Chapter 8: Planning and Testing Operating Effectiveness of Internal Control over Financial Reporting
Terms in this set (46)
1) Understand ICFR
1b) Evaluate DESIGN of ICFR
2) SELECT CONTROLS AND TEST the OPERATING EFFECTIVENESS of CONTROLS
3) WHY TEST? Gain AUDIT EVIDENCE regarding whether or not controls are doing what they were DESIGNED to do and whether INDIVIDUALS involved are competent and authorized to perform tasks.
If design is bad, ICFR cannot be effective.
If design effective, ICFR must operate as planned in order to be effective.
Auditor evaluates OPERATING EFFECTIVENESS of ICFR to express OPINION on ICFR and confirm that plans made to RELY on ICFR effectiveness for the Financial Statement audit are appropriate.
Selecting Controls to Test
Understanding ICFR + Testing and Evaluating Design Effectiveness of ICFR ===>
Identification of Controls that must operate as planned for ICFR to be effective.
To plan Appropriate Tests of Operating Effectiveness, auditor must consider:
- POINTS at which material misstatements from errors or fraud could occur, considering both Financial Statement misstatements and Unauthorized acquisition or use or disposition of company ASSETS.
- Nature of controls implemented by management to PREVENT OR DETECT material misstatement.
-- SIGNIFICANCE of each control (1 control achieves more than 1 control objective; or more than 1 control is needed to achieve control objective)
- RISK likely to Affect whether the controls operate effectively.
AS 5 Procedures for Gathering Evidence include ones that are applicable to Testing Controls.
Testing Control Procedures:
1) Inquiry: test personnel knowledge and activities. Not sufficient on its own to support effectiveness, but corroborates other evidence.
2) Inspection: Inspect relevant documents to test controls that require documentary evidence. Complete docs, signatures.
3) Observation: Test the way controls are performed. Observe activities to see if performed correctly. Only test performance at time of observation though.
4) Reperformance: Reperformance of application of control. Effective when documentary evidence of control exists.
5) Recalculation is a specific type of reperformance.
The auditor performs the audit procedure that tests whether the CONTROL OBJECTIVE is achieved.
CONTROL OBJECTIVE (AS5): Specific target against which to evaluate Effectiveness of Controls.
A Control Objective...relates to a relevant ASSERTION and states a criterion for evaluating whether the company's control procedures in a specific area provide REASONABLE ASSURANCE.
Ex. Disbursements only made for Authorized purchases. Criterion: No disbursements unless vendor on list, vendor invoice supported by approved purchase and receiving report.
ASSERTIONS, OBJECTIVES, EVALUATION CRITERIA.
Control Objective: Disbursement only for Authorized Purchases
Criterion For Eval: 1) Disbursement on Vendor List
2) Vendor invoice supported by approved purchase and receiving report.
Assertion: Rights, Valuation
Control Objective: All Sales Transactions using CC follow CC issuers' required procedures so that receivables are collectible from the CC issuer.
Criterion For Eval: 1) CC scanned at PS and electronic approval rec'd 2) CC inspected by cashier for signature 3) Customer signature on sales processing doc
Control Objective: Payroll disbursement only made to Current Employees for labor actually provided
Criterion for Eval: 1) payroll Master File up to date 2) Disbursements to employees on Payroll Master File 3) Disbursement for amount earned consistent with rates documented in personnel files and hours worked supported by time records, or salaries supported by contracts.
CAATs: Computer Assisted Audit Techniques
Planning the Tests
1) Define the POTENTIAL ERROR that results from failure and the appropriate EVIDENCE related to the error.
2) Identify WHEN testing should be performed.
3) Determine the EXTENT of testing needed -- how many TYPES of tests and how many ITEMS to test.
Define the ERROR and Identify Evidence Related to the Error
Direct documentary evidence does not exist for some controls.
Soft Controls (COSO): Example is Management's philosophy and operating style. This soft control has little documentary evidence.
Audit Evidence on philosophy and style might be INFERRED from documents such as company's MISSION STATEMENT and CODE of CONDUCT.
For these types of SOFT CONTROLS, appropriate tests are:
1) Inquiry of appropriate personnel
2) corroborated by OBSERVING company activities
3) Reading related documents.
Identifying Control and Control's purpose and defining what constitutes a failure => What Audit Evidence is Relevant. Once that is identified, auditor figures out what Audit Evidence is Available.
Plan The 1) Timing and 2) Extent of Testing
1) Identifies controls to be tested
2) Defines circumstances that indicate failure
3) Identifies sources of Evidence Available
4) Determine which Test Procedures (I,I,O,R or combo)
Now, Auditor decides Timing of the Test
1) When it is to be performed
2) The extent of the testing
These decisions are based on Risk related to Control. Risks associated with a control are:
1) Risk that a control might not be effective
2) Risk that if a control is not effective a material weakness would result.
PLANNING THE TESTS
TIMING OF TESTS: 1) Benchmarking
-Is a testing strategy for completely automated controls
-Relies on the assumption that automated controls are going to continue to function in a consistent manner unless something changes within the program (application) or in the surrounding environment.
- This is a strength of IT.
Benchmarking is appropriate only when both ITGC and application controls are effective.
Auditor TESTS the computer application at a baseline point in time and establishes that it functions properly.
