CHAPTER 9 CONTROL ASSESSMENT AND TESTING

SOLUTIONS FOR REVIEW CHECKPOINTS

9-1 A company’s management is responsible for its control environment, for its accounting system, and for establishing and maintaining a system of internal control procedures. Continuous managerial supervision and modification are elements of management’s responsibility. Management is responsible for the internal control that supports the production of financial statements and all the other objectives of the business.

9-2 A trade-off is required because there are costs that must be paid to implement controls, and at some point the costs will exceed the benefits. This is because it is not possible to reduce risks to zero. Managers need to decide what level of risk is acceptable by trading off between benefits of risk reduction and costs of controls.

9-3 If management understates the risks in an attempt to cut costs, or through ignorance or poor analysis, this becomes a source of control risk because significant risks will not be reduced to an acceptable level. Further, note that controls often involve humans, and it is impossible for absolute assurance to exist when dealing with human behaviour.

9-4 Control systems generally do not provide absolute assurance that the objectives of internal control are satisfied because at some point the costs of implementing controls against risks will exceed the benefit that can be achieved by reducing these risks. Reasonable assurance is the best that can be attained given that the cost of an entity’s internal controls should not exceed the benefits that are expected to be received.

9-5 Management can be biased in how they make estimates of benefits they expect to get from controls and weigh them against the costs, and can use the “cost-benefit” and “reasonable assurance” concepts to justify tolerating control deficiencies as a way to cut costs and increase profits.
Since management has the power to make these cost-benefit decisions and are likely to have rationalized them in their own minds, auditors must be objective (i.e. free of bias that might arise from accepting management’s rationales too readily) in their assessment of whether a system contains internal control weaknesses that create risks of material financial statement misstatements.

9-6 External auditors are responsible for evaluating existing internal controls and assessing the risk of a material misstatement related to them. They use this assessment to determine the audit work required to support their opinion and develop appropriate audit programs.

9-7 Involvement in designing internal control systems is a threat to auditor independence because it could impair the PA’s objectivity in assessing the quality of those controls for audit purposes. In essence, when evaluating these controls the auditor will be reviewing his or her own work, thus lacking an independent and objective perspective. Accordingly, the design and implementation of internal control is always management’s responsibility, not the auditor’s.

9-8 External auditors’ communications of reportable conditions and material weaknesses are intended to help management carry out its responsibilities for internal control monitoring and change. Auditors’ control evaluation work can result in them identifying areas of potential weaknesses, or alerting management to instances where the actual performance of a control activity deviates from “expected” behaviour.

9-9 Control risk is the risk that the auditee's internal control procedures will fail to prevent, or detect and correct, on a timely basis, a material misstatement that could occur in an assertion. Control risk is a function of the effectiveness of the design and operation of internal control in achieving the auditee’s objective of preparing accurate financial statements.
Some control risk will always exist because of the inherent limitations of internal control. The seven general types of misstatements are:
1. Invalid transactions are recorded.
2. Valid transactions are omitted from the accounts.
3. Unauthorized transactions are executed and recorded.
4. Transaction amounts are inaccurate.
5. Transactions are classified in the wrong accounts.
6. Transaction accounting is incomplete.
7. Transactions are recorded in the wrong period.

9-10 The auditor’s main goal is to assess the risk of the financial statements being misstated, and assessing inherent and control risks is a key step in performing this assessment. Control risk is the risk that internal control will fail to prevent or detect a material financial statement misstatement.

9-11 The inherent risk is high for the watches because these items are easy to pick up and conceal, have a high dollar value and are easy to ‘fence’ (sell illegally). The auditor expects management to have a variety of strong controls in place to protect the business against these risks. If this were not the case, it is unlikely that the company could survive as the inventory would often disappear. This is referred to as inventory ‘shrinkage’.

