chapter 8 planning and testing operating effectiveness of internal control over financial reporting...

Upload: cornelia-chambers

Post on 24-Dec-2015

TRANSCRIPT

Page 1: Chapter 8 Planning and Testing Operating Effectiveness of Internal Control over Financial Reporting Prepared by Richard J. Campbell Copyright 2011, Wiley
Chapter 8

Planning and Testing Operating Effectiveness of Internal Control over Financial Reporting

Prepared by Richard J. Campbell

Copyright 2011, Wiley and Sons

Learning Objectives

1. Learn the relationships of a control, evidence available, and tests of the control, including IT impacts.

2. Recognize the importance of audit considerations such as fraud, illegal acts, related parties, multiple locations, and service providers in controls tests.

3. Learn how sampling is applied to controls tests and the risks associated with sampling.

4. Understand the audit risk model.

5. Learn what is included in audit documentation and why it is important.

6. Understand the important judgments involved in evaluating test results and the impact of the severity of ICFR deficiencies.

7. Discuss the practical application of control concepts to ICFR audits.

8. Apply the results of ICFR tests to financial statement audit plans.


SELECTING THE CONTROLS TO TEST

Learning Objective #1

Exhibit 8-1: Tests of ICFR Operating Effectiveness

TESTING METHODS

Methods of testing controls include inquiry, inspection, observation, and reperformance.

The auditor performs the audit procedure that tests whether the control objective is achieved. A control objective is a specific target against which to evaluate the effectiveness of controls. A control objective…relates to a relevant assertion and states a criterion for evaluating whether the company’s control procedures in a specific area provide reasonable assurance. (AS 5.A2)

Learning Objective #1

Computer-Assisted Audit Techniques (CAATs)

Learning Objective #1

Learning Objective #1

EXHIBIT 8-2: Examples of Management Assertions, Control Objectives, and Evaluation Criteria

PLANNING THE TESTS

Learning Objective #1

• Define the potential error that results from failure of the control and the appropriate evidence related to the error.

• Identify when testing should be performed.

• Determine the extent of testing needed—how many different types of tests should be performed and how many items to test.

Define the Error and Identify Evidence Related to the Error

Learning Objective #1

Direct documentary evidence does not exist for some controls.

Audit evidence regarding management’s philosophy and operating style might be inferred from documents such as the company’s mission statement and code of conduct.

For these types of soft controls, the appropriate tests are inquiry of appropriate personnel, corroborated by observing company activities and reading any related documents.

Plan the Timing and Extent of Testing

Next the auditor decides the timing of the test—when it is to be performed—and the extent of testing. These decisions are affected by the risk related to the control. Risks associated with a control are:

1. the risk that a control might not be effective and

2. the risk that if a control is not effective a material weakness would result.

(AS 5.46)

Learning Objective #1

TIMING OF TESTS

The frequency with which controls operate affects not only the time frame in which the operation of the control is tested, but also the sample size required.

The audit procedures for testing automated controls that operate continuously or frequently differ from those that are used for manual controls that operate with similar frequency.

Auditors limit the extent of tests of automated controls because the controls function in a consistent manner.

Learning Objective #1

Benchmarking

Learning Objective #1

Benchmarking, a testing strategy for completely automated controls, relies on the assumption that automated controls are going to continue to function in a consistent manner unless something changes within the program or in the surrounding environment.

Benchmarking is only appropriate when:

• both ITGC and application controls are effective.

• ITGC remain strong from year to year.

• the application programs do not change.

Document Availability

Learning Objective #1

Some controls can be tested at any time after their operation by inspection of documents—either paper or electronic—and reperformance of the control steps.

When a company’s documentary evidence is retained for limited periods of time or hardcopy records are changed into electronic format, the auditor considers this policy when developing the audit plan.

Updating Interim Audit Work

Learning Objective #1

When auditors perform control testing at an interim date, additional tests are usually needed closer to the end of the fiscal period.

The auditor may not need to test controls that were in place earlier in the year if they have been changed or were replaced later during the year under audit.

If the controls in place early in the year were not effective and the auditor did not test them, more substantive evidence about the affected account balances is needed.

EXTENT OF TESTS

Learning Objective #1

Each audit must collect persuasive evidence about the effectiveness of all controls for relevant assertions for all significant accounts and disclosures every year.

The extent of testing needed to provide the auditor with evidence that a control is performing effectively depends on the nature of the control.

Manual controls—those relying on the company’s personnel—generally require more testing than automated controls.

Period-End Reporting Process

Learning Objective #1

EXHIBIT 8-3: Examples of Controls in the Period-End Financial Reporting Process

FRAUD

Learning Objective #2

The auditor’s assessment of fraud risk begins with the client acceptance and continuance process and continues as the auditor gains an understanding of the system and assesses design of ICFR.

Results of tests of controls, including anti-fraud controls, may cause the auditor to perform additional tests or modify the plan for the financial statement audit.

FRAUD RISK

Learning Objective #2

ILLEGAL ACTS

Learning Objective #2

RELATED PARTY TRANSACTIONS

Learning Objective #2

Related party transactions are transactions conducted with an entity or a person meeting the definition of a related party set forth in the FASB definition of related parties.

Related parties include:

SAMPLING

Learning Objective #3

Basically, an auditor has the option of examining 100% of a company’s financial evidence and records or looking at some subset of that information. Obtaining audit evidence based on a subset of the information often involves sampling.

When the auditor does not examine or test all of the items in the targeted population of the account balance or class of transactions, sampling risk is introduced into the audit processes.

Planning the Sample

Learning Objective #3

Exhibit 8-4: Impact of Sampling Error on Audit Decisions

Sampling Risk

Learning Objective #3

Approaches to Sampling

Learning Objective #3

A sample may be randomly selected based on identifying document numbers produced by a random number generator computer program.

Nonsampling risk includes:

• The risk that the auditor will use an audit procedure that is not appropriate for what the test is intended to accomplish

• The risk that the auditor may fail to detect a problem when applying an audit procedure

• The risk that the auditor may misinterpret an audit result

Sampling and ICFR Testing

Learning Objective #3

Attribute sampling is the term often used to describe the audit process when an auditor applies sampling methods to an ICFR testing procedure.

The first decision is how much risk the auditor is willing to accept of concluding that the internal control is operating effectively when it is not.

The second decision involves determining the tolerable deviation rate.

The third decision deals with the likely rate of deviation in the population. The likely rate of deviation is also called the expected population deviation rate.

Factors Affecting Sample Size

Learning Objective #3

EXHIBIT 8-5

AUDIT RISK MODEL

Learning Objective #4

Audit risk is the risk that the auditor may unknowingly fail to appropriately modify the opinions on ICFR and the financial statements.

Engagement risk is a term used for the overall risk to the auditor of being associated with a client.

AR stands for audit risk.

RMM is the risk of material financial statement misstatement.

IR stands for inherent risk.

CR stands for control risk.

DR stands for detection risk.

TD is the risk that a material misstatement will be missed by the auditor’s tests of details of balances.

AP is the risk that a material misstatement is missed by the audit’s analytical procedures.

Inherent Risk and Control Risk

Learning Objective #4

Inherent risk results from the nature of the account or class of transactions.

Control risk deals with the likelihood that any problems that occur with an account or class of transactions will not be prevented or detected by the company’s ICFR.

Relationships of Audit Assurance and Characteristics

Learning Objective #4

EXHIBIT 8-6

AUDIT DOCUMENTATION

Learning Objective #5

Permanent files include information that is relevant to the company and its audit for recurring engagements.

The current files include all the information and audit evidence relating to the current integrated audit engagement.

EVALUATING THE RESULTS

Learning Objective #6

The testing and evaluation process for tests of ICFR operating effectiveness can be summarized as follows:

• Conduct the control test procedures (e.g., inquiry, inspection, observation, reperformance) that compare actual operations of ICFR to the control objective and evaluation criterion.

• Identify control errors or deviations from control procedures.

• Determine whether the deviation rate of each control is high enough to be a control deficiency.

• Consider both qualitative and quantitative factors related to the deficiency.

• Determine whether any deficiencies identified, either individually or in combination, meet the threshold of a significant deficiency or material weakness.

ADDITIONAL DOCUMENTATION CONSIDERATIONS

Learning Objective #5

“BIG PICTURE” TOPICS AND OPERATING EFFECTIVENESS

Learning Objective #7

When auditing the operating effectiveness of ICFR, testing entity-level and pervasive controls may or may not be sufficient to make a conclusion about operating effectiveness.

“Softer” internal control components mentioned by the COSO IC Framework, such as management’s philosophy and operating style, require a different kind of testing than controls that produce documents as evidence.

IMPACT OF OUTSOURCING

Learning Objective #7

When planning the tests of the operation of controls, the auditor considers processes that are performed for the client by service organizations or third-party service providers.

Examples of service organizations are (AU 324.03):

• bank trust departments that invest and service assets for employee benefit plans and for others

• mortgage bankers that service mortgages for others

• application service providers that provide packaged software applications and a technology environment that enables customers to process financial and operational transactions.

ICFR EFFECTIVENESS AND THE FINANCIAL STATEMENT AUDIT

Learning Objective #8

If ICFR was effective throughout the entire year, or even a specified part of the year, the auditor can, in the financial statement audit, choose to rely on the controls for the period that they were effective.

APPENDIX A: TESTING IT APPLICATION CONTROLS AND COMPUTER-ASSISTED AUDIT SOFTWARE

Appendix A

A test data approach, parallel simulation, and integrated test facility are three well-known examples of automated controls tests.

Common input validation controls that the auditor might test using test data include the following:

• Access control and authorization

• Limit check

• Range check

• Validity check

• Completeness check
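The test data approach applied to the input validation controls listed above, as an added example that is not from the chapter: an auditor-built test deck with a predicted result for every record is run through a disbursement-entry routine, and any record where the application's result differs from the prediction is a deviation. The routine, field names, limits, account range and vendor list are hypothetical stand-ins for a client application.

```python
# Added example (not from the chapter): the application routine, field names,
# limits and master data below are hypothetical stand-ins for a client system.
APPROVED_VENDORS = {"V100", "V200", "V300"}       # master file for the validity check
AUTHORIZED_ROLES = {"ap_clerk", "ap_supervisor"}  # roles allowed to enter disbursements
REQUIRED_FIELDS = ("user_role", "vendor_id", "amount", "gl_account")


def validate_disbursement(txn, amount_limit=10_000.00, gl_range=(5000, 5999)):
    """Application control under test: return the set of checks that reject txn."""
    if any(txn.get(f) in (None, "") for f in REQUIRED_FIELDS):
        return {"completeness"}            # other checks cannot be evaluated
    failed = set()
    if txn["user_role"] not in AUTHORIZED_ROLES:
        failed.add("authorization")
    if txn["vendor_id"] not in APPROVED_VENDORS:
        failed.add("validity")
    if txn["amount"] > amount_limit:
        failed.add("limit")
    if not gl_range[0] <= txn["gl_account"] <= gl_range[1]:
        failed.add("range")
    return failed


GOOD = {"user_role": "ap_clerk", "vendor_id": "V100",
        "amount": 2_500.00, "gl_account": 5100}


def case(label, expected, **changes):
    """Build one test-deck record: a valid transaction with some fields altered."""
    return label, {**GOOD, **changes}, set(expected)


# Auditor's test deck (constructed data). Each record states in advance which
# check should reject it, including values sitting exactly on a boundary.
TEST_DECK = [
    case("valid transaction", []),
    case("unauthorized role", ["authorization"], user_role="warehouse"),
    case("unknown vendor", ["validity"], vendor_id="V999"),
    case("amount at limit", [], amount=10_000.00),
    case("amount over limit", ["limit"], amount=10_000.01),
    case("GL account below range", ["range"], gl_account=4999),
    case("GL account at top of range", [], gl_account=5999),
    case("GL account above range", ["range"], gl_account=6000),
    case("missing vendor", ["completeness"], vendor_id=""),
    case("two errors at once", ["validity", "limit"],
         vendor_id="V999", amount=50_000.00),
]


def run_test_deck(control, deck=TEST_DECK):
    """Return deviations: records where the control's result differs from expected."""
    deviations = []
    for label, txn, expected in deck:
        actual = control(txn)
        if actual != expected:
            deviations.append((label, sorted(expected), sorted(actual)))
    return deviations


def loose_control(txn):
    """Same routine with a mis-set range parameter, to show what a deviation looks like."""
    return validate_disbursement(txn, gl_range=(5000, 6999))


if __name__ == "__main__":
    print("as designed:   ", run_test_deck(validate_disbursement))
    print("mis-configured:", run_test_deck(loose_control))
```

The boundary records (amount exactly at the limit, account at the top of the range) are the ones that catch an off-by-one or mis-set parameter; records well inside or well outside the limits would pass either version of the control.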

Using Computer-Assisted Audit Software to Facilitate Testing

Some audit software is proprietary, being owned by a specific audit firm. However, various packages can be purchased and are widely used by many firms. ACL, short for Audit Command Language, is a popular and widely used audit software package.

An important audit step performed by audit software is to examine the data for unusual transactions, errors, and unauthorized transactions.

Appendix A

APPENDIX B: STATISTICAL TECHNIQUES AND TESTS OF CONTROLS

Specific steps and an example of how they can be applied to a control test for cash disbursements follow:

1. Determine the objective of the audit procedure.

2. Define the population to be sampled.

3. Specify the item that is to be selected.

4. Define the characteristic the auditor wants to examine.

5. Design the test of the control.

6. Determine the sample size.

7. Perform the audit procedures and document the results.

8. Calculate the rate of deviation found in the sample and the upper deviation rate.

9. Form final conclusions about the results.

Appendix B
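Steps 6 to 9 above, together with the three planning decisions described under "Sampling and ICFR Testing" and random selection by document number, worked through as an added example that is not from the chapter. It goes beyond the slides by computing sample size and upper deviation rate from the exact binomial distribution, a standard basis for attribute-sampling tables; the risk levels, voucher number range and deviation counts are constructed.

```python
# Added example (not from the chapter). Uses the exact binomial distribution;
# all planning inputs, document numbers and results are constructed.
import math
import random


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): chance of seeing k or fewer deviations."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))


def sample_size(risk, tolerable_rate, expected_rate, n_max=5000):
    """Step 6: smallest n whose allowed deviations keep the risk of concluding
    the control is effective when it is not at or below `risk`."""
    for n in range(1, n_max + 1):
        allowed = math.ceil(round(n * expected_rate, 9))  # round() guards float noise
        if binom_cdf(allowed, n, tolerable_rate) <= risk:
            return n, allowed
    raise ValueError("no sample size up to n_max meets the parameters")


def select_items(first_doc, last_doc, n, seed):
    """Random selection by document number; recording the seed in the
    workpapers lets a reviewer reproduce the selection."""
    rng = random.Random(seed)
    return sorted(rng.sample(range(first_doc, last_doc + 1), n))


def upper_deviation_rate(n, deviations, risk):
    """Step 8: rate p at which P(X <= deviations) falls to `risk` (bisection)."""
    if deviations >= n:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate(n, deviations, risk, tolerable_rate):
    """Steps 8-9: sample deviation rate, upper deviation rate, and conclusion."""
    upper = upper_deviation_rate(n, deviations, risk)
    return {"sample_rate": deviations / n,
            "upper_rate": upper,
            "supports_reliance": upper <= tolerable_rate}


if __name__ == "__main__":
    RISK, TOLERABLE, EXPECTED = 0.05, 0.05, 0.01   # the three planning decisions
    n, allowed = sample_size(RISK, TOLERABLE, EXPECTED)
    vouchers = select_items(20001, 24800, n, seed=2011)  # constructed voucher range
    print(f"test {n} vouchers, {allowed} deviation(s) allowed; first five: {vouchers[:5]}")
    for found in (1, 2):                           # constructed test results
        print(found, "deviation(s):", evaluate(n, found, RISK, TOLERABLE))
```

With these inputs one deviation keeps the upper deviation rate just under the tolerable rate, while a second deviation pushes it above, which is the quantitative side of deciding whether a deviation rate is high enough to be a control deficiency.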

Review Question

Which of the following types of evidence provides the least assurance regarding the effective operations of ICFR?

(a) Confirmations of accounts receivable

(b) Computer logs documenting attempts at unauthorized access to the system

(c) Documents containing initials of the person authorizing the transaction being examined

(d) Oral responses to auditor inquiry during walkthroughs

Review Question

The operating effectiveness of controls that are intended to prevent fraud is:

(a) tested based on the initial plan drafted immediately after client acceptance.

(b) tested as a result of the information on fraud risk obtained from the internal audit staff.

(c) tested, and results are used as one source of information for the auditor’s assessment of fraud risk.

(d) will not likely affect subsequent audit procedures that have already been planned.

Review Question

When the auditor identifies a material misstatement in the financial statements in the current period that would not have been identified by the company’s ICFR,

(a) a material weakness in ICFR exists.

(b) the deficiency should be evaluated to determine whether it is a deficiency.

(c) the situation should be regarded as an indicator of a material weakness in ICFR.

(d) the auditor should reconsider whether the financial statement misstatement is actually material.

Copyright

“Copyright © 2011 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.”