Year 1: Test whether the program and application controls function correctly and whether ITGC are effective.
If yes, in subsequent audits the auditor can rely on the benchmark tests of application controls and limit testing to ITGC.
ITGC tested EVERY year during the audit. If the audit collects sufficient evidence that programs are only changed when ____, then when program changes are implemented the auditor retests the application controls. This establishes a new baseline for the application controls.
Note: Auditor must retest application controls after a certain period of time, regardless of whether changes have been made. Time period? Professional judgment.
Benchmarking only appropriate when:
1) Both ITGC and application controls are effective
2) ITGC remains strong year to year
3) the application programs do not change*
2010: CPA firm does Benchmark Testing on application controls. Also tests general IT controls (test controls for general access and changes to application programs). All good.
2011 and 2012: No system updates at the company. So, the audit begins with ITGC. They are effective. The auditors chose to rely on the 2010 benchmark tests for audit evidence on the application programs.
2013: Updates to programs, and it has been 3 years, so test the application controls again.
Purchased software makes source code hard to alter so benchmarking very efficient in this case.
PLANNING THE TESTS
TIMING OF TESTS: 2) DOCUMENT AVAILABILITY
Some controls can be tested at any time after their operation by inspection of documents -- either paper or electronic -- and re-performance of the control steps.
When a company's documentary evidence is retained for limited periods of time or hard copy records are changed into electronic format, the auditor considers this policy when developing the audit plan.
Some controls do not provide documentary evidence -- the SOFT CONTROLS mentioned above. These must be tested while they are actually operating.
PLANNING THE TESTS
TIMING OF TESTS: 3) UPDATING INTERIM AUDIT WORK
Roll-forward period = Period between the interim test date and the fiscal year end.
The auditor must test the effectiveness of ICFR for the entire period being audited. How do you do that?
Audit planning standards describe an audit plan that relies on the effectiveness of ICFR as one that sets "control risk at less than the maximum". If the auditor assumes maximum control risk, that means controls do NOT operate effectively, and the auditor will not plan to rely on ICFR in the FS audit.
If control risk is set at less than the maximum, then the auditor must test the functioning of the controls. To rely on ICFR in the FS audit, the auditor must test the operating effectiveness of controls to confirm the preliminary expectation.
Auditors may choose to test controls well before the "as of" date simply because they are less busy at that time. Then the audit work done at the busier time is limited to tests of the ROLL FORWARD PERIOD. Early testing also gives management a chance to correct (remediate) any deficiencies found.
If deficiencies in ICFR are found in the interim period and management has taken steps to correct them, the auditor needs to test the controls to obtain evidence about whether the deficiencies have actually been corrected.*
Even without changes, the auditor must perform some roll-forward period tests to update the earlier ICFR conclusion and verify its relevance at the AS OF date in order to issue an opinion on ICFR.
When auditors perform control testing at interim date, additional tests needed closer to end of fiscal period.
Auditor may not need to test controls that were in place earlier in the year if they have been changed or were replaced later during the year under audit.
If the controls in place early in the year were not effective and the auditor did not test them, more substantive evidence about the affected account balances is needed.
During financial statement audit, more evidence is collected for the part of the year when the auditor cannot rely on the controls.
PLANNING THE TESTS
EXTENT OF TESTS: GENERAL
Each audit must collect persuasive evidence about the effectiveness of all controls for relevant assertions for all significant accounts and disclosures every year.
The extent of testing needed to provide the auditor with evidence that a control is performing effectively depends on the NATURE of the control.
* PQ #34
Manual Controls -- those relying on company personnel -- require MORE testing than Automated controls. *8
Manual - test sample transactions every month.
Alternatively, if the Application Control is automated and ITGC are operating effectively, the auditor might need to test only a single transaction, or could rely on the benchmarking approach.
ITGC: Provides assurance regarding AUTHORIZATION for program changes and access to programs and data.
Complexity, judgments involved, and competency of person executing control affect EXTENT of testing.
Frequency with which control operates. More frequent, more testing. Combine this with IMPORTANCE (period end financial reporting -- VERY IMPORTANT) and decide on EXTENT.
Extent of Testing considers whether a control is manual or automated and the frequency with which it operates, plus the importance of the control (period-end financial reporting, for example). More important, more testing.
PLANNING THE TESTS
EXTENT OF TESTS:
Period-End Reporting Process
Will not test at the end of each month.
But at Year End, will test extensively and in-depth.
These controls provide assurance regarding many financial statement assertions. Lots of controls will be tested.
Examples of Controls in the Period-End Financial Reporting Process
Input to Financial Reporting process
[Controls over posting to GL, Chart of Accounts. Segregation of Duties, unauthorized postings, acctg policies consistent with GAAP and/or IFRS, estimation methods]
Authorization to input journal entries
Recording Journal Entries
[reject entries that do not balance]
Input of Nonrecurring journal entries [sufficient level of authorization]
[All depts submit closing entries for mgmt review.]
Drafting Financial Statements
[import balances from GL into software that produces the financial statements. Check, compare, etc.]
Disclosure in Financial Statements
[reviewed and approved by non-financial and financial personnel]
Final Management Changes [approved by CFO]
Fraud assessment begins with Client Acceptance and Continuance process and continues as auditor gains an UNDERSTANDING of the system and assesses design of ICFR.