9-12 Two types of control assessments relate to the two extreme types of audit situations, the “clean” audit and the “dirty” audit. In a clean audit, the control risk will be assessed as very low because the accounting records are easy to verify and accurate due to the strong controls in place. In a dirty audit, as a result of the weaknesses in controls the accounting records may be incomplete, riddled with misstatements, and harder to verify, so the auditor will assess the control risk to be very high.

9-13 A clean audit should require less work than a dirty audit. Good controls, by definition of their objectives, should result in low risk of material misstatement. Conversely, a dirty audit is normally associated with poor or nonexistent controls.
So, one reason auditors evaluate internal controls is because they are a good indicator of the accuracy of the accounting records and therefore reduce the amount of work needed to verify their accuracy more directly. If controls are weak, more substantive procedures will be needed to provide sufficient evidence about whether the financial statements contain a material error.

9-14 Relying on internal controls can create efficiencies in clean audits because it can justify less substantive work. It is not just for efficiency purposes, however, that auditors rely on controls. There may be risks of misstatements that substantive procedures alone cannot remove. For example, one of the assertions, completeness, is virtually impossible to verify without some minimal reliance on controls. It is by relying on controls to some minimal extent that the auditors get sufficient assurance on whether items that they might not know about, such as accrued liabilities, get recorded. Since it is difficult for auditors to verify items that they might not know about, some level of control reliance is required to get enough assurance on the completeness assertion for these items. There are situations where controls are so bad, leading to such a dirty audit situation, that the entity is not auditable. An example of such an extreme situation is given in the anecdote in the text box above this question in the chapter, titled “Understanding the Auditability of the Accounts: Bad Books Block a Municipal Government Audit”. This box illustrates that control risks are so great that the auditor cannot develop compensating audit procedures to reduce the risk of material misstatement to an acceptable level. A case this extreme is a fairly rare occurrence.

9-15 If controls are very weak, an audit could still be done if the auditor can identify compensating control procedures that would lower the risk of material misstatement, and can design and perform substantive audit procedures that can provide sufficient and appropriately reliable evidence despite the control weaknesses. If there are no compensating controls, an audit may not be possible as control risks would likely be so great that the auditor cannot develop appropriate substantive audit procedures to reduce the risk of material misstatement to an acceptable level. Also, it is sometimes impossible to obtain sufficient evidence about certain assertions, such as completeness, without some reliance on the entity’s control procedures.

9-16 Dual purpose tests can lower the cost of obtaining audit evidence because they provide both compliance and substantive evidence from the same audit procedure. Much of the time and cost of performing procedures is in planning and setting up the test and obtaining the sample items, so the incremental time and cost of extending the testing procedures to obtain substantive evidence is often fairly small.

9-17 Cost-effectiveness refers to choosing that combination of control reliance and substantive evidence that maximizes efficiency and minimizes auditing costs. Auditors develop a cost-effective overall audit plan by selecting the most cost-effective set of evidence gathering procedures to provide support for the audit opinion. Integrating all aspects of the auditee’s business and systems into the overall design of the audit allows the auditor to select an audit approach that uses whichever combination of control reliance and substantive evidence is most cost-effective.

9-18 The auditing standards require the auditor to design and perform substantive procedures for each material class of transactions, account balance, and disclosure, irrespective of the auditor’s assessed risk of material misstatement.
Some substantive evidence is always required because of the limitations of the audit and the limitations of controls. Even if the controls are generally strong, undetected control exceptions may have occurred which could lead the auditor to make an incorrect assessment of risk. To provide high quality independent assurance, the auditor requires some substantive verification of details supporting any financial statement amounts that could be material to users.

9-19 The auditor is required to perform substantive procedures on the financial statement closing process, such as reconciling the final financial statements with the general ledger and supporting accounting records, and examining the purpose and appropriateness of any material journal entries or other adjustments made that cause the final financial statement amounts to differ significantly from those in the general ledger and trial balance that were subject to audit. These late adjustments can materially change the financial statements so they must be examined in detail. These are also non-routine entries that are subject to management’s override of the company’s internal control systems, so they pose a risk that exists independently of other factors the auditor would consider in assessing the risk of material misstatement.

