Chapter 9 - Control Risk Assessment Part 2 Flashcards

1
Q

What are application programming interfaces?

A

The glue that connects IoT devices to the company’s applications and dashboards so the data can be analyzed.

2
Q

What do IoT and API improve?

A
  1. Business processes
  2. Accounting system

They improve the quality and accuracy of the data.

3
Q

What is the impact of IoT and API on the accounting system?

A

Financial transactions from any department are automatically recorded in the ERP without human intervention, reducing input errors. They are also continuously being monitored, reducing the need for reconciliation.

4
Q

What is the impact of IoT and API on auditors?

A

Auditors cannot rely upon manual controls and must evaluate associated automated controls related to data from IoT, API, and the ERP, in addition to access controls and service providers in the processing of new e-commerce transactions.

5
Q

What is the idea behind smart contracts?

A

Allow for all kinds of transactions to be made automatically without third parties, such as banks, to verify the payments.

6
Q

What is a blockchain?

A

A distributed digital ledger to which certain computers, or nodes, are granted access.

7
Q

What is a smart contract?

A

Computer code running on top of a blockchain containing a set of rules by which the parties to the contract agree to interact with each other. When predefined rules are met, the agreement is automatic, with no human intervention.

8
Q

What is a benefit of the blockchain?

A

Fast and less expensive than traditional methods and it minimizes theft and fraud as no one person can alter the blockchain.

9
Q

What are disadvantages of the blockchain?

A

Can have errors in coding and in interpreting intended outcomes. Risks relating to handoffs.

10
Q

How will the blockchain and smart contracts alter the way in which auditors perform controls risk assessment? Why?

A
  • If it affects financial reporting, they need to understand the impact on the assessment of internal controls. Auditors must be concerned with the reliability, accuracy, and completeness of the data since blockchain can be unauthorized, fraudulent, illegal or involve related parties.
11
Q

What is the consensus mechanism and what is the impact? What does this assist in assessing?

A

Dictates how parties reach agreements on the transactions to be added to the blockchain. Allows the auditor to assess reliability and the ability to be manipulated or altered; look at the consensus algorithm attacks.

12
Q

What are the two situations where a test of controls is performed?

A
  1. When the auditor's assessment of RMM at the assertion level includes an expectation that controls are operating effectively.
  2. When substantive procedures cannot provide sufficient appropriate evidence.
13
Q

What is the purpose of the tests of controls?

A

The purpose of the test of controls is to determine and ensure that the control activities were working within the relevant period in preventing, detecting, and/or correcting misstatements. Unlike substantive testing, it does not look at the relevant assertions.

14
Q

Which controls do we test?

A

Performed only on the controls that are suitably designed to prevent or detect a material misstatement in a relevant assertion and the auditor plans to test those controls.

15
Q

What are the Three Characteristics of Effective Controls?

A
  1. Well designed (control design)
  2. In use (control implementation)
  3. Operate reliably throughout the period
16
Q

What are the 4 Types of Procedures used to test controls?

A
  1. Inquiry
  2. Inspection
  3. Observation
  4. Reperformance
17
Q

What are three considerations to designing the test of controls?

A
  1. How the control was applied at the relevant times during the period
  2. The consistency with which the controls were applied
  3. By whom (or by what means) the controls were applied
18
Q

What is the test data approach?

A

Reperformance of the control through processing the auditor’s test data on the client’s computer system and application program, including test data that the client’s control system should accept or reject, then comparing the actual output to the expected output to assess the effectiveness.

19
Q

What is generalized audit software (GAS)?

A

Programs designed specifically for auditing purposes, to perform data analytics that test the effectiveness of client controls for an entire population.

20
Q

What is the primary difference between the test of controls and the risk assessment procedures?

A

The extent to which procedures are performed. In risk assessment procedures, the auditor will examine one or two transactions or observe at one point in time. Controls tests are performed on large samples and observations are made at more than one time.

21
Q

Describe what is meant by the extent of controls tests.
- What type of procedures will they use?

A

To obtain sufficient appropriate evidence regarding the effectiveness, they will use a combination of procedures like inquiry with inspection or reperformance. The greater the reliance on the effectiveness of controls, the more persuasive the evidence.

22
Q

What are factors to consider whether more effective controls evidence is needed?

A
  1. Frequency of control operations - Manual or automated. The auditor will test year-end controls but also test a sample of controls that operate only monthly or quarterly.
  2. Expected rate of deviation
  3. Rotational Testing
  4. Evidence from Other Controls Tests
23
Q

What is the expected rate of deviation on manual controls and automated controls?

