Audit midterm 2

kill me

Basis of internal controls

process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives related to operations, reporting, and compliance.

auditors evaluate controls because they affect both risk of material misstatement and the nature, timing, and extent of substantive procedures.

why do auditors need to assess - internal controls

1. intended to safe guard assets. make sure investment and cash aren’t disappearing

2. generate reliable information for decision making

• helps dermine control risk

• guides whether a reliance strategy or substantive strategy is appropriate

• understand where misstatements could occur and dessign responsive audit procedures

why do auditors care about internal controls

we care on the FS. Are the controls DESIGNED and IMPLEMENTED APPROPRIATELY to PREVENT/DETECT material misstatements related to error or fraud?

Controls relevant to an audit - internal controls

controls that relate to financial reporting and assertions that are relevant.

Components of COSO internal controls

1. control environment

2. risk assessment

3. control activities

4. information and communication

5. monitoring activities

Control environment - COSO framework

TONE AT THE TOP!!

integrity, ethical values, competence, governance

risk assessment - COSO framework

internally - within the organization

management identifies and analyzes risks to achieving objectives 

control activities - COSO framework

specific policies and procedures (approvals, reconsolidations, segregation of duties)

information and communication - COSO framework

systems that capture and communicate relevant information

are they using the appropriate information to make decisions

monitoring activities - COSO framework

ongoing or periodic evaluations of control performance

internal audit, monitor their own controls 

Limitations of internal control

1. management override of internal control

2. human errors or mistakes

3. collusion 

Components of audit risk

AR = IR x CR x DR

• Inherent Risk (IR): susceptibility of an assertion to misstatement before considering controls.

• Control Risk (CR): risk that internal control fails to prevent/detect misstatement.

• Detection Risk (DR): risk auditor’s procedures miss the misstatement.

Auditors control DR through the nature, timing, and extent of substantive tests.

Substantive strategy

used when controls are weak or testing them is inefficient. Auditor performs extensive substantive testing

reliance strategy

used when controls are effective. Auditor tests controls; if they operate effectively, substantive testing can be reduced

Assertions

• Classes of transactions: occurrence, completeness, accuracy, cutoff, classification.

• Account balances: existence, rights and obligations, completeness, valuation and allocation.

• Presentation and disclosure: occurrence/rights and obligations, completeness, classification and understandability, accuracy and valuation.

why do we perform test of controls

• Performed when a reliance strategy is used.

• Objective: obtain evidence that controls operated effectively throughout the period.

• Common procedures: inquiry, observation, inspection, reperformance.
  Effective controls → lower CR → less substantive testing.

what does test of controls achieve

good internal controls? → reliance approach, less testing

BAD? → substantive approach, more testing, high CR

communication of internal control

Auditors must communicate significant deficiencies and material weaknesses in writing to those charged with governance.

Lesser issues (“control deficiencies”) may be communicated to management orally or in writing.

• Control deficiency: design or operation of controls doe snot allow management or employees to prevent/detect misstatements on a timely basis

• significant deficiency: a deficiency, or a combination, in internal control that is less severe than a material weakness but important enough to merit attention by those charged with governance 

• material weakness: a deficiency, or a combination, in internal control that this is a reasonable possibility that a material misstatement of the FS will not be prevented on a timely basis

preventive control

stop misstatements before they occur (e.g., segregation of duties, authorization).

detective control

identify errors after they occur (e.g., reconciliations, reviews).

manual controls

performed by people; flexible but error-prone

automated controls

programmed and consistent; require evaluation of IT general controls.

Often combined (manual review of automated reports)

different procedures used in testing controls

• inquiry

• observation

• inspection of physical evidence

• reperformance

• test of software controls

factors that influence the sample size for test of controls

1. tolerable deviation rate

2. desired level of assurance

3. expected rate of deciation

4. the number of sampling units aka. population size

tolerable level of assurance

maximum error the auditor will accept

INVERSE RELATIONSHIP TO SAMPLE SIZE

larger samples - the smaller the rate from the prescribed control procedure that the auditor can tolerate, the larger the sample size

smaller samples - the larger the rate from the prescribed control procedure that the auditor can tolerate, the smaller the sample size

desired level of assurance

desired certainty in conclusions

the tolerable rate of deviation is not exceeded by the actual rate of devision in the population

DIRECT RELATIONSHIP TO SAMPLE SIZE - related to DR

larger samples - higher levels of assurance

smaller samples - lower levels of assurance

expected rate of deviation

anticipated error rate

DIRECT RELATIONSHIP TO SAMPLE SIZE

large samples - the closer tolerable deviation rate and expected deviation rate are to each other, the larger the sample size

smaller samples - the greater the amount of difference between tolerable deviation rate and expected deviation rate, the smaller the sample size

population size larger than 5000

NO AFFECT :D - unless very very super duper small

different types of control deficiencies

it will alter opinions on internal controls, but won’t need to alter FS opinion

material deficiencies → material weakness

not material but significant deficiencie(s) → significant deficiency

neither material nor significant → control deficiency

material deficiencies - impact on the report in ICFR and who to report to?