9-20 The control risk assessment affects auditor decisions about the timing and extent of work. If the auditor has assessed control risk to be low, certain procedures such as confirmation of a sample of customer accounts receivable could be done before year-end. This can be efficient because audit staff have more free time then versus if confirmation is done as of December 31, when staff is busier. Control risk might suggest less testing of cut-off transaction data is required, as long as the items examined do not contain any errors.

9-21 Planning activities that are performed to lead up to the control risk evaluation are:
- Understand the business and its risks, by considering classes of transactions, financial statement account balances, disclosures in the financial statements, controls (per control framework, e.g. COSO), financial statement users and materiality
- Identify risks at the financial statement assertion level
- Assess risks’ magnitudes - could they lead to a material misstatement?
- Identify controls related to significant risks.

9-22 Tests of controls are performed if the auditor determines in the preliminary risk assessment that s/he can rely on internal controls for one or more assertions, and decides to rely on them in performing the audit. In this case, the auditor must test the controls to a sufficient extent to ensure that they are working as s/he expects them to be. In some cases it may also be relevant to consider if control testing and reliance, i.e., a combined audit approach, is the most efficient way to do the audit; this choice would be considered if there is the possibility of using a substantive approach instead of a combined one. In the case where there is a need to rely on control to get sufficient appropriate audit evidence about one or more assertions, auditors must test control effectiveness. Often, auditors will try to design dual purpose tests; these are tests of controls that also provide substantive evidence, which can increase audit efficiency.

9-23 First, it is important to note that the auditor is required to perform control risk assessment procedures on all audits. This is necessary to allow the auditor to conclude on the risk of material misstatement, which is comprised of both inherent and control risks. Further control testing procedures would not be performed, however, if the preliminary risk assessment procedures indicate the controls are weak and unlikely to justify reducing substantive work.
Also, control testing procedures would not need to be performed if there is sufficient evidence that can be obtained just through substantive audit procedures, so there is nothing to gain by testing controls. However, if there are significant risks of financial statement misstatement because of the possibility that controls are too weak, the auditor needs to investigate this even though no reliance on controls is planned for. Audit work performed to evaluate control strengths and weaknesses may be similar to the techniques used in testing controls, but generally the term ‘control test’ is used in this book to mean obtaining evidence that controls are operating effectively and can be relied on to reduce the amount of audit evidence that has to be obtained from other substantive audit work. Other work on controls is referred to as obtaining an understanding and evaluating controls.

9-24 The objective of control procedures is to process transactions correctly. Correctly processed transactions produce accurate account balances, which in turn help produce reliable assertions in the financial statements.

9-25
Validity - to prevent the recording of undocumented (possibly fictitious) transactions.
Completeness - to ensure no valid transactions are omitted from the accounts.
Authorization - to stop any unauthorized transactions from being entered.
Accuracy - to ensure that no dollar amounts are calculated incorrectly.
Classification - to ensure that transactions are not recorded in the incorrect accounts, charged or credited to the wrong customers, entered in the wrong segment product line or inventory description, and so forth.
Accounting - to ensure that the way an accounting process for a transaction is performed does not result in violating any GAAP.
Proper period - to ensure that transactions are not entered in the wrong period; they should be entered in the period in which they occur.

9-26 Authorization may be delegated to a fairly low level of management for routine transactions as these tend to be small amounts and relatively simple transactions. Thus the costs of higher level controls would not be justified. The board of directors should authorize significant non-routine transactions like sales of major assets and acquisition of another business, or responsibility for signing the company name to a loan agreement since these types of transactions can be significant to the company and may be complex, requiring legal or other expert advice to complete. The board’s authorization for significant transactions will be included in the minutes of the board meeting where the matter was voted on.

