audit exam 2
"spreadsheet goofs"
can pose risks to an entity's internal control system
cancelled checks
either paper or electronic; contain data that might identify forgeries; know what a cancelled check would look like and what info it contains
The three conditions that are likely to be present when a fraud occurs (Exhibit 6.1) are commonly referred to as
fraud triangle
Not surprisingly, whenever a fraud risk exists, the professional standards require that auditors
gain an understanding of the internal controls that are in place to mitigate the assessed fraud risk.
Psychotic motivation is relatively rare, but it is characterized by the
habitual criminal who steals simply for the sake of stealing.
Cash Receipts and Disbursements: Key Control Activities
information processing; physical controls over the security of assets; segregation of duties; performance reviews; reconciliation (by an independent person)
Audit team members need to know about the
red flags, those telltale signs and indications that have accompanied many frauds.
Stated differently, internal control is
set of policies and procedures designed to achieve management objectives in three different categories.
An assessment of control risk should be coordinated with the final audit plan, which includes the list of
substantive procedures to detect material misstatements in account balances and financial statement disclosures for each relevant assertion.
the higher the position in an organization,
the higher the position in an organization,
Management's philosophy and operating style.
Management's philosophy and operating style support achieving effective internal control over financial reporting.
reconciliation
Monitoring of the internal control over cash can be provided by timely bank reconciliations made by individuals outside of the normal cash operations.
In general, egocentric motivations drive people to steal to achieve more personal prestige.
Ideological motivations are held by people who think their cause is morally superior and they are justified in making someone else a victim.
Access controls help prevent the improper use or manipulation of data files, unauthorized use of computer programs, and improper use of the computer equipment.
Locked doors, security passes, passwords, and check-in logs can be used to limit access to the computer system hardware
Financial reporting competencies.
The company retains individuals who are competent in financial reporting and related oversight roles.
Organizational structure.
The company's organizational structure supports effective internal control over financial reporting by establishing clear and unambiguous reporting lines.
Custody of assets involved in the transactions.
This duty refers to the actual physical possession or effective physical control of property.
Sarbanes-Oxley requires that management of public companies report on their assessments of the effectiveness of their financial reporting controls and that audit teams provide opinions on the controls over financial reporting.
This may involve more extensive procedures than those required by GAAS.
Once a tolerable rate of deviation has been established and upper limit rate of deviation has been computed,
auditors compare the rates
The focus thus far has been on quantitative factors: sample sizes, numbers of deviations, tolerable rate of deviation, and ULRD. Regardless of the results of the attributes sampling application, the audit team should
conduct a qualitative evaluation of deviations to determine their nature and cause. In some cases, deviations can truly represent an isolated incident on a specific transaction; in others, they can represent something far more serious.
Decisions regarding the assessed level of control risk should consider the
costs of performing additional tests of controls versus the cost savings from reduced substantive procedures.
audit teams use inquiry about the
existence of control activities and then corroborate the oral evidence by observing that the client-described control activities are actually being performed.
The auditor is required to
gain an understanding of each of these components and to document this understanding in the audit files.
internal control questionnaires are designed to
help the audit team obtain evidence about the control environment and the accounting and control activities that are considered appropriate for normal circumstances.
Performance reviews require
management's active participation in the supervision of operations.
If inherent risk has already been assessed as high, this means that
there is high susceptibility for this account to be misstated.
The sample size represents the number of items that the audit team examines. In variables sampling, these items are
transactions or components underlying the account balance or class of transactions being audited.
fraud
consists of knowingly making material misrepresentations of fact with the intent of inducing someone to believe the falsehood and act upon it and, thus, suffer a loss or damage.
A schedule can help detect unauthorized access because most software can produce usage reports that can be compared to the planned schedule.
Applications that are being run at unauthorized times can then be investigated for inappropriate use of computer resources.
most common motivations in business frauds
However, economic benefits are by far the most common motivations in business frauds.
in practice
audit teams typically use a combination of methods to document their understanding of the client's internal control.
Internal control consists of five components:
control environment, risk assessment, information and communication system, control activities, and monitoring of the control system.
Reports, Documents, and Data files used to Audit the Cash Account
Cash receipts journal; cash disbursements journal; bank reconciliations; canceled checks; bank statements
According to COSO, a well-functioning internal control environment is characterized by philosophies such as the following:
Integrity and ethical values; board of directors; management's philosophy and operating style; organizational structure; financial reporting competencies; authority and responsibility; human resources
Four main factors influence the sample size in an MUS application:
Sampling risk (risk of incorrect acceptance). Tolerable misstatement. Expected misstatement. Population size.
documenting internal control understanding
The audit team must document its understanding of internal control on every audit. The understanding can be summarized and documented effectively in the form of: questionnaires; narratives (written description of the control process); flowcharts (visual depiction of the control process, usually accompanied by a narrative).
there are also controls designed to detect fraudulent activity if it occurs.
The control tests are designed to enable the audit team to obtain objective evidence about the operating effectiveness of control activities.
An entity whose only control is "trustworthy employees" has no control.
The possibility of being detected by a control activity can be an effective deterrent to a potential fraudster. Stated simply, control activities often take away the opportunity for a fraudster to commit a fraud.
Ultimately, the overall level of audit risk that the auditors achieve is lower than necessary.
Thus, assessing control risk too high causes an efficiency loss for the audit team because more extensive substantive procedures are performed than necessary to reduce overall audit risk to acceptable levels.
Auditor's Report On Internal Control Over Financial Reporting (ICFR)
Title (include the word "independent"); responsibility of auditors and management; in accordance with PCAOB standards; definition of internal control over ICFR; inherent limitations of internal control; opinion; reference to opinion on financial statements (last paragraph); date of report (last day of field work)
control
are specific actions that a client's management and employees take to help ensure that management's directives are carried out.
In a lockbox arrangement, a
fiduciary (usually a bank) opens the box on a daily basis, lists the receipts, deposits the money, and sends the remittance advices (stubs showing the amount received from each customer) to the company.
Common sense probably tells you that samples should be
larger for larger populations (a direct relationship).
The audit team also investigates the causes of all
misstatements to ensure they do not represent a lack of controls or a pattern of fraud.
Although the philosophy behind the calculation of the basic allowance for sampling risk is somewhat technical, the calculation is relatively straightforward. To calculate the basic allowance for sampling risk,
multiply the sampling interval by the confidence factor for the risk of incorrect acceptance. The confidence factor corresponding to zero overstatement errors is selected because these sampling intervals did not contain an overstatement error
An allowance for sampling risk
of 3.4 percent (ULRD of 5.0% − Sample rate of deviation of 1.6% = 3.4%). The allowance for sampling risk represents the "adjustment" of the sample rate of deviation for the acceptable risk of overreliance.
Ultimately, financial reporting control activities are imposed on the accounting system for the purpose of
preventing, detecting, and correcting errors and frauds that could enter and flow through to the financial statements.
bank reconciliations
primary document we use to touch cash; allows management to monitor segregation of duties; important element of a company's internal control system for cash; a company doing its own bank reconciliations is a type of internal control
Under MUS, items in the sample are selected based on their size; that is, each item in the sample has a probability of being selected that is proportional to its size. Thus, this method of selection is often called
probability proportional to size (PPS) selection. For example, a customer's account recorded at $30,000 is ten times more likely to be selected than a customer's account recorded at $3,000.
It is important to note that monitoring does not include
regular management and supervisory control activities and other actions that employees take in performing their everyday duties.
tainting percentage
represents the percentage by which the transaction is misstated. It is determined by dividing the difference between the recorded balance and the audited value by the recorded balance.
the documentation prepared by the audit team should be
sufficient for an experienced auditor to replicate the sampling procedure.
For any flowcharting application, the chart must be
understandable to an audit supervisor
variables sampling
which is used to examine a population when the audit team wants to estimate the "true" balance or the misstatement of a particular account or class of transactions.
Extended Procedure to Detect Fraud: Proof of Cash
A proof of cash would be used in situations where controls over cash are weak. It essentially combines two bank reconciliations, reconciling all transactions that occurred during the period to the client's Cash Receipts Journal and Cash Disbursements Journal. Only done when we think cash is really messed up, because it's a long, difficult process.
Overall, the audit team's choice of which test of controls to use depends on the nature and importance of the control activity being tested.
Not surprisingly, certain types of tests produce more evidence about the operating effectiveness of a control activity than others.
Two other methods of selecting samples are block selection (which involves the selection of a series of contiguous or adjacent items) and haphazard selection (which selects items in an unstructured manner without intentional bias).
A recent survey of the sampling practices of six international accounting firms (including the Big Four) concluded that unrestricted random selection and systematic random selection are generally preferred, with haphazard selection being the least preferred method.
test of controls
After identifying specific control activities that can be relied on to reduce substantive testing for a financial statement assertion, must test the control. Procedures used, from the least persuasive to the most persuasive form of evidence: inquiry (alone is never enough), observation, inspection, reperformance. Direction of test does matter (tests of controls are still linked to management assertions; make sure testing is in the right direction for existence, occurrence and completeness).
The populations are as follows:
Attributes sampling: all possible applications of controls by client personnel. Variables sampling: all components or transactions comprising the account balance or class of transactions.
A second petty cash count is unexpected, and auditors might catch an embezzling custodian who incorrectly believes that "the auditors are gone, so now it's safe!"
Auditors should always make sure a client employee is present during the count and that the employee signs for the returned cash so the auditor cannot be blamed for any shortages. Another "trick of the trade" is to make sure that the auditor's pockets are empty (leave wallets locked up safely elsewhere) when counting client cash on hand. This is especially important when counting cash at a financial services client such as a bank or credit union. All cash should be counted simultaneously to prevent embezzling employees from substituting cash from other places. If this is not possible (e.g., the employee claims that he or she does not have the safe combination), there is audit tape (similar to police tape) to seal the safe until it can be opened with the auditor present. If the seal is broken, your suspicions should be raised.
How would the audit team proceed from this point?
Because the ULRD for the control related to the occurrence assertion (5.0 percent) is less than the tolerable rate of deviation (6.0 percent), it appears that the control for the occurrence assertion is functioning effectively. As a result, the audit team could decide to rely on internal control as planned and maintain the planned level of control risk as well as the planned level of detection risk.
Measure Deposit Lag Time
Compare the date of the deposit slip to the date recorded as a debit in the general ledger to the date the deposit was credited in the account by the bank. Someone who takes cash and then holds the deposit for the next cash receipt to make up the difference causes a delay between the date of recording and the bank's date of deposit.
A qualitative evaluation of deviations attempts to answer questions such as these with regard to observed deviations:
Do deviations represent a pervasive error made consistently on all transactions or an isolated mistake made on a specific transaction? Are deviations intentional or unintentional in nature? Do deviations represent a misunderstanding of instructions or careless attention to duties? Do deviations have implications with regard to the effectiveness of other controls (for example, information technology general controls or other Committee of Sponsoring Organizations of the Treadway Commission, or COSO, components)?
One way to subject all items in a population of occurrences for a particular control activity is to use exception testing.
Exception testing is designed to identify a violation of a particular control activity through the use of an automated test procedure designed to test all items in a population. For example, consider an entirely automated control activity that is designed to compare a customer's credit limit to the sum of (1) a potential sales transaction and (2) that customer's outstanding credit balance before approval of that sales transaction. If the control activity operated effectively throughout the year, a customer's outstanding credit balance would not exceed its credit limit.
A deviation does not necessarily indicate that an error in processing a transaction has occurred.
For example, an employee could have mathematically verified a sales invoice but forgotten to record his or her initials on the sales invoice. In addition, the invoice could be correctly calculated regardless of whether the invoice was verified. However, the failure of client employees to document their performance of key controls represents a deviation from that control activity and should be investigated. Further, the documentation may be initialed, but not by an authorized employee.
rationalizations
I need it more than other people (also known as the Robin Hood theory). I am borrowing the money and will pay it back. Nobody will get hurt. The company is big enough to afford it. A successful image is the name of the game. Everybody is doing it. I am underpaid, so this is due compensation.
If any deviations appear to be pervasively occurring throughout the sample, to represent intentional actions on the part of client employees, to represent careless attention, or to have implications with respect to other controls, they have additional implications for the audit and should be discussed with the client and its audit committee.
In addition, for public entities, these deviations may reflect significant deficiencies or material weaknesses that must be disclosed in the audit team's report on internal control over financial reporting.
The professional standards are clear that an auditor cannot merely rely on information produced by the company's information system without investigation.
Instead, the audit team is required to perform audit procedures that are designed either to test the controls that have been designed to ensure that the information is complete and accurate or to test the completeness and accuracy of the information using substantive testing procedures
Here are some examples:
Inventory is not counted on a regular basis, so inventory shortages and losses are not known. Proper separation of duties related to cash receipts or payments is compromised because of a termination or retirement. The vice president of finance has investment authority without review. Frequent emergency jobs leave a lot of excess material in a manufacturing plant just lying around.
Management evaluates the quality of information by determining whether the content is appropriate and the information is timely, current, accurate, and accessible.
Note that these sometimes are contradictory. For example, waiting to ensure that information is accurate can cause it not to be timely.
flowchart
The flowchart should communicate all relevant information and evidence about separation of responsibilities, authorization, and accounting and control activities in an understandable, visual form.
if a control is missing or ineffective, the risk of a material misstatement increases, but an error or fraud may or may not exist.
Thus, if controls are not in place or personnel in the organization are not performing their control activities effectively, auditors need to design substantive procedures to try to detect whether control failures have produced material misstatements in the financial statements.
In fact, the Auditing Standards Board has even
integrated important aspects of the COSO framework into the professional standards (i.e., AU-C 315).
An opportunity is an open door for solving the unshareable problem by violating a trust.
Weak internal controls; circumvention of internal controls; the greater the position, the greater the trust and exposure to unprotected assets (the higher up you are, the greater the opportunity you have for fraud). Examples: if inventory is not counted on a regular basis, then shortages wouldn't be known about, so stealing inventory may be something where an opportunity exists to not get caught. A lack of segregation of duties can be an opportunity if the VP of Finance has investment authority without any kind of review. If excess material is left lying around without accounting for it.
Proper separation of duties and responsibilities can prevent such fraudulent actions.
For example, as it relates to cash disbursements, effective internal control begins with different people and different departments handling the cash disbursement authorization; custody of blank documents (checks); record keeping for payments; and bank reconciliation. Auditing with fraud awareness often involves the combination of observing client control activities that were put in place and trying to "think like a crook" and imagine ways that theft could occur. When controls are missing, the ways and means for theft may be obvious. Otherwise, it might take significant planning and collusion to figure out how to steal from an employer.
At the end of the day, an independent employee should receive
(1) a copy of the check listing, (2) a report of payments recorded in accounts receivable, and (3) a copy of the deposit slip from the bank.
A new employee who has been a fraudster in some other organization's accounting department has a higher probability of being a fraudster in a new organization.
As a result, organizations have even been known to hire private investigators to make background checks. Fraudsters should be fired and, in most cases, prosecuted.
Some tests of controls depend on documentary evidence such as a payroll entry supported by a time card.
In these cases, document examination for evidence of signatures, initials, checklists, reconciliations, and the like provides better evidence than procedures that leave no documentary tracks. Document examination might be enough; the audit team may look to see whether the documents were marked with an initial, signature, or stamp to indicate they had been checked. For example, audit teams could examine canceled checks for authorized signatures, inspect voucher packets for the initials of the employee who matched vendor invoices with supporting purchase orders and receiving reports, or examine bank reconciliations to make sure that they have been performed on a timely basis.
The cash receipts journal contains all of the detailed entries for all receipts of cash by the entity (debits to the cash account), including cash deposits.
It contains the population of credit entries that should be reflected in the credits to accounts receivable for customer payments. It also contains the adjusting and correcting entries that can result from the bank account reconciliation. These entries are important because they may signal the types of accounting errors or manipulations that occur in the cash receipts accounting.
disadvantages associated with the use of MUS:
MUS provides a more conservative (higher) estimate of misstatement in the account balance or class of transactions compared to classical variables sampling. As a result, MUS is more likely to signal the need for an adjustment in the account balance or class of transactions, which will likely entail performance of additional procedures by the audit team. MUS is not effective in identifying misstatements in accounts when understatement is the primary concern (such as liabilities and expenses). The expansion of an MUS sample is difficult when preliminary results indicate that the account balance or class of transactions is materially misstated. MUS requires special considerations for logical units having a zero or negative balance. In some cases, logical units having these characteristics indicate employee fraud.
Although many factors are considered in determining the appropriate sample size, the acceptable level of sampling risk is one important factor.
Recall that an advantage of statistical sampling plans is that they determine a sample size that measures and controls exposure to sampling risk. An individual who wishes to reduce sampling risk to lower levels needs to select more items for examination as shown.
