D215 - Unit 7
Explain each of the four steps commonly involved with a transaction, from start to finish. Provide an example in the context of selling goods to a customer
1. Authorization. Normally a transaction is authorized at the start of a transaction stream, like a product is ordered and a sales order is initiated. 2. Executing the transaction involves filling the order so title passes to a good. In the sales process, normally title passes when goods authorized in step 1 above are shipped. 3. Recording the transaction means transactions are recorded after title passes for goods, using an accrual basis. In the sales process, the transaction is recorded with a sales invoice. 4. Consideration occurs when a transaction is completed (a good is shipped) and consideration (usually cash or electronic transfer of funds) is received. A sales transaction is completed when cash is received from a customer.
Explain five different techniques for testing controls and provide an example for each
1. Inquiry involves the auditor using questioning skills to determine how the control is completed and whether it appears to have been carried out properly and on a timely basis. An auditor might ask questions of employees regarding exceptions on follow-up reports to determine if items on the exception report are addressed by the correct level of management and they are cleared in a timely manner. 2. Observation involves the auditor observing the actual control being performed. An auditor may observe monthly variance reports by management and the process management takes to resolve the issues on the variance report. 3. Inspection of physical evidence involves testing the physical evidence to verify the control has been performed properly. For example, the auditor may inspect initials and dates on a bank reconciliation, or trace certain amounts on the bank reconciliation to accounting records or to other documents (for example, a bank statement) to gain evidence that the procedures were properly performed. 4. Reperformance involves the auditor reperforming the control to test its effectiveness. The auditor may test the effectiveness of manual follow-up by reperforming the follow-up procedures to see that items put on an exception report were appropriately cleared. If an auditor is reperforming a bank reconciliation, the auditor would gather checks and a blank bank statement for a period of time (a month) and actually redo what the client did, and then following up on any discrepancies found. 5. Software-based audit techniques usually involves an auditor submitting test data (not actual client data) to the computer program while the program is under the auditor's control. The purpose of this is to verify that the computer program is functioning as designed. The test data might include data to appropriately process a transaction and appropriately reject a transaction.
Explain each of the seven steps associated with assessing control risk.
1. Understand Entity-Level Controls: At this stage the auditor conducts interviews throughout the organization to understand the strength of entity level controls and to identify weaknesses at the entity level. The auditor also want to understand if weaknesses are so pervasive to offset strengths at a transaction level. 2. Understand the Flow of Transactions: The auditor performs a system walkthrough to understand the flow of transactions and identify potential strengths and weaknesses at the transaction level. 3. Identify What Can Go Wrong (WCGW): The auditor uses his or her understanding of assertions to identify what can go wrong at the transaction level. 4. Identify Relevant Controls to Test: Given the auditor's understanding of entity level and transaction level controls, the auditor should identify key controls for each assertion. 5. Determine Preliminary Audit Strategy: When internal control strengths are present at the assertion level the auditor may want to follow a reliance strategy: If internal control strengths are not present at the assertion level the auditor will follow a primarily substantive approach. The auditor may have different strategies for different assertions for the same transaction class. 6. Perform Tests of Controls: The auditor should test controls where the auditor plans a reliance strategy. 7. Evaluate Evidence and Assess Control Risk: The auditor evaluates the evidence obtained from tests of controls. If evidence shows that controls are strong the auditor should document finding and proceed with a reliance strategy. If control tests do not support a finding of strong controls, the auditor might identify compensating controls and test those controls. If control testing does not support the preliminary audit strategy, the auditor should revise his or her audit strategy.
What is a compensating control? Develop an example of a compensating control.
A compensating control is a control that may control an assertion, when the key control tested by the auditor is not effective. For example, when testing payroll the auditor determines that manual follow-up of exceptions noted by the computer is not timely or effective. However, a performance review exists where department manager must approve the total payroll charged to their departments, and this control is effective. This would be an example of a compensating control.
An auditor is testing controls over accounts payable. During the testing, the auditor is matching client purchase orders, receiving documents, and vendor invoices. The tests show that there are a few instances in which the matching of purchase orders, receiving documents, and invoices did not occur. After a full analysis is conducted, it is determined that these payments result in a material misstatement to the overall fi nancial statements. Which type of opinion should be issued on the ICFR?