MATERIAL WEAKNESS! → adverse opinion on ICFR

report to those charged with governance of the entity and to management

not material but significant - impact on the report in ICFR and who to report to?

significant deficiency → unqualified opinion on the ICFR

report to those charged with governance of the entity and to management

neither material nor significant - impact on the report in ICFR and who to report to?

control deficiency → unqualified opinion on ICFR

report to management (but it does depend how they respond to feedback and how touchy they are about things that they are doing wrong!)

how will the results of control testing impact the nature of audit procedures performed?

if controls are effective, the auditor can rely on them and perform less detailed substantive testing and more analytical procedures

if controls are ineffective, the auditor must perform more reliable substantive procedures

how will the results of control testing impact the timing of audit procedures performed?

effective controls → testing may be performed at interim dates (before year-end) and with roll-forward procedures

ineffective controls → testing should occur closer to or at year-end, when final figures are available to reduce DR

how will the results of control testing impact the extent of audit procedures performed?

effective controls → smaller samples size or reduced scope of substantive procedures

ineffective controls → larger samples size, more accounts testing, increased procedures to obtain sufficient and appropriate evidence

5 step approach for planning and performing audit data analytics

1. obtain company background information and data

2. what is the audit problem you are trying to solve

3. gather information and evidence

4. perform the analysis and evaluate the results

5. draw an audit conclusion

the steps associated with gathering and preparing data for analytics (Step 3)

Access and prepare data for ADA

1. determine that the data is complete

• verify that the data is the same data that is used to prepare the financial statements

• check the numerical continuity of the data

• does it include key elements needed for analysis

• is data sufficient to draw a conclusion

2. does the data need to be cleaned?

• are there files with missing data

• are the data appropriately and consistently formatted

Includes data extraction, cleansing, transformation, validation, and formatting.
Auditors ensure data are complete, accurate, and authorized before analysis.

different types of application of data analytics in risk assessment

1. clustering transactions or balances based on a particular characteristic or multiple characteristics 

2. matching the characteristic of two populations to see if there are any overlaps 

3. regression analysis, whereby the notable items are identified using statistics

4. visualization, where the auditor plots certain characteristics of a population of account balances or transactions, looking for unusual characteristics

use of the risk analysis decision tree

Framework guiding whether ADA is used for risk assessment, tests of controls, or substantive procedures, depending on the reliability of data and strength of expectations.

notable items

when the auditor uses ADA, they are looking for anomalies, things outside of our expectations. These transactions or relationships that stand out from expected patterns become the focus of further audit procedures

benefits of data visualization

1. Facilitate people making visual comparisons between data elements. This
   can help auditors identify patterns, deviations from patterns, and outliers in the analysis stage of an ADA.

2. Are generally understood by a wider audience, because visualizations reduce the message to its core components and use minimal, or no, jargon.

3. Communicate a lot of information efficiently

4. Are likely to be remembered

risks of data visualization

misinterpretation, over-simplification, or misleading visuals if scales or filters distort data.

the scaling, remember the axis example. if you do not scale the visual correctly, it will not provide much benefit and becomes hard to read.

how are data analytics used in substantive testing

will perform ADA as a substantive test when the test of controls and the entity is:

• strong IT general controls, including strong access controls

• strong IT application controls related to the assertion being tested

• strong controls over electronic data interchange and the exchange of electronic information about transactions between the client and its customers or suppliers

a number of substantive procedures involve matching information in actg records with information on underlying documents

risk response at the financial statement level

Auditors design overall responses (e.g., assign more experienced staff, add unpredictability, perform year-end testing) and assertion-level responses (specific tests).

1. emphasize that audit team members should maintain professional skepticism

2. assign more experiences staff to areas of higher risk of material misstatement

3. provide more supervision

4. include more elements of unpredictability in the selection of audit procedures  (more CFOs were auditors)

5. make general changes to the nature, timing, and extent of audit procedures to obtain more persuasive evidence

substantive analytical procedures

compare recorded amounts or ratios to expectations the auditor develops using independent data. provides audit evidence about the reasonableness of an account balance or transaction

when used:

• the relationships are predictable

• controls are effective and risk is low

• data are reliable

effectiveness depends on:

• nature of the assertion

• plausibility and predictability of the relationship

• availability and reliability of the data used to develop the expectation

  • consider the source of data, controls over data, testing of data and comparability of data

• precision of the expectation

when are substantive analytical procedures typically used

for assertions that have a lower risk of material misstatement, it is efficient to perform prior to year-end (at interim)

