International Auditing Standards - Assignment Example

Running Head: International Auditing Standards International Auditing Standards 400, 401 and 402 International Standards on Auditing (ISA) 400 Description of the ISA ISA 400, Risk Assessments and Internal Control, provides guidance in the understanding of the "accounting and internal control systems and on audit risk and its components: inherent risk, control risk and detection risk" (ISA 400, par. 4). The main purpose of this is not to assess the effectiveness of the internal control system but to understand those procedures and controls that may impact the "nature, timing and extent of substantive procedures" (ISA 400, par. 9). The ISA stated that the auditor needs to obtain an understanding of those accounting and internal control systems that are "relevant to the financial statements assertions" (ISA par. 9) as these are the ones that will enable the auditor to determine which accounts in the financial statements may be materially misstated; what are the factors that has an effect on the risk of material misstatements and what audit procedures are appropriate to address the risk of material misstatements. ISA 400 provided a description of internal control and the types of internal controls, as well as the factors and procedures included in each type. Effect on the Work of the Auditor One of management's responsibilities is to ensure that there are adequate internal controls implemented in an entity. What is required of the auditor is to have a "sufficient understanding of the internal control" as such an understanding will mean a more efficient and effective audit planning and audit approach". According to Ricchiute (2003), in actual application, to obtain such an understanding, the auditor will need to perform the following: (1) perform a preliminary review of the internal control system through the "review of prior-year audit working papers", inquiries of management and personnel and observations; (2) document the internal controls found in the system and identify transaction cycles, either through a flowchart or a "narrative memorandum"; (3) perform a walk-through of a sample transaction; and, (4) identify controls that will reduce to an acceptable or low level the risk of material misstatements (Ricchiute, 2003, p. 214 - 220). In number 4, the auditor may opt to perform only a walkthrough of a transaction or a walkthrough of the transactions and the related controls and test of controls. The choice depends on the auditor's assessment of control risk. If the assessment is high, the auditor will just do a walkthrough of a sample transaction and go directly to substantive testing. If the assessment is low, the auditor will have to perform a more detailed walkthrough, not only of the transaction but also of the related controls, and test the controls the auditor thinks will support the lower risk assessment. The understanding of the internal control system and the subsequent walkthrough or testing is critical to the external auditor since this will dictate the substantive audit procedures that will be done subsequently. This is because a lower level of control risk assessment will decrease the level of detection risk of an auditor. This generally means less extensive and persuasive substantive audit procedures that could be done during the interim rather than during the year-end, resulting to earlier completion of the audit work (Ricchiute, 2003, p. 232). What about fraud concerns, as these is one of the purposes for setting up the internal control system, in the first place' An external auditor's procedures "cannot be expected to detect immaterial frauds". If a fraudulent transaction or event results to a material misstatement in the financial statements, the external auditor's audit procedures may discover the fraud incident. However, "there is certainly no guarantee of detection" as the "perpetrator(s) may go to extensive lengths to deceive the auditor and hide the defalcation" (Tedd). Lastly, one of the concerns regarding ISA 400 (and the other auditing standards) is that this may not apply or may be too tedious to apply for small and medium entities. This concern was recognized by the International Auditing and Assurance Standards Board or IAASB when it issued International Auditing Practice Statement (IAPS) 1005, The Special Considerations in the Audit of Small Entities. IAPS 1005 noted that small entities may not have sophisticated internal controls system, however, there is still "some degree of segregation of duties or other form of unsophisticated but effective internal controls" (IAPS 1005, par. 15). Thus, an auditor is still required to obtain an understanding of the small entities' internal control system. International Standards on Auditing (ISA) 401 Description of the ISA ISA 401, Auditing in a Computer Information Systems Environment, gives guidelines that should be followed by an auditor when auditing a "computer information systems (CIS) environment" (ISA 401, par. 1). According to ISA 401, there is a CIS environment when a computer, regardless of type or size, is being used in the "processing ' of financial information" (ISA 401, par. 1) which is relevant and important for the audit. This is true even if the computer is operated by another person or entity not related to the company being audited. This standard was put into place in consideration of those entities that have incorporated the computer in their accounting system. Although the "over-all objectives and scope of an audit has not change in a CIS environment, it has change the manner in which the entity process, store and communicate financial information and, thus, this may have an effect the "accounting and internal control systems employed by the entity" (ISA 401, par. 3). Effect on the Work of the Auditor The rapid changes and development that has taken place in the information technology (IT) system of various entities have a very material impact in the audit planning and procedures done by external auditors. According to James Hall and Tommie Singleton (2005): IT has resulted to the "reengineering of traditional businesses processes" to achieve more efficiency in the operations of an entity. The changes, however, have resulted to the need for new internal controls as they have created the necessity for "new techniques for evaluating controls and for assuring the security and accuracy of corporate data and the information systems that product it" (Hall, Singleton, 2005, p. 2). For the independent auditors, the entity's increasing use of information technology resulted to the need to obtain an understanding of the type and kind of technology used by the client-entity. According to David Ricchiute (2003), this is "partly to plan and execute the audit and partly to know when to engage specialists" (Ricchiute, 2003, p. 211) if and when the