Accounting Information Systems Controls Processes 3rd Edition Turner Solutions Manual

Accounting Information Systems Controls
Processes 3rd Edition Turner Solutions Manual
download pdf
https://testbankfan.com/product/accounting-information-systems-controls-
processes-3rd-edition-turner-solutions-manual/
Visit testbankfan.com to explore and download the complete
collection of test banks or solution manuals!

We believe these products will be a great fit for you. Click
the link to download now, or visit testbankfan.com
to discover even more!
Accounting Information Systems Controls Processes 3rd
Edition Turner Test Bank
https://testbankfan.com/product/accounting-information-systems-
controls-processes-3rd-edition-turner-test-bank/
Accounting Information Systems The Processes Controls 2nd
Edition Turner Solutions Manual
https://testbankfan.com/product/accounting-information-systems-the-
processes-controls-2nd-edition-turner-solutions-manual/
Accounting Information Systems The Processes and Controls
2nd Edition Turner Test Bank
https://testbankfan.com/product/accounting-information-systems-the-
processes-and-controls-2nd-edition-turner-test-bank/
Basic Technical Mathematics with Calculus SI Version
Canadian 10th Edition Washington Solutions Manual
https://testbankfan.com/product/basic-technical-mathematics-with-
calculus-si-version-canadian-10th-edition-washington-solutions-manual/

Science and Engineering of Materials SI Edition 7th
Edition Askeland Solutions Manual
https://testbankfan.com/product/science-and-engineering-of-materials-
si-edition-7th-edition-askeland-solutions-manual/
Shelly Cashman Series Microsoft Office 365 Excel 2016
Comprehensive 1st Edition Freund Test Bank
https://testbankfan.com/product/shelly-cashman-series-microsoft-
office-365-excel-2016-comprehensive-1st-edition-freund-test-bank/
Psychological Testing and Assessment An Introduction to
Tests and Measurement 8th Edition Cohen Test Bank
https://testbankfan.com/product/psychological-testing-and-assessment-
an-introduction-to-tests-and-measurement-8th-edition-cohen-test-bank/
Teaching for Diversity in Schools 2nd Edition Egbo
Solutions Manual
https://testbankfan.com/product/teaching-for-diversity-in-schools-2nd-
edition-egbo-solutions-manual/
Understanding Operating Systems 5th Edition McHoes Test
Bank
https://testbankfan.com/product/understanding-operating-systems-5th-
edition-mchoes-test-bank/

Gateways to Art Understanding the Visual Arts 2nd Edition
DeWitte Test Bank
https://testbankfan.com/product/gateways-to-art-understanding-the-
visual-arts-2nd-edition-dewitte-test-bank/

Chapter 7- Auditing Information
Technology-Based Processes
Instructor’s Manual

2 | P a g e
CHATPER 7: AUDITING INFORMATION TECHNOLOGY-BASED PROCESS
LEARNING OBJECTIVES:..........................................................................................................................................3
REAL WORLD: AURAFIN BRAND .............................................................................................................................3
INTRODUCTION TO AUDITING IT PROCESSES (STUDY OBJECTIVE 1) ........................................................4
TYPES OF AUDITS AND AUDITORS (STUDY OBJECTIVE 2) .......................................................................4
INFORMATION RISK AND IT-ENHANCED INTERNAL CONTROL(STUDY OBJECTIVE 3) ..........................6
AUTHORITATIVE LITERATURE USED IN AUDITING (STUDY OBJECTIVE 4) ...............................................6
MANAGEMENT ASSERTIONS AND AUDIT OBJECTIVES(STUDY OBJECTIVE 5)..............................................8
PHASES OF AN IT AUDIT (STUDY OBJECTIVE 6)...................................................................................................9
USE OF COMPUTERS IN AUDITS (STUDY OBJECTIVE 7) .........................................................................11
TESTS OF CONTROLS (STUDY OBJECTIVE 8) ..............................................................................................11
GENERAL CONTROLS ........................................................................................................................................11
APPLICATION CONTROLS..................................................................................................................................13
TESTS OF TRANSACTIONS AND TESTS OF BALANCES (STUDY OBJECTIVE 9) ...................................14
AUDIT COMPLETION/REPORTING (STUDY OBJECTIVE 10)..........................................................................15
OTHER AUDIT CONSIDERATIONS (STUDY OBJECTIVE 11 ) ......................................................................15
DIFFERENT ITENVIRONMENTS..........................................................................................................................15
CHANGES IN A CLIENT’S IT ENVIRONMENT ..................................................................................................17
SAMPLING VERSUS POPULATION TESTING......................................................................................................17
ETHICAL ISSUES RELATED TO AUDITING (STUDY OBJECTIVE 12) ..........................................................18
CHAPTER SUMMARY ............................................................................................................................................19

3 | P a g e
CHAPTER 7: AUDITING INFORMATION TECHNOLOGY-BASED PROCESS
LEARNING OBJECTIVES:
1. An introduction to auditing IT processes
2. The various types of audits and auditors
3. Information risk and IT-enhanced internal control
4. Authoritative literature used in auditing
5. Management assertions used in the auditing process and the related audit objectives
6. The phases of an IT audit
7. The use of computers in audits
8. Tests of controls
9. Tests of transactions and tests of balances
10. Audit completion/reporting
11. Other audit considerations
12. Ethical issues related to auditing
REAL WORLD: AURAFIN BRAND
• The Aurafin brand is renowned in the jewelry industry as the fashion leader in fine gold.
• Owned by Richline Group, Inc., a subsidiary of Berkshire Hathaway, Inc., the brand is sold by retail
giants like JCPenney, Macy’s, and many online outlets.
• Aurafin has overcome significant challenges in maintaining its customer relationships. Several years
ago, Aurafin began experiencing such severe problems with transaction fulfillment and delivery that
its customers were taking notice.
• JCPenney had implemented a supplier scorecard system, a type of vendor audit whereby companies,
which do business with JCPenney were evaluated on the basis of the quality of service provided. This
system brought to light some significant violations in Aurafin’s business processes, including
weaknesses in controls and inadequate computer systems.
Aurafin took quick action, undergoing a thorough IT audit which identified the specific causes of its process
failures. Aurafin acted swiftly upon the recommendations made by its auditors and implemented a more
reliable technology platform that empowered it to apply a variety of new audit and control techniques and to
get its systems in sync with its business goals. Aurafin credits the audit processes to its newfound success,
including its subsequent recognition as JCPenney’s “Vendor of the Year.” This chapter focuses on various
aspects of an IT audit, as well as the accountant’s techniques for evaluating information-technology processes,
and their importance in business processes.

4 | P a g e
INTRODUCTION TO AUDITING IT PROCESSES (STUDY OBJECTIVE 1)
Nearly all business organizations rely on computerized systems to assist in the accounting function.
Technological advances have transformed the business world by providing new ways for companies to do
business and maintain records. This boom in technological developments has increased the amount of
information that is readily available. Business managers, investors, creditors, and government agencies often
have a tremendous amount of data to use when making important business decisions. However, it is often a
challenge to verify the accuracy and completeness of the information.
Accountants have an important role in the business world because they are called upon to improve the quality
of information provided to decision makers. Accounting services that improve the quality of information are
called assurance services. Many types of services performed by accountants are considered assurance
services because they lend credibility to the underlying financial information. An audit is the most common
type of assurance service
TYPES OF AUDITS AND AUDITORS (STUDY OBJECTIVE 2)
The main purpose of the audit is to assure users of financial information about the accuracy and completeness
of the information. To carry out an audit, accountants collect and evaluate proof of procedures, transactions,
and/or account balances and compare the information with established criteria. The three primary types of
audits include:
• compliance audits,
• operational audits, and
• financial statement audits
Compliance audits determine whether the company has complied with regulations and policies established by
contractual agreements, governmental agencies, company management, or other high authority.
Operational audits assess operating policies and procedures for efficiency and effectiveness
Financial statement audits determine whether the company has prepared and presented its financial
statements fairly, and in accordance with established financial accounting criteria.
• financial statement audits are performed by certified public accountants who have extensive
knowledge of generally accepted accounting principles (GAAP) in the United States and/or
International Financial Reporting Standards (IFRS)

