Audit Exam Chapters 6-9
Relevance and reliability of data used
1. A given set of procedures may provide audit evidence that is relevant to certain assertions, but not to others. 2. Designing substantive procedures includes identifying conditions relevant to the purpose of the test that constitute a misstatement in the relevant assertion. • It is particularly important that the data be relevant to the assertion being tested. • The data that will help the auditor determine that all transactions are recorded is not the same data that will help the auditor determine that recorded transactions are valid.
Tools for searching for notable items
1. Clustering transactions or balances based on a particular characteristic or multiple characteristics. 2. Matching the characteristics of two populations to see if there are any overlaps. 3. Statistical analysis, such as regression analysis, whereby the notable items are identified using statistics. [NOT COVERED] 4. Visualization, where the auditor plots certain characteristics of a population of account balances or transactions, looking for unusual characteristics.
Documents found in the process of selling goods
1. Customer master file 2. Sales order 3. Bill of lading 4. Packing slip 5. Sales invoice 6. Sales cycle database 7. Monthly statements of receivable balances
Five types of IT general controls
1. Data center and network operations controls address the segregation of duties within the IT department and between IT and user departments. 2. System software acquisition, change, and maintenance controls relate to computer software that is designed to operate and control the computer hardware and to provide a platform for running application software. 3. Program change controls are designed to provide assurance that changes to software applications are introduced in a controlled and coordinated manner. 4. Access controls are designed to prevent unauthorized use of IT equipment, data files, and computer programs. 5. Application system acquisition, development, and maintenance controls focus on controlling specific software applications, such as a sales or inventory application.
Three internal control weaknesses
1. Deficiency 2. Material weakness 3. Significant deficiency
Good visualizations
1. Facilitate people making visual comparisons between data elements. This can help auditors identify patterns, deviations from patterns, and outliers in the analysis stage of an ADA. 2. Are generally understood by a wider audience. 3. Visualizations communicate a lot of information efficiently. 4. Visualizations are likely to be better remembered.
Three categories of misstatements
1. Factual misstatements 2. Judgmental misstatements 3. Projected misstatements
Benefits of IT systems over manual systems
1. IT systems can provide greater consistency in processing than manual systems because they uniformly subject all transactions to the same controls. 2. More timely software-generated accounting reports may provide management with more effective means of analyzing, supervising, and reviewing the operations of the company. 3. IT systems enhance the ability to monitor the entity's performance and activities.
Objectives of internal control
1. Operations objectives. Pertain to effectiveness and efficiency of the entity's operations, including operational and financial performance goals, and safeguarding assets against loss. 2. Reporting objectives. Pertain to internal and external financial and nonfinancial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity's policies. 3. Compliance objectives. Pertain to adherence to laws and regulations to which the entity is subject.
Cluster analysis process
1. Plan the ADA 2. Access and prepare the data for ADA 3. Perform the ADA 4. Evaluate the results and draw conclusions
Steps in performing audit data analytics
1. Plan the ADA. 2. Access and prepare the data for ADA. 3. Consider the relevance and reliability of the data used. 4. Perform the ADA. 5. Evaluate the results and conclude whether the purpose and specific objectives of performing the ADA have been achieved.
Three types of IT general controls
1. Program change controls. Any and all changes to applications, interfaces, databases, and operating systems must be appropriately authorized, tested, and approved. 2. Logical access controls. Only authorized personnel have access to data and applications. Only authorized tasks and functions can be performed. 3. Other ITGCs: IT operations and controls, such as: regular and timely data backup, timely follow up and resolution of program faults / errors, timely follow up on deviations from scheduled processing, and planning upgrades to programs and applications on a timely basis.
Documents in the sales process
1. Remittance advice 2. Prelist of cash receipts 3. Remittance report from the bank 4. Bank deposit slip 5. Sales cycle database 6. Independent bank reconciliation 7. Monthly statements of receivable balances
Risks of IT systems
1. The IT system may produce a transaction trail that is available for audit for only a short period of time. 2. There is often less documentary evidence of the performance of control procedures in computer systems. 3. Files and records in IT systems are usually in machine-sensible form and cannot be read without a computer. 4. The decrease of human involvement in computer processing can obscure errors that might be observed in manual systems. 5. IT systems may be more vulnerable to physical disaster, unauthorized manipulation, and mechanical malfunction than information in manual systems. 6. Various functions may be concentrated in IT systems, with a corresponding reduction in the traditional segregation of duties followed in manual systems. 7. Changes in the system are often more difficult to implement and control in IT systems than in manual systems. 8. IT systems are vulnerable to unauthorized changes in programs, systems, or data in master files. 9. Reliance is placed on systems that process inaccurate data, process data inaccurately, or both. 10. Unauthorized access to data may result in the destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions. Inappropriate or unauthorized manual intervention could occur.
Control environment principles
1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises oversight over the development and performance of internal control. 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
6 steps to an effective audit strategy for controls over management assertions
1. Understand the flow of transactions in a given transaction cycle. 2. Identify what can go wrong from initiating the transaction to the recording in the general ledger. Link what can go wrong to assertions. 3. Assess whether controls exist to mitigate what can go wrong. 4. Identify relevant controls, perform the controls to test them, and evaluate the results. 5. Report internal control weaknesses to those charged with governance of the entity. Weaknesses include controls that are absent and controls that are not operating effectively. 6. Determine an audit strategy at the assertion level.
