Lecture 5 - Advanced Auditing

What are internal controls?

Policies and procedures ensuring reliable financial reporting and achievement of control objectives.

Why do auditors evaluate internal controls?

To assess RMM, determine control reliance, and design audit procedures.

What standards require understanding of controls?

ISA 315 (risk assessment) and ISA 330 (responses to assessed risks).

What are the five COSO components?

Control environment, risk assessment, control activities, information & communication, monitoring.

Three types of controls?

Preventive, detective, corrective.

Example of preventive control?

Segregation of duties, authorization.

Example of detective control?

Reconciliations, performance reviews.

Example of corrective control?

Adjusting entries, reprocessing transactions.

What are the three stages of control testing?

Design, existence, operating effectiveness.

What is design effectiveness?

Whether a control can prevent/detect misstatements.

What is operating effectiveness?

Whether the control works consistently throughout the period.

What must auditors do to rely on controls?

Test design, existence, and operating effectiveness.

Are substantive procedures always required?

Yes, for all material FSLIs.

What if control deviations occur?

Perform further testing or shift to substantive procedures.

What are IT dependencies?

Automated elements auditors rely on (interfaces, report logic, calculations).

What are automated controls?

Accuracy checks, system calculations, workflows.

Why must auditors test ITGCs?

Automated controls rely on ITGCs functioning properly.

Main categories of ITGCs?

Change management, access management, continuity management.

Risks related to change management?

Unauthorized program changes, incorrect data conversion.

Risks related to access management?

Excessive access, direct data manipulation, misconfigured settings.

Risks related to continuity management?

Inability to recover data, unauthorized network access, failed scheduled tasks.

What happens if ITGCs are ineffective?

Auditor cannot rely on automated controls; must increase substantive testing.