Module 17: System and control procedures

Question 1

Systems and control analysis

Answer 1

After acceptance and planning, next stage = systems and control analysis

Question 2

Use of internal control systems by auditors

Answer 2

1. Control systems - IDENTIFY, UNDERSTAND, document, update risk assessment
2. Walkthrough
3. Identify KEY controls
4. Assess control DESIGN
5. 1 Control NOT designed effectively => do NOT rely/test controls AND raise in MGMT LETTER
6. 2 Controls DESIGNED effectively => test control operation
7. 2.1 Controls operating effectively => sub testing REDUCED
8. 2.1 Controls operating INeffectively => INCREASE substantive testing

Question 3

Examples of controls that may be in place over sig risk areas:

Answer 3

• review of assumptions used in estimates
• use of experts
• formal procedures for estimates
• approval of estimates by TCWG

Question 4

ITGC Manual controls

Answer 4

• authorisation

- reconciliations

Question 5

ITGC Automated controls

Answer 5

• record transactions electronically (replacing paper docs)

- most prevalent in financial institutions

Question 6

ITGC: Combination of manual/automated controls

Answer 6

• manual review/reconciliation of exception reports

Question 7

ITGCs: auditors understanding and testing of ITGCs should be documented as follows:

Answer 7

1. Understanding of the ITGC
2. Procedures to EVALUATE the D&I and operating effectiveness of controls
3. Deficiencies
4. Conclusion on relevant audit assertions

Question 8

APOC

Answer 8

1. Access to programs and data
2. Program development and changes
3. Computer operations
4. Continuity of operations

Question 9

Risk assessment of IT systems: additional auditor considerations

Answer 9

Additional risks associated with information systems:

1. info system V MANUAL => INCREASED risk of human error
2. COMPLEX IT systems use HIGH LEVEL OF INTEGRATION with other systems => auditor to consider the use of IT and how this affects the risk in the system
3. NEW IT system/process => INCREASED risk of error due to new procedures and associated risks from new IT system
4. INCREASED RISK PROFILE of the transaction e.g. risk of cash sales being misappropriated

Question 10

ITGC Test - involvement of specialists

Answer 10

IT specialists should be involved in the review of ITGC environment where COMPLEX IT system that auditor wishes to rely on.

Question 11

Access to program and data: examples of audit procedures to test the design & operating effeciveness

Answer 11

• obtain user listing from system and inspect listing to determine if any generic usernames or sharing of usernames - DISCUSS with client any exceptions to UNDERSTAND purpose of such usernames

NOTE// design is considered ineffective if there is unnecessary/excessive use of generic IDs

• OBTAIN screenshots of password parameter settings from the system & INSPECT against best practice.
  Request staff member to change password to a single or blank space and determine if system accepts. If so, operating INeffectively

Question 12

Program development and changes: Examples of audit procedures to test design & operating effectiveness

Answer 12

• for a SAMPLE of program changes, OBTAIN REQUEST FORM and INSPECT for appropriate sign offs
• check for test sign offs on the form and obtain test plans and screenshots to evidence testing
• obtain screenshots of the test environment
• make ENQUIRIES of client staff to determine which user group has the ability to migrate changes and develop programs. INSPECT users within these groups to verify

Question 13

Documenting control systems

Answer 13

For each process to be documented, understanding of the control activities within the process gained through the following:

• DISCUSSION with activity owner (purchase ledger clerk) and supervisor (mgmt/financial accountant)
• REVIEWING procedural MANUALS which can form the basis for documentation of procedures and controls
• CONFIRMING procedures documented in PY file (has there been any changes since PY?)

Question 14

Best ways of documenting various cycles (processes)

Answer 14

Flowcharts
Narrative notes
Checklists

Question 15

Walkthrough tests

Answer 15

Where one of more transactions are followed through the system from INITIATION through to REPORTING AND SETTLEMENT.

May identify transaction flows that were not included in documentation

Question 16

Key control definition

Answer 16

A control that

• MITIGATES RISK which can result in a misstatement in the FS
• PREVENTS MATERIAL MISSTATEMENTS in the FS
• DETECTS AND CORRECTS MATERIAL MISSTATEMENT in the FS

Question 17

Controls that the auditor would not care about, they don’t affect the FSs

Answer 17

• controls ensuring all customers are visited on regular basis
• controls to prevent the excessive use of materials in prod’n to reduce wastage

Question 18

Assessing design and testing operating effectiveness

Answer 18

Assessing the DESIGN of the controls (umbrella without holes)

Testing whether the controls OPERATED effectively throughout the year (used when raining?)

Question 19

Is enquiry alone sufficient?

