assurance review requires what?
|
Supervision to:
assuring qualifications
instructing
reviewing working papers |
|
Audit Management's Overall Role in Planning
|
Setting up audit function
Authorizing appropriate resources
Establishing goals & functions
Selecting functional areas for audit
Audit work schedules
What areas to audit & when (budget)
IIA emphasizes risk-based planning
Role of risk assessment |
|
What is the purpose of written policies and procedures?
|
Help ensure consistent performance of audit function.
|
|
Inherent Risk (def)
|
Risk is inherent in any activity, regardless of existence or effectiveness of controls.
Inherent risk is uncertainty or exposure, assuming no controls are in place. Inherent risks are the possible adverse effects based solely on the type of activity, the type of resources, amount of assets or complexity of transactions. |
|
Control Risk (def)
|
Control risk is the extent of uncertainty remaining after the mitigating effects of the control system are in place.
The extent to which an organization has implemented controls to minimize the actual occurrence of risk determines the vulnerability to the risk actually occurring; this is the "control risk". |
|
The Risk Analysis Process Involves:
|
ID auditable activities
ID relevant risks
assess significance & likelihood
prioritize & manage risks |
|
Staffing Role of Audit Head
|
- Plan personnel needs, review recruiting & selection
- Includes administration, e.g., job descriptions, evaluation, corrective discipline, etc.
- Consider all skills needed
- Staff development, including training, continuing education
- Consider E & E, may be outsourced |
|
Three Types of Audit Customers
|
Primary - audit sponsors
Secondary - Use audit reports
Beneficiaries - general public |
|
Benefits of Government Auditing
|
accountability to public
assurance for oversight bodies
help government achieve goals
presence deters F, W, A |
|
Types of Audit Services
|
Governance, risk & control of general interest
Financial statement audits
Performance/Value-for-money audits (influence of performance initiatives)
Financial systems: audits and services
Information & technology: audits & Service
Consulting/assistance services (non-audit)
Integrity services (e.g., FWA) |
|
Explain Compliance Audits
|
1. Test conformance with a requirement
* law, contract, grant, policy, procedure
2. Attributes of effective compliance system
* requirements documented and communicated
* properly assigned & qualified personnel
3. Can be partially a performance audit |
|
Purpose of a Financial Statement Audit
|
To issue an opinion about whether an entity's financial statements are presented fairly in all material respects in conformity with an applicable financial reporting framework.
|
|
Types of Financial Statement Opinions
|
Unqualified
Qualified
Adverse
Disclaimer |
|
Unqualified Opinion (def)
|
Clean - no material misstatements
|
|
Qualified Opinion (def)
|
Fairly presented, except for identified items
|
|
Adverse Opinion (def)
|
Statements DO NOT fairly present
|
|
Disclaimer Opinion (def)
|
No opinion expressed
|
|
Two key ideas in financial statement audits
|
1. consideration of material line items and accounts in deciding the focus of the audit.
2. limiting or minimizing audit risk |
|
Five Management Assertions that are reviewed in Financial Statement Audits are
|
1. Existence/Occurrence – actually exists
2. Completeness – does not omit anything
3. Valuation – proper amounts
4. Rights & obligations—e.g., ownership
5. Presentation & disclosure—e.g., GAAP |
|
Two internal control weaknesses cited in financial statement audits
|
Significant deficiency
Material Weakness |
|
Significant Deficiency (def)
|
Less severe than a material weakness, yet important enough to merit attention by those charged with governance.
|
|
Material Weakness (def)
|
A significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.
