Chapter 7 Before You Go Ons
Develop a general outline of what might be included in Section 3 of a SOC 1, Type 2 report.
Following is a general outline of what is included in Section 3 of a SOC 1, Type 2 report:
- A description of the control environment
- A description of risk assessment procedures
- A description of relevant processing and accounting services performed for user organizations
- A description of monitoring activities
- A list of specific control objectives; for each control objective, management may describe specific control activities designed to accomplish the control objective
What is the difference between an IT application control and an IT general control?
IT General Controls are designed to control the integrity of software applications. IT application controls are the fully automated controls that apply to processing of individual transactions. These controls are driven by the particular software application being used for different business processes to identify potential misstatements in assertions.
What is the impact on the extent of required substantive procedures if inherent risk is high and no assurance has been obtained from controls testing?
If inherent risk is high, and no assurance is obtained from control testing, the risk of material misstatement is high. Hence, detection risk should be low, and the auditor should do extensive substantive testing of the assertion at year end.
What information does the auditor need to include in the audit working papers when documenting the results of the controls testing?
Once controls have been tested, the auditors document their work in a working paper. Working paper documentation should include:
- the auditors' conclusion about control risk
- the basis for their conclusion (e.g., underlying evidence)
Why does the auditor always investigate control exceptions?
The auditor investigates exceptions to determine how significant the exceptions are. The auditor needs to determine if the exception is a deficiency in internal control, a significant deficiency, or a material weakness. The auditor evaluates this based on the likelihood of a misstatement and the materiality of a misstatement that may result from a breakdown in internal control.
What criteria might be used by the service auditor when evaluating management's assertion about its system of internal control?
The criteria used by the service auditor when auditing management's assertion include:
- Risks that threaten the achievement of the control objectives stated in the report have been identified by management of the service organization.
- The controls identified in the description, if operating effectively, would provide reasonable assurance that those risks would not prevent the control objectives from being achieved.
- The controls were consistently applied as designed, and manual controls were applied by people having appropriate competence and authority.
List the four sections of a SOC 1, Type 2 report.
The four sections of a SOC 1, Type 2 report are:
Section 1: The Independent Service Auditor's Report
Section 2: The Service Organization's Management's Assertion about Internal Controls Over Financial Reporting
Section 3: The Service Organization's Description of Internal Controls
Section 4: The Service Auditor's Tests of Controls and Findings
Give an example of the package of evidence that is needed to test an IT application control that matches every sales invoice to an underlying bill of lading to ensure that revenue is properly recognized.
The package of evidence that supports an IT application control usually involves:
- Submitting test data to see that the application control functioned as designed.
- Testing the effectiveness of manual follow-up procedures to determine that items flagged as possible misstatements are cleared on a timely basis.
- Testing IT general controls to ensure that the application functions effectively over time.
Which auditing standard sets the minimum level of documentation required in the working papers stored in the audit files?
The professional standards that address audit documentation are AU-C 230 Audit Documentation and AS 1215 Audit Documentation.
What is a compensating control? Develop an example of a compensating control.
A compensating control is a control that may still provide assurance about an assertion when the key control tested by the auditor is not effective. For example, when testing payroll the auditor determines that manual follow-up of exceptions noted by the computer is not timely or effective. However, a performance review exists in which department managers must approve the total payroll charged to their departments, and this control is effective. This would be an example of a compensating control.
Can the content ordinarily included in a management letter be delivered verbally to those charged with governance? Explain your answer.
AU-C 265 requires written communication of internal control deficiencies to those charged with governance of the entity. A management letter meets this requirement and avoids any ambiguity or confusion as to what observations, conclusions and recommendations the audit firm has made.
What level of internal control deficiencies are reported to management? Explain your reasoning. What level of internal control deficiencies are reported to those charged with governance of the entity? Explain your reasoning.
All deficiencies in internal control are communicated to management. However, material weaknesses and significant deficiencies are also communicated to those charged with governance of the entity as part of a management letter. Auditors of both public companies and private entities have a responsibility to report material weaknesses and significant deficiencies in internal control based on both PCAOB AS 2201 and AU-C 265.
Explain the concept of benchmarking. Why might it be appropriate not to test a key control that is an IT application control every year?
Benchmarking is based on the premise that a computer will continue to perform any given procedure in exactly the same way until such time as the program (or application) is changed. If the auditor can verify that a given program that executes an application control has not changed since last tested by the auditor, and IT general controls are strong, an auditor may decide not to repeat direct tests of the application control in a subsequent period.
Do auditors always communicate internal controls deficiencies to those charged with governance? Explain your answer.
The purpose of the management letter is to meet the auditor's responsibility for communicating internal control matters in writing on a timely basis with those charged with governance and to inform those charged with governance of the auditor's recommendations for improving the entity's internal controls. Significant professional judgment is necessary in deciding whether a weakness identified is significant enough to warrant communicating to management and those charged with governance. When the auditor identifies risks of material misstatement that the entity has not controlled (or has not adequately controlled), or if in the auditor's judgment there is a material weakness in the entity's design or implementation of internal control, the auditor is required to communicate these weaknesses as soon as practicable to those charged with governance.
Name five factors to consider when deciding the extent of tests of controls to be performed. Give an example of how each factor would result in an increased sample size.
Holding other factors constant, the following five factors influence sample size for a test of controls.
1. Tolerable deviation rate: if the auditor can only tolerate a smaller deviation rate (e.g., 5% vs. 10%), this will cause larger sample sizes.