A

Manual controls - Since manual controls are performed by people, there may be manipulation. To test those controls they rely on sampling and selecting a sample of transactions to test whether the control is operating effectively.

Automated controls - Expected rate of deviation is low as long as the computer is programmed adequately. Thus the auditor may be able to assess only one transaction.

24
Q

What is rotational testing? What are the exceptions?

A

Test of controls must happen for each specific control once every 3 years (the three-year rule).

Exceptions: If a key control has been changed it will be assessed in the current year and a proportion of other controls must be tested in the current year. Significant risk controls must be tested every year.

25
Q

What are the impacts of changes in the IT system?

A

If an entire IT system or set of systems is changed, auditors must ensure that the new system's internal controls are documented and evaluated and an audit of the data conversion is performed.

26
Q

What is the conversion audit? What does it emphasize?

A

Occurs when the conversion controls are poor or not documented, substantive tests must be performed on the conversion process. It emphasizes accuracy and authorization of new master files, completeness and existence of data in those files, and cutoff transactions.

27
Q

What are the three parts to the conversion audit? What are its purposes?

A
  1. Tests comparing details from the new system with the old system - To verify that only accurate, authorized information has been established.
  2. Tests comparing details from the old system to those of the new system - To ensure accuracy and that no transactions are omitted.
  3. Cutoff Testing - To ensure that transactions are included in the proper system and have not been omitted.
28
Q

What are the auditor's responsibilities for reporting on internal control?

A

Required to communicate significant deficiencies and material weaknesses to those in charge of governance and management, audit committee or equivalent (board of directors or the owner-management).

29
Q

What is the internal control letter? What is included in the internal control letter?

  • What does the auditor do with these suggestions?
A

A letter or report from the auditor to the audit committee or senior management detailing significant control deficiencies. Includes - Description of the internal control deficiency, recommendation in the year-end report.

  • The auditor will have a discussion with the auditor and encourage them to implement the suggestions.
30
Q

What are management letters? What must the letter indicate?

A

This is made when auditors observe less significant internal-control-related matters, as well as opportunities for the client to make operational improvements.

It must indicate that it is a derivative report: while the purpose of the engagement was not to determine weaknesses in internal controls, such weaknesses were identified as a by-product of the audit.

31
Q

What are the rules for public firms that must report on internal controls?

What is the Canadian equivalent to the requirements of the USA?

Regarding the internal control rules, what is the responsibility of management and the responsibility of the auditors in Canada?

A

It is required by the Sarbanes-Oxley Act, which affects Canadian companies that are subsidiaries of American companies or that register securities for sale in the United States.

An audit of internal control over financial reporting that is integrated with an audit of the financial statements.

In Canada, management is required to provide an assessment of the internal controls, however the auditors are not required to do this.

32
Q

What is the difference between the internal controls assessment required by the Sarbanes-Oxley Act and financial statement audits?

A

For Sarbanes-Oxley, since the auditor is providing an opinion on the effectiveness of the internal controls that management has assessed, the auditor must understand and perform tests of controls for all significant account balances, transactions, disclosures, and related assertions. This is not necessarily required under the financial statement audit, where they must only test the controls that they are planning to rely on.

33
Q

What is the Internet of Things?

A

It is the concept of connecting all Wi-Fi-enabled devices to the internet, each other, other devices, and centralized computers.

34
Q

What is the impact of AI and Machine Learning in Audits?

A

It can help to identify patterns and trends, look for key terms, and use logical reasoning to detect fraud. Ultimately, auditors need to take this into account when performing their internal controls risk assessment.

35
Q

Provided below are the 7 types of functions that Generalized Audit Software does, briefly describe what they do:

A
  1. Verify extensions and footings - Verify the accuracy of the client's computations by calculating information independently.
  2. Examine records for quality, completeness, consistency, and correctness - Scan all records using specified criteria.
  3. Compare data on separate files - Determine that information in two or more data files agrees.
  4. Summarize or resequence data and do analysis - Change or aggregate the data.
  5. Select the audit sample - Select samples from electronic data.
  6. Generate confirmation requests - Pull data for sample items selected for confirmation testing.
  7. Compare data obtained through other audit procedures with company records - Compare machine-readable electronic data with audit evidence gathered manually, which is converted to machine-readable format.