Internal Audit and Board Responsibilities

Questions and Answers

What is the primary responsibility of the Internal Audit (IA) function within an organization?

  • Developing new IT systems and applications.
  • Managing the organization's cybersecurity defenses.
  • Creating financial reports for external stakeholders.
  • Ensuring management-authorized controls are effectively implemented. (correct)

To whom does the Chief Audit Executive (CAE) typically report?

  • Directly to the Audit Committee and the Chief Executive Officer (CEO). (correct)
  • Only to the Audit Committee of the Board of Directors.
  • To the Chief Financial Officer (CFO).
  • Only to the Chief Executive Officer (CEO).

Which task is typically the responsibility of the Audit Committee of the Board of Directors?

  • Overseeing day-to-day IT operations.
  • Approving the compensation of the Chief Audit Executive (CAE). (correct)
  • Handling employee grievances related to IT policies.
  • Conducting routine security audits of IT infrastructure.

What is a key function of the Audit Committee in relation to the internal audit plan?

To understand, discuss, and approve the company’s risk assessment and internal audit plan results. (B)

What is the purpose of holding executive sessions with the company's chief audit executive?

To foster open and honest communication between the audit committee and the CAE. (D)

Which activity falls under the purview of the audit committee?

Designing and providing control, governance, and ethics training to employees. (B)

What is a key aspect of the external auditor's role?

Evaluating the reliability and validity of systems controls in all forms. (A)

Which action falls under the purview of the Audit Committee of the Board of Directors regarding Internal Audit (IA)?

Directing IA to perform special reviews, including fraud investigations. (D)

What is the primary goal of evaluating internal controls in the context of financial statement audits?

To minimize the amount of substantial auditing or testing of transactions needed to form an opinion. (A)

Which of the following is primarily responsible for assessing the reliability of a client's IT systems during an audit?

External auditors with specialized IT audit skills and experience. (A)

What is the 'attest function' primarily concerned with in the context of external audits?

Rendering an audit opinion on the fairness of the financial statements. (C)

Which factor contributed to the initial rise and importance of IT auditing?

Auditors recognizing the impact of computers on their ability to perform the attestation function. (A)

Why does corporate management emphasize the need for control and auditability of computer systems?

To manage computers as key resources for competition, similar to other valuable assets. (B)

What is a key role of an IT auditor in an advisory capacity?

Developing policies and procedures for safeguarding information and ensuring auditability. (B)

For an IT auditor to effectively perform their role, what combination of expertise is essential?

Familiarity with the audit attest function combined with substantial IT audit experience. (A)

What is the primary reason that IT auditing became an integral part of the overall audit function?

To support the auditor’s judgment on the quality of information processed by computer systems. (A)

When an entity extensively uses IT in accounting estimates, which controls are LEAST likely to be identified under the control activities component?

Physical security controls over tangible assets. (B)

What is a critical risk addressed by controls when diverse IT applications process complex transactions and lack automated interfaces?

The risk of inconsistencies and errors due to the absence of automated reconciliation processes. (D)

Which aspect of models used in accounting estimates should be periodically evaluated, according to the content?

The design and calibration of the models. (B)

What is the primary concern related to data extraction for accounting estimates from an entity’s records or external sources?

Ensuring the complete and accurate extraction of the data. (C)

When using external information sources for accounting estimates, what specific data-related risks should be addressed?

Risks related to processing or recording the data from the external source. (D)

What control objective is MOST important regarding access, change, and maintenance of individual models used in accounting estimates?

Maintaining a strong audit trail of accredited model versions. (A)

What is the primary control objective when transferring information relating to accounting estimates into the general ledger?

Ensuring appropriate controls exist over journal entries. (A)

Why is understanding an entity's IT environment relevant to the information system important for an auditor?

To identify risks arising from the entity's use of IT. (A)

What is the central focus when an auditor seeks to understand an entity's utilization of Information Technology (IT)?

Identifying and understanding the specific IT applications and other aspects of the IT environment relevant to the flows of transactions. (D)

How might changes in the flow of transactions or information within an information system occur?

Through program changes to IT applications or direct changes to data in databases involved in processing or storing those transactions or information. (A)

What is the definition of Business Ethics?

The principles of conduct individuals use in making choices and guiding their behavior in situations that involve the concepts of right and wrong. (A)

Which of the following best describes the scope of computer ethics?

The analysis of the nature and social impact of computer technology and the corresponding formulation of policies for the ethical use of such technology. (A)

What is the definition of employee fraud?

The performance of fraud by nonmanagement employees, generally designed to directly convert cash or other assets to the employee’s personal benefit. (D)

What typically motivates management fraud?

