AUD: A3
What factors affect the extent of the auditor's consideration of the client's internal controls?
-How frequently the control is performed -The expected deviation rate -The extent to which other tests provide evidence about the same assertion
What does assessing risk based on the effective operation of internal controls involve?
1. Identifying specific internal controls relevant to specific assertions that are likely to prevent or detect material misstatements in those assertions 2. Performing tests of such controls to evaluate their effectiveness.
Implementation of Controls
A control has been implemented if it exists and is being used.
Providing more supervision during an audit of a nonissuer in response to assessed risks of material misstatement at the financial statement level is an example of:
An overall response.
Application Controls
Apply to the processing of an INDIVIDUAL transaction and help to ensure the transactions occurred, are authorized, and are completely and accurately reported.
Effect of IT on IC
Audit Issue: If evidence is not retrievable (if it's in real-time) it's difficult to determine timing of control testing and substantive testing.
In planning an audit, the auditor's knowledge about the DESIGN of relevant internal controls should be used to:
Identify the types of POTENTIAL MISSTATEMENTS that could occur. Note: the operating efficiency is not significant to the auditor; the auditor is concerned with operating EFFECTIVENESS. -Also, the auditor is not required to assess operating effectiveness during the planning stage.
Audit Risk
The risk of issuing an unmodified opinion when you shouldn't
Limitations of Internal Control
(Related to control environment) -Management override of IC -Human error -Deliberate circumvention of controls by collusion of 2+ people
Segregation of Duties (in an IT system)
-Control group -operators -programmers -analyst (system) -librarian -If one oversees another or if one does both, that's a weakness when it comes to IT.
The inventory environment should prevent/detect fraud by:
-One person NOT collusion or management override
During the planning phase of the audit, an auditor obtains an understanding of the internal control system by considering:
-The types of misstatements that may occur -The risk that misstatements may occur -Factors that influence the design of tests of controls and substantive tests -The assessment of inherent risk -Judgments about materiality -The complexity and sophistication of the entity's operations and systems -The use of manual vs computerized control procedures. **The auditor is NOT REQUIRED TO OBTAIN KNOWLEDGE ABOUT OPERATING EFFECTIVENESS AS PART OF UNDERSTANDING INTERNAL CONTROL.
Audit evidence concerning segregation of duties ordinarily is best obtained by:
Audit evidence concerning segregation of duties is best obtained by: observing the employees as they apply control procedures. -Generally the auditor's direct, personal knowledge obtained through observation, inspection, and physical examination is more persuasive than indirect information.
The Five Components of Internal Control
COSO Framework: "CRIME" C: Control Environment = Overall tone of the organization R: Risk Assessment = Management's identification of risk I: Info & Communications = A means of recording transactions and communicating responsibilities M: Monitoring = Assessment of internal control performance over time E: Existing Control Activities = Control policies and procedures (The CPA is required to understand each element of CRIME as it relates to FINANCIAL REPORTING.)
PAID TIPS
Control activities in a strong system of internal control: Prenumbering documents Authorization of transactions Independent checks to maintain asset accountability Documentation Timely and appropriate performance reviews --Analytical procedures, such as comparison of performance to budgets and forecasts and prior periods, and comparison of financial and nonfinancial info Information processing controls - General and application controls ensure that transactions are valid, properly authorized and completely and accurately recorded. -Application Controls apply to the processing of individual transactions. -General Controls apply to information processing through the COMPANY Physical controls for safeguarding assets -Locked doors, etc Segregation of duties - Duties should be segregated such that work of an individual provides cross check for another. -Reduces the opp. for any one individual to perpetrate or conceal fraud in the normal course of business. -Keywords authorizing, recording and custody SEG of Duties is the ARC to protect against a FLOOD of troubles: Authorization Record Keeping Custody of related assets In a well designed internal control environment, errors should be prevented and/or detected by employees in the ordinary course of their job/business.
Management override of internal control policies and procedures might cause the auditor to think what is high?
Control risk
In obtaining an understanding of the entity and its environment, including its internal control, an auditor is required to obtain knowledge about the:
Design of the relevant internal controls pertaining to financial reporting in each of the five internal control components.
Detective Controls
Designed to provide reasonable assurance that errors or irregularities are discovered and corrected on a timely basis.
Preventive Controls
Designed to provide reasonable assurance that only valid trans. are recognized, approved and submitted for processing.
What should an auditor do when CONTROL RISK is assessed at the max level?
