Audit Final: Chapter 6
Initially based off the in-class outline, I will go back and add other terms if necessary.
Terms in this set (40)
COSO
Committee On Sponsoring Organization
COSO: Mission
Develop guidance on internal controls.
4 Objectives of IC
Reliability of financial reporting; effectiveness/efficiency of operations; compliance with laws/regs; safeguarding assets
5 Elements of I/C per the COSO Framework (COSO Cube)
Control environment, control activities, risk assessment process, monitoring controls, and info/communications
COSO: Responsibility
No matter how good the controls you will probably have to do both controls and substantive testing
Relationship between I/C testing and substantive testing
the more effective the I/C, or the more comfortable the auditors are with them, the less they have to substantively test.
When would the auditors increase substantive testing?
Uncomfortable with controls (ineffective?), or regardless, for new clients or riskier areas
COSO I/C Components: Control Environment
What is the environment like? Communication and enforcement of integrity and ethical values? What is the organizational structure? HR's policies and practices? How often does the Audit Committee meet with internal auditors?
COSO I/C Components: Entity's Risk Assessment Process
How does management deal with common risks such as: change in industry, change in economy, global issues (affecting supply chains), etc.
COSO I/C Components: Control Activities
Involves performance reviews, physical controls, segregation of duties (client employees), and information processing controls
COSO I/C Components: Control Activities: Performance Reviews
Not an individual, but overlooking business as a whole.
COSO I/C Components: Physical Controls
Security of the facility, programs, etc.
COSO I/C Components: Segregation of Duties
The client's employees' duties should be segregated to avoid abuse of power.
COSO I/C Components: Information Processing Controls: General
Controls covering an area, like controls over making software changes. (IT department)
COSO I/C Components: Information Processing Controls: Application
More specific controls are examined, relevant to the particular IT item, such as payroll: are the inputs and outputs correct?
COSO I/C Components: Information and Communications
The more complex the systems here, the more you'll need IT's help to discuss the results.
COSO I/C Components: Monitoring Controls
What management does to make sure controls are working correctly. Testing cash is getting reconciled, etc.
Other I/C Issues: Effect of size
Can use the controls/reliance approach on small clients, but it is a lot harder because there is less segregation of duties. But those smaller companies also typically have more oversight. Smaller companies also usually have a lot less documentation, making the controls approach harder.
Other I/C Issues: Normal Limitations of I/C:
Human Error, management override, and collusion.
Other I/C Issues: Documenting Understanding of I/C
Procedure manuals, flow charts, narratives, I/C questionnaires, and memos.
Assessing Control Risk: Steps
1: ID controls we plan to rely on, and test those controls (key controls). 2: Determine control risk based on tests of controls. 3: Conclude regarding "achieved level of risk." 4: If test results don't allow you to conclude controls are operating as expected, what do you do?
Assessing Control Risk: Step 1
ID controls we plan to rely on, and test those controls (key controls).
Assessing Control Risk: Step 2
Determine control risk based on tests of controls. Has the risk changed? Is the risk low, medium, or high?
Assessing Control Risk: Step 3
Conclude regarding "achieved level of risk." If it was high risk and you expected it to be, did it have good controls?
Assessing Control Risk: Step 4
If test results don't allow you to conclude controls are operating as expected, what do you do? If you don't have comfort, change audit approach because controls are less reliable. Basically, more substantive testing.
Substantive Procedures:
Testing about existence, occurrence, completeness, accuracy, cut-off, etc.
Substantive Procedures: Circumstances where we might want to use this rather than reliance approach
Controls do not pertain, controls likely ineffective (based on knowledge of client), testing controls would be inefficient
Why use Substantive Procedures: SOX exception
For SOX, the reason "testing controls would be inefficient" is not a reasonable excuse to skip testing controls.
Timing of Procedures: Advantages of doing work early
Get small stuff out of the way... so no surprises in big areas, and can fix problems so that they're good for the "as of year end" qualification of I/C testing
Timing of Procedures: Items to Consider
The higher the materiality, the later in the year you MUST test it (the closer to "as of year end"), but it should also be done earlier (see advantages card).
Timing of Procedures: Greater Risk, Later Testing...However...
Again, they should also be tested throughout the year to ensure there are no surprises. If an item is a QUARTERLY control, you better catch it by mid-year so that you can have 2 tests under your belt.
Timing of Procedures: Update/Roll Forwards
Whatever you have tested earlier, you will have to do "something" to get it at year end date too (whether that's testing it again or something else).
Service Bureaus: What are they and why do auditors care?
Client outsourcing stuff. We care because it's still work we need to test and it may be sneakier / easier to hide things.
Service Bureaus: Type 1 Tests
The Service Bureau auditor describes the controls
Service Bureaus: Type 2 Tests
The Service Bureau auditor describes AND tests the controls
Service Bureaus: Our Responsibility
Examine the SB Auditor's work, does it look legit?
Communication of I/C Issues to client (non-public company)
Table 6-7, we report differently depending on the level of the control deficiency.
Non-Public Client: Reporting Control Deficiency: Material Weakness
Deficiency/combo of them in IC such that there is a reasonable possibility that a material misstatement can occur without correction. Put it in writing and show management (board).
Non-Public Client: Reporting Control Deficiency: Significant Deficiency
A less severe version of material weakness. Still put it in writing and tell management.
Non-Public Client: Reporting Control Deficiency: Minor Deficiency
Noise level, not much to it. Verbally tell management, at a minimum.