Chapter 8: Planning and Testing Operating Effectiveness of Internal Control over Financial Reporting

Terms in this set (46)

AS 5 Procedures for Gathering Evidence include ones that are applicable to Testing Controls.

Testing Control Procedures:

1) Inquiry: test personnel knowledge and activities. Not sufficient to support effectiveness, but corroborates.

2) Inspection: Inspect relevant documents to test controls that require documentary evidence. Complete docs, signatures.

3) Observation: Test the way controls are performed. Observe activities to see if performed correctly. Only test performance at time of observation though.

4) Reperformance: Reperformance of application of control. Effective when documentary evidence of control exists.

5) Recalculation is a specific type of reperformance.

The auditor performs the audit procedure that tests whether the CONTROL OBJECTIVE is achieved.

CONTROL OBJECTIVE (AS5): Specific target against which to evaluate Effectiveness of Controls.

A Control Objective...relates to a relevant ASSERTION and states a criterion for evaluating whether the company's control procedures in a specific area provide REASONABLE ASSURANCE.

Ex. Disbursements only made for Authorized purchases. Criterion: No disbursements unless vendor on list, vendor invoice supported by approved purchase and receiving report.


Assertion: Occurrence
Control Objective: Disbursement only for Authorized Purchases
Criterion For Eval: 1) Disbursement on Vendor List
2) Vendor invoice supported by approved purchase and receiving report.

Assertion: Rights, Valuation
Control Objective: All Sales Transactions using CC follow CC issuers' required procedures so that receivables are collectible from CC issuer.
Criterion For Eval: 1) CC scanned at PS and electronic approval rec'd 2) CC inspected by cashier for signature 3) Customer signature on sales processing doc

Assertion: Occurrence
Control Objective: Payroll disbursement only made to Current Employees for labor actually provided
Criterion for Eval: 1) Payroll Master File up to date 2) Disbursements to employees on Payroll Master File 3) Disbursement for amount earned consistent with rates documented in personnel files and hours worked supported by time records or salaries supported by contracts.

CAATs: Computer Assisted Audit Techniques
- Is a testing strategy for completely automated controls.
- Relies on the assumption that automated controls are going to continue to function in a consistent manner unless something changes within the program (application) or in the surrounding environment.
- This is a strength of IT.

Benchmarking is appropriate only when both ITGC and application controls are effective.

Through benchmarking, auditor TESTS computer application at a baseline point in time and establishes that it functions properly.

Year 1: Test whether program and application controls function correctly and whether ITGC are effective.

If yes, in subsequent audits the auditor can rely on benchmark tests of application controls and limit testing to ITGC.

ITGC tested EVERY year during audit. If audit collects sufficient evidence that programs are only changed when authorized, then when program changes are implemented the auditor retests the application controls. This is to establish new baseline for application controls.

Note: Auditor must retest application controls after a certain period of time, regardless if changes have been made. Time period? Professional judgement.

*PQ #35

Benchmarking only appropriate when:
1) Both ITGC and application controls are effective
2) ITGC remains strong year to year
3) the application programs do not change*

Good example:
2010: CPA firm does Benchmark Testing on application controls. Also tests general IT controls (test controls for general access and changes to application programs). All good.
2011 and 2012: No system updates at the company. So, audit begins with ITGC. They are effective. They chose to rely on the 2010 benchmark tests for audit evidence on the application programs.
2013: Updates to programs + been 3 years so test the application controls.

Purchased software makes source code hard to alter so benchmarking very efficient in this case.

Roll-forward period = Period between the interim test date and the fiscal year end.

ASK: the auditor must test the effectiveness of ICFR for the entire period being audited. How do you do that?

Audit planning standards describe an audit plan that relies on the effectiveness of ICFR as one that sets "control risk at less than the maximum". If auditor assumes max control risk that means controls do NOT operate effectively. That means auditor will not plan to rely on ICFR in the FS audit.

If control risk at less than max, then auditor must test function of controls. To rely on ICFR in FS audit, must test operating effectiveness of controls to determine preliminary expectation.

Auditors may choose to test controls well before "as of" date simply because less busy at that time. Then audit work done at busier time is limited to tests of the ROLL FORWARD PERIOD. Early testing gives mgmt chance to correct any deficiencies found, remediate.

*PQ #37
If deficiencies in ICFR found in interim period and management has taken steps to correct the deficiencies: auditor needs to test the controls to obtain evidence about whether the deficiencies have actually been corrected.*

Even without changes, must perform some roll forward period tests to update earlier ICFR conclusion and verify relevance at AS OF date to issue opinion on ICFR.

When auditors perform control testing at interim date, additional tests needed closer to end of fiscal period.

