
ACC 3331-Review for Final Exam


Findings and Recommendations Report
includes most reviews that would be considered "consulting" or "advisory" services. A summary of the work performed in connection with the engagement.
Assessing materiality
done during the planning phase of the IT audit life cycle; establishes the benchmark by which the auditor gauges the importance of exceptions.
SAS 70 audit
an audit provided to a service organization (for example an application service provider) that provides services to a large number of users. The audit focuses on the internal controls around that business process for a period of at least six months.
Database Administrator Duties
Manages the database resources; includes database planning, database design, database implementation, operation, and maintenance, and database growth and change; also creates and maintains the data dictionary and evaluates database users' needs
SAS 94
examines the role of technology in a client organization and how technology affects the auditor's assessment of control risk within the financial statement audit
Extensible Business Reporting Language (XBRL)
a specialized set of XML tags for the accounting and finance industry to facilitate business reporting on the internet
Forensic Auditor's Toolkit
Screwdriver and pliers, Magnetic tape, DVD-R, Digital camera, Software utilities, Disk wiping, Disk imaging, Hash calculating, Searching, File and data recovery, e.g., EnCase
Benford's Law
in a large sample of naturally occurring numbers, such as invoice amounts, the left-most digit will follow an exponential distribution wherein the number 1 will appear approximately 30.1 percent of the time, the number 2 will appear approximately 17.6 percent of the time, and so on. The number 9 will appear approximately 4.6 percent of the time. This is used to examine the possibility of fraud in a sample of financial data
something you know
An act by an official or fiduciary who unlawfully and wrongly uses their position to obtain some benefit; Bribery, Conflicts of Interest, Illegal Gratuities, Economic Extortion; ~13% of all fraud, x10 greater $$$ loss than misappropriation of assets
Wells Report 2002
"2002 Report to the Nation on Occupational Fraud and Abuse;" The National Association of Certified Fraud Examiners fraud report. It is based on 663 known occupational fraud cases reported by certified fraud examiners who investigated those cases. The report discusses five main areas relevant to fraud.
SAS 78
Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS No. 55 (1996)—revised SAS No. 55 to conform to the COSO internal control definition and components. Required auditors to obtain a sufficient understanding of internal control.
a generalized audit software program used for data access, analysis, and reporting functions
Advantages of ACL
Unbiased decision making, Incorporation of expertise of multiple experts, and Constant availability
Generalized Audit Software (GAS)
software used to increase the efficiency of the audit, such as ACL, expert systems, utility software, and statistical software
Fraudulent Statements
Management fraud; Must provide a benefit to the perpetrator; e.g., understating liabilities/expenses to increase stock price; Only 5% of all fraud, but x10 greater $$$ loss than corruption
Fraud Triangle
the three factors present when fraud occurs—opportunity, incentive or pressure, and attitude or rationalization
any crime committed through the use of a computer.
The purpose of the audit is not to detect fraud but to determine whether the company has followed ______________ in the preparation of its financial statements.
Five Components of COSO
(1.) Control Environment— "tone at the top" (2.) Risk Assessment— identify, measure, evaluate, and respond to risk (3.) Control Activities— specific internal control procedures and policies (4.) Information and Communication— the need for organizations to make sure they obtain and communicate the information needed to carry out management strategies and objectives (5.) Monitoring— regular audits, evaluation, and constant attention to internal control violations
a service provided by an auditor whereby the auditor provides assurance on something for which the client is responsible.
Impose extremely strict controls (totally eliminate possibility of fraud) for a period of time to see what is different
Many people - suspects and peripheral individuals - look for tips; Be non-threatening, get their guard down; Examine verbal and non-verbal clues; Changes in speech patterns, no contractions, feigned unconcern, selective memory, swearing; Breaking eye contact, shifting body positions, crossing and re-crossing arms and legs, removing eyeglasses
Electronic working papers
software that automates the audit workpaper process
a tagging or markup language that facilitates the transmission and manipulation of information across the internet. Unlike HTML, these tags are expandable and describe the data rather than the data format
Segregating IT duties
- When locating the IT function you must consider the segregation of incompatible duties, which requires that the following responsibilities be vested in different people: authorizing transactions, recording transactions, and maintaining custody of assets.
Time and Billing Software
can ease the formerly onerous process of accounting for chargeable hours and compiling and preparing bills accordingly
Integrated Test Facility (ITF)
a method for testing fabricated data (test data) through the client's live system along with normal data processing
Electronic Business Extensible Markup Language (ebXML)
an industry-specific language of XML under development to enhance the use of global electronic business information
Refers collectively to two categories: 1.) software used to increase an auditor's personal productivity and to perform data extraction and analysis; and 2.) techniques used to increase the efficiency and effectiveness of the audit, such as routines used to analyze data once it has been extracted
Expert Systems
software based on a series of if-then rules that assists auditors in making structured decisions
the primary responsibility to detect fraud lies with the __________.