Adverse An adverse opinion on the ICFR is issued for a material weakness in controls.
What level of internal control deficiencies are reported to management? Explain your reasoning. What level of internal control deficiencies are reported to those charged with governance of the entity? Explain your reasoning.
All deficiencies in internal control are communicated to management. However, material weaknesses and significant deficiencies are also communicated to those charged with governance of the entity as part of a management letter. Auditors of both public companies and private entities have a responsibility to report material weaknesses and significant deficiencies in internal control based on both PCAOB AS 2201 and AU-C 265.
Which type of detective control includes automatic reports to identify whether transactions are within client limits?
Application with manual follow-up This includes automatic reports to identify whether transactions are within limits and are supplemented with a manual follow-up
Which audit technique should be used to determine the extent of review needed to determine aninternal control's effectiveness?
Attribute sampling Attribute sampling is a technique used to reach a conclusion about a population in terms of a frequency of occurrence, where the control measure is either met or not.
Explain the concept of benchmarking. Why might it be appropriate not to test a key control that is an IT application control every year?
Benchmarking is based on the premise that a computer will continue to perform any given procedure in exactly the same way until such time as the program (or application) is changed. If the auditor can verify that a given program that executes an application control has not changed since last tested by the auditor, and IT general controls are strong, an auditor may decide not to repeat direct tests of the application control in a subsequent period.
An auditor is tasked with evaluating tests of controls of sales of a private manufacturing company. During testing, a sample of 100 customer orders is compared to shipping documentation and sales invoices. As a result of testing, it is determined that a significant amount of customer orders did not result in a sales invoice. After further analysis, it is determined that internal controls over the sales process are not working as planned, and sales are materially misstated on the financial statements. Who should the auditor notify in response to this situation?
Company management The auditor has a responsibility to inform those in charge of the company if a material misstatement is identified.
Which component must an auditor document in a working paper at the conclusion of an ICFR audit?
Controls selected for testing One of the requirements of the working paper is to document controls selected for testing.
An auditor tests a control comparing each vendor invoice to a matching receiving report, noting two exceptions that are immaterial and insignifi cant. A receiving employee maintains a log of all items received along with its bill of lading in case a receiving report is missed during printing. How should the auditor respond to this information?
Determine if a compensating control exists The receiving employee's log containing the bills of lading provides a compensating control to the receiving reports.
Which type of relationship exists between the assurance level of internal controls and the size ofthe sample for testing?
Direct relationship The more assurance an auditor wants, the more representative a sample should be of the population.
Which business function allows an auditor to reduce the testing of transaction-level controls?
Effective monitoring controls The auditor can use the assurance of effective monitoring activities to lower testing.
Which rate should be used when an auditor anticipates fi nding internal controls that do not function as planned in the population tested?
Expected rate of deviation The expected rate of deviation is the expected rate at which the auditor expects controls are not functioning as designed.
Identify the types of evidence that can be used to support a test of controls.
Five key procedures are used for testing controls: inquiry (questions are asked regarding the operation of the control), observation (the operation of the control is observed as occurring), inspection (of physical evidence resulting from the performance of the control), reperformance (when the auditor reperforms the control to test its effectiveness), and software-assisted audit techniques (when the auditor uses software to test automated controls).
Heather is the audit manager for Berry & Heider Auditing Firm. Berry & Heider is planning an audit of Sparkit's fi nancial statements. What is Heather's fi rst step in determining which controls to test?
Heather should start by understanding the entity and the business, and by determining the risk of material fraud or error at the fi nancial statement level. Heather must fi rst by gain an understanding of the entity and the business todetermine the risk of material fraud or error at the fi nancial statement level.
What is the impact on the extent of required substantive testing if inherent risk is high and no assurance has been obtained from controls testing?
If inherent risk is high, and no assurance is obtained from control testing, the risk of material misstatement is high. Hence, detection risk should be low, and the auditor should do extensive substantive testing of the assertion at year end.
What steps should an auditor take if the auditor determines that a key control is not operating effectively?