Results of test controls, including anti-fraud controls, may cause auditor to perform additional tests or modify the plan for the financial statement audit.
When planning extent of tests of ICFR operating effectiveness, auditor includes specific tests of anti-fraud controls.
Auditors discuss their understanding of fraud risk with the Audit Committee.
More risk, more tests. Risk too high -- auditor not confident about producing an audit opinion.
EXAMPLES OF CONTROL TEST RESULTS THAT MAY AFFECT AUDITOR ASSESSMENT OF FRAUD RISK
Transactions not recorded in a complete or timely manner
Transactions improperly recorded
Unsupported/unauthorized balances or transactions
Last-minute adjustment with significant effect
Evidence of employee access to system inconsistent with that necessary to perform authorized duties
Tips about alleged fraud
Inconsistent or implausible explanations from mgmt
Unusual discrepancies among audit evidence
Lack of evidence for program changes, etc., that is required under ITGC
Missing electronic evidence
Missing inventory or physical assets of significance
Illegal acts are violations of laws and government regulations. Fraud is illegal, but the term "illegal acts" refers to behavior other than fraud.
Auditors don't determine whether an act is illegal.
They focus on the impact of illegal acts on the financial statements -- those that have a direct and material effect on the financial statements.
Illegal Act with Direct Effect: Tax laws affecting the amount of accruals and expenses, and regulations that affect how much revenue can be recognized under government contracts.
Auditors consider RISK of direct and material illegal acts when deciding on extent of controls to test.
Illegal Acts with Indirect Effect:
Contingent Liabilities may exist because of an illegal act. Ex. Securities Trading, FDA, OSHA, Environmental Protection Agency, equal employment, price fixing.
Testing of Operating Effectiveness of ICFR considers illegal acts with a Direct effect. But if the auditor becomes aware of illegal acts with an indirect effect on the FS, further testing is done.
From Official Doc:
Entities may be affected by many other laws or regulations, including those related to securities trading, occupational safety and health, food and drug administration, environmental protection, equal employment, and price-fixing or other antitrust violations.
Generally, these laws and regulations relate more to an entity's operating aspects than to its financial and accounting aspects, and their financial statement effect is indirect. An auditor ordinarily does not have sufficient basis for recognizing possible violations of such laws and regulations.
Their indirect effect is normally the result of the need to disclose a contingent liability because of the allegation or determination of illegality. For example, securities may be purchased or sold based on inside information. While the direct effects of the purchase or sale may be recorded appropriately, their indirect effect, the possible contingent liability for violating securities laws, may not be appropriately disclosed.
Illegal act with indirect effect:
Placing foreign substances in food in an effort to save money. This is related to FDA.
Not: Fraud, bribing local officials (direct), Failure to pay taxes (direct). *
Note that the last 2 were both financial-transaction related; the indirect-effect answer was operations related.
Examples of Control Testing Evidence that may affect the auditor's Assessment of the likelihood of Illegal Acts
Illegal Acts with Direct Effect
Notice all Financial, not Operations
Unauthorized transactions, or transactions not recorded in a complete or timely manner so as to maintain accountability for assets
Investigation by govt agency, payment of fines
Violations of laws or regs cited in reports by reg agencies
Large payments for unspecified services
Excessively large sales commissions
Unusually large payments in CASH, transfers to bank accounts
Unexplained payments to government or employees (could be bribery)
Failure to file tax returns or govt duties
Related Party Transactions
ASK ABOUT A, B, C, F, G. What is this saying?
Operating Effectiveness of controls over Related Party Transactions will be tested Extensively.
Related Party Transactions are transactions conducted with an entity or person meeting the definition of a related party set forth in FASB definition of related parties.
FASB RELATED PARTIES INCLUDE:
a. affiliates of an entity
b. Entities for which investment in their equity securities would be required....to be accounted for by the Equity Method by the Investing Entity
c. Trusts for the benefit of employees, such as pension and profit-sharing trusts that are managed by or under trusteeship of mgmt
d. principal owners of the entity and members of immediate family
e. Management of the entity and members of immediate family
f. Other parties with which the entity may deal if one party controls or can significantly influence the mgmt or operating policies of the other to an extent that one of the transacting parties might be prevented from fully pursuing its own separate interests
g. Other parties that can significantly influence the mgmt or operating policies of the transacting parties or that have an ownership interest in one of the transacting parties and can significantly influence the other to an extent that one or more of the transacting parties might be prevented from fully pursuing its own separate interest.
Auditors consider the possibility that transactions may not be arm's length.
If a transaction is NOT arm's length, then the dollar amounts recorded are not the real value of the exchange (?)
Audit addresses whether FS disclosures meet Accounting Standard requirements.
*PQ #40: IMPORTANT
Related party transactions can include sales, leases, service agreements and loan agreements.
Which transaction is a related party transaction?
Answer: Borrowing funds from the pension fund maintained by the company (a loan).
- Transferring money to a subsidiary (this is just a normal intercompany transfer; the subsidiary is part of the company).
- Selling inventory to a parent (this is a normal intercompany inventory transaction).
Sampling is applying audit procedures to less than 100% of a population, subset.
Sampling is used on both ICFR and financial statement phases of an integrated audit.
Sampling makes audit procedures feasible.
Obtaining evidence based on a subset of information often involves sampling.
