Upgrade to remove ads
Only $2.99/month

ACCT 422 Chapter 13

Terms in this set (76)

Four reasons why to conduct an assurance engagement:
Risk, Internal Controls evaluation for External Reporting, "post mortem" event diagnose, modifications to process (immediate changes) needed.
Risk
Inherent risks identified during the business risk assessment process,
Risks detected the last time the area was audited, and
Other relevant factors.
Regarding risk, the auditor must:
Understand what underlying business risks
Design the engagement plan
->to provide the appropriate assurance regarding the design adequacy and operating effectiveness of controls implemented -> to mitigate those risks.
Internal controls evaluation for external reporting
U.S. Sarbanes-Oxley Act of 2002 Section 404 requirements
The internal auditor must:
Ensure that the engagement is designed to test the areas covered by the underlying regulations (for example, provide assurance regarding the design adequacy and operating effectiveness of internal control over financial reporting).
"Post mortem" event diagnose
A recent event (for example, natural disaster, fraud, or customer bankruptcy) has tested the process under unusual circumstances and management desires a "post mortem" to determine where the process was effective and where it was not.
The internal auditor must tailor the testing and evaluation around the specific event that occurred.
Modifications to process (immediate changes) needed:
Changes in the business or industry require immediate modifications to the process -> management desires a quick validation that these modifications appear to be designed appropriately to address the changes.
The internal auditor may perform
a full controls-focused audit or
to focus only on the controls that changed
Which of the following is not likely to be an assurance engagement objective?
a. Evaluate the design adequacy of the payroll input process
b. Guarantee the accuracy of recorded inventory balances
c. Assess compliance with health and safety laws and regulations
d. Determine the operating effectiveness of fixed asset controls
b. Guarantee the accuracy of recorded inventory balances
Why is establishing engagement objectives important:
Know what to accomplish and how to accomplish
Know what to accomplish
Engagement objectives articulate specifically what the engagement is trying to accomplish.
Know how to accomplish:
Without the establishment of formal engagement objectives, the internal audit team may not be aligned with the reasons for the engagement and, consequently, may conduct inadequate or unnecessary tasks.
5 types of scope statements
Boundaries of the process, in-scope versus out-of-scope locations, subprocesses, components, time frame limitations.
Scope: boundaries of the process
At what point in the process the engagement will begin and where it will end
Scope: in-scope versus out-of-scope locations
Which location will be included (not included) in the engagement
Scope: subprocesses
A discrete and recognizable portion or component of a process
Larger processes may be composed of a series of subprocesses
Scope: components
Certain portions/components of a process maybe omitted
Scope: time frame limitations
The period of time (or point of time) the engagement covers
Scope
What is or is not included in the engagement.
Validate objectives and scope by considering two "ends"
Potential outcomes of the tests of engagement
Deliverables
Anticipate testing exceptions -> detect such exceptions, such as:
Financial errors or misclassifications in accounts, balances, or disclosures
Control deficiencies: specific controls not achieving desired effect
Shortfalls in objectives: due to control deficiencies or inadequate performance
Inefficiencies: due to resources not being deployed in optimal manner
Out-of-compliance situations: laws, regulations, policies not complied
Deliverables
auditee expectations regarding engagement communications
Types of deliverables communication:
Full-scope internal reports for wide distribution
Internal memoranda for limited distribution
Reports for 3rd party
Communication with higher level of confidentiality
Understanding the form and content of the final communication
helps to ensure all necessary information is gathered during the engagement.
Auditee
The subsidiary, business unit, department, group, or other established subdivision of an organization that is the subject of an assurance engagement.
