Module 17: System and control procedures Flashcards
Systems and control analysis
After acceptance and planning, next stage = systems and control analysis
Use of internal control systems by auditors
- Control systems - IDENTIFY, UNDERSTAND, document, update risk assessment
- Walkthrough
- Identify KEY controls
- Assess control DESIGN
- 1 Control NOT designed effectively => do NOT rely/test controls AND raise in MGMT LETTER
- 2 Controls DESIGNED effectively => test control operation
- 2.1 Controls operating effectively => sub testing REDUCED
- 2.2 Controls operating INeffectively => INCREASE substantive testing
Examples of controls that may be in place over sig risk areas:
- review of assumptions used in estimates
- use of experts
- formal procedures for estimates
- approval of estimates by TCWG
ITGC Manual controls
- authorisation
- reconciliations
ITGC Automated controls
- record transactions electronically (replacing paper docs)
- most prevalent in financial institutions
ITGC: Combination of manual/automated controls
- manual review/reconciliation of exception reports
ITGCs: auditor's understanding and testing of ITGCs should be documented as follows:
- Understanding of the ITGC
- Procedures to EVALUATE the D&I and operating effectiveness of controls
- Deficiencies
- Conclusion on relevant audit assertions
APOC
- Access to programs and data
- Program development and changes
- Computer operations
- Continuity of operations
Risk assessment of IT systems: additional auditor considerations
Additional risks associated with information systems:
- info system V MANUAL => INCREASED risk of human error
- COMPLEX IT systems use HIGH LEVEL OF INTEGRATION with other systems => auditor to consider the use of IT and how this affects the risk in the system
- NEW IT system/process => INCREASED risk of error due to new procedures and associated risks from new IT system
- INCREASED RISK PROFILE of the transaction e.g. risk of cash sales being misappropriated
ITGC Test - involvement of specialists
IT specialists should be involved in the review of the ITGC environment where there is a COMPLEX IT system that the auditor wishes to rely on.
Access to programs and data: examples of audit procedures to test the design & operating effectiveness
- obtain user listing from system and inspect listing to determine if any generic usernames or sharing of usernames - DISCUSS with client any exceptions to UNDERSTAND purpose of such usernames
NOTE// design is considered ineffective if there is unnecessary/excessive use of generic IDs
- OBTAIN screenshots of password parameter settings from the system & INSPECT against best practice.
- REQUEST a staff member to change password to a single or blank space and determine if the system accepts it. If so, the control is operating INeffectively
Program development and changes: Examples of audit procedures to test design & operating effectiveness
- for a SAMPLE of program changes, OBTAIN REQUEST FORM and INSPECT for appropriate sign offs
- check for test sign offs on the form and obtain test plans and screenshots to evidence testing
- obtain screenshots of the test environment
- make ENQUIRIES of client staff to determine which user group has the ability to migrate changes and develop programs. INSPECT users within these groups to verify
Documenting control systems
For each process to be documented, understanding of the control activities within the process gained through the following:
- DISCUSSION with activity owner (purchase ledger clerk) and supervisor (mgmt/financial accountant)
- REVIEWING procedural MANUALS which can form the basis for documentation of procedures and controls
- CONFIRMING procedures documented in PY file (have there been any changes since PY?)
Best ways of documenting various cycles (processes)
Flowcharts
Narrative notes
Checklists
Walkthrough tests
Where one or more transactions are followed through the system from INITIATION through to REPORTING AND SETTLEMENT.
May identify transaction flows that were not included in documentation
Key control definition
A control that
- MITIGATES RISK which can result in a misstatement in the FS
- PREVENTS MATERIAL MISSTATEMENTS in the FS
- DETECTS AND CORRECTS MATERIAL MISSTATEMENT in the FS
Controls that the auditor would not care about, they don’t affect the FSs
- controls ensuring all customers are visited on regular basis
- controls to prevent the excessive use of materials in prod’n to reduce wastage
Assessing design and testing operating effectiveness
Assessing the DESIGN of the controls (umbrella without holes)
Testing whether the controls OPERATED effectively throughout the year (used when raining?)
Is enquiry alone sufficient?
No
CAATS: two areas where they may be utilised in testing controls
Test data techniques
Audit data analytics
CAATs Test Data - controls testing
Used to verify the proper operations of computer processes and controls built into computer programs (application controls)
Set of transactions inputted into the system to verify correct operations through the input of normal transactions and the input of unusual transactions
Purpose is to determine whether the outputs generated by the system are as expected
Applied to either a live system or a ‘dead’ system (client prefers dead, auditor prefers live)
WEAKNESS:
they test operation of controls at a SINGLE POINT IN TIME => not practical to test the operation throughout the year (you could access the change log to see previous changes)
CAATS: ADA - control testing
When testing operating effectiveness of controls ADAs enable auditors to perform manually impossible procedures due to highly automated processes and controls
Compared to test data, ADAs can provide greater coverage over reporting period as they can access and analyse much larger volumes of info => improve the overall extent of the audit testing carried out and aid overall assessment of control risk
Examples of ADA tools currently used by auditors for testing controls
- REPERFORMING calculations or controls such as recs
- MATCHING transactions as they pass through a processing cycle (process analytics)
- Reviewing documents/transactions for EVIDENCE OF MISSING ITEMS e.g. reviewing sequentially numbered items and identifying gaps for discussion with mgmt
- ASSISTING in SoD testing
- TESTING INTERFACES between systems to ensure APPROP TRANSFER and COMPLETENESS of data for FR purposes
- IDENTIFYING BREACH OF MGMT OVERRIDE OF CONTROLS activities for further investigation
Exam tips for CAATs and ADA
May be asked to identify CAATs and ADAs for testing controls or substantive procedures
- identify other relevant CAATs and ADAs by thinking how you would test it manually and then think how you could use the techniques described in this module to do the same
CAATs = more reliable info