When auditor does not examine or test all of the items in the targeted population of the account balance or class of transactions, SAMPLING RISK is introduced to the audit process.
*Sampling Risk == The possibility that the sample does NOT represent the population from which it was selected.
Sampling Error = An incorrect conclusion that results because the sample does not represent the population from which it was selected. *
In ICFR tests of Operating Effectiveness, sampling risk is the risk that the RATE OF FAILURE OF CONTROLS in the sample of transactions is different from the RATE OF FAILURE for the rest of the transactions. (It could be greater or smaller; either way the auditor reaches the wrong conclusion.)
Sampling Error results can be incorrect rejection or incorrect acceptance.
AU Section 350 of the AICPA Professional Standards indicates that audit risk arises from sampling and nonsampling risk. Sampling risk results from performing an audit procedure on less than one hundred percent of the population. It represents the risk that the audit sample is not representative of the population. In other words, that the auditor's evaluation of a population based on an audit sample is different from what it would be if the entire population was tested.
Sampling risk should be considered when an auditor performs an audit procedure on less than one hundred percent of a clearly definable population for the purpose of evaluating the population
Sampling Risk for Test of Controls
risk of "assessing control risk too low"
represents the risk that an audit sample supports the conclusion that the design and operation of an internal control is effective when in fact it is not.
MEANS: auditor too easygoing; standards too low; said the control was OK when it was not.
risk of "assessing control risk too high"
represents the risk that an audit sample supports the conclusion that the design and operation of an internal control is not effective when in fact it is effective.
MEANS: auditor too strict; standards too high; said the control was not effective when it was.
Impact of Sampling Error on Audit Decisions
Auditor's Conclusion: Effective | Actual: Effective | Meaning: Correct Audit Decision
Auditor's Conclusion: Effective | Actual: Not Effective | Meaning: Incorrect Audit Decision, Incorrect Acceptance. Effectiveness Problem.
Auditor's Conclusion: Not Effective | Actual: Effective | Meaning: Incorrect Audit Decision, Incorrect Rejection. Efficiency Problem.
Auditor's Conclusion: Not Effective | Actual: Not Effective | Meaning: Correct Audit Decision
The risk of assessing control risk too low and the risk of incorrect acceptance are concerned with the ____ of audit tests, while the risk of assessing control risk too high and the risk of incorrect acceptance are concerned with the ____ of audit tests.
Sampling Risk for Substantive Tests
risk of incorrect acceptance
represents the risk that an audit sample supports the conclusion that a material misstatement does not exist when in fact a material misstatement does exist. This risk is similar to the risk of assessing control risk too low. (auditor too lenient)
risk of incorrect rejection
represents the risk that an audit sample supports the conclusion that a material misstatement exists when in fact a material misstatement does not exist. This risk is similar to the risk of assessing control risk too high. (auditor too conservative)
Sampling Risk for Control Tests and Substantive Tests
Summary of last 2 slides
Assessing Control Risk Too Low | Applies to Samples for: Test of Controls | What it means: Sample indicates control operates effectively when it does not.
Assessing Control Risk Too High | Applies to Samples for: Test of Controls | What it means: Sample indicates control does not operate effectively when it does.
Incorrect Acceptance | Applies to Samples for: Substantive Test | What it means: Sample indicates balance is not materially misstated when it is.
Incorrect Rejection | Applies to Samples for: Substantive Test | What it means: Sample indicates balance is materially misstated when it is not.
Sampling risk can be considered using a non-statistical or statistical approach. Both approaches require
The main difference between the two approaches is that statistical approaches allow auditors to quantify sampling risk.
SAMPLING: Planning the Sample
Auditor identifies the important characteristic to be tested.
Identify physical population from which a sample will be selected, which is sometimes called the sampling frame. (items in a computer file, file of paper documents)
Divide the population into subgroups (stratify); different tests could be applied to each subgroup.
Dual-purpose testing: information gathered in one audit step is helpful for the financial statement audit, so the controls and substantive testing processes are combined.
Knowing Important Characteristics and the Nature of the Population very important for designing an Effective Sample.
Approaches to Sampling
Statistical and Nonstatistical
Statistical = Uses the laws of probability. Items are randomly selected based on document numbers produced by a random number generator computer program.
AU 350 AICPA
Random Sampling = involves selecting items from the population so that each item has an equal chance of being selected. Random selection requires the use of random number tables or computer programs to guarantee that each population item has an equal chance of selection.
Systematic Sampling = involves selecting every kth item from the population after a random start.
The first two sample selection methods are referred to as probability (statistical) sample selection methods since every population item has a known probability of selection.
Nonstatistical sampling does not use the laws of probability and is now called haphazard sampling because there is no plan or justification for the items selected.
AU 350 AICPA
Haphazard Sampling involves selecting items from the population without consideration of known characteristics of the items in the population (i.e., without any conscious bias in the selection of population items).
It is a non-probability (non-statistical) sample selection method.
This distinction is important because sample results from probability selection methods can be assessed using statistical theory whereas sample results from non-probability samples cannot.
Nevertheless, both probability and non-probability selection methods are considered acceptable and are used in practice.
Non Sampling Risk
Sampling Risk = Risk that sample is not representative of the population.