2. Desired level of assurance that the tolerable deviation rate is not exceeded by the actual rate of deviation in the population: as the auditor wants higher levels of assurance from the audit evidence, sample size will increase.
3. Expected rate of deviation in the population to be tested: when the expected deviation rate is close to the tolerable rate (e.g., 2% expected deviation rate and 3% tolerable deviation rate), sample size will increase.
4. Number of sampling units in the population when the population is small (less than 5,000): a larger population size results in a larger sample size.
5. Number of sampling units in the population when the population is large (greater than 5,000): population size has no effect on sample size.
Identify five key items the user auditor should look for in a SOC 1, Type 2 report.
When reading a SOC 1, Type 2 Service Auditor's Report, the user auditor should look for:
- What is the period covered by the service auditor's report?
- Are there any scope limitations, such as the discussion of complementary user controls, or other controls that are outside the scope of the auditor's report?
- Based on management's description of the system of internal control, have there been any significant changes in the system of internal control since the last SOC 1, Type 2 report?
- Has the service auditor concluded that the firm believes that the evidence it obtained was sufficient and appropriate to provide reasonable assurance for its opinion?
- Has the auditor expressed an unqualified opinion?
Why does the auditor update the interim evaluation of controls at year-end?
When the auditor concludes that control risk is low at an interim date, the auditor also needs to update that conclusion through to the year-end date. When updating a control risk conclusion, the auditor should update the evaluation by identifying changes, if any, in the control environment and in the controls themselves. If changes are identified, consideration should be given to the effect of such changes on the auditor's evaluation of the controls. When the auditor decides to rely on a controls strategy, tests of controls are often performed at an interim date (often about three months prior to year-end). If tests of controls demonstrate that internal controls are strong and function effectively at an interim date, the auditor still must test the remaining period to ensure that controls functioned effectively throughout the entire year.
What does the auditor do when he or she identifies control exceptions? Develop an example of an internal control exception.
If the auditor determines that an effective compensating control does not exist, or tests of controls show that the compensating control is not functioning as designed, the auditor revises the overall audit risk assessment for the related account and assertion and revises the planned audit strategy. If the tests of controls indicate that a detect control related to the occurrence of sales did not function as prescribed, and compensating controls are not available or were not effective, the auditor should revise his or her audit risk assessment (increase control risk), reduce or eliminate the intended reliance on the control, and reduce detection risk by designing more extensive substantive audit procedures related to the occurrence of revenues and the existence of accounts receivable. As an example of an exception, suppose the auditor tested a control that compared every sales bill of lading with each sales invoice to ensure that all sales were recorded, but exceptions were noted, so the control did not function as planned. However, the auditor later determined that an independent client employee reconciled total shipments with total billings on a daily basis, and this compensating control would have identified any unrecorded transactions. If the compensating control is tested and functions effectively, the auditor will rely on the compensating control and proceed with a reliance strategy.
What internal control deficiencies are communicated in an auditor's report on ICFR?
If the auditor is engaged to perform an integrated audit and issues opinions on both the financial statements and on ICFR, the determination that a control deficiency is a material weakness (a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected or corrected, on a timely basis) will result in the auditor issuing an adverse opinion on the company's ICFR. Hence, material weaknesses are communicated in the auditor's report on ICFR. However, if the auditor determines that either a significant deficiency (a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance) or a control deficiency exists, the auditor will issue an unqualified opinion on ICFR. As a result, control deficiencies and significant deficiencies are not communicated in the auditor's report on ICFR.
When would an auditor most likely perform observation and inquiry procedures on a control?
Inquiry and observation are probably most appropriate for observing segregation of duties. Some controls, such as segregation of duties, may or may not provide physical evidence, in which case the auditor must rely on observation and inquiry.
What are the different types of controls?
Internal controls can be classified into entity-level controls and transaction-level controls. Controls can also be classified into preventive controls and detective controls.
Which type of control, preventive or detective, is usually a more effective control type to test? Explain your answer.
It is often more effective to test detect controls. If a prevent control fails, an effective detect control should still identify misstatements and correct them on a timely basis.
Explain the audit strategy for testing IT application controls. Why is a sample size of 2 sufficient for testing an IT application control? What other tests allow the auditor to use this smaller sample size?
When the auditor decides to rely on IT application controls, the auditor must use a more complex testing strategy. The auditor can often test a key decision point in a computer program with a sample size of two. For example, if the auditor is testing an IT application control that notes an exception for an employee who is not on the master payroll file, the auditor can test the computer program with auditor-controlled test data. Recognizing that IT application controls operate in a systematic manner, the auditor will submit one transaction where an employee is on the master payroll file and the computer should process the transaction, and then the auditor submits a second transaction where an employee is not on the master payroll file and the transaction should be rejected. This is sufficient to determine that the IT application control was functioning when it was tested. Then the auditor needs to test computer general controls to gain assurance that the computer program functions effectively over time. Also, the auditor needs to test the manual follow-up procedures to ensure that items flagged by the computer are cleared on a timely basis. The auditor uses smaller sample sizes when the auditor expects no deviations from the prescribed control procedures.
Why should communications with those charged with governance be done in writing?
Written communications with those charged with governance provide a simple way for the auditor to document the issues that are important to discuss with those charged with governance. Discussing internal control deficiencies with management and those charged with governance also gives the auditor valuable insight into management's attitude towards the importance of internal controls, since at the start of each audit the auditor can evaluate what management has done in response to the recommendations made in the previous year.