Document the assessment when control risk is at the max level. -Also, the auditor should make decisions to potentially perform more substantive procedures.
Design of Controls
Evaluating the design of controls involves determining whether it's capable, individually or in combo with others, of preventing or detecting and correcting material misstatements.
Flowcharts
F in FIND: Depicts auditor's understanding of IC system: -System flowchart - Adequate flowchart shows origin of each doc in the system, its subsequent processing, and its final disposition -Program flowchart - IT flowcharts are generally created to document the logic and existing flow of a program Flowcharts should:
How do you document things? (abv.)
FIND: Flowchart Internal control questionnaires Narrative Documentation from the client, including copies of the entity's procedures manuals
IT Risks
Garbage In -> Garbage Out -Reliance on inaccurate systems -Unauthorized access or changes to data -Failure to update data -Inappropriate manual prevent -Loss of data Auditor should: 1. Document use of programs 2. Perform tests more often during the year
Assess the RMM
ID Types of potential misstatements in order to design the NET: Nature, extent and timing of further audit procedures
Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been:
Implemented.
What procedures are used to test operating effectiveness of internal control?
Inquiry, observation, inspection, recalculation, and reperformance.
Manual Controls
Internal controls performed by people and are more suitable when judgment and discretion are required. -Also used to monitor automated controls
What controls must an auditor use if the test of controls for a specific procedure leaves no audit trail?
Observation and inquiry.
A client maintains a large data center where access is limited to authorized employees. How may an auditor best determine the effectiveness of this control activity?
Observe whether the data center is monitored. -The auditor's direct OBSERVATION provides the most reliable source of evidence.
Evidence concerning proper segregation of duties for receiving and depositing cash receipts ordinarily is obtained by:
Observing the employees who are performing the control activities.
As part of understanding internal control, an auditor is not required to:
Obtain knowledge about the operating effectiveness of internal control. -Operating effectiveness is evaluated later, and only for those controls on which the auditor plans to rely.
Which of the following are always necessary in a financial statement audit: 1. Test of operating effectiveness of controls 2. Analytical Procedures 3. Risk Assessment Procedures
Only 2 and 3. -Risk assessment procedures must be performed to assess the risk of material misstatement and to determine whether and to what extent further audit procedures are necessary -The PLANNING process and overall REVIEW stage of the audit must include application of ANALYTICAL PROCEDURES --Tests of the operating effectiveness of controls are only performed when the auditor's risk assessment is based on the assumption that controls are operating effectively, or when substantive procedures alone are insufficient.
General Controls
Policies and procedures that relate to many applications and support the effective functioning and proper operation of the info system
Procedures of Controls
Procedures used to obtain evidence about the design and implementation of internal controls include: 1 - Inquiry of entity personnel 2 - Observation 3 - Inspection 4 - Observation of the entity's premises and plant facilities 5 - Walkthroughs*
An auditor should obtain sufficient knowledge of an entity's information system relevant to financial reporting to understand the:
Process used to prepare significant accounting estimates.
Walkthroughs
Purpose: To confirm the auditor's understanding Procedures include: Inquiries and additional procedures Additional Procedures - observing individuals performing their information processing and control procedures. -Re-perform -Inspect -Corroborate
Entity Objectives of Internal Control
Reliability of financial reporting = Financial statement fraud (lying) Effectiveness and efficiency of operations = Asset misappropriation (stealing) Compliance with Applicable Laws and Regulations= Corruption (cheating)
What are considered control environment factors?
Remember, control environment represents the collective effect of various factors on establishing, enhancing, or mitigating the effectiveness of specified policies and procedures. -Such factors include mgmt.'s philosophy and operating style, the entity's org. structure, the participation of those charged w/governance, methods of assigning authority and responsibility, and HR policies/practices.
An auditor is auditing a mutual fund comp. that uses a transfer agent to handle accounting for shareholders. What would be the most efficient way to obtain info about the transfer agents internal controls?
Review reports on IC placed in operation and its operating effectiveness produced by the agent's own auditor.
Service Organizations
Such as ADP or Payche
Automated Controls
Suitable for high volume or recurring transactions
When there are numerous property and equipment transactions during the year, an auditor who plans to assess control risk at a low level usually performs:
Tests of controls and limited tests of current year property and equipment tests. -Low level of tests of controls is needed since control risk is at a low level -The need for substantive tests is NEVER eliminated
To obtain audit evidence about CONTROL RISK, an auditor selects tests from a variety of techniques including:
Tests of controls include such procedures as: -Inspecting documentation, inquiry, observation, and reperformance. --Note that inquiry alone is not sufficient as the auditor should use a combination of procedures.
