b.
11-2. In assessing control risk for an assertion, the auditor should perform the following five
steps:
1. Consider knowledge acquired from procedures to obtain an understanding about
whether controls pertaining to the assertion have been designed and placed in
operation by the entity's management.
2. Identify the potential misstatements that could occur in the entity's assertion.
3. Identify the necessary controls that would likely prevent or detect the misstatements.
4. Perform tests of controls on the necessary controls to determine the effectiveness of
their design and operation.
5. Evaluate the evidence and make the assessment.
11-3. a.
b.
c.
11-4. a.
b.
Evidence obtained from tests of controls pertains to the effectiveness of the design
and/or operation of the control tested and may be used in making a final
assessment of control risk for an assertion.
11-5. When evaluating the significance of any deficiency in internal control the auditor should
consider the likelihood (frequency of deviations) and the magnitude of potential
misstatements. For example, when evaluating a deficiency in internal controls related to
revenue recognition, the auditor needs to evaluate the percentage of the time that the
control might fail (likelihood or probability) and the dollar amount of misstatement that
could happen when the control fails (magnitude or materiality). The auditor will
normally classify deficiencies as (1) deficiencies, (2) significant deficiencies, or (3)
material weaknesses depending on the likelihood and magnitude of potential
misstatements that might result from an internal control weakness.
11-6. a.
b.
Three strategies that the auditor might use when testing a system of internal
controls that use information technology include:
1. Assessing control risk based on user controls.
2. Planning for a low control risk assessment based on application controls.
3. Planning for a high control risk assessment based on general controls and
manual follow-up.
The auditor might assess control risk as low based on two of the three above
strategies, assuming that the evidence shows that the controls are effectively
designed and placed in operation. First the auditor can assess control risk as low
based on user controls, such as effective performance reviews by management.
Second, the auditor can assess control risk as low based on effective computer
application controls. This strategy also involves effective manual follow-up of
exceptions noted by application controls.
c.
The auditor can assess control risk as high based on evidence obtained about both
computer controls and manual follow-up procedures. The auditor may be able to
develop implications about the effective operation of application controls based
on inspection of exception reports and inquiries of those who follow up on
exception reports. However, the auditor must perform direct tests of application
controls in order to assess control risk below a high level.
11-7. a.
b.
Under the test data approach, dummy transactions are prepared by the auditor and
processed under auditor control by the client's computer program. This is often
performed during a time when the auditor can take full control over the client's
computer operations. In an integrated test facility approach the auditor does not
control computer operations and dummy transactions are processed
simultaneously with real transactions. This usually requires the creation of a small
subsystem (a mini-company) within the regular IT system. It may be
accomplished by creating dummy master files or appending dummy master
records to existing client files. Test data, specially coded to correspond to the
dummy master files, are introduced into the system together with actual
transactions.
b.
Inspection of documents,
reports, or electronic files,
indicating performance of the
control.
Reperformance of the
application of the control by
the auditor, including CAATS
11-13. a.
The timing of tests of controls relates to when the evidence was obtained and the
portion of the audit period to which it applies. For example, performing CAATs, such
as the use of test data, applies only to the point in time when the test was performed.
b.
When the auditor obtains evidential matter about the design or operation of
controls during an interim period, he or she should determine what additional
evidential matter should be obtained for the remaining period. Professional
standards suggest that the auditor should consider the following factors when
determining the evidence that needs to be obtained during the remaining period.
The significance of the assertion involved
The specific controls that were evaluated during the interim period
The degree to which the effective design and operation of those controls were
evaluated
The results of the tests of controls used to make that evaluation
The length of the remaining period
The evidential matter about design or operation that may result from the
substantive test performed in the remaining period.
The auditor should also obtain evidential matter about the nature and extent of
any significant changes in internal control, including its policies, procedures, and
personnel that occur subsequent to the interim period.
c.
The auditor of a private company may consider evidence about the effective
design or operation of internal controls obtained during prior audits in assessing
control risk in the current audit. Professional standards state that when evaluating
the use of evidence obtained in prior audits the auditor should consider:
The significance of the assertion involved.
The specific controls that were evaluated during the prior audits.
The degree to which the effective design and operation of those controls were
evaluated
The results of the tests of controls used to make those evaluations
The evidential matter about design or operation that may result from
substantive tests performed in the current audit.
The auditor should also consider that the longer the time elapsed since the
performance of tests of controls, the less assurance it may provide. Finally, the
auditor needs to evaluate evidence in the current period about whether changes
have occurred in internal control, including its policies, procedures, and
personnel, subsequent to the prior audits, as well as the nature and extent of any
such changes.
Evidence obtained in the prior period is not a substitute for evidence obtained in
the current period. After considering the factors that affect evidence obtained in
the prior period and evidence obtained about changes in the current period, the
evidence may support either increasing or decreasing the additional evidential
In general, the lower the planned assessed level of control risk, the greater the
extent of tests of controls.
Three factors bear on the auditor's decisions about tests of controls: (1) the nature
of the control, (2) the frequency of operation of the control, and (3) the
importance of the control.
With respect to the nature of the control the auditor should subject manual
controls to more extensive testing than automated controls. A single test of each
condition of a programmed control may be sufficient to obtain a high level of
assurance that the control operated effectively if general controls are also
operating effectively. However, manual controls usually require more extensive
testing. In general, as the level of complexity and the level of judgment in the
application of a control increase, the extent of the auditor's testing should also
increase. If the level of competency of the person performing the control
decreases, the extent of testing should also increase.
With respect to the frequency of operation of the control the more frequent the
operation of a manual control, the more operations of the control the auditor
should test. Controls that operate daily should be tested more extensively than
controls that operate monthly (account reconciliations), or quarterly (quarter end
reviews).
With respect to the importance of the control, controls that are more important
should be tested more extensively. Some controls, such as the control
environment or computer general controls, have a pervasive impact on other
controls and should be subjected to more extensive tests than controls that are less
important to the audit strategy.
11-15. It might be appropriate to use a computer audit specialist to evaluate computer general
controls and application controls. It might also be appropriate to bring in a health care
industry expert to evaluate the risk of incorrect Medicare billing, or a banking industry
expert to evaluate FDIC regulatory compliance.
Entry level staff usually have sufficient qualifications to evaluate internal controls over
routine transactions, such as sales, purchases, or payroll.
11-16. Dual-purpose tests occur when the auditor simultaneously performs tests of controls and
substantive tests of details of transactions to detect monetary errors on the same
transactions.
11-17. a.
For an account affected by a single transaction class, the control risk assessment
for a particular account balance assertion is the same as the control risk
assessment for the same transaction class assertion. Thus, control risk for the
existence or occurrence assertion for the sales account balance is the same as the
control risk assessment for the existence or occurrence assertion for the sales
transactions class. The actual control risk assessment is then compared with the
planned control risk assessment for the assertion. If the actual assessment is not
greater than the planned assessment for the assertion, the planned level of
substantive tests is supported.
b.
For an account affected by more than one transaction class (a balance sheet
account), the combined control risk assessment is based on the control risk
assessment for the transaction class assertions that increase the account balance
and the transaction class assertions that decrease the account balance. Thus,
control risk for the existence of accounts receivable is based on the combined
control risk assessments for the occurrence of sales and the completeness of cash
receipts transactions and the completeness of sales returns and allowance.
11-18. When the control risk assessments for the relevant transaction class assertions differ, the
auditor may (1) judgmentally weigh the significance of each assessment in arriving at a
combined assessment or (2) use the most conservative (highest) of the relevant
assessments. The assessment for each related transaction class assertion must be
considered because a misstatement in any of the relevant transaction class assertions
could produce a misstatement in the account balance assertion.
11-19. a.
b.
11-20. a.
b.
The requirements for documenting the assessed level of control risk are: (1)
control risk at maximum - only this conclusion needs to be documented; (2)
control risk below the maximum - the basis for the assessment must also be
documented.
In practice, documentation of the assessed level of control risk often takes the
form of narrative memoranda organized by financial statement assertions.
The auditor is required to identify and report to the audit committee, or other
entity personnel with equivalent authority and responsibility, certain conditions
that relate to an entity's system of internal control observed during an audit. In
particular, the auditor should report significant deficiencies or material
weaknesses in internal control.
Both significant deficiencies and material weaknesses have more than a remote
likelihood of occurrence. They differ in the magnitude of misstatement that might
result from the deficiency. The magnitude of misstatement in a significant
Comprehensive Questions
11-21. (Estimated time 30 minutes)
a.
An auditor may assess control risk at the maximum level for some or all
assertions because the auditor believes internal controls are unlikely to pertain to
an assertion, are unlikely to be effective, or because evaluating their effectiveness
would be inefficient.
b.
To support assessing control risk at less than the maximum level, an auditor must
determine whether internal controls are suitably designed to prevent or detect
material misstatements in specific financial statement assertions and obtain
evidence through tests of controls that the policies and procedures are operating
effectively.
c.
When seeking a further reduction in the planned assessed level of control risk, the
auditor should consider the likelihood that evidence can be obtained in a
cost-efficient manner to support a lower assessment.
d.
11-22. If the auditor wants to assess control risk at a low level, the auditor needs to put the
following combination of tests of controls together to have compelling evidence that the
programmed control functioned effectively throughout the period.
The auditor needs evidence to support the conclusion that computer general
controls are effective.
The auditor needs evidence from CAATs to conclude that the programmed control
is effectively matching sales invoices with underlying shipping information.
The auditor needs evidence that items that appear on exception reports are
followed-up upon and corrected on a timely basis.
c. Making an initial
assessment
of control risk
d. Performing
additional or
planned tests of
controls
e. Making a final
assessment of
control risk
f. Documenting the
control risk
assessment
b. Performing
concurrent tests of
controls
Designing substantive
tests
Category of
General Controls
Possible Misstatement
procedural
6. Organization and
operation
7. Systems
development and
documentation
8. Access
group.
Observe segregation of duties
between user departments and IT.
Examine evidence of
independent check of proper
authorization, testing, and
documentation.
Use of a library, librarian, and logs
to restrict access and
monitor usage.
9. Hardware and
systems software
10. Systems
Development and
documentation
11. Organization and
operation
12. Data and
procedural
Manual
2.
Computer and
manual follow-up.
3.
Manual.
Manual
4.
5.
6.
7.
Manual.
Computer
Computer or
check protection
machine.
8.
9.
a. Potential
Misstatements
b. Computer or
manual
control
Manual
Computer and
manual follow-up.
b. Computer or
manual
control
Both manual and
computer
Manual
Manual
Manual
3
4
5
6
7
10
Computer
Computer
Computer
Computer
Computer
Manual
2. Output
3. Processing
4. Processing
5. Output
6. Input
7. Processing
8 Input
9. Input
Control | Assertion
Computer generates prenumbered control over requisitions and purchase orders and checks numerical sequence. | Completeness
Computer compares account distribution on the voucher with account distribution on purchase requisition or purchase order. | Presentation and disclosure
Computer checks batch totals and run-to-run totals to ensure that all transactions are processed. | Completeness
Computer match of voucher information regarding vendor, type of good, quantity of goods, and dollar amount against authorized purchase order and receiving report. | Valuation and allocation
Computer checks for a valid purchase order in order to initiate receiving report. | Existence and occurrence
Computer verification of employee authorization code to enter requisition or purchase order. | Existence and occurrence
Computer performs limit test on requisitions and purchase orders. Necessary approvals tied to limit test. | Valuation and allocation
Computer checks the mathematical accuracy of the voucher and supporting documents. | Valuation and allocation
c.
The CPA would decide to audit "through" the computer instead of "around" the
computer (1) when the computer applications become complex, or (2) when
transaction trails become partly obscured and external evidence is not available.
Auditing "around" the computer would be inappropriate and inefficient in the
examination of transactions when the major portion of the system of internal
control is embodied in the IT system. Auditing "around" the computer will also be
ineffective if the sample of transactions selected for auditing does not cover
unusual transactions that require special treatment.
1.
2.
d.
The auditor may use test data to gain a better understanding of what the
data processing system does, and to check its conformity to desired
objectives. Test data may be used to test the accuracy of programming by
comparing computer results with results predetermined manually. Test
data may also be used to determine whether or not errors can occur
without observation and thus test the application's ability to detect
noncompliance with prescribed procedures and methods. Assurance is
provided by the fact that if one transaction of a given type passes a test,
then all transactions containing the identical test characteristics will, if the
appropriate control features are functioning, pass the same test.
Accordingly, the volume of test transactions of a given type is not
important. However, the auditor does need to test computer general
controls to gain assurance that the program operates consistently over
time.
In addition to actually observing the processing of data by the client, the auditor
can be satisfied that the computer programs presented are actually being used by
the client to process its accounting data by requesting the program on a surprise
basis from the IT librarian and using it to process test data.
The CPA may also request on a surprise basis that the program be left in the computer at the
completion of processing so that he or she may use the program to process test data. This
procedure may reveal computer operator intervention, as well as assuring that a current version
of the program is being tested. This is an especially important consideration in newly organized
computer systems undergoing many program changes. To gain further assurance about this
matter, the CPA should inquire into the client's procedures and controls for making program
changes and erasing superseded programs, and should examine logs showing programs used
when available.
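The test data approach described above, as an added example that is not part of the original solution: one dummy transaction per condition, each with a manually predetermined result, is run through the program and any deviation is listed. The program, teller codes, amounts and result codes are constructed stand-ins; the limit test follows the withdrawal-versus-balance rule mentioned in 11-30.

```python
from dataclasses import dataclass

# Constructed sample values: teller codes the program should accept.
AUTHORIZED_TELLERS = {"T01", "T02"}

# Every result the program can produce; the deck should exercise each one.
ALL_OUTCOMES = {"POSTED", "REJECT_AUTH", "REJECT_AMOUNT", "REJECT_LIMIT"}


def client_program(balance, amount, teller):
    """Hypothetical stand-in for the client's withdrawal program."""
    if teller not in AUTHORIZED_TELLERS:
        return "REJECT_AUTH"       # authorization code check
    if amount <= 0:
        return "REJECT_AMOUNT"     # validity check on the input field
    if amount > balance:
        return "REJECT_LIMIT"      # limit test: withdrawal must not exceed balance
    return "POSTED"


def patched_program(balance, amount, teller):
    """Same program after an undocumented change that dropped the limit test."""
    if teller not in AUTHORIZED_TELLERS:
        return "REJECT_AUTH"
    if amount <= 0:
        return "REJECT_AMOUNT"
    return "POSTED"


@dataclass(frozen=True)
class DummyTransaction:
    condition: str   # what this transaction is meant to exercise
    balance: int     # account balance in cents
    amount: int      # withdrawal amount in cents
    teller: str
    expected: str    # result predetermined manually by the auditor


# Constructed test deck: one transaction per condition, boundary included.
TEST_DECK = [
    DummyTransaction("valid withdrawal", 50000, 20000, "T01", "POSTED"),
    DummyTransaction("withdrawal equals balance", 50000, 50000, "T01", "POSTED"),
    DummyTransaction("withdrawal exceeds balance", 50000, 50001, "T02", "REJECT_LIMIT"),
    DummyTransaction("unauthorized teller code", 50000, 100, "T99", "REJECT_AUTH"),
    DummyTransaction("zero amount", 50000, 0, "T01", "REJECT_AMOUNT"),
    DummyTransaction("negative amount", 50000, -100, "T01", "REJECT_AMOUNT"),
]


def uncovered_outcomes(deck):
    """Outcomes that no dummy transaction expects, i.e. untested conditions."""
    return ALL_OUTCOMES - {tx.expected for tx in deck}


def run_test_deck(program, deck):
    """Process the deck and return (condition, expected, actual) deviations."""
    deviations = []
    for tx in deck:
        actual = program(tx.balance, tx.amount, tx.teller)
        if actual != tx.expected:
            deviations.append((tx.condition, tx.expected, actual))
    return deviations


if __name__ == "__main__":
    print("untested outcomes:", uncovered_outcomes(TEST_DECK))
    for name, program in (("client", client_program), ("patched", patched_program)):
        print(name, "deviations:", run_test_deck(program, TEST_DECK))
```

A clean run only speaks for the program version that processed the deck, which is why the surrounding answer pairs test data with evidence about program changes and general controls.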
11-30. (Estimated Time 30 minutes)
a.
b.
Computer file security should be provided to assure that entries are not made
to the accounts except during normal processing periods.
The internal controls which should be in effect pertaining to matters other than
information input are as follows:
Account balances should be backed-up or printed at regular intervals to
provide for record reconstruction and testing.
Limit tests should be included in the computer program to permit ready
identification of obvious exceptions, e.g., a withdrawal from an account
should not exceed the balance on deposit in the account.
The internal audit staff should have the responsibility for testing accounts and
transactions and checking error listings. Adjustments to the accounts proposed
by the internal audit staff should first be approved by a responsible official
and then be recorded in the normal manner so as to provide proper segregation
of work.
Account balance printouts and transaction records necessary to reconstruct the
accounts should be maintained in a separate location from the computer file
storage as a precaution against simultaneous destruction.
There should be provision for continued operation to avoid a time loss in case
of computer failure, e.g., each terminal should have mechanical registers in
addition to the computer's electronic registers.
Security should be provided at each terminal to assure that certain operations
could be initiated only by authorized personnel.
Back-up / auxiliary power source to allow orderly shutdown in the event of a
loss of electrical power.
Account
Cash
Accounts
receivable
Accounts
payable
Sales
(1)
Low (6)
Moderate (10)
Low (3)
Low (7)
Low (11)
Low (4)
Low (8)
Low (12)
(1) This is the most conservative of the control risk assessments for occurrence of cash receipts
(low) and the completeness of cash disbursements (low).
(2) This is the most conservative of the control risk assessments for occurrence of credit sales
(low), the completeness of cash receipts (moderate), and the completeness of sales returns
and allowances (moderate).
(3) This is the most conservative of the control risk assessments for occurrence of purchases
(low), the completeness of cash disbursements (low), and the completeness of purchase
returns (moderate).
(4) This is just the control risk assessment for the occurrence of credit sales (low).
(5) This is the most conservative of the control risk assessments for the completeness of cash
receipts (moderate), and the occurrence of cash disbursements (low).
(6) This is the most conservative of the control risk assessments for the completeness of credit
sales (low), the occurrence of cash receipts (low) and the occurrence of sales returns and
allowance (low).
(7) This is the most conservative of the control risk assessments for the completeness of
purchases (low), the occurrence of cash disbursements (low) and the occurrence of purchase
returns (low).
(8) This is just the control risk assessment for the completeness of credit sales (low).
(9) This is the most conservative combination of the valuation or allocation assertions for cash
receipts (low) and cash disbursements (low).
(10) This is the most conservative combination of the valuation or allocation assertions for credit
sales (low), cash receipts (low), and sales returns (moderate).
(11) This is the most conservative combination of the valuation or allocation assertions for
purchases (low), cash disbursements (low), and purchases returns (low).
(12) This is just the control risk assessment for the valuation of credit sales (low).
Cases
11-32. (Estimated Time - 50 minutes)
a.
Controller
DP Manager
Data Entry
System Analysis
Programming; Operations
b.
1.
2.
Weakness
Organization and operation
The EDP manager reports to a significant
user department.
There is improper segregation of
functions between programming and
computer operations.
There is no data control group.
Systems development and
documentation controls
Program documentation is inadequate.
An operator's manual is not provided.
Operators can change programs.
User department is not involved in the
design or approval of new systems.
Undocumented "patch" changes are
made in programs by a programmer.
3.
4.
4.
5.
Recommended Improvement
EDP manager should report to president or
some other nonuser officer.
Programming and computer operations
should be separated.
A data control group should be established.
b.
Weakness
procedures when they encounter
difficulties.
No back-up equipment is provided.
There is no definite retention plan.
There is no provision for a data control
group to monitor EDP activity.
6.
Input Controls
There apparently are no controls over
input data.
No mention is made of controls over
conversion of input data into machine-readable form.
No provision seems to be made for
resubmission of incorrect data.
7.
Processing Controls
Tapes are not adequately labeled.
No provision appears to be made for
control totals and limit and
reasonableness tests.
8.
Output Controls
There is no control
over the distribution
of output.
A report distribution sheet is not
maintained.
Recommended Improvement
approved by a supervisor or the EDP
manager.
Back-up equipment should be provided at
another location and the capability of such
equipment should be tested periodically.
A definite plan, such as the grandfather-father-son, should be implemented.
A data control group should be established.
11-33. See separate file with answers to the comprehensive case related to the audit of Mt. Hood
Furniture that is included with this chapter.
Professional Simulation
Research
program are not made without being subject to the appropriate program change controls, that the
authorized version of the program is used for processing transactions, and that other relevant
general controls are effective. Such tests also might include determining that changes to the
programs have not been made, as may be the case when the entity uses packaged software
applications without modifying or maintaining them.
.79
To test automated controls, the auditor may need to use techniques that are different from
those used to test manual controls. For example, computer-assisted audit techniques may be used
to test automated controls or data related to assertions. Also, the auditor may use other automated
tools or reports produced by IT to test the operating effectiveness of general controls, such as
program change controls, access controls, and system software controls. The auditor should
consider whether specialized skills are needed to design and perform such tests of controls.
Internal Control Deficiencies
What is the auditor's responsibility for identifying significant deficiencies in internal control as
part of a financial statement audit? Compare and contrast the likelihood that the auditor will
identify significant deficiencies in audit areas where the auditor follows a lower assessed level of
control risk approach vs. audit areas where you follow a primarily substantive approach.
[Authors' Note: This question requires that students not only read the professional standards but
apply them to a particular setting. The professional standards do not specifically address various
audit strategies. In this question the student must interpret and apply his or her understanding of
the professional standards to two differing audit strategies.]
AU 325.04 states that the auditor's objective in an audit of financial statements is to form an
opinion on the entity's financial statements taken as a whole. The auditor is not obligated to
search for reportable conditions. However, the auditor may become aware of possible reportable
conditions through consideration of the components of internal control, application of audit
procedures to balances and transactions, or otherwise during the course of the audit. The auditor's
awareness of reportable conditions varies with each audit and is influenced by the nature, timing,
and extent of audit procedures and numerous other factors, such as an entity's size, its
complexity, and the nature and diversity of its business activities.
If the auditor is planning a lower assessed level of control risk approach the auditor will probably
obtain a more in depth understanding of control activities and the auditor will perform tests of
the operating effectiveness of various control activities. As a result, more information may come
to the auditor's attention about the significant deficiencies in the operating effectiveness of
various aspects of the system of internal control.
If the auditor is planning a primarily substantive approach, the auditor may not study the system
of internal control in the same depth, particularly with respect to control activities. However, the
auditor still needs a sufficient understanding of the design of the system to plan the audit. This
will usually include some level of system walk through. This process will often identify
deficiencies in the design of the system of internal control. Further, the auditor's substantive
tests may reveal misstatements in the accounting records. These tests may also lead the auditor to
discover significant deficiencies in the system of internal control.
However, under these two audit approaches, the nature, timing and extent of the audit procedures
differ. As a result, the likelihood of significant deficiencies coming to the auditor's attention may
also differ particularly when the auditor has not tested the operating effectiveness of the system
of internal control (e.g., when following a primarily substantive approach).
Communication
Date
George Alpha
Alpha Corporation
Address
Dear Mr. Alpha,
In planning and performing our audit of the financial statements of the Alpha Corporation for the
year ended December 31, 20XX, we considered its internal control in order to determine our
auditing procedures for the purpose of expressing our opinion on the financial statements and not
to provide assurance on the internal control. However, we noted certain matters involving the
internal control and its operation that we consider to be reportable conditions under standards
established by the American Institute of Certified Public Accountants. Reportable conditions
involve matters coming to our attention relating to significant deficiencies in the design or
operation of the internal control that, in our judgment, could adversely affect the organization's
ability to initiate, record, process, and report financial data consistent with the assertions of
management in the financial statements.
Expenditures and Accounts Payable
Issue
As part of a strong system of internal control there should be appropriate systems to ensure that
all goods ordered are received, and that liabilities are recorded in the correct accounting period
for all goods received. This ensures that all appropriate liabilities are recorded.
Findings
When performing a system walk through we did not find controls to ensure that all goods
ordered are received, or that goods received are recorded as accounts payable in the proper
period.
Recommendation
We suggest that the company establish internal controls to ensure that liabilities are recorded for
all goods received. For example, you can have the following controls programmed into the new
automated system for expenditures.
A report should be generated on a regular basis of all purchase orders that have not yet
been matched with a receiving report. Someone who will use the goods ordered should
regularly follow up on the items that appear on these reports to determine why ordered
goods are not received.
A report should be generated on a regular basis of all receiving reports that have not yet
been matched with a voucher. Someone in the accounts payable area should follow up
on items that appear on this report to ensure that all payables are recorded on a timely
basis.
This report is intended solely for the information and the use of the owners, management, and
others within Alpha Corporation and is not intended to be and should not be used by anyone
other than these specified parties.
Sincerely,
Signature