The auditor is not expected to search for sgf deficiencies in this phase. If the
control is improperly designed, it may represent a material weakness in the
entity's I/C. The 5 elements of I/C are:
Control activities is composed of the various policies and procedures
that help ensure that necessary actions are taken to address risks to
achieving the entity's objectives. The auditor should obtain an
understanding of control activities relevant to the audit. An audit does not
require an understanding of all control activities. The auditor would utilize
info regarding the presence/absence of control activities to determine
areas that need attention. Such control activities include: PIPS.
Performance reviews - Establishing budgets and forecasts to
identify variances from expectations is a mgt control method that
helps mgt supervise more effectively. It provides a means for mgt to
establish expectations, to compare them to actual results, and then
to follow up in areas where sgf diffs appeared. Such budgets
enable mgt to supervise more effectively than monitoring
compliance.
Information processing - controls that check accuracy,
completeness and authorization of transactions. E.g. batch
processing - the similar nature of transactions involved with
batch processing ordinarily makes it relatively easy to follow the
transactions throughout the system. Here, transactions are processed by
type, not in the order they occur. These still exist and are not
expected to be replaced by online real time processing well into the
future. May be used for both database and non-database
applications.
Physical controls - activities that ensure physical security of
assets and records.
Segregation of duties (ARCCs) - diff people are assigned
duties relating to Authority, Recording, Custody & Comparisons.
Note: Understanding only relates whether the controls are in place and
does not require evaluating the operating effectiveness. It is the tests of
control that evaluate the effectiveness of I/C.
When obtaining an understanding of an entity's I/C procedures, an auditor should
concentrate on the substance of the procedures, rather than their form, because
Mgt may establish appropriate procedures but not enforce compliance with them.
The auditor is not expected to search for significant deficiencies in the operation
of the I/C structure nor, is the auditor expected to determine whether control
procedures are suitably designed to prevent/detect material misstatements.
Resolution of deficiencies is imp in assessing the controls environment.
GAAS requires the auditor to obtain an understanding of the I/C structure
sufficient to plan the audit. Note: however, the auditor does not need to
understand I/C specifically related to an a/c (if it is both immaterial and has low
IR), in order to plan the audit. i.e. auditor can skip some procedures.
Walk thru is the procedure that involves literally tracing a transaction from its
origination thru the company's information systems until it is reflected in the
company's financial report. It provides evidence to:
Confirm the auditor's understanding of the flow of transactions and the
design effectiveness of controls i.e. evaluate effectiveness of design
not operating effectiveness.
Confirm whether controls have been implemented.
Performing a walk-thru is an efficient way of:
i. Understanding flow of transactions in the entity
ii. Identifying points within the entity's processes at which MM
due to fraud or error could arise.
iii. Identifying controls that mgt has implemented to address
potential misstatements.
iv. Identifying the controls that mgt has implemented to
prevent or timely detect unauthorized acqn, use or
disposition of company assets that could result in MM
of the F/S.
In performing a walkthrough, the auditor follows a transaction from
origination through the company's processes, including information
systems, until it is reflected in the company's financial records, using the
same documents and information technology that company personnel
use. Walkthrough procedures usually include a combination of inquiry,
observation, inspection of relevant documentation, and re-performance of
controls. A simple spreadsheet program like Microsoft Excel is sometimes
used for storage and reporting of G/L transactions. Examples include:
o Follows a transaction thru co's processes
o Follows a transaction thru company's I/S e.g. ERP system
o Follows a transaction thru company's I/S e.g. Microsoft Excel.
Example Qs that would be asked of an employee: Have you ever
been asked to override the process? What do you do when you find an
error? What kind of errors have you found?
I/C environment
Availability of info from that entity
Specific audit methodology
Extent of technology used
The I/C are put in place to protect:
The reliability of F/REP
The effectiveness and efficiency of operations and,
Its compliance with applicable laws and regulations.
The auditor is reqed to document key elements (CRIME) of I/C in ff ways:
Flowcharts - a visual depiction of I/C. It is a symbolic representation
of a system or series of sequential processes. This is particularly helpful
in determining if there is adequate segregation of duties. A CPA prepares
flowcharts to assemble I/C findings into a comprehensible format
suitable for analysis.
Advantages include: systematic approach, tailored to client, fairly
easy to review and understand, easy to update from year to year.
Disadvantages include: tedious, time consuming to initially prepare,
might fail to recognize deficiencies if overly absorbed in details.
ICQs - series of Qs that can be answered with a simple yes/no. The more
"yes" answers, the better the controls.
Main adv - easily identifies weaknesses in I/C thru the "no"
answers, can have a std form for many clients.
Disadvantages include: these are generic, not tailored to client
personally, irrelevant Qs may annoy clients, client may conceal
deficiencies by incorrect answers.
Decision tables/trees help to list each possible condition and the actions
that will result from each (depicts the logic of an operation or process). It
uses yes/no questions and each answer will direct the user to the next
relevant question. It is usually presented in a tabular form. This is
however, a limited tool as it cannot effectively document the entire
structure.
If the auditor desires to further reduce level of CR, he must first consider
whether additional evidence will be available to support such a reduction
and whether it would be efficient (cost-effective) to collect such evidence.
Gaining an understanding of I/C and assessing CR may be performed
concurrently. Procedures performed to obtain an understanding of I/C may
also be used to gather the evidence needed to assess CR.
Assessing CR at the maximum level means placing no reliance, usually
because:
Evaluating the effectiveness of the controls would be inefficient
No availability of sufficient evidential matter to support the
assertions.
Even if additional evidential matter is available, gathering that
evidence would not be efficient. Remember, the cost of gathering
that additional evidence should not be higher than the benefit
derived from being able to reduce substantive tests.
Where there are few transactions involved with large amounts, a
substantive approach would be more efficient and so the auditor
would most likely assess CR risk at the maximum level.
DR is a function of the effectiveness of an auditing procedure and
of its application by the auditor. It is inversely related to the
assurance provided by substantive tests.
RMM at the F/S level - as the risk of RMM increases the auditor may have the
following overall response:
Assign more experienced staff to the engagement
Provide closer supervision
Use specialists
Use more unpredictable audit procedures.
Remember, for the audit of a non-issuer, TOCs are only required
when the auditor relies on the controls, or substantive tests are not
sufficient to audit particular assertions. TOCs are only performed on
those controls that the auditor plans to RELY ON.
In an audit of F/S in accordance with GAAS, an auditor is reqed to:
Identify specific I/C structure procedures reg F/S assertions
Perform TOCs to evaluate effectiveness
Determine whether procedures are suitably designed to prevent or
detect material misstatements
Only if such controls are to be tested and used to reduce the
CR assessment or if the control relates to sgf risk areas.
If the auditor plans to use audit evidence obtained from prior audits and
the controls have not changed since they were last tested, the auditor
should test the operating effectiveness of such controls at least every 3rd
year.
When the auditor plans to rely on controls that have changed since
they were last tested, the auditor should test the operating
effectiveness of such controls in the current audit.
The objective of tests of details of transactions performed as TOCs
is NOT to detect MM in the a/c balances (that is achieved thru
substantive testing) but to evaluate whether I/C operated effectively.
In a highly automated information processing system, substantive
tests alone will not be sufficient to restrict DR to an acceptable level
and so some TOCs may be required. When evidence is available only in
electronic form, the auditor may find that generalized audit software is the
best and most efficient means to extract evidence from client's database.
The auditor would be least likely to be concerned about I/C as it relates to
shareholder meetings as they will often attend the S/H meetings and be
aware of what has transpired, but important matters at such meetings are
generally publicly available.
DR is effectively set by the auditor when decisions about the nature, timing and
extent of substantive audit procedures are made.
The ultimate purpose of assessing CR is to contribute to the auditor's evaluation
of the risk that MM exist in the F/S. Assessing CR & IR help the auditor to identify
where misstatements might exist, the auditor then performs auditing procedures
to detect those misstatements.
Significant risks are those that the auditor believes require special audit
consideration. E.g. issues involving judgement.
6. Document conclusions
Documenting the assessed level of CR comes after the evaluation of the
operating effectiveness of the controls. The auditor is required to communicate
sgf deficiencies and material weaknesses to Mgt and those charged with
governance.
The basis of risk assessment must always be documented, and the
justification for reducing the CR risk assessment below maximum. If the
control risk is assessed at maximum, the auditor is also reqed to
document that and the basis for that.
Contradicting info in audit evidence
Major elements of the understanding of CRIME and RMM, the sources of
info used for that understanding and the risk assessment procedures
performed. This includes an understanding of the a/cing system which is
part of the Information and Communication component.
Assessment of RMM at F/S and at assertion levels
Sgf risks identified and related controls evaluated - Significant risks are
risks that the auditor believes require special audit consideration. Usually
involves judgmental matters like accounting estimates.
Risks identified that require TOC to obtain sufficient audit evidence and
related controls evaluated.
Major elements of the understanding of CRIME of I/C to assess the risk of
RMM.
REQUIRED COMMUNICATION
Under the AICPA professional stds, written communication is required no later than 60
days after the audit report release date (incl matters communicated orally during the
audit).
1. The auditor must communicate in writing the sgf deficiencies and material
weaknesses identified in the audit to Mgt and those charged with Governance.
Both categories of deficiencies should be reported separately.
2. Certain matters such as mgt integrity cannot be communicated to Mgt.
3. The auditor's written communication on I/C deficiencies identified in an audit
should include a disclaimer of opinion on the effectiveness of ICFR.
4. An auditor's letter issued on sgf deficiencies relating to an entity's I/C observed
during a F/S audit should indicate that the audit's purpose was to report on the
F/S and not provide assurance on I/C.
5. Communication of I/C matters usually should be addressed to the Senior mgt
and those charged with governance.
6. Include definitions of sgf deficiency and material weakness in the report.
Definition of sgf deficiency may be excluded if no sgf deficiency.
7. The auditor may include other lesser matters. E.g. minor I/C problems as well as
recommendations for improving controls.
8. A restriction on the distribution of the report i.e. limited to use of the audit
committee, mgt, or those charged with governance and others within the orgn,
not external parties.
The auditor should not issue a written communication that no sgf
deficiencies were identified during the audit.
The auditor is permitted to orally communicate I/C related matters during
fieldwork as deemed appropriate. However, the auditor must nonetheless
communicate all material weaknesses and sgf deficiencies in writing as
reqed by prof stds, including those that may have been communicated
orally during fieldwork.
SIGNIFICANT DEFICIENCY
A significant deficiency is a deficiency/combination of deficiencies in I/C that is
less severe than a material weakness, yet important enough to merit attention by
those charged with governance. It is a control deficiency in the design or
operation of I/C that could adversely affect the entity's F/rep process. It must be
reported to Mgt and Governance if discovered during the audit. It could result
from a failure in the design of the I/C as well as a failure in the operation of an
I/C. e.g. evidence of lack of objectivity by those responsible for making
accounting decisions, ineffective oversight of F/rep by governance.
Factors to be considered in evaluating deficiencies include:
Entity's size
Complexity
Nature and diversity of b/s activities.
Sgf uncorrected deficiencies by mgt would not necessarily cause the auditor to
consider whether material misstatements exist as Mgt may have cost-benefit
considerations when deciding whether to correct I/C weaknesses.
Sgf deficiencies do need to be recommunicated each year even if Mgt chooses
not to fix the deficiency.
Letters on sgf deficiencies are restricted as to distribution - only mgt, audit
committee or governance and others within the orgn.
Sgf deficiency is a control deficiency that can adversely affect the F/S. E.g.
evidence of a lack of objectivity by those responsible for a/cing decisions.
Control deficiency - when the design or operation of a control does not allow
mgt or employees, in the normal course of performing their assigned functions, to
prevent, detect and correct MM on a timely basis. It does not explicitly consider
the likelihood of loss. All material weaknesses are control deficiencies.
Deficiency in design - when a control necessary to meet the control objv
is missing, or when the control objective is not always met, even if the
control operates as designed.
Deficiency in operation - when a properly designed control does not
operate as designed, or when the person performing the control does not
have the authority or competence to effectively perform the control.
2 factors that the auditor will consider when evaluating a control deficiency
to determine if it is a sgf deficiency or material weakness are probability
and magnitude. Probability relates to likelihood of MM in F/S - remote,
reasonably possible and probable. Magnitude of MM relates to immaterial
or material.
o Remote and immaterial - control deficiency
o Reasonably possible and material - material weakness
MATERIAL WEAKNESS
Material weakness is a deficiency (or combination of deficiencies) in I/C such
that there is a reasonable possibility that a material misstatement of the entity's
F/S will not be prevented or detected and corrected on a timely basis. It is
determined by whether there is more than a remote likelihood of a material
loss occurring due to the control deficiency; the actual loss identified need not be
material though usually material amounts are involved.
Reasonable possibility is defined as reasonably possible or probable - not
moderate. Reasonable assurance is more than moderate level of assurance -
usually it means a high level of assurance.
The auditor should not issue a written communication stating that no sgf
deficiencies were identified; however, the auditor is permitted to add a comment
that no material weaknesses were identified.
Mgt may issue a written response and if such a written response is included with
the auditor's communication, the auditor should add a paragraph to disclaim an
opinion on mgt's written response.
More than remote is the likelihood of loss due to material weakness. No
likelihood threshold given for sgf deficiency or control deficiency.
Indicators of material weaknesses in I/C include:
Ineffective oversight by audit committee
Fraud - material or immaterial - on the part of senior mgt
Restatement of previously issued F/S to reflect the correction of a MM due
to fraud/error.
Identification by the auditor of MM which would not have been detected by
the entity's I/C.
ASSERTIONS (UPERCV)
In order to assess CR below maximum, the auditor must collect evidence to
support the reduction. Collecting such evidence involves identifying specific I/C
relevant to specific assertions and then performing TOC to evaluate the
effectiveness of the controls. Such assertions may be found in the a/c balance,
transaction class or disclosure components. Based on the CR assessments, the
auditor determines the nature, timing, and extent of the auditing procedures to be
performed.
Some specific applications of these assertions include:
Understanding and classification - transactions & events have been
recorded in the proper a/cs and info is presented & described clearly.
Presentation and disclosure - all transactions have been presented
correctly and disclosure made of any RP transactions.
Existence or occurrence (vouching) - all transactions have actually
taken place. Here the auditor moves from the books to the source
documents. E.g. vouching the acquisition of assets with cancelled checks.
Rights and obligations - confirms right or ownership to assets or to
collect receivables or pay off liabilities. E.g., verifying that securities in the
safe deposit box are registered in the entity's name.
Completeness (tracing) & cutoff - deals with whether all transactions
are recorded. E.g. tracing a bill of lading to the sales invoice. Or,
comparing assets on record (pref pre-numbered with physical check).
Valuation, allocation and accuracy - deals with whether a/cs are valued
correctly e.g. current prices of recorded investments, A/R are likely to be
collected.
TRANSACTION CYCLES
A transaction cycle is a group of essentially homogenous transactions i.e.
transactions of the same type. E.g. revenue, payroll, expenditures, inventory, FA,
investing/financing.
CR is generally constant within a particular category of transactions as all
transactions are processed in the same way. So the transaction cycle is the
highest level of aggregation for which CR may be viewed as a constant. Within a
given transaction cycle, CR is essentially constant.
To obtain an understanding of a manufacturing entity's I/C structure concerning
any transaction cycle an auditor would most likely review the entity's policies
and procedures.
Review Supervisor - Each day's cash receipts acc to listing compared for
agreement with each day's deposit according to the bank
statement/validated deposit slips.
Review Supervisor - Bank reconciliations should be reviewed by an
appropriate supervisor and initialed to document approval.
Authorization - Treasurer's dept establishes credit policies, authn of
write-offs, custody of securities/cash.
Remember lack of segregation of duties is an I/C weakness. Allowing
sales dept to authorize credit memos is an I/C weakness that could permit
an employee defalcation scheme.
Adjusting journal entries should be approved by MGT.
Bank reconciliations should be reviewed by MGT.
A/R dept - Employees with access to cash receipts ordinarily should be bonded.
Bonding is a form of insurance against theft by a covered employee and
includes background investigation by the bonding agent. Fidelity bonding insures
the co against loss from illegal acts by employees. Bonded employees must be
approved by the bonding co. As a result, fidelity bonding reduces the possibility
of employing dishonest individuals and deters dishonesty by making employees
aware that insurance cos may investigate and prosecute dishonest acts.
Establishing a bank lockbox system would provide the best control over
customer receipts because it would prevent the employees from having
access to the receipts and so reduces the risk of diversion. Here the collection of
receivables is done directly by the bank thereby eliminating employee contact
with the cash.
Where a clerk is responsible for both approving credit memos and has access to
cash, then there is a high risk of fraud as the clerk can collect money from a
customer and issue a fraudulent credit memo as the basis for credit to
customer's a/c. A responsible person should review credit memos after they are
recorded to see a receiving report for sales returns for which the credit memos
have been generated.
When A/R are written off they should be controlled for possible future collection
and accordingly they should be recorded to maintain a/cability in a separate
ledger. If they were simply written off and forgotten, there would be no means of
maintaining a/cability over these contingent assets.
In an ordinary sales transaction, authorization is required for the ff:
Granting of credit - credit dept
Shipment of goods
Determination of discounts/w/offs - Treasurer
Selling of goods for cash - lack of specific authorization will not as such raise
concern as the fact that cash is being received eliminates any credit problem
considerations. Also at the point of selling goods for cash, decisions on matters
such as appropriate discounts will have already been made.
Lapping involves the altering of A/R when cash that is intended for the payment
of a recable is misappropriated. The first recable collected is used to cover the
misappropriation, while the second recable is collected to a/c for the first. It
occurs when a remittance reced from one customer is stolen and the shortage is
hidden by crediting the first customer's a/c with the cash received from a second
customer. It is best prevented by separating custody from recording i.e.
segregation of duties between those receiving cash and those posting to the A/R
ledger. Best audit procedure: comparing the dates checks are deposited per bank
statements with the dates remittance credits are recorded. Remember, lapping
will result in a delay in the recording of specific remittance credits but the checks
will be recorded on the same day. Another way to prevent lapping is to have
customers send payments directly to the company's depository bank.
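The date comparison described above, written out as an added example (it is not part of the original notes). The record layouts, customer names, amounts and the one-day tolerance are constructed assumptions; matching is simplified to same customer and same amount.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DepositItem:
    """One check listed on a validated deposit slip / bank statement."""
    payer: str
    amount: int          # cents
    deposited: date


@dataclass(frozen=True)
class LedgerCredit:
    """One remittance credit posted to the A/R subsidiary ledger."""
    customer: str
    amount: int          # cents
    posted: date


def lapping_exceptions(deposits, credits, max_lag_days=1):
    """Compare deposit dates per bank with posting dates per A/R ledger.

    Returns (delayed, unsupported):
      delayed     - (deposit item, lag in days) where the payer's own credit
                    was posted later than max_lag_days after the deposit;
                    lag is None when the payer has not been credited at all.
      unsupported - ledger credits with no deposit item from that customer,
                    i.e. an account credited with someone else's cash.
    """
    unmatched = sorted(credits, key=lambda c: c.posted)
    delayed = []
    for item in sorted(deposits, key=lambda d: d.deposited):
        # Earliest still-unmatched credit to the payer's own account.
        match = next(
            (c for c in unmatched
             if c.customer == item.payer
             and c.amount == item.amount
             and c.posted >= item.deposited),
            None,
        )
        if match is None:
            delayed.append((item, None))
            continue
        unmatched.remove(match)
        lag = (match.posted - item.deposited).days
        if lag > max_lag_days:
            delayed.append((item, lag))
    return delayed, unmatched


# Constructed sample: Alder's payment of 3 March was stolen and never
# deposited. Birch's check (7 March) is used to credit Alder, Cedar's
# check (12 March) is used to credit Birch, and Cedar is still uncredited.
# Dogwood is an ordinary, honestly processed remittance.
DEPOSITS = [
    DepositItem("Birch Ltd", 50000, date(2024, 3, 7)),
    DepositItem("Dogwood LLC", 32000, date(2024, 3, 7)),
    DepositItem("Cedar Co", 50000, date(2024, 3, 12)),
]
CREDITS = [
    LedgerCredit("Alder Inc", 50000, date(2024, 3, 7)),
    LedgerCredit("Dogwood LLC", 32000, date(2024, 3, 7)),
    LedgerCredit("Birch Ltd", 50000, date(2024, 3, 12)),
]

if __name__ == "__main__":
    delayed, unsupported = lapping_exceptions(DEPOSITS, CREDITS)
    for item, lag in delayed:
        status = "never credited" if lag is None else f"credited {lag} days late"
        print(f"{item.payer}: deposited {item.deposited}, {status}")
    for credit in unsupported:
        print(f"{credit.customer}: credit on {credit.posted} has no matching deposit")
```

The delayed credits and the unsupported credit form a chain (Alder, Birch, Cedar) that points back to the first remittance that never reached the bank.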
Online systems are better than batch systems in that they enable shipments of
customer orders to be initiated as soon as the orders are reced.
Pre-numbering is the std cure for completeness to enable all sales transactions
to be recorded.
A proper form of comparison over sales transactions involves matching the
customer's PO with the shipping document and sales invoice for agreement.
Indirect access to merchandise by unauthed access to a co's computer system
can be controlled by computer passwords being periodically revised and limited
to authed personnel.
An auditor may analyze the completeness of sales using cash receipts and
A/R e.g. A/R b/fwd Cash receipts + A/R c/fwd = estimate of sales.
Testing credit approval relates to the valuation assertion as it helps assure that
goods are shipped to customers who are likely to be able to pay.
Cut-offs relate to the completeness assertion - whether all transactions have
been recorded in the proper period.
Presentation assertion relates to whether F/S components are properly
classified, described and disclosed.
Likely frauds that can occur in the revenue cycle include shipping goods to
nonexistent customers (which are stolen by employees), failing to bill customers
(these could again be employees) for goods shipped, recording sales without an
underlying transaction in order to inflate the sales and accounts receivable
figures, creating fictitious credit memos for returned goods (a method of
stealing cash), and booking sales in periods earlier than they actually occurred
(to hike up the sales figures). A client most likely will overstate revenue and
accounts receivable in a fraudulent scheme. Only the authorization of credit
memos by personnel who receive cash may permit the misappropriation of cash
is a likely scenario which would benefit either the entity or certain dishonest
employees.
SPENDING/DISBURSEMENT
Steps/Segregation
Authorization - Initiating depts. to authorize requisition/request of
goods. This should not be performed by purchasing as same person
cannot authorize request for goods as well as purchase of goods.
Authorization - Purchasing dept would verify that requisitions are
properly completed and authorized. Also, the issue and approval of
purchase orders and negotiation of terms with vendors are both authn
functions. Also issue of debit/credit memos which are then sent to A/C
dept for recording. Will also send copies of POs to the receiving dept (pref
with qty column to be filled in by the receiving dept).
Authorization - Voucher payable dept responsible for reviewing
vouchers (incl. checking mathematical accuracy), verification of invoices
by matching with related supporting documentation (PO, receiving report)
and getting an authorized person to sign for payment. Also, includes
indicating the asset and expense a/cs to be debited.
Authorization - A/P dept approving vendor's invoices for payment,
invoice verification i.e. match vendor's invoice with receiving report and
purchase order to ensure that the item was both ordered and received.
Compare invoice price to purchase order price, ensure proper authn of
invoice and compare quantities ordered to quantity purchased. Ensuring
that the goods have been received by the party requesting the goods will
be something that A/P would be unable to determine as normally goods
received are placed in stores. Processing the payment for the invoice,
sending the check to treasurer for signing and mailing and then filing all
the supporting doc after payment.
Custody - Treasurer signs checks and mails them and cancels all
supporting documentation. Mailing disbursement checks and RA should
be controlled by the employee who signs the checks last. Less risk of
diverting or modifying checks before mailing. The same person also
cancels supporting documents to prevent duplicate payments for the same
invoice and stamps "paid" on the voucher to prevent double payment.
Custody - Receiving dept uses approved purchase order copy from
purchasing dept to accept incoming goods. I/C is strengthened when the
receiving dept personnel are unaware of the quantities ordered (because qty
ordered is omitted from copy of PO sent) so that they will provide an
independent count of quantities received.
Recordkeeping - Accounts dept posting the A/P records.
Review - reconciling A/P ledger.
When the shipping dept returns goods to a vendor, the purchasing dept should
send a debit memo to the a/cing dept. A debit memo advises accounting that
the vendor invoice should not be paid in full due to returned goods.
Not all payments made are vouchered so correct control to determine
unauthorized payments would be getting a sample of cancelled checks.
If the auditor is concerned that invoices and vouchers are being paid and
destroyed, then you can't take a sample of invoices or vouchers. The auditor would
select a sample of cash disbursements for inventory and trace to the vendor
invoice, approved voucher and receiving report.
Voucher register records goods reced thru purchase - The main benefit of
maintaining an A/P subsidiary ledger over voucher register is partial payments to
vendors are continuously made in the ordinary course of b/s.
Pre-numbering is a control for completeness to ensure that no voucher got lost
and that all vouchers got recorded.
To determine whether checks are being issued for unauthorized expenditures,
the auditor needs to examine a sample of cancelled checks.
If receiving reports are getting misplaced and therefore missing, the auditor can
only identify receipt of goods thru open purchase orders and vendor invoices.
Unrecorded payables = search for unrecorded liabilities = examine cash
disbursements after y/end i.e. JAN following year. Payments made that month
are existing liabilities that should have been accrued @ y/end.
PAYROLL CYCLE
Authorization - Personnel - hiring of personnel, approve changes in pay rates
and deductions from employee salaries. The personnel dept must promptly send
employee termination notices to the payroll supervisor so that they are
immediately removed from payroll.
Custodial function - Treasurer signs checks and hands over the checks to
appropriate departmental supervisor (who will distribute the checks to personnel)
& custody of unclaimed pay checks.
o Personnel with access to payroll checks should be bonded.
o Proper segregation of duties between personnel and payroll
disbursement eliminates many frauds in which the phantom
employees are being paid.
o For a cash payroll, each employee should be asked to sign a
receipt after being paid. The best control is to get the unclaimed
cash out of the firm's physical control and into the bank.
o Payroll supervisor cannot distribute payroll checks to employees -
only treasurer/independent pay master can.
o Undistributed checks should be deposited in a bank a/c.
Recordkeeping - Payroll maintains the payroll register, which is a primary
accounting record which lists amounts owed to individual employees for a given
payroll period. This dept. calculates the salary to be paid. They should not
authorize payroll rate changes.
Payroll dept supervisor - responsible for:
o Reviewing and approving time reports to ensure that payment is
made only for the work performed.
o Hiring subordinate employees.
o Initiate requests for salary adjustments for subordinate employees.
PRODUCTION CYCLE
The objectives of the I/C structure for a production cycle are to provide
assurance that transactions are properly executed and recorded, and that access
to assets (R/M, WIP & FGs) is permitted only in acc with Mgt's authorization, and
finally, the recorded accountability for assets is compared with the existing assets
at reasonable intervals and differences are investigated and resolved.
Inventory - the use of periodic inventory counts to adjust the perpetual inventory
records would ensure inventory records are accurate.
Primary concern here is custody/control/access to inventory of R/M, WIP and
FG, that they are properly maintained, and that all releases of R/M by
storekeepers are based on approved requisition documents.
A perpetual inventory system will show when and where materials are being
used.
Vendor's invoices for R/M approved for payment, signed checks for
purchase of R/M and details of disbursements for R/M balanced with the
total to be posted to general ledger are all related to disbursement cycle.
Finished goods should be accepted for stock only after presentation of a
completed production order and inspection report. This is because
finished goods should be inspected to determine their condition before
leaving the production dept.
Comparison of daily j/es with factory labor summary will detect direct
manufacturing labor which has been properly recorded on the labor
summary but incorrectly posted to a manu o/head a/c.
Misclassification of equipment acquisitions as maintenance exps would most
likely be detected thru investigation of R&M variances. Equipment acquisitions
tend to be large $ purchases which will distort normal maintenance exps.
Initiation and execution of FA transactions would not include restricted access to
equipment. Reviewing FA acqns for soliciting competitive bids is a valid
consideration for initiation and execution of FA.
Should attach FA ID tags to individual assets and maintain a detailed listing of all
such tags with $ balances reconciled to the general ledger control a/c.
A weakness in I/C over recording retirements of equipment means that some
assets are being shown in records even though they have been retired thereby
overstating equipment a/c. The auditor can identify such assets by selecting
certain items in the a/cing records and attempting to locate them.
To improve a/cability for FA retirements, mgt most likely would implement control
that includes continuous utilization of serially numbered retirement work orders.
PCAOB AS #5 INTEGRATED AUDIT
The objective of such an engagement is to express an opinion on MGT'S
ASSESSMENT of the effectiveness of ICFR.
Risk assessment underlies the entire audit process described by PCAOB
AS#5.
The auditor should not issue a written communication stating that no
sgf deficiencies were identified; however, the auditor is permitted to
add a comment that no material weaknesses were identified.
Planning the audit: the audit of ICFR should be integrated with the audit
of F/S; that is, TOC should be designed to address both the objectives of
the audit of ICFR and the audit of F/S. Can use the work of others, which
includes internal auditors, other co personnel, service auditors and 3rd
parties. As the CR increases, the auditor should take increasing
responsibility for performing the work instead of using the work of others.
Top-down approach is a risk-based approach to auditing that
o Begins at the F/S level and with the auditor's understanding of the
overall risks to ICFR.
o The auditor then focuses on entity-level controls and
o Finally works down to sgf a/cs and disclosures and their relevant
assertions.
Entity-level controls: the term refers to policies and procedures that
have very broad implications for the achievement of an entity's
control-related objectives: operating activities, F/rep, and compliance.
o Controls related to the control environment;
o Controls over mgt override;
o The co's risk assessment process;
o Controls to monitor results of operations or other controls;
o Controls over the period-end F/rep process
o Policies that address sgf b/s control and risk mgt practices.
walkthrus for each of the sgf processes identified, not each and
every transaction type unless all controls are deemed ineffective.
Remember, a walk-thru involves probing questions that go beyond
a narrow focus on the single transaction. A walk-thru will enable
the auditor to gain a sufficient understanding of the process and be
able to identify imp points at which a necessary control is missing
or not designed effectively. The following procedures applicable to
performing walk-thrus are RIIO. Confirmation is a substantive
auditing procedure.
Auditors should perform appropriate review procedures related to mgt's
required quarterly certifications about ICFR.
When mgt's report on ICFR includes other info regarding mgt's plans, for
example, to implement new control procedures, the auditor's report on
ICFR should disclaim an opinion on that other info.
Testing design effectiveness of controls: IIO - inquiry, observation and
inspection.
Testing operating effectiveness of I/C: RIIO - re-performance is the
additional procedure for testing operating effectiveness.
PCAOB states that a deficiency in any one of the ff controls would at least be a
sgf deficiency:
Controls over the selection and application of a/cing prins that are in
conformity with GAAP
Anti-fraud programs and controls.
Controls over non-routine and non-systematic transactions.
Controls over the period-end F/rep process.
The existence of any sgf deficiencies at the end of the reporting
period does not necessarily mean that mgt should consider ICFR to
be ineffective.
Some indicators of material weaknesses:
1. Identification of fraud involving senior mgt, whether or not material;
2. Restatement of previously issued F/S;
3. Identification by the auditor of a MM of the F/S in the current period;
and
4. Ineffective oversight of the co's external F/rep and I/C by the co's
audit committee.
Evaluation of the existence of material weaknesses in ICFR is
primarily based NOT on whether there are any MM in the F/S but that
the controls will fail to PREVENT/DETECT a MM.
Communicating identified deficiencies: the auditor must
communicate in WRITING:
1. All material weaknesses identified to mgt and the audit committee
2. Other sgf deficiencies identified to the audit committee.
3. All other deficiencies in ICFR, in writing, to mgt and inform the
audit committee that such a communication has been made.
4. If the auditor concludes that the audit committee's oversight of
F/rep and ICFR is ineffective then must communicate that
conclusion in writing to the BOD.
Reporting on ICFR:
o Separate or combined reports: the auditor may choose to issue a
combined report or separate reports. The separate reports should contain an
additional para that references the other report.
o Title of the report: should include the word "Independent".
o Combined report: an unqualified report on the F/S and on ICFR
consists of 5 paras: Intro, Scope, Definition, Inherent limitations and
Opinion.
o Report date: if separate reports are issued, they should be dated
the same.
o Disclaimer of opinion: inadequate documentation of ICFR by mgt
would be viewed by the auditor as a scope limitation. In that case,
the auditor should issue a disclaimer or withdraw from the
engagement.
o Adverse opinion: required to be adverse if even one material
weakness exists at year-end (as-of date); not even a qualified
opinion is an option. The as-of date is the last day of the fiscal
period; it is this date on which the auditor concludes as to the
effectiveness of I/C. Should determine the effect the adverse
opinion on ICFR has on the opinion on the entity's F/S.
Reasonable assurance as it relates to I/C: always consider CBA.
Use the word "examine" instead of the word "audit".
Test ALL CONTROLS. So general distribution.
Always have audit committees in public companies.
Purchases by telephone and internet are a part of the purchase process
and represent major classes of transactions. Remember, that purchase
transactions may or may not be investigated in extreme detail. Purchases
are not assertions. Purchase type transactions themselves are not control
objectives for IC.
COSO - The COSO I/C framework most used by mgt in its I/C assessment
under PCAOB.
Roll-fwd procedures: when operating effectiveness has been tested at
an interim date, the auditor should consider what additional testing for the
remaining period may be necessary.
EXAM NOTES
Mgt integrity is such a critical component of an effective I/C that a lack of it could lead to
the auditor withdrawing from the engagement.
An auditor should consider both quantitative and qualitative aspects of deviations
noted. The square footage of selling space is non-financial info which may be
used in considering the overall reasonableness of sales.
Computer systems are typically supported by a variety of utility software packages
that are important to an auditor because they may enable unauthorized changes
to data files if not properly controlled. Auditor must determine that no unplanned
interventions using utility routines have taken place during processing.
A primary criterion of designing any I/C system is the cost-benefit r/ship. The cost
of an entity's I/C should not exceed the benefits to be derived.
Internal control can only provide reasonable assurance with the cost/benefit
ratio being the limiting factor and additional inherent limitations. Because of
inherent limitations like the ones below, only reasonable assurance can be
provided that an entity will achieve its control objectives - COCO
Competence - Mistakes in judgement (esp when tired)
Override of mgt - e.g. CEO requesting a check without PO.
Collusion among employees.
Obsolescence
Controls whose effectiveness depends on segregation of duties cannot be relied
upon to ensure that collusion among employees will not occur, as they may be
circumvented by collusion.
An auditor uses computer software to access client data files, prepare
spreadsheets, construct parallel simulations but would LEAST LIKELY USE IT to assess
computer CR. Both the computer and manual systems are assessed after
performing TOCs.
The auditor must perform substantive tests to some degree for all sgf audit areas;
cannot assess CR so low that substantive testing is omitted entirely!!
When controls duplicate other controls the auditor who wishes to rely upon I/C
need not test both sets.
When documentation of a control does not exist, the auditor may use observation
and inquiry to test the procedure. Similarly, with lack of audit trail.
Estimation transactions are activities involving mgt's judgments or assumptions
such as determining the provision for d/debts, warranty reserves, assessing
assets for impairment.
Remember AP is also part of substantive testing, so increasing AP =
increased substantive testing for a weakness in I/C.
Even a single material weakness always results in an adverse opinion.
An auditor would most likely limit substantive testing of sales transactions when
CR is assessed as low for the existence or occurrence assertion and the auditor
has already gathered evidence supporting cash receipts and A/R.
Electronic funds transfer reduces manual handling and therefore reduces risk of
data entry error.
Creation and use of self-monitoring access controls are a limitation of an
electronic system.
Can obtain info from mgt, governance, internal auditors and staff from all depts
thru out the audit.
Suggesting fixes to a control is out of the scope of an audit and close to
consulting services. Therefore, if a transaction is incorrectly processed, the
auditor should obtain an understanding of how the incorrect processing of
transactions was resolved and the effect on CR.
Concluding on the effectiveness of a given control is NOT part of the risk
assessment process.
To determine whether a particular assertion is relevant to a sgf a/c balance or
disclosure, the auditor should evaluate
the nature of assertion,
the volume of transactions/data related to the assertion and
the nature and the complexity of the systems including IT.
The auditor does not evaluate the individual transactions that make up the
a/c.
RMM assessment can be in quantitative terms, qualitative terms, F/S level and
relevant assertion level.
A decrease in the amount of tolerable misstatement means that a more careful
audit needs to be planned to detect small misstatements.
New hire training materials prepared by HR do not meet the definition of reports
prepared by mgt.
Difference btw integrated audit ICFR and obtaining an understanding of I/C +
assessing CR as part of an audit:
Scope: different; much more extensive for integrated audit (test ALL controls).
Procedures: similar; AIIO v RIIO.
Objective: different; understanding of design v operating effectiveness.
Reviewing ICQ would help the auditor to determine RMM and identify reportable
conditions, but this procedure would not be helpful in identifying non-compliance
with laws and regulations.
The fact that employees are not required to take regular vacations is a weakness
in I/C, but it has nothing to do with the computer access.
When the operating effectiveness of a control is not evidenced by written
documentation, the auditor should perform risk assessment procedures (AIIO) to
obtain an understanding of the entity and its environment, including I/C.
Intercompany transactions and large revenue transactions at period end are egs
of non-routine or non-systemic transactions that may indicate a RMM.
Flowcharts would provide the least assurance about the operating effectiveness
of an I/C. Mainly assist the auditor with understanding the design of the I/C.
When an I/C is considered deficient it means it is a material weakness. An
auditor may elect not to test that control if it does not present a RMM to the F/S.
REMEMBER AN AUDITOR ONLY TESTS THE CONTROL IT PLANS TO RELY
ON.
An auditor may decide to perform only substantive testing procedures if no
effective controls relevant to the assertion have been identified.
COSO includes tests of transaction cutoffs, transaction terms and a/c valuation
for end of period a/cs, and tests to ensure a baseline level of I/C.
In planning an integrated audit, the auditor does NOT evaluate the entity having
an operating and effective audit committee.
If the assessed risk is lower because of internal controls and the auditor intends
to base the substantive procedures on that low assessment, then the auditor
performs tests of those controls, as required by paragraph. This may be the
case, for example, for a class of transactions of reasonably uniform, noncomplex
characteristics that are routinely processed and controlled by the entity's
information system.
Large returns in the middle of the period are not an e.g. of non-routine
transactions.