Auditor may not need to test controls that were in place earlier in the year if they have been changed or were replaced later during the year under audit.

If the controls in place early in the year were not effective and the auditor did not test them, more substantive evidence about the affected account balances is needed. During financial statement audit, more evidence is collected for the part of the year when the auditor cannot rely on the controls.

Illegal acts are violations of laws and government regulations. Fraud is illegal, but illegal acts refers to behavior other than fraud.

Auditors don't determine if act is illegal. They focus on impact of illegal acts on financial statements: those that have direct and material effect on financial statements.

Illegal Act with Direct Effect: Tax laws that affect the amount of accruals and expenses, and regulations that affect how much revenue can be recognized under govt contracts.

Auditors consider RISK of direct and material illegal acts when deciding on extent of controls to test.

Illegal Acts with Indirect Effect:
Contingent Liabilities may exist because of an illegal act. Ex. Securities Trading, FDA, OSHA, Environmental Protection Agency, equal employment, price fixing.

Testing of Operating Effectiveness of ICFR considers Illegal acts with Direct effect. But, if auditor becomes aware of illegal acts with indirect effect on FS, further testing done.

From Official Doc:
Entities may be affected by many other laws or regulations, including those related to securities trading, occupational safety and health, food and drug administration, environmental protection, equal employment, and price-fixing or other antitrust violations. Generally, these laws and regulations relate more to an entity's operating aspects than to its financial and accounting aspects, and their financial statement effect is indirect. An auditor ordinarily does not have sufficient basis for recognizing possible violations of such laws and regulations. Their indirect effect is normally the result of the need to disclose a contingent liability because of the allegation or determination of illegality. For example, securities may be purchased or sold based on inside information. While the direct effects of the purchase or sale may be recorded appropriately, their indirect effect, the possible contingent liability for violating securities laws, may not be appropriately disclosed.

*PQ #39
Illegal act with indirect effect:
Placing foreign substances in food in an effort to save money. This is related to FDA.
Not: Fraud, bribing local officials (direct), Failure to pay taxes (direct). *

Note that last 2 both were financial transaction related. Indirect effect answer was operations related.

Operating Effectiveness of controls over Related Party Transactions will be tested Extensively.
Related Party Transactions are transactions conducted with an entity or person meeting the definition of a related party set forth in FASB definition of related parties.

a. affiliates of an entity
b. Entities for which investment in their equity securities would be accounted for by the Equity Method by the Investing Entity
c. Trusts for the benefits of employees, such as pension and profit sharing trusts that are managed by or under trusteeship of mgmt
d. principal owners of the entity and members of immediate family
e. Management of the entity and members of immediate family
f. Other parties with which entity may deal if one party controls or can significantly influence mgmt or operating policies of the other to an extent that one of the transacting parties might be prevented from fully pursuing its own separate interests
g. Other parties that can significantly influence the mgmt or operating policies of the transacting parties or that have an ownership interest in one of the transacting parties and can significantly influence the other to an extent that one or more of the transacting parties might be prevented from fully pursuing its own separate interest.

Auditors consider the possibility that transactions may not be Arm's Length.
If a transaction is NOT arm's length, then dollar amounts recorded are not the real value of the exchange (?) ASK.

Audit addresses whether FS disclosures meet Accounting Standard requirements.


Related party transactions can include sales, leases, service agreements and loan agreements.

Which transaction is a related party transaction?
Answer: Borrowing funds from the pension fund maintained by the company (a loan).
- Transferring money to a subsidiary (this is just normal, Intercompany transfer. Subsidiary is part of the company).
- Selling inventory to a parent (this is a normal Intercompany Inventory Transaction).

Sampling is applying audit procedures to less than 100% of a population, subset.

Sampling is used on both ICFR and financial statement phases of an integrated audit.

Sampling makes audit procedures feasible.

Obtaining evidence based on a subset of information often involves sampling.

When auditor does not examine or test all of the items in the targeted population of the account balance or class of transactions, SAMPLING RISK is introduced to the audit process.

*Sampling Risk = The possibility that the sample does NOT represent the population from which it was selected.

Sampling Error = An incorrect conclusion that results because the sample does not represent the population from which it was selected. *

In ICFR tests of Operating Effectiveness, sampling risk is the risk that the RISK OF FAILURE OF CONTROLS in the sample of transactions is different from the RATE OF FAILURE for the rest of the transactions. (Could be greater or smaller; either way the auditor will make the wrong conclusion.)

Sampling Error results can be incorrect rejection or incorrect acceptance.