If interim substantive procedures for an account identified NO exceptions, what would the auditor not perform on that account at year end?
Tests of details for the ENTIRE year under audit
The Control Environment
The C in CRIME: -The tone at the top set by management -Auditor/CPA should obtain understanding and knowledge -Communication and enforcement of integrity and ethical values of the people. -Commitment to competence -Participation of those charged with governance -Management's philosophy and operating style EX: We don't cheat, steal, or lie by using a code of conduct Pass Key: The following circumstances would raise concerns regarding management's philosophy and operating style: A. Mgmt consumed w/meeting the budget - Pressure B. Mgmt dominated by one person - Opportunity (mgmt. override) C. Mgmt compensation contingent upon performance - Rationalize Pervasive Effect on the Control Environment: -The control environment has a pervasive effect on the auditor's risk assessment, and preliminary judgments about its effectiveness may influence the NATURE, EXTENT, AND TIMING of further audit procedures to be performed (THE NET).
Documentation from the client
The D in FIND: -May include documentation of entity's accounting system and controls
Existing Control Activities
The E in CRIME: Auditor/CPA should obtain understanding and knowledge.
The Information and Communication System
The I in CRIME: Auditor/CPA should obtain understanding and knowledge. -Support the identification, capture and exchange of info in a timely and useful manner. Accting Info Systems: Accounting processing (both auto and manual), from initiation of a transaction to inclusion in the FS. -The accounting records (both electronic and manual) supporting info, and specific accounts involved in initiating, authorizing, recording, processing and reporting transactions. -The financial reporting process, including the development of significant accounting estimates and the inclusion of appropriate disclosures.
Monitoring
The M in CRIME: Auditor/CPA should obtain understanding and knowledge. -Monitoring is the process that assesses the quality of internal control performance over time. -Establishing and maintaining internal control is the responsibility of management.
Narrative
The N in FIND: A written version of a flowchart -Hard to see weaknesses in IC
Risk Assessment
The R in CRIME: This is by management -An entity's identification and analysis of risks to achievement of its objectives by management. Auditor/CPA should obtain understanding and knowledge.
Under which circumstances would an auditor be most likely to perform substantive tests before the BS date?
The account in question has very little activity from year to year. -This account doesn't change much from year to year and is reasonably predictable with respect to amount, relative significance, and composition, making it a prime candidate for interim testing. Note: performing tests at interim increases detection risk
What would an auditor do after discovering a significant amount of deficiencies in internal controls?
The auditor uses tests of controls to evaluate CONTROL risk. If there were a lot of deficiencies, the auditor would: -Increase the assessment of CONTROL RISK (and the risk of material misstatement) and -Revise substantive testing accordingly by increasing the extent of substantive tests
After obtaining an understanding of the entity and its environment, including its internal control, an auditor decided to perform tests of controls. This is likely because:
The auditor's risk assessment is based on the effective operation of controls.
When would substantive testing of AR before the balance sheet date be most appropriate?
The higher the auditor's risk assessment, the closer to period end substantive procedures should be performed. -Effective internal controls reduce CONTROL RISK and reduce RISK OF MATERIAL MISSTATEMENT, allowing more interim testing to occur.
Fraud Risk
The risk that fraud goes undetected
The objective of tests of details of transactions performed as tests of controls is to:
We test controls in order to evaluate whether internal controls operate effectively (NOT EFFICIENTLY). However, the objective of tests of details of transactions performed as SUBSTANTIVE TESTS is to detect material misstatements in the FS.
In an environment that is highly automated, an auditor determines that it is not possible to reduce detection risk solely by substantive tests of transactions. Under these circumstances, the auditor most likely would:
When an entity transmits, processes, maintains, or accesses significant info electronically, factors unique to electronic processing may make it impractical or impossible to reduce detection risk to an acceptable level through substantive testing alone. In such cases, tests of controls should be performed. Answer: perform tests of controls to support a lower level of assessed control risk.
Why would an auditor reduce tests of details for a particular audit objective?
When analytical procedures have revealed no unusual or unexpected results. -Substantive analytical review procedures may be sufficient to reduce the planned level of detection risk to an acceptably low level.
When would an auditor decide not to test controls?
When it would be inefficient to perform tests of controls that would result in a reduction in planned substantive tests.