All tests have Nonsampling Risk (applies to all tests whether a sample or 100%): Human Error:
1) Risk that auditor will use an audit procedure that is not appropriate for what the test is intended to accomplish
2) The risk that the auditor may fail to detect a problem when applying the audit procedure
3) The risk that the auditor may misinterpret an audit result.
Quality Control procedures such as training, proper supervision, and review all reduce and control nonsampling risk.
From Article AU Section 350:
Nonsampling risk results from human error. It represents the risk that the selected audit procedure is ____ for the intended purpose or the evidence from an audit procedure is ____. Nonsampling risk exists regardless of the number of items selected from a population for testing.
Sampling and ICFR Testing
Attribute Sampling is the term often used to describe the audit process when an auditor applies sampling methods to an ICFR sampling and testing procedure.
Attribute sampling is a statistical approach used with tests of controls. The process is used to evaluate the frequency with which a characteristic or attribute occurs in the underlying population, based on a sample. In the case of ICFR testing, the attribute the auditor is looking for is failure of the internal control. Does the control fail to operate effectively in the population? The control is not effective if it fails too frequently.
Once the auditor identifies the controls to test, defines failure of the control, and determines the population from which to select the sample, he or she needs to determine SAMPLE SIZE. This involves several decisions:
1) First decision is HOW MUCH RISK the auditor is willing to accept of concluding that the internal control is operating effectively when it is not. How much risk auditor is willing to take of making an incorrect acceptance error.
2) Second decision involves determining the TOLERABLE RATE OF DEVIATION. What percentage of the time can a control fail in the sample and the auditor will still conclude that it is working effectively in the whole population?
3) Third Decision deals with the likely rate of deviation of the Population. Likely rate of deviation is also called Expected Population Deviation Rate. Percentage of time that the auditor EXPECTS the control to fail in the total population.
Using these parameters, can determine sample size.
Factors Affecting Sample Size for Attribute Sampling
AU 305 AICPA
Risk of assessing control risk too low
represents the risk that the auditor concludes that the design and operation of an internal control is effective when in fact it is not. The level used for this risk is based on the auditor's desired control risk assessment. The lower the desired control risk assessment, the lower the needed risk of assessing control risk too low. This risk is inversely related to sample size.
If risk of assessing control risk too low increases (more lenient), then sample size decreases.
If risk of assessing control risk too low decreases (less lenient), then sample size increases.
Expected Population Deviation Rate represents the auditor's best estimate of the population deviation rate. This rate is normally based on prior experience with the client. This rate is directly related to sample size.
Expected Pop Deviation Rate Increases, then sample size Increases. If decreases, the sample size decreases.
Tolerable Deviation Rate represents the highest deviation rate the auditor could accept and still conclude that the design and operation of an internal control is effective. This rate is based on the tolerable misstatement relative to the number and dollar size of transactions included in the population. Tolerable misstatement represents the maximum misstatement that could occur before the population would be considered materially misstated. The lower the required tolerable misstatement relative to the number and dollar size of transactions, the lower the needed tolerable deviation rate. This rate is inversely related to sample size.
Tolerable Rate of Deviation increases (so more lenient), sample size decreases. TRD decreases (stricter), sample size increases.
Population Size increases, then Sample Size Increases. Population Size decreases, then sample size decreases.
AU 305. Not in Book, but Good.
Sample results are evaluated by comparing the computed maximum population deviation rate to the tolerable deviation rate.
The computed maximum population deviation rate equals the sample deviation rate plus an allowance for sampling risk.
If the maximum population deviation rate is larger than the tolerable deviation rate the auditor will conclude that the design and operation of the internal control is not effective.
If the computed maximum population deviation rate is less than or equal to the tolerable deviation rate the auditor will conclude that the design and operation of the internal control is effective.
Factors Affecting Sample Size
Inverse Relationship between amount of risk of assessing control risk too low/tolerable rate of deviation and sample size needed:
Direct Relationship between Likely rate of deviation in population/Population Size and Sample Size needed
If the auditor is willing to accept a LARGER risk of making an incorrect acceptance error, the sample size needed becomes SMALLER.
If the auditor is willing to accept a LARGER tolerable rate of deviation, the sample size needed is SMALLER. More audit evidence (a larger sample) is needed to support the assertion that a control rarely fails than to support the assertion that it fails no more often than some fairly frequent rate.
If expected rate of deviation in the population is larger -- there is an expectation that the control may not work effectively -- the auditor needs more evidence and therefore a larger sample size to support conclusion that control functions effectively.
Increases in the size of the population normally increase the sample size.
Can select sample statistically or not.
Regardless, auditor basically uses the deviation rate in the sample as an estimate of the deviation rate in population and allows for the likelihood that the sample does not exactly mirror the population's characteristics.
The auditor concludes that the control is functioning effectively in the population if the sample's failure rate is no higher than the tolerable rate.
Audit Risk Model
Audit Risk = The Risk that the auditor may UNKNOWINGLY fail to appropriately modify the opinions on ICFR and the financial statement.
Saying all is effective and fair, when it is not.
Engagement Risk: Term used for the overall risk to the auditor of being associated with a client. Includes the possibility of financial loss or damage to the audit firm's reputation from the client. This is addressed during Client Acceptance and Continuance Procedures.
Risk of associating with a client known to have a dubious reputation is Engagement Risk.