Different process has different objectives-> 4 Objective types in COSO ERM framework:
Operations, Reporting, Compliance, Strategic
Operations Objectives
Reason the process exists
Governance or task-oriented-> frequently focus on
accuracy, timeliness, completeness, or control attributes (Governance)
ensuring the effectiveness and efficiency of operations (Task-oriented)
safeguarding of assets (Task-oriented)
The most common process objective
due to the fact that most auditable processes are created to support an important but non-strategic aspect of the business
Reporting Objectives
To meet reporting needs (internally or externally) Usually embedded in or produced as a by-product of operational processes
Compliance objectives
(laws, regulations, policies, contracts)
Usually embedded in or produced as a by-product of operational processes
Strategic Objectives
to align with the organization's strategic objectives
Link between day-to-day activities and the strategies that drive an organization's success.
Auditor needs to approach the process as a component of the organization as a whole
Tend to be less task-oriented and more subject to the judgments and efforts of individuals
Sources of useful process information from process owners:
Policies relating to the process.
Procedures manuals.
Organizational charts or similar information outlining the number of employees and key reporting relationships.
Job descriptions for people involved in the process.
Process maps or flowcharts depicting the overall flow of the process.
Narrative descriptions of key tasks or portions of the process.
Copies of key contracts with customers, vendors, outsourcing partners, etc.
Relevant information regarding laws and regulations affecting the process.
Other documentation that may have been developed to support required reporting on the effectiveness of the system of internal controls.
Analytical Procedures
Reviewing and evaluating existing information, which may be financial or nonfinancial, to determine whether it is consistent with predetermined expectations
High-level assessments-> may reveal process activities that warrant closer attention and, accordingly, more detailed testing -> effectiveness of processes
Examples:
Benchmarking financials
Ratio analysis
Budget vs. Actual
Data Analysis Using CAATs
To obtain information about the population of transactions that could prove useful when determining the internal audit approach.
help the internal auditor design tests that more effectively address the inherent risks in the process.
Entity level controls
controls that operate across an entire entity and, as such, are not bound by, or associated with, individual processes
Entity-level controls are pervasive
may influence controls across the organization.
Weaknesses in entity-level controls can make it easier to
circumvent controls within a process that are otherwise well designed.
The existence of entity-level control weaknesses may cause the internal auditor to:
apply more direct and substantive tests of controls with potentially larger sample sizes to:
satisfy audit objectives and
provide reasonable assurance that the entity-level weaknesses did not cause the process-level controls to operate ineffectively.
Which of the following controls is not likely to be an entity level control?
a. All employees must receive ongoing training to ensure they maintain their competence
b. All cash disbursement transactions must be approved before they are paid
c. All employees must comply with the Code of Ethics and Business Conduct.
d. An organizationwide risk assessment is conducted annually
b. All cash disbursement transactions must be approved before they are paid
3 common ways of documenting a process flow
Process maps, flowcharts, narrative memoranda
Process maps
To depict the broad inputs, activities, workflows, and interactions with other processes and outputs
Provide a framework to understand the activities and sub-processes
Flowcharts
Expands on a process map to include computer systems and applications, document flows, detailed risks and controls, manual versus automated steps, elapsed time, and owners of key steps.
Help reviewer understand the process and its flow.
Narrative memoranda
Provide information about the process flow using only written words
To combined with flowcharts to create a hybrid form of documentation.
High-level flowcharts
To depict broad inputs, tasks, workflows, and outputs
Helps reviewers understand the overall activities, systems, reports, and interfaces with other processes or subprocesses.
This understanding will provide a frame of reference for identifying key subprocesses and systems that may be considered for the scope of the engagement.
An important starting point
Yet it does not provide the depth and level of detail needed to support the internal auditor's judgments regarding the design of the process
Detailed Flowcharts
Documents the more specific inputs, tasks, actions, systems, decisions, and outputs-> Provide:
More detailed depiction of the process flow
Additional information that enhances the understanding of the process.
Reasons for use of Narrative Memoranda
Process is too simple (that a flowchart is not necessary)
Septs are too complicated (that a flowchart is not enough)
Process owner's preference (can use the memo to support other doc.)
More efficient (than flowchart)
6 categories a memorandum generally include:
Overall description of the process.