Management's responsibility for IC
Responsibility for establishing and maintaining adequate internal control over financial reporting; assess and report on the effectiveness of internal control over financial reporting
control environment
Sets the "tone at the top" of an organization, influencing the control consciousness of its people. It is the foundation for all other components. As a result, an auditor must obtain a detailed understanding of the control environment and document that understanding. If management doesn't care about internal controls, controls won't be implemented well, and this will have a negative impact on every other level.
information and communication
The identification, capture, and exchange of information in the form that enables people to carry out their responsibilities. Must understand the information systems that are relevant to financial reporting. Information systems produce a trail of activities from data identification to financial reports. This is known as the "audit trail."
a bank account reconciliation that compares the book cash balance to the bank cash balance provides management with an opportunity to monitor the separation of duties for cash receipts and cash disbursements.
The timely preparation of bank reconciliations is, therefore, an important element of a company's internal control activities over cash.
Authorization to execute transactions.
This duty belongs to people who have the authority and the responsibility for initiating or approving transactions. Authorization may be general, referring to a class of transactions (e.g., all purchases up to $100,000), or it may be specific (e.g., sale of a major asset).
Analyze the Mix of Cash and Checks in Deposits
This procedure is most effective for retail operations in which cashiers receive significant amounts of both cash and checks. Unless there is a marked change in consumer behavior, one should expect the mix of cash and checks to be relatively consistent over time. A decrease in the proportion of cash in the mix is often a sign that employees may be stealing cash.
The sample size represents the number of items that the audit team examines within a population of interest. Four main factors influence the sample size in an attributes sampling application:
Tolerable rate of deviation. Sampling risk (risk of overreliance, or risk of assessing control risk too low). Expected population deviation rate. Population size.
recording
When checks are prepared, entries are made to debit accounts payable and credit cash. Someone without access to the check-writing function should always perform the recording function.
The expected misstatement is the
amount of misstatement the audit team anticipates in the account balance or class of transactions. The audit team's estimate of expected misstatement is ordinarily based on prior experience with the client—that is, the amount by which misstatements have been identified in specific accounts in prior audits.
As a consequence, when evaluating the design of internal controls related to cash,
an auditor must also consider whether the controls have been designed to mitigate the risk of employee fraud.
errors
are unintentional misstatements or omissions of amounts or disclosures in financial statements. Typically not from fraud. Typically mistakes from the ledgers. Different from fraud because they are not made with intent.
As a result, audit teams will usually select a subset of controls, transactions, or components and base their conclusions on this subset (or sample) of items. The AICPA Audit Guide defines audit sampling
as the "application of an audit procedure to less than 100 percent of the items within an account balance or class of transactions for the purpose of evaluating some characteristic of the balance or class."
The purposes of the audit team's evaluation of internal control are to
assess the control risk (as part of the overall assessment of the RMM) in order to make the substantive audit plan and to report control deficiencies to management and the board of directors.
For kiting, these procedures include
being alert to the signs of kiting activity and preparing a schedule of interbank transfers.
Internal control can help prevent and detect many errors, but
it cannot guarantee that they will never happen.
other names for MUS
combined attributes-variables (CAV) sampling, cumulative monetary amount (CMA) sampling, and dollar-unit sampling (DUS).
For lapping, these procedures include
comparing the details of customer payments listed in bank deposits to the details of customer payment postings (remittance lists).
fraud
consists of knowingly making material misrepresentations of fact with the intent of inducing someone to believe the falsehood and act upon it and, thus, suffer a loss or damage. This definition encompasses all ways by which people can lie, cheat, steal, and deceive other people.
Proper separation involves different people and different departments handling custody of blank documents (checks), cash disbursement authorization, record keeping for payments, and bank reconciliation:
custody, authorization, recording, reconciliation
In the planning stages, auditors determine the objective of the sampling application and
define the characteristic of interest and the population.
Once the objective of sampling has been determined, the audit team
defines the characteristic of interest.
Often, imaginative "extended procedures" can be
employed to unearth evidence of fraudulent activity. Audit team members must always exercise technical and personal care, however, because accusations of fraud are taken very seriously. For this reason, after preliminary findings indicate fraud possibilities, the audit team should enlist the cooperation of management and assist fraud examination professionals when bringing an investigation to a conclusion.
The first condition (incentive/pressure) recognizes that
an employee or manager of a company is likely to either have incentives in place (e.g., bonus compensation) or be under significant pressure to meet specific estimates, forecasts, or expectations about net income.
audit teams should be aware that
entity personnel often fully understand that "yes" answers are "good" and "no" answers are "bad," so they tend to tell audit teams "yes" all the time.
Catching people in the fraudulent act is difficult to accomplish. The act of conversion is
equally difficult to observe because it typically takes place in secret away from the entity's offices (e.g., selling stolen inventory).
A motive, in the fraud context, is
essentially a reason for a person to take a fraudulent action that is believed to be unshareable with friends and confidants.
On every audit engagement, the audit team should
evaluate the design of internal control and determine whether controls have been implemented over all relevant assertions related to each significant account and financial statement disclosure
Once the relevant assertions have been identified for cash (e.g., existence) and the tests of control activities are complete, the auditor must
evaluate the evidence obtained from risk assessment activities and control tests to determine the risk of material misstatement for each relevant assertion.
This module discusses attributes sampling, which the audit team uses to
evaluate the operating effectiveness of internal control activities.
Auditors often perform dual-purpose tests by
examining documents for both attributes and monetary misstatements. For example, an invoice might be examined for the attribute of a credit authorization signature (control test) and the monetary misstatement of an incorrect price (substantive test).
For all the relevant assertions for each significant account and disclosure, audit teams begin by
examining entity-level controls, controls that are pervasive to the internal control system and the reliability of the financial statements taken as a whole
Flowcharts are created with audit-specific flowcharting software but also can be created rather easily in
Excel or PowerPoint
the third condition (attitude/rationalization) recognizes that
for an employee or a manager of a company to perpetrate a fraud, the individual must possess an "attitude" that allows her or him to rationalize why he or she is knowingly committing a crime
A good internal control activity is to
have the control account and subsidiary account entries made by different people, and later the accounts receivable entries and balances can be compared (reconciled) to determine whether they agree in total.
In the compliance category,
the broad management objective is to comply with laws and regulations that affect the entity. It is important to point out that external auditors are primarily concerned with a client's internal control system as it relates to the financial reporting category.
there are many control activities that do not lend themselves to automated audit testing. In such situations, auditors are
likely to take a sample from the population of occurrences for the control activity being tested. Most importantly, in such situations, the population being sampled must include all occurrences of the relevant control activity for the entire period of reliance, and the sample must be representative of that population to be considered appropriate audit evidence
Once the sample size has been determined and the sample has been selected, the next step is to
measure the sample items
Incentive or pressure gives rise to a
motive to commit fraud.
The audit team can use one of two statistical approaches for variables sampling.
MUS or CVS
The procedures used to gain an understanding of internal controls provide the audit team an
overall acquaintance with the control environment and management's risk assessment, the flow of transactions through the accounting system, and the design of some client control activities.
Control activities include
performance reviews, separation of duties, physical controls, and information-processing controls.
Internal control provides
reasonable assurance, not absolute assurance, that management's objectives will be achieved. Because people operate the controls, breakdowns can occur.
When used in substantive procedures, the audit team's objective is to determine whether an account balance or class of transactions is
recorded and presented according to generally accepted accounting principles.
horizontal analysis
refers to changes of financial statement numbers and ratios across several years.
vertical analysis
refers to financial statement amounts expressed each year as proportions of a base such as sales for the income statement accounts and total assets for the balance sheet accounts. Auditors look for relationships that do not appear logical as indicators of potential large misstatement and fraud.
One unique feature of using systematic random selection in MUS is that the
sampling unit is defined as an individual dollar within a population. However, it is not reasonable for the audit team to examine only a dollar of a component; the entire component should be verified. Thus, the audit team examines the logical unit that contains the individual sampling unit that is selected for examination
If the team members plan to rely on controls to reduce substantive procedures, they must
test the controls for operating effectiveness. However, if they do not plan to rely on controls, tests of operating effectiveness are not required.
example of the use of sampling,
the objective of which is to make a statement about a population of interest (in this case, all eligible voters) by examining only a subset (or sample) of that population (in this case, the voters responding to the pollster's inquiries).
assertion is relevant if
there's a reasonable possibility of containing a misstatement that would cause the FSs to be materially misstated related to that assertion. Existence and pres and disclosure are always relevant w cash as the sig acct. If it's a global comp then valuation may be relevant bc if holding foreign currency
If the controls are not functioning as described,
they cannot be relied upon
by defining the population as sales invoices, the audit team is examining only transactions that have been recorded. As a result,
this population cannot be used to provide evidence for the completeness assertion. However, this population is appropriate if the audit team is interested in verifying that all recorded sales invoices represent valid transactions (as evidenced by the presence of shipping documents), which corresponds to the occurrence assertion. As a result, the population should be defined as all sales invoices prepared by AirCon during the period under audit.
A second method for documenting the audit team's understanding of internal control is to write a narrative description of each important control subsystem.
Such a narrative simply describes all environmental elements, the accounting system, and all control activities. The narrative description can be efficient in audits of very small businesses. However, for a large entity, this description may be difficult to comprehend and might not readily identify potential weaknesses in internal control in a manner that "no" responses do in an internal control questionnaire.
Note that the reassessment of control risk can go only one direction:
upward.
For public entities, the auditors' report must be in
writing and presented to those in charge of governance (usually the audit committee) before their report on internal control over financial reporting is issued to the public. The report is to be addressed to management, the board of directors, or the audit committee. All deficiencies noted must be communicated in writing to management.
There are three conditions that are likely to be present when a fraud occurs. They are:
•Motivation •Opportunity •Rationalization
•Cash is highly liquid, easily transportable, and not easily identifiable, and therefore is a primary target for employee thieves. •Some strong internal control activities:
-Dual custody of cash at all times -Lockbox arrangement -Fidelity bonds
In recent years, entities of all sizes have increasingly recognized the need for a formalized process to identify, properly assess, and ultimately manage the full range of business risks that they face:
factors, events, and conditions that can prevent organizations from achieving their business objectives.
Personality red flags are difficult because
(1) honest people often show them as well, (2) they often are hidden from view, and (3) auditors are not in a good position to notice these characteristics.
physical controls over the security of assets
-Deposit cash and checks daily and intact -Lock box account -EDI transactions -Dual custody over cash -Unused checks secured -Check imprinting machine
•SEGREGATION OF DUTIES
-Separate custody, authorization, recording, execution
info processing
-Voucher packet (Purchase requisition, purchase order, receiving report, invoice) matched prior to cash disbursement authorization -Deposits reconciled to amounts credited to accounts receivable ledger -Bank reconciliation
Whether auditing a nonpublic entity under GAAS or a public entity in an examination conducted under PCAOB standards, the audit team must
communicate significant deficiencies and material weaknesses in internal control that come to their attention during the performance of the audit.
cash disbursements journal
company's checkbook; contains all detailed entries for checks written during the period under audit via check or electronic disbursements. Contains adjusting and correcting entries from the bank reconciliation. Red flags here: checks made out to cash or a bearer. You should look at any voided checks to make sure they're properly voided and don't subsequently clear the bank.
A third method for documenting the auditors' understanding of accounting and control is to
construct an accounting and control system flowchart.
cash receipts journal
contains detailed entries for all receipts of cash including cash deposits. All debits to cash are included in this journal. Contains the pop of credit entries to accts rec where we debit cash and credit AR; all of those entries are in here. Contains adjusting and correcting entries from the bank reconciliation.
The audit team uses attributes sampling in evaluating the effectiveness of the client's internal controls and assessing
control risk (the likelihood that the client's internal control policies and procedures fail to prevent or detect a material misstatement).
The final step in the planning stage of MUS is to
define the population of interest. As noted earlier, one of the most important distinctions of MUS is that the population is defined as all of the individual dollars (or euros, yuan, yen, etc.) within the account balance or class of transactions. Recall that the population of sales transactions is 895 transactions recorded at $12,563,336. As a result, MUS defines the population as 12,563,336 individual dollars of accounts receivable. Once defined, it is important that the audit team ensure the completeness and accuracy of the population prior to beginning the sampling process.
One of the unique characteristics of MUS is that the sampling unit is
defined as a dollar in an account balance or class of transactions. Thus, the sales transactions totaling $12,563,336 are characterized as a population size of 12,563,336 one-dollar items. Logically, as the population size increases, the necessary sample size increases. This represents a direct relationship between population size and sample size.
PCAOB Auditing Standard No. 2201 (AS 2201)
details the work that the external audit team of public entities must perform to comply with section 404 of Sarbanes-Oxley.
Additional procedures can be performed to try to
detect attempts at lapping accounts receivable collections and kiting checks.
In an MUS application, the characteristic of interest is the
difference between the recorded balance and the audited value, or the amount of misstatement.
Reporting to Audit Committee on Internal Control Related Matters
disclosed to help mgmt carry out their responsibilities for internal controls and help audit committee help mgmt carry out their oversight of mgmt's role: Significant deficiencies and material weaknesses (lists them and defines them). Sarbanes-Oxley requires that the report be in writing (in mgmt letter at end of audit). The auditor may communicate during or after audit.
With respect to auditing the cash balance, the detailed procedures performed on the bank reconciliation provide
evidence about the existence of cash
Although different companies may have other risks, in general the most significant risks relate to the
existence of cash and the presentation and disclosure of cash. As previously stated, depending on the nature of the audit client's operations, valuation may also be a relevant assertion for cash. Although we will focus our discussion on these assertions, other assertions may be relevant depending on the facts and circumstances at the audit client.
When using systematic random selection (commonly referred to as systematic selection), the audit team
identifies a random starting point in the population and then bypasses (or "skips") a fixed number of items (referred to as the sampling interval) and selects the corresponding items until the appropriate number of items has been selected. The sampling interval is determined by dividing the number of items in the population by the desired sample size.
When using unrestricted random selection (also known as random selection), the audit team
identifies a series of random numbers equal to the desired sample size and selects the numbered item in the corresponding population (for example, selecting the 120th, 268th, 341st, etc. sales invoices comprising AirCon's population of sales invoices).
Control systems
limit trust and, in the extreme, can strangle business in bureaucracy. The challenge is to have useful controls and to avoid picky rules that are "fun to beat." Managers and employees must have freedom to do business, which may mean giving them some freedom that can result in committing frauds.
Physical access to assets and important records, documents, and blank forms should be
limited to authorized personnel. Assets such as inventory and securities should not be available to persons who have no need to handle them. Likewise, access to records should be denied to people who do not have a record-keeping responsibility for them. Some blank forms are very important for accounting and control, and their availability should be restricted.
The accountants who record cash receipts and credits to customer accounts should
never handle the cash. They should use the remittance list or remittance advice to make the entries to the cash and accounts receivable control accounts and to the customers' accounts receivable subsidiary account records.
Although the phrase nonstatistical sampling sounds less professional and less favorable,
nonstatistical sampling methods can be appropriate in some circumstances. In certain cases, it is not necessary (or desirable) to use the laws of probability to select sample items.
Cash can be received in several ways
over the counter, through the mail, and by electronic funds transfer. It can also be received in a lockbox arrangement in which payments are remitted by customers to an external location (i.e., a lockbox)
In addition, given the importance of the computerized information processing system,
physical security of computer equipment and restricting access to the organization's data and computer application files are important to achieving effective internal control.
The starting point in the system, if possible, should be
placed at the upper-left-hand corner
nonstatistical sampling
plans do not meet either of these criteria. Thus, these two types of plans differ in terms of how sample size is determined and how the results are evaluated.
In the operations category,
some examples of management objectives are maintaining a good business reputation, ensuring a positive return on investment, increasing market share, promoting new product innovation, and using assets effectively and efficiently.
The control environment and management's risk assessment are explained in terms of
understanding the client's business.
Four methods that can be used to select a sample
Unrestricted Random Selection (Random Selection); Systematic Random Selection (Systematic Selection); Haphazard Selection; Block Selection
The audit team then selects the sample from the population. Two common methods used are
unrestricted random selection and systematic random selection.
Key Decision: Deciding Whether to Continue to Test Controls
For an integrated audit at a public company, the auditor must test controls for all relevant assertions for each significant account and disclosure.
Should Test of Controls Be Completed?