auditor assesses that there is a need to engage one. As mentioned in the previous page, auditing an IT environment has the same audit objectives as an audit of a manual system. However, there are basic differences and additions to the audit steps when an auditor is auditing an IT environment. Some of these differences can be found in the planning and understanding phase of the audit. In the audit planning phase, there are four additional steps in incorporating the considerations of the IT environment in the audit plan. According to Rehage, Hunt & Nikitin (2008), the auditor needs to: (1) "understand how existing business operations and IT service functions support the organization"; (2) "define the IT universe", (3) "perform the risk assessment" based on the results of steps 1 and 2 and (4) formalizing the audit plan, incorporating what the auditor has gleaned from understanding the IT environment of the entity (Rehage, Hunt & Nikitin, 2008, p. 2). Another difference between the audit of the IT environment and the audit of a manual system is the computer-assisted test of controls for fully automated computer systems or the computer-assisted audit techniques (CAATS), which is only applicable for the audit of IT environment. These CAATS will assist the auditor in testing those controls that are "internal to the computer and therefore not directly attributable" (Ricchiute, 2003, p. 223). International Standards on Auditing (ISA) 402 Description of the ISA ISA 402, Audit Considerations Relating to Entities Using Service Organizations, requires an auditor to assess the effect of an "entity's use of a service organization" on an "entity's internal controls" (ISA 402, par. 2). Based on this assessment, the auditor will then analyze the risk of material misstatements. The result of this analysis may give rise to the performance of more audit procedures to address the risk. This ISA considers the audit implications of an entity's use of service organizations in the execution of transactions and retention of certain accountability or in the recording of transactions and processing of data. In such cases, "certain policies, procedures and records maintained by the service organization" may be of relevance to the financial statement audit (ISA 402, par. 3). Effect on the Work of the Auditor According to the practice alert (How the Use of a Service Organization Affects Internal Control Consideration) issued by the American Institute of Certified Public Accountants (AICPA), auditing standards such as ISA 400 require that "the auditor obtain an understanding of an entity's internal controls sufficient to plan the audit". This requirement may "extend beyond the controls in place at the entity's physical environment and may extend to other organizations who perform services on behalf of the entity to assist it in the recording, processing, summarizing and reporting of information in its financial statements". According to AU No. 324, a service organization is one that "provides services to a user organization that are part of the user organization's information system" (AU No. 324, p. 395). Examples of such service organizations are trust departments of banks; mortgage bankers and IT service providers (AU No. 324, p. 396). The level of service provided by a service organization and the degree of accountability it maintains will have an effect on the audit strategy of the auditor. Paragraph 4 of IAS 402 outlines how the policies and procedures of a service organization hired by the entity may be tied up to the internal control system of the entity. If the services provided are of a limited nature and the entity is still the one responsible for authorizing the transactions and retaining accountability of the transactions, the entity will be able to "implement effective policies and procedures". However, if the service organization is the one doing the execution and has the accountability over the entity's transactions, the entity may rely on the service organization's internal control system. The latter case may have an impact on the audit procedures of an auditor. The auditor will need to consider several factors before deciding the relevance of the activities of the service organization to the entity's internal control system and to the audit procedures that will be done by the auditor. If the auditor decides that there is a need to consider the controls of the service organization, the auditor will then "obtain sufficient information to understand the accounting and internal controls systems and to assess control risk" (ISA 402, par. 7). One way of obtaining such information from the service organization is through a "third-party report of the service organization's auditor" (ISA 402, par. 9). If the auditor will obtain such a report then the auditor needs to consider the professional competence of the service organization's auditor and the "nature and content of the report" (ISA 402, par. 11). The type of report obtained by the auditor will depend on how, if at all, the auditor will use the report to reduce the auditor's assessment of control risk. REFERENCES Avey, Tedd. Internal Controls and "Fraudproofing". 2002. New York. American Institute of Certified Public Accountants. from http://fvs.aicpa.org/Resources/ Antifraud+Forensic+Accounting/CPAs+and+Others+Performing+Fraud+Consulting+Services/Programs+and+Controls/Designing+Effective+and+Efficient+Programs+and+Controls/Internal+Controls+and+Fraudproofing.htm#4. International Standards on Auditing 402, Audit Considerations Relating to Entities Using Service Organizations. http://web.ifac.org/download/2008_Auditing_ Handbook_A115_ISA_402.pdf Hall, James A., Singleton, Tommie. (2005). Information Technology Auditing and Assurance. (2nd edition). Singapore: Thomson Learning. Weber, John and Goldstein, Ellen J. (ed.) How the Use of a Service Organization Affects Internal Control Considerations. July/August 1999. The American Institute of Certified Public Accountants. from http://www.aicpa.org/pubs/cpaltr/pracalrt.htm. International Auditing Practice Statement 1005. The Special Considerations in the Audit of Small Entities. International Auditing and Assurance Standards Board. from http://web.ifac.org/download/2008_Auditing_Handbook_ A230_IAPS_1005.pdf. Philippine Standards on Auditing & Philippine Auditing Practice Statements. Compilation 2. November 30, 2003. Metro Manila. Auditing Standards and Practices Council. Rehage, Kirk, Hunt, Steve and Nikitin, Fernando. Developing the IT Plan. July 2008. Global Technology Audit Guide. Florida: The Institute of Internal Auditors. from http://www.theiia.org/guidance/technology/gtag/gtag11/. Ricchiute, David N. Auditing and Assurance Services. 7th edition. Singapore: Thomson Learning. 2003. Service Organizations. AU Section 324. from http://www.aicpa.org/download/members/ div/auditstd/AU-00324.PDF. Read More