Importance of detect controls
1. completely and accurately capture all relevant data 2. identify all potentially significant misstatements (e.g., address all relevant assertions) 3. are performed on a consistent and regular basis 4. include follow-up and correction on a timely basis for any misstatements or issues detected
Components of internal control
1. control environment 2. risk assessment 3. control activities 4. information and communication 5. monitoring activities
Three groups of IT application controls
1. input controls 2. processing controls 3. output controls
Control activities principles
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 11. The organization selects and develops general control activities over technology to support the achievement of objectives. 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into actions.
Information and communication principles
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. 15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring principles
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Risk assessment principles
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risk as a basis for determining how the risks should be managed. 8. The organization considers the potential for fraud in assessing the risks to the achievement of objectives. 9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Sales invoice
A client-prepared document stating the particulars of a sale, including the amount owed, terms, and date of sale. It is used to bill customers, and it provides the basis for recording a sale in the sales journal
Packing slip
A client-prepared document with the details of the items included in a shipment
Sales order
A client-prepared prenumbered document that includes customer information, description, and quantity of what was ordered, and terms of sale
Deficiency
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.
Material weakness
A deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.
Significant deficiency
A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance
Misstatement
A misstatement is a difference between what is reported in the client-prepared financial statements and what is required for the item to be presented fairly in accordance with the applicable financial reporting framework. Examples of causes of misstatements include the following: 1. Intentional or unintentional omission of an amount 2. Incorrect accounting estimate caused by a misinterpretation of facts or by management bias 3. Inappropriate selection of accounting policies 4. Inaccuracies in gathering or processing data 5. Disclosures not presented in accordance with the applicable financial reporting framework
Internal control definition
A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting and compliance.
Monthly statements of receivable balances
A report sent to each customer showing the beginning receivable balance, transactions during the month, and the ending receivable balance
Bill of lading
A shipping document that serves as acknowledgement of receipt of goods for delivery by a freight carrier
Nature of accounting estimates
According to AU-C 540, there are two types of accounting estimates: 1. Forecasting the outcome of a transaction or event, as required by a financial reporting framework. 2. Determining fair value of a transaction or financial statement item for inclusion in the financial statements, and disclosure in the notes as required by a financial reporting framework. • Estimation uncertainty is the susceptibility of an accounting estimate and related disclosures to an inherent lack of precision in its measurement. • Management bias is a lack of neutrality by management in the preparation and fair presentation of information.
Auditing accounting estimates
An accounting estimate is an approximation of a monetary amount when a precise means of measurement is not available.
Customer master file
An electronic file containing the customer shipping and billing information and the customer credit limit
Tests of details part 2
Auditors should read and inspect the notes and recalculate amounts, as needed, to gather sufficient appropriate evidence that: 1. Management has adequately disclosed the significant accounting policies applied in the financial statements. 2. Information in the notes is accurate and does not contain errors or inconsistencies with information presented in the financial statements. 3. Appropriate and understandable terminology is used, as prescribed by the applicable financial reporting framework. 4. All disclosures that are required by the financial reporting framework have been included.
Substantive analytical procedures
Depending on the risk factors for a particular assertion, substantive analytical procedures can be used as follows: 1. As the only substantive test for a class of transactions or account balance 2. In combination with tests of details Factors that impact the effectiveness and efficiency of using a substantive analytical procedure to respond to risk include the: 1. Nature of the assertion 2. Plausibility and predictability of the relationship 3. Availability and reliability of the data used to develop the expectation 4. Precision of the expectation
Sales cycle database
Electronic files that accumulate data on sales, cash receipts, and accounts receivable
IT general controls (ITGCs)
IT General Controls (ITGCs): ITGCs support the ongoing functioning of the automated (programmed) aspects of prevent and detect controls and also provide the auditor with a basis for relying on electronic audit evidence. Ordinarily, an entity has three types of ITGCs in place.
Results of inquiries and observations
If, during inquiries or observations later in the audit process, the auditor identifies that significant changes to processes and controls have occurred, the auditor's previous tests of controls may no longer provide a basis for relying on those controls.
Input controls
Input controls are program controls designed to detect and report errors in data that are input for processing
Chapter 6 learning objectives
LO 1 Define internal control and explain the COSO framework. LO 2 Explain and evaluate internal controls at an entity level. LO 3 Explain and evaluate internal controls at a transaction level. LO 4 Explain and evaluate information technology (IT) controls. LO 5 Identify and explain different techniques used to document internal controls. LO 6 Explain the importance of identifying strengths and weaknesses in a system of internal control. LO 7 Explain how to communicate internal control weaknesses to those charged with governance.