AU Section 350 of the AICPA Professional Standards indicates that audit risk arises from sampling and nonsampling risk. Sampling risk results from performing an audit procedure on less than one hundred percent of the population. It represents the risk that the audit sample is not representative of the population. In other words, that the auditor's evaluation of a population based on an audit sample is different from what it would be if the entire population was tested.

Sampling risk should be considered when an auditor performs an audit procedure on less than one hundred percent of a clearly definable population for the purpose of evaluating the population.

Attribute Sampling is the term often used to describe the audit process when an auditor applies sampling methods to an ICFR sampling and testing procedure.

Attribute sampling is a statistical approach used with tests of controls. The process is used to evaluate the frequency with which a characteristic or attribute occurs in the underlying population based on a sample. In the case of ICFR testing, the attribute for which auditor is looking is failure of the internal control. Does the control fail to operate effectively in the population? Control is not effective if it fails too frequently.

After the auditor identifies controls to test, defines failure of control, and determines the population from which to select the sample, he or she needs to determine SAMPLE SIZE. This involves several decisions:

1) First decision is HOW MUCH RISK the auditor is willing to accept of concluding that the internal control is operating effectively when it is not. How much risk auditor is willing to take of making an incorrect acceptance error.

2) Second decision involves determining the TOLERABLE RATE OF DEVIATION. What percentage of the time can a control fail in the sample and the auditor will still conclude that it is working effectively in the whole population?

3) Third Decision deals with the likely rate of deviation of the Population. Likely rate of deviation is also called Expected Population Deviation Rate. Percentage of time that the auditor EXPECTS the control to fail in the total population.

Using these parameters, can determine sample size.

Risk of assessing control risk too low represents the risk that the auditor concludes that the design and operation of an internal control is effective when in fact it is not. The level used for this risk is based on the auditor's desired control risk assessment. The lower the desired control risk assessment, the lower the needed risk of assessing control risk too low. This risk is inversely related to sample size.

If risk of assessing control risk too low increases (more lenient), then sample size decreases.

If risk of assessing control risk too low decreases (less lenient), then sample size increases.

Expected Population Deviation Rate represents the auditor's best estimate of the population deviation rate. This rate is normally based on prior experience with the client. This rate is directly related to sample size.

Expected Pop Deviation Rate Increases, then sample size Increases. If decreases, the sample size decreases.

Tolerable Deviation Rate represents the highest deviation rate the auditor could accept and still conclude that the design and operation of an internal control is effective. This rate is based on the tolerable misstatement relative to the number and dollar size of transactions included in the population. Tolerable misstatement represents the maximum misstatement that could occur before the population would be considered materially misstated. The lower the required tolerable misstatement relative to the number and dollar size of transactions, the lower the needed tolerable deviation rate. This rate is inversely related to sample size.

Tolerable Rate of Deviation increases (so more lenient), sample size decreases. TRD decreases (stricter), sample size increases.

Population Size increases, then Sample Size Increases. Population Size decreases, then sample size decreases.

AU 305. Not in Book, but Good.
Sample results are evaluated by comparing the computed maximum population deviation rate to the tolerable deviation rate. The computed maximum population deviation rate equals the sample deviation rate plus an allowance for sampling risk.

If the maximum population deviation rate is larger than the tolerable deviation rate the auditor will conclude that the design and operation of the internal control is not effective.

If the computed maximum population deviation rate is less than or equal to the tolerable deviation rate the auditor will conclude that the design and operation of the internal control is effective.

Used in assessing audit risk and planning audit procedures.

Overall, the definitions of the audit risk model are stated in terms of the financial statement audit. But important for ICFR.

Addressing Audit Risk while planning ICFR and Financial Statement audits helps the auditor decide on the nature and timing of audit procedures and the extent of testing.


AR = (IR x CR) x (TD x AP)

AR = Audit Risk
Uncertainty inherent in applying audit procedures. Risk of saying FS fair when not. Risk of saying ICFR effective, when not.

RMM = Risk of material financial statement misstatement. Risk that error or fraud has caused MM; ICFR did not prevent or detect it. As RMM gets larger, auditor is willing to accept less risk of missing a misstatement while performing the audit.
Why? Because AR = RMM x DR. Reduce DR to reduce AR. RMM is given/determined by auditor.

IR = Inherent Risk is based on nature of the account. Independent of Audit decisions. Vulnerability of a particular account or transaction type to error or fraud. Cash. (Transactions requiring lots of judgment or complex calculations, handling of cash, more vulnerable to misstatement than easily measured, straightforward transactions handled using bank documents.) Classifying transactions (Routine, nonroutine, estimation) helps determine IR.

