Unit 7 - Performing Tests of Controls Flashcards
There are seven steps associated with assessing control risk.
Explain step 1: Understand Entity-Level Controls
At this stage, the auditor conducts interviews throughout the organization to understand the strength of entity level controls and to identify weaknesses at the entity level.
The auditor also wants to understand whether weaknesses are so pervasive that they offset strengths at the transaction level.
There are seven steps associated with assessing control risk.
Explain step 2: Understand the Flow of Transactions
The auditor performs a system walkthrough to understand the flow of transactions and identify potential strengths and weaknesses at the transaction level.
There are seven steps associated with assessing control risk.
Explain step 3: Identify What Can Go Wrong (WCGW)
The auditor uses their understanding of assertions to identify what can go wrong at the transaction level.
There are seven steps associated with assessing control risk.
Explain step 4: Identify Relevant Controls to Test
Given the auditor’s understanding of entity level and transaction level controls, the auditor should identify key controls for each assertion.
There are seven steps associated with assessing control risk.
Explain step 5: Determine Preliminary Audit Strategy
When internal control strengths are present at the assertion level, the auditor may want to follow a reliance strategy.
If internal control strengths are not present at the assertion level, the auditor will follow a primarily substantive approach.
The auditor may have different strategies for different assertions for the same transaction class.
There are seven steps associated with assessing control risk.
Explain step 6: Perform Tests of Controls
The auditor should test controls where the auditor plans a reliance strategy.
There are seven steps associated with assessing control risk.
Explain step 7: Evaluate Evidence and Assess Control Risk
The auditor evaluates the evidence obtained from tests of controls.
If evidence shows that controls are strong, the auditor should document the finding and proceed with a reliance strategy.
If control tests do not support a finding of strong controls, the auditor might identify compensating controls and test those controls.
If control testing does not support the preliminary audit strategy, the auditor should revise his or her audit strategy.
What are Preventive Controls?
Preventive controls are those applied to each transaction during normal processing that are intended to stop fraud or errors from occurring.
ex.
Assertion: Valuation and Allocation
WCGW: Sales occur that may not be collectible
Preventive Control: The software application will not allow a sale to be processed if a customer has exceeded its credit limit.
If those who are responsible for processing the sales are able to override the credit limit control in the software, the control is not strong.
What are Detective Controls?
Detective controls are those applied AFTER transactions have been processed to identify whether fraud or errors have occurred, and to rectify the fraud or errors on a timely basis.
Most companies design detective controls to ensure that if preventive controls are not effective, errors or fraud are detected and corrected on a timely basis.
ex.
Assertion: Completeness, Occurrence, Cutoff
WCGW: Cash is received but not recorded in the general ledger; payments are made but not recorded; cash receipts or cash payments are not real or not recorded on a timely basis
Detective Control: Bank reconciliation identifies unexpected outstanding items which are followed up.
The performance of reconciliations without following up on unusual items is not a control. The control is the follow-up.
Detective controls are often accompanied by _________ evidence such as _____________ or _____________. This is in direct contrast to preventive controls, which tend to be ____________.
Detective controls are often accompanied by PHYSICAL EVIDENCE such as EXCEPTION REPORTS or MONTHLY RECONCILIATIONS. This is in direct contrast to preventive controls, which tend to be DEPENDENT ON IT.
Detective vs. Preventive Controls: Which is more likely for an auditor to identify as “key controls” to test and evaluate?
Detective controls are often accompanied by physical evidence such as exception reports or monthly reconciliations. Preventive controls are often driven by error messages that are part of the particular software used by the company, and therefore there is no physical evidence of the control. Often, a specialist with IT skills is required to audit ITGCs and IT application controls, depending on how sophisticated the client’s IT system is. Therefore, the auditor is more likely to identify DETECTIVE controls as “key controls” to test and evaluate.
Example Scenario:
In February, a large group of employees were given a retroactive pay raise. When this payroll was processed, the software application produced an exception report. It turned out that some of the employees who were eligible for the retroactive payment had left the company and did not work during the affected payroll period. The IT application control checked to make sure that an employee actually worked during the period before processing the payroll for the time period.
What must occur for this to be a true detective control?
The financial controller had to personally approve payment of the retroactive payroll that was due to employees who did not work during the affected period.
The software identified a potential misstatement, and the manual follow-up also did its job.
If, after an interview with the financial controller, an auditor discovers that the computerized payroll system checks to make sure each employee is on the master payroll file before the transaction is processed further, what must the auditor determine about this preventive control?
Who has access to change the master payroll file?
How does the client ensure the completeness and accuracy of the master payroll files?
What are the 5 types of Tests of Controls?
Inquiry
Observation
Inspection of Physical Evidence
Reperformance
Various Data Analytics Techniques
When would an auditor most likely perform observation and inquiry procedures on a control?
Inquiry and observation are probably most appropriate for observing segregation of duties. Some controls, such as segregation of duties, may or may not provide physical evidence, in which case the auditor must rely on observation and inquiry.