Chapter 9 learning objectives
LO 1 Demonstrate how audit risk, management assertions, and substantive procedures are linked. LO 2 Describe methods of risk response at the financial statement level. LO 3 Explain and analyze factors that impact the nature of substantive procedures at the assertion level. LO 4 Explain and analyze factors that impact the timing of substantive procedures at the assertion level. LO 5 Explain and analyze factors that impact the extent of substantive procedures at the assertion level. LO 6 Explain and apply audit procedures used to audit accounting estimates. LO 7 Describe how auditors document the results of substantive procedures.
Chapter 7 learning objectives
LO 1 Explain the five-step process associated with planning, performing, and evaluating results from audit data analytics. LO 2 Explain and apply steps associated with accessing and preparing data for audit data analytics. LO 3 Explain how audit data analytics is used as a risk assessment procedure. LO 4 Apply audit data analytics as a risk assessment procedure and evaluate the results. LO 5 Explain how audit data analytics is used as a substantive test. LO 6 Apply audit data analytics as a substantive test and evaluate the results.
Chapter 8 learning objectives
LO 1 Explain the steps in assessing control risk. LO 2 Explain the different types of controls that an auditor might encounter. LO 3 Make decisions about alternative methods to test controls. LO 4 Make decisions about how to select and design tests of controls. LO 5 Evaluate the results of tests of controls. LO 6 Document the results of tests of controls.
Matching information in key data fields
Matching information in key data fields is a process whereby the auditor uses audit data analytics to search for key characteristics that may exist in several different databases. Often the auditor uses this process with an expectation that there should be no matches.
Documenting conclusions
Once controls have been tested, the auditors document their work in a working paper. Working paper documentation should include: 1. the auditors' conclusion about control risk 2. the basis for their conclusion (e.g., underlying evidence) Documenting test of controls assists in carrying out the testing by reminding the auditor of the overall purpose in testing the controls. If the auditor identifies any exceptions or issues, he or she should determine if there is an impact on the testing strategy by considering whether the control exception means that the control no longer meets the objective of the test.
Output controls
Output controls are designed to ensure that the processing results are correct, that exceptions are addressed on a timely basis, and that only authorized personnel receive the output.
Processing controls
Processing controls are designed to provide reasonable assurance that the computer processing has been performed as intended for the particular application
Organizational structure
Some private companies or not-for-profit organizations may have simple organizational structures, and some multinational organizations have complex organizational structures; the key issue is that some controls are implemented at the entity level, while other controls may be implemented at a division, operating unit, or function level. All three internal control objectives (operations, reporting, and compliance) should be accomplished throughout the organizational structure of the entity. When understanding a client's system of internal control, the auditor must consider the client's objectives and the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring).
Evidence provided by other tests
Tests of account balances (substantive testing) can often provide evidence about the continued functioning of controls.
Risk response at the financial statement level
The Auditor's Responses to the Risks of Material Misstatement, provide the following examples: 1. Emphasize that audit team members should maintain professional skepticism. 2. Assign more experienced staff to areas of higher risk of material misstatement. 3. Provide more supervision. 4. Include more elements of unpredictability in the selection of audit procedures. 5. Make general changes to the nature, timing, or extent of audit procedures to obtain more persuasive evidence.
Tests of details
The phrase tests of details refers to the substantive procedures auditors use to test the details of account balances, transactions, and disclosures. The nature of the assertion being tested affects the type of test of details that auditors use. Tests of details are also used to evaluate assertions related to the disclosures of the financial statements, referred to as the notes. It is management's responsibility to prepare the note disclosures. The objective of auditors is to determine if the notes are prepared in accordance with the applicable financial reporting framework.
IT application controls
The purpose of IT application controls is to use the power of information technology to control transactions in individual transaction cycles. Therefore, IT application controls will differ for each transaction cycle.
IT general controls
The purpose of IT general controls is to control program development, program changes, and computer operations, and to secure access to programs and data.
Visualization
The representation of a data set, or key information, as a chart or another image. "Visualization is a fundamentally human activity" is how Garrett Grolemund and Hadley Wickham put it in their recent Data Science book.
Transaction flow in a typical sales process
The transaction flow in a typical sales process for a client that sells goods includes: processing orders, approving credit, shipping goods, invoicing customers, and recording sales and trade receivables. The transaction flows for a client that sells services are similar but instead of shipping goods the client sells or performs the services.
Selecting and designing tests of controls
Three areas that require a large degree of professional judgment are deciding: 1. which controls should be selected for testing 2. the extent of tests of controls 3. timing of when to perform tests of controls
Using ADA as a risk assessment procedure
To assess the reliability of data used in performing ADA, the auditor obtains an understanding of the system of internal control, and perhaps performs tests of controls.
Transaction-level internal controls definition
Transaction-level controls are controls that affect a particular transaction or group of transactions. Transactions in this sense refer to transactions that are ordinarily recorded in the general ledger for the client and span from initiation of the transaction through to the reporting of the transaction in the financial report.
