Module 17: System and control procedures Flashcards
Systems and control analysis
After acceptance and planning, next stage = systems and control analysis
Use of internal control systems by auditors
- Control systems - IDENTIFY, UNDERSTAND, document, update risk assessment
- Walkthrough
- Identify KEY controls
- Assess control DESIGN
- 1 Control NOT designed effectively => do NOT rely/test controls AND raise in MGMT LETTER
- 2 Controls DESIGNED effectively => test control operation
- 2.1 Controls operating effectively => sub testing REDUCED
- 2.2 Controls operating INeffectively => INCREASE substantive testing
Examples of controls that may be in place over sig risk areas:
- review of assumptions used in estimates
- use of experts
- formal procedures for estimates
- approval of estimates by TCWG
ITGC Manual controls
- authorisation
- reconciliations
ITGC Automated controls
- record transactions electronically (replacing paper docs)
- most prevalent in financial institutions
ITGC: Combination of manual/automated controls
- manual review/reconciliation of exception reports
ITGCs: the auditor's understanding and testing of ITGCs should be documented as follows:
- Understanding of the ITGC
- Procedures to EVALUATE the D&I and operating effectiveness of controls
- Deficiencies
- Conclusion on relevant audit assertions
APOC
- Access to programs and data
- Program development and changes
- Computer operations
- Continuity of operations
Risk assessment of IT systems: additional auditor considerations
Additional risks associated with information systems:
- info system V MANUAL => INCREASED risk of human error
- COMPLEX IT systems use HIGH LEVEL OF INTEGRATION with other systems => auditor to consider the use of IT and how this affects the risk in the system
- NEW IT system/process => INCREASED risk of error due to new procedures and associated risks from new IT system
- INCREASED RISK PROFILE of the transaction e.g. risk of cash sales being misappropriated
ITGC Test - involvement of specialists
IT specialists should be involved in the review of the ITGC environment where there is a COMPLEX IT system that the auditor wishes to rely on.
Access to programs and data: examples of audit procedures to test the design & operating effectiveness
- obtain user listing from system and inspect listing to determine if any generic usernames or sharing of usernames - DISCUSS with client any exceptions to UNDERSTAND purpose of such usernames
NOTE// design is considered ineffective if there is unnecessary/excessive use of generic IDs
- OBTAIN screenshots of password parameter settings from the system & INSPECT against best practice.
Request staff member to change password to a single or blank space and determine if system accepts. If so, operating INeffectively
Program development and changes: Examples of audit procedures to test design & operating effectiveness
- for a SAMPLE of program changes, OBTAIN REQUEST FORM and INSPECT for appropriate sign offs
- check for test sign offs on the form and obtain test plans and screenshots to evidence testing
- obtain screenshots of the test environment
- make ENQUIRIES of client staff to determine which user group has the ability to migrate changes and develop programs. INSPECT users within these groups to verify
Documenting control systems
For each process to be documented, understanding of the control activities within the process gained through the following:
- DISCUSSION with activity owner (purchase ledger clerk) and supervisor (mgmt/financial accountant)
- REVIEWING procedural MANUALS which can form the basis for documentation of procedures and controls
- CONFIRMING procedures documented in PY file (have there been any changes since PY?)
Best ways of documenting various cycles (processes)
Flowcharts
Narrative notes
Checklists
Walkthrough tests
Where one or more transactions are followed through the system from INITIATION through to REPORTING AND SETTLEMENT.
May identify transaction flows that were not included in documentation
Key control definition
A control that
- MITIGATES RISK which can result in a misstatement in the FS
- PREVENTS MATERIAL MISSTATEMENTS in the FS
- DETECTS AND CORRECTS MATERIAL MISSTATEMENT in the FS
Controls that the auditor would not care about, they don’t affect the FSs
- controls ensuring all customers are visited on regular basis
- controls to prevent the excessive use of materials in prod’n to reduce wastage
Assessing design and testing operating effectiveness
Assessing the DESIGN of the controls (umbrella without holes)
Testing whether the controls OPERATED effectively throughout the year (used when raining?)
Is enquiry alone sufficient?