5 | P a g e
There are different types of audit specialization that exist in business practice today, including:
• An internal auditor is an employee of the company that he or she audits. Most large companies have
a staff of internal auditors who perform compliance, operational, and financial audit functions at the
request of management. Some internal auditors achieve special certification as certified internal
auditors (CIAs).
• IT auditors specialize in information systems assurance, control, and security, and they may work for
CPA firms, government agencies, or with the internal audit group for any type of business
organization. Some IT auditors achieve special certification as certified information systems auditors
(CISAs).
• Government auditors conduct audits of government agencies or income tax returns.
• CPA firms represent the interests of the public by performing independent audits of many types of
business organizations.
Only CPA firms can conduct financial statement audits of companies whose stock is sold in public markets
such as the New York Stock Exchange. An important requirement for CPA firms is that they must be neutral
with regard to the company being audited. The neutrality requirement allows CPA firms to provide an
unbiased opinion on the information it audits, and it is the foundation of an external audit performed by CPAs.
An external audit is performed by independent auditors who are objective and neutral with respect to the
company and information being audited. To keep their neutrality, CPA firms and their individual CPAs are
generally prohibited from having financial and managerial connections with client companies and from having
personal ties to those working for client companies. A CPA’s objectivity could be impaired by having these
types of relationships with a client company or with anyone having the ability to influence the client’s
decisions and financial reporting activities.
• Performing financial statement audits is a main service of CPA firms.
• Because many audited companies use sophisticated IT systems to prepare financial statements, it is
important for auditors to enhance the quality of their services in auditing those systems.
• IT auditing is a part of the financial statement audit that evaluates a company’s computerized
accounting information systems.
• An auditor must gain a sufficient understanding of the characteristics of a company’s IT system.
• Use of computers may significantly change the way a company processes and communicates
information, and it may affect the underlying internal controls. Therefore, the IT environment plays a
key role in how auditors conduct their work in the following areas:
o Consideration of risk
o Audit procedures used to obtain knowledge of the accounting and internal control systems
o Design and performance of audit tests

6 | P a g e
INFORMATION RISK AND IT-ENHANCED INTERNAL CONTROL
(STUDY OBJECTIVE 3)
Information risk is the chance that information used by decision makers may be inaccurate. Following are
some causes of information risk:
• the remoteness of information
• the volume and complexity of the underlying data
• the motive of the preparer
The most common way for decision makers to reduce information risk is to rely upon information that has
been audited by an independent party. Various risks are created by the existence of IT-based business
processes. For example, because the details of transactions are often entered directly into the computer
system, there may be no paper documentation maintained to support the transactions. This is often referred
to as the loss of audit trail visibility because there is a lack of physical evidence to visibly view.
Advantages of using IT-based systems:
• Internal controls can actually be enhanced if care is exercised in implementing these systems
• Computer controls can compensate for the lack of manual controls
• If programs are tested properly the risk of human error is virtually eliminated
• Provide higher quality information to management
AUTHORITATIVE LITERATURE USED IN AUDITING
(STUDY OBJECTIVE 4)
Generally accepted auditing standards (GAAS) are broad guidelines for an auditor’s professional
responsibilities. These ten standards are divided into three categories that include general qualifications and
conduct of an auditor (general standards), guidelines for performing the audit (standards of fieldwork), and
requirements for the written report communicating the results of the audit (standards of reporting).

7 | P a g e
General Standards StandardsofFieldwork Standards ofReporting
1. The audit is to be performed by
a person or persons having
adequate technicaltraining
and proficiency as anauditor.
2. Independence in mental attitude
is to be maintained in all matters
related to the audit engagement.
3. Due professional care is to be
exercised in all phases of the
audit process.
1. The audit is to be adequately planned
and supervised.
2. An understanding of internalcontrol
is to be obtained as part of the
planning process for the purpose of
determining the nature, timing, and
extent of tests to beperformed.
3. Evidence is to be obtained through
inspection, inquiries, observation, and
confirmations in order to provide a
reasonable basis for forming an
overall opinion on the audit.
1. The written report must state whether
the financial statements are presented in
accordance with the establishedcriteria.
2. The written report identifies any
circumstances in which established
principles have not been consistently
applied in the current period in relation
to the priorperiod.
3. The financial statements are assumed
to contain adequate informative disclo-
sures unless otherwise indicated in the
written report.
4. The written report expresses an opinion
on the fairness of the financial
statements as a whole, or an assertion
to the effect that an opinion cannot be
expressed (and the reasons therefor).
The report also describes the character
of the auditor’s work and the degree of
responsibilityassumedbytheauditor.

8 | P a g e
The Public Company Accounting Oversight Board (PCAOB) was organized in 2003 for the purpose of establishing
auditing standards for public companies in the United States
• The PCAOB was established by the Sarbanes–Oxley Act, which was created in response to several major
corporate accounting scandals, including those affecting Enron, WorldCom, and others
• Prior to the PCAOB, standard-setting was the responsibility of the Auditing Standards Board (ASB) of the
American Institute of CPAs (AICPA)
• The International Auditing and Assurance Standards Board (IAASB) was established by the International
Federation of Accountants (IFAC) to set International Standards on Auditing (ISAs) that contribute to the uniform
application of auditing practices on a worldwide basis.
ISAs are similar to SASs; however, ISAs tend to extend SASs because of their usefulness in audits of multinational
companies. Although auditors have a primary responsibility to comply with standards issued within their own countries,
ISAs are useful in expanding those requirements in order to meet different needs in other countries where the audited
information may also be used. The Institute of Internal Auditors (IIA) established the Internal Auditing Standards Board
(IASB) to issue standards that pertain to attributes of internal audit activities, performance criteria, and implementation
guidance. The Information Systems Audit and Control Association (ISACA) issues Information Systems Auditing
Standards (ISASs) that provide guidelines for conducting the IT audit. These standards address audit issues unique to a
company’s information systems environment, including control and security issues.
MANAGEMENT ASSERTIONS AND AUDIT OBJECTIVES (STUDY OBJECTIVE 5)
Management assertions are claims regarding the condition of the business organization in terms of its operations,
financial results, and compliance with laws and regulations.
The role of the auditors is to analyze the underlying facts to decide whether information provided by management is
fairly presented. Auditors design audit tests to analyze information in order to determine whether management’s
assertions are valid. To accomplish this, audit tests are created to address general audit objectives. Each audit objective
relates to one of management’s assertions.
The following diagram illustrates management assertions and the corresponding audit objective:

9 | P a g e
Auditors must think about how the features of a company’s IT systems influence management’s assertions and the
general audit objectives. These matters have a big impact on the choice of audit methodologies used.
PHASES OF AN IT AUDIT (STUDY OBJECTIVE 6)
There are four primary phases of the audit:
• planning,
• tests of controls,
• substantive tests, and
• audit completion/reporting
Through each phase of an audit, evidence is accumulated as a basis for supporting the conclusions reached by the
auditors. Audit evidence is proof of the fairness of financial information. The techniques used for gathering evidence
include the following:
• Physically examining or inspecting assets or supporting documentation
• Obtaining written confirmation from an independent source
• Reperforming tasks or recalculating information
• Observing the underlying activities
• Making inquiries of company personnel
• Analyzing financial relationships and making comparisons to determine reasonableness

10 | P a g e
During the planning phase of an audit, the auditor must gain a thorough understanding of the company’s business and
financial reporting systems. In doing so, auditors review and assess the risks and controls related to the business,
establish materiality guidelines, and develop relevant tests addressing the assertions and objectives
• tasks of assessing materiality and audit risk are very subjective and are therefore typically performed by
experienced auditors
• Determining materiality, auditors estimate the monetary amounts that are large enough to make a difference in
decision making
• Materiality estimates are then assigned to account balances so that auditors can decide how much evidence is
needed
• Below materiality limits are often considered insignificant
• Some accounts with immaterial balances may still be audited, though, especially if they are considered areas of
high risk
• Risk- refers to the likelihood that errors or fraud may occur
• Risk can be inherit or it may be caused by weak internal controls
A big part of the audit planning process is the gathering of evidence about the company’s internal controls
• Auditors typically gain an understanding of internal controls by interviewing key members of management and
the IT staff
• They observe policies and procedures and review IT user manuals and system flowcharts
• They often prepare narratives or memos to summarize the results of their findings
• Company personnel generally complete a questionnaire about the company’s accounting systems, including its
IT implementation and operations, the types of hardware and software used, and control of computer resources
• The understanding of internal controls provides the basis for designing appropriate audit tests to be used in the
remaining phases of the audit
In recognition of the fact that accounting records and files often exist in both paper and electronic form, auditing
standards address the importance of understanding both the automated and manual procedures that make up an
organization’s internal controls. In addition, many large and medium-size businesses are capturing an abundance of
data. The availability of Big Data sets in auditing may complicate an auditor’s judgment. Yet auditors must always
consider how misstatements may occur, including the following:
• How data is captured and used
• How standard journal entries are initiated, recorded, and processed
• How nonstandard journal entries and adjusting entries are initiated, recorded, and processed
IT auditors may be called upon to consider the effects of computer processing on the audit or to assist in testing those
automated procedures.

