A2 M7&M8

Monitoring

**CPA is required to understand/knowledge Assesses quality of internal control performance over time, by assessing the design and operation of controls on a timely basis and taking the necessary corrective actions. Establishing and maintaining internal control is a responsibility of management. Monitor controls to determine whether they are operating as intended and whether they have been modified appropriately for changes in conditions. The process can include: ongoing monitoring activities built into normal recurring activities; separate evaluations of IC -present and functioning; internal audit function that provides both an evaluation of internal control - including its strengths and weaknesses and recommendations for improvements; evaluation of communications from external parties such as customers. Rule: in a well designed internal control environment, errors should be prevented and/or detected by employees in the ordinary course of their job/ business.

Risk Assessment Overview Part 1

*CPA test internal in order to adequately plan the NET audit procedures. Purpose: An auditor should perform risk assessment procedures, which enable the auditor to: (a) identify and asses the risks of material misstatements --> audit planning. (b) make informed judgments about other audit matters, including: materiality and tolerable misstatement; entity's selection and application of accounting procedures, areas that require special audit consideration, developement of analytical procedures, design and performance. R.A procedures: Obtain an understanding of the entity and its environment, obtain an understanding of internal control over financial reporting, inquire of audit committee, management, and others; perform analytical procedures; conduct a discussion among engagement team members; perform other procedures.

Selection and Application of Accounting Policies

*Gain understanding of internal control of this area. The auditor should evaluate whether the accounting policies are appropriate for the entity's business and consistent with the applicable financial reporting framework and the industry in which the entity operates. The auditor should obtain an understanding of the accounts or disclosures for which judgement is used, especially in determining management's estimates and assumptions.

MCQ part 1

1) Analytical procedures used in planning the audit should focus on (a) enhancing the auditor's understanding of the client business. 2) Those APs used in the planning phase of an audit should focus on enhancing the auditor's understanding of the transactions and events that have occurred since the last audit. 3) An understanding of internal control relevant to an entity's financial reporting objective is necessary as part of audit planning. 4) Analytical procedures do not generally help an auditor develop preliminary judgement about materiality. 5) Test of controls are performed after audit planning is complete. 6) Management representations are typically obtained at the end of the audit, not during the planning stage. 7) Recalcs, test of cash receipts are done during the audit fieldwork stage. 8) Analytical procedures involve comparison of recorded amoutns to independent expectations developed by the auditor. During the planning stage, analytical procedures generally use financial sta, such as unaudited information from internal quarterly reports. 9) A relationship might exist between the square footage of selling space and the level of sales. 10) The auditor should consider the results of analytical procedures performed during the planning stage of the audit in identifying the risks of material misstatement due to fraud. This is one of the primary purposes of performing analytical procedures during the planning stage.

Obtain an Understanding of the entity and its environment

1) Industry, Regulatory, and Other External Factors a) Industry Factors: (pressure) industry conditions, supplier and customer relationships, and technological developments. The market and competition, cyclical or seasonal activity, product technology relating to the entity's products, energy supply and cost. b) Regulatory Factors (pressure): relevant regulatory factors include the regulatory environment. The regulatory environment encompasses, reporting framework, and legal and political environment. Accounting principles and industry specific practices, regulatory framework for regulated industry, laws, taxation, environmental, etc. c) Other External Factors: general econ conditions, interest rates, and availability for financing, inflation, and currency revaluation

Other Risk Assessment Procedures

1) Inquiries: Made of management and others. Also includes other parties such the board of directors, audit comittee, internal auditors, 2) Analytical procedures: Required during the planning stage and the final review stage. (a) Analytical Procedures Required to be performed during planning -- review at a high level, compare financial statements to budgeted or anticipated results. They can review financial and non financial date. The objective is to understand the nature of company? and identify the unusual transactions and events, and amounts, ratios, or trends that might be significant to the financial statements and may represent specific risks to the audit. (the primar objective is to assess the risk of material misstatement and to design and perform audit procedures) Passkey: during the planning, the auditor is specifically required to perform analytical procedures related to revenue in order to identify unusual or unexpected relationships that might indicate material misstatement, including material misstatement due to fraud. The auditor should also take into account analytical procedures performed during interim reviews (if performed)

Auditor's consideration of internal control

1) Relevance to the Audit: The five components of IC are applicable to the audit of every entity. Each of the five components of internal control may affect any of the three entity objectives. 2) Factors affecting the application of framework: The applicability and importance of internal control components are affected by the entity's size, organizations, complexity, information processing 3) Acceptable Internal Control Frameworks: CRIME --> Management can elect COSO or other when establishing and evaluating internal control. For integrated audits, the auditor should use the framework used by management in its annual evaluation of the effectiveness of internal control over financial reporting.