Remittance report from the bank
a document prepared by the bank showing the details of electronic funds transfers received by the bank from customers
Remittance advice
a document received from the customer showing details of payments made by the customer
Bank deposit slip
a receipt from the bank showing the total amount deposited with the bank
Prelist of cash receipts
an internally prepared document showing the listing of cash received from customers
Independent bank reconciliation
independent person reconciles cash account in the general ledger with the bank statement from the bank
Audit data analytics definition
the science and art of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data underlying or related to the subject matter of an audit through analysis, modeling, and visualization for planning and performing the audit
Grouping or filtering process
• A grouping and filtering process could be used as follows: a. Identify characteristics common to groups of notable items, focusing on their nature, cause, and what can go wrong at the relevant assertion level. b. Sort the notable items into two groups being comprised of items: i. requiring no further response to identify new or higher risks (sometimes called "false positives"), and those ii. requiring further response from the auditor to identify new or higher risks c. Further analyze the characteristics of the items mentioned in b.ii to help identify and sort those notable items into the following three subgroups: i. Those indicating one or more risks of material misstatement of which the auditor was not previously aware (new risks) ii. Those indicating a higher level of risk of material misstatement than previously identified iii. Those that do not indicate new or higher levels of risk of material misstatement
Management letter
• A management letter, sometimes referred to as a letter of recommendations, is a deliverable prepared by the audit team and provided to those charged with governance. • The management letter discusses internal control weaknesses and other matters discovered during the course of the audit. • The purpose of the management letter is to meet the auditor's responsibility for communicating internal control matters in writing on a timely basis to those charged with governance, and to inform those charged with governance of the auditor's recommendations for improving its internal controls.
Entity level internal controls
• A top-down approach begins by considering what can go wrong in the financial statements. • The auditor needs to understand what could go wrong both at the entity and transaction levels, and controls the client may have in place at both levels. • The internal control components, when collectively considered, are often referred to as entity-level controls because each of them exists at an entity (organizational) level rather than at a transactional level. • Gaining an understanding of the entity-level internal control components helps in establishing the appropriate level of professional skepticism, gaining an understanding of the client's business and financial reporting risks, and making assessments of the risk of material misstatement. • The 17 COSO principles of internal control are usually implemented at the entity level. • If the entity-level controls are weak, it is less likely that transaction-level controls will be effective.
Internal risk factors
• Ability to adjust existing operations and legacy IT infrastructures to meet performance expectations. • A disruption in information systems processing can adversely affect the entity's operations. • The quality of personnel hired and methods of training and motivation can influence the level of control consciousness within the entity. • A change in management responsibilities can affect the way certain controls are implemented. • The nature of the entity's activities, and employee accessibility to assets can contribute to misappropriation of resources. • An unassertive or ineffective board or audit committee can provide opportunities for indiscretions.
Monitoring activities
• After establishing and maintaining internal controls, management must monitor the controls to assess whether they are operating as intended. • Also, the circumstances for which the system of internal controls was originally designed may change, causing it to be less effective in warning management of risks brought about by new conditions. • Accordingly, management needs to determine whether its internal controls continue to be relevant and able to address new risks.
Audit risk and substantive procedures
• An audit strategy can take a reliance on controls approach, a substantive approach, or a combination of both. • With a reliance on controls approach, the auditor will test and rely more upon controls, and will perform fewer substantive tests. • With a substantive approach, auditors will test and rely less upon controls, and will perform more substantive procedures. • The term substantive comes from substantiate, which means auditors gather evidence to support the transactions, account balances, and disclosures provided by management in the financial statements. • Substantive testing is time consuming and expensive. It is far more efficient and economical if an auditor can rely more upon controls and reduce the amount of substantive testing.
Identifying strengths and weaknesses of internal control systems
• An important outcome of understanding the internal control system that a client puts in place is the ability to make observations, draw conclusions, and offer recommendations regarding the strengths and weaknesses observed. • When the auditor identifies internal control strengths, he or she will consider a reliance on controls approach for assertions influenced by these strengths. • If the auditor identifies internal control weaknesses, the risk of material misstatements being undetected by management's processes and controls increases. • Further, the areas of weakness are where the auditor typically performs additional substantive testing to quantify the (potential) material misstatement.
Audit sampling
• Auditors are more likely to use audit sampling when: 1. Professional standards expect the auditor to perform certain audit procedures. 2. Evidence to support the audit test is not available in electronic form. 3. The audit population is small and can efficiently be tested using traditional audit tests. 4. Relevant data is not reliable and internal controls over the reliability of data are weak. 5. Relevant data may be in different formats and is not easy to use.
ADA and substantive procedures
• Auditors use ADA to identify items that are at a high risk of material misstatement, and will use traditional substantive tests to evaluate high risk balances or transactions. • ADA, substantive analytical procedures, and tests of details are all powerful tools, but they do not replace the need for professional judgment and skepticism. • Auditors must use professional judgment when designing the procedures, interpreting the results, and determining how the results influence the nature, timing, and extent of other audit procedures. • Confirmation bias is the tendency to seek or interpret evidence in ways that support pre-existing beliefs or expectations.
Steps in a transaction stream
• Authorization. Normally a transaction is authorized at the start of a transaction stream. • Executing the transaction. This involves filling the order so that title passes to a good or service. In a sales process, normally title passes when goods are shipped or received, or when a service is completed. In a payroll cycle, the transaction takes place when individuals work. • Recording the transaction. Transactions are recorded after title passes (for goods) or services are completed and using the accrual basis. In the sales process, the transaction is recorded with a sales invoice. In the purchases process, the transaction is normally recorded with an internally prepared voucher. • Consideration. A transaction is completed when consideration (usually cash or electronic transfer of funds) is received or paid. A sales transaction is completed when cash is received from a customer. A purchase transaction is normally completed when a vendor is paid.
