A systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users.
Examines the reliability and integrity of accounting records (both financial and operating information) and correlates with the first of the five scope standards.
Information Systems or Internal Control Audit
Reviews the controls of an AIS to assess its compliance with internal control policies and procedures and its effectiveness in safeguarding assets. Its scope roughly corresponds to the IIA's second and third standards.
Operational or Management Audit
Is concerned with the economical and efficient use of resources and the accomplishment of established goals and objectives. Its scope corresponds to the fourth and fifth standards.
Is the susceptibility to material risk in the absence of controls. Example: a system that employs online processing, networks, database software, telecommunications and other forms of advanced technology has more inherent risk than a batch processing system.
Is the risk that a material misstatement will get through the internal control structure and into the financial statements. A company with weak internal controls has a higher control risk than one with strong controls. Can be determined by reviewing the control environment, testing internal controls and considering control weaknesses identified in prior audits and evaluating how they have been rectified.
Is the risk that auditors and their audit procedures will not detect a material error or misstatement.
What is and is not important in a given set of circumstances is primarily a matter of judgment.
Evaluating the control procedures by reviewing system documentation and interviewing appropriate personnel to determine if the necessary procedures are in place.
Test of Controls
Are conducted to determine if the procedures are satisfactorily followed. Examples are tests such as observing system operations, inspecting documents, records, and reports, checking samples of system inputs and outputs and tracing transactions through the system.
Uses a verified copy of the source code to detect changes in programs. The auditor uses the program to preprocess data and compare that output with the company's output.
Concurrent Audit Techniques
To continually monitor the system and collect audit evidence while live data are processed during regular operating hours.
Examines the way transactions are processed. Selected transactions are marked with a special code that triggers the snapshot process. Audit modules in the program record these transactions and their master file records before and after processing.
System Control Audit Review File (SCARF)
Uses embedded audit modules to continuously monitor transaction activity and collect data on transactions with special audit significance.
Data recorded in a SCARF file include those transactions exceeding a specified dollar limit, involving inactive accounts, deviating from company policy, or containing write-downs of asset values.
Are audit routines that flag suspicious transactions. Example: internal auditors at State Farm Insurance determined that their policyholder system was vulnerable to fraud every time a policyholder changed his or her name or address and subsequently withdrew funds from the policy. It designed audit hooks to tag records with a name or address change.
When audit hooks are used, auditors can be informed of questionable transactions as they occur.
Continuous and Intermittent Simulation (CIS)
Embeds an audit module in a database management system (DBMS). Examines all transactions that update the database using criteria similar to those of SCARF.
Automated Flowcharting Programs
Interpret program source code and generate a corresponding program flowchart
Search a program for occurrences of a specified variable name or other character combination
Identify unexecuted program code. This software could have uncovered the program code that an unscrupulous programmer inserted to erase all computer files when he was terminated.
Sequentially prints all application program steps executed during a program run. List is intermingled with regular output so auditors can observe the precise sequence of events that unfold during the program execution.
Input Controls Matrix
Documents the review of source data controls. The matrix shows the control procedures applied to each field of an input record.