ACC Chapter 10 (Exam 3)
Appropriate working paper standardization may include:
1. A uniform cross-referencing system for all engagements 2. Consistent working paper layouts 3. Standardized tick marks (that is, symbols used on working papers to represent specific audit procedures) 4. A prescription for the types of information to store in pertinent or carry-forward files (that is, files containing pertinent information of continuing importance for a particular auditee)
Purpose and content of working papers
1. Aid in planning and performing the engagement 2. Facilitate supervision of the engagement and review of the work completed 3. Indicate whether engagement objectives where achieved 4. Provide the principal support for the internal auditor's communications to the auditee, senior management, the board of directors, and appropriate third parties 5. Serve as a basis for evaluating the internal audit function's quality assurance program 6. Contribute to the professional development of the internal audit staff 7. Demonstrate the internal audit function's compliance with IIA's standards
Common analytical procedures performed by internal auditors include:
1. Analysis of common size financial statements 2. Ratio analysis 3. Trend analysis 4. Analysis of future oriented information 5. external benchmarking 6. Internal benchmarking
Each Working paper should:
1. Contain an appropriate index or reference number 2. Identify the engagement and describe the purpose or contents of the working paper 3. Be signed (or initialed) and dated by both the internal auditor who performed the work in the internal auditor who reviewed the work 4. Clearly identify the sources of auditee data included on the working paper 5. Include clear explanations of the specific procedures performed 6. Be clearly written and easy to understand by internal auditors unfamiliar with the work performed (for example, an internal auditor who refers to the working paper at a later date)
Although there are no hard and fast rules regarding reliability and sufficiency of evidence, they are useful guidelines internal auditors can follow if they remember that guidelines are generally characterized by exceptions. Such guidelines in clue:
1. Evidence obtained from independent third-parties is more reliable than evidence obtained from auditee personnel 2. Evidence produced by a process or system with effective controls is more reliable than evidence produced by a process or system with ineffective controls 3. Evidence obtained directly by the internal auditor is more reliable than evidence obtained indirectly 4. Documented evidence is more reliable than undocumented evidence 5. Timely evidence is more reliable than untimely evident 6. Corroborated evidence is more sufficient than uncorroborated or contradictory evidence 7. Larger samples produce more sufficient evidence than smaller samples
Some of the more common CAATs are defined by ISACA as follows:
1. Generalized audit software (GAS) 2. Utility software 3. Test data 4. Application software tracing and mapping 5. Audit expert systems 6. Continuous auditing
Benefits of using GAS
1. It allows internal auditors to conduct audit procedures in a wide variety of hardware and software environments with minimal customization 2. It enables internal auditors to perform tests on data independently of the company's IT personnel 3. Using GAS enables the internal auditor to deftly analyze very large quantities of data 4. Some applications of GAS facilitate 100% examination of data populations almost instantaneously as opposed to testing a sample of data items manually 5. Using GAS to perform necessary but routine audit tasks frees up time for the internal auditor to think analytically
Audit procedure steps in order
1. Obtain a thorough understanding of the auditee, including the auditee's objectives, risks, and controls 2. Test the design adequacy and operating effectiveness of the targeted area's system of internal controls 3. Analyze plausible relationships among different elements of data 4. Directly test recorded financial and nonfinancial information for errors and fraud 5. Obtaining sufficient appropriate evidence to achieve the prescribed audit objectives involves determining the nature, extent, and timing of audit procedures to perform
Obstacles to implementing GAS successfully
1. Obtain access privileges to relevant and reliable data 2. Gaining physical access to the data 3. Understanding how the data is stored and formatted in the system 4. Extracting the data and downloading it to the internal auditors personal computer 5. Importing the data in a usable format into the audit software
Assume that an internal auditor wants to determine whether a particular vehicle included in the company's fixed asset ledger exists and is owned by the company. The internal auditor locates the vehicle in the company's parking lot. (1) Can the internal auditor reasonably conclude that the vehicle exist just by seeing it? (2) Can the intern Octa reasonably conclude that the company owns the vehicle just by seeing it?
1. Yes 2. No. The internal auditor would need to inspect pertinent documentary evidence, such as title of ownership
Continuous auditing
Allows information systems auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer
Negative confirmations
Ask recipients to respond only when they believe the information provided to them is incorrect
Positive confirmations
Ask recipients to respond regardless of whether not they believe the information provided to them is correct
Utility software
Comprised of computer programs provided by a computer hardware manufacturer or software vendor and used in running the system... This technique can be used to examine processing activities; to test programs, system activities, and operational procedures; to evaluate data file activity; and, to analyze job accounting data
Reliable
Did the evidence come from a credible source? Did the internal auditor directly obtain the evidence?
Analytical procedures
Entail assessing information obtained during engagement by comparing the information with expectations identified or developed by the internal auditor Examples: 1. Prepare common size financial statements for the current year and proceeding two years; look specifically for variances or unexpected trends 2. Compare the organization's common size financial statements with published industry common size information looking for unexpected inconsistencies 3. Calculate accounts payable turnover for the current year and proceeding two years as evidence of vendor payment.