If the auditor determines that a control is not functioning as designed, the auditor should: 1. Look for a compensating control 2. Test the compensating controls as appropriate 3. If the compensating control is effective, proceed with the planned audit strategy. 4. If a strong control is not identified for an assertion the auditor should decrease the level of assessed detection risk and 5. make appropriate changes to the nature, timing and extent of substantive tests related to an assertion.
What does the auditor do when he or she identifies control exceptions? Develop an example of an internal control exception.
If the auditor determines that an effective compensating control does not exist, or tests of controls show that the compensating control is not functioning as designed, the auditor revises the overall audit risk assessment for the related account and assertion, and revises the planned audit strategy. If the tests of controls indicate that a detect control related to the occurrence of sales did not function as prescribed and compensating controls are not available or were not effective, the auditor should revise his or her audit risk assessment (increase control risk), reduce or eliminate the intended reliance on the control, and reduce detection risk by designing more extensive substantive audit procedures related to the occurrence of revenues and the existence of accounts receivable. If the auditor tested a control that compared every sales bill of lading with each sales invoice to ensure that all sales were recorded, but exceptions were noted— the control did not function as planned. However, the auditor later determined that an independent client employee reconciled total shipments with total billings on a daily basis, and this compensating control would have identified any unrecorded transactions. If the compensating control is tested and function effectively, the auditor will rely on the compensating control and proceed with a reliance strategy.
What internal control deficiencies are communicated in an auditor's report on ICFR?
If the auditor is engaged to perform an integrated audit and issues opinions on both the financial statements and on ICFR, the determination that a control deficiency is a material weakness (a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected or corrected, on a timely basis) will result in the auditor issuing an adverse opinion on the company's ICFR. Hence, material weaknesses are communicated in the auditor's report on ICFR. However, if the auditor determines that either a significant deficiency (a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance) or a control deficiency exists, the auditor will issue an unqualified opinion on ICFR. As a result, control deficiencies and significant deficiencies are not communicated in the auditor's report on ICFR
When would an auditor most likely perform observation and inquiry procedures on a control?
Inquiry and observation are probably most appropriate for observing segregation of duties. Some controls, such as segregation of duties, may or may not provide physical evidence, in which case the auditor must rely on observation and inquiry.
An auditor is going to test the client's controls over bank reconciliations. The auditor will perform which of the following audit procedures for this test of controls?
Inquiry of the person performing the bank reconciliation and reperformance of the bank reconciliation procedure.
Which type of controls are intended to stop fraud from occurring?
Preventive Preventive controls are intended to keep fraud from occurring.
John is preparing for an integrated audit of Utilhill, Inc. John will need to issue an opinion on the financial statements and on the internal controls over financial reporting (ICFR). Which of the following is correct in relation to the approach John should use and the report John should write?
John should use a top-down approach to determine which controls to test. When performing an integrated audit (to issue an opinion on the financial statements and an opinion on ICFR), the auditor uses a top-down approach to determine which controls to select.
Which type of control includes a comparison of budgeted versus actual expenses?
Management-level analysis This is the comparison of actual versus budgeted expenses.
Based on prior experience, Jason and his auditing team, from Auditors of Dallas, are auditing the accounts payable controls of Devy Aeronautics. Devy processes 50,000 invoices annually. The expected deviation rate is 3%. The tolerable deviation rate is 15%. Due to the difference between the tolerable deviation rate and the expected deviation rate, Jason is planning a large sample size because the statistical variance is low. Is Jason correct regarding his test of controls?
No, because the greater the variance between the expected and tolerable deviation rates, Jason should use a smaller sample size.
Which testing method involves an auditor watching an employee perform a control?
Observation Observing is when the auditor watches an employee perform a test.
What information does the auditor need to include in the audit working papers when documenting the results of the controls testing?
Once controls have been tested, the auditors document their work in a working paper. Working paper documentation should include: the auditors' conclusion about control risk the basis for their conclusion (e.g., underlying evidence)
An auditor might commonly identify multiple controls related to an assertion. What factors should an auditor consider when determining which control(s) should be tested during the audit?
Once the auditor determines WCGW, the auditor looks for internal controls to prevent misstatements from happening or what control will detect and correct misstatements on a timely basis. Determining multiple controls for an assertion presents a challenge for the auditor, as it is inefficient to test every control. Only key controls important to the auditor's conclusion about whether the entity's controls sufficiently address the assessed risk of misstatement should be tested.