Give an example of the package of evidence that is needed to test an IT application control that matches every sales invoice to an underlying bill of lading to ensure that revenue is properly recognized.
The package of evidence that supports an IT application control usually involves:
-Submitting test data to see that the application control functioned as designed.
-Testing the effectiveness of manual follow-up procedures to determine that items flagged as possible misstatements are cleared on a timely basis.
-Testing IT general controls to ensure that the application functions effectively over time.
When there are multiple controls related to one assertion, which control will the auditor determine to be the key control to test?
The control most likely to ensure that fraud or error does not occur if other controls fail.
Define the tolerable deviation rate.
The max rate of deviation from a prescribed control that an auditor is willing to accept and still use the planned assessed level of control risk.
According to the AICPA Audit Sampling Guide, what is the range of tolerable deviation rate if the planned control risk is low?
2%-7%
According to the AICPA Audit Sampling Guide, what is the range of tolerable deviation rate if the planned control risk is moderate?
6%-12%
According to the AICPA Audit Sampling Guide, what is the range of tolerable deviation rate if the planned control risk is high?
11%-20%
Why do auditors perform tests of controls more often when the expected deviation rate is very low?
If you expect a high rate of deviation in the population for a certain control, then why waste time testing the control only to find out you are right and the control fails at a high rate?
In this situation, it is more efficient for the auditors to take a primarily substantive strategy and focus on auditing transactions and account balances instead of testing controls.
Define attribute sampling.
A sampling technique used to reach a conclusion about a population in terms of a rate (frequency) of occurrence.
If the audit objective is to obtain evidence directly about a dollar amount being examined, the auditor is performing a _________ test, not a __________.
SUBSTANTIVE
TEST OF CONTROLS
Define Benchmarking.
An audit testing strategy that can be used to allow evidence obtained in prior audit periods to support a conclusion about IT application controls in the current audit period.
What are the three categories of IT controls?
IT General Controls
IT Application Controls
IT Output Controls
Larger or Smaller:
The smaller the rate of deviation from the prescribed control procedure that the auditor can tolerate, the _______ the sample size.
Larger
Larger or Smaller:
Higher levels of assurance dictate ______ sample size.
Larger
Larger or Smaller:
The closer tolerable deviation rate and expected deviation rate are to each other, the _____ the sample size.
Larger
Larger or Smaller:
The larger the population, the _____ the sample size.
Larger
Larger or Smaller:
The larger the rate of deviation from the prescribed control procedure that the auditor can tolerate, the ______ the sample size.
Smaller
Larger or Smaller:
Lower levels of assurance dictate ________ sample size
Smaller
Larger or Smaller:
The greater the amount of difference between tolerable deviation rate and expected deviation rate, the _______ the sample size.
Smaller
Larger or Smaller:
The smaller the population, the _______ the sample size.
Smaller
For public companies, if the results of the Auditor’s testing shows material weakness in internal controls, the auditor will report an _________ opinion on ICFR.
Adverse
For public companies, if the results of the Auditor’s testing shows significant deficiencies in internal controls, the auditor will report a(n) _________ opinion on ICFR.
Unqualified
(significant deficiencies are considered not material but significant)
For public companies, if the results of the Auditor’s testing show material weakness in internal controls, the auditor will report a(n) _________ opinion on ICFR.
Adverse
For public companies, if the results of the Auditor’s testing show no deficiencies in internal controls, the auditor will report a(n) _________ opinion on ICFR.
Unqualified
Which rate should be used when an auditor anticipates finding internal controls that do not function as planned in the population tested?
a) Expected rate of deviation
b) Actual rate of deviation
c) Tolerable deviation rate
d) Desired level of accuracy rate
a) Expected rate of deviation
The expected rate of deviation is the rate at which the auditor expects controls not to be functioning as designed.
Which type of relationship exists between the assurance level of internal controls and the size of the sample for testing?
a) Indirect
b) Direct
c) Uncorrelated
d) Inverse
b) Direct
The more assurance an auditor wants, the more representative a sample should be of the population.
An auditor is reviewing purchase orders during tests of internal controls to provide reasonable assurance that material weaknesses do not exist.
Which level of testing is being used by this auditor?
a) Transaction
b) Entity
c) Financial statement
d) Monitoring
a) Transaction
Error or fraud related to significant accounts is likely a material misstatement, and testing for it is performed at the transaction level.
Which type of control includes a comparison of budgeted versus actual expenses?
a) Management-level analysis
b) Reconciliations with follow-up
c) Performance indicator analysis
d) Application with manual follow-up
a) Management-level analysis
An auditor is planning a test of internal controls and is using a planned control risk. The auditor must not move beyond the permitted maximum rate of deviation from a prescribed control during the process.
What is the maximum rate of deviation that should be accepted?
a) Tolerable deviation rate
b) Expected rate of deviation
c) Desired deviation rate
d) Actual rate of deviation
a) Tolerable deviation rate
This rate is the maximum rate of deviation where the auditor will still use the planned control risk.