Types of audit evidence
ISACA Guideline 060.020.030 identifies several types of this that IT auditors will gather as part of fieldwork: Observed processes and existence of physical items such as computer operations or data backup procedures. Documentary evidence such as program change logs, system access logs, and authorization tables. Representations such as client-provided flowcharts, narratives, and written policies and procedures. Analysis such as CAATs procedures run on client-provided data files
typically comes from personal circumstances.
Information Systems Audit and Control Association (ISACA)
the professional organization for IT auditors. They license certified information systems auditors. The professional association also established the IT Governance Institute, which recently published the third edition of CobiT.
SAS 70
an audit provided to a service organization (for example an application service provider) that provides services to a large number of users. The audit focuses on the internal controls around that business process for a period of at least six months.
Audit Productivity Software
e.g. groupware, electronic workpapers, time and billing, reference libraries
Fraud detection by functional area
Auditors who need to design CAATs to detect fraud often "re-create the wheel" for different clients in different industries. However, the CAATs performed to detect fraud have several commonalities and can be grouped according to functional area.
Attribute Sampling
test internal controls around critical processes then count # of deviations and document % compliance
something you are
Criminal proof
proof beyond reasonable doubt 95%
the employee finds a way within his/her conscience to justify the theft
smart card
something you have
exists when internal controls are not sufficient or when collusion exists so that perpetrators can circumvent the controls
could examine 100% of all data files (sampling)
SAS 99
Consideration of Fraud in a F/S Audit; Evaluation of Audit Tests; Determine if any misstatements are likely due to fraud; Determine if misstatement is material; If so, or undetermined; Consider implications for the audit as a whole; Discuss with senior management, management at least one level above suspected act, and audit committee; Gather additional evidence to determine how material; If appropriate, suggest client talk to legal counsel; If not material, does a systematic problem exist; Consider withdrawing from the audit engagement
Risk based audit approach
in this type of audit, risk assessment revolves around the question: What can go wrong? That is, IT auditors focus on first determining what the critical support processes are for a given audit process. Next, they ask themselves what can possibly go wrong within those support processes. This helps the auditor identify the controls that should be in place to safeguard the integrity of the process under audit.
Reusable password
most common; use random letters, numbers, and characteristics
routines used to increase the efficiency and effectiveness of the audit, such as routines used to analyze data once it has been extracted
Interviewing suspects
during the evidence gathering phase, the investigator will likely interview many people in the company.
sometimes not possible to examine 100%, have to examine this
Civil proof
guilty by a reasonable preponderance of the evidence 51%
any act involving the use of deception to obtain an illegal advantage
Embedded Audit Module (EAM)
a form of continuous auditing technique; This screens data and runs batch programs to detect anomalous data as they occur, as opposed to perhaps several months after the transaction has been entered into the accounting records. One can think of these as like a virus-scanning program. They run in the background looking for unusual or high-risk transactions based on models the auditor has provided.
Indirect methods of proof
Look at suspect's financial profile, debts, salary, credit rating, lifestyle
Steps in the Fraud Investigation
1.) develop fraud theory, 2.) gathering evidence, 3.) interviewing, 4.) invigilation, 5.) indirect methods of proof, 6.) prosecution
Types of IT Audits
attestation, findings and recommendations report, SAS 70, SAS 94
Reference Libraries
used to locate company-specific policies and procedures, and to search for authority when researching a particularly thorny problem
Parallel Simulation
creating a replica of the client's application, running live data through the system, and comparing the results with data actually run through the client's system in normal data processing
Evaluation of audit tests
Once the audit test has been conducted, the auditor must evaluate the test results again and consider whether the evidence gathered in aggregate affects the initial assessment of the risk of material misstatement. See SAS 99 for the procedure on evaluating audit tests.
IT Governance
the process for controlling an organization's IT resources. The objectives are to use IT to promote organizational objectives and enable business processes and also to manage and control IT-related risks
software that facilitates sharing of information across firms and between the auditor and the client, including multiuser calendaring, scheduling, and file sharing
Social Engineering
a form of manipulation and trickery that relies on human behaviors
Auditor prohibited activities
The law lists eight non-audit services that audit firms are specifically prohibited from providing, plus one additional generic service.
Disadvantages of Audit Expert Systems
Difficulty in eliciting the decision making process and criteria from the expert, Difficulty in updating the knowledge base and rules contained therein, Time required to develop and test the system, Expense to develop and maintain the system, Difficulty in modeling uncertainty in decisions, Mechanical adherence to the process—no room for intuition or human reason
Risk assessment
What can go wrong? What are the critical support processes for a given audit process? What can go wrong with these support processes? Is it material? These controls need to be tested