• when this happens, auditors have to perform a roll-forward procedure to update their audit findings from the time of the interim procedure through to year-end

for assertions that have a higher risk of material misstatement, it is efficient to perform at year-end

factors to consider whether substantive analytical procedures are appropriate

When relationships amount data are predictable and stable

when control risk is low and data is reliable

during interim or final analytical review stage to test reasonableness

tests of detail

direct test of monetary accuracy of individual transactions and balances - they provide high-quality, persuasive evidence, but are time consuming

refers to the substantive procedures auditors use to test the details of account balances, transactions, and disclosures

• the nature of the assertion being tested affects the type of test of details the auditor use

Used when analytical procedures are insufficient or risk is high

when do we use ADA v sampling

ADA: when the entire population is available and data is reliable - full population testing

sampling: when manual inspection is needed or data are unstructured

factors to consider regarding the performance of substantive procedures at an interim date

more likely to perform analytical substantive tests at interim if:

• internal controls (and control environment) are effective

• assessed risk of material misstatement is low

• information is available during the interim period that may not be readily available at year-end

• the type of procedure can be performed at interim (ex: inquiry of management of fixed assets can be at interim but observation of the physical inventory count can only be a year-end)

• little change is expected in an account balance during the period from interim to year-end

• additional procedures can be performed during the period after interim and after year-end

relationship of RMM and detection risk and the impact on the nature, timing and extent of substantive procedures

there is an inverse relationship

high RMM → low DR → more substantive testing, done at year end, larger samples

medium RMM → medium DR → mix of controls and substantive testing

low RMM → high DR → more reliance on controls, less detailed substantive testing

types of estimates

an approximation of a monetary amount when a precise measurement is not available

two types

1. forecasting the outcome of a transaction or event, as required by a financial reporting framework

2. determining fair value of a transaction or FS item for inclusion in the FS, and disclosure in the notes as required by the financial reporting framework (FV is not always given to us, we might have to estimate)

risks of audit estimates

estimation uncertainty - how difficult is the estimate to make?

management bias - how/is management able to be neutral and objective in making this calculation? do they have a number in mind already and is trying to hit it?

how do we audit estimates

1. gain an understanding about what is required by the client’s financial reporting framework

2. inquire of management regarding the process for identifying the need for actg estimates

3. inquire about how actg estimates are made

• what are the method of measurement?

• what controls are in place?

• what assumptions are used and how are they developed?

• has there been a change, or should there be a change, in the methods or assumptions used to make an actg estimate?

• has management considered the effective of estimation uncertainty?

specific procedures include

• inquire about the method of measurement

• inquire about assumptions used by management

• recalculate the accounting estimate

• inspect events occurring after year-end and up to the date of the auditor’s report

• review prior year estimates for accuracy and appropriate methodology (does it make sense? were PY estimates close to actual?)

different types of misstatements noted during an audit

• factual

• judgmental

• projected

factual - type of misstatement noted

we found a misstatement in testing - related to projected misstatement

judgmental - type of misstatement noted

mainly relates to estimates or disclosures - did management disclose everything we think they should’ve?

projected - type of misstatement noted

our projection that we think the error is as a population as a whole based on a sample. this is why factual and projected are related.

factual error is in the sample. take that error rate and apply it to the population.

why does an auditor use sampling?

to be effective, the sample must be representative of the population, and therefore, likely to provide a reasonable basis for conclusions about the population.

sampling is the application of audit procedures to less than 100% of a population to draw conclusions about the entire population. It allows auditors to form a conclusion while balancing assurance with cost and time.

• populations are often too large to test fully

• enables auditors to obtain sufficient and appropriate evidence effectively

• supports conclusions about assertions (existence, completeness, valuation)

drawbacks of sampling

1. sampling risk - sample may not be representative of the population

• risk of incorrect rejection

• risk of incorrect acceptance

2. human judgement - non-statistical sampling depends on auditory judgement, which may be biased

3. population changes - populations vary over time, the results may not hold across periods

4. cost-benefit trade-off - smaller sample means lower costs but higher sampling risk

sampling risk

the possibility that the auditor reaches an inappropriate conclusion in testing because the sample drawn is not representative of the population

risk of incorrect rejection - sampling risk

in a test of internal controls

• the risk that the sample supports a conclusion that the control is not operating effectively when, in fact, it is operating effectively

in a substantive testing

• the risk that the sample indicates that the recorded balance is materially misstatement when, in fact, it is not

RELATES TO EFFICIENCY ISSUES - bc auditors waste their time doing more testing when it was not needed

risk of incorrect acceptance - sample risk

in test of internal controls

• the risk that the sample supports a conclusion that the control is operating effectively when, in fact, it is not operating effectively

in substantive testing

• the risk that the sample supports the recorded balance when it is, in fact, materially misstated

RELATES TO AN OPINION ISSUE - this is a big worry bc it can cause use to release an incorrect opinion

non-sampling risk

the risk that an auditor arrives at an inappropriate conclusion for a reason unrelated to sampling issues (this can be a problem with procedures, evidence, misunderstanding, untrained staff)

controlled by a review of other people’s work. supervision, review, quality control within the firm