11 | P a g e
USE OF COMPUTERS IN AUDITS (STUDY OBJECTIVE 7)
If the use of IT systems does not have a great impact on the conduct of the audit, since the auditor can perform audit
testing in the same manner as would be done for a manual system the practice is referred to as auditing around the
computer because it does not require evaluation of computer controls.
• Auditing around the computer merely uses and tests output of the computer system in the same manner as the
audit would be conducted if the information had been generated manually
• Because this approach does not consider the effectiveness of computer controls, auditing around the computer
has limited usefulness.
Auditing through the computer involves directly testing the internal controls within the IT system, whereas auditing
around the computer does not
• sometimes referred to as “the white box approach,” because it requires auditors to understand the computer
system logic
• This approach requires auditors to evaluate IT controls and processing so that they can determine whether the
information generated from the system is reliable
• Auditing through the computer is necessary under the following conditions:
o The auditor wants to test computer controls as a basis for evaluating risk and reducing the amount of
substantive audit testing required.
o The author is required to report on internal controls in connection with a financial statement audit of a
public company.
o Supporting documents are available only in electronic form.
Auditors can use their own computer systems and audit software to help conduct the audit. This approach is known as
auditing with the computer.
• A variety of computer-assisted audit techniques (CAATs) are available for auditing with the computer
• CAATs are useful audit tools because they make it possible for auditors to use computers to test more evidence
in less time.
TESTS OF CONTROLS (STUDY OBJECTIVE 8)
The tests of controls involve audit procedures designed to evaluate both general controls and application controls.
During audit planning, auditors must learn about the types of controls that exist within their client’s IT environment.
Then they may test those controls to determine whether they are reliable as a means of reducing risk. Tests of controls
are sometimes referred to as “compliance tests,” because they are designed to determine whether the controls are
functioning in compliance with management’s intentions.
GENERAL CONTROLS
General controls MUST be tested before application controls. General controls are the automated controls that affect all
computer applications. The reliability of application controls is considered only after general controls are deemed
reliable.

12 | P a g e
The effectiveness of general controls is the foundation for the IT control environment. If general controls are not
functioning as designed, auditors will not devote attention to the testing of application controls; rather, they will
reevaluate the audit approach with reduced reliance on controls.
There are two broad categories of general controls that relate to IT systems:
• IT administration and the related operating systems development and maintenance processes
• Security controls and related access issues
IT Administration
Related audit tests include review for the existence and communication of company policies regarding the following
important aspects of administrative control:
• Personal accountability and segregation of incompatible responsibilities
• Job descriptions and clear lines of authority
• Computer security and virus protection
• IT systems documentation
Security Controls
Auditors are concerned about whether a company’s computer system has controls in place to prevent unauthorized
access to or destruction of information within the accounting information systems. Unauthorized access may occur
internally when employees retrieve information that they should not have, or externally when unauthorized users (or
hackers) outside the company retrieve information that they should not have. Access risks tend to escalate as companies
embrace newer technologies and allow sensitive data to be shared via smart devices, Web and mobile applications, and
social networks. Destruction of information may occur as a result of natural disasters, accidents, and other environ-
mental conditions. Controls that protect the company from these risks include:
• various access controls,
• physical controls,
• environmental controls, and
• business continuity policies
In order to test internal access controls, auditors should determine that the company has properly segregated IT duties
or compensated for a lack of segregation by improving supervisory reviews. The company’s authority table should be
tested to find out whether access to programs and data files is limited to authorized employees. Auditors should
perform authenticity tests for valid use of the company’s computer system, according to the authority tables.
In order to test external access controls, auditors may perform the following procedures:
• Authenticity tests
• Penetration tests

13 | P a g e
• Vulnerability assessments
• Review access logs to identify unauthorized users or failed access attempts
Physical controls include:
• locks,
• security guards,
• alarms,
• cameras, and
• card keys.
Physical controls not only limit access to the company’s computers, but also are important for preventing damage to
computer resources. In addition to assessing physical controls, auditors should evaluate the IT environment to
determine that proper temperature control is maintained, fireproofing systems are installed, and an emergency power
supply is in place.
APPLICATION CONTROLS
Application controls are computerized controls over application programs. Since any company may use many different
computer programs in its day-today business, there may be many different types of application controls to consider in
an audit.
Input Controls
Auditors perform tests to verify the correctness of information input to software programs. Auditors are concerned
about whether errors are being prevented and detected during the input stage of data processing. Auditors observe
controls that the company has in place and perform the comparisons on a limited basis to determine their effectiveness.
These tests can be performed manually or by electronic methods.
Processing Controls
IT audit procedures typically include a combination of data accuracy tests, whereby the data processed by computer
applications are reviewed for correct dollar amounts or other numerical values. For example, limit tests, described
previously as an input control, can also be an effective processing control. Run-to-run totals involve the recalculation of
amounts from one process to the next to determine whether data have been lost or altered during the process.
Balancing tests involve a comparison of different items that are expected to have the same values, such as comparing
two batches or comparing actual data against a predetermined control total. Mathematical accuracy tests verify
whether system calculations are correct. Completeness tests and redundancy tests, introduced earlier, check for
inclusion of the correct data.
Benford’s Law, also known as the first-digit law, was named for a physicist, Frank Benford, who discovered a specific,
but nonuniform pattern in the frequency of digits occurring as the first number in a list of numbers

14 | P a g e
The test data method is an audit and control technique often used to test the processing accuracy of software
applications. Test data are fictitious information developed by auditors and entered in the company’s application
system. Test data are processed under the company’s normal operating conditions. The results of the test are compared
with predicted results to determine whether the application is functioning properly
A slight variation of the test data method involves the auditor testing fictitious data, using a copy of the company’s
application. The test data may be processed through the application on a different (nonclient) computer. Under these
conditions, an auditor can also use another test data method, program tracing, whereby bits of actual data are followed
through the application in order to verify the accuracy of its processing. Program mapping, on the other hand, counts
the number of times each program statement is executed, so it can identify whether program code has been bypassed.
An integrated test facility (ITF) may be used to test application controls without disrupting the client’s operations.
Parallel simulation- is an audit technique that processes company data through a controlled program designed to
resemble the company’s application
Embedded audit module- involves placing special audit testing programs within the company’s operating system
Output Controls
Regardless of whether the results are printed or retained electronically, auditors may perform the following procedures
to test application outputs:
• Reasonableness tests compare the reports and other results with test data or other criteria.
• Audit trail tests trace transactions through the application to ensure that the reporting is a correct reflection of
the processing and inputs.
• Rounding errors tests determine whether significant errors exist due to the way amounts are rounded and
summarized.
Reconciliation- a detailed report assessing the correctness of an account balance or transaction record that is consistent
with supporting documentation and the company’s policies and procedures.
At the conclusion of the controls testing phase of the audit, an auditor must determine the overall reliability of the
client’s internal controls. Auditors strive to rely on internal controls as a way to reduce the amount of evidence needed
in the remaining phases of the audit. They can be reasonably sure that information is accurate when it comes from a
system that is proven to have strong controls. Therefore, once the general and application controls are tested and found
to be effective, the amount of additional evidence needed in the next phase of the audit can be minimized
TESTS OF TRANSACTIONS AND TESTS OF BALANCES (STUDY OBJECTIVE 9)
Audit tests of the accuracy of monetary amounts of transactions and account balances are known as substantive testing
• Substantive tests verify whether information is correct, whereas control tests determine whether the
information is managed under a system that promotes correctness
• Some level of substantive testing is required regardless of the results of control testing.