|
|
Describe Performance Audits
|
1. Provide assurance or conclusions based on evaluation of “sufficient, appropriate”* evidence against criteria
2. Provide objective analysis for management, & those in governance and oversight
3. Can lead to improved programs, reduced costs, better accountability |
|
Ways Performance Auditors Assist Government Policymakers
|
1. Provide key information
2. Offer conclusions on E, E & E
3. Questions for oversight hearings
4. Evaluating new or proposed programs
5. Forecasting potential program results
6. Performing/assisting investigations |
|
GAGAS Definition of Economy and Efficiency Performance Audits
|
right resources, amount, time, costs
maximum output for lowest input (quality)
compliance with E & E laws, requirements |
|
GAGAS Definition of Program Performance Audits
|
achieving objectives, outputs, outcomes
compliance with mandated results |
|
INTOSAI's Definition of a Performance Audit
|
Concerned with economy, efficiency, and effectiveness.
|
|
The focus of process and controls based performance auditing
|
examining the adequacy of how things are done to achieve one or more aspects of performance.
Assess controls as the condition finding element |
|
The focus of measurement based performance auditing
|
measuring and assessing the adequacy of results being achieved for one or more aspects of performance
|
|
The focus of impact based performance auditing
|
evaluating the change attributable (at least in part) to an intervention (a new process, program, etc.)
Assess controls as possible cause finding element |
|
What is a targeted (narrow-scope) approach to performance auditing?
|
when audit objective targets a specific control weakness
|
|
What is a comprehensive approach to performance auditing?
|
when audit objective is to review how adequately the auditee performs a function, service, or activity
more elaborate approach, starting with a vulnerability assessment. |
|
Three types of attestations
|
1. Examination
2. Review
3. Agreed-upon Procedures |
|
Examination Attestation (def)
|
An opinion on all material respects
|
|
Review Attestation (def)
|
Essentially negative assurance, i.e. nothing came to the auditor's attention.
|
|
Agreed-Upon Procedures Attestation (def)
|
Specific procedures on a subject matter
|
|
Criteria for Effective Controls
|
1. Directiveness
2. Magnitude of exception
3. Method of Application
4. Follow-up |
|
What IT audits do (two kinds)
|
1. Evaluate the reliability of computerized information that supports reporting in financial, performance or other areas
2. Look at how effective controls are to reduce the potential for adverse consequences from fraud, errors, security breaches, and disasters. |
|
IT Issues of Concern for Auditors
|
1. Information & Process Integrity
2. Disaster Contingency Planning
3. Controls: General and Applications
* Input
* Processing
* Output
4. Systems Development Processes
5. Many other possibilities |
|
Three Useful IT References for Auditors
|
1. US GAO’s Federal Information Systems Control Manual (FISCAM)
2. IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance Control Professionals, ISACA
3. The IIA’s Global Technology Audit Guides (GTAGs) & Guide to Assessment of IT Risk (GAIT) |
|
Elements of Information and Process Integrity (According to COBIT Report)
|
Authorized
Accurate
Complete
Timely
Recorded, processed, & reported timely
Secure |
|
Elements of Information and Process Integrity
Authorized (def) |
An element of information, from a transaction to an entire system, is appropriately entered, developed, changed, or used with proper authority.
|
|
Elements of Information and Process Integrity
Accurate (def) |
The information and associated processes are correct and may be used as intended.
|
|
Elements of Information and Process Integrity
Complete (def) |
No required information is missing. Conversely, information is not duplicated. Rejected transactions are identified, controlled, and reentered as appropriate.
|
|
Elements of Information and Process Integrity
Timely (def) |
The work (e.g. transactions, processes) is promptly processed and customer service levels are maintained.
|
|
Elements of Information and Process Integrity
Recorded (def) |
Appropriate period and other cutoff dates are followed.
|
|
Elements of Information and Process Integrity
Secure (def) |
The information and processes are protected from unauthorized access, update, disclosure, or destruction.
|
|
Selection's Impact on Data Integrity
|
How much data to obtain, retain, and process.
|
|
Collection's impact on data integrity
|
Effectiveness of input controls
|
|
Classification's impact on data integrity
|
helps control risks associated with alteration and disclosure.