Automated controls
• Automated controls generally rely on the client's IT applications (or software) in some way, as discussed in the Chapter 6 section titled, "Information Technology Controls." • There are three categories of IT controls: 1. IT General Controls 2. IT Application Controls 3. IT Output Controls
Documenting internal controls
• Before the auditor tests specific internal controls, he or she needs to document his or her understanding of the internal control system. • AU-C 315.33 requires auditors to document their understanding of each of the internal control components. • The most common forms of documentation include the following: 1. Narratives 2. Flowcharts and Logic Diagrams 3. Combinations of narratives and flowcharts 4. Checklists and preformatted questionnaires
Benchmarking
• Benchmarking is an audit testing strategy that can be used to allow evidence obtained in prior audit periods to support a conclusion about IT application controls in the current audit period. • Benchmarking is based on the premise that a computer will continue to perform any given procedure in exactly the same way until such time as the program (or application) is changed.
Changes in the overall control environment
• Changes in the overall control environment. An effective entity-level control environment may allow the auditor to limit tests of controls to inquiry and observation during the period between when they tested the controls (interim) and year-end. • The auditor always needs to investigate any control exceptions (deviations) that he or she identifies during testing to find out, to the extent practical, the causes, the amounts involved, the financial statement accounts affected, and the potential effect on other audit procedures.
Cluster analysis
• Cluster analysis is the process of discovering groups (termed clusters in data science) of similar items in a set of data; items in the same group are similar, while items in different groups are not as similar. • Clustering could also be used in an audit of a construction company to look for work in progress with unusually high gross profit margins. • A risk analysis decision tree is used to determine (i) whether unusual characteristics (unusual items) are acceptable because they are underpinned by a valid business reason that can be substantiated and (ii) whether there is a risk of a material level of misstatement.
Control activities
• Control activities are policies and procedures that help ensure management's directives are carried out and that necessary actions are taken to address risks impacting the achievement of the organization's objectives. • Control activities, whether automated or manual, have various objectives and are applied at various organizational and functional levels.
Detect controls
• Detect controls are controls applied after transactions have been processed and are intended to identify whether fraud or errors have occurred, and to rectify the fraud or errors on a timely basis. • Often detect controls are applied using IT application controls. For example, a computer program may electronically match every sales invoice with an underlying shipping document to ensure a sales transaction that is about to be recorded actually occurred.
Prevent and detect controls compared
• Detect controls are often accompanied by physical evidence such as exception reports or monthly reconciliations. • Prevent controls are often driven by computer messages that are part of the particular software used by the company, and therefore there is no physical evidence of the control. • In addition to prevent and detect controls, the auditor needs to obtain evidence that the underlying transactions are captured and recorded properly. This is ordinarily done via the identification and testing of the underlying prevent controls. • Detect controls can be applied on a transaction-by-transaction basis or on reconciliations that test the accumulation of transactions.
Risk assessment procedures of accounting estimates
• During the risk assessment phase, auditors gain an understanding of the nature and type of accounting estimates made by management. • Auditors perform the following procedures: 1. Gain an understanding about what is required by the client's financial reporting framework. 2. Inquire of management regarding the process for identifying the need for accounting estimates. 3. Inquire of management regarding how accounting estimates are made. Some specific procedures include the following: 1. Inquire about the method of measurement. 2. Inquire about assumptions used by management. 3. Recalculate the accounting estimate. 4. Inspect events occurring after year-end and up to the date of the auditor's report.
Understanding entity-level controls
• Entity-level controls impact the client financial statements pervasively and involve five components: 1. The client's control environment 2. Risk assessment process 3. Control activities 4. Information and communication system 5. Monitoring of controls • Strong entity-level controls make it more likely that transaction-level controls will operate effectively. • Even if entity-level controls are strong, the auditor must still identify key controls at the transaction level.
Entity-level internal controls definition
• Entity-level internal controls are at the entity-wide or whole-organization level and have the potential to impact all of the processes management puts in place for the entire organization.
Roll-forward procedures
• For assertions that have a lower risk of material misstatement, it may be more efficient for auditors to perform substantive procedures on those assertions prior to year-end (during an interim period) to allow more time for testing higher risk assertions at year-end. • When substantive procedures are performed during an interim period, auditors must perform roll-forward procedures to update their audit findings from the time of the interim procedures through to year-end.
IT output controls vs. IT application controls
• IT Application Controls: IT application controls are the fully automated controls that apply to the processing of individual transactions. • IT Output Controls: IT output controls are automated and semi-automated controls that ensure the accuracy, timeliness, and quality of data output.