Not: Audit Risk or Detection Risk
Audit Risk Model (the equation in the next slide) does not include the risk of incorrect rejection. Incorrect rejection results in INEFFICIENCY (auditor concludes ineffective, does more audit work, and finds the conclusion was wrong). It also does not include engagement risk.
Audit Risk Model
Applies to Financial Statement Audit
ASK -- Deals with same question about how do you test operating effectiveness for the ENTIRE PERIOD?
Used in assessing audit risk and planning audit procedures.
Overall, the definitions in the audit risk model are stated in terms of the financial statement audit, but they are also impt for ICFR.
Addressing Audit Risk while planning ICFR and Financial Statement audits helps the auditor decide on the nature and timing of audit procedures and the extent of testing.
AR = RMM x DR
AR = (IR x CR) x (TD x AP)
AR = Audit Risk
Uncertainty inherent in applying audit procedures. Risk of saying FS fair when not. Risk of saying ICFR effective, when not.
RMM = Risk of material financial statement misstatement. Risk that error or fraud has caused MM and ICFR did not prevent or detect it. As RMM gets larger, auditor is willing to accept less risk of missing a misstatement while performing the audit.
Why? Because AR = RMM x DR. Reduce DR to reduce AR. RMM is given/determined by auditor.
IR = Inherent Risk is based on nature of the account. Independent of audit decisions. Vulnerability of a particular account or transaction type to error or fraud (e.g. cash: transactions requiring lots of judgment or complex calculations, and handling of cash, are more vulnerable to misstatement than easily measured, straightforward transactions handled using bank documents). Classifying transactions (routine, nonroutine, estimation) helps determine IR.
CR = Control Risk. Independent of audit decisions. Likelihood that any problems with an account will not be prevented or detected by company's ICFR. Design/operating effectiveness are major components of Control Risk. Material Misstatement will not be prevented or detected by Internal Controls.
Related to ICFR audit.
When planning to rely on controls in the FS Audit, instead of testing ICFR operating effectiveness just at management's reporting date, the auditor tests operating effectiveness for the ENTIRE PERIOD. HOW?
This means assuming low CR, so auditor structures control tests to accept very low SAMPLING RISK for entire period
If controls are good, they can lower RMM no matter how high IR. If ICFR not effective, CR is large.
DR = Detection Risk. Risk that auditor will not detect (detect through audit procedures) a material misstatement that exists in a management assertion. Higher the RMM, the less detection risk an auditor can accept.
TD = Tests of Details of Balances. Risk that material misstatement will be missed by test of details of balances (in ICFR this is like the auditor not detecting that a control does not operate effectively). 2 reasons tests of details of balances will miss a misstatement: 1) nonsampling error 2) incorrect acceptance.
QC, planning, and reviews reduce nonsampling risk.
When a sample is used, TD is defined as sampling risk of incorrect acceptance.
AP = the risk that a material misstatement is missed by the audit's analytical procedures.
Note: Refers to specific assertions. This means these risks are assessed to plan testing for individual accounts or classes of transactions.
Use ARM for planning if audit firm has guidelines regarding the level of audit risk it is willing to accept.
Estimate IR and CR for accounts/transactions. Calculate the DR that keeps audit risk at an acceptable level.
Helps auditor understand Components of Risk while planning the audit.
Ultimate goal of considering Audit Risk in planning audit procedures is to determine acceptable level of DETECTION RISK.
Very important. Covered in PCAOB AS 3. Audit work papers provide support for audit report. Use papers to conduct and supervise audit.
All audit work performed using tests of controls is documented in the audit work papers.
PCAOB AS 3
Audit Documentation for Samples
Identification of Items Inspected by indicating source and specific selection criteria:
1) if audit sample selected from population of documents, documentation should include identifying characteristics (check #s)
2) All items over specific $ amount selected from population of documents, audit docs should describe scope and identification of the population (all checks > $10K from October disbursements journal)
3) Systematic sample selected from population of documentation, provide identification of source of docs and indication of starting point and sampling interval (Invoices from 10/1 to 12/1, starting with invoice 412 and selecting every 40th invoice).
Permanent Files and Current Files
Audit Work Papers classified into 2 categories: Permanent Files and Current Files.
Include information that is relevant to the company and its audit for
- chart of accounts,
- Docs on Stocks and Bonds
These files are reviewed and updated during each year's annual audit.
Which are kept in permanent files?
Current Org Chart
Not: Current Year Financial Statements
Not: Audit Plan
Include all information and audit evidence relating to the current integrated audit environment.
-Copy of any of management's documentation of company's system and ICFR
-Working papers supporting procedures and conclusions of audit of ICFR.
-Working Trial balance with adjusting and reclassifying entries.
-Work papers supporting procedures and conclusions of FS audit.
Work papers also include info from important meetings with BOD, AC, etc.
Work papers document tests performed, results, and evaluation of results.
FS and Audit Report added to Working Papers at the end.
Work Papers: Indexing, Cross Referencing and Tick Marks
Audit Software assists with construction of work papers.
Cross Reference: Related papers are cross referenced.
Drill down from general to detailed.
Tick Marks = Symbols used by auditor to indicate what was done. Legend is provided defining each symbol.
See example on p 394
Evaluating the Results
The testing and evaluation process for tests of ICFR operating effectiveness can be summarized as follows:
1) Conduct control test procedures (IIOR = inquiry, inspection, observation, reperformance) that compare actual operations of ICFR to control objectives and evaluation criteria.