Key inputs.
Key steps in the process.
Key outputs.
Risks that threaten the process.
Key controls.
Which of the following is not typically a key element of flowcharts or narrative memoranda?
a. Overall process objectives
b. Key inputs to the process
c. Key outputs from the process
d. Key risks and controls
a. Overall process objectives
Identifying Key Process Indicators (KPIs)
A metric or other form of measuring whether a process or individual tasks are operating within prescribed tolerances.
Two key reasons internal auditors must identify and understand process-level key performance indicators (KPIs):
It tells the auditor how process-level control activities are monitored
-> aids in the evaluation of both the design adequacy and operating effectiveness of the process.
It gives an indication of management's tolerance levels surrounding the process
-> provides the internal auditor with insights as to how to evaluate the significance of testing exceptions or observations.
KPIs should be
Relevant
Measurable
Available
Aligned (with key objectives of the process)
Articulated (to the people involved)
Evaluating Process-Level Fraud Risks
Fraud
Any illegal act characterized by deceit, concealment, or violation of trust.
Not dependent upon the threat of violence or physical force.
Are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
3 steps to evaluate potential fraud scenarios in the process
Identify potential fraud scenarios
Understand potential fraud impact (impact of each fraud scenario)
Determine whether to test for specific fraud risks
Inherent likelihood of risk increases if there is the potential for fraud
When an individual intends to commit a fraud or there is collusion among multiple individuals, the inherent likelihood of a given risk may be greater.
The likelihood of a risk is commonly assessed assuming individuals are honest and intend to do the right thing.
Process-level risk scenario
Is any realistic event or situation that could make it difficult to achieve one or more process-level objectives.
Each scenario can be thought of as a separate root cause impacting those objectives.
Question to ask: what can happen that would prevent the achievement of each process-level objective? To answer:
Choose a single process-level objective
Brainstorm barriers
Continue the exercise for the remaining process-level objectives
Categorize and combine similar risk scenarios (to define process-level risks)
Process-level risks
Represent a collection of like scenarios or root causes that have similar characteristics.
The reason for grouping risk scenarios in this manner is that typically the similar root causes can be managed in a comparable manner. This classification of scenarios helps simplify risk assessment and risk management.
3 steps of conducting a process-level risk assessment:
Determine the impact of various outcomes associated with each risk.
Estimate the likelihood that each risk impact will occur.
Combine the assessment of impact and likelihood into a single risk assessment
Understanding Management's risk Tolerance-> 3 steps
Identify Possible Risk Outcomes.
Understand Established Tolerance Levels.
Assess Tolerance Levels for Outcomes that Have Not Been Established
Identify Possible Risk Outcomes
Frequently outcomes are measured in financial terms
Other risk outcomes are either do not lend themselves to financial measurement or are more severe than the financial impact, such as:
Safety of employees
Failure to protect the privacy of customer data
Understand Established Tolerance Levels.
discussions can be held with process management to identify tolerance levels that they have already established. Such levels may be reflected in documentation of key performance measures, individual performance goals, or in other communications.
Assess Tolerance Levels for Outcomes that Have Not Been Established
To the extent that established tolerance levels do not comprehensively address all possible risk outcomes, discussions should be held with process management to determine appropriate tolerance levels. Questions to facilitate this discussion include:
How much variability can you or senior management tolerate relative to the achievement of process objectives?
What types of outcomes would you consider to be unacceptable?
What types of risk scenarios would you be uncomfortable dealing with?
Key control
An activity designed to reduce risk associated with a critical business objective.
Examples of common control types (at process level):
Approving
Calculating
Documenting
Examining
Matching
Monitoring
Restricting
Segregating
Supervising
Key questions to ask when evaluating the adequacy of process design:
Does the internal auditor understand what an "acceptable level" of risk is, based on management's risk tolerance levels for the process?