Examples of detect controls
• IT application controls and manual follow-up. Reports are automatically produced showing transactions that fall outside a set of parameters selected by the client. • Reconciliations are prepared, unusual items are then investigated, and issues are resolved or corrections made, if necessary. It is normally enough to make inquiries of staff and examine evidence that the reconciliation was properly completed and that the appropriate reviews and follow-ups were carried out by the client in a timely manner. • Management level reviews are made of actual performance versus budgets, forecasts, prior periods, competitors (if available), and/or industry averages (if available). • Performance indicators relate different sets of data, operating or financial, to each other.
IT-dependent manual controls
• IT-dependent manual controls are internal controls that are performed manually by individuals, but rely on computer-generated information. • Accounting information is input into computer systems, but the data is not subject to IT application controls; therefore, the computer processes the data without performing any tests to validate the information. • The completeness and accuracy of the system-generated accounting information depends on the effectiveness of the manual control over the computer output.
Determine preliminary audit strategy
• If the auditor identifies internal control strengths relative to an assertion, the auditor will consider the efficiency of testing the controls and possibly following a reliance on controls strategy. Therein, the auditor will test and rely upon controls, and perform fewer substantive tests. • In some cases, it may be efficient for the auditor to follow a primarily substantive approach even when internal controls appear to be strong, particularly when auditing smaller audit populations, such as notes payable. Therein the auditor will not test controls extensively and will perform more substantive tests.
Internal control in smaller entities
• In smaller entities, there are often limitations surrounding the entity's ability to put effective internal controls in place. This is due primarily to the limited number of employees and departments inherent to small organizations. And, it impacts the ability of the organization to segregate duties and functions. • This challenge is commonly recognized. Still, both the client and the auditor must be aware of the increased risk in small businesses and other small organizations, such as many nonprofit entities.
Countermeasures to mitigate risk in small entities
• Management setting a strong ethical tone at the top in order to create an ethical company culture. • Effective hiring processes, training, and supervision. • Strong and effective communication within the organization to encourage reporting of improprieties.
Management override
• No matter how strong an organization's internal controls, they can be defeated by management override. • Management override is when a manager intentionally and illegitimately abuses his/her authority to overrule prescribed laws, regulations, policies, procedures, controls, and/or safeguards - usually for direct or indirect personal gain. • The risk of management override can be reduced by establishing documented policies and procedures. However, if no such procedures or controls are in place, the risk of management override will need to be reduced from an audit perspective by the performance of additional audit procedures.
Identify what can go wrong
• Once auditors understand the flow of transactions, they will use their knowledge of assertions to understand what can go wrong (WCGW). • Auditors use the financial statement assertions to guide them in considering WCGW with each assertion relevant to the various transaction classes, account balances, or disclosures being audited.
Perform tests of controls
• Once the auditor has decided to follow a reliance on controls strategy for an assertion and has identified the key controls to test, the auditor performs tests of controls. • The auditor will design different tests for automated controls vs manual controls.
Identify relevant controls to test
• Once the auditor identifies WCGW, the auditor will look for relevant internal controls that will either prevent misstatements from happening, or detect and correct misstatements on a timely basis. • This presents a challenge for the auditor because it is uneconomical and inefficient to test every control.
Factors considered when identifying controls to test
• Points at which error or fraud could occur • The nature of the control implemented by management • The significance of each control in achieving the objectives of the control and whether more than one control achieves a particular objective. Factors that affect the risk that the control might not be operating effectively...
Prevent controls
• Prevent controls are controls applied to each transaction during normal processing and with the intent to stop fraud or errors from occurring. • When designing prevent controls, consideration is given to WCGW with the transaction (the risk of material misstatement) at the assertion level. For example, documentation may have been signed based on only a quick glance or without any review at all.
Manual controls
• Purely manual controls are those that do not rely on the client's IT environment for their operation. • For example, a client may reconcile the amount of inventory held on consignment that was manually counted during its inventory count to the amounts listed in the third party's computer-generated consignment inventory statement. • In most situations, purely manual controls are prevent controls and, therefore, the considerations for an effective prevent control, listed in the section titled "Prevent Controls," are particularly important.
Risk assessment
• Risk is defined as anything that can keep an organization from achieving its objectives. • An entity's risk assessment process is its process for identifying and responding to risks that an organization will not achieve its objectives. Risks will affect the entity's ability to survive, compete, grow, and improve the quality of its products, services, and people. • An organization's risk assessment process is different from the auditor's consideration of risk. • The purpose of the entity's risk assessment process is to identify, analyze, and manage the risks that affect its ability to achieve its operational effectiveness.
External risk factors
• Technological development can affect the nature and timing of research and development, or lead to changes in procurement. • Changing customer needs or expectations can affect product development, production processes, customer service, pricing, or warranties. • Competition can alter marketing or service activities. • New legislation and regulation can force changes in operating policies and strategies. • Natural catastrophes can lead to changes in operations or information systems and highlight the need for contingency planning. • Economic changes can have an impact on decisions related to financing, capital expenditures, and expansion.
Timing of tests of controls
• Tests of controls will usually be carried out at an interim date, often about three months prior to year-end. • The auditor will also want to complete control testing in time to allow for substantive testing at an interim date. • When the auditor concludes that control risk is low at an interim date, the auditor also needs to update that conclusion through to the year-end date. • In most cases, a client may not have made significant changes in the control environment or controls between completion of the interim work and year-end. • If tests of controls demonstrate that internal controls are strong and function effectively at an interim date, the auditor still must test the remaining period to ensure that controls functioned effectively throughout the year.