To inflate earnings or forestall the recognition of either insolvency or a decline in earnings. (B)

What is a key characteristic of fraud?

It is the false representation of a material fact made by one party to another party, with the intent to deceive. (D)

When may an auditor identify IT applications and supporting IT infrastructure?

Concurrently with the auditor’s understanding of how information relating to significant classes of transactions (B)

What is the primary goal of placing a strong emphasis on fraud prevention and deterrence?

To reduce opportunities for fraud and dissuade individuals from committing fraud. (C)

Which action exemplifies oversight by those charged with governance in the context of financial reporting?

Considering the possibility of management overriding controls to manipulate financial results. (A)

According to ISAs, what level of assurance does an auditor provide regarding material misstatements in financial statements?

Reasonable assurance that the financial statements are free from material misstatement. (D)

Why is the risk of not detecting material misstatements due to fraud higher than that of errors?

Fraud often involves deliberate concealment through sophisticated schemes. (C)

Which factor most significantly impairs an auditor's ability to detect fraud?

Collusion among multiple individuals to conceal the fraud. (B)

Which of the following actions taken by management demonstrates a commitment to creating a culture of honesty and ethical behavior?

Establishing a confidential ethics hotline for employees to report suspected wrongdoing. (A)

When performing an audit, what should an auditor do to detect and prevent earnings management?

Consider the qualitative aspects of the entity's accounting practices and potential management bias. (D)

Even with a properly planned and executed audit in accordance with ISAs, why is there an unavoidable risk of not detecting some material misstatements?

Audits inherently rely on selective testing and professional judgment. (D)

Why do auditors typically adopt a risk-based approach during an audit?

To minimize the risk of providing an inappropriate audit opinion while efficiently focusing on areas with higher potential for material misstatement. (A)

What is the potential consequence of ineffective IT audit risk management?

Significant financial losses, reputational damage, legal consequences, or regulatory non-compliance. (B)

Which of the following best describes the purpose of an internal control system?

To safeguard assets, ensure reliable accounting records, promote efficiency, and measure compliance with established policies. (A)

According to the content provided, who bears the primary responsibility for establishing and maintaining a system of internal control?

Management (A)

What level of assurance is provided by an effective internal control system?

Reasonable assurance that the objectives of internal control are met in a cost-effective manner. (C)

An internal control designed to reduce the frequency of undesirable events is referred to as which type of control?

Preventive control (D)

What should auditors focus on when utilizing a risk-based approach?

Key risks (significant risks) where errors are likely to cause material misstatement. (B)

What is a characteristic of 'preventive controls'?

They are designed to reduce the frequency of undesirable events. (D)

Flashcards

Internal Audit (IA) Function

Ensures that management-approved controls are effectively applied and monitored.

Chief Audit Executive (CAE)

Leads the IA department and reports to both the Audit Committee and CEO.

Audit Committee Responsibilities

Oversees the internal audit function, including approvals and evaluations.

Risk Assessment

The process of identifying and evaluating risks to the organization.

Internal Audit Plan

A documented plan outlining audit activities and frequency for the organization.

Executive Sessions

Private meetings between the audit committee and the CAE for strategic discussions.

Funding for Internal Audit

Evaluation of the budget necessary for the internal audit function's operations.

External Audit

Evaluates the reliability and validity of systems controls in all forms.

Purpose of External Auditors

To minimize the substantial testing of transactions for financial opinions.

The Big Four

The four largest public accounting firms: Deloitte, Ernst & Young, PricewaterhouseCoopers, and KPMG.

External Auditor Responsibilities

Testing the reliability of client IT systems and understanding audit attest functions.

Attest Function

Activities associated with rendering an audit opinion on financial statements' fairness.

Need for IT Audit

Evolved from traditional auditing to control computer-based processes.

Impact of Computers on Auditing

Computers influence auditors' ability to attest to financial statements.

Roles of IT Auditors

Acting as counselors in organizations to improve policies and standards for information security.

Integration of IT Auditing

IT auditing supports auditors' judgment on computer-processed information quality.

General IT Controls

Controls that manage the overall IT environment to ensure data integrity and reliability.

Information Processing Controls

Specific controls for ensuring accurate processing of transactions and data.

Risk of Data Processing

Potential issues that arise from IT's capability to handle data.

Reconciliations

Regular checks to ensure consistency between different IT application systems.

Model Calibration

Regular evaluation of the design and function of financial models used in accounting.

Data Extraction Accuracy

Ensuring complete and accurate retrieval of data from records or external sources.

Audit Trail

A record of who accessed or changed financial models and when.