Answer 19

No

Question 20

CAATS: two areas where they may be utilised in testing controls

Answer 20

Test data techniques

Audit data analytics

Question 21

CAATs Test Data - controls testing

Answer 21

Used to verify the proper operations of computer processes and controls built into computer programs (application controls)

Set of transactions inputted into the system to verify correct operations through the input of normal transactions and the input of unusual transactions

Purpose is to determine whether the outputs generated by the system are as expected

Applied to either a live system or ‘dead’ system (client prefer dead, auditor prefers live)

WEAKNESS:
they test operation of controls at a SINGLE POINT IN TIME => not practical to test the operation throughout the year (you could access the change log to see previous changes)

Question 22

CAATS: ADA - control testing

Answer 22

When testing operating effectiveness of controls ADAs enable auditors to perform manually impossible procedures due to highly automated processes and controls

Compared to test data, ADAs can provide greater coverage over reporting period as they can access and analyse much larger volumes of info => improve the overall extent of the audit testing carried out and aid overall assessment of control risk

Question 23

Examples of ADA tools currently used by auditors for testing controls

Answer 23

• REPERFORMING calculations or controls such as recs
• MATCHING transactions as they pass through a processing cycle (process analytics)
• Reviewing documents/transactions for EVIDENCE OF MISSING ITEMS e.g. reviewing sequentially numbered items and identifying gaps for discussion with mgmt
• ASSISTING in SoD testing
• TESTING INTERFACES between systems to ensure APPROP TRANSFER and COMPLETENESS of data for FR purposes
• IDENTIFYING BREACH OF MGMT OVERRIDE OF CONTROLS activities for further investigation

Question 24

Exam tips for CAATs and ADA

Answer 24

May be asked to identify CAATs and ADAs for testing controls or substantive procedures

• identify other relevant CAATs and ADAs by thinking how you would test it manually and then think how you could use the techniques described in this module to do the same

CAATs = more reliable info

Question 25

Combinations of tests are best: what are the control techniques

Answer 25

RICEO
Reperform
Inspect
Consider use of CAATs
Enquiry 
Observation

Question 26

Routine transactions

Answer 26

Low ROMM as they are more predictable

Question 27

Exam tip: Test of Controls checklist

Answer 27

1. Identify the CONTROLS that EXIST within the specific scenario - use module 9 checklist
2. For each control identify an appropriate mix of test of controls (5 methods) and ensure you evaluate reliability of your tests
3. Draft a plan (like a marking schedule)
4. Consider the number of points relevant to marks available
5. Write answers, clearly describe:
   - testing technique performed (reperform, enquiry, observe)
   - source documents from which you draw a sample to test if applicable
   - what you expect to be looking for when performing the test (e.g. evidence of review and authorisation, expected output from test data procedures)

Question 28

Planning the inventory count: three aspects

Answer 28

1. Matters relevant to PLANNING THE VISIT
2. consider risk in relation to COMPLETENESS and EXISTENCE of inventory recorded in the financial statements
3. Consider ROMM in the completeness and existence of inventory as a result of FRAUD

Question 29

Planning and inventory count: Matters relevant to PLANNING THE VISIT

Answer 29

• ROMM of inventory
• Nature of INTERNAL CONTROL related to inventory
• Whether ADEQUATE procedures are expected to be established and PROPER INSTRUCTIONS issued for physical inventory counting
• whether the entity maintains a PERPETUAL inventory system
• the LOCATIONS at which inventory is held
• MATERIALITY of inventory at diff locations
• whether an EXPERT is needed

Question 30

Planning and inventory count: consider risk in relation to COMPLETENESS and EXISTENCE of inventory recorded in the financial statements

Answer 30

• RELIABILITY of inventory systems
• TIMING of the physical inventory counts relative to the year end date and reliability of the records used in any roll forward
• LOCATION of inventory
• PHYSICAL CONTROLS and inventory’s susceptibility to theft/deterioration
• objectivity, experience and reliability of INVENTORY COUNTERS and those monitoring their work
• DEGREE OF FLUCTUATION of inventory levels
• NATURE of the inventory
• the difficulty in carrying out the ASSESSMENT of QUANTITY

Question 31

Planning the inventory count: Consider ROMM in the completeness and existence of inventory as a result of FRAUD

Answer 31

• FALSE sales raised relating to inventory moves to another location in the entity rather than being delivered to customers
• APPEARANCE of inventory is altered so it appears of higher value/quantity e.g. empty boxes at the back, inventory stored in a pile and items underneath are not the same items
• ESTIMATION techniques are inappropriate
• Inventory take records are ALTERED

Question 32

Perpetual inventory counting

Answer 32

Auditor must attend one or more of these counts during the year

Assessment of the inventory counting system is done by REVIEWING the PROCEDURES used DURING THE YEAR in order to check the accuracy of the records

Any differences would indicate errors => auditor will ask the client to perform a FULL YEAR END count

Question 33

No controls reliance

Answer 33

where controls are absent, designed ineffectively or are not operating throughout the period, auditor must conclude NO, or LIMITED RELIANCE placed on these controls => audit largely reliant on substantive tested with additional ToD

MANAGEMENT LETTER sent to TCWG detailing control failures, weakness or absence.

Question 34

Reliance on internal audit

Answer 34

Qualifications
Experience in industry
Independence
Conduct of work
Lack of IT specialist if IT reliance in company

Question 35

What can we use IA for

Answer 35

Develop understanding of processes
Assist in risk assessment
Compliance testing, in accordance with ISA 610
Use of IA report findings - highlight things not identified/discussed at planning