Audit Test 2

Management Responsibilities

establishing and maintaining adequate internal control over financial reporting; assess and report on the effectiveness of internal control

Internal Control

a process designed to provide reasonable assurance regarding the achievement of objectives in three categories

Reliability of financial reporting

Internal Control Objective (1)

Effectiveness and Efficiency of Operations

Internal Control Objective (2)

Compliance with applicable laws and regulations

Internal Control Objective (3)

Auditors’ Responsibility

issue an opinion about the effectiveness of ICFR (public); evaluate whether controls are in place to mitigate fraud risk; assess control risk to determine the nature, timing and extent of substantive procedures

Less Reliance on Internal Control

higher control risk; higher RMM; lower detection risk

More reliance on Internal Controls

lower control risk; lower RMM; higher detection risk

Nature (less reliance)

more effective tests (ex. use of substantive tests of detail)

Nature (more reliance)

less effective tests (ex. use of substantive analytical procedures)

Timing (less reliance)

testing performed at year-end

Timing (more reliance)

testing can be performed at interim

Extent (less reliance)

higher sample size

Extent (more reliance)

lower sample size

Limitations of Internal Controls

human error due to mistakes in judgement, fatigue, or carelessness; deliberate circumvention; management override; collusion among employees

Control Environment

COSO (1)

Risk Assessment

COSO (2)

Control Activities

COSO (3)

Information & Communication

COSO (4)

Monitoring

COSO (5)

17

How many COSO principles are associated with the five components of internal control

Control Environment

“setting the tone at the top”; foundation for all other components; an auditor must obtain a detailed understanding of the control environment

Control Environment Characteristics

integrity and ethical values; board of directors; management’s philosophy and operating style; organization structure; financial reporting competencies; human resources

Audit Committee

a sub-committee of independent members of board, “financially literate”, one financial expert

Fraud Hotline

anonymous phone number/email to report fraud within the company

Risk Assessment

management’s identification and analysis of relevant risks to achievement of its objectives

Control Activities

the policies and procedures that help ensure management directives are carried out

Preventive Controls

procedures that prevent misstatements before they occur (ex. limiting access, requiring approval, separation of duties)

Detective Controls

procedures that detect misstatements after they occur

Occurrence Assertion

Sales revenue is recorded when the goods have not been shipped to customers

All invoices are matched to shipping documents before recording them in the general ledger

Problem: Sales revenue is recorded when the goods have not been shipped to customers

Valuation Assertion

goods will be shipped to a new customer who is unable to pay for the goods

the credit department performs a detailed credit check of all new customers

Problem: goods will be shipped to a new customer who is unable to pay for the goods

Completeness Assertion

goods will be shipped to a customer, and the revenue is not recorded

all shipping documents are matched to sales invoices that have been recorded in the general ledger

Problem: goods will be shipped to a customer, and the revenue is not recorded

System-Generated Report

a report generated by the audit client’s information system that is used to execute its internal control procudures or produce its financial statements

Accounts Receivable Aging Report

the ________ is generated on a monthly basis by the information system. The report is reviewed by the chief financial officer to evaluate the adequacy of the allowance for doubtful accounts

Three-Way Match Exception Report

In an accounts payable process, the _______ referred to the process where a vendor invoice is compared to an approved purchase order and a receiving report to make sure that a payable is valued before payment is made; reviews by accounts payable clerk on a weekly basis

New-Hires Report

the ____ is generated on a quarterly basis by the system. Reviewed by the payroll clerk to ensure that all new employees are reflected in payroll expense

Information and Communication

the identification, capture, and exchange of information in the form that enables people to carry out their responsibilities; information systems produces a trail of actives from data identification to financial reports

Incompatible Responsibilities

combinations of responsibilities that place a person alone in a position to create and conceal misstatements due to error or frauds in his/her normal job

Occurrence Direction

Sales Order <— Financial Statements

Completeness Direction

Sales Order —> Financial Statements

Monitoring

in order to allow for continuous improvements and consider changes in the entity’s operating environment management needs to monitor its internal control systems

Monitoring Philosophies

ongoing and separate evaluations, reporting deficiencies

Internal Control Evaluation (Phase 1)

Understand and Document the clients internal controlsD

Internal Control Documents

narrative, questionnaire, or flowchart

Internal Control Evaluation (Phase 2)

Assess control risk; consider cost effectiveness of reliance/testing

Internal Control Evaluation (Phase 3)

Identify Controls to Test and Perform Test of Controls; test of controls audit procedures, re-assess control risk

Reason to NOT test controls (1)

internal control system is too ineffective in preventing or detecting misstatements to rely upon, nor justify substantive testing

Reason to NOT test controls (2)

may take more time to test controls than it would to just perform more substantive testing to provide evidence needed to conclude about a financial statement assertion