For public company audits, an auditor MUST test controls. For non-public company audits, an auditor may choose not to test controls for one of two reasons: (1) Internal control system is too ineffective in preventing or detecting misstatements to rely upon to justify reductions in substantive testing. (2) It may take more time to test controls than it would to just perform more substantive testing to provide evidence needed to conclude about a financial statement assertion. For either reason, result is more extensive and effective substantive procedures to obtain the appropriate level of detection risk and, ultimately
Unimpeachable integrity is the
ability to act in accordance with the highest moral and ethical values at all times. Thus, it is the lapses in integrity that permit a person's incentives or pressures to motivate fraudulent action when the opportunity presents itself. But people normally do not make deliberate decisions to "lack integrity today while I steal some money." They find a way to describe (rationalize) the act in words that make it acceptable for their self-image.
Having superior information systems can be a part of
an entity's strategy and competitive advantage (e.g., Amazon.com)
Gaining an understanding of internal controls should be performed in a
"top-down" risk-based manner that first identifies significant accounts and disclosures and their relevant assertions.
Employee frauds generally consist of
(1) the fraudulent act itself, (2) the conversion of assets to the fraudster's use (very easy if cash is involved), and (3) the cover-up.
employee fraud
(often referred to as misappropriation of assets) is the use of fraudulent means to take money or other property from an employer. It usually involves falsifications of some kind—false documents, lying, exceeding authority, or violating an employer's policies.
As with any sampling application, the audit team is exposed to sampling risk
(the risk that the decision made based on the sample differs from the decision that would have been made if the entire population had been examined).
Inquiry
Be careful not to discuss fraud possibilities with the managers who might be involved. It gives them a chance to cover up their fraud or even resign from the organization prior to detecting the fraud
Audit Process to Evaluate the Effectiveness of ICFR (PCAOB AS No. 2201)
Phases of the engagement: 1. Planning the engagement. 2. Use a top-down approach (identify entity-level controls; walkthroughs). 3. Testing controls (design effectiveness; operating effectiveness). 4. Evaluating identified deficiencies (deficiencies; significant deficiencies; material weaknesses). 5. Wrapping up (unqualified opinion; disclaimer of opinion; adverse opinion). 6. Reporting on internal control.
Conditions of the "fraud triangle"
The first condition (incentive/pressure) recognizes that an employee or a manager of a company is likely to either have incentives in place (e.g., bonus compensation) or be under significant pressure to meet specific estimates, forecasts, or expectations about net income. The second condition (opportunity) recognizes that in order for a fraud to be perpetrated, there must be a weakness in the system of internal control to allow the fraud to occur. Finally, the third condition (attitude/rationalization) recognizes that for an employee or a manager of a company to perpetrate a fraud, the individual must possess an "attitude" that allows her or him to rationalize that she or he is knowingly committing a crime.
reporting on IC
The next step in the process is reporting on internal control over financial reporting. For the auditors' report on internal control, two options are available. One option is to have two separate reports: one on the fairness of the entity's financial statements (presented earlier in Chapter 2) and a separate report on internal control over financial reporting. Each report would be separately titled, dated (although using the same date), and signed. The auditors' separate report on internal control is discussed in detail in the following section. The second option is to prepare a combined report that expresses one opinion on the financial statements and a second on the effectiveness of internal control over financial reporting.
Generally accepted auditing standards do not require the use of statistical sampling procedures.
The use of nonstatistical sampling methods is often justifiable when the costs of using statistical sampling methods exceed the benefits of doing so. However, nonstatistical sampling should not be used solely as a means to reduce sample sizes.
With respect to the study and evaluation of the client's internal control, the audit team's objective is to determine whether they can rely upon important control policies and procedures to prevent or detect financial statement misstatements.
The use of sampling in this context is referred to as attributes sampling
To achieve the specific objectives for each of these categories of objectives, the COSO report defines five basic components of a properly designed internal control system. The five components are
(1) control environment, (2) risk assessment, (3) control activities, (4) monitoring, and (5) information and communication.
If an employee has diverted customer payments for his or her own use, the canceled checks showing endorsements and deposits to a bank where the company has no account are not available because they are returned to the issuing customer
Ask the customer to give originals or copies (front and back) or to provide access for examination.
custody
Blank documents such as blank checks should be kept secure at all times. If unauthorized persons can obtain a blank check, they can be in another country before an embezzlement is detected.
To select an MUS sample, the audit team calculates a sampling interval by dividing the recorded account balance by the necessary sample size.
In the examination of accounts receivable, recall that the transactions were recorded at $12,563,336 and that the audit team determined a sample size of 85 items.
COSO
internal control components
MUS is one method of variables sampling the audit team uses in performing substantive procedures;
it selects individual dollars from an account balance for verification.
Beyond a strong control environment, management must be sensitive to the
needs of the business by instituting controls that will prevent or detect fraud without impeding business activity.
Measuring sample items is the step in the sampling process when nonsampling risk can occur. Nonsampling risk is the
risk that the audit team's sample provides an incorrect conclusion for reasons other than the representativeness of the sample. For example, the audit team could make an unintentional error in evaluating evidence (such as classifying a deviation as a nondeviation or vice versa) or may fail to recognize that initials on a document are not those of an appropriate individual.
One way to detect inappropriate computer usage is by
specifying a planned schedule for running large-scale computerized applications.
One of the major disadvantages of sampling is
that the decision made based on the sample could differ from the decision that would have been made after examining the entire population. This disadvantage (referred to as sampling risk) can be overcome to some extent through the use of statistical sampling methods.
Horizontal and vertical ratio analysis procedures are
very similar to preliminary analytical procedures explained in earlier chapters.
an important feature of an effective internal control system is the separation of duties and responsibilities for
(1) transaction authorization, (2) record keeping, (3) custody of or access to assets, and (4) reconciliation of actual assets to the accounting records.
•A motive, in the fraud context, is some kind of pressure a person experiences and believes to be unshareable with friends and confidants:
-Actual or perceived need for money (Economic motive) -"Habitual criminal" who steals for the sake of stealing (Psychotic motive) -Committing fraud for personal prestige (Egocentric motive) -Cause is morally superior, justified in making others victims (Ideological motive) incentive/pressure
testing controls
After identifying significant controls over financial reporting in the previous step, the audit team decides which controls to test. The evaluation and testing for each assertion must be performed on an annual basis. After an understanding of internal controls is gained through inquiry, document examination, and observation, the controls are evaluated for the possibility that they would not prevent or detect a misstatement. The tests of operating effectiveness are similar to a test of controls discussed previously. A sample of transactions is examined using inquiry, observation, document examination, and reperformance. The more risk associated with a control, the more persuasive evidence is required for testing. Tests of controls are not performed if the internal control system design is not considered effective. Only the control activities for each relevant assertion that the auditor is relying on to mitigate the risk of material misstatement need to be tested.
Selection and development of control activities.
Has the audit client's management team selected and developed control activities considering their cost and their potential effectiveness in mitigating the risks identified?
Defining the population can sound straightforward, but it must be defined carefully to be able to meet the objective of the sampling application.
In our example, the population is defined as all members of Healthy Bodies clubs. If the population is defined more broadly (all residents of the city in which Healthy Bodies is located) or narrowly (all members of Healthy Bodies who are currently enrolled in an aerobics program), the results will not appropriately represent the population of interest.
Internal Control Questionnaires
Perhaps the most efficient means to begin gathering evidence about an entity's internal control is to conduct a formal interview with knowledgeable managers using the checklist form of internal control questionnaire. This questionnaire is typically organized under headings that identify questions related to relevant themes like the control environment and relevant management assertions. Not all questionnaires are organized like this, so audit teams need to know the general objectives in order to know whether the questionnaire is complete. Likewise, if you are assigned to prepare an internal control questionnaire, you will need to be careful to include questions about each relevant assertion.
Auditor Focus - Risk Assessment
Should examine management's process for: (1) assessing risks relevant to financial reporting objectives, including fraud risk; (2) assessing the likelihood and significance of risk of misstatements due to fraud; (3) deciding about actions to address these risks.
The cash should be sent to the cashier or treasurer's office where a bank deposit is prepared and the money is sent to the bank daily and intact. (No money should be withheld from the deposit.)
The list or remittance advices go to the accountants (controller's office), who record the cash receipts. (You have prepared a "remittance advice" each time you write the amount enclosed on part of your credit card bill, tear it off, and enclose it with your check.)
Periodic reconciliation of existing assets to recorded amounts.
This duty refers to making comparisons at regular intervals and taking appropriate action with respect to any differences.
recording transactions
This duty refers to the accounting and record-keeping function, which in most organizations is delegated to a computerized information system. People who control computerized processing are the record keepers
Document Examination
When performing this procedure, auditors will look for erasures, alterations, and photocopies where originals should be filed, telltale lines from a copier when a document has been pieced together, handwriting, and other oddities. Auditors should always insist on seeing original documents instead of photocopies. Importantly, while professional document examination is a technical activity that requires special training (e.g., training by the IRS, FBI), crude alterations may still be observed by the auditor when performing procedures, which should lead to a consultation with a professional document examiner when deemed necessary.
The information system produces a trail of activities (often referred to as an audit trail) from data identification to reports.
You can visualize that the audit trail begins with the source documents (purchase orders, sales orders, etc.) and proceeds through to the financial reports. Auditors often follow this trail frontward and backward, identifying and testing relevant control activities along the way. They follow it backward from the financial reports to the source documents to determine whether everything in the financial reports is supported by appropriate source documents (the occurrence assertion). They follow it forward from source documents to reports to determine whether everything that happened (i.e., transactions) was recorded in the accounts and reported in the financial statements (the completeness assertion).
Hiring and firing policies are important. Background checks on prospective employees are
advisable and very good business practice.
All organizations have unique features, and answers to the questions should not be
taken as final and definitive evidence about how well controls actually function.
A very important characteristic of effective internal control is
an appropriate separation of duties or functional responsibilities
Four types of functional responsibilities should be performed by different departments or at least by different persons on the entity's accounting staff:
(1) authorization to execute transactions, (2) recording transactions, (3) custody of assets involved in the transactions, (4) periodic reconciliation of existing assets to recorded amts
Experience has shown that they have a low rate of repeat offenses if they are prosecuted, but
they have a high rate if not. Prosecution has the added benefit of sending the message that management does not believe that fraudulent activity is acceptable.
A common feature of cash management is to require that persons who handle cash be insured under a
fidelity bond, which is an insurance policy that covers most kinds of cash embezzlement losses. Fidelity bonds do not prevent or detect embezzlement, but the failure to carry the insurance exposes the company to complete loss if embezzlement occurs. Moreover, bonding companies often perform their own background checks of employees before bonding them. Auditors often recommend fidelity bonding to small companies that might not know about such coverage.
The three conditions that are likely to be present when a fraud occurs (Exhibit 6.1) are commonly referred to as the
fraud triangle
attributes sampling
is used to determine the extent to which some attribute (or characteristic) exists within a population of interest. In tests of controls, that attribute is whether a specific control was properly applied by client personnel and is appropriately functioning to prevent or detect material financial statement misstatements.
although almost all organizations employ computerized information processing,
manual controls over certain information processing activities remain important in most systems.
Classical variables sampling uses
normal distribution theory and the central limit theorem to provide a range of either the recorded balance of the account balance or class of transactions or the misstatement in the account balance or class of transactions.
The company's bank reconciliation is the
primary document used to test the cash balance in the financial statements. The amount of cash in the bank is almost always different from the amount in the general ledger (financial statements), and the reconciliation is designed to explain the difference between these two amounts.
Generally, the evidence that is gathered from a computer forensic investigation is
subject to the same rules of evidence as manual data in the eyes of law enforcement
Although the risk of underreliance is also a form of sampling risk, this risk will actually result in
the audit team achieving a lower level of audit risk than planned. Therefore, in an attributes sampling plan, the audit team will typically control only the exposure to the risk of overreliance in determining the appropriate sample size.
If the auditors commit the risk of incorrect acceptance and conclude that the account is not misstated, they most likely do not perform additional procedures or examine additional items related to that account balance or class of transactions. As a result,
the auditors conclude that the account balance is fairly stated when, in fact, it is materially misstated. This is the basic definition of detection risk. The ultimate result of failing to propose an adjustment to materially misstated financial statements is issuing an unmodified opinion on financial statements that are materially misstated, resulting in a reputation loss or litigation by shareholders and other third parties relying on the auditors' work. This results in an effectiveness loss for the auditors because they made an incorrect conclusion with respect to the client's account balance.
In the professional auditing standards, the concept of reasonable assurance recognizes that
the costs of controls should not exceed the benefits that are expected from the controls. Hence, an entity can decide that certain controls are too costly considering the risk of loss that can occur.
Statistical sampling methods control
the individual's exposure to sampling risk by selecting a sufficient sample size and evaluating sample results in such a way to control sampling risk
One final and very important consideration made by the audit team when gaining an understanding of this component relates to the
use of information produced by the company during the audit.
To evaluate the sample results, the sample average must be
"adjusted" to control for the acceptable level of exposure to sampling risk (in this example, 10 percent). This is done by forming a range of estimates that have a certain probability of including the true (but unknown) population value. Assume that we can conclude with 90 percent probability that the true population average reduction in resting heart rate is between 15.5 bpm and 19.5 bpm (the sample estimate of 17.5 bpm plus and minus a 2.0 bpm adjustment factor)
audit committee duties
Appointment, compensation, and oversight of the public accounting firm conducting the entity's audit. Resolution of disagreements between management and the audit team. Oversight of the entity's internal audit function. Approval of nonaudit services provided by the public accounting firm performing the audit engagement. Oversight of anonymous fraud hotline designed to provide employees a confidential effective manner to report possible financial reporting issues. Authority to engage legal counsel in the event of management fraud.
Fraudsters often exhibit these behaviors:
Experience sleeplessness. Drink too much. Take drugs. Become irritable easily. Can't relax. Get defensive, argumentative. Can't look people in the eye. Sweat excessively. Go to confession (e.g., priest, psychiatrist). Find excuses and scapegoats for mistakes. Work standing up. Work alone. Work late frequently. Don't take vacations.
At this point, the audit team has learned the design of controls (or how those controls are intended to function).
However, this does not inform the audit team as to the operating effectiveness of controls unless there is some automation that provides for the consistent application of the operation of the control. Additionally, reperformance of critical controls along the transaction trail can take place at this time to provide evidence of operating effectiveness.
For example, someone not involved in accounting for payroll should not be able to pick up blank time cards.
Only authorized persons should be able to obtain blank checks after signing for them. Sometimes, access to blank forms is the equivalent of access to an important asset. For example, someone who has access to blank checks has a measure of actual custody and access to cash.
Generally, the most effective test of controls is reperformance.
Reperformance can involve any client internal control activity, such as the detailed review of the monthly bank reconciliation by the entity's CFO. For this control, the auditor would follow up on each reconciling item reviewed by the CFO and then reperform each of the mathematical calculations. The key difference between document examination and reperformance is that with the former, audit teams inspect documents for evidence that employees have performed the control activity; reperformance provides direct evidence that the control activity was (or was not) done correctly.
Audit of Cash
The first procedure in an audit of cash is to obtain a bank reconciliation for each cash account and audit them in the following manner:
• Balance per bank
  - CONFIRM (STANDARD BANK CONFIRMATION) directly with bank
  - Agree amount to CUTOFF BANK STATEMENT
• Add deposits-in-transit
  - TRACE to cash receipts journal
  - VOUCH to CUTOFF BANK STATEMENT
• Subtract Outstanding Checks
  - VOUCH to cash disbursements journal
  - TRACE checks cleared from cutoff bank statement
• Add/Subtract other Debit/Credit Memos
  - Inspect bank credit/debit memo and audit for reasonableness. Examine relevant supporting documentation.
• calc Balance per books
  - FOOT (add it up) the entire reconciliation for mathematical accuracy
  - TRACE the amount to the trial balance
PCAOB explicitly includes parts or all of the COSO framework elements.
This is deliberate. If the audit team decides that an entity-level control sufficiently reduces a specific risk of material misstatement for a relevant assertion, it may not need to delve further into transaction-level controls (discussed next) related to that risk. For example, if a chief financial officer who is very familiar with the company's payroll process performs reviews of weekly payroll reports and investigates discrepancies thoroughly, this may provide a control that is sufficient to meet the internal control objectives for payroll reporting (i.e., address or mitigate the risk of material misstatement for each of the relevant assertions for payroll expense).