2) Identify control errors or deviations from control procedures.
3) Determine whether the deviation rate of each control is high enough to be a CONTROL DEFICIENCY
4) Consider both qualitative and quantitative factors related to the deficiency
5) Determine whether any deficiencies identified, either individually or in combination, meet the threshold of a SIGNIFICANT DEFICIENCY or MATERIAL WEAKNESS
Audit tests may show an unexpected frequency of errors or control deviations because there actually is a significant problem or because of a sampling error. To rule out sampling error, do more testing.
If still problems, audit conclusion is that an ICFR deficiency in operating effectiveness exists.
ICFR Deficiency and Operating Deficiency
ICFR deficiency can result from the way a control is designed or from how it operates.
Deficiency in ICFR exists when design OR operation of control does not allow mgmt and personnel to prevent or detect material misstatements on a timely basis.
Operating deficiency results from a well-designed control that does not function/operate effectively.
Operating Deficiency exists when control is effectively designed but either the control does not operate as intended or the person carrying out the control procedure lacks the needed authority or competence.
AS5 Definitions of Significant Deficiency, Material Weakness
When deficiency exists, auditor must determine severity -- is it a significant deficiency or a material weakness? Refer to AS5.
Significant Deficiency - a deficiency, or combination of deficiencies, in ICFR that is less severe than material weakness, yet impt enough to merit attention by those responsible for oversight of company's financial statements.
Material Weakness - a deficiency, or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.
If a deficiency would "prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded in accordance with GAAP", the auditor should treat the deficiency as an indicator of MATERIAL WEAKNESS.
Fraud perpetrated by mgmt, no matter how small the dollar amount, indicates a MATERIAL WEAKNESS.
Issue is not just whether a misstatement has already occurred but also whether it could have occurred: AS 5 "reasonable possibility...fail to prevent or detect..."
Deficiencies include problems that have not yet caused, but could cause, misstatements.
Requires significant professional judgment to determine severity.
Evaluating the impact of the deficiency requires a judgment about whether the deficiency surpasses the threshold of a significant deficiency or material weakness.
Even if individual control deficiency is serious on a stand alone basis, it may not be when other controls and processes are also considered.
A compensating control may exist for an ICFR deficiency and therefore the deficiency may not create a MATERIAL MISSTATEMENT if the compensating control is EFFECTIVE.
In evaluating deficiencies, auditor uses professional skepticism.
Use this when concluding impact of control exceptions.
-Makes critical assessments of audit evidence
-If a procedure was not associated with a control deficiency in the past, this should not affect the auditor's assessment of current evidence.
- Auditor cannot rely on positive past experience of mgmt integrity to downplay possibility of fraud if current evidence raises concerns.
- Must not be satisfied with less-than-persuasive evidence because of a belief that mgmt is honest (AS 2)
AS 2 examples of deficiencies to consider carefully
1. Control deficiencies over selection and application of accounting policies that are in conformity with GAAP
2. Deficiencies in anti-fraud programs
3. Control deficiencies over non-routine and nonsystematic transactions, period end financial reporting
4. Ineffective internal audit, regulatory compliance, control environment
AS 5 Indicators of Material Weakness
1) Identification of FRAUD, whether or not material on part of sr mgmt
2) Restatement of previously issued financial statements to reflect the correction of a MISSTATEMENT
3) Identification by auditor of a material misstatement of the Financial Statements in the CURRENT Period in circumstances that indicate that the misstatement would not have been detected by the company's ICFR.
4) Ineffective oversight of the company's financial reporting and ICFR by the company's audit committee
Big Picture Topics and OPERATING EFFECTIVENESS
Entity Level Controls
When auditing operating effectiveness, testing entity level and pervasive controls may or may not be sufficient to make a conclusion about operating effectiveness.
Testing entity level controls provides sufficient evidence for the auditor to conclude ICFR is effective only when the ELC falls into the category of greatest precision.
Under what circumstances can an auditor rely EXCLUSIVELY on Entity Level Controls for its test of ICFR?
If controls achieve the greatest Precision.
AS 5: "Some entity level controls may be designed to operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions. If ELC sufficiently addresses the assessed risk of misstatement, the auditor need not test additional controls relating to that risk." EX. business with multiple locations where ELC over data processing are uniform and strong over all locations. Evidence on operating effectiveness of entity level data processing controls may be sufficient, so no need to test at multiple locations.
Softer internal control components mentioned by the COSO IC Framework, such as management's philosophy and operating style, require a different kind of testing than controls that produce documents as evidence. Talking to people, observe behavior.
Inquiry and Observation, infer from documents, consider competency of persons performing controls, authority and qualifications.
Pervasive Control -- one that affects many of the other more specific transaction-oriented application controls.
ITGC are pervasive controls. Controls at the individual program or application level are less likely to function adequately if ITGC are not effective.
Preventative and Detective Controls
Preventative Controls: Keep a problem from occurring
Detective Controls: Find problems after the fact. Intended to permit the company to identify on a timely basis and in the normal course of business any problems that occur.
Better to prevent.
Don't test ALL controls that make up ICFR. Test operating effectiveness of those controls that are important to CONTROL OBJECTIVES. Those being important to the RELEVANT ASSERTIONS OF SIGNIFICANT ACCOUNTS.