Control over Journal Entries

Rules governing the transfer of accounting estimates into the general ledger.

IT Environment

The setting involving IT applications and infrastructure relevant to transactions and information processing.

Changes in Transaction Flow

Modifications in how transactions and information are processed due to IT system updates.

Business Ethics

Principles guiding individual choices in situations of right and wrong.

Computer Ethics

Analysis of the impact of computer technology and policies for its ethical use.

Fraud

False representation of a material fact to deceive another party.

Employee Fraud

Fraud committed by non-management employees to benefit personally from assets.

Management Fraud

Fraudulent practices by management to inflate earnings or hide financial issues.

Internal Controls

Processes to ensure the integrity of financial and accounting information.

Fraud Prevention

Strategies to reduce opportunities for fraud.

Fraud Deterrence

Measures to discourage potential fraudsters through detection likelihood.

Culture of Honesty

An organizational environment promoting ethical behavior.

Oversight by Governance

Supervision by governing bodies to ensure ethical financial practices.

Material Misstatement

Errors or fraud in financial statements that impact decisions.

ISA 200

International auditing standard addressing inherent limitations in audits.

Detecting Fraud Risk

Challenges auditors face in identifying fraudulent activities.

Collusion

Secret cooperation between individuals to commit fraud.

Risk-Based Approach in Auditing

A method focusing on significant risks to minimize audit misstatements.

Statement of Comprehensive Income

A financial report detailing an entity's revenues and expenses.

Key Risks in Auditing

Significant risks where errors are likely to lead to misstatements.

IT Audit Risks

Potential negative events affecting an organization's IT systems.

Internal Control System

Policies designed to safeguard assets and ensure accurate records.

Management Responsibility

Management's duty to establish and maintain internal controls.

Reasonable Assurance in Internal Controls

A guarantee that control systems meet objectives effectively.

Preventive Controls

Techniques aimed at reducing the occurrence of undesirable events.

Study Notes

Module I - Introduction to IT Auditing, Fraud, and Internal Controls

  • Learning Objectives: Define basic auditing and IT terms; explain basic concepts and procedures; differentiate attest and advisory services related to information systems; discuss internal controls; describe the relationship among general controls, application controls, and financial data integrity; identify business ethics issues; describe fraudulent behavior; discuss fraud schemes; explain the forces that motivate fraud; and explore fraud detection techniques.

The IT Environment and Basic Concepts

  • IT Environment: Refers to the infrastructure, hardware, software, and systems a business uses in its daily IT operations.
  • Components:
    • Hardware: Physical components like monitors, CPUs, keyboards, mice, personal computers, servers, and data centers.
    • Software: Instructions that enable hardware to perform tasks, including web servers & applications.
    • Networking: Interconnected computing devices that exchange data/share resources (e.g., routers, switches, hubs, firewalls, cables).
  • Importance: Organizations must integrate IT with their business strategies to achieve objectives, obtain value from information, capitalize on available technology, address IT governance, security and privacy, and ensure control of public and organizational information.
  • Organization Strategies: IT was once viewed as an enabler of an organization's strategy and is now regarded as an integral part of that strategy in terms of profitability and service.

The Auditing Profession

  • Financial Auditing: Examines financial statements to determine if they're fair. Scope encompasses equipment/procedures used in processing significant data.
  • IT Auditing: Formal, objective examination of an organization's IT infrastructure. Focuses on verifying whether activities (procedures, controls) involved in data gathering, processing, storing, and distribution comply with guidelines, protect assets, maintain data integrity, and operate efficiently, to achieve organizational goals. Provides reasonable but not absolute assurance of accuracy/completeness of application-generated information.

Types of Audit Functions

  • Internal Audit (IA): An independent, objective assurance and consulting activity. Improves operations, risk management, and governance. Plays a critical role in IT audits. Monitors IT activities (controls).
  • External Audit: Evaluates systems controls, minimizes substantial auditing, and renders an opinion on the financial statements and on the reliability of IT systems. Requires specialized experience and knowledge. The "Big Four" accounting firms often perform these audits.

Roles and Responsibilities of Audit Committees

  • Audit Committees are responsible for approving audit charters, evaluating the internal audit function, setting compensation for the Chief Audit Executive (CAE), reviewing ongoing activities of the internal audit function, and providing a mechanism for escalation of findings. They also play a key role in control, governance, and ethics training.

Information Systems (IS) vs. Information Technology (IT)

  • Information Systems (IS): The formal procedures for gathering data, processing it into information, and distributing it to users.
  • Information Technology (IT): Involves integrating hardware, software, networking, or other facilities to support/manage data.