Evidence obtained through the interview process is categorized as
inquiry-level info that is not sufficient to demonstrate the operating effectiveness of a control activity. The person being interviewed could always give answers that reflect what the system should be rather than what it really is. The person can be unaware of informal ways in which duties have been changed or can be innocently ignorant of the system details. Nevertheless, interviews and questionnaires are useful for detecting control weaknesses. An auditor should always consider the possibility that a respondent admits that a control is weak.
upper limit on misstatements (ULM)
is the sum of the three components discussed in this subsection: the projected misstatement, the incremental allowance for sampling risk, and the basic allowance for sampling risk. The upper limit on misstatements is the amount that has a (1 − Risk of incorrect acceptance) probability of equaling or exceeding the true amount of misstatement in the population. Stated another way, there is a (risk of incorrect acceptance) probability that the true amount of misstatement in the population exceeds the upper limit on misstatements.
audit risk
is defined as the risk that auditors will issue an unmodified opinion on financial statements that contain a material misstatement. Audit risk is manifested when a material misstatement enters the financial reporting process (inherent risk) that the client's internal controls do not prevent or detect (control risk) and that the auditors' substantive procedures do not detect (detection risk).
Sampling risk occurs because of a nonrepresentative sample, which is a
sample that differs substantially on one or more key characteristics of interest from the population from which the sample is drawn.
differences between internal control audits and financial statement audits
scope is different. reporting for fs audit will also include paragraph that refers to ic audit for public.
Cash Receipts: Process Activities
• Receive cash and remittance advice in mail
• Prepare remittance listing
• Enter total from remittance listing (or remittance advice) in cash receipts journal
• Prepare deposit slip and deposit cash receipts in bank (intact and daily)
• Record update to subsidiary accounts receivable using remittance advice
• Reconcile remittance listing, subsidiary accounts receivable, and deposit slip daily
In many situations, an individual employee initially receives cash and checks and thus has custody of the physical cash for a short time. Because this initial custody cannot be avoided, it is always a good control to
(1) have two people open the mail containing customer receipts, if possible, resulting in joint custody; (2) endorse the checks immediately after removing them from the envelope; (3) prepare a list of the cash receipts as early in the process as possible; and then (4) separate the actual cash from the record-keeping documents.
the basic three-step approach for using the audit risk model to plan an engagement:
1. Set audit risk at desired levels (normally, low). 2. Assess risk of material misstatement, which incorporates inherent risk based on the nature of the account balance or class of significant transactions and control risk based on gaining an understanding of internal control. 3. Determine detection risk at the significant account and assertion level based on the level of audit risk and risk of material misstatement.
Evaluating identified deficiencies
An internal control deficiency—whether resulting from a design or an operating deficiency—exists when either the design or the operation of the control under consideration does not allow the entity's management or employees to detect or prevent misstatements in a timely fashion. A design deficiency is a problem relating to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control's objective. An operating deficiency, on the other hand, occurs when a properly designed control is either ignored or inappropriately applied (possibly because employees are poorly trained). More serious internal control deficiencies can be categorized into one of two groups—significant deficiencies or material weaknesses—depending on their severity. A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis. The following circumstances should be regarded as strong indicators that a material weakness exists: Restatement of previously issued financial statements to reflect the correction of a material misstatement. Evidence of material misstatements (identified by the audit team) that were not prevented or detected by the client's internal controls. Ineffective oversight of the financial reporting process by the entity's audit committee. Indication of fraud (either material or immaterial) by senior management. A significant deficiency is a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. The primary difference between a significant deficiency and a material weakness involves the magnitude of the potential misstatement that could occur and would not be detected on a timely basis.
As the potential misstatement reaches overall materiality, an auditor may conclude that a material weakness exists. The final conclusion is always a matter of professional judgment.
Using Top-down approach:
As mentioned earlier, the top-down approach focuses on the threats to the integrity of the external financial reporting process. The audit team's first step in gaining an understanding of the client's internal control system should focus on entity-level controls (ELCs) because they can have a pervasive impact on control activities at the process, transaction, or application level. The team next moves down to the significant accounts and disclosures and their relevant assertions. By relevant, we mean that the assertion has a reasonable possibility of containing a material misstatement. The audit team is required to understand the internal control process over financial reporting. This aspect of the standard emphasizes performing a walkthrough of the internal control process by the audit team members.
Commercial deposit slips have multiple copies. The bank runs these copies through the teller machine, which imprints the time, date, account, and amount on each copy.
At least one copy is returned to the person making the deposit, who returns the copy to the company as evidence that the deposit was made. If the cash received during the day is maintained intact, the information on all three items should match.
The following provides a general overview of how audit teams control this risk:
1. Establish the desired level of audit risk. 2. Based on the susceptibility of the account balance or class of transactions to misstatement, assess inherent risk. 3. Based on the effectiveness of the client's internal controls in preventing or detecting misstatements, assess control risk. 4. Based on the use and ability of analytical procedures to detect misstatements, assess analytical procedures risk. 5. Using the audit risk model and considering the risks in (1) through (4), determine the tests of details risk (which reflects the nature, timing, and extent of the audit team's substantive tests).
A typical white-collar criminal:
Has education beyond high school. Is likely to be married. Is a member of a mosque, temple, or church. Ranges in age from teens to over 60. Is socially conforming. Has an employment tenure from 1 to 20 years (although the scale of the fraud typically increases with tenure as the employee becomes more trusted). Has no arrest record. Usually acts alone (70 percent or more of incidents).
Several limitations to internal control systems prevent management from obtaining complete assurance that controls are absolutely effective:
Human error due to mistakes in judgment, fatigue, and carelessness can still occur. Although controls are implemented to prevent and detect errors, deliberate circumvention by people in the system can still occur. Because most internal controls are directed at lower-level employees, management override can occur. For example, it is often possible for management to override controls by force of authority (i.e., if the CEO says to do something, most employees will). Although separation of duties can be extremely effective in an internal control system, collusion among people who are supposed to act independently can lead to a failure in the achievement of relevant internal control objectives.
internal control questionnaires tend to be inflexible.
If a key question is not included on the list because the question is unique to a client, the auditor might not even know to ask the question. Thus, for new clients, other methods of gaining an understanding that are tailored to the client are preferable.
Which of these risks is of more concern to auditors?
If the auditors commit the risk of incorrect rejection and initially conclude that the account balance is misstated, the client typically requests that the auditors expand the sample size or gather additional evidence before making an adjustment to the financial statements. As this occurs and as the sample becomes more representative of the population, the auditors ultimately reach the correct conclusion. What is the cost to them? They were required to perform additional substantive procedures beyond those performed to control detection risk to acceptable levels. Thus, the incorrect rejection causes an efficiency loss for the auditors.
At a minimum, auditors are required to document that understanding in the workpapers.
In fact, auditors are also likely to evaluate the design, implementation, and operating effectiveness of identified internal control activities related to fraud risks that exist. Importantly, an entity's internal control cannot thwart or detect all fraud schemes. Inherent limitations in internal control (such as collusion among employees) prevent complete assurance that every fraud scheme will be detected before a loss is incurred. For this reason, the entity's auditors, accountants, and security personnel must be acquainted with the basics of fraud awareness. Although the professional auditing standards concentrate on fraudulent financial reporting—the production of materially false and misleading financial statements—the standards also require auditors to pay particular attention to employee fraud perpetrated against a client for at least two reasons. First, it is possible that employee fraud can result in a material financial statement misstatement to the extent that a crime was covered up using the financial statements. Second, audit clients always want to know if they are being robbed by their employees, regardless of the amount being stolen!
Many companies have anonymous hotlines for reporting ethical problems.
Indeed, companies that must comply with the Sarbanes-Oxley Act of 2002 are required to maintain an anonymous employee hotline. Usually, the best kind of hotline arrangement is to have the responding party be a third-party agency outside the organization. In the United States, some external providers are in the business of being the recipients of hotline calls and coordinating their activities with the audit committee or the internal audit department of the various organizations to whom they provide this service.
The resulting report, the COSO framework, issued in 1992 defined internal control as follows:
Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories: Reliability of financial reporting. Effectiveness and efficiency of operations. Compliance with applicable laws and regulations.
The cash disbursements journal is the company's checkbook
It contains all detailed entries for checks written during the period being audited (cash disbursements). Because all cash disbursements (other than those from a petty cash or payroll account) should be made via check or electronic transfer, the cash disbursements journal contains the cash credit entries that provide a population for testing cash disbursements. It also contains the adjusting and correcting entries that can result from the bank account reconciliation. These entries are important because they may signal the types of accounting errors or manipulations that occur in the cash disbursements accounting. The cash disbursements journal is usually inspected for suspect items such as checks made out to "cash" or "bearer." In addition, company procedures should require that "voided" checks be retained and auditors should review these checks to ensure they were in fact actually voided and have not been recorded in bank statements.
The following are advantages associated with the use of MUS:
MUS typically results in relatively smaller sample sizes (in terms of the number of transactions or components selected for examination) compared to classical variables sampling. MUS samples typically include transactions or components reflecting relatively large dollar amounts. MUS is more effective in identifying misstatements in accounts when overstatement is the primary concern (such as revenues and assets). MUS is generally simpler to use than classical variables sampling, which often requires complex calculations.
Another method of long-term fraud prevention, however, lies in the treatment of people within an organization.
Managers and supervisors at all levels can exhibit a genuine concern for the personal and professional needs of their subordinates and fellow managers, and subordinates can show the same concern for each other and their managers.
flowcharts
Many control-conscious companies have their own flowcharts that the audit team may use as a starting point instead of constructing their own from scratch. The advantages of flowcharts can be summarized by an old adage: "A picture is worth a thousand words." Flowcharts tend to help the audit team assess the key control points in the process and can be helpful in identifying missing controls.
effective monitoring involves ongoing evaluation of the controls. Some common monitoring controls include
Periodic evaluation of controls by internal audit. Analysis of and appropriate follow-up of operating reports or metrics that might identify anomalies indicative of a control failure. Supervisory review of controls, such as reconciliation reviews as a normal part of processing. Self-assessments by boards and management regarding the tone they set in the organization and the effectiveness of their oversight functions. Audit committee inquiries of internal and external auditors. Quality assurance reviews of the internal audit department
In 1985, in response to a report by the National Commission on Fraudulent Financial Reporting (referred to as the Treadway Commission after its first chair, former SEC commissioner James Treadway), a group of professional organizations met to determine what business entities could do to improve financial reporting.
Representatives from the Financial Executives Institute, the American Accounting Association, the Institute of Internal Auditors, the Institute of Management Accountants, and the American Institute of Certified Public Accountants—collectively referred to as the Committee of Sponsoring Organizations, or COSO—debated internal control theory and definitions.
However, for audits of nonpublic companies, after the audit team members have documented their understanding of the entity's internal control, an important decision needs to be made:
Should the audit team perform tests of the operating effectiveness of those controls? Audit teams may choose not to do so for one of two reasons. First, the audit team could conclude that the internal control system is too ineffective in preventing or detecting misstatements to rely upon justifying reductions of subsequent audit procedures for the relevant assertions. This conclusion is equivalent to assessing control risk at the highest level and specifying extensive substantive procedures such as confirmation of all customer accounts as of year-end. Consider for a moment the Krispy Kreme management report presented earlier that identified significant material weaknesses in the internal control system. In such a situation, the audit team would have to make sure that the audit is conducted in an effective manner by conducting significant substantive testing.
Although audit teams never know the true population rate of deviation with any certainty, they can use sampling tables to "adjust" the sample rate of deviation to one that has a certain probability of equaling or exceeding the true rate of deviation.
Simply stated, this adjusted rate (the upper limit rate of deviation, or ULRD) provides a conservative estimate of the population rate of deviation that allows the audit team to control exposure to sampling risk to acceptable levels.
For the control related to the accuracy assertion, since the ULRD (15.4 percent) exceeds the tolerable rate of deviation (10.0 percent), the audit team has one of two options.
The first option is to reduce the planned degree of reliance on internal control, increase the planned level of control risk, and reduce the planned level of detection risk by performing more effective substantive procedures. Referring to Exhibit F.1, assume that a tolerable rate of deviation of 16 percent corresponds to a control risk assessment of 0.80 (slightly below maximum). Thus, without gathering any further evidence, the audit team could increase the assessment of control risk from 0.50 (moderate) to 0.80 (slightly below maximum) and correspondingly decrease the necessary level of detection risk. This decrease in the necessary level of detection risk would require the audit team to perform more effective substantive procedures.
When audit teams reach the third phase of an evaluation of internal control, they already have identified specific control activities for relevant assertions on which risk could be assessed below the maximum (100 percent).
This is often referred to as controls on which the audit team intends to rely.
Covert Surveillance
When performing this procedure, auditors will observe activities while not being seen. For example, audit team members might watch employees as they punch in to a work shift, observing whether they use only one time card. Casino auditors actually get paid to gamble so they can observe cash-handling procedures. Traveling hotel auditors may check in unannounced, use the restaurant and entertainment facilities, and observe employees to determine if they are stealing cash receipts or tickets. (Trailing people on streets, undercover surveillance, and maintaining a "stake-out" should be left to trained investigators.)
unrestricted Random Selection (Random Selection)
When using unrestricted random selection (random selection), the audit team identifies a series of random numbers from either a random number table or computer program and selects the numbered item in the corresponding population. For example, if the team identified 120, 268, and 341 from a computer program, they would identify the 120th, 268th, and 341st members from a prenumbered listing and include these members in their test.
authorization
Cash disbursements are typically authorized by an accounts payable department's assembly of purchase orders, vendor invoices, and internal receiving reports to demonstrate a valid obligation to pay. This assembly of supporting documents is called a voucher and will be discussed in more detail in Chapter 8. (Accounts payable obligations usually are recorded when the purchaser receives the goods or services ordered.) A person authorized by management signs the checks. A company may have a policy to require two signatures on checks over a certain amount (e.g., $50,000). Vouchers should be marked "PAID" or otherwise stamped to show that they have been processed completely so they cannot be paid a second time.
According to the professional standards, a financial statement assertion is relevant if it has
a "reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated."
An opportunity is an open door for solving the unshareable problem by violating some type of trust. The violation may be
a circumvention of existing internal control activities, or it may be simply taking advantage of an absence or lapse of a control activity in an entity.
Another variation of attributes sampling is discovery sampling
a form of attributes sampling that is used when deviations from controls are very critical yet are expected to occur at a relatively low rate. Discovery sampling should be used when a control is extremely important for the audit team's examination or when the audit team suspects the existence of fraud.
The professional standards recognize that to make effective decisions, managers must have
access to timely, reliable, and relevant information.
In conducting walkthroughs, the auditors select examples of a transaction (in this case, customer remittance advices)
and "walk them through" the information-processing system from their initial receipt all the way to their recording in the accounting records. Sample documents are collected, and employees in each department are questioned about their specific duties. The walkthrough, combined with inquiries, can contribute evidence about appropriate separation of duties, which might be a sufficient basis for a preliminary assessment of control risk. However, a walkthrough is too limited in scope to provide evidence of whether the client's control activities were operating effectively during the period under audit. Rather, to justify a low control risk assessment and a reduction of substantive testing procedures, an auditor would have to conduct a test of operating effectiveness for the control activity under consideration.
Tests of controls, when performed, should be
applied to samples of transactions and control activities executed throughout the period under audit. The reason for this requirement is that the conclusions about controls will be generalized to the whole period under audit. If the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, additional audit evidence should be obtained for the remaining period. There are certain situations when audit teams can rely on tests from previous periods if they have evidence that the procedure has not changed and the auditor does not believe there is a significant risk of material misstatement. However, in an annual audit, the auditor may not rely on audit evidence about the operating effectiveness of controls obtained in prior audits for controls that have changed since they were last tested or for controls that mitigate a significant risk.
The audit team controls this sampling risk (referred to as the risk of overreliance or the risk of assessing control risk too low) in determining the
appropriate sample size and evaluating the sample results.
Incompatible responsibilities
are combinations of responsibilities that place a person alone in a position to create and conceal misstatements due to errors or frauds in her or his normal job. Duties should be divided so that no one person can control more than one of these responsibilities. If different departments or persons are forced to deal with these different facets of transactions, frauds are more difficult to commit because they would then require collusion of two or more persons, and most people hesitate to seek the help of others in order to conduct wrongful acts. A second benefit of separating duties is that by acting in a coordinated manner (handling different aspects of the same transaction), innocent errors are more likely to be found and corrected. The old saying is "Two heads are better than one."
Another important difference between AS 2201 internal control audits and GAAS financial statement audits is that the audit of internal control is
as of the end of the fiscal year, whereas, for audits of the financial statements, the audit team must understand and evaluate internal control for the entire period to determine its effect on the nature, timing, and extent of further audit procedures.
Internal control is assessed in a top-down manner by which
audit teams first identify accounts that may contain significant risks of material misstatement. Audit teams then identify which relevant assertions may be misstated. After determining "what can go wrong," audit teams examine entity-level controls that might mitigate the risk of material misstatement. Finally, audit teams identify transaction level controls that would mitigate any residual risks. If the audit team relies on controls, it must test the controls to ensure they are operating effectively. Where controls are not in place to reduce the risk, or if testing the controls would not be cost effective, substantive tests are designed to identify any material misstatements.