What to do when there is a large number of notable items
• The AICPA Guide to Audit Data Analytics suggests that the auditor first evaluate whether the ADA has been appropriately planned and performed and, if not, refine and reperform the ADA. • The Guide also suggests that the auditor might decide to apply a grouping or filtering process.
Which controls should be selected for testing
• The auditor begins by gaining an understanding of the entity and the business, and determining the risk of material fraud or error at the financial statement level. • The auditor then works down to transaction-level controls related to significant accounts, disclosures, and related assertions that present a reasonable possibility of material misstatement in the financial statements. • Auditors do not need to test each and every client control. Rather, auditors identify key controls that might be relevant to financial statement assertions and WCGW. • The auditor also needs to consider whether the effectiveness of one control depends on the effectiveness of other controls.
Computer assisted audit techniques and audit data analytics
• The auditor might use a variety of CAATs to test controls. A common CAAT involves submitting test data to the computer program while the program is under the auditor's control. • In addition, in various circumstances the auditor might use a form of audit data analytics (ADA) to test controls. • Subsequently, the auditor might use audit software to identify any transactions for which the individual authorizing the initiation of a transaction and the approval of the transaction for payment were the same.
Reporting findings
• The auditor must classify any breakdown as a "deficiency" in internal controls, a "significant deficiency," or a "material weakness." • If the auditor is auditing a public company in the United States and must report on Internal Controls Over Financial Reporting (ICFR), the identification of one or more material weaknesses will result in an adverse opinion on ICFR. • Internal control findings are normally reported when the auditor issues a management letter to those charged with governance of the entity. Therein, the auditor shares observations and potential ways to correct the deficiencies.
ADA as a substantive test
• The auditor will most likely perform ADA as a substantive test when the auditor has performed tests of controls and concluded that the entity has: 1. Strong IT general controls, including strong access controls 2. Strong IT application controls related to the assertion being tested 3. Strong controls over electronic data interchange and the exchange of electronic information about transactions between the client and its customers or suppliers
Cash receipts function
• The cash receipts function, which includes the processing of receipts from cash and credit sales, involves the following sub-functions: (1) receiving cash, (2) depositing cash, and (3) recording the receipts. • A major risk in processing cash receipts transactions is the possible theft of cash before or after a record is made of the cash receipt. • Thus, control procedures should provide reasonable assurance that documentation establishing accountability is created at the moment cash is received and that cash is subsequently safeguarded.
Control environment
• The control environment sets the tone of an entity and influences the control consciousness of its people. • It is the foundation for all other components of internal control and is often thought of as a combination of the culture, structure, and discipline of an organization. • The control environment reflects the overall attitude, awareness, and actions of management, the board of directors, others charged with governance, and owners concerning the importance of controls and the emphasis given to controls in determining the organization's policies, processes, and organizational structure.
Extent of substantive procedures
• The extent of substantive procedures refers to how much testing will be performed within a class of transactions or account balance. • An auditor is more likely to use ADA when the following conditions exist [SUPER IMPORTANT!]: 1. Evidence to support the audit test is available in electronic form. 2. The audit population is large and the auditor's tests are supported by reliable and relevant data in electronic form, making ADA efficient. 3. Relevant data is reliable and internal controls over the reliability of data are strong. 4. Relevant data is clean or can be cleaned up easily.
Information and communication
• The quality of information and communication affects management's ability to make appropriate decisions in controlling the organization's activities, and to prepare reliable financial reports. • Information and communication involve capturing and providing information to management and employees so that they can carry out their responsibilities, including providing an understanding of individual roles and responsibilities as they relate to internal controls over financial reporting.
Evaluate evidence and assess control risk
• The section "Results of the Auditor's Testing" discusses how to evaluate the results of tests of controls. • In some cases, tests of controls may indicate that a control is not functioning as designed. In those situations, the auditor will determine if other compensating controls exist and are effective. • If a control is not functioning as designed and other compensating controls do not exist or are not effective, the auditor should: • increase the assessed level of control risk • decrease the level of assessed detection risk • make appropriate changes to the nature, timing, and extent of substantive tests related to the assertion
The extent of tests of controls
• The tolerable deviation rate is the maximum rate of deviation from a prescribed control that an auditor is willing to accept and still use the planned control risk. • The auditor should consider the desired level of assurance that the tolerable rate of deviation is not exceeded by the actual rate of deviation in the population. • The expected rate of deviation in the population is the rate at which the auditor expects controls to not function as planned. • Using a technique called attribute sampling, the auditor is able to determine with a certain level of confidence (90% or more) that the error rate for control exceptions is acceptably low.
Observation
• This procedure involves the auditor observing the actual control being performed. For example, the auditor may observe the preparation of the bank reconciliation. • The limitation with this technique is that employees often perform procedures more diligently when they know they are being observed.