Do the key control activities, taken individually or in the aggregate, reduce the corresponding process-level risks to acceptable levels?
Are there additional compensating controls from other processes that further reduce risks to acceptable levels?
Does it appear that the key controls, if operating effectively, will support the achievement of process-level objectives?
To the extent appropriate, does the process design address effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations, and achievement of strategic objectives?
What gaps, if any, exist to improve the effectiveness and efficiency of the process?
What specific gaps exist in the design of the process?
What are the possible outcomes or effects of those gaps?
Why do these gaps exist — that is, what are the root causes?
Determining which controls to test
The primary focus of testing is to determine whether the key controls are operating effectively enough to ensure process-level risks are managed sufficiently
Factors to consider in determining which controls to test:
Are there higher-level controls that might, by themselves, provide reasonable assurance that the relevant risks are managed sufficiently?
Are there other compensating controls that address multiple risks?
Was the design of controls assessed as being adequate?
When do the key controls operate, and, based on the period within scope for the engagement, is it practical to test certain key controls?
Have there been changes in the process during the period that result in certain key controls operating for only a portion of the period within scope?
Which of the following controls is likely to be least relevant when evaluating the design adequacy of a cash collections process?
a. Calculating the amount of cash received
b. Documenting the rationale for selecting the bank account into which the deposit will be made
c. Matching the total deposits to the amounts credited to customers' accounts receivable balances
d. Segregating the preparation of deposit slips from the adjustment of customer account balances
b. Documenting the rationale for selecting the bank account into which the deposit will be made
Developing a testing approach
To consider: nature, extent, and timing of tests to be performed
Documenting the testing approach
Risk and Control Matrix
Work Program
A document lists the procedures to be followed during engagement
Tasks covered in the typical work program
Key administrative tasks, such as preparation of a planning memorandum, scheduling resources, establishing milestone dates, etc.
Conducting a kick-off meeting with process-level management to discuss the objectives and scope of the engagement, process-level risks, timing of the engagement, information needed from process-level employees, reports or other deliverables, and any expectations management has of the engagement.
Planning tasks, which list each of the tasks discussed in this chapter.
Fieldwork tasks, which list the specific tests that will be conducted.
Wrap-up steps, such as clearing open review notes, conducting a closing meeting with process-level management, finalizing the workpapers, etc.
Reporting tasks, such as preparing a draft engagement communication, soliciting feedback from process-level management, and issuing a final engagement communication (covered more fully in Chapter 14, Communicating Assurance Engagement Outcomes and Performing Follow-up Procedures).
Budgeting should include a reasonable estimate of
the number of hours needed to complete the engagement, and
other costs that may be required such as travel, technology, and supplies.
Allocating Human Resources—by asking
What types of skills are needed on this engagement?
What previous experience will be required on the engagement?
Who in the department has the skills and experience to meet these needs?
Is there a need for any specialty skills that do not exist within the internal audit function? If so, where can these skills be obtained at a reasonable cost?
Are there professional development considerations that might impact the allocation of resources to this engagement?
Are there any other unique departmental considerations that may impact which internal auditors should be assigned to the engagement?
Scheduling-> consider the availability of
Key process personnel, engagement resources, outside resources, key reviewers
The assurance engagement transitions from the planning phase to the
performing phase
Use Risk and Control Matrix to document results of testing
Process-level Risk
Key Controls
Design Adequacy
Testing Approach (of each listed process-level risk)
Results of Testing (regarding each listed process-level risk)
Testing Conclusions
The internal auditor must consider the following questions when evaluation evidence gathered from audit testing
Are the key controls designed adequately?
Are the key controls operating effectively, that is, as they are designed to operate?
Are the underlying risks being mitigated to an acceptable level?
Overall, do the design and operation of the key controls support achievement of the objectives for the process or area under review?
The four key elements of a well-written observation are
condition,
criteria,
cause, and
effect.
THIS SET IS OFTEN IN FOLDERS WITH...