An auditor is tasked with assessing a client's system of internal controls. The client is a distribution company that processes customers' purchase orders in one warehouse. Once the purchase order is fulfi lled, the inventory orders are placed on a truck for shipment, and a sales invoice is prepared. During the year, the client recorded $40 million in sales. In order to ensure that sales are recorded accurately in the fi nancial statements, an auditor compares a list of sales invoices for the month to the sales journal. No exceptions are noted during the control testing. How should the auditor respond to the results of this test of controls?
Planned substantive procedures should continue as planned.
An auditor is assessing the control risk of a new client. Which final procedure should be performed by the auditor?
Report internal control weaknesses to those in charge of governance The last step in assessing the control risk of a new client is reporting internal control weaknesses to those in charge of governance.
A company works in a rapidly growing industry where many companies quickly fail and competition is very high. The auditor is concerned there is a high risk of material misstatement for management's assertions regarding uncollectible accounts. There are multiple interrelated controls for both accounts receivable and uncollectible accounts. Which strategy should the auditor use to make assertion testing as effi cient as possible?
Test key controls over the assertion The assertion should be tested in order to identify error or fraud. Identifying key controls in the process is how testing is more effi ciently conducted.
An auditor is conducting a test of controls for a private company. At the conclusion of the audit engagement, the auditor is preparing a working paper to document the results related to controls testing. The auditor is trying to determine what must be documented in the working paper at the conclusion of the audit. What must the auditor document?
Tests performed One of the requirements of the working paper is to document the tests performed.
Why does the auditor always investigate control exceptions?
The auditor investigates exceptions to determine how significant the exceptions are. The auditor needs to determine if the exception is a deficiency in internal control, a significant deficiency, or a material weakness. The auditor evaluate this based on the likelihood of a misstatement and the materiality of a misstatement that may result from a breakdown in internal control.
Give an example of the package of evidence that is needed to test an IT application control that matches every sales invoice to an underlying bill of lading to ensure that revenue is properly recognized
The package of evidence that support an IT application control usually involves: Submitting test data to see that the application control functioned as designed. Testing the effectiveness of manual follow-up procedures to determine that items flagged as possible misstatements are cleared on a timely basis. Testing IT general controls to ensure that the application functions effectively over time.
Which auditing standard sets the minimum level of documentation required in the working papers stored in the audit files?
The professional standard that address audit documentation are AU-C 230 Audit Documentation and AS 1215 Audit Documentation.
Document the results of tests of controls.
The purpose of the tests of controls, selection of controls to test, results of the controls testing performed, and conclusion regarding the design and implementation of the controls are all documented in a working paper. This working paper is then reviewed by a more experienced auditor to determine if sufficient work was performed and if the appropriate conclusion was reached. Ultimately, the results of tests of controls should influence the auditor's audit strategy. If the controls are effective, the auditor may continue with a reliance on controls approach. If controls are ineffective, the auditor must decide how to modify the nature, timing, and extent of substantive tests.
Determine how to design tests of controls.
The selection of which controls to test is a matter of professional judgment. Illustration 7.5 provides a list of factors that influence the auditor's decision about which controls to test. The extent of testing of controls (that is, how many to test) is also a matter of professional judgment, although sampling techniques are available. Illustration 7.6 explains the factors that influence sample size for a test of controls and Illustration 7.8 provides an example of how sample size is influenced by the frequency at which the control is performed during the year (e.g., some controls may function only monthly or quarterly). Auditors usually perform tests of controls at an interim date, and then they update their conclusions at year-end to ensure that the controls continued to function as designed during the remainder of the year. In some cases, the auditor may be able to use a benchmarking technique to test use of software applications from prior years, if the auditor is able to obtain evidence that the software application has not changed.
Describe the steps in assessing control risk.
The seven steps involved in assessing control risk are (1) understand entity-level controls, (2) understand the flow of documents through the system for each transaction cycle, (3) identify what can go wrong (WCGW), (4) identify relevant controls to test, (5) perform tests of controls, (6) evaluate evidence and assess control risk, and (7) report findings to those charged with governance and, if relevant, in a report on ICFR.