If the internal control activities are not operating effectively (e.g., because personnel in the organization are not performing the cash control activities very well),
auditors may need to expand substantive audit procedures to ensure that the cash balance is not materially misstated and to identify possible fraudulent acts related to cash.
Observation occurs when auditors
have eyewitness observation of employees at their jobs performing control activities. Observation is typically used when certain control activities, such as separation of employees' duties, leave no documentary evidence for subsequent examination. Observation also can produce evidence of access controls such as the use of password-secured access to the computerized information system, locked doors, and security guards. The limitation of observation is that this test of control is performed as of one point in time (usually near year-end), and what is observed at that point in time may not be representative of prior time periods.
If the results are clearly acceptable or clearly unacceptable, the audit team
can draw its conclusion; if the results are inconclusive, the audit team can go forward and examine additional items.
Once calculated, the ULRD is compared to the tolerable rate of deviation. If the ULRD is less than the tolerable rate of deviation, the audit team
can rely on internal control as planned and accept the planned level of control risk. If the ULRD is higher than the tolerable rate of deviation, the audit team can either increase the assessed level of control risk (which will increase the necessary level of substantive procedures) or expand the sample to attempt to provide a ULRD that is lower than the tolerable rate of deviation.
there is overlap between these two goals (i.e., mitigating the risk of material misstatement and preventing employee fraud), meaning that
certain control activities may help to achieve objectives at an audit client. However, to help improve your understanding of both objectives, we now consider these topics separately.
Strictly speaking, your common sense is accurate;
clearly, the sample size for a population of 10 items would be smaller than for a population of 1,000 items. However, once a population reaches a certain size, any increase has a minimal effect on sample size. As a result, unless the population size is very small (which is not common for most attributes sampling applications), the audit team does not consider population size in determining sample size to a great extent.
In addition to expressing an opinion on the effectiveness of the entity's internal control over financial reporting, the audit team also should evaluate the
completeness and presentation of management's annual report on internal control over financial reporting. Among other factors, the audit team also must obtain written representations from management that explicitly acknowledge: It is responsible for effective internal control over financial reporting. It has evaluated the effectiveness of the internal control over financial reporting. It has disclosed all internal control deficiencies and frauds to the audit team.
Although auditing standards concentrate on management fraud—the production of materially false and misleading financial statements (i.e., fraudulent financial reporting)—professional standards also require auditors to
consider employee fraud perpetrated against an entity. Attention to employee fraud is important in the context that the cover-up may create financial statement misstatements (e.g., overstating inventory to disguise unauthorized removal of valuable products).
Because the risk of overreliance results in the audit team's failure to reduce audit risk to acceptable levels (an effectiveness loss),
controlling exposure to this risk is of primary importance.
Most computerized accounting programs post the customers' accounts automatically by keying in the
customer identification number, and the computer program controls agreement.
The unique feature of MUS is its
definition of the population as the number of dollars (euros, yuan, yen, etc.) in an account balance or class of transactions.
concealment of the crime is a
distinguishing attribute of a fraud. Often, the audit team's first indication of a fraud is the identification of a control violation. Cover-up attempts generally appear in the accounting records.
After the sample is selected, the audit team performs tests of controls to determine whether the control is functioning as intended. A sample rate of deviation is determined by
dividing the number of deviations by the sample size; this rate is adjusted to control for the acceptable exposure to the risk of overreliance to determine the upper limit rate of deviation (ULRD). The ULRD is a measure that has a (1 - Risk of overreliance) probability of equaling or exceeding the true rate of deviation in the population.
Good auditors often change a question when they ask it, just to
ensure that the interviewee is listening and not giving only "yes" answers.
The projected misstatement assumes that the
entire sampling interval contains the same percentage of misstatement as the item examined by the auditor.
Audit teams usually know or suspect that some level of deviation occurs in the client's internal control activities; this rate is referred to as the
expected population deviation rate.
essentially, sampling trades effectiveness for
efficiency. That is, sampling allows an individual to obtain information about a population of interest in a fraction of the time it would take to examine the entire population. In other words, sampling is more efficient. However, because the individual is not examining all items in the population, there is a chance that sampling will not provide the correct answer to the question being examined. (Sampling is less effective.) Sampling is used when the gains associated with efficiency exceed the losses associated with effectiveness.
As in the evaluation of internal control, auditors do not expect account balance or classes of transactions to have zero misstatements but are concerned when these misstatements reach a level that would influence the decisions of those relying on financial statements (referred to as materiality). When performing substantive procedures, auditors
first determine the level of misstatement they are willing to accept without concluding that the account balance is materially misstated (tolerable misstatement). Next, based on a sample of transactions or components, the audit team will calculate a sample estimate of misstatement; similar to attributes sampling, this sample estimate of misstatement is then "adjusted" to a level that has a specified probability of equaling or exceeding the true level of misstatement (the upper limit on misstatements [ULM]). The ULM adds precision to the sample estimate of misstatement, allowing the audit team to control its exposure to sampling risk to desired levels.
When defining the population, the audit team also needs to determine the physical representation of the population. The physical representation is the
frame of reference that the audit team uses in selecting the sample, also referred to as the source of the sample. That is, the audit team will select the sample from the physical representation
the first step in testing the controls for cash disbursements is to
gain an understanding of the controls and document that understanding
Auditors' communications of significant deficiencies and material weaknesses are intended to
help management carry out its responsibilities for internal control monitoring and change. However, external auditors' observations and recommendations are usually limited to external financial reporting matters.
If control risk is assessed too low, the resulting detection risk is
higher than appropriate in the circumstances. When this occurs, the auditors' substantive procedures do not reduce the overall audit risk to an acceptable level. This happens because the auditors believe that internal control is more effective in preventing or detecting misstatements than is the case. The ultimate result of failing to reduce audit risk to an acceptable level is issuing an unmodified opinion on financial statements that are materially misstated, resulting in a reputation loss or litigation by shareholders and other third parties relying on the auditors' work. Therefore, assessing control risk too low exposes the auditors to an effectiveness loss.
Establishing the right tone at the top is an essential step toward building a strong fraud prevention program.
This tone is established by upper management, in large part, to demonstrate a commitment to integrity and high ethical standards in the completion of all activities throughout the organization
As a result, an entity's information system should be devised to
identify data from reliable external sources such as suppliers, customers, economic databases, and so on, as well as internal sources.
At this stage of the process, auditors are trying to identify the controls that may be relied upon as part of the overall audit process. To do so, auditors need to
identify the controls that they believe will mitigate the risks of material misstatement that have been identified for each of the relevant assertions. Ultimately, these controls would have to be tested before the audit team could rely on them to reduce substantive testing. However, it is important to point out that audit teams should not perform tests of controls for those controls that will not be relied upon because there is no need to prove that they are operating effectively. Doing so would be inefficient. Instead, the audit team would have to perform additional substantive procedures to compensate for the lack of internal controls that could be relied upon to obtain sufficient appropriate evidence that would allow the auditor to reach a conclusion for the related relevant assertions.
The second condition (opportunity) recognizes that
in order for a fraud to be perpetrated, there must either be a weakness in the system of internal control or an ability to circumvent the system.
an account's significance is based on its
inherent risk (i.e., the likelihood of containing a material misstatement before the consideration of internal control). Thus, audit teams focus on likely sources of significant misstatements. This determination is not based on quantitative measures alone, but it is unlikely that a large, material account balance would ever be omitted from consideration.
Once the items have been selected for testing, the four methods of testing controls are
inquiry, observation, document examination, and reperformance.
The PCAOB's AS 2201 defines additional responsibilities for management and public accounting firms' reports on
internal control stipulated by the Sarbanes-Oxley Act.
Block Selection
involves selecting a series of contiguous (or adjacent) items from the population. One example of block selection is the selection of the first 10 members from five pages of the membership roster for a total of 50 sample items. In this case, the population unit is really a list of members. Block selection is less desirable because it is difficult to efficiently obtain a representative sample; ordinarily, a relatively large number of blocks need to be selected to be representative.
Effective long-run prevention measures are complex and difficult,
involving the elimination of the causes of fraud by mitigating the effect of motive, opportunity, and lack of integrity.
The precision interval
is a range around the sample estimate that has a certain likelihood (equal to reliability) of including the true population value. In this example, the precision interval is 15.5 bpm to 19.5 bpm.
Embezzlement
is a type of fraud involving employees' or nonemployees' wrongfully taking money or property entrusted to their care, custody, and control, often accompanied by false accounting entries and other forms of lying and cover-up.
true balance
is the amount at which the account should be recorded if no misstatements exist.
chain of custody
is the crucial link of the evidence to the criminal suspect that bears directly on the relevance of evidence often referred to by attorneys and judges
misstatement
is the difference between the true balance and the recorded balance of the account. Variables sampling is used as the audit team performs substantive tests of details.
The reliability (or confidence level)
is the likelihood of achieving a given level of precision. In the example, the reliability is 90 percent, which is equal to 100 percent minus the acceptable sampling risk of 10 percent.
Sampling risk
is the likelihood that the decision made based on the sample differs from the decision that would have been made had the entire population been examined. There are two types of sampling risks for attributes sampling applications: the risk of underreliance and the risk of overreliance (sometimes referred to as the risk of assessing control risk too high and the risk of assessing control risk too low, respectively).
tolerable rate of deviation
is the maximum rate of deviations permissible by the audit team without modifying the planned assessed level of control risk. In determining the tolerable rate of deviation, the audit team should consider (1) the planned assessed level of control risk and (2) the degree of assurance desired by the audit evidence in the sample. Generally, if a control is judged to be more important and would result in a more significant reduction in substantive testing, the tolerable rate of deviation should be established at lower levels.
The precision (or allowance for sampling risk)
is the numeric distance from the estimated population value in which the true (but unknown) population value may lie with a given probability. In this case, the precision is 2.0 bpm.
Variables Sampling
is used to examine a population when auditors want to estimate the amount (or value) of some characteristic of that population. Auditors use variables sampling when performing substantive procedures to evaluate the fairness of an account balance or class of transactions.
Auditors can use another method to discover unrecorded cash transactions.
It is called a proof of cash. It is a reconciliation in which the bank balance, the bank report of cash deposited, and the bank report of cash paid are all reconciled to the corresponding records maintained in the entity's general ledger, cash receipts journal, and cash disbursements journal.
Haphazard Selection
items are selected in an unstructured manner but without intentional bias. Although this can be done in any number of ways, two ways are to identify items (members) as they arrived at the club or flip through membership rosters selecting items until a total of 50 were selected. Items chosen by haphazard selection are not taken in a careless manner, and the results are expected to be representative of the population.
When completing a fraud examination, auditors should
learn to mark the evidence, writing an identification of the location, condition, date, time, and circumstances as soon as it appears to be a signal of fraud. This marking should be on a separate tag or page; the original document should be put in a protective (plastic) envelope for preservation and locked away for protection. Then audit work should proceed with copies of the documents instead of originals
The audited value is the amount at which the
logical unit should have been recorded, assuming no misstatements or misapplications of generally accepted accounting principles.
Similar to cash receipts, for cash disbursements, effective internal control begins with
making sure that appropriate separation of duties has been achieved in an organization.
Management that performs frequent performance reviews has
more opportunities to detect errors in the records than management that does not. The frequency, of course, is governed by the costs and benefits. Subsequent action to investigate or correct differences is also important. Periodic comparison and action to correct errors lowers the risk that material misstatements due to error or fraud exist in the financial statement accounts.
Importantly, if the control activity has high risk, the audit team needs
more persuasive evidence about its operating effectiveness than it would for a lower risk control in order to determine if it is operating effectively. Since gathering more persuasive evidence is typically associated with a higher cost than gathering less persuasive evidence, if the audit team wants to achieve a lower control risk assessment, it will be more costly. This is why it may be more efficient for the auditor to choose not to rely on controls and instead rely on substantive testing procedures to gain assurance for certain significant accounts.
example
Important manual control activities over the purchasing and cash disbursement cycle include using purchase orders to ensure proper authorization (the occurrence assertion), matching vendor invoices with receiving reports and purchase orders to ensure that the quantity billed agrees with the quantity ordered and received at previously agreed-upon prices (the accuracy assertion), and using and accounting for prenumbered documents (checks, purchase orders, and receiving reports) to ensure that all transactions have been recorded (the completeness assertion). (Note: Failure to account for the numeric sequence of documents eliminates the benefit of prenumbering.)
The need for audit teams to control their exposure to audit risk (the risk that a material misstatement occurs, is
not prevented or detected by the client's internal control, and is not detected by the audit team's substantive procedures) has been discussed throughout the text.
Be Aware of Exceptions
•Missing documents. •Alterations on documents. •Photocopied documents. •Second endorsements on checks. •Unusual endorsements. •Old outstanding checks. •Unexplained adjustments to accounts receivable and inventory balances. •Unusual patterns in deposits in transit. •General ledgers that do not balance. •Cash shortages and overages. •Excessive voids and credit memos. •Customer complaints. •Common names or addresses for refunds. •Increased past due receivables. •Inventory shortages. •Increased scrap. •Duplicate payments. •Employees that cannot be found. •Dormant accounts that have become active.
According to GAAS, when auditing nonpublic entities, the audit team must
obtain an understanding of internal controls to determine the nature, timing, and extent of further audit procedures to be performed.
When evaluating the information and communication component of internal control, the "auditor should
obtain an understanding of the information system [emphasis added] including the related business processes, relevant to financial reporting. As part of that process, the auditor must seek to understand the nature of the underlying accounting records, supporting information and the accounts that are used to fully execute a transaction." The auditor should also understand "how the information system captures events and conditions, other than transactions, that are significant to the financial statements." Clearly, the size of the entity will have an impact on this component. However, regardless of the entity's size, the COSO framework establishes three principles that, if applied properly, will result in an effective evaluation of the information and communication component.
The process of obtaining an understanding of IC SHOULD
occur early in the audit engagement.
For the examination of AirCon's revenue cycle, the two major assertions of interest are
occurrence (does the recorded sale represent an actual sale made to a customer?) and accuracy (has the sale been recorded at the proper dollar amount?). Once the relevant assertions have been determined, the audit team then specifies one or more controls that, if functioning, allow the client to meet the recording objectives related to these assertions. The following is a summary of the assertions and one relevant control that will be tested
Given a choice of the two sampling risks, the risk of overreliance clearly is
of more concern to auditors than the risk of underreliance. As a result, auditors explicitly control their exposure to the risk of overreliance to acceptable levels when (1) determining the necessary sample size and (2) evaluating sample results.
Cash is highly liquid, very portable, and not easily identifiable. For these reasons, cash is
often the primary target of fraudulent activities and must be carefully controlled and monitored.
walkthrough
consists of a combination of inquiry of personnel, observation of an entity's operations, and document examination while tracing a single transaction through the entire audit trail from the beginning or the initiation of the transaction to its final inclusion in the financial statements. Each client employee involved is asked to demonstrate the procedures that he or she follows in processing the transaction. The walkthrough is an important step in awareness because, often, the information that is contained in manuals and understood by supervisors may not be the same as the procedures actually being performed. People can change procedures to make them more efficient, they can forget to perform procedures, they may go on vacation, they may intentionally not perform procedures, or the procedures may not be understood by a new person taking over that position.
Management's study of budget variances with follow-up action is an example of a
performance review.
The audit team must
plan and perform the audit to obtain reasonable assurance about whether the entity maintained effective control over financial reporting. The SEC understands reasonable assurance not to be absolute but a "high level of assurance" is expected. The focus in the professional standard is to determine whether a material weakness exists at the end of the year being reported on. If a material weakness exists, the entity's internal control over financial reporting cannot be considered effective. For the audit team, this duty entails an increased amount of testing for the internal control system
statistical sampling
plans apply the laws of probability to selecting sample items for examination and evaluating sample results. Specifically, statistical sampling methods enable the audit team to make quantitative statements about the results and to measure the sufficiency of evidence gathered (i.e., determine a sufficient sample size) and evaluate the results in such a way to control sampling risk
When performing variables sampling, the audit team has the
primary objective of determining whether an account balance or class of transactions is fairly stated. As with any sampling application, the audit team is exposed to sampling risk (the risk that the decision made based on the sample differs from the decision that would have been made if the entire population were examined). Using statistical sampling allows the audit team to control this sampling risk (referred to as the risk of incorrect acceptance) in determining the appropriate sample size and evaluating the sample results. Two primary statistical types of variables sampling plans are monetary unit sampling (MUS) and classical variables sampling (of these, MUS is more commonly used in practice).
