Evaluate, Test and Report 2(a)-2(c) Flashcards
Describe the IT Audit Process:
(1) Plan audit or review
(2) Gain understanding of Entity Environment, related controls, including IT
(a) Risk Assessment
(b) Design FAP
(c) Execute FAP
(d) Use prof. judgment to determine if audit or review objectives satisfactorily met
- If not, return to Phase 1 to Plan
(3) Reporting
(a) Evaluate audit findings, evidence and control deficiencies
When should Controls be tested?
(1) When required by law (SOX)
(2) When no paper audit trail exists (EDI)
(3) When substantive procedures alone do not provide sufficient audit evidence (high volume of routine transactions)
Planning for Tests of Controls (ToC) for Application Controls is reliant upon what 3 factors:
(1) ToC can ONLY be conducted if relevant ITGCs are reliable
(2) ToC must be related to audit objectives
(3) The objective is operational effectiveness, not simply appropriate design of control or implementation of control
What is an approach to determine benefits of testing Application Controls vs. Manual Substantive Procedures?
- Look for overlaps (the key to audit/review efficiency and effectiveness)
- Overlap scenario is when audit objective and control objective are the same
- Ex: If the audit objective is to gain assurance that disbursements are properly approved, an automated control's purpose is to ensure all disbursements are properly approved, and ITGCs are reliable, then the audit gains efficiency by employing ToC over the set of approval controls
- If ToC results indicate the automated control is reliable, then manual substantive procedures can be reduced substantially by relying on the automated control and reducing the scope of substantive procedures by increasing the cutoff or reducing the sample size.
Describe Factors to Application Control Testing:
- Purpose is to gain assurance that testing of apps follows proper procedures and employs adequate controls to ensure minimal errors, fraud or operational problems in deploying new or revised apps
- CITP performs app testing by:
(1) Interviewing key personnel and asking about testing processes
(2) Reviewing relevant docs (end user acceptance report)
(3) Observing processes in operations - Observation useful in staging or project mgmt meetings.
- Should follow SDLC guidelines for customized code:
(1) IT function should have QA testing where independent party in IT function tests app
(2) App tested by end users and internal sponsor
(3) End user acceptance agreement signed to provide evidence app was properly tested by end users
(4) Integration Testing: App interfaced to all potential apps and modules w/in a staging area, in entity’s system, offline, and tested for integration errors
Describe Factors to System Testing:
- Follows Application Testing
- Proceeds to integrate w/ relevant financial reporting or accounting apps or systems, all the way to GL
- Include enterprise test new or revised system integrated w/ all components of enterprise system
- Bc of increased risk, system testing usually includes “war room” approach to switch over from old to new (including major revised) system
- Staging area is good to centralize switch over and prepare for any integration or app failures
What is the primary strategy in “Gathering Evidence”?
- To reduce audit risk to sufficiently low level, and provide sufficient evidence for various audit objectives
- Evidence must be gathered for each relevant assertion of each material acct balance or class of transactions or disclosure in financial audit
What is the “Power of the Tests”?
- In RBA, one driving factor behind evidence gathering
- The “Power of the Tests” used to gather evidence must be aligned w/ the level of assessed risk to audit objective (the specific assertion(s) of material acct balance)
- The higher the assessed level of risk, the more powerful the test required in order to gather sufficient evidence
Name 4 methodologies for Statistical Sampling:
ADCP
(1) Attribute sampling
(2) Discovery sampling
(3) Classical variables sampling (CVS)
(4) Probability-Proportional-to-Size Sampling (PPS)
What is Attribute Sampling?
- A Statistical Sampling method
- Estimates rate of occurrence of certain characteristics in a population
- Useful for examining deviations in performance of control and useful in ToC
- Any failure of control treated as deviation
What is Discovery Sampling?
- A Statistical Sampling method
- ID a small number of critical deviations or exceptions in the population
- If detect at least 1 deviation in sample, auditor must examine entire population
- Used to detect fraudulent transactions
What is Classical Variables Sampling (CVS)?
- A Statistical Sampling method
- Estimate numerical quantity, like dollar balance of an acct
- Used by auditors to perform substantive tests
- CVS includes mean-per-unit estimation, ratio estimation and difference estimation
- CVS is useful in confirming accts like AR
What is Probability-Proportional-to-Size Sampling (PPS)?
- A Statistical Sampling method
- Estimates total dollar amt of misstatement in a population
- PPS uses dollar-unit sampling or monetary unit sampling (MUS)
- In PPS, the higher the dollar value of a transaction, the more likely it is to be included in the sample
- MUS is often used in fraud detection
What is a “Directed Sample”?
- A sampling approach
- Sampler determines sample size based on prof. judgment.
- Ex: If table suggests sample size of 66, sampler may choose to add cutoff factor of all transactions above certain figure
- Sampler may use prof. judgment to reduce the sample size of 66 if ToC proved reliable, where the assumption is a low risk of deviations or misstatements bc ToC are reliable
What is Sample Size determined by?
- Sample size is determined by:
(1) Population Size
(2) Deviation (error) rate
(3) Statistical methodology - Tables created to assist IT auditor in determining sample size
- The larger the sample size, the more transactions are examined and the greater the probability that anomalies or exceptions are found