TRUE

T/F; for public companies, auditors must test controls

Test of Controls Evidence (least to most)

inquiry, observation, inspection of documents, reperformance

Vouching Direction

Summary Listing —> Source Document

Tracing Direction

Summary Listing <— Source Document

Internal Control Deficiencies Categories

Internal control deficiency, significant deficiency, material weakness

Significant Deficiency vs Material Weakness

(1) likelihood & (2) materiality that a potential/actual misstatement would not be detected on a timely basis

Reporting to Audit Committee

significant deficiencies and material weakness’ found; Sarbanes-Oxley requires that the report be in writing, auditor may communicate during or after audit

transaction-level controls

controls that pertain to specific classes of transactions, account balances, and disclosures

walkthrough

observing the actives that occur and the documents that are used within an internal control process; seek to understand (1) flow of transactions (2) the points in the process where a material misstatement could occur (3) the controls that management has put in place to mitigate each riskde

design effectiveness

determining whether the internal controls over financial reporting would be expected to prevent or detect errors or fraud that could result in a material misstatement in the financial statements

operating effectiveness

whether the control is operating as designed and the person performing the control possesses the necessary authority and qualifications to perform the control effectively

audit trail

a chain of evidence provided through coding, cross-references, and documentation connecting account balances and other summary results with the original transaction source documents

Automated Application Controls

applied to specific business actives within an accounting information system; address relevant assertions about significant accounts in the financial statements

IT Control Issues

(1) existence of systematic rather than random processing errors (2) lack of an audit trail (3) possibility of inappropriate access to computer files and programs (4) reduced human involvement in processing of transactions (5) input error possiblities

IT Control Dependencies

(1) purely manual control activities (2) manual control activities that rely on a system generated report (3) entirely automated controls

General Controls

apply to all applications of an automated accounting information system; seen as pervasive across the entire technological infrastructure at an audit client

General Control Categories

(1) access to programs and data controls (2) program change controls (3) computer operations controls (4) program development controls

Access Controls

provides reasonable assurance that access to programs and data is granted only to authorized users

Program Change Controls

implemented by the entity to provide reasonable assurance that request for modifications to existing programs are (1) properly authorized (2) involve appropriate users (3) tested and validated prior to use (4) appropriate documentation

Computer Operations Controls

(1) the processing of transactions though the accounting information system is in accordance with objectives (2) processing failures are resolved on a timely basis and do not affect/delay the processing of there transactions (3) actions re taken to facilitate the backup and recovery of important data

Program Development Controls

(1) acquisition and development of new programs are authorized and conducted in accordance with policy (2) appropriate users (3) tested and validated programs/software (4) appropriate documentation

Automated Application Controls

controls applied to specific business activities within an accounting information system to mitigate the risk of material misstatement

Automated Application Control Categories

(1) Input Controls (2) processing controls (3) output controls

Input Controls

designed to provide reasonable assurance that data received for processing by the computer department has been properly authorized & accurately entered or converted for processing

Processing Controls

data processing has been performed accurately without any omission or duplicate processing of transactionsO

Output Controls

output reflects accurate processing; only authorized persons receive output or have access to files generated from processingC

Check Digit

numbers used in accounting systems in lieu of customer names, vendors, ect…; digits must match

Batch Total

total sum of important and numerically meaningful quantity or amount

Control Totals

record counts, batch totals, hash totals, and run-to-run totals calculated during processing operations and summarized in a report

Assessing Control Risk in an IT Environment (1)

identify specific types of misstatements that could occur

Assessing Control Risk in an IT Environment (2)

Identify points in the flow of transactions where misstatements could occur

Assessing Control Risk in an IT Environment (3)

Identify control procedures designed to prevent or detect misstatements (general controls and automated application controls)

Assessing Control Risk in an IT Environment (4)

Evaluate design of control procedures (are tests of controls cost effective?; does the design suggest a low control risk?)

Test Data Approach

simulated transactions containing known errors to test the client’s controls

The Test of One

only one type of each kind of transaction error needs to be tested

End User Control Issues

(1) lack of separation of duties (2) lack of physical security (3) lack of program documentation and testing (4) limited computer knowledge of personnel

Damage-Limiting Control

designed to limit the amount of fraud if it does occur

Attribute Sampling

used to estimate the extent to which a characteristic exists within a population

Deviation Conditions

estimate the rate a which internal control activities are not functioning as intended

Tolerable Rate of Deviation

compare estimated rate to an allowable rate

Sampling Step (1)

Determine the objective of the sampling

Sampling Step (2)

define the characteristic of interest

Sampling Step (3)

define the population

Sampling Step (4)

determine the sample size

Sampling Step (5)

select the sample items

Sampling Step (6)

measure the sample items

Sampling Step (7)

evaluate the sample results

Risk of Overreliance

assessment of control risk too low, samples indicate controls functioning effectively but they’re not in reality

Risk of Underreliance

assessing control risk too high, samples indicate controls are not functioning effectively but controls in reality are