No
CAATS: two areas where they may be utilised in testing controls
Test data techniques
Audit data analytics
CAATs Test Data - controls testing
Used to verify the proper operations of computer processes and controls built into computer programs (application controls)
Set of transactions inputted into the system to verify correct operations through the input of normal transactions and the input of unusual transactions
Purpose is to determine whether the outputs generated by the system are as expected
Applied to either a live system or a ‘dead’ system (client prefers dead, auditor prefers live)
WEAKNESS:
they test operation of controls at a SINGLE POINT IN TIME => not practical to test the operation throughout the year (you could access the change log to see previous changes)
CAATS: ADA - control testing
When testing operating effectiveness of controls, ADAs enable auditors to perform procedures that would be impossible manually due to highly automated processes and controls
Compared to test data, ADAs can provide greater coverage over reporting period as they can access and analyse much larger volumes of info => improve the overall extent of the audit testing carried out and aid overall assessment of control risk
Examples of ADA tools currently used by auditors for testing controls
- REPERFORMING calculations or controls such as recs
- MATCHING transactions as they pass through a processing cycle (process analytics)
- Reviewing documents/transactions for EVIDENCE OF MISSING ITEMS e.g. reviewing sequentially numbered items and identifying gaps for discussion with mgmt
- ASSISTING in SoD testing
- TESTING INTERFACES between systems to ensure APPROP TRANSFER and COMPLETENESS of data for FR purposes
- IDENTIFYING BREACH OF MGMT OVERRIDE OF CONTROLS activities for further investigation
Exam tips for CAATs and ADA
May be asked to identify CAATs and ADAs for testing controls or substantive procedures
- identify other relevant CAATs and ADAs by thinking how you would test it manually and then think how you could use the techniques described in this module to do the same
CAATs = more reliable info
Combinations of tests are best: what are the control techniques
RICEO: Reperform, Inspect, Consider use of CAATs, Enquiry, Observation
Routine transactions
Low ROMM as they are more predictable
Exam tip: Test of Controls checklist
- Identify the CONTROLS that EXIST within the specific scenario - use module 9 checklist
- For each control identify an appropriate mix of test of controls (5 methods) and ensure you evaluate reliability of your tests
- Draft a plan (like a marking schedule)
- Consider the number of points relevant to marks available
- Write answers, clearly describe:
- testing technique performed (reperform, enquiry, observe)
- source documents from which you draw a sample to test if applicable
- what you expect to be looking for when performing the test (e.g. evidence of review and authorisation, expected output from test data procedures)
Planning the inventory count: three aspects
- Matters relevant to PLANNING THE VISIT
- consider risk in relation to COMPLETENESS and EXISTENCE of inventory recorded in the financial statements
- Consider ROMM in the completeness and existence of inventory as a result of FRAUD
Planning and inventory count: Matters relevant to PLANNING THE VISIT
- ROMM of inventory
- Nature of INTERNAL CONTROL related to inventory
- Whether ADEQUATE procedures are expected to be established and PROPER INSTRUCTIONS issued for physical inventory counting
- whether the entity maintains a PERPETUAL inventory system
- the LOCATIONS at which inventory is held
- MATERIALITY of inventory at diff locations
- whether an EXPERT is needed
Planning and inventory count: consider risk in relation to COMPLETENESS and EXISTENCE of inventory recorded in the financial statements
- RELIABILITY of inventory systems
- TIMING of the physical inventory counts relative to the year end date and reliability of the records used in any roll forward
- LOCATION of inventory
- PHYSICAL CONTROLS and inventory’s susceptibility to theft/deterioration
- objectivity, experience and reliability of INVENTORY COUNTERS and those monitoring their work
- DEGREE OF FLUCTUATION of inventory levels
- NATURE of the inventory
- the difficulty in carrying out the ASSESSMENT of QUANTITY
Planning the inventory count: Consider ROMM in the completeness and existence of inventory as a result of FRAUD
- FALSE sales raised relating to inventory moves to another location in the entity rather than being delivered to customers
- APPEARANCE of inventory is altered so it appears of higher value/quantity e.g. empty boxes at the back, inventory stored in a pile and items underneath are not the same items
- ESTIMATION techniques are inappropriate
- Inventory take records are ALTERED
Perpetual inventory counting
Auditor must attend one or more of these counts during the year
Assessment of the inventory counting system is done by REVIEWING the PROCEDURES used DURING THE YEAR in order to check the accuracy of the records
Any differences would indicate errors => auditor will ask the client to perform a FULL YEAR END count
No controls reliance
Where controls are absent, designed ineffectively or are not operating throughout the period, the auditor must conclude NO or LIMITED RELIANCE is placed on these controls => audit largely reliant on substantive testing with additional ToD
MANAGEMENT LETTER sent to TCWG detailing control failures, weakness or absence.
Reliance on internal audit
- Qualifications
- Experience in industry
- Independence
- Conduct of work
- Lack of IT specialist if IT reliance in company
What can we use IA for
Develop understanding of processes
Assist in risk assessment
Compliance testing, in accordance with ISA 610
Use of IA report findings - highlight things not identified/discussed at planning