Materiality: When planning, performing, and evaluating operating effectiveness of ICFR, auditor considers the materiality for both the individual accounts and financial statements taken as a whole. Looks at tests both individually and in aggregate to determine if ICFR is operating sufficiently and effectively to keep financial statements from being misstated.
Impact of Outsourcing
When planning the tests of operation of controls, the auditor considers processes that are performed for the client by service organizations or 3rd party providers.
The following are considered Service organizations:
- arrangements between co and its pension trustee
- arrangements between contracted workers and company
- arrangement between landscapers and company
Examples of Service Organizations
- Bank trust departments that invest and service assets for employee benefit plans and for others
- Organizations that service mortgages for others
- Application service providers that provide packaged software applications and a technology environment that enables customers to process financial and operational transactions.
Service orgs are efficient and cost effective.
Service orgs are of concern when the service org is judged to be part of the client company's information system.
Service orgs can't have hundreds of auditors showing up. Get a specific audit resulting in a report that can be used as evidence by auditors of user company. Type II report addresses functioning of controls by testing them, like evidence regarding effective operations of ICFR at service org.
ICFR Effectiveness and the Financial Statement Audit
How do I know during what period they were effective?
1) Financial Statement audit provides conclusion about fairness of FS. The nature of a complete set of FS requires that the auditor's opinion addresses the results and activities FOR THE ENTIRE FISCAL PERIOD and the Financial Position at the Fiscal Year End.
2) The ICFR audit results in an audit opinion about effectiveness of ICFR. Both Management and Auditor form a conclusion about ICFR effectiveness only as of a PARTICULAR DATE -- the end of the Fiscal Year. In order to do this, they must decide that ICFR was functioning effectively for a REASONABLE PERIOD of time prior to that date, and perform tests of controls to support those conclusions. This process does NOT necessarily mean that ICFR was functioning effectively for the entire fiscal year. Neither the ICFR nor the FS aspects of the integrated audit report on the consistency of the quality with which ICFR functioned throughout the entire fiscal period.
If ICFR was effective throughout the year, or even a specified part of the year, the auditor can, in the financial statement audit, choose to rely on the controls for the period they were effective. Reliance on the controls means the auditor may be able to change the N,T,E of substantive testing on the FS. To rely on controls and reduce substantive audit work on the FS, the auditor must test the controls for design and operating effectiveness over the entire period of reliance. This requires more tests of controls than is necessary for the ICFR audit. So, tradeoff. Substantive financial statement audit effort can only be reduced over the period for which controls are tested and found to be effective.
Auditor may decide to test effectiveness of ICFR only enough to issue an opinion on effectiveness at the FYE and use substantive audit tests to test account balances and disclosures for the FS audit. Or choose to rely on ICFR for some parts and focus on ST of balances and disclosures for other parts.
Conclusions about ICFR operating effectiveness also confirm or refute the auditor's risk assessment used to plan substantive audit tests for the financial statement audit.
ITGC = IT General Controls deal with the IT environment and IT policies and procedures.
Application Controls: Deal with controls built into specific applications.
Auditor considers both and evaluates for design and operating effectiveness. 1st evaluate design and operation of ITGC. Next, evaluate application controls.
Some control tests in IT environment use the client's computer.
Automatic Control Tests
Test Data Approach
Prepare sample data and then process it in application. Sample is specifically designed for the test. Auditor knows expected result.
Access authorization, Field Limit Checks (upper bounds), Range Check, Validity Check (field type), Completeness Check (all fields populated that should be).
Run to Run Control: Check that data are not dropped or added from one computer to the next.
Error Handling Procedures
Reprocess previously processed data using a program that accomplishes the same step as the client's original program. Compare results to the original output to see if results are correct. Can be performed using CAATs (computer assisted audit SW).
Integrated Test Facility
Part of the client's system (testing integrated into client system) and tests the functioning of applications on a Real-Time Basis as they are processing data.
- Dummy files exist alongside Real Files.
- Test transaction input and process concurrently with real transactions.
- Results post to Dummy Files and are compared to Expected Results.
Key Benefit: Processed Test data as part of REGULAR OPERATION. Files must be controlled so don't corrupt real files.
Computer Assisted Audit Software to Facilitate Testing
Audit software can manipulate data to see trends, analyze relationships among accounts, perform ratio analyses. Avgs, Standard Deviations, linear Regression.
These are ANALYTICAL PROCEDURES.
- Required by audit standards as part of planning process and used throughout audit. Use Analytical Procedures to plan where they should spend their audit effort, identify unexpected FS results, assess reasonableness of FS numbers. And in wrap up stage of audit.
Point: Audit software can perform processes for specific audit steps.
Audit Software can be used to perform:
- Part of audit software that performs specialized tasks like audit planning, analyzing materiality, and performing risk analysis. Designed to mimic the processing steps of an expert making judgments about the planning needed, materiality, risk and so on.
- Example of a specialized task is programmed analysis for fraud detection using Benford's Law. This law states that individual digits in a group of random digits will occur with predictable frequency. Software that applies Benford's Law analyzes numeric data and identifies patterns of numbers that occur with a frequency inconsistent with Benford's Law. The outcome gives the auditor info regarding transactions that need further investigation.