15 | P a g e
• If weak internal controls exist or if important controls are missing, extensive substantive testing will be required.
• If controls are found to be effective, the amount of substantive testing required is significantly lower, because
there is less chance of error in the underlying records
Most auditors use generalized audit software (GAS) or data analysis software (DAS) to perform audit tests on
electronic data files taken from commonly used database systems. These computerized auditing tools make it possible
for auditors to be much more efficient in performing routine audit tests such as the following:
• Mathematical and statistical calculations
• Data queries
• Identification of missing items in a sequence
• Stratification and comparison of data items
• Selection of items of interest from the data files
• Summarization of testing results into a useful format for decision making
GAS and DAS are evolving to handle larger and more diverse data sets, which allow auditors to use more types of
unstructured data evidence and to perform more creative analytical procedures and predictive analyses.
AUDIT COMPLETION/REPORTING (STUDY OBJECTIVE 10)
After the tests of controls and substantive audit tests have been completed, auditors evaluate all the evidence that has
been accumulated and draw conclusions based on this evidence. This phase is the audit completion/reporting phase.
The completion phase includes many tasks that are needed to wrap up the audit. For many types of audits, the most
important task is obtaining a letter of representations from company management. The letter of representations is
often considered the most significant single piece of audit evidence, because it is a signed acknowledgment of
management’s responsibility for the reported information. In this letter, management must declare that it has provided
complete and accurate information to its auditors during all phases of the audit.
Four types of reports that are issued:
1. Unqualified opinion, which states that the auditors believe the financial statements are fairly and consistently
presented in accordance with GAAP or IFRS
2. Qualified opinion, which identifies certain exceptions to an unqualified opinion
3. Adverse opinion, which notes that there are material misstatements presented
4. Disclaimer of opinion, which states that the auditors are unable to reach a conclusion.
OTHER AUDIT CONSIDERATIONS (STUDY OBJECTIVE 11 )
DIFFERENT ITENVIRONMENTS
Most companies use microcomputers or personal computers (PCs) in their accounting processes. General controls
covering PCs are often less advanced than those covering the mainframe and client–server systems. Following are some
audit techniques used to test controls specifically in the use of PCs:

16 | P a g e
• Make sure that PCs and removable hard drives are locked in place to ensure physical security. In addition,
programs and data files should be password protected to prevent online misuse by unauthorized persons.
• Make sure that computer programmers do not have access to systems operations, so that there is no
opportunity to alter source code and the related operational data. Software programs loaded on PCs should not
permit the users to make program changes. Also ascertain that computer-generated reports are regularly
reviewed by management.
• Compare dates and data included on backup files with live operating programs in order to determine the
frequency of backup procedures.
• Verify the use of antivirus software and the frequency of virus scans
In addition to, or as an alternative to using PCs, companies’ IT environments may involve networks, database
management systems, e-commerce systems, cloud computing, and/or other forms of IT outsourcing. All of the risks and
audit procedures that apply to a PC environment may also exist in networks, but the potential for loss is much greater.
Since network operations typically involve a large number of computers, many users, and a high volume of data
transfers, any lack of network controls could cause widespread damage. Auditors must apply tests over the entire
network. It is especially important to test the software that manages the network and controls access to the servers.
Security risks always exist in companies that use e-commerce, because their computer systems are linked online with
the systems of their business partners.
As a result, the reliability of a company’s IT system depends upon the reliability of its customers’ and/or suppliers’
systems. The audit procedures used to assess controls in e-commerce environments were addressed earlier in this
chapter in the discussion on external access controls. In addition, auditors often
• Inspect message logs to identify the points of remote access, verify proper sequencing of transactions, and
review for timely follow up on unsuccessful transmissions between business partners
• Verify that the company has evaluated the computer systems of its business partners prior to doing business
over the Internet
• Reprocess transactions to see whether they are controlled properly
Some companies may rely on external, independent computer service providers to handle all or part of their IT needs.
This is known as IT outsourcing. IT outsourcing creates a challenge for auditors, who must gain an adequate under-
standing of risks and controls that are located at an independent service center.
It is important for a company and its auditors to carefully consider whether all relevant risks have been identified and
controlled. Below are some sample questions for auditors to consider when evaluating a cloud computing environment:
Security Risks:
• What damage could result if an unauthorized user accessed the company’s data?
• How and when are data encrypted?
• How does the cloud service provider handle internal security?

17 | P a g e
Availability Risks:
• What damage could result if the company’s data were unavailable during peak times or for an extended period?
• How does the cloud service provider segregate information between clients?
• What disaster recovery and business continuity plans are in place?
Processing Risks:
• How are response times and other aspects of operating performance monitored?
• How does the service provider monitor its capacity for data storage and usage?
• Is the service provider’s system flexible enough to accommodate the company’s anticipated growth?
Compliance Risks:
• What compliance standards does the cloud service provider meet?
• What third-party assurance documentation is in place?
• What additional documentation is available to help the company maintain compliance with applicable laws and
regulations?
CHANGES IN A CLIENT’S IT ENVIRONMENT
When a company changes the type of hardware or software used or otherwise modifies its IT environment, its auditors
must consider whether additional audit testing is needed. During its period of change, data may be taken from different
systems at different times. As a result, auditors should consider applying tests of controls at multiple times throughout
the period in order to determine the effectiveness of controls under each of the systems. Specific audit tests include
verification of the following items:
• An assessment of user needs
• Proper authorization for new projects and program changes
• An adequate feasibility study and cost–benefit analysis
• Proper design documentation, including revisions for changes made via updates, replacements, or maintenance
• Proper user instructions, including revisions for changes made via updated versions, replacements, or
maintenance
• Adequate testing before the system is put into use
SAMPLING VERSUS POPULATION TESTING
Auditors often rely on sampling, whereby they choose and test a limited number of items or transactions and then draw
conclusions about the information as a whole on the basis of the results. Since many audit tests do not cover all items in
the population, there is some risk that a sample, or subset, of the population may not represent the balance as a whole.
Auditors try to use sampling so that a fair representation of the population is evaluated.
As businesses evolve, they are more likely to possess Big Data sets, and auditors may transition from using sampling
strategies toward population testing, where continuous auditing techniques are used to evaluate 100% of the
population, often in real time.

18 | P a g e
ETHICAL ISSUES RELATED TO AUDITING (STUDY OBJECTIVE 12)
All types of auditors must follow guidelines promoting ethical conduct. For financial statement auditors, the
PCAOB/AICPA has established a Code of Professional Conduct, commonly called its code of ethics. This code of ethics is
made up of two sections, the principles and the rules.
Six Principles of the code:
1. Responsibilities
2. The Public Interest
3. Integrity
4. Objectivity and Independence
5. Due Care
6. Scope and Nature of Services
The Sarbanes–Oxley Act:
• placed restrictions on auditors by prohibiting certain types of services historically performed by auditors for
their clients
• increased management’s responsibilities regarding the fair presentation of the financial statements
• requires public companies to have an audit committee as a subcommittee of the board of directors
• requires top management to verify in writing that the financial statements are fairly stated and that the
company has adequate internal controls over financial reporting
In fulfilling their ethical responsibilities, auditors must practice professional skepticism during the audit. Professional
skepticism means that the auditors should not automatically assume that their clients are honest, but must have a
questioning mind and a persistent approach to evaluating evidence for possible misstatements.
It is important for auditors to consider the conditions under which fraud could be committed, including the possible
pressures, opportunities, and rationalization for committing dishonest acts. In the context of a client’s IT systems, audi-
tors should also think about the possibility that computer programs could be altered to report information in a manner
that is favorable for the company.
Accountants are sometimes called upon to perform a specialized type of assurance service called forensic auditing.
Forensic auditing is designed specifically for finding and preventing fraud and is used for companies where fraud is
known or believed to exist. Some accountants who work on forensic audits become certified fraud examiners (CFEs) and
are considered experts in the detection of fraud. Some CFEs specialize in computer forensics, which involves the
detection of abuses within computer systems. IT auditors may play an instrumental role in gathering and analyzing data
needed to perform or assist in a forensic audit.