|
|
Reporting's impact on data integrity
|
Appropriate dissemination
|
|
Storing's impact on data integrity
|
securely store backup data
|
|
IT General Access Controls Auditors Should Be Concerned With
|
1. Administration
2. Computer Operations
3. Security Controls
4. Security Administration
5. System Programmers
6. Telecommunications Systems
7. Systems Software |
|
General Access Control - Administration Controls (def)
|
procedures necessary to ensure that resources are used efficiently and in accordance with management intentions.
|
|
General Access Control - Computer Operations (def)
|
Must ensure that processing meets specifications by requiring the logging of all actions initiated by computer operators and actions performed by computer software.
|
|
General Access Control - Security Administration (def)
|
Security over the computer facility, including all aspects of physical and data security.
|
|
General Access Control - System Programmers (def)
|
Control the operation of the computer system and are responsible for the efficient use of computer resources.
|
|
General Access Control - Telecommunications Systems (def)
|
Control the transmission of messages between users and the computer.
|
|
General Access Control - Systems Software (def)
|
Programs and routines that control computer processing.
|
|
Three Types of IT Application Access Controls
|
Input
Processing
Output |
|
Input Controls (def)
|
Accuracy and completeness of data entered into an application.
|
|
Examples of Edit Controls
|
Field Test, Validity, Reasonableness, completeness checks, check digit tests, and transaction logs.
|
|
Processing Controls (def)
|
Concerned with the proper processing of data entered into an application. Examples - record counts, header/footer info, echo checks.
|
|
Output Controls (def)
|
Concerned with the verification and proper distribution of computer output.
|
|
Three examples of controls over Systems Development
|
1. Appropriate standards, policies, and procedures to control systems and programming functions
2. Standards to assure proper authorization, testing, review, documentation, implementation, & approval
3. User & management participation |
|
Categories of Integrity Violations
|
Fraud
Noncompliance
Waste
Irregularities
Abuse (may be hard to define) |
|
Auditors Involvement in Fraud, Waste, and Abuse
|
* Auditors have key role
* Must consider possible integrity issues in planning audits, but not guaranteed
* Significance includes $$$ and public perception
* If possibilities exist, more audit steps may be required. |
|
Documenting Evidence in Integrity Audits
|
- Sufficient, competent, reliable evidence even more important than in other engagements
- Awareness that management could be involved
- Know proper techniques for obtaining, documenting & securing evidence |
|
Factors to Consider when Choosing Performance Audit Subjects
|
Risk
Significance/materiality
Oversight body interest
Public interest
Statutes & requests
Past problems still uncorrected
Time since last audit |
|
Objectives (def)
|
what the audit is to accomplish
|
|
Audit Scope (def)
|
time period, locations, people, need for expertise, & other considerations
|
|
Audit Methodology (def)
|
work in data gathering and analysis (e.g., use of sampling)
|
|
Well Stated Objectives Identify:
|
- subject (organization, program, activity, function)
- performance aspect(s) to be audited
- potential finding and reporting elements to be pursued |
|
Categories of Risk and Control Assessment
|
Preventative
Detective
Corrective
Directive |
|
Categories of Evidence
|
Primary or direct (I saw)
Secondary (I was told)
Corroborative (supporting) |
|
Classifications of Evidence
|
Documentary
Analytical
Testimonial
Physical |
|
Qualities of Evidence
|
Sufficiency
Relevancy
Appropriateness
Reasonableness and Usefulness |
|
Elements of A Finding
|
Condition (what is)
Criteria (what should be)
Cause (why)
Effect (so what) |
|
Role of Working Papers
|
support report
manage audit progress
quality reviews |
|
Ways to test validity of evidence
|
Corroborate evidence – with another source
Verify evidence – to its source
Validate evidence – with objective reality
Obtain additional evidence |
|
Type of finding that has only the condition element
|
Descriptive
|
|
Type of finding that has only the condition and criteria elements
|
Normative
|