Risk Assessment Procedures and Audit Evidence

Always required in financial statement audit. Risk assessment procedures sometimes provide audit evidence about transactions, balances, disclosures, or controls, even if they were not designed to provide such evidence. The auditor may choose to perform substantive procedures or test of control if it is efficient to do so.

Components of Internal Control

An auditor MUST obtain an understanding of the design and implementation of internal control during the planning stage of the audit. In order for the auditor to understand the D&I of IC, auditor should understand its components like: * main - C Control Environment: the overall tone of the organization R Risk Assessment: management identification of risk I Information and Communication Systems: a means of recording transactions and communicating responsibilities. M Monitoring: assessment of internal control performance over time E Existing control activities" control policies and procedures. CPA is required to understand each element of "CRIME" as it relates to financial reporting. Side note: lots of questions on control environment and existing control activities.

Audit Data Analytics (ADAs)

An auditor may choose to use audit data when performing risk assessment procedures. ADAs involve analyzing patterns, identifying anomalies, and extracting other useful information in data underlying anomalies, and extracting other useful information, and visualization. Steps for ADAs: Generally, five steps are performed when using ADAs to help with the assessment of the risks of material misstatement: 1- Plan the ADA, 2-access and prepare the data, 3-consider the relevance and reliability, 4-perform the ADA, 5- evaluate the results and conclude For example, i can use ADAs to analyze the inventory. If I see that sales of a particular product are declining then there might be inventory on hand that is devalued.

Documentation from Client

An entity's procedures manuals may include documentation of the entity accounting system and related controls. The entity's organizational chart outlines designated lines of authority and responsibility. Both documents can assist the auditor in understanding the entity's system of internal control.

Internal Control Questionnaires

An internal control questionnaire generally consists of a list of questions to be answered by "yes" or "no" responses. A negative is designed to draw attention to a possible weak ness in internal control. The questions address internal controls over an element, account, or process.

Other Audit Considerations

Audit issue: If evidence is not retrievable it is difficult to determine timing of control testing and substantive testing. Effect of Information Technology on internal Control: C: management's failure to appropriately address IT risks may negatively impact the control environment. R: The use of IT may enhance an entity's risk assessment by providing more timely information. I: Many information and communication systems make extensive use of IT, and the way in which IT is used often affects entity's IC. M: much of the information used in monitoring is provided by it, and therefore the accuracy of the IT is crucial. E: The use of IT may affect the way in which existing control activities are implemented. Also, the effectiveness of user controls may depends on the accuracy of information provided to the user by IT systems. IT Exception: IT systems may make it impossible to resolve the detection risk through substantive testing along. Must do control testing as well.

Control Environment

CPA is required to understand/ knowledge. The control environment: (a) sets the tone of an organization (b) provides discipline and structure as foundation (c) originates with management. Includes factors as the following: (a) communication and enforcement of integrity and ethical values with those people who create, administer, and monitor internal controls (b) commitment to competence as reflected in management's consideration of the knowledge and skills required for particular jobs. (c) participation of those charged with governance, including assessment of their knowledge, experience, stature (d) management's philosophy and operating style with respect to its approach to risk taking (e) organizational structure (f) assignment of authority, responsibility, and accountability (g) Human resource policies. (like a manual Passkey: circumstances that would raise concerns regarding management's philosophy: management consume with meeting the budget -- pressure, management dominated by one person -- opportunity, management compensation upon entity's performance = rationalization. **Those charged with governance: their responsibilities include: overseeing "whistle-blower" procedures; overseeing financial reporting, balancing conflicting pressures placed on management, bearing responsibility for prevention and detection of error. **Pervasive Effect of Control Environment: (a) Weak Control Environment: When there is a weak control environment, the auditor may perform more substantive procedure as of the balance sheet date rather than interim (b) Strong Control Environment: When there is a strong control environment, the auditor may perform tests at an interim date rather than at the balance sheet date; may use tests that provide somewhat less persuasive evidence; or may reduce the extent of testing.