19 | P a g e
CHAPTER SUMMARY
➢ Introduction to Auditing IT Processes. Most businesses rely upon computerized systems to assist in the accounting
function. Advancements in technology have brought huge increases in the amount of information that is readily
available for decision-makers. Accountants play an important role in the business world because they are called
upon to improve the quality of information. Accountants provide assurance services, which help to verify the
accuracy and completeness of financial information, thereby improving the quality and lending credibility to this
information. An audit is the most common type of assurance service.
➢ Types of Audits and Auditors. The main purpose of an audit is to assure users of financial information about the
accuracy and completeness of the information by evaluating evidence supporting the underlying procedures,
transactions, and/or account balances. This evidence is compared to established criteria. There are three primary
types of audits, including (1) compliance audits, (2) operational audits, and (3) financial statement audits. Although
each type of audit involves an investigation of supporting evidence, each type has a different objective.
○ Compliance audits determine whether the client has complied with regulations and policies established by
contractual agreements, governmental agencies, company management, or other high authority.
○ Operational audits assess operating policies and procedures for efficiency and effectiveness.
○ Financial statement audits determine whether the company has prepared and presented its financial statements
fairly, and in accordance with generally-accepted accounting principles (GAAP) or some other financial
accounting criteria.
Internal auditors, IT auditors, and governmental auditors typically conduct compliance audits and operational audits.
Certified public accountants (CPAs) may conduct any type of audit, but CPA firms tend to concentrate on financial
statement audits and other financial assurance services. It is important that CPAs be independent, or objective and
neutral, with respect to their audit clients and the financial information being audited. Because many companies
use sophisticated IT accounting systems to support their financial statements, it is increasingly important for
auditors to understand the impact of information technology on their clients’ accounting systems and internal
controls. The IT environment plays a key role in how auditors conduct their work related to the consideration of risk
in the audit, understanding the underlying systems, and the related design and performance of audit tests.
➢ Information Risk and IT-Enhanced Internal Control. Information risk is the chance that information used by
decision-makers may be inaccurate. Information risk may be caused by:
• The remoteness of information, or the extent to which the source of the information is removed from the
decision-maker.
• The volume and complexity of the underlying data.
• The motive, goals, or viewpoint of the preparer of the information.
The most common way to reduce information risk is to rely upon information that has been audited by an
independent party. This is why a chapter on information-based processing and the related audit function is included
in the study of accounting information systems.
IT-based processes generally provide high quality information to management, which aids in effective decision-
making. Information is high quality when it is provided in a timely manner and administered effectively. IT systems
are also advantageous because they often include computerized controls to enhance the company’s internal
controls, and they eliminate the risk of human errors such as mathematical or classification mistakes. On the other

20 | P a g e
hand, IT systems present various risks, including loss of audit trail visibility, lost/destroyed data, system failures, and
unauthorized access.
➢ Authoritative Literature Used in Auditing. The work of an auditor must be conducted in accordance with several
sources of authoritative literature, including:
○ Generally accepted auditing standards (GAAS), which are broad guidelines for an auditor’s professional
responsibilities in the areas of general qualifications and conduct (general standards), performance of the audit
(standards of fieldwork), and written communication of results (standards of reporting). Exhibit 7-1 presents the
ten generally accepted auditing standards.
○ The Public Company Accounting Oversight Board (PCAOB) establishes auditing standards (AS) for public
companies. Prior to the PCAOB, accounting standards were established by the Auditing Standards Board (ASB) of
the American Institute of CPAs (AICPA) through the issuance of Statements on Auditing Standards (SASs). The
ASB is still serves as the standard-setting body for non-public companies.
○ The International Auditing and Assurance Standards Board (IAASB) issues international standards on auditing
(ISAs) and contributes to the uniform application of auditing practices on a worldwide basis.
○ The International Internal Auditing Standards Board (IASB) to issue standards that pertain to attributes of
internal audit activities, performance criteria, and implementation guidance.
○ The Information Systems Audit and Control Association (ISACA) issues information systems auditing standards
(ISASs) that address control and security issues and provide relevant guidelines for conducting and IT audit.
Although SASs, ISAs, and ISASs each provide detailed guidance that supports GAAS, they still do not furnish auditors
with detailed directions regarding the types of audit tests to use and the manner in which conclusions should be
drawn. Industry guidelines and other resources such as CPA firm’s own policies and procedures are needed for such
specific guidelines.
➢ Management Assertions and Audit Objectives. Management assertions are claims regarding the financial condition
of the business organization and its results of in terms of its operations, financial results, and compliance with
applicable laws and regulations. Management assertions relate to existence/occurrence, valuation and allocation,
accuracy, classification, cutoff, completeness, rights and obligations, and presentation and disclosure. These
assertions and related audit objectives are presented in Exhibit 7-2. Auditors recognize that management of the
company is primarily responsible for the preparation and presentation of the financial statements. Accordingly,
auditors analyze information supporting the financial statements in order to determine whether management’s
assertions are valid. Audit tests should be documented in an audit program and should be uniquely developed for
each audit client to address management’s assertions.
➢ Phases of an IT Audit. Exhibit 7-4 provides an overview of the four primary phases of the audit: planning, tests of
controls, substantive tests, and audit completion/reporting. Through each phase of the audit, evidence is
accumulated as a basis for supporting the conclusions reached by the auditors. Auditors use combinations of various
techniques to collect evidence, including physically examining and inspecting assets or supporting documentation,
obtaining written confirmation from an independent source, rechecking or recalculating information, observing
activities, making inquiries of client personnel, and analyzing financial relationships and trends.
o Audit Planning. Auditors must gain a thorough understanding of the company’s business and financial reporting
systems during the planning phase of the audit. In doing so, auditors review and assess the risks and controls
related to the business, establish materiality guidelines, and develop relevant tests addressing the objectives.
Risk assessment involves careful consideration of the likelihood that errors or fraud may occur. Risk may be

21 | P a g e
inherent in the business or it may be caused by weak internal controls. Accordingly, a big part of the audit
planning process involves gaining an understanding of internal controls. In determining materiality, auditors
estimate the monetary amounts that are large enough to make a difference in decision making. Materiality
estimates are then assigned to account balances so that auditors can decide how much evidence in needed in
the testing phases of the audit. If the company has adopted IFRS or is in the process of convergence, changes in
the audit approach should be anticipated.
➢ Use of Computers in Audits. The audit planning tasks of evaluating internal controls and designing meaningful audit
tests is more complex for automated accounting systems than for manual systems. In recognition of the fact that
accounting records and files often exists in both paper and electronic form, auditing standards address the
importance of understanding both the automated and manual procedures that make up an organization’s internal
control. Misstatements may occur through the data entry and processing functions of the system. Auditors must
consider the effects of such computer processing on the audit. Three options may exist for the auditor in deciding
upon a testing approach for a client’s automated process, including auditing around the computer, auditing through
the computer, and auditing with the computer.
• Auditing around the computer is commonly known as the “black box” approach because auditors are not
required to gain detailed knowledge about the company’s computer system; rather, documents used to
input data into the system can be compared with reports generated from the system. Computer controls are
not considered.
• Auditing through the computer is commonly known as the “white box” approach because it involves directly
testing the internal controls within the IT system. It requires the auditors to understand the computer
system logic and related IT controls. Auditing through the computer is necessary when the auditor wants to
test computer controls as a basis for reducing the amount of substantive testing required, when the auditor
is required to report on internal controls of a public company, and when supporting documents are available
only in electronic form.
• Auditing with the computer involves the auditors’ use of their own computer systems and audit software to
perform audit testing. A variety of computer assisted audit techniques (CAATs) are available for auditing
with the computer.
➢ Tests of Controls. After auditors have learned about the types of controls that exist within their client’s IT
environment, they may then test those controls to determine whether they are reliable as a means of reducing risk.
Test of controls are sometimes referred to as “compliance tests”, because they are designed to determine whether
the controls are functioning in compliance with management’s intentions. Both general controls and application
controls must be considered.
General Controls. The effectiveness of general controls is the foundation of the IT control environment because
general controls affect all computer applications. If general controls are not functioning as designed, auditors will
not devote attention to the testing of application controls; rather, they will reevaluate the audit approach with
reduced reliance on controls. There are two broad categories of general controls that relate to IT systems: IT
administration and the related operating systems development and maintenance processes, and security controls
and related access issues.
• IT administration. IT departments should be organized so that an effective and efficient workplace is
created and supported. The important aspects of administrative control include personal accountability and
segregation of incompatible responsibilities, job descriptions and clear lines of authority, computer security