Reperformance
• This procedure involves the auditor reperforming the control to test its effectiveness. • In some smaller organizations, the auditor might find manual controls where an independent person checks the accuracy of computer output to computer input. • If the auditor wants to test this control, he or she must find evidence that the control was performed on a timely basis, and then reperform the control to make sure it was performed correctly.
Inspection of physical evidence
• This procedure relies on the auditor testing the physical evidence to verify that a control has been performed properly. • For example, auditors may read some or all of the reconciliations for other periods and examine the reconciling items to determine whether the reconciliation routinely detected errors and whether those errors were appropriately dealt with.
Inquiry
• This technique involves the auditor using questioning skills to determine how the control is completed and whether it appears to have been carried out properly and on a timely basis. • The auditor may also ask management how it ensures the reconciliation is prepared correctly and on a timely basis. • Important information obtained through inquiry should be corroborated with other evidence.
Nature of substantive procedures
• When analytical procedures are used to obtain audit evidence during the risk response phase, they are referred to as substantive analytical procedures. • AU-C 330 and AS 2301 state that auditors are required to perform substantive procedures for all relevant assertions that have been identified during the risk assessment phase. • Auditors may design a test of controls and a substantive test of details to be performed at the same time on the same transaction. This is called a dual purpose test. • Significant risk is an identified and assessed risk of material misstatement that, in the auditor's judgment, requires special audit consideration.
Is the data complete?
• When appropriate, the auditor should determine if the data set agrees with the general ledger. If the auditor is auditing an accounts receivable file (subsidiary ledger), he or she will want to make sure the receivable file matches the control account in the general ledger as of the date of the test. • The auditor should determine if there are gaps in the sequence of prenumbered documents in the audit file. • For example, if the auditor is auditing revenues, and identifies gaps in the sequence of prenumbered sales invoices, he or she may be facing a completeness problem, even if the file reconciles with the general ledger. • Data may be incomplete if it does not contain key elements of the analysis, such as unique ID numbers for personnel when auditing payroll related applications or unique customer numbers when auditing receivables.
Initial procedures
• When auditing an account balance, auditors perform several initial procedures before applying other substantive procedures. • Let's consider a prepaid insurance account that includes the transactions for all of a client's insurance policies. The following initial procedures are performed in paying insurance premiums: 1. Trace the beginning balance of the prepaid insurance account to the auditor's working papers from the prior year's audit. 2. Scan the transactions in the account for unusual items. 3. Obtain a trial balance or other detailed report for the account. • Auditors continue with the remaining substantive procedures detailed in the audit program.
Results of the auditor's testing
• When performing tests of controls, the auditor makes a "yes or no" decision. For each sample item, was the control effective or ineffective? Yes, or no? • As discussed previously, the auditor uses smaller sample sizes when the auditor expects no deviations from the prescribed control procedures. • An IT application control will be ineffective if it fails to put an appropriate transaction on an exception report. • If the test results do not confirm the preliminary evaluation of controls, the auditor will consider whether there is a compensating control that might detect and correct a misstatement missed by the original control being tested.
The extent of controls with IT application controls
• When the auditor decides to rely on IT application controls, he or she must use a more complex testing strategy. However, the auditor must also test the operating effectiveness of: 1. Controls over program changes, and/or access to data files. Here the auditor is testing the ITGCs. The auditor may choose to test controls over any changes to the payroll program to ensure changes are tested and appropriately approved. 2. Manual follow-up procedures that support the application control. The auditor must focus on how the client follows up on exceptions.
Notable items
• When the auditor uses ADA, he or she is looking for anomalies, or balances or transactions that do not meet the auditor's expectations. • The AICPA Guide to Audit Data Analytics defines these balances or transactions of audit interest as notable items. • A notable item is an item that stands out from the population being analyzed, and has one or more of the following characteristics for a relevant assertion: a. Indicates a risk of a material misstatement not previously identified (a new risk). b. Indicates a higher risk of material misstatement than anticipated by the auditor. c. Provides information useful in designing or tailoring procedures to address risks of material misstatement.
Benchmarking is appropriate when
• a programmed control can be matched to a defined program within an application (e.g., the auditor may be able to benchmark the specific program that performs the invoice extension calculation or interest computation) • the application is stable (i.e., few changes have happened or are expected to happen from period to period) • a reliable trail of program changes exists (refer to the previous discussion on ITGCs). This record or trail of program changes is used to identify each change that has been made to the application and how these changes might impact the audit approach.
Inherent limitations in internal control
• human error that results in a breakdown in internal control • ineffective understanding of the purpose of a control • collusion by two or more individuals to circumvent a control • overriding or disabling a control within a software program • decisions made by management as to the nature and extent of the control it chooses to implement
Internal control system metrics
• Formal (enforceable) vs. informal (non-enforceable) • Bonus vs. penalty oriented • Background vs. front-line • Financial vs. non-financial • Human-centered vs. technology-centered • Preventative vs. detective • Internally administered vs. outsourced
Understanding internal control
• Understanding internal control is important to (1) auditing internal control over financial reporting and (2) making a preliminary assessment of control risk. • Control risk is a key component of the overall audit risk assessment and provides evidence that influences the resulting audit strategy developed by the auditor.