Design the Nature, Extent and Timing of Further Audit Procedure.

Depends on the size and complexity of company, the auditor's existing knowledge, nature of controls, company's use of IT.

Evaluate the Design and Implementation of Internal Control

Design: Evaluating the design of a control involves determining whether it is capable individually or in combination with other controls of preventing or detecting and correcting material misstatement. CPA responsiblity: an understanding of each element of CRIME as it pertains to finacnial reporting Implementation: A control has been implemented if it exists and is being used. The auditor must obtain evidence about whether the individuals responsible have an awareness of the existence of the procedure and their responsibility for its performance. Procedures: procedures used to obtain evidence about design and implementation of internal controls include inquiry of entity personnel, observation, inspection of documents, walk throughs.

Understanding the Group, Its components, and their environment

Do the following: (a) enhance its understanding of the group, its components, and their environments, including group-wide controls. (b) obtain an understanding of the consolidation process, including the instructions issued by group managements to components. (c) confirm or revise its initial identification of significant components.

Document the Understanding of Internal Control

Documentation may include any item the auditor can FIND: Flowcharts Internal Control Questionnaire or Checklists Narrative Documentation from client, including copies of entity's procedures manuals and organizational charts. Flowcharts: Depicts auditor's understanding of internal control. Serves in two ways: first, flowcharts of systems are prepared to evaluate internal control. Second, IT flowcharts used as documentation tools in programming are useful to the auditor in evaluation internal control. There are (a) system flowcharts: show origin of each document in system, subsequent processing, and its final disposition. (b) program flowcharts: IT flowcharts are initially created to document the logic and existing flow of a computer program. The auditor can use these flowcharts to evaluate both the flow of program and IC related to IT function in general. (c) Program Flowchart: initially created to document the logic and existing flow of a computer program. (d) Flowchart Org: show the general flow of docs and data

IT Risk Assessment

Garbage in --> garbage out The use of IT may also create additional internal control risks. The auditor must evaluate the entity's use of IT to determine whether and to what extent the following risk exist: (a) potential reliance on inaccurate systems, (b) unauthorized access (c) unauthorized changes to data (d) failure to make required changes or updates to systems or programs (e) potential loss of data. Auditor should 1) document use of programs 2) perform tests more often during the year.

Narrative:

Hard to "see" weaknesses in internal control. A narrative is a written version of a flowchart. Flowcharts are more appropriate for documenting complex control structures, and written narratives are more appropriate for less complex structures.

Assess the Risks of Material Misstatement:

ID types of potential misstatement.

Information and Communication Systems (CPA is required to understand/ knowledge)

IS support the identification, capture, and exchange of information in a timely and useful manner. Information systems: The IS relevant to financial reporting consists of the procedures and records established to initiate, authorize, record, process, and report entity transactions, etc, etc. It's all that records, identifies transactions, process and accounts for system overrides, describes transactions in a timely manner, measures and records the proper monetary value of transactions, determine and ensure proper recording, etc. Accounting Information systems: The auditor is especially interest in the business processes relevant to financial reporting, and should obtain understanding of: (a) the classes of transactions that are significant to financial statements, (b) accounting processing ( both automated and manual), from initiation of a transaction to inclusion in the financial statements,(c) the accounting records, supporting information, and specific records involved in authorizing, recording, (d) the financial reporting process, including the development of significant accounting estimates and the inclusion of appropriate disclosures.

General and application controls

IT General Controls: General controls are policies and procedures that relate to many applications and support the effective functioning and proper operation of the information system. It can be categorized as controls over data center and network operations, system software acquisitions, change and maintenance controls, access security controls, application system acquisition; development and maintenance controls. IT Application Controls: application controls apply to processing of individual transactions and help to ensure transactions occurred, are authorized, and are completely and accurately processed and reported. Including access rights, controls over interfaces, mathematical accuracy.