MUS
provides an estimate of the amount of misstatement in the account balance or class of transactions. The distinguishing feature of MUS is that it tends to select higher dollar transactions or components within an account balance for examination
nonsampling risk
represents the probability that an incorrect conclusion will be reached as a result of reasons unrelated to the nature of the sample. Even if the auditors examine all items, they are still subject to nonsampling risk. Nonsampling risk typically occurs because of errors in judgment or execution. For example, if the engagement team incorrectly measures the resting heart rate of a member, the sample average will be incorrect and can result in an inappropriate conclusion. Note that this error is not caused by a nonrepresentative sample but by an evaluator error. In an auditing context, nonsampling risk arises when auditors use an inappropriate procedure or misinterpret evidence they have obtained.
Both the projected misstatement and the incremental allowance for sampling risk apply to
sampling intervals in which the audit team's substantive procedures revealed a misstatement. However, what about those sampling intervals in which no misstatement was discovered? For example, assume that the audit team evaluated an invoice recorded at $42,821 and found no misstatement. Is it reasonable to conclude that the entire sampling interval of $147,804 represented by that invoice contained no misstatements? To account for this possibility, the audit team calculates a basic allowance for sampling risk to provide a statistical measure of the misstatement that could be included in sampling intervals in which the audit team did not detect a misstatement.
Now assume that the measurements provided an average reduction of 11 bpm. In this case, the engagement team's conclusion that an aerobic program was not effective in reducing the resting heart rate would be incorrect because the true average reduction (unknown to the engagement team) is 18 bpm. This situation is an example of
sampling risk, which is the likelihood that the decision made based on the sample differs from the conclusion that would have been made if the entire population had been examined.
While all items have a chance to be selected, MUS tends to
select higher dollar transactions or components for examination. Although MUS will not always select the highest dollar transactions or components, it provides a relatively high probability that these components will be selected. (Any transaction that is higher than the sampling interval has a 100 percent chance of selection.)
When using MUS, the audit team normally
selects the sample items using a systematic random selection method. When a systematic method is used, the audit team determines a random starting point within the population, which represents the first item selected. The audit team then bypasses a fixed number of items in the population and selects the next item for examination.
The upper management team is responsible for
setting the tone at the top. To send the right message from the top, many organizations publish codes of conduct for employees. Some of these codes are simple, and some are very elaborate. Government agencies and defense contractors typically have the most elaborate rules for employee conduct. Sometimes these codes are effective; sometimes they are not. However, a code can be effective only if the control environment and tone at the top support it. When the chairman of the board and the president make themselves visible and living examples of the code of conduct, other people will then believe it is real. Subordinates tend to follow the boss's lead.
even if weak controls are functioning, they are
still weak and do not reduce the risk of material misstatement. There is one exception: You find that you were in error during the understanding of controls phase; there are additional controls about which you were unaware. In that case, lowering control risk could be justified.
controls over cash receipts and disbursements must be
strong
In general, a person acting alone or in a conspiracy who can perform two or more of these functions can commit a fraud by
taking assets, converting them, and then covering up the crime.
For private company audits, a second reason that audit teams might not test controls would be the
team's decision that it would take more time to test the operating effectiveness of the control activities than it would take to perform the substantive tests necessary for a relevant assertion (even if the controls turn out to be working well). In this situation, the cost of obtaining a low control risk assessment can be high. In this case, the conclusion is also equivalent to assessing control risk at 100 percent, but this time it is because the audit team has not conducted the tests of operating effectiveness of control activities, not because the team has concluded that controls are ineffective.
To support the reduced control risk assessment and the reduction of related substantive procedures for each relevant assertion, audit teams must
test the control activities to determine whether they are operating effectively throughout the period. The required level of effectiveness is a matter of professional judgment. Audit teams know that compliance cannot realistically be expected to be perfect. The auditors could decide, for example, that evidence such as 96 percent of recorded payroll being supported by validated time cards is sufficient to assess a "low" control risk for the occurrence assertion. Most public accounting firms have internal guidelines to determine the acceptable rate of compliance for an internal control activity to be considered effective. Generally, if a control is judged to be more important and would result in a more significant reduction in substantive testing, the level of compliance must be higher.
It is essential that auditors maintain their professional skepticism at all times throughout the engagement. In fact, professional standards require
that when auditors brainstorm about the potential for all types of fraud in an engagement the activity should "occur with an attitude that includes a questioning mind, and the key engagement team members should set aside any prior beliefs they might have that management is honest and has integrity."
does not allow them to conclude that the account balance is fairly stated. In this instance, one of two options exists
the audit team could increase the sample size and examine additional items. These additional items would effectively reduce the sampling interval, reducing the projected misstatement, incremental allowance for sampling risk, and basic allowance for sampling risk. If enough additional items are examined and no additional misstatements are detected, the recalculated upper limit on misstatements could fall below the tolerable misstatement of $628,167. If so, the audit team could conclude that the financial statements were not materially misstated. The audit team could recommend making an adjustment to the recorded balance of the client's accounts receivable. With an upper limit on misstatements of $650,000, an adjustment of $21,833 would result in a revised upper limit on misstatements of $628,167 ($650,000 − $21,833). This revised upper limit on misstatements allows the audit team to conclude that the account balance is fairly stated at a risk of incorrect acceptance of 10 percent.
In summary, MUS is best used when
the audit team expects to find few or no misstatements and when overstatement (existence assertion) is of greatest concern. In contrast, when a relatively large number of misstatements is expected or when understatement (completeness assertion) is of greatest concern, MUS is less effective.
The tests of details risk determined above dictates
the number of transactions or components of the account balance or class of transactions that are examined. As such, this risk is directly related to the audit team's need to select an appropriate sample of transactions or components of the account balance.
Auditors can perform tests of controls to determine whether company personnel are properly performing controls that are said to be in place. In general,
the procedures used in tests of controls are inquiry, observation, inspection, and reperformance.
Due to the nature of cash, the majority of audit clients have
strong controls over cash, and tests of controls often support a reduction in control risk. This reduction in control risk reduces the auditor's assessment of the risk of material misstatement over cash. However, regardless of the final assessment of the risk of material misstatement, as with any significant account, the auditor will perform at least some substantive procedures over cash.
When using MUS, the audit team calculates an
upper limit on misstatements, which has a (1 − Risk of incorrect acceptance) probability of equaling or exceeding the true amount of misstatement in the population. If the upper limit on misstatements is less than or equal to the tolerable misstatement, the audit team would conclude that the account balance is fairly stated; in contrast, if the upper limit on misstatements exceeds the tolerable misstatement, the audit team would either propose an adjustment to the account balance or class of transactions or expand the sample. MUS is unique in defining the sampling unit as an individual dollar in an account balance or class of transactions. As a result, MUS tends to select larger dollar components for examination.
Documentation of an entity's internal control system is accomplished through the
use of questionnaires, flowcharts, and narratives.
the firms either explicitly require the
use of statistical methods or ensure that the sample sizes and sampling conclusions reached with nonstatistical methods are comparable to those if statistical methods were used, suggesting that nonstatistical methods are not frequently used in practice
Much of the initial work, including documenting and testing controls, is done by employees of the client, management, the internal audit staff, and outside parties hired by management. AS 2201 encourages the audit team to
use the work of internal auditors and others, but the audit team members must evaluate the internal auditors' competence and objectivity and must perform some tests of their work. For more risky areas, audit teams should perform more of the work and the assessment of likely sources of misstatement themselves or supervise any others who assist them in the evaluation.
Classical Variables Sampling
uses the laws of probability and the central limit theorem to estimate either (1) the amount of misstatement in the account balance or class of transactions or (2) the true balance for an account balance or class of transactions.
The concept of reasonable assurance suggests that the client's internal control activities
will not function perfectly (i.e., a zero rate of deviation). Thus, some level of deviations is typically observed and is incorporated into the determination of sample size.
Fraud Prevention
• A strong control environment and tone at the top
  - Can have a pervasive effect on fraud prevention
• Managing people pressures in the workplace
  - Counseling services
  - Anonymous hotlines
  - Ethics officers
• Internal control activities and employee monitoring
  - Segregation of duties and responsibilities for transaction authorization, record keeping, custody of or access to assets, and reconciliation of actual assets to the accounting records.
• Tone at the top and integrity by example and enforcement
  - Management establishes commitment to integrity and high ethical standards
  - Accountability
  - Codes of conduct
  - Hiring and firing policies
  - Background checks prior to hiring
  - Prosecution of fraudsters
Audit Evidence Used to Test Cash
• Cash receipts journal (all increases in cash)
• Cash disbursements journal (all decreases in cash)
• Bank reconciliations
  - Year-end bank statement (from bank directly to auditor, from days from fiscal yr end to when audit finished, to see if checks cleared by yr end)
  - Cutoff bank statement
• Bank confirmations
• Schedule of interbank transfers (to look for kiting)
Other Extended Procedures for Detecting Fraud Involving Cash
• Count and recount petty cash on the same day (surprises client; make them sign)
• Examine endorsements on canceled checks (looking for handwritten and second endorsements)
• Retrieve customers' checks (taking checks and depositing in their own bank instead of your company's bank)
• Use marked coins and currency
• Analyze the mix of cash and checks in deposits
• Measure deposit lag time (compare date of deposit slip and when it's recorded in the ledger). Lapping: holding cash to cover next day. Delay. Lag time.
• Document examination (looking for photocopies, etc.)
• Inquiry (should not discuss fraud possibilities w/ mgmt because then they can cover it up, flee, or quit)
• Covert surveillance (observe w/o being seen)
• Horizontal and vertical analyses (ratio analysis; looking for relationships that don't appear logical)
• Net worth analysis (calc subject's NW at the beg and end of period and look for diffs)
• Expenditure analysis (look at subject's spending compared to known income)
• Reasonableness tests (ask simple Qs: where is cash going, for what purposes, is that purpose reasonable)
Observation of changes in a person's habits and lifestyles may reveal some red flags. Fraudsters may exhibit these behaviors:
• Experience sleeplessness
• Drink too much
• Take drugs
• Become irritable easily
• Can't relax
• Get defensive, argumentative
• Can't look people in the eye
• Sweat excessively
• Go to confession (e.g., priest, psychiatrist)
• Find excuses and scapegoats for mistakes
• Work standing up
• Work alone
• Work late frequently
• Don't take vacations
Managers are more likely to notice the changes in demeanor and lifestyle and what they do or change; if the auditor realizes, let managers know.
Characteristics of a Fraudster
• Has education beyond high school
• Is likely to be married
• Is member of a mosque, temple, or church
• Ranges in age from teens to over 60
• Is socially conforming
• Has an employment tenure from 1 to 20 years
• Has no arrest record
• Usually acts alone (in about 70% of the acts they do/we notice)
Unfortunately, a fraudster looks like most everybody else!
-Some of the most frequent rationalizations are:
• I need it more than the other person.
• I'm borrowing the money and will pay it back.
• Everybody does it.
• The company is big and will never miss it.
• Nobody will get hurt.
• I am underpaid, so this is due compensation.
• I need to maintain a lifestyle and image.
Schedule of Interbank Transfers: Check Kiting
• Is the deliberate floating of funds between two or more bank accounts to make it appear that more cash is present and available than is really the case. This practice is also known as "playing the float."
• Advances in technology and bank scrutiny have decreased this possibility in recent years. It still does happen, though, so we still look for it.
• A Schedule of Interbank Transfers is generally used by auditors to detect check kiting: looking for instances where the same money was counted twice, where it was included in two acct bals at the end of the yr. Made possible by the delay in processing data by banks; biggest concern at end of yr.
Confirmation of Bank Balances
• Standard Bank Confirmation Inquiry
  - Must be mailed under auditor's own control (comes from client, though)
  - Used to confirm deposit balances and loan balances
  - Also can be used to request information about contingent liabilities and secured transactions
• Electronic Confirmation Requests
  - Many banks now only complete confirmation requests electronically (e.g., confirmations.com)
  - Can improve the control of both delivery and receipt of the confirmation request (so we prefer it)
  - Allowed by professional auditing standards
rationalization
•When people do things that are contrary to their personal beliefs - outside their normal behavior - they provide an argument to make the action seem like it is in line with their moral and ethical beliefs.
Authority and responsibility.
Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.
Nonstatistical sampling is
acceptable under generally accepted auditing standards. Instead of using statistical theory to determine sample size and allowance for sampling risk, auditors rely on their professional judgment in making these decisions.
classical variables sampling
approaches use normal distribution theory and the central limit theorem to provide an estimated range of either the recorded balance of the account balance or class of transactions or the misstatement in the account balance or class of transactions.
Clearly, preventive controls, procedures that prevent misstatements before they occur (those that ensure hiring competent people, limiting access, requiring approval, separating duties, etc.), are
preferable to detective controls, procedures that detect misstatements after they occur.
Relevant assertions
are those that represent the possibility of a material misstatement. Thus, an assertion that does not represent a meaningful risk of misstatement (e.g., completeness of cash) is not relevant and should not be considered by the audit team
Direct-effect Illegal Acts
are violations of government regulations by the company, or its management or employees, that produce direct and material effects on dollar amounts in the financial statements. Not thought of as fraud; more of the company breaking the law.
Elements of the accounting system are explained in
conjunction with control activities designed to prevent, detect, and correct misstatements that occur in transactions.
The following hierarchy lists the type of control tests from the least persuasive (inquiry) to the most persuasive type of evidence:
Inquiry of client personnel. Observation of the control activity being performed. Inspection of relevant documentation. Reperformance of the control activity.
reasonableness tests
Often, auditors become so involved in ticking and tying numbers that they forget to ask themselves the simplest questions: Where is the cash going? For what purpose? Is this reasonable? The answers to these questions often motivate the auditor to ask more penetrating questions of management and to dig for more evidence.
White-collar criminals do not make themselves obvious, although they may leave telltale signs or red flags.
Older individuals (usually over 50) who hold high executive positions, have long tenure, and are respected and trusted employees have often gained the trust and confidence of others and, therefore, are in a position to commit the largest frauds.
A significant advantage of sequential sampling methods is that they could allow the audit team to evaluate the operating effectiveness of controls more efficiently.
One disadvantage of these methods is that the allowable rate of deviations in the sample is lower than that in a fixed sampling plan (i.e., sequential sampling is more conservative). In addition, the audit team should be careful in continuing to extend the sample using a sequential sampling approach if the preliminary sample evidence does not support the planned level of control risk (in other words, once the audit team has determined that the control is not functioning effectively, there is no reason to expand testing).
general audit procedures can at times be used as dual-purpose tests.
That is, a single audit test can produce both control testing and substantive testing evidence and, thus, serve both purposes. For example, a selection of recorded payroll entries could be used to (1) vouch payroll to time cards and (2) calculate the correct dollar amount of payroll. The first procedure provides relevant information about an important control activity. The second provides dollar value information that can help offer substantive evidence to support the account balance in the financial statements.
Nonstatistical sampling methods are permissible under generally accepted auditing standards and differ from the statistical methods discussed in this chapter as follows:
The audit team may judgmentally determine the sample size and is not required to quantify the various parameters (although the sample sizes under statistical and nonstatistical methods should be comparable). The audit team may use nonrandom methods in selecting sample items, such as block selection or haphazard selection. The audit team may judgmentally evaluate sample results, based on the sample rate of deviation and tolerable rate of deviation.
expenditure analysis
This analysis is similar to net worth analysis except the data are the suspect's spending for all purposes compared to known income. If spending exceeds legitimate and explainable income, the difference may be the amount of a theft.
Summary of Internal Control Deficiencies
Three categories:
- Internal Control Deficiency
- Significant Deficiency
- Material Weakness (worst) (probability of misstatement is at least reasonably possible and, if the effect of the potential misstatement is material, it would change the judgment of a reasonable person)
- The difference between a significant deficiency and a material weakness is the (1) likelihood and (2) materiality that a potential (or actual) misstatement would not be detected on a timely basis.
Remote, reasonably possible, and probable are the three areas of likelihood. If the probability is remote, we'd classify it as a control deficiency. If misstatement is reasonably possible or probable, the category (sig def or mat weak) is determined by materiality. If materiality is insignificant, then it would stay just a control deficiency; if it's significant but not material, then it'd be a sig deficiency; and if it rises to the materiality level of material, it's a material weakness.
Systematic Random Selection (Systematic Selection)
When using systematic random selection (systematic selection), the audit team randomly selects a starting point from within the population and includes every nth item thereafter, where n is determined based on the number of items in the population and the necessary sample size. In this case, n is referred to as the sampling interval and represents the frequency with which items are selected within the population. The sampling interval is calculated by dividing the number of items in the population by the necessary sample size.