An auditor is tasked with evaluating the internal controls associated with the receipt of inventory into the main warehouse of the client. One of the established controls is that the employee receiving inventory from vendor shipments needs to sign the receiving report. The auditor selects20 receiving reports for internal control testing, and 3 out of the 20 reports are missing signatures. Which compensating control should an auditor consider in this situation?
The warehouse supervisor should independently count each shipment before items are placed in storage. This is a control that could compensate for defi ciencies in the control that receiving report needs to signed by the employee who is receiving the inventory.
Identify the different types of controls that an auditor might encounter.
There are two primary types of controls, manual and automated. Types of automated, or IT, controls include IT general controls (ITGCs), IT application controls, and ITdependent manual controls. Each of these types can be described as either a preventive control or a detective control. Preventive controls, as the name suggests, prevent errors from occurring. Detective controls detect the error after it has occurred and rectify the error on a timely basis
A staff auditor is on a new client engagement and requests to performs a walk-through of various controls in place to gain an understanding of the control environment. The auditor discovers thatin order for a payment to be processed, the staff accountant must fi rst match the invoice to the purchase order as well as to the receiving report. If all three reports are in agreement, the invoice is approved for payment. The auditor also learns that every month, the controller will print off a list of all payments made in the month and review for unusual transactions as well as suspicious vendors. What is the purpose of control being performed by the controller?
To identify fraud after it takes place Detective controls are used to identify and correct fraud after it takes place.
An auditor is planning a test of internal controls and is using a planned control risk. The auditor must not move beyond the permitted maximum rate of deviation from a prescribed control during the process. What is the maximum rate of deviation that should be accepted?
Tolerable deviation rate This rate is the maximum rate of deviation where the auditor will still use the planned control risk.
An auditor is reviewing purchase orders during tests of internal controls to provide reasonable assurance that material weaknesses do not exist. Which level of testing is being used by this auditor?
Transaction Error or fraud related to signifi cant accounts is likely a material misstatement and is performed at the transaction level.
How do auditors identify WCGW in the flow of transactions?
When an auditor understands the flow of transactions in a business, their knowledge of assertions is used to determine WCGW with each assertion, relevant to the various transaction classes.
Name five factors to consider when deciding the extent of tests of controls to be performed. Give an example of how each factor would result in an increased sample size.
When holding other factors constant, the following discussion explains five factors that influence sample size for a test of controls. 1. Tolerable deviation rate: if the auditor can only tolerate smaller deviation rates (e.g., 5% vs. 10%) this will cause large sample sizes. 2. Desired level of assurance that the tolerable deviation rate is not exceeded by the actual rate of deviation in the population: as the auditor want high levels of assurance from the audit evidence sample size will increase. 3. Expected rate of deviation in the population to be tested: When the expected deviation rate is close to the tolerable rate (2% expected deviation rate and 3% tolerable deviation rate) sample size will increase. 4. Number of sampling units in the population when the population is small (less than 5,000): larger population size result in larger sample sizes. 5. Number of sampling units in the population when the population is large (greater than 5,000): population size has not effect on sample sizes
Evaluate the results of tests of controls
When performing tests of controls the auditor must determine in each instance whether the control did or did not function as designed. If tests of controls reveal exceptions (the control did not function as designed), the auditor should consider whether compensating controls exist, and whether the compensating control is likely to be effective. If control exceptions are found, they should be classified as control deficiencies, significant deficiencies, or material weaknesses. Illustration 7.12 summarizes how these classifications affect the auditor's decisions about what should be reported to those charged with governance of the entity, and what should be reported in the auditor's report on ICFR
Why does the auditor update the interim evaluation of controls at year-end?
When the auditor concludes that control risk is low at an interim date, the auditor also needs to update that conclusion through to the year-end date. When updating a control risk conclusion, the auditor should update the evaluation by identifying changes, if any, in the control environment and in the controls themselves. If changes are identified, consideration should be given to the effect of such changes on their evaluation of the controls. When the auditor decides to rely on a controls strategy, tests of controls are often performed at an interim date (often about three months prior to year-end). If tests of controls demonstrate that internal controls are strong and function effectively at an interim date, the auditor still must test the remaining period to ensure that controls functioned effectively throughout the entire year.