IT Benefits

IT is used by entity to improve the efficiency and effectiveness of its internal control. The auditor should consider the effect of such benefits as part of assessing internal control. Benefits include: (a) the ability to process large volumnes of transactions, improved timeliness, enhanced segregation of duties, enhanced ability to monitor the performance of the entity's activities. COPAL (control group, operators, programmers, analysts, librarians)

Consider the Limitations of Internal Control (related to control environment)

Internal Control provides only reasonable assurance - not absolute- regarding achievement of objectives due to the following three inheret limitations of internal control: (a) management override of internal control (b) human error, which may include errors in the design or use of automated controls (c) deliberate circumvention of controls by collusion of two or more people.

Manual vs. Automated Controls

Manual Controls: performed by people and are more suitable when judgement and discretion are required, such as when there are: large, unusual or nonrecurring transactions. Also potential misstatements are difficult to define. Manual controls are also used to monitor automated controls. Automated Controls: Automated controls are internal controls performed using IT and are more suitable for: (a) high volume or recurring transactions (b) control activities that can be adequately designed and automated.

Objectives, Strategies, and Business Risks

Objectives are plans, Strategies are means to achieve objectives, business risks could affect the ability tterm-3o achieve objectives and strategies. Examples: Industry developments: entity does not have expertise or personnel. Industry developments may make a particular product obsolete. New Products: may result in an increase in product expense, increase in expense may pressure management to report at lower amount. Expansion of business: demand changes, therefore too much inventory. New Accounting requirements: may result in improper implementation or a cost increase. Changes in key personal, personnel may be unfamiliar.

Ongoing assessment

Obtaining an understanding of the entity and its environment is a process that continues and evolves throughout the audit, and the auditor's assessment of risk may change as additional audit evidence is obtained. For example, intial risk assessment may presume effective operation of controls, but tests of controls may indicate that controls are no operating effectively; or the auditor may detect more or less frequent misstatements than would have been expected given the initial risk assessment. In such situations, the auditor should revise the assessment and modify planned audit procedures. Note: analytical procedures and risk assessment procedure are required. The test of operational effectiveness of controls are no required.

Risk Assessment Part 2

Overview of Internal Control Even if auditor does not rely on IC, he must obtain an understanding of it. IC is process designed to provide reasonable assurance about the achievement of entity's objectives divided in three categories: (1) **Reliability of financial reporting-financial statement fraud = lying. (2) Effectiveness and efficiency of operations --> asset miss-appropriation= lying (3) compliance with applicable laws and regulations --> corruption = cheating. Passkey: Reliability on financial reporting objective is most relevant to the audit. Controls relating to the operations and compliance objectives may occasionally be relevant to the audit and the ones that relate to non compliance if have direct effect on financial statements.

Existing Control Activities (CPA is required to understand/have knowledge)

Policies and procedures that help ensure that management directives are carried out and that necessary steps to address risks are taken. PAID TIPS {activities in a strong system of internal control} P prenumbering of documents to assure that all transactions are recorded for completeness, and that no transactions are recorded more than once existence. A authorization of transactions, to ensure authorization happens before commitment of resources. I independent checks to maintain asset accountability- involve the verification of work previously performed by others like the review of bank recons, comparison of subs records to control account. D documentation: provides evidence of the underlying transactions and is basis for establishing responsibility for the execution and recording of transactions. T Timely and appropriate Financial Performance Reviews: comparison of actual performance to budgets, forecasts, and prior periods. Comparison of financial and nonfinancial information (for example, the management of a sports team might use attendance data to ascertain in the reasonableness of ticket sales) "Analytical procedures" I information processing controls. These controls ensure that transaction are valid, properly authorized, and completely and accurately recorded. Application of control apply to the processing of individual transactions and general controls apply to information processing throughout the company. P physical controls for safeguarding assets: Security: physical segregation and security of assets, protective devices, and bonded or independent custodians, authorized access to assets and records, periodic counting and comparison of actual assets with amounts shown in accounting records. S segregation of duties which involves ensuring that individuals do not perform incompatible duties. Assign different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of the related assets reduces the opportunities to both perpetrate and conceal errors or fraud. (proper segregation, reduces the opportunities for any individual to both perpetrate and conceal errors or fraud) Notes: The auditor's primary consideration should be whether, and how, a control prevents, or detects and corrects, material misstatement. Exception?? Collusion and mgmnt override.