If combinations of two or more of these responsibilities are completed by one person or within the same office, there may be an opportunity for
a fraudster to commit a crime. In addition, and almost more important in today's environment, is the fact that the computerized information-processing system must also provide for proper separation of duties. In practice, this is often accomplished by assigning the proper functional "permissions" to the appropriate employees through their password access credentials. Simply stated, in a computerized environment, proper separation of duties is dependent on proper password access controls.
If controls are weak
a proof of cash is an effective procedure to verify that recorded cash transactions have occurred and are complete.
Once the specific controls have been identified, the audit team must next
define the characteristic of interest; in an attributes sampling context, this is a deviation condition. The word deviation (commonly referred to as exception) refers to instances in which the client or its personnel do not follow prescribed controls; in other words, deviations are instances in which controls are not functioning as intended. Defining the deviation conditions at the outset is important because deviation conditions provide the audit team evidence regarding the operating effectiveness of the client's internal control.
This discussion should make clear that the risk of incorrect acceptance is of more concern to auditors than the risk of incorrect rejection.
As with the risk of overreliance in attributes sampling, auditors explicitly control their exposure to the risk of incorrect acceptance when determining the necessary sample size and when evaluating sample results.
After completing phase 1—understanding and documenting internal control—the audit team should be able to make a preliminary assessment of control risk.
At this preliminary stage, the audit team members also may use their internal control findings from the previous year's audit. At this stage of the process, auditors seek to identify internal control activities that are explicitly designed to support reliable financial statement reporting for the relevant financial statement assertion identified about each significant account and disclosure. It is important to remember that a well-designed internal control system will clearly link key internal control activities to the relevant financial statement assertions being supported.
wrapping up
Audit teams are required to issue an opinion on the effectiveness of internal controls. They do so by evaluating evidence obtained from all sources, including the team's testing of controls, any misstatements detected during the financial statement audit, and any identified control deficiencies and material weaknesses. Audit teams then form an opinion on the effectiveness of internal control over financial reporting. Audit teams can issue one of three types of opinions on internal controls: Unqualified. No material weaknesses exist. Disclaimer of opinion. The audit team cannot perform all of the procedures considered necessary and is unable to determine whether material weaknesses exist. Adverse opinion. One or more material weaknesses exist. Note that because the opinion on internal controls is as of the end of the fiscal year, the entity may be able to correct or remediate deficiencies or weaknesses after they have been detected. However, the audit team must have sufficient time to test the design effectiveness and operating effectiveness of the remediated control before providing an unqualified opinion
The audit team assesses tolerable misstatement judgmentally after considering the recorded balance as well as the relationship between the account balance or class of transactions with important financial statement subtotals (such as total assets, total revenue, and net income).
Auditors normally estimate tolerable misstatement after calculating performance materiality for the various account balances and classes of transactions.
The objective of the sampling application is directly related to the question of interest. In this example, the objective is to determine whether an aerobics program results in a reduced resting heart rate; because the engagement team's conclusion with respect to this question is evidenced by whether the reduction is 15 bpm or greater, the reduction in resting heart rate is the characteristic of interest.
Clearly defining the characteristic of interest in a sampling application is critical because it is the measure that will be obtained from the sample items and eventually evaluated against some criterion (related to the objective of the sampling application).
why separate duties
Combining duties allows a single person to create and conceal errors and frauds. Segregating duties forces people to commit fraud through collusion—a much harder task!
It is important to distinguish the "client's control activities" from the "audit team's tests of controls."
Control activities are part of the internal control designed and operated by the entity. The audit team's procedures are the audit team's own evidence-gathering work performed to obtain evidence about the client's control activities.
Three major steps can control sampling risk in the sampling process:
Determining an appropriate sample size. As a higher percentage of items in the population is examined, sampling risk decreases. Ensuring that all items have an equal opportunity to be selected. If all items have an equal opportunity to be selected, the likelihood of sampling risk decreases. Evaluating sample results to control sampling risk. The results from a sample are "adjusted" to consider the likelihood that the sample being evaluated does not appropriately represent the population. We discuss this "adjustment" later.
The control environment sets the tone of the organization.
It is the foundation for all other components of internal control. It provides discipline and structure to all participants and stakeholders. Control environment factors include the integrity, ethical values, and competence of the entity's people
Use Marked Coins and Currency
Plant marked money in locations where cash collections should be gathered and turned over for deposit.
An advantage of using internal control questionnaires is that audit teams are less likely to forget to cover some important point.
Questions are worded such that a "no" answer points out a weakness or control deficiency, thus making analysis easier.
Sampling is typically used when the question of interest has the following two characteristics:
The need for exact information is not important. Considering the preceding example, the engagement team would be more interested in testing all members if it wanted to know an exact change in resting heart rates (e.g., does an aerobic program lower heart rates by 16 bpm as opposed to 15 bpm or more?). The number of items comprising the population is large. If the number of members was 50, the engagement team would be more likely to test all 50 members than if the number of members were 2,500.
Which Selection Method Should Be Used?
The use of statistical or nonstatistical sampling procedures has a significant impact on the method of sample selection. Random or systematic selection is used with statistical sampling because these methods (1) provide a reasonable likelihood of obtaining a representative sample, (2) allow the probability of obtaining sample items to be determined, and (3) allow the sample selection process to be replicated. As a result, these methods allow sampling risk to be measured and controlled to acceptable levels. In contrast, haphazard and block selection do not meet these criteria; they could result in a random sample, but quantitatively evaluating the randomness of the sample selected using them is difficult.
Many companies facilitate this caring attitude with an organized employee assistance program (EAP).
They offer a range of counseling referral services dealing with substance abuse, mental health issues, family problems, crisis help, legal matters, health education, retirement, career paths, job loss troubles, and family financial planning. These program types are not guaranteed to prevent fraud, but they can have a positive impact for an organization.
net worth analysis
This analysis is used when fraud has been discovered or strongly suspected and the information to calculate a suspect's net worth can be obtained (e.g., asset and liability records, bank accounts). The method involves calculating the suspect's net worth (known assets minus known liabilities) at the beginning and end of a period (months or years) and then trying to account for the difference as (1) known income less living expenses and (2) unidentified difference. The unidentified difference may be the best available approximation of the amount of a theft.
When performing attributes sampling, the audit team's primary objective is to
assess the extent to which the client's internal control activities are functioning effectively.
Two major approaches to sampling used in an audit examination are
attributes sampling (in the study and evaluation of internal control) and variables sampling (in the auditors' substantive procedures).
Second,
for each fraud risk identified during the planning stage, the audit team should evaluate whether the client has implemented control activities that are specifically designed to address the risk of fraud that has been identified. These might include control activities that are designed to address risks of fraud to specific financial statement accounts or more generally, control activities that are designed to promote a culture of honest and ethical behavior.
Managers are in the best position to notice changes, especially when a person varies his or her lifestyle or spends more money than his or her salary seems to justify
for example, on homes, furniture, jewelry, clothes, boats, autos, vacations, and the like. Therefore, it is imperative that the auditor make specific inquiries of management regarding changes in an employee's demeanor and lifestyle.
The first step in the attributes sampling process is to
identify the objective of attributes sampling, which is related to examining key controls corresponding to the management assertions of interest to the audit team.
bank stmts
include the number and dollar amts of deposits and checks, which can be compared to detailed data on the bank stmt. The acct holder's federal bus ID number is also on the stmt. The auditor should and can evaluate the bank stmt for alterations to see if the client has been trying to commit a forgery and misstate cash in some way.
The audit committee
is a subcommittee of the board of directors that is generally composed of three to six independent members (those not involved in the entity's day-to-day management) of the organization's board of directors. Each member must be financially literate, and one member must be a financial expert.
The level of tolerable misstatement is the
maximum amount the account balance or class of transactions can be misstated without the audit team's requiring an adjusting entry to prevent a qualified or adverse opinion. In other words, the audit team members determine in advance the largest misstatement that they will allow (or tolerate) before they conclude that the account balance or class of transactions is materially misstated. Logically, as the amount of tolerable misstatement decreases, the necessary sample size increases because auditors need to examine more of the population to ensure that there are not numerous small misstatements that would accumulate to a material amount. Therefore, tolerable misstatement has an inverse relationship with sample size.
When evaluating the effectiveness of the client's controls, auditors typically think in terms of the
maximum rate of deviation that could exist before they would reduce reliance on that control (tolerable rate of deviation [TRD]). To illustrate, assume that the audit team decides that a control should function at least 96 percent of the time to be considered effective.
When studying a business operation,
members' ability to "think like a crook" to devise ways to steal can help in planning procedures designed to determine whether fraud has happened.
Sequential sampling
methods provide the audit team the opportunity to draw conclusions using a smaller sample than a traditional fixed sampling plan. It is sometimes called "stop-or-go" sampling because the plan allows the audit team to stop after examining a relatively small sample and evaluate the results.
Tests of controls must be performed to obtain evidence about whether controls that are candidates to be relied upon actually operate as described. The test of controls audit plan consists of
procedures designed to produce evidence of how effectively the controls operate in practice. If they are determined to be operating effectively after testing, control risk can be assessed below the maximum. If they do not operate with the required level of effectiveness, the final conclusion is to assess a high or maximum control risk, revise the audit plan to consider the control weakness, and then proceed with additional substantive audit procedures.
Described as a nonaccusatory method of asking key questions of personnel during a regular audit,
fraud audit questioning (FAQ) provides employees an opportunity to furnish information about possible misdeeds. Fraud possibilities are addressed in a direct manner, so the FAQ approach must have the support of management. Example questions are: "Do you think fraud is a problem for business in general?" "Do you think this company has any particular problem with fraud?" "In your department, who is beyond suspicion?" "Is there any information you would like to furnish regarding possible fraud within this organization?"
op effectiveness
refers to whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. Evidence of this nature will be obtained in a subsequent phase of the audit team's study of internal control.
When collecting corroborating evidence to support the financial statements, the audit team must
remain vigilant against the potential for fraud. Discrepancies in the accounting records, conflicting evidence, and missing documentation are all symptomatic of financial statement fraud. When the audit team identifies such instances, members must follow up with management to identify the source of the problems. Management's response is a key source of evidence; vague, implausible, or inconsistent responses to inquiries can be a key indicator of the pervasiveness of the fraud. Similarly, problematic or unusual relationships between the audit team and management are often present in financial statement frauds.
Under Sarbanes-Oxley, an audit of the internal control system over financial reporting is
required. The audit of internal controls must be integrated with the financial statement audit and cannot be performed as a separate engagement. Thus, the procedures related to internal control in an integrated audit performed under AS 2201 are far more extensive than those in a GAAS audit for a nonpublic entity.
An entity should establish input, processing, and output control activities to prevent, detect, and correct accounting errors. Auditors can perform
tests of controls to determine whether the internal control activities related to the correct handling of cash receipts are operating effectively
After measuring sample items, the audit team can calculate a sample rate of deviation, which represents
the rate of deviations from key controls noted by the audit team members in their sample. The sample rate of deviation is calculated by dividing the number of deviations noted in the sample by the sample size. Thus, the sample rates of deviation for the controls related to the occurrence and accuracy assertions were 1.6 percent (2 deviations ÷ 127 invoices) and 7.7 percent (4 deviations ÷ 52 invoices), respectively. Because the tolerable rates of deviation for these controls are 6 percent and 10 percent, respectively, the audit team's initial conclusion might be to rely on the controls as planned because the sample rate of deviation is less than the tolerable rate of deviation.
Sampling risk occurs when the sample selected by the audit team is not representative of the population from which it is drawn. There are two types of sampling risks for variables sampling applications:
the risk of incorrect acceptance and the risk of incorrect rejection
Population variability is often measured as
the standard deviation (or standard error of the mean)
If documents are lost, mutilated, coffee stained, or otherwise compromised (so a defense attorney can argue that they were altered to frame the suspect),
they lose their effectiveness for the prosecution.
In a variables sampling application, the audit team is interested in determining the proper amount at which the items should be recorded;
this amount is often referred to as the audited value, which is simply the dollar amount at which the item would be recorded assuming that no mistakes in judgment or mistakes in the application of generally accepted accounting principles were made.
In addition to entity-level controls, the audit team also identifies
transaction-level controls, controls that pertain to specific classes of transactions, account balances, and disclosures.
Next, the audit team will examine a sample of controls and calculate a sample rate of deviation,
which provides one representation of the true population rate of deviation. Although auditors never know the true population rate of deviation with any certainty, they can use sampling tables to "adjust" the sample rate of deviation to one that has a certain probability of equaling or exceeding the true rate of deviation. Simply stated, this adjusted rate (the upper limit rate of deviation [ULRD]) provides a conservative estimate of the rate of deviation that allows the audit team to control exposure to sampling risk.
COSO defines ERM as
"a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
information and communication general principles
1. the org obtains or generates and uses relevant quality info to support the functioning of IC 2. the org internally communicates info, including the objectives and responsibilities for IC, necessary to support the functioning of IC 3. the org communicates w external parties regarding matters affecting the functioning of IC
control activities general principles
1. the org selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels 2. the org selects and develops general control acts over tech to support the achievement of objectives 3. the org deploys control acts through policies that establish what is expected and procedures that put policies into action
monitoring general principles
1. the org selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of IC are present and functioning 2. the org evaluates and communicates IC deficiencies in a timely manner to those parties responsible for taking corrective action, including senior mgmt and the board of directors, as appropriate
risk assessment general principles
1. the org specifies objectives w sufficient clarity to enable the identification and assessment of risks relating to objectives 2. the org identifies risks to the achievement of its objectives across the entity and analyzes the risks as a basis for determining how the risks should be managed 3. the org considers the potential for fraud in assessing risks to the achievement of objectives. 4. the org identifies and assesses changes that could significantly impact the system of internal control
Audit Committee
3-6 "outside" members of Board. Provides a buffer between the audit team and operating management. Members must be "financially literate." One "financial expert." hires and fires the auditor
Section 302 of the Sarbanes-Oxley Act stipulates criminal penalties for CEOs and CFOs if they issue materially misleading financial statements.
A clear intention of this section of the act is to make sure that management at the top of an organization sets the proper tone for the internal control system. In fact, the act is specific about management's responsibility for the organization's internal control system: Management is responsible for establishing a control environment, assessing the risks it wishes to control, specifying information and communication channels and content (including the accounting system and its reports), designing and implementing appropriate control activities, and monitoring, supervising, and maintaining the control activities. Management must also estimate the benefits derived from specific controls and then weigh them against the costs. Management is expected to make its own judgments about the necessity of specific controls.
Step 4c: Identify Material Weaknesses
A material weakness in internal control is defined as a deficiency, or combination of deficiencies, that results in a reasonable possibility that a material misstatement would not be prevented or detected on a timely basis. Indicators of possible material weakness: Restatement of previously issued financial statements to reflect the correction of a misstatement (misstatement was material). Evidence of material misstatements (caught by the audit team) that were not prevented or detected by client's internal controls. Ineffective oversight of financial reporting process by entity's audit committee. Indication of fraud (either material or immaterial) by senior management. material weaknesses do cause us to change our opinions on internal controls over financial reporting from unmodified to adverse. there is not the option of a qual opinion on icfr engagements. any time an auditor finds a material misstatement, there must have been a material weakness bc somehow that misstatement got through
Specifically, the entity's annual report must include the following
A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting. A statement identifying the framework (e.g., the COSO framework) that management uses as a benchmark for evaluating the effectiveness of the entity's internal control. A statement providing management's assessment of the effectiveness of the entity's internal control.
Some of the more important duties of the audit committee are
Appointment, compensation, and oversight of the public accounting firm conducting the entity's audit. Resolution of disagreements between management and the audit team. Oversight of the entity's internal audit function. Approval of nonaudit services provided by the public accounting firm performing the audit engagement. Oversight of the anonymous fraud hotline that is designed to provide employees a confidential and effective manner in which to report possible financial reporting issues. Authority to engage legal counsel in the event of management fraud.
Step 5: Wrapping up
Auditors can issue one of three types of opinions on internal control over financial reporting: -Unqualified. No material weaknesses found. -Disclaimer of opinion. The audit team cannot perform all of the procedures considered necessary. -Adverse opinion. One or more material weaknesses found. Evaluate management's report on the effectiveness of internal control.
An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements (PCAOB AS 2201)
Auditors must provide their opinion on the effectiveness of the client's internal control (Section 404 of Sarbanes-Oxley). have to provide an opinion on the effectiveness of the clients internal controls. focus is to determine whether a material weakness exists at the end of the yr being reported on. only modify internal control opinion if there is a material weakness in internal controls at the end of the year. integrated w the audit of the FSs. Not a separate engagement -Integrated audit of internal control and financial statements Public Companies do this.