22 | P a g e
and virus protection, and thorough documentation about the internal logic of computer systems and
surrounding controls.
• Security controls. Auditors must be concerned about whether a company’s computer system has controls
in place to prevent unauthorized access that may result in the destruction or alteration of information
within the accounting information systems. Unauthorized access may be from an internal or external source,
and can be controlled internally through the use of various access controls, including authenticity tests,
passwords and security tokens, and other techniques that were described in Chapter 4. External access
controls may include authenticity tests, penetration tests, vulnerability assessments, and monitoring of
access logs and other security reports. Physical controls such as locks, security alarms, etc. are also used to
protect and limit access to a company’s computer resources. In addition, a disaster recovery plan, backup
procedures, virus protection, and adequate insurance coverage should all be in place in order to protect the
company’s computer systems and data.
Application Controls. Since companies tend to use many different computer programs in their day-to-day
business, there may be different types of application controls to consider in an audit. However, application
controls are considered only if general controls have already been tested and found to be operating effectively.
It would not be worthwhile to test application controls if the auditor already knew that the underlying general
controls were weak.
The three main functions of computer applications include input, processing, and output. Each of these
functions should be tested by the auditor.
• Auditors are concerned about whether errors are being prevented or detected during the input of data into
a computerized system. The most widely used tests of input controls include financial totals, hash totals,
completeness or redundancy tests, limit tests, validation checks, and field checks. Companies may
implement these tests as internal control measures, and auditors may perform the same type of test to
determine their effectiveness.
• Data accuracy tests are typically performed to evaluate the processing integrity of a company’s computer
systems. Limit tests, balancing tests, run-to-run totals, mathematical accuracy tests, and completeness or
redundancy tests can each be performed to test for the possibility of lost, altered, or unprocessed data.
When evaluating financial information, auditors can often use Benford’s Law to help discover whether
errors or fraud may exist in a data set. Benford’s Law applies to large data sets of naturally-occurring
numbers, and is therefore useful to auditors in evaluating possible errors or fraud in sales and accounts
receivable balances, accounts payable and disbursements balances, income tax data, and more. Audit
procedures that apply Benford’s Law can be carried out using spreadsheet programs or special applications
of audit software. Exhibit 7-8 presents a comparison of several CAATs for testing applications controls,
including the test data method, program tracing, an integrated test facility, parallel simulation, and
embedded audit modules.
• Audit tests that evaluate general controls over access and backup procedures may also be used in the
testing of specific computer application outputs. Regardless of whether the outputs are printed or retained
electronically, auditors may perform reasonableness tests, audit trail tests, and/or rounding errors tests to
verify the accuracy of system outputs.
At the conclusion of the controls testing phase of the audit, auditors must determine the overall reliability of the
company’s internal controls. Auditors may rely on internal controls as a way to reduce the amount of evidence
needed in the remaining phases of the audit. They can be reasonably sure that financial information is accurate
when it comes from a system that is proven to have strong controls.

23 | P a g e
➢ Tests of Transactions and Tests of Balances. When auditors test the accuracy of monetary amounts of transactions
and account balances, this is known as substantive testing. Substantive testing therefore determines whether
financial information is accurate, whereas control tests determine whether the financial information is managed
under a system that promotes accuracy. Some level of substantive testing is required on all financial statement
audits, however, the results of the tests of controls will determine the extent of substantive testing. There is an
inverse relationship between the two: the stronger the internal controls, the less substantive testing is required,
and vice versa.
Some testing strategies used to test controls can also be used to perform substantive testing. For instance, parallel
simulations, the test data method, the embedded audit module, and the integrated test facility can be used for both
controls and substantive testing. Recent trends such as advances in automated controls, new compliance
requirements, integration of governance, risk management, and compliance (GRC) activities, and real-time financial
reporting have created the need for continuous auditing. Continuous auditing, or continuous monitoring, is a
process of constant evidence gathering and analysis to provide assurance on the information as soon as it occurs or
shortly thereafter. Continuous monitoring of internal controls is important so that control deficiencies can be
detected before they become significant. The SEC, PCAOB, and AICPA also approve of the use of continuous
auditing. Continuous auditing helps auditors stay involved in their client’s business and perform audit testing in a
more thorough manner. This requires that the auditors have online access to the company’s systems so that data
can be obtained on an ongoing basis. Then the data are downloaded and tested by auditors within a very short
timeframe. Most CPA firms used generalized audit software (GAS) or data analysis software (DAS) to perform audit
tests on electronic files taken from commonly used database systems. These computerized audit tools assist
auditors in the performance of mathematical and statistical computations, data queries, identification of missing
information in a sequence, stratification and comparison of data items, selection of items of interest from the data
files, and summarization of testing results into a useful format for decision-making.
➢ Audit Completion/Reporting. The final phase of the audit involves overall evidence accumulation and drawing final
conclusions. The auditors must determine whether the financial statements are presented fairly and whether all of
the evidence supports the financial information presented. The auditors must also consider whether the extent of
testing has been adequate in light of the risks and controls identified during the planning phase versus the results of
procedures performed in the testing phases.
A letter of representation must be obtained during the final phase of the audit. This is often considered the single
most important piece of audit evidence because it includes management’s acknowledgment of responsibility for the
fair presentation of the financial statements.
Auditors have four choices from which to select a report that communicates the final conclusions of the audit. The
four types of reports include an unqualified opinion, which states that the financial statements are fairly stated; a
qualified opinion, which sets forth limited exceptions; an adverse opinion, which warns that the financial statements
are not fairly stated; or a disclaimer, which explains that an opinion cannot be formed. When reporting on the
effectiveness of internal controls, auditors must choose between an unqualified, adverse, or disclaimer opinion.
➢ Other Audit Considerations.
o Different IT Environments. Auditors are responsible for understanding how information is managed so that it is
reliable. A company’s computer systems may include mainframe and client-server systems, microcomputers and

24 | P a g e
personal computers (PCs), networks, database management systems, and/or e-commerce systems. PCs may
face a greater risk of loss and therefore require strong controls such as locked hard drives, password protection,
separation of operating and programming functions, backup procedures, and virus protection. All of the risks
and audit procedures that apply to PCs are also likely to exist in networks, but the potential for loss is much
greater because of the larger number of computers, users, and information involved in network operations. For
database operations, it is especially important that a database administrator monitors access to the company’s
data on a regular basis. In addition, since many users and many applications will share information in the
database, the data must be organized and controlled consistently. Finally, companies that use e-commerce
depend upon the reliability of other companies’ systems; external access controls are critical in such systems.
An increasing number of companies use IT outsourcing, which places reliance upon an external, independent
computer service center to handle all or part of the IT needs. Auditors must still gain an understanding of the
internal controls surrounding such computer applications, which can be accomplished by testing controls at the
service center or by testing around the computer.
When companies use cloud computing, their auditors need to thoroughly understand the underlying
technologies and related risks and controls. In addition to merely identifying the threats inherent in a cloud
computing environment, it is particularly difficult to estimate their potential costs and overall impact. Exhibit 7-
11 presents the general areas of risk assessment that should be addressed by auditors, and some sample
questions for each area. Useful guidance in conducting audit procedures for cloud computing is available from
ISACA’s IT Assurance Framework, the International Organization for Standardization (ISO) user guides, and the
AICPA’s Service Organization Controls (SOC) Framework.
Auditors can perform their own testing, or they can rely upon SOC reports from a service provider’s auditors.
The SOC 1 report addresses internal controls over financial reporting. A SOC 1 Type I report contains
management’s assessment and the auditor’s opinion on the operating design of internal controls over financial
reporting. A SOC 1 Type II report is an extension of the Type I report in that it also evaluates the operating
effectiveness of those internal controls. A SOC 2 report considers controls over compliance and operations,
including the Trust Services Principles of security, availability, processing integrity, confidentiality, and privacy of
a service provider’s systems. Similar to the SOC 1 reports, the SOC 2 reporting options also allow for a Type I or
Type II conclusion depending upon whether the auditor considers suitability of design or operating effectiveness
of those controls, respectively. Finally, a SOC 3 report is an unaudited report that is available to the general
public containing a CPA firm’s conclusion on the elements of the Trust Services Principles.
o Changes in a Client’s IT Environment. When a company changes the type of hardware or software used or
otherwise modifies its IT environment, auditors should consider applying tests of controls at multiple times
throughout the period in order to determine the effectiveness of controls under each of the systems. Auditors
must evaluate a client’s procedures for developing, implementing, and maintaining new systems or changes in
existing systems.
o Sampling versus Population Testing. Auditors must rely on sampling to test a limited number of items and then
use these limited tests to draw conclusions about the overall control effectiveness and accuracy of transactions
and account balances. There is always some risk that a sample may not represent the population as a whole. The
rise in Big Data and increased use of continuous auditing techniques has led to auditors increasingly testing
100% of a population.

