Complete Guide To the CITP Body of Knowledge

Looking for tools to help you prepare for the CITP Exam?

The CITP self-study guide is an in-depth, comprehensive review of the fundamental dimensions of the CITP body of knowledge. It covers a range of updated concepts applicable to all accounting professionals who leverage information technology to manage financial information effectively. The guide covers five dimensions:

  • Dimension 1 Risk Assessment
  • Dimension 2 Fraud Considerations
  • Dimension 3 Internal Controls & Information Technology General Controls
  • Dimension 4 Evaluate, Test and Report
  • Dimension 5 Information Management and Business Intelligence

The review guide is designed not only to assist candidates in preparing for the CITP examination but also to enhance their knowledge base in today's marketplace.

Using the complete guide does not guarantee that the candidate will pass the CITP exam. This guide addresses most of the subjects on the CITP exam's content specification outline and is not meant to teach topics to the candidate for the first time. A significant amount of cooperating and independent reading will be necessary to prepare for the exam, regardless of whether the candidate completes the review course.

Tommie Singleton is the Marshall Scholar and Associate Professor of Accounting at the University of Alabama in Birmingham (UAB). He is also the Director of the Forensic Accounting Program at UAB. Prior to obtaining his Ph.D. in Accountancy from the University of Mississippi in 1995, Singleton was president of a small value-added dealer of accounting information systems using microcomputers for 11 years. His education and experience are a mix of information systems and accounting. He has published numerous articles and co-authored books on internal auditing, IT auditing, and fraud. He has made many presentations on the same subjects, including CPE seminars. Singleton teaches IT auditing, forensic accounting, and information systems courses at UAB.

Singleton is a member of the AICPA, ASCPA, ACFE, IIA, ISACA, AAA and other professional organizations related to audit and IT. Singleton was awarded the "1998-1999 Innovative User of Technology Award" by the Alabama Society of CPAs, was the president of the Birmingham Chapter of the ASCPA (2008-2009), and served on the ASCPA council (2009-2011). Singleton also served on the ASCPA Education Committee (1997-2008; chair 2004-2007). Singleton was appointed to the AICPA's Information Technology Executive Committee for 2008-2011.

Singleton serves as a scholar-in-residence for Carr Riggs & Ingram, a large regional public accounting firm. His duties involve forensic accounting, IT auditing, and service organization controls assurance.


1.0 INTRODUCTION

1.1 TYPES OF RISK ASSESSMENT

1.1.1 Risk Assessment Life Cycle Methodology

1.1.2 Enterprise Risk Assessment

1.1.3 Financial Statement Risk Assessment

1.1.4 IT Risk Assessment

1.1.5 Security Risk Assessment (audits)

1.2 UNDERSTANDING BUSINESS ENVIRONMENT AND BUSINESS PROCESSES

1.2.1 Executive Management Functions

1.2.2 Complexity of Business Entities

1.2.3 Automated Business Processes

1.3 AUDIT RISK MODEL FOR FINANCIAL REPORTING

1.3.1 Assessing Inherent Risk

1.3.2 Assessing Control Risk

1.3.3 Risk of Material Misstatement

1.4 DEVELOP A WALKTHROUGH PLAN

1.4.1 Determine Relevant Business Processes and Controls to Review

1.5 DRAFT RISK ASSESSMENT REPORT

1.5.1 Based on Evidence from Walkthroughs

1.5.2 Based on Other Applied Procedures

1.5.3 Usefulness of Best Practices

FRAUD CONSIDERATIONS

2.0 INTRODUCTION

2.1 DESCRIPTION & CHARACTERISTICS OF FRAUD

2.1.1 Definition of Fraud

2.1.2 Fraud Tree

2.1.3 Fraud Triangle

2.1.4 Scope of Fraud

2.1.5 Profile of the Executive Perpetrator

2.2 SAS No. 99 & ASSESSING RMM DUE TO FRAUD

2.2.1 The Importance of Exercising Professional Skepticism

2.2.2 Fraud Risk Factors

2.2.3 Behavioral Red Flags of Executive Fraudsters

2.2.4 Management Override of Controls

2.2.5 The SAS No. 99 Process – Assessing the RMM Due to Fraud

2.3 PREVENTION & DETERRENCE

2.4 DETECTION & INVESTIGATION

2.4.1 Use of IT Skills in Fraud Investigations

2.4.2 Use of IT in Fraud Investigations

2.4.3 Regulatory Standards

2.5 DIGITAL EVIDENCE

2.5.1 Legal Rules & Procedures

2.5.2 E-discovery Rules & Procedures

2.5.3 Federal & State Laws

INTERNAL CONTROL & INFORMATION TECHNOLOGY GENERAL CONTROLS

3.0 INTRODUCTION

3.1 INTERNAL CONTROLS

3.1.1 Understanding of Internal Controls

3.1.2 Management Considerations for Evaluating Internal Controls

3.2 IT GENERAL CONTROLS

3.2.1 Control Environment

3.2.2 Change Management

3.2.3 Logical Access

3.2.4 Backup & Recovery

3.2.5 Service Organizations

3.3 APPLICATION CONTROLS

3.4 INFORMATION SECURITY

3.4.1 Understanding IT Policies, Procedures, and Standards to Ensure Information/Data Security

3.4.2 Understanding Hardware and Physical Controls to Ensure Information/Data Security

3.4.3 Understanding Software and Other Process Controls to Ensure Information/Data Security

3.4.4 Understanding Concepts of Security Authorization and Authentication

3.4.5 Understanding Concepts of Encryption

3.5 PREPARING AN IT AUDIT PLAN

3.5.1 Scoping of the IT Audit or Review

EVALUATE, TEST, AND REPORT

4.0 INTRODUCTION

4.1 TYPES OF AUDIT & ASSURANCE SERVICES

4.1.1 Financial Statement Audit

4.1.2 Assurance Services for Service Organizations

4.1.3 Other IT Assurance Services and IT Reviews

4.2 AUDITING TECHNIQUES & PROCEDURES

4.2.1 Planning for Tests of Controls

4.2.2 Evidence Gathering

4.2.3 Sampling Considerations

4.2.4 Technical Tools and Techniques (CAATs)

4.3 ASSESSMENT OF CONTROLS

4.3.1 Deficiency Evaluation of IT-Related Controls

4.3.2 Materiality/Impact to the Entity

4.3.3 Assessment Reporting

4.4 INFORMATION ASSURANCE

4.4.1 Information Quality

4.4.2 Information Presentation

4.4.3 Information Timeliness

4.4.4 Information Auditability

INFORMATION MANAGEMENT & BUSINESS INTELLIGENCE

5.0 INTRODUCTION

5.1 INFORMATION MANAGEMENT

5.1.1 Information Lifecycle Management

5.1.2 Compliance

5.1.3 Information and Data Modeling

5.2 BUSINESS PROCESS IMPROVEMENT

5.2.1 Business Process Management

5.2.2 Systems Solution Management

5.2.3 Application Integration Management

5.3 DATA ANALYSIS & REPORTING TECHNIQUES

5.3.1 Infrastructure/Platforms Typically Employed

5.3.2 Data Preparation

5.3.3 Available Functions, Tools, and Approaches

5.3.4 Tool Selection Process

5.4 PERFORMANCE MANAGEMENT

5.4.1 Budget & Profitability Management

5.4.2 Performance Metrics and Reporting