CR = Control Risk. Independent of Audit Decisions. Likelihood that any problems with an account will not be prevented or detected by company's ICFR. Design/Operating effectiveness major components of Control Risk. Material Misstatement will not be prevented or detected by Internal Controls.
Related to ICFR audit.

When planning to rely on controls in the FS Audit, instead of testing ICFR operating effectiveness just at management's reporting date, the auditor tests operating effectiveness for the ENTIRE PERIOD. HOW?
This means assuming low CR, so auditor structures control tests to accept very low SAMPLING RISK for entire period.

If controls are good, they can lower RMM no matter how high IR. If ICFR not effective, CR is large.

DR = Detection Risk. Risk that auditor will not detect (detect through audit procedures) a material misstatement that exists in a management assertion. Higher the RMM, the less detection risk an auditor can accept.

TD = Tests of Details of Balances. Risk that material misstatement will be missed by test of details of balances. (In ICFR, this is like auditor not detecting that a control does not operate effectively.) 2 reasons test of details of balances will miss a misstatement: 1) nonsampling error 2) incorrect acceptance.
QC, planning, reviews reduces nonsampling risk.
When a sample is used, TD is defined as sampling risk of incorrect acceptance.

AP = the risk that a material misstatement is missed by the audit's analytical procedures.

Note: Refers to specific assertions. This means these risks are assessed to plan testing for individual accounts or classes of transactions.

Use ARM for planning if audit firm has guidelines regarding the level of audit risk it is willing to accept.

Estimate IR and CR for accounts/transactions. Calculate the DR that keeps audit risk at acceptable level.

Helps auditor understand Components of Risk while planning the audit.

Ultimate goal of considering Audit Risk in planning audit procedures is to determine acceptable level of DETECTION RISK.

1) Financial Statement audit provides conclusion about fairness of FS. The nature of a complete set of FS requires that the auditor's opinion addresses the results and activities FOR THE ENTIRE FISCAL PERIOD and the Financial Position at the Fiscal Year End.

2) The ICFR audit results in an audit opinion about effectiveness of ICFR. Both Management and Auditor form a conclusion about ICFR effectiveness only as of a PARTICULAR DATE -- the end of the Fiscal Year. In order to do this, they must decide that ICFR was functioning effectively for a REASONABLE PERIOD of time prior to that date, and perform tests of controls to support those conclusions. This process does NOT necessarily mean that ICFR was functioning effectively for the entire fiscal year. Neither ICFR nor FS aspects of integrated audit report on consistency of the quality with which ICFR functioned throughout the entire fiscal period.

If ICFR was effective throughout year, or even specified part of year, auditor can, in the financial statement audit, choose to rely on the controls for the period they were effective. Reliance on the controls means the auditor may be able to change the N, T, E of substantive testing on the FS. To rely on controls and reduce substantive audit work on the FS, auditor must test the controls for design and operating effectiveness over the entire period of reliance. This requires more tests of control than is necessary for ICFR audit. So, tradeoff. Substantive financial statement audit effort can only be reduced over the period for which controls are tested and found to be effective.

Auditor may decide to test effectiveness of ICFR only enough to issue opinion on effectiveness at the FYE and use substantive audit tests to test account balances and disclosures for the FS audit. Or choose to rely on ICFR for some parts and focus on ST of balances and disclosures for other parts.

Conclusions about ICFR operating effectiveness also confirm or refute the auditor's risk assessment used to plan substantive audit tests for the financial statement audit.

ITGC = IT General Controls deal with the IT environment and IT policies and procedures.

Application Controls: Deal with controls built into specific applications.

Auditor considers both and evaluates for design and operating effectiveness. First, evaluate design and operation of ITGC. Next, evaluate application controls.

Some control tests in IT environment use the client's computer.

Automatic Control Tests

1) Test Data Approach
Prepare sample data and then process it in application. Sample is specifically designed for the test. Auditor knows expected result.

Access authorization, Field Limit Checks (upper bounds), Range Check, Validity Check (field type), Completeness Check (all fields populated that should be).

Run to Run Control: Check that data are not dropped or added from one computer to the next.

Error Handling Procedures

2) Parallel Simulation
Reprocess previously processed data using a program that accomplishes the same step as client's original program. Compare results to original output to see if results are correct. Can be performed using CAATs (computer assisted audit SW).

3) Integrated Test Facility
Part of the client's system (testing integrated into client system) and tests the functioning of applications on a Real-Time Basis as they are processing data.

- Dummy files exist alongside Real Files.

- Test transaction input and process concurrently with real transactions.

- Results post to Dummy Files and are compared to Expected Results.

Key Benefit: Processes test data as part of REGULAR OPERATION. Files must be controlled so they don't corrupt real files.