Inquiry
Entails asking questions of auditee's personnel or third parties and obtaining their oral or written responses. Inquiry produces indirect evidence, which by itself is rarely persuasive Examples: 1. Circulate a questionnaire among senior executives asking them to identify the top 10 risks threatening the organization 2. Ask the organization's outside legal counsel to provide information about any litigation, claims, and/or assessments against the organization 3. Interview managers and employees involved in the cash disbursements process to identify key process controls
Confirmation
Entails obtaining direct written verification of the accuracy of information from independent third-parties Examples: 1. Confirm a sample of accounts receivable subsidiary ledger balances with customers 2. Confirm the principal balance of a note payable and interest rate with the lender 3. Confirm cash account bank balances with banks
Re-performance
Entails redoing controls or other procedures. Reperforming a control provides direct audit evidence regarding operating effectiveness. Examples: 1. Recalculate accumulated depreciation and a depreciation expense to verify that they were calculated correctly 2. Independently estimate the allowance for doubtful accounts to test the reasonableness of the accounting department's estimate 3. Re-perform auditee prepared bank reconciliations to test whether they were completed correctly
Inspection
Entails studying documents and records and physically examining tangible resources. Inspection of documents and records provides direct evidence of the contents. Examples: 1. Review the minutes of board of directors' meetings looking for authorization of significant events (for example, the acquisition of another company) 2. Inspect selected inventory items to determine their condition and salability 3. Read the cash disbursements policies and procedures to obtain an understanding of key elements of the process (for example, assigned roles and responsibilities)
Observation
Entails watching people, procedures, or processes. Observation is generally considered more persuasive than inquiry in the sense that the internal auditor is obtaining direct evidence. Examples: 1. Tour the auditee's facility to gain a general understanding of day-to-day operations 2. Observe the care with which employees count the year and physical inventory 3. Watch employees involved in executing and recording cash disbursement transactions to determine whether they are performing their assigned responsibilities and only their assigned responsibility
Audit expert systems
Expert or decision-support systems that can be used to assist Information systems auditors in the decision-making process by automating the knowledge of experts in the field... This technique includes automated risk analysis, system software and control objectives software packages
Sufficient
Has the internal auditor obtained enough evidence? Do different, but related, pieces of evidence corroborate each other?
Manual audit procedures
Inquiry Observation Inspection Vouching Tracing Re-performance Analytical procedures Confirmation
Relevant
Is the evidence pertinent to the audit objective? Does it logically support the internal auditor's conclusion or advice?
Generalized audit software (GAS)
Multipurpose software that can be used for general purposes such as record selection, matching, recalculation and reporting
To be persuasive, evidence must be:
Relevant Reliable Sufficient
Test data
Simulated transactions that can be used to test processing logic, computations and controls actually programmed in computer applications. Individual programs or entire systems can be tested... This technique includes integrated test facilities (ITFs) and bass care system evaluations (BCSEs)
Application software tracing and mapping
Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, control conditions and processing sequences... Both the command language or job control statements and programming language can be analyzed. This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons
An Internal auditor uses generalized audit software to
Test whether any duplicate payments of invoices exist in the company's cash disbursements transaction file. The internal auditor uncovers several duplicate payments made throughout the year. The internal auditor may correctly infer that controls to prevent and/or detect such payment on a timely basis did not exist, were designed inadequately, or did not operate defectively
Guidelines for working paper preparation
The CAE is responsible for establishing working paper policies and procedures. Well written policies and procedures promote effective any efficient work and facilitate consistent adherence to quality assurance standards
Ratio analysis
The internal auditor calculates pertinent financial ratios (for example, current ratio, gross profit percentage, inventory turnover, and cost of raw materials purchased divided by cost of finished goods produced) and ratios involving nonfinancial values (for example, sales divided by square footage of sales space, payroll expense divided by average number of employees, and percentage of defective units produced)
Analysis of future oriented information
The internal auditor compares current fiscal period information with budgets or forecasts
Trend analysis
The internal auditor compares performance information (for example, individual amounts, common size percentages, and/or ratios for the current physical period) with like information for one or more prior periods
External benchmarking
The internal auditor compares performance information for the organization with like information of other individual organizations or the industry in which the organization operates
Internal benchmarking
The internal auditor compares performance information of one organizational unit with like information for other organizational units
Analysis of common size financial statements
The internal auditor expresses financial statement line items as percentages of relevant totals
Professional skepticism
The state of mind in which internal auditors take nothing for granted; they continuously question what they hear and see and critically assess audit evidence
Timing of audit procedures
The timing of audit procedures pertains to when the tests are conducted in the period of time covered by the tests. For example: 1. An internal auditor testing the operating effectiveness of a manual control over a period of time on a sample basis must take appropriate steps to gain assurance that the sample selected is representative of the entire period 2. An internal auditor testing whether transactions are recorded in the appropriate fiscal year will focus his or her tests on transactions immediately before and after year end
Vouching
Tracing backwards Entails tracking information backward from one document or record to a previously prepared document or record, or to a tangible resource. Vouching is preformed specifically to test the validity of documented or recorded information Examples: 1. Vouch a sample of inventory items from the accounting records to the warehouse to see that the inventory items exist 2. Vouch a sample of sales invoices to corresponding shipping documents to verify that the shipments occurred 3. Vouch a sample of check copies to supporting voucher packages to test the validity of the checks
Tracing
Tracing forwards Entails tracking information forward from one document, record, or tangible resource to subsequently prepared document or record. Tracing is performed specifically to test the completeness of documented or recorded information Examples: 1. Trace internal auditor test counts of inventory to the auditee's inventory compilation records to verify that the counts are properly included in the compilation 2. Trace receiving reports for goods received to the corresponding voucher and then to the voucher register to verify that the receipts of goods are properly recorded as liabilities 3. Traced checks dated within a period of several days before and after year end to the accounting records to ensure the checks were recorded in the proper year