Identifying Controls Relevant to Reliable Financial Reporting.

Relevant are those that prevent, detect, and correct material misstatements. Preventive Controls: applied before the processing activity occurs. Detective Controls: Provide assurance that errors or irregularities are discovered and corrected on a timely basis. Detective controls are normally performed after processing has been completed.

Risk Assessment by Management

Risk assessment is an entity's identification and analysis of risks to the achievement of its objectives. This is not about the CPAs assessment of risk. CPA is required to understand/ knowledge. Circumstance from which risk may arise includes: (a) change in the regulatory or operating environment. (b) new personnel, etc, etc. Likely areas: lying, stealing, cheating. An auditor would most likely perform risk assessment procedures to evaluate the design of relevant controls when obtaining an initial understanding of internal control sufficient to assess the risk of material misstatement of the financial statements.

Notable Items

The application of ADAs may result in the identification of notable items. Notable items include items that may identify a previously unidentified risk, modify or support the assessment of risk of material misstatement, or provide the auditor with information to better plan audit procedures. You can group the notable items, and determine which data include: Items that do not positively identify new or higher risks of material misstatement, and items requiring further consideration because they may represent new or higher risks of material misstatement.

Other Procedures

The auditor should consider: reviewing external information, the results of the fraud risk assessment, information obtained during the client acceptance or continuance process, information obtained on other engagements performed by the entity, prior period evidence to the extent that it is still relevant.

Required Documentation

The auditor should document key elements of the understanding obtained regarding the entity and its environment, sources, and risk assessment procedures performed. Key elements that should be documented include: (a) relevant industry, regulatory, and other external factors, including the applicable financial reporting framework. (b) nature of entity including its operations, ownership and governance structures, types of investment that entity is making and plans to make, how it is financed (c) auditor's evaluation of whether the entity's accounting policies are appropriate** (d) objectives and strategies (d) review of financial performance.

Entity's Financial Performance

The auditor should obtain an understanding of this measurement, as it may indicate risk of misstatement. -- management measures and review performance to evaluate whether performance is meeting the desired objectives. For example, there is a risk in having performance-based compensation. Passkey: auditor's understanding of the industry, regulatory, and other factors like nature, strategies, risks and financial performance, aid the auditor in assessing the entity's inherent risk

Risk Assessment Discussion --> with audit team

The members of the audit team (specialists too) should discuss the susceptibility of the financial statements to material misstatement. If the audit involves multiple locations, then there can be multiple discussions. Important matters should be communicated to all engagement members not present for the discussion. This discussion: should include areas of significant audit risk, allows more experienced team members to share their insights with less experienced staff, should emphasize the need to exercise professional skepticism, and to be alert for and rigorously investigate any potential misstatements, whether due to error and fraud. This dicsussion can be help concurrently with the fraud risk discussion.

Walk Throughs

These are trace transactions relevant to financial reporting through the accounting system from inception through recording in the general ledger and presentation in the financial statements. Purpose: Confirm the auditor's understanding of key elements of the entity's information processing system and internal controls. Evaluate the design of the relevant internal controls. Determine whether certain controls have been implemented. A walkthrough can be performed by: selecting a single transaction and tracing it through the entity's information processing system from inception to financial reporting. Identifying the the key steps in the processing of a class of transactions from inception to financial reporting. *To perform walkthroughs the auditor should make inquiries of those who actually perform the info process and IC procedures. *Other procedures: inquiry alone is not sufficient. The auditor should corroborate inquiry responses by performing additional procedures: (a) observe individuals performing their information processing and control procedures. (b) re-perform the information processing or control procedures (c) inspect the relevant documents and records (d) corroborate inquiry responses with others knowledgeable about the information processing and control procedures.

Small and Midsized Entities

These ones can use less formal means to achieve internal control objectives.

Nature of the Entity

Understanding of operations, ownership, corporate governance. PCAOB says: read public information, read transcripts or earning calls, understand compensation arrangement, obtain information from SEC filings, and other sources about trading activity, inquire of the chair of compensation committee, understand the company's established policies and procedures regarding the autorization and approval of executive officer expense reimbursement. Becoming an investor of the client company would impair the independence of the auditor, rendering the auditor unable to perform the audit.