Module 17 Flashcards
Three components of internal control assessed at planning stages
Control environment
Risk assessment procedures
Monitoring of controls
Components of internal control systems identified at the planning stage
Information systems
Control activities
Auditor must gain understanding of control activities in place relevant to the audit which they deem necessary to understand (2)
- Risk of material misstatement at the assertion level
- Significant risks identified
Tabs
Brown
Auditors understanding of ITGC should be documented as (4)
1) Understanding of ITGC
2) Procedures to evaluate design and implementation and operating effectiveness of controls
3) Deficiencies
4) Conclusion on relevant audit assertions
If the information system is very manual
Higher risk of human error
If the IT system is highly complex
May make it more risky
Additional risks of IT systems: (4)
- IT system is very manual
- Complex IT system
- New IT system
- Increased risk profile of transactions
Audit of IT may require (unless simple ITGCs)
IT Specialists
Understanding of IT control activities within a process can be gained through (3)
- Discussion with activity owners
- Reviewing procedural manuals
- Confirming procedures documented in PY audit file
Variety of methods to document cycles (3)
- Flowcharts
- Narrative notes
- Checklists
Impact of weak control environment/ monitoring (2)
Controls less likely to be designed well or operating consistently
Weaknesses likely to affect number of systems therefore number of areas in FS
Impact of weak risk assessment procedures
May indicate inefficiencies in control system (controls not addressing nature of risks)
Increases likelihood of those risks occurring
Impact of weak information systems
Potential for override of controls
Impact of weak ITGC
Potential for transactions being processed through system incorrectly Eg if no passwords - no segregation of duties
Once system has been documented
Walkthrough test should be completed to confirm if understanding is correct
Walkthrough test =
When one or more transactions is followed through system from initiation through to reporting and settlement
Testing operation of controls is necessary to obtain audit evidence regarding the existence and effectiveness of internal control system at: (3)
- Mitigating risks
- Preventing material misstatements
- Detecting and correcting material misstatements
In combination with enquiry, other procedures to test controls are (3)
- Inspect
- Observe
- Reperforn
Must test control in operation
Throughout the whole period particularly high risk periods eg holidays
Each testing technique has different level of (2)
- Relevance
- Reliability
Two areas where CAATs/ analytics can be used
- Test data techniques
- Audit data analytics
Test data techniques used to
Verify proper operation of computer processes and controls built into computer programs
Test data
Set of fictitious transactions which are inputted into the system to verify the correct operation of the system
Test data can be applied to either
Live or dead system
Weakness of test data techniques
Test the operation of controls at a single point in time
Examples of ADAs (audit data analytics) (6)
- Re-performing
- Matching transactions
- Review for missing items eg sequentially numbered
- Identifying breach or management override of control activities
- Testing interfaces
- Assisting in segregation of duties testing
In comparison to test data, ADAs provide
Greater coverage over relevant reporting period as they can assess and analyse much larger volumes of information
Routine transactions - risk of misstatement
Lower - more predictable
When documenting control test ensure word it to include (3)
- Technique (eg inspect)
- What you are looking at (eg sample)
- What you are looking for (eg signature)
Inventory counts ISA
ISA 501
Considerations of completeness and existence of inventory (7)
- Reliability of inventory systems
- Timing of physical inventory counts relative to YE
- Location of inventory
- Physical controls eg over theft
- Nature of inventory
- Degree of fluctuations of inventory levels
- Difficulty in assessing quantity
Considerations of RoMM in completeness and existence of inventory as a result of fraud (4)
- False sales raised relating to inventory being moved to another location rather than delivered to customers
- Appearance of inventory altered so appears higher value/ quantity
- Estimation techniques inappropriate
- Inventory count records altered
Perpetual inventory counts assessment
Reviewing procedures used during the year (including attendance of one or more of perpetual counts)
If differences in perpetual counts vs inventory system
Consider asking the client to perform a full year end count
Attendance at perpetual count by the auditor will be to perform
Compliance tests only
Where controls have been found to be absent, designed ineffectively or are not operating throughout the period
Auditor must conclude there should be no or limited reliance placed on these controls, therefore largely substantive approach
How to communicate control findings to TCWG
Management letter should be sent to TCWG detailing the control failure, weakness or absence