Explain the audit strategy for testing IT application controls. Why is a sample size of two sufficient for testing an IT application control? What other tests allow the auditor to use this smaller sample size?
When the auditor decides to rely on IT application controls, the auditor must use a more complex testing strategy. The auditor can often test a key decision point in a computer program with a sample size of two. For example, if the auditor is testing an IT application control that notes an exception of an employee who is not on the master payroll file, the auditor can test the computer program with auditor controlled test data. Recognizing that IT application controls operate in a systematic manner, the auditor will submit one transaction where an employee is on the master payroll file and the computer should process the transaction, and then the auditor submits a second transaction where an employee is not on the master payroll file and the transaction should be rejected. This is sufficient to determine that the IT application control was functioning when it was tested. Then the auditor needs to test computer general control to gain assurance that the computer program functions effectively over time. Also, the auditor needs to test the manual follow-up procedures to ensure that items flagged by the computer are cleared on a timely basis. The auditor uses smaller sample sizes when the auditor expects no deviations from the prescribed control procedures.
During your audit of Paradigm Toys, your test of a control over revenue recognition shows that the control is ineffective. Explain what you should do next.
You should consider whether there is a compensating control that might detect and correct a misstatement missed by the original control being tested. If the test results do not confi rm the preliminary evaluation of controls, the auditor will consider whether there is a compensating control that might detect andcorrect a misstatement missed by the original control being tested.
When performing tests of controls, the auditor is making _______.
a "yes or no" decision with respect to effectiveness When performing tests of controls, the auditor is making a "yes or no" decisionwith respect to effectiveness.
Entity-level controls involve _______.
all five components of internal controls Entity-level controls involve all five components of internal controls
The software application compares all sales invoices with underlying shipping information on thebills of lading and packing slips with sales invoices. If differences are revealed, a report isgenerated for review and follow-up by the billing supervisor. This is an example of a(n):
detective control. This is an example of a detective control.
Working papers:
document the auditor's conclusion about control risk and the basis for that conclusion. Working papers document the auditor's conclusion and basis for the conclusion.
If tests of controls indicate that a key control is not functioning as designed, and if other compensating controls do not exist, the auditor should _______.
increase the assessed level of control risk, decrease the level of assessed detection risk and make appropriate changes to the nature, timing and extent of substantive tests related to the assertion. The auditor should increase the assessed level of control risk, decrease the level of assessed detection risk and make changes to the nature, timing, and extent ofsubstantive tests related to the assertion.
An auditor asking the employee who prepares the bank reconciliation how reconciling items are identifi ed would be an example of _______.
inquiry This is an example of inquiry.
The expected rate of deviation in the population _______.
is the rate at which the auditor expects controls not to function as planned The expected rate of deviation in the population is defi ned as the rate at which the auditor expects controls not to function as planned.
Strong entity-level controls _______.
make it more likely that transaction-level controls will operate effectively Strong entity-level controls make it more likely that transaction-level controls will operate efficiently.
IT General Controls (ITGCs) are important because they:
prevent unauthorized personnel from having access to data and applications ITGCs prevent unauthorized personnel from having access to data andapplications.
A software application will not allow a sale to be processed if a customer is over its credit limit.This is an example of a(n):
preventive control
After the auditor has completed test of controls and drawn a conclusion about control risk, _______.
the auditor will want to make decisions about the nature, timing and extent of substantive testing This is the next step in the audit process.
Once controls have been tested, _______.
the auditors document their work in a working paper
Working paper documentation for test of controls should include _______.
the auditors' conclusion about control risk, and the basis for their conclusion (e.g., underlying evidence) These are all documented in working papers
Once auditors understand the flow of transactions, _______.
they will use their knowledge of assertions to understand what can go wrong Understanding the flow of transactions will enable auditors to use their knowledge of assertions to understand what can go wrong.
If the auditor is auditing a public company in the United States and must report on internal controls over fi nancial reporting (ICFR), the identifi cation of one or more material weaknesses_______.
will result in an adverse opinion on ICFR Identifi cation of a material weakness will result in an adverse opinion on ICFR.