25 | P a g e
➢ Ethical Issues Related To Auditing.
The AICPA has established a Code of Professional Conduct to provide the foundation for ethical behavior
expected of CPAs. The six principles of the Code include:
• Responsibilities
• The Public Interest
• Integrity
• Objectivity and Independence
• Due Care
• Scope and Nature of Services
It is most important that auditors maintain objectivity and independence with respect to their client companies.
Accordingly, they should not become too friendly with their clients or develop any financial relationships with
them that could create bias.
Internal auditors and IT auditors must abide by ethical standards established by the IIA and ISACA, respectively.
The IIA Code of Ethics is founded on the principles of integrity, objectivity, confidentiality, and competency.
Similarly, ISACA’s Code of Professional Ethics recognizes due diligence, objectivity, competency, communication,
maintaining privacy and confidentiality, and serving in the interests of stakeholders.
The Sarbanes-Oxley Act places restrictions on auditors by limiting the types of services they can provide for their
audit clients. This is intended to promote objectivity in the conduct of their work by prohibiting the types of
services that involve accounting work that is subject to an audit and other services that put auditors in a role of
managerial decision making. The Sarbanes-Oxley Act also increased public companies’ responsibilities regarding
the fair presentation of financial statements by requiring the following:
• reporting on the effectiveness of internal controls.
• management’s written verification of the fair presentation of the financial statements.
• establishment of an audit committee to promote independence of the audit function.
In fulfilling their ethical responsibilities, auditors must practice professional skepticism, which means that they
should maintain a questioning attitude and persistent approach to evaluating evidence. This is important in
order to increase the chances of detecting fraud, which may be especially difficult to find if perpetrated by
managers who can override internal controls. Forensic audit testing performed by certified fraud examiners
(CFEs) may be used in cases where fraud is suspected or is known to exist.
Also in practicing professional skepticism, auditors should be careful about balancing the mix of audit
procedures between tests of controls and substantive tests. Emphasis on computer processes and internal
controls may lead to an over-reliance on the accounting system, which could be circumvented by management.
Therefore, it is important to also perform substantive procedures that focus on the actual transactions and
account balances that make up the financial statements.
Accountants are sometimes called upon to perform a specialized type of assurance service called forensic
auditing. Forensic auditing involves audit testing specifically for finding and preventing fraud, and is used for
companies where fraud is known or believed to exist.

Exploring the Variety of Random
Documents with Different Content

1.C. The Project Gutenberg Literary Archive Foundation (“the
Foundation” or PGLAF), owns a compilation copyright in the
collection of Project Gutenberg™ electronic works. Nearly all the
individual works in the collection are in the public domain in the
United States. If an individual work is unprotected by copyright
law in the United States and you are located in the United
States, we do not claim a right to prevent you from copying,
distributing, performing, displaying or creating derivative works
based on the work as long as all references to Project
Gutenberg are removed. Of course, we hope that you will
support the Project Gutenberg™ mission of promoting free
access to electronic works by freely sharing Project Gutenberg™
works in compliance with the terms of this agreement for
keeping the Project Gutenberg™ name associated with the
work. You can easily comply with the terms of this agreement
by keeping this work in the same format with its attached full
Project Gutenberg™ License when you share it without charge
with others.
1.D. The copyright laws of the place where you are located also
govern what you can do with this work. Copyright laws in most
countries are in a constant state of change. If you are outside
the United States, check the laws of your country in addition to
the terms of this agreement before downloading, copying,
displaying, performing, distributing or creating derivative works
based on this work or any other Project Gutenberg™ work. The
Foundation makes no representations concerning the copyright
status of any work in any country other than the United States.
1.E. Unless you have removed all references to Project
Gutenberg:
1.E.1. The following sentence, with active links to, or other
immediate access to, the full Project Gutenberg™ License must
appear prominently whenever any copy of a Project
Gutenberg™ work (any work on which the phrase “Project

Gutenberg” appears, or with which the phrase “Project
Gutenberg” is associated) is accessed, displayed, performed,
viewed, copied or distributed:
This eBook is for the use of anyone anywhere in
the United States and most other parts of the
world at no cost and with almost no restrictions
whatsoever. You may copy it, give it away or re-
use it under the terms of the Project Gutenberg
License included with this eBook or online at
www.gutenberg.org. If you are not located in the
United States, you will have to check the laws of
the country where you are located before using
this eBook.
1.E.2. If an individual Project Gutenberg™ electronic work is
derived from texts not protected by U.S. copyright law (does not
contain a notice indicating that it is posted with permission of
the copyright holder), the work can be copied and distributed to
anyone in the United States without paying any fees or charges.
If you are redistributing or providing access to a work with the
phrase “Project Gutenberg” associated with or appearing on the
work, you must comply either with the requirements of
paragraphs 1.E.1 through 1.E.7 or obtain permission for the use
of the work and the Project Gutenberg™ trademark as set forth
in paragraphs 1.E.8 or 1.E.9.
1.E.3. If an individual Project Gutenberg™ electronic work is
posted with the permission of the copyright holder, your use and
distribution must comply with both paragraphs 1.E.1 through
1.E.7 and any additional terms imposed by the copyright holder.
Additional terms will be linked to the Project Gutenberg™
License for all works posted with the permission of the copyright
holder found at the beginning of this work.

1.E.4. Do not unlink or detach or remove the full Project
Gutenberg™ License terms from this work, or any files
containing a part of this work or any other work associated with
Project Gutenberg™.
1.E.5. Do not copy, display, perform, distribute or redistribute
this electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1
with active links or immediate access to the full terms of the
Project Gutenberg™ License.
1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if
you provide access to or distribute copies of a Project
Gutenberg™ work in a format other than “Plain Vanilla ASCII” or
other format used in the official version posted on the official
Project Gutenberg™ website (www.gutenberg.org), you must,
at no additional cost, fee or expense to the user, provide a copy,
a means of exporting a copy, or a means of obtaining a copy
upon request, of the work in its original “Plain Vanilla ASCII” or
other form. Any alternate format must include the full Project
Gutenberg™ License as specified in paragraph 1.E.1.
1.E.7. Do not charge a fee for access to, viewing, displaying,
performing, copying or distributing any Project Gutenberg™
works unless you comply with paragraph 1.E.8 or 1.E.9.
1.E.8. You may charge a reasonable fee for copies of or
providing access to or distributing Project Gutenberg™
electronic works provided that:
• You pay a royalty fee of 20% of the gross profits you derive
from the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,

but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”
• You provide a full refund of any money paid by a user who
notifies you in writing (or by e-mail) within 30 days of receipt
that s/he does not agree to the terms of the full Project
Gutenberg™ License. You must require such a user to return or
destroy all copies of the works possessed in a physical medium
and discontinue all use of and all access to other copies of
Project Gutenberg™ works.
• You provide, in accordance with paragraph 1.F.3, a full refund of
any money paid for a work or a replacement copy, if a defect in
the electronic work is discovered and reported to you within 90
days of receipt of the work.
• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.
1.E.9. If you wish to charge a fee or distribute a Project
Gutenberg™ electronic work or group of works on different
terms than are set forth in this agreement, you must obtain
permission in writing from the Project Gutenberg Literary
Archive Foundation, the manager of the Project Gutenberg™
trademark. Contact the Foundation as set forth in Section 3
below.
1.F.

