Chapter 9 - Textbook Flashcards
What is a walk through?
It involves following a transaction from its origin through the entity’s information systems until it is recorded in the financial records by using the same documents and information technology as the entity’s personnel used.
What is a narrative?
A written description of a client internal controls.
What are the four parts of a narrative?
- The origin of every document and record in the system
- All processing that takes place
- The disposition of every document and record in the system
- Key controls (SPAID) relevant to the control risk assessment.
What is a flow chart?
A symbolic, diagrammatic representation of the clients documents and their sequential flow in the organization. Includes the same four characteristics are a narrative.
What are the two advantages of flow charts?
- Easier to read and easier to update
What is an internal control questionnaire?
Predesigned questionnaire that consist of a series of questions about the controls in each audit area, like the control environment, as a means of indicating to the auditor aspects of internal controls that may be inadequate.
What is the disadvantage of internal control questionnaires?
Their inability to provide an overview of the system.
What is the process of evaluating controls?
- Evaluate the design of controls
- Determine if the controls have been implemented.
- Evaluate the competence of the people carrying out the controls.
- Evaluate the adequacy of information technology
What are strong controls?
Controls that are effective at minimizing the risk of material misstatement for significant classes of transactions, account balances, disclosures and relevant assertions.
What are the two considerations on whether to rely on controls?
- Will tests of controls improve audit efficiency
- Is it necessary to perform the test of controls because transactions are highly automated transactions.
Describe tests of controls improve audit efficiency
If the audit can be done in an interim period instead, can change the nature of the audit evidence, or change the substantive testing required
Describe the tests of controls for highly automated procedures.
There are no audit trails and no way to obtain substantive audit evidence, must rely on the general controls related to processing transactions.
What is a control deficiency?
The design or operation of controls do not detect and correct misstatements on a timely basis.
What is a design deficiency?
A necessary control is missing or not properly designed.
What is an operation deficiency?
A well designed control does not operate as designed or if the person performing the control is in sufficiently qualified or authorized.
What is significant deficiency?
Exists if one or a combination of control deficiencies exist, such that, in the auditors professional judgement are sufficient to merit the attention of those with governance.
What is a material weakness?
Exists if a significant deficiency, by itself or in combination with other significant deficiencies, results in a reasonable probability that internal controls will not prevent or detect material misstatements in a timely basis.
Four Circumstances that Indicate Significant Control Deficiency
- Fraud
- Uncorrected misstatements from previous audits
- Managements failure to respond to significant risk
- Restatement of previously issued financial statements
Describe the evaluating control deficiency matrix
Along the horizontal line it is the likelihood (Remote on the left and reasonably probable on the right)
Along the vertical line we assess significance with material at the top and immaterial at the bottom
If it is both reasonably possible and material than it is a material weakness.
What is a compensating (or mitigating) control?
It is a control elsewhere in the system that offsets a weakness.
What are the two considerations in evaluating the design of a control activity?
- Whether the control activity addresses the identified risk of fraud and / or error (the what can go wrong)
- Whether the control activity addresses the related assertion.
What are the 4 control activities managers are mandated to assess?
- Controls that address significant risk (automated or manual)
- Controls over journal entires
- Controls for which the auditor plans to test operating effectiveness
- Controls related too reconciling detailed records to the general ledger.
What are key controls?
Controls that would be most effective or have the greatest impact on reducing misstatements in the control matrix.
What are some guidelines regarding the effectiveness of control activities.
- Automated controls are more effective than manual
- Simple controls (one step one calculation) more effective than complex controls (many steps and many calculations)
- Control is performed by an experienced person in a position of responsibility vs control is performed by a junior less experienced person.
- Preventive control vs detective control
- One in a group of overlapping control vs a single control
- Detailed transaction level control vs high level control
- Control performed on each occurrence vs control performed on a sample basis.
- Ccntrol occurs as the transactions takes place or is processed vs controls are performed after the transaction occurs.
What are the type 1 and type 2 reports of service auditors?
- Type 1 - A report on managements description of a service organizations system and the suitability of the design of controls
Type 2 - A report on managements system description of a service organizations system and the sustainability of the design and operating effectiveness of controls.
What is the auditors responsibility relating controls and 3rd party service providers to the client?
Need to obtain an understanding and test the service centres controls ion the service centres application involves processing significant financial data. Their understanding depends on the complexity of the system, and the extent to which the control is relied upon to reduce the control risk.m
What is a Service Audit Report?
Service organizations perform controls for multiple customers and provide an independent service auditor report that includes results from a test of controls. To provide guidance and uniformity in the way service providers disclose their control activities and processes to their customers and the entity’s auditors.
What is the purpose of SAR?
Provide service centre customers with reasonable assurance about the adequacy of the service centres general and application controls, eliminating the need for redundant audit by customers auditors.
What are the 5 things that IT specialists do?
- Document and assess the IT control environment
- Test general controls
- Document and assess key automated controls
- Develop automated tools and techniques to test controls and to perform substantive tests
- Develop IT control weakness and develop recommendations.
What is the substantive approach? Why would they select this alternative?
This means that the auditor will perform only substantive procedures. This alternative is selected if the controls are ineffective in reducing material misstatement risk at the assertion level or it is not efficient to perform the test of controls.
Why do we perform test of controls if auditors have already made a preliminary control risk assessment?
The assessment was based upon evidence gathered through risk assessment procedures, which are not extensive enough to provide the persuasive evidence needed to conclude on the effectiveness of internal controls.
Why may auditors choose to perform a test of controls over substantive procedures
It may be more cost-efficient as tests of controls used smaller sample sizes.
Controls are tested on a rotational basis (provided they are tested once every three years)
What is the internet of things?
Concept of connecting any wifi enabled device (everyday objects like a coffee maker or furnace) to the internet, each other, other devices, and centralized computers.
What is the application programming interfaces (API)
