ISACA ITAF (Appendix C: Terms & Definitions) Flashcards

1
Q

Assurance Engagement vs. Audit Engagement

A

Assurance engagement: An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the enterprise.

Examples may include financial, performance, compliance and system security engagements.

Audit engagement: A specific audit assignment, task or review activity, such as an audit, control self-assessment review, fraud examination or consultancy.

An audit engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.

2
Q

3 Types of Opinions

A

Unqualified opinion: Notes no exceptions or none of the exceptions noted aggregate to a significant deficiency.

Qualified opinion: Notes exceptions aggregated to a significant deficiency (but not a material weakness).

Adverse opinion: Notes one or more significant deficiencies aggregating to a material weakness.

3
Q

Irregularity

A

Violation of an established management policy or regulatory requirement.

It may consist of deliberate misstatements or omission of information concerning the area under audit or the enterprise as a whole, gross negligence or unintentional illegal acts.

4
Q

Integrity

A

The guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

5
Q

Material Weakness vs. Significant Deficiency

A

Material weakness: A deficiency or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. Weakness in control is considered ‘material’ if the absence of the control results in failure to provide reasonable assurance that the control objective will be met.

A weakness classified as material implies that:
• Controls are not in place and/or controls are not in use and/or controls are inadequate
• Escalation is warranted

Note: There is an inverse relationship between materiality and the level of audit risk acceptable to the IS audit or assurance professional, i.e., the higher the materiality level, the lower the acceptability of the audit risk, and vice versa.

Note: A material weakness is a significant deficiency or a combination of significant deficiencies that results in more than a remote likelihood of an undesirable event(s) not being prevented or detected.

Note: Disclosed in the company’s financial statements, and reported to company management and the Audit Committee.

  • IF EXECUTIVE MANAGEMENT (I.E. CEO) COMMITTED FRAUD, IT’S AUTOMATICALLY A MATERIAL WEAKNESS.

Significant deficiency: A deficiency or a combination of deficiencies, in internal control, that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight.

  • Both are types of control deficiencies.
  • Determining whether to classify a control deficiency as a significant deficiency vs. material weakness requires some professional judgement.
6
Q

Materiality & “Tolerable Error”

A

An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited.

An expression of the relative significance or importance of a particular matter in the context of the enterprise as a whole.

IMPORTANT: Relevant to SUBSTANTIVE testing:

  • For substantive tests, the “Tolerable Error” is related to a professional’s judgement about materiality.
  • However, this is not relevant to COMPLIANCE testing, where the “Tolerable Error” is the maximum rate of deviation from a prescribed control procedure that is acceptable.

“Ingredients of Materiality” include 2 things:

(1) Benchmark: the key number used to compute materiality - i.e. total revenue, total assets, net income, etc. (depends on what the intended users of the financial statements normally focus on).
(2) Percentage: % of benchmark applied to overall materiality (the benchmark). Requires judgement and is sometimes based on the benchmark (i.e. maybe 1% for net income; 5% for total revenue, etc.).
- The above “ingredients” get you to “Overall Financial Statement Materiality” - but there’s another component - “Performance Materiality”.

  • This also helps determine what areas to audit (i.e. if Prepaid Assets are only worth $20,000, they’re not material, but Accounts Receivable i.e. $2 million, would be material and therefore an area included in the audit).

Performance Materiality: Materiality used at the transaction/account balance level. Applied when assessing risk at the assertion level (i.e. cash, debt, receivables, etc.)

  • Here, you’re bringing down the Overall Materiality (i.e. if it’s $100,000 then Performance Materiality may be $75,000). This is the threshold you’ll use at the assertion-level (i.e. transaction/account balance level) during walkthroughs and testing.
  • Again, this requires some judgement.
  • You do this because of “Aggregate Risk” - if we used $100,000 as the materiality level for each assertion, you may be allowing misstatements to occur because errors at each assertion level can aggregate to exceed the $100,000 Overall Materiality threshold.

HIGHER RISK = LOWER PERFORMANCE MATERIALITY

7
Q

“Other Expert”

A

Internal or external to an enterprise.

“Other Expert” could refer to:
• An IT auditor from an external firm
• A management consultant
• An expert in the area of the engagement who has been appointed by top management or by the team

8
Q

Professional Competency

A

Proven level of ability.

Often linked to qualifications issued by relevant professional bodies and compliance with their codes of practice and standards.

9
Q

Reasonable Assurance

A

A level of comfort short of a guarantee, but considered adequate given the costs of the control and the likely benefits achieved.

10
Q

Subject Matter

A

The specific information subject to an IS auditor’s report and related procedures, which can include things such as the design or operation of internal controls and compliance with privacy practices or standards or specified laws and regulations (area of activity).

11
Q

Substantive Testing

A

Obtaining audit evidence on the (1) completeness, (2) accuracy or (3) existence of activities or transactions during the audit period.

12
Q

“Sufficiency” in evidence/information

A

Sufficient evidence: The measure of the quantity of audit evidence; supports all material questions to the audit objective and scope.

Sufficient information: Information is sufficient when evaluators have gathered enough of it to form a reasonable conclusion. For information to be sufficient, however, it must first be suitable.

Sufficiency is all about the AMOUNT/QUANTITY OF EVIDENCE/INFORMATION NEEDED TO SUPPORT OBJECTIVES/CONCLUSIONS.