Information Systems Audit and Control Association (ISACA)

  • An international professional association focused on IT governance. Offers certifications like the Certified Information Systems Auditor (CISA).

International Standard on Auditing (ISA) 315

  • IT in Accounting Estimates: Management's use of IT in making accounting estimates affects the design and implementation of IT controls.
  • Risks: IT applications/environments may cause risks affecting the capability to process large data volumes, complex calculations, and the accuracy/extraction of data from systems and external sources.
  • Significant Issues: Access, changing, and maintaining data models, transferring data accurately, and controls over journal entries for accounting estimates.

Business Ethics, Fraud and Internal Controls

  • Ethics: Principles that guide behavior in situations involving right and wrong conduct.
  • Computer Ethics: Analysis of the nature and social impact of computer technology, and the formulation of policies for its ethical use.
  • Fraud: False representation of a material fact to induce reliance for personal benefit.
  • Types of Fraud:
    • Employee Fraud: Non-management employees directly misappropriating assets.
    • Management Fraud: Deceptive practices to inflate earnings/conceal insolvency.

The Fraud Triangle

  • Incentive: Motivation for committing fraud.
  • Opportunity: Presence of conditions that facilitate fraud.
  • Rationalization: Actions rationalized to justify fraud.

Concepts of Computer Fraud

  • Computer Fraud: Theft, misuse, or misappropriation of assets, altering computer-readable records, illegally using computer-readable information, and intentional destruction of computer resources.
  • Computer Crime: Illegal acts using computers.
  • Examples involving computer fraud/crime include phishing, altering electronic data, spreading misinformation, unauthorized computer usage and botnet crimes.

Roles of an IT Auditor

  • Counselor (Advisory): Assists organizations in developing policies, procedures, and standards for safeguarding information assets.
  • IT Auditor (Part of Senior Management): Provides independent assessments of the impact of IT decisions; evaluates solutions, alternatives, and needs; and verifies that all risks have been assessed accurately, business requirements are met, and costs are reasonable.
  • Investigator: A specialist role in the field of computer forensics that helps the organization understand specific system- or network-related issues quickly.

Other Forms of Computer Crimes

  • Business Email Compromise (BEC): Sophisticated scams targeting businesses.
  • Ransomware: Malware that encrypts data.
  • Tech Support Fraud: Fraudulent technical support claims.
  • E-mail/Government Impersonation: Posing as government officials for theft of information.
  • Intimidation/Extortion: Gaining assets and data using threats.
  • Confidence/Romance Frauds: Scams that seek partnerships or friendships through online resources.

Responsibility for Fraud Prevention and Detection (ISA)

  • Primary Responsibility: Rests with both those charged with governance and entity management, who must place a strong emphasis on fraud prevention and create a culture of honesty and ethical behavior.

Anti-Fraud Detection Techniques

  • Traditional Methods: Rule-based systems, manual reviews. Inefficient/slow with evolving fraud. Generate many false alerts.
  • Modern Methods: AI, machine learning, predictive analytics, and data modeling. More adaptable; detect anomalies in real-time.

Audit Risk

  • Definition: The risk that the auditor expresses an inappropriate audit opinion when financial statements contain material misstatements.
  • Material Misstatement/Detection Risk: Audit risk is a function of the risk of material misstatement and detection risk.
  • Importance: Auditors can't check every transaction. Hence the importance of the risk-based approach.

Risks Applicable to IT Audits

  • IT System Risks: Probability of negative events, financial losses, and reputational damage. They arise from internal control weaknesses and from inadequate or insufficient security measures and disaster recovery plans.

Concepts of Internal Controls

  • Internal Control System (ICS): Policies a firm employs to safeguard assets, ensure accurate records, and promote efficiency.
  • Objectives: Ensure accurate accounting, safeguard assets, promote efficiency, and measure compliance with policies.
  • Modifying Assumptions: Management is responsible for establishing and maintaining the internal control system. The system provides reasonable assurance that the four broad objectives of internal control (above) are met cost-effectively.

Types of IT Controls

  • General Controls (ITGC): Controls over the IT infrastructure, systems, and applications (e.g., security, change management, and business continuity).
  • Application Controls: Specific to a particular application. Verify the accuracy, completeness, and validity of transaction processing.

IT Entity-Level Controls

  • Impact: Broad impact on the entire IT environment (not limited to a specific application).
  • Management Oversight: Controls driven by management, setting standards.
  • Components: Affect the entire control environment, risk assessment, control activities, information & communication, and monitoring (COSO framework).
  • Examples: Access controls, change management, data backup & recovery, incident response plans, IT governance frameworks, etc.