Step 6: Reporting on Internal Control
Can be a separate report on internal control -Opinion on financial statements contained in separate audit report (one opinion/report) -Extra paragraph added to report on internal control referencing opinion on financial statements. Or an integrated audit report and report on internal control and the financial statements -Includes auditor's opinions on 1) internal control effectiveness, and 2) the fairness of the company's financial statements.
Step 1: Planning the engagement
Consider knowledge of industry; Consider knowledge of business; Consider extent of changes in operations; Consider extent of changes in internal control; Evaluate controls for all relevant assertions for all significant accounts or disclosures
The COSO's 2013 integrated framework includes the following five components
Control Environment (and 5 principles) Risk Assessment (and 4 principles) Control Activities (and 3 principles) Information and Communication (and 2 principles) Monitoring (and 3 principles) The framework includes 17 principles associated with the above five components of internal control.
Step 3a: Testing Controls: Design Effectiveness
Design effectiveness determines whether the controls over financial reporting, if operating effectively, would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements. After an understanding of internal controls is gained through inquiry, inspection, and observation, the controls are evaluated for the possibility that the controls would not prevent or detect a misstatement. control was not designed effectively bc it only controls 2 out of 3
Why Assess Control Risk?
Determine nature, timing, and extent of audit procedures. There is a trade-off between testing of controls and substantive procedures. (control testing is usually cheaper bc takes less manpower. never efficient to test controls that u think are not working. if broken, better off increasing substantive testing w control risk at 100 than test control) At least some substantive procedures are required bc of the limitations of IC (IC can never 100% eliminate the possibility of misstatement) Control testing is required for public companies (in accordance with PCAOB AS 5), but remains an auditor judgment for other audits.
auditors' responsibility for IC
For public companies, must audit and issue an opinion about the effectiveness of the internal control over financial reporting (ICFR) For each fraud risk, must evaluate whether controls are in place to mitigate the fraud risk Must assess control risk to determine the nature, timing and extent of substantive procedures to be performed (if less than max requirement. if pub traded, auditor must do an integrated audit and test internal controls along w their FS audit reducing substantive testing where controls are working and they must also issue an opinion on that effectiveness of internal controls over financial reporting along w their audit opinion
info tech
Has the audit client taken full advantage of significant advances in information technology by using entirely automated control activities whenever it is efficient and effective?
Level of integration with their risk assessment process
Has the audit client's management team taken the action necessary to address the identified risks to the achievement of financial reporting objectives?
Policies and procedures.
Have the policies related to reliable financial reporting been documented and communicated throughout the company by the audit client's management team?
limitations of internal control
Human error ‒ mistakes in judgment, fatigue, carelessness; Deliberate circumvention by people in the system; Management override by force of authority (necessary evil); Collusion among people who are supposed to act independently; Cost/benefit analysis -There is often a trade-off between the cost and the effectiveness of internal controls. -The concept of reasonable assurance recognizes that the cost of an entity's internal control should not exceed the benefits that are expected to be derived.
Human resources.
Human resource policies and practices are designed and implemented to facilitate effective internal control over financial reporting.
Step 2: Using a top-down approach
Identify entity-level controls; Perform walkthroughs; Auditor must perform work related to: -Company-wide anti-fraud programs -Controls that have a pervasive effect; Auditor can incorporate work of internal auditors and others, but -Must obtain "principal evidence" for opinion on their own -Must assess competence and objectivity -Limited reliance -Can't reduce work on control environment
risk assessment
Management's identification and analysis of relevant risks to achievement of its objectives. Auditors focus on risk of material misstatement and risks that affect fin reporting Quite possibly using COSO's Enterprise risk management (ERM) framework to assess risk (larger comps maybe) smaller comps may have smaller less strict risk assessment procedures but theyd still be there.
monitoring
Management's process that assesses the quality of the internal control's performance over time. Such assessments include: Periodic evaluation by internal auditing; Supervisory review of controls; Follow-up of reporting errors; Follow-up of customer complaints; Audit committee inquiries
Modifications to the Auditors' Standard Report on Internal Control
Material weaknesses in the entity's internal control over financial reporting (have to issue an adverse opinion) Effect of an adverse opinion on internal control on the auditor's opinion on the financial statements Restriction on the scope of the engagement (not able to form an opinion so we disclaim an opinion. change intro para to say we were engaged to audit, scope para deleted, def and inherent paras same, explanatory para included, same rest) (include explanatory para between inherent limitations and opinion if need to)
Step 3b: Testing Controls: Operating Effectiveness
Operating effectiveness is whether the control is operating as designed and whether the person performing the control possesses the necessary authority and qualifications to perform the control effectively. A sample of transactions is examined using inquiry, observation, inspection, and reperformance. Tests of controls would not be performed if design is not evaluated as effective. design is great but somebody failed to do what theyre supposed to do
internal control evaluation
Phase 1: Understand and document Understand the client's internal control Document the understanding of internal control -Internal Control questionnaire -Narrative -Accounting and control system flowcharts Phase 2: Assess control risk (Preliminary) Consider cost effectiveness of reliance/testing. -if privately held, decide if ur going to test. if publicly held, must test (except some small Dodd-Frank comps) Phase 3: Identify Controls to Test and Perform Test of Controls Perform test of controls audit procedures Re-assess control risk -if controls are as expected, subs stays same. if controls are more effective than expected, we could revise our subs testing downward and vice versa.
Step 4b: Identify significant deficiencies
Significant deficiencies are defined as conditions, or combinations of conditions, that could adversely affect the organization's ability to initiate, record, process, and report financial data in the financial statements. While not material, they are important enough to bring to the attention of those charged with governance (usually the audit committee). examples: Absence of appropriate separation of duties. Absence of appropriate reviews and approvals of transactions. Evidence of failure of control procedures. opinion would be unmodified but they are important enough that we want to notify those charged w governance (audit committee) about them and make sure they are aware of them.
integrity and ethical values
Sound integrity and ethical values, particularly of top management, are developed and understood and set the standard of conduct for financial reporting.
board of directors
The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control.
control activities
The policies and procedures that help ensure management directives are carried out. Performance reviews (done by mgmt to supervise ops. mgmt study of budget variances w their follow up action) Separation of duties (big control act. taking certain types of duties and making sure diff ppl do them so we dont have overlap) Physical controls over the security of assets (as well as important docs and blank forms making sure those are limited to authorized personnel. includes access to inventory, blank time cards, blank checks, and info in general. should have diff physical controls (lock or guard etc)) Information Processing (especially relevant in computerized environments. would want to make sure that transactions cant be processed w/o proper approvals and authorizations. make sure sys performs verifications as well as reconciliations. ex: if its a numeric field would it allow non numeric data to be entered but we would want maybe only vendors from an approved vendor list to have checks written to them or only items on the inventory list can be invoiced or items shipped compared to items invoiced to make sure that balances have a reconciliation or do checks have supporting docs attached to them) -Approvals and authorization -Verifications and reconciliations Preventive controls vs. detective controls (prev controls prevent misstatements before they occur, which is preferable. detec controls detect misstatements after they occur and should correct them). either is better than none meat and bones baby! what mgmt puts in place to eliminate, mitigate, or compensate for the risks
Step 4a: Evaluate identified deficiencies
Whether the result of a design deficiency or an operating deficiency, an internal control deficiency exists when the design or operation of a control does not allow the entity's management or employees to detect or prevent misstatements in a timely fashion. -A design deficiency is a problem relating to either a necessary control that is missing or an existing control that is so poorly designed that it fails to satisfy the control's objective. -An operating deficiency, on the other hand, occurs when a properly designed control is either ignored or inappropriately applied (possibly because employees are poorly trained). More serious internal control deficiencies can be categorized into one of two groups, significant deficiencies or material weaknesses, depending on their severity.
audit trail
a path that allows a transaction to be traced through a data processing system from point of origin to output or backward from output to point of origin from FS to source docs (backwards -- vouching/occurrence)
First, Sarbanes-Oxley requires
an audit of management's assessment of the effectiveness of internal control over financial reporting for public companies. The internal control audit is conducted along with the financial statement audit as part of an overall integrated audit that is completed at public companies. In essence, the audit firm employs one integrated process that culminates in the issuance of two opinions: one on the entity's financial statements and one on management's assessment of the effectiveness of the entity's internal control over financial reporting.
Because the control environment sets the overall foundation for internal control, professional auditing standards require
an auditor to obtain an understanding of the control environment on all engagements. As part of this understanding, auditors also have to take the time to consider the functioning of the client's board of directors and, in particular, the impact of its audit committee on the client's control environment
The final reason for evaluating an entity's internal control is to
assess preliminary risk of material misstatement (RMM) for each relevant assertion. The assessment of RMM at the assertion level is completed for all financial statement audits in order to give the audit team a basis for planning the audit and determining the nature, timing, and extent of further audit procedures to be conducted for the financial statement audit. RMM is composed of inherent risk and control risk. The assessment of inherent risk, the susceptibility of an account to misstatement, was the focus of Chapter 4; this chapter focuses on control risk assessment. Recall that control risk is the probability that an entity's controls will fail to prevent or detect material misstatements due to errors or frauds that would otherwise have entered the system. The audit team assesses control risk to complete the preliminary determination of RMM for each relevant assertion identified in the audit plan; the higher the assessment of control risk, the higher the assessment of RMM. Most audit teams express their control risk assessment decision with descriptive terminology (e.g., high, moderate, low), which recognizes the imprecise nature of evaluating risk. An audit team's assessment of control risk as high implies that the controls are not effective at preventing or detecting material misstatements and could not be relied upon by the audit team. In this situation, the audit team would likely use substantive tests of details designed to obtain evidence (nature) at or near the entity's fiscal year-end (timing) with large sample sizes (extent). On the other hand, an audit team's assessment of control risk as low implies that the controls are effective at preventing or detecting material misstatements and could possibly be relied upon by the audit team. 
In this situation, the audit team might be able to use less time-consuming substantive analytical procedures to obtain evidence (nature) at an interim date before the entity's fiscal year-end (timing) with much smaller sample sizes (extent). Of course, an audit team might assess control risk as moderate (between low and high) and adjust the substantive procedures accordingly in order to obtain enough evidence to mitigate the risk of material misstatement to a low level for the relevant assertion being tested. Ultimately, the final decision about nature, timing, and extent of testing is a matter of professional judgment for the audit team. Exhibit 5.2 illustrates the trade-off between testing and relying on internal controls and how it impacts the nature, timing, and extent of further audit procedures to be performed.
both pub and priv
auditor has responsibility of getting understanding of clients internal control system sufficient to plan the nature extent and timing of further audit procedures.
duties important to separate
authorization to execute transactions, including authority and responsibility for initiating or approving transactions. can be general (class aka all purchases over 100k) or specific (all purch of inventory) recording (accting, record keeping) custody of assets involved in transactions (physical possession or effective physical control of the property) Reconciliation (independent oversight): periodic reconciliation of existing assets to recorded amts at regular intervals. ex: counting inventory at a periodic basis and reconciling it back to whats currently recorded in our books.
interrelated components of internal control
control environment is the overall mgmt attitude about internal controls and can influence all of the other components. risk assessment part is used to determine what the appropriate control procedures would need to be to mitigate the risks identified. (risk assess to control procedures) info system is how the system captures events and conditions and communicates them to those that need info and that goes from very beginning to end. continuum. covers risk and control and monitoring bc whole thing monitoring is the feedback of the system. its how mgmt ensures that the controls are working and any required changes to the sys are implemented and have controls over them as well. oversight part.
The next step in the process requires the audit team members to
document their understanding of the extent to which each of the client's control activities has been designed to support a relevant financial statement assertion by mitigating a risk of material misstatement. If their assessment is positive, the audit team might want to consider testing the control activity in the hopes of relying on it to reduce substantive testing for the relevant assertion that was supported.
The professional standards require the audit team members to
document their understanding of the internal control system on each audit, which includes their understanding of whether management has implemented control activities that are sufficient to address the risks of material misstatement for each relevant assertion.
Central among the provisions of this act is the
emphasis that it places on the internal control system as an important means to prevent or detect material misstatements in the financial statements due to fraud. The feeling is that by holding both management and the auditor responsible for evaluating the effectiveness of the internal control system, the act has imposed the necessary oversight to improve the accuracy and reliability of the financial statements reported by the entity. Simply stated, the intense scrutiny on both the design and operating effectiveness of internal control systems over financial reporting should improve the reliability of the financial statements. This chapter focuses on the importance of the internal control system in the financial statement auditing process.
The audit team has at least three reasons for conducting an
evaluation of an entity's internal control.
The Committee of Sponsoring Organizations of the National Commission of Fraudulent Financial Reporting (COSO), referred to as the Treadway Commission
included a group of professional organizations to improve financial reporting. The COSO included representatives from the Financial Executives Institute (FEI), the American Accounting Association (AAA), the Institute of Internal Auditors (IIA), the Institute of Management Accountants (IMA), and the American Institute of Certified Public Accountants (AICPA). developed the internal control framework which is currently the only generally accepted framework of ICs in the US.
Importantly, when documenting their understanding of the internal control system, the audit team should keep in mind the following questions related to control activities:
info technology; level of integration with their risk assessment process; selection and development of control activities; policies and procedures
inside board member vs outside
inside: somebody who's on the board of directors but also works for the company in a mgmt position. ex: CFO or CEO outside: do not work for company.
In a well-functioning internal control system, once the risks to management's objectives have been identified,
internal control activities need to be established to eliminate, mitigate, or compensate for the risks
internal control
is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories: Reliability of financial reporting (what auditors care about the most. objectives about producing reliable fin reports and the safeguarding of assets) Effectiveness and efficiency of operations (maintaining a good bus reputation, using assets efficiently and effectively, increasing market share. about making sure clients bus is running effectively and efficiently) Compliance with applicable laws and regulations IC policies and procedures should allow first of all that records be maintained in reasonable detail to accurately reflect transactions. secondly, that trans are to be recorded to permit FS to be prepared in accordance with GAAP. thirdly, trans to be executed in accordance with authorization from mgmt and fourthly, unauthorized acquisition use or disposition of the entity's assets should be prevented or detected on a timely basis
Under Section 302, management must also disclose any material weaknesses in internal control. If any material weaknesses exist,
management cannot conclude that the entity's internal control over financial reporting is effective.
In addition to certifying the entity's financial statements and disclosures under Section 302, Sarbanes-Oxley requires
management to assess and report on the entity's internal control over financial reporting in Section 404.
size of company
may affect how they implement controls related to the control environment. they might not have a written code of conduct but still have a strong culture of integrity and ethics. they may not have outside members on BD if very small and publicly held, but that does not mean they don't have independence. smaller comps still can have an effective system of IC using coso framework
internal control integrated framework coso
mgmt considers all 5 principles for each of the three objectives.
relationship between internal control reliance and audit procedures
nature: less reliance on IC (higher CR, lower DR) = more effective tests (for ex, use of substantive tests of detail). more reliance on IC (lower CR, higher DR) = less effective tests (for ex, use of substantive analytical procedures) timing: less reliance on IC (higher CR, lower DR) = testing performed at year end. more reliance on IC (lower CR, higher DR) = testing can be performed at interim extent: less reliance on IC (higher CR, lower DR) = higher sample size. more reliance on IC (lower CR, higher DR) = lower sample size
component auditor
not you, but he/she did some of the work over some of the items.
One way managers address these concerns is to employ an enterprise risk management (ERM) framework such as the
one developed by the Committee of Sponsoring Organizations (COSO) to facilitate the assessment and mitigation of business risks that the entity faces.
control environment general principles
org demonstrates Integrity and ethical values Board of directors demonstrates independence from mgmt and exercises oversight of the development and performance of IC Management establishes, w board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives (mgmt philosophy and op style and org structure of bus) The org demonstrates a commitment to attract, develop, and retain competent individuals in alignment w objectives (individuals competent in fin reporting and related oversight roles. employees are given approp levels of authority to facilitate effective IC of reporting) The org holds individuals accountable for their internal control responsibilities in the pursuit of objectives
We believe that the updated version of the framework will help
students as they learn about the underlying concepts and principles of an effective system of internal control.
In the financial reporting category,
the management objectives are related to producing reliable financial reports and safeguarding assets.
In some sense, all control activities can be thought of as preventive controls because
the possibility of being caught by a detective control might prevent someone from committing an error or a fraud.
A key goal of the updated version is
to provide "enhancements and clarifications intended to ease use and application" of the framework in an ever-changing global environment.
management, boards, and employees have to be constantly thinking about
what could go wrong with the business and how they can prevent it.
In 2013, COSO published an updated version of the framework. The updated framework acknowledges the
widespread use of the original COSO framework and seeks to build upon the core tenets and definitions established in the original framework