1.F.1. Project Gutenberg volunteers and employees expend
considerable effort to identify, do copyright research on,
transcribe and proofread works not protected by U.S. copyright
law in creating the Project Gutenberg™ collection. Despite these
efforts, Project Gutenberg™ electronic works, and the medium
on which they may be stored, may contain “Defects,” such as,
but not limited to, incomplete, inaccurate or corrupt data,
transcription errors, a copyright or other intellectual property
infringement, a defective or damaged disk or other medium, a
computer virus, or computer codes that damage or cannot be
read by your equipment.
1.F.2. LIMITED WARRANTY, DISCLAIMER OF DAMAGES - Except
for the “Right of Replacement or Refund” described in
paragraph 1.F.3, the Project Gutenberg Literary Archive
Foundation, the owner of the Project Gutenberg™ trademark,
and any other party distributing a Project Gutenberg™ electronic
work under this agreement, disclaim all liability to you for
damages, costs and expenses, including legal fees. YOU AGREE
THAT YOU HAVE NO REMEDIES FOR NEGLIGENCE, STRICT
LIABILITY, BREACH OF WARRANTY OR BREACH OF CONTRACT
EXCEPT THOSE PROVIDED IN PARAGRAPH 1.F.3. YOU AGREE
THAT THE FOUNDATION, THE TRADEMARK OWNER, AND ANY
DISTRIBUTOR UNDER THIS AGREEMENT WILL NOT BE LIABLE
TO YOU FOR ACTUAL, DIRECT, INDIRECT, CONSEQUENTIAL,
PUNITIVE OR INCIDENTAL DAMAGES EVEN IF YOU GIVE
NOTICE OF THE POSSIBILITY OF SUCH DAMAGE.
1.F.3. LIMITED RIGHT OF REPLACEMENT OR REFUND - If you
discover a defect in this electronic work within 90 days of
receiving it, you can receive a refund of the money (if any) you
paid for it by sending a written explanation to the person you
received the work from. If you received the work on a physical
medium, you must return the medium with your written
explanation. The person or entity that provided you with the
defective work may elect to provide a replacement copy in lieu

of a refund. If you received the work electronically, the person
or entity providing it to you may choose to give you a second
opportunity to receive the work electronically in lieu of a refund.
If the second copy is also defective, you may demand a refund
in writing without further opportunities to fix the problem.
1.F.4. Except for the limited right of replacement or refund set
forth in paragraph 1.F.3, this work is provided to you ‘AS-IS’,
WITH NO OTHER WARRANTIES OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR ANY PURPOSE.
1.F.5. Some states do not allow disclaimers of certain implied
warranties or the exclusion or limitation of certain types of
damages. If any disclaimer or limitation set forth in this
agreement violates the law of the state applicable to this
agreement, the agreement shall be interpreted to make the
maximum disclaimer or limitation permitted by the applicable
state law. The invalidity or unenforceability of any provision of
this agreement shall not void the remaining provisions.
1.F.6. INDEMNITY - You agree to indemnify and hold the
Foundation, the trademark owner, any agent or employee of the
Foundation, anyone providing copies of Project Gutenberg™
electronic works in accordance with this agreement, and any
volunteers associated with the production, promotion and
distribution of Project Gutenberg™ electronic works, harmless
from all liability, costs and expenses, including legal fees, that
arise directly or indirectly from any of the following which you
do or cause to occur: (a) distribution of this or any Project
Gutenberg™ work, (b) alteration, modification, or additions or
deletions to any Project Gutenberg™ work, and (c) any Defect
you cause.

Section 2. Information about the Mission
of Project Gutenberg™
Project Gutenberg™ is synonymous with the free distribution of
electronic works in formats readable by the widest variety of
computers including obsolete, old, middle-aged and new
computers. It exists because of the efforts of hundreds of
volunteers and donations from people in all walks of life.
Volunteers and financial support to provide volunteers with the
assistance they need are critical to reaching Project
Gutenberg™’s goals and ensuring that the Project Gutenberg™
collection will remain freely available for generations to come. In
2001, the Project Gutenberg Literary Archive Foundation was
created to provide a secure and permanent future for Project
Gutenberg™ and future generations. To learn more about the
Project Gutenberg Literary Archive Foundation and how your
efforts and donations can help, see Sections 3 and 4 and the
Foundation information page at www.gutenberg.org.
Section 3. Information about the Project
Gutenberg Literary Archive Foundation
The Project Gutenberg Literary Archive Foundation is a non-
profit 501(c)(3) educational corporation organized under the
laws of the state of Mississippi and granted tax exempt status
by the Internal Revenue Service. The Foundation’s EIN or
federal tax identification number is 64-6221541. Contributions
to the Project Gutenberg Literary Archive Foundation are tax
deductible to the full extent permitted by U.S. federal laws and
your state’s laws.
The Foundation’s business office is located at 809 North 1500
West, Salt Lake City, UT 84116, (801) 596-1887. Email contact

links and up to date contact information can be found at the
Foundation’s website and official page at
www.gutenberg.org/contact
Section 4. Information about Donations to
the Project Gutenberg Literary Archive
Foundation
Project Gutenberg™ depends upon and cannot survive without
widespread public support and donations to carry out its mission
of increasing the number of public domain and licensed works
that can be freely distributed in machine-readable form
accessible by the widest array of equipment including outdated
equipment. Many small donations ($1 to $5,000) are particularly
important to maintaining tax exempt status with the IRS.
The Foundation is committed to complying with the laws
regulating charities and charitable donations in all 50 states of
the United States. Compliance requirements are not uniform
and it takes a considerable effort, much paperwork and many
fees to meet and keep up with these requirements. We do not
solicit donations in locations where we have not received written
confirmation of compliance. To SEND DONATIONS or determine
the status of compliance for any particular state visit
www.gutenberg.org/donate.
While we cannot and do not solicit contributions from states
where we have not met the solicitation requirements, we know
of no prohibition against accepting unsolicited donations from
donors in such states who approach us with offers to donate.
International donations are gratefully accepted, but we cannot
make any statements concerning tax treatment of donations
received from outside the United States. U.S. laws alone swamp
our small staff.

Please check the Project Gutenberg web pages for current
donation methods and addresses. Donations are accepted in a
number of other ways including checks, online payments and
credit card donations. To donate, please visit:
www.gutenberg.org/donate.
Section 5. General Information About
Project Gutenberg™ electronic works
Professor Michael S. Hart was the originator of the Project
Gutenberg™ concept of a library of electronic works that could
be freely shared with anyone. For forty years, he produced and
distributed Project Gutenberg™ eBooks with only a loose
network of volunteer support.
Project Gutenberg™ eBooks are often created from several
printed editions, all of which are confirmed as not protected by
copyright in the U.S. unless a copyright notice is included. Thus,
we do not necessarily keep eBooks in compliance with any
particular paper edition.
Most people start at our website which has the main PG search
facility: www.gutenberg.org.
This website includes information about Project Gutenberg™,
including how to make donations to the Project Gutenberg
Literary Archive Foundation, how to help produce our new
eBooks, and how to subscribe to our email newsletter to hear
about new eBooks.

Welcome to our website – the perfect destination for book lovers and
knowledge seekers. We believe that every book holds a new world,
offering opportunities for learning, discovery, and personal growth.
That’s why we are dedicated to bringing you a diverse collection of
books, ranging from classic literature and specialized publications to
self-development guides and children's books.
More than just a book-buying platform, we strive to be a bridge
connecting you with timeless cultural and intellectual values. With an
elegant, user-friendly interface and a smart search system, you can
quickly find the books that best suit your interests. Additionally,
our special promotions and home delivery services help you save time
and fully enjoy the joy of reading.
Join us on a journey of knowledge exploration, passion nurturing, and
personal growth every day!
testbankfan.com

Accounting Information Systems Controls Processes 3rd Edition Turner Solutions Manual

More Related Content

Similar to Accounting Information Systems Controls Processes 3rd Edition Turner Solutions Manual (20)

Recently uploaded (20)

Accounting Information Systems Controls Processes 3rd Edition Turner Solutions Manual