9-27 Proper period accounting (cutoff) is related to all kinds of transactions — sales, purchases, inventories, expense accruals, income accruals and others. The risks of errors occurring in cut-off relate to the cutoff aspect of the existence and completeness assertions. Risks of cut-off errors tend to be high because they are complex and non-routine events, and also they can be used to manipulate income, for example by using accruals to record sales too early or expenses too late.

9-28
Validity - Existence
Completeness - Completeness
Authorization - Ownership (Rights & obligations)
Accuracy - Valuation
Classification - Presentation
Accounting - Presentation, and other assertions may be affected
Proper period - Existence and completeness

9-29 Yes, some assertions may be easier to control than others. For example, the existence/occurrence of sales can be ensured by strong validity controls, but completeness of sales is not as easy to control if there are high volumes of small cash sales that can be easily stolen and concealed by not entering them in the records.

9-30 Control risk is the CR element in the audit risk model: AR = IR x CR x DR (as explained in Chapter 7).
This assessment is an auditor’s expression of the effectiveness of the control system for preventing, detecting and correcting specific errors and irregularities in management’s financial statement assertions. When control risk is low this means less detection/substantive work is needed to achieve the same audit risk level.

9-31 Generally, the more auditors know about good controls, the less substantive year-end work they need to do. The allocation of work times between control evaluation and “substantive audit work” is a cost-benefit trade-off. Auditors do not necessarily need to evaluate or test the entire internal control structure. They need to understand it well enough to assess whether there are any significant risks of material misstatement so they can plan the other audit work. A major goal in audits is to be efficient. This means performing the work in minimum time and cost while still doing high-quality work to obtain sufficient, appropriate evidence.

9-32 Key controls are those that are essential to prevent or detect significant risks. An example would be controls over sales completeness because a material misstatement could occur and there is no other reliable substantive procedure that auditors can use to verify that all sales have been recorded. If these are absent it would present a material risk of misstatement.

9-33 Non-key controls are other controls that are either related to risks that are not significant, or that the auditor plans to address by testing the related balances substantively. An example is the use of variance reports and analysis to control inventory - if the auditor does not need to rely on this control to test the year end inventory balance assertions it is non-key.

9-34 It is necessary to evaluate the key controls by testing their effectiveness during the audit period in order to ensure that material misstatements are unlikely to exist in the financial statements.

9-35 Controlled access limits access to physical assets and records to those employees who are authorized, to reduce risk of theft and cover up. Controlled access must be combined with assigning access so that incompatible functions are separated among different employees.

9-36 Periodic comparisons include counts of cash on hand, reconciliation of bank statements, counts of securities, confirmation of accounts receivable and accounts payable to determine whether accounting records represent real assets and liabilities. Frequent periodic comparisons give management the opportunity to detect errors in the records and take action to correct differences. Periodic comparison and action to correct errors lowers the risk that material misstatements will remain in the accounts.

9-37 General IT controls commonly include: controls over data centre and network operations; system software acquisition, change and maintenance; access security; application system acquisition, development, and maintenance; adequate safeguards over access to assets, systems and records; authorization for access to computer programs and data files; and periodic comparisons; separation of incompatible functions; error checking routines (these are closely related to application controls, but because of significant risk posed by compounding errors if they are not corrected quickly and appropriately, they have a pervasive impact on the entire accounting system’s integrity); performance reviews, management’s risk assessment procedures and follow up on any discrepancies, and if weaknesses, errors or other irregularities are uncovered to take appropriate action to implement corrections and solutions.

9-38 The duties performed by IT analysts, programmers and operators should be separated to prevent one person from being able to initiate fraudulent transactions, such as inappropriate asset transfers (like paying salaries to their non-employee friends) and then cover it up inside the information system records.

9-39 About the control environment the auditor should know:
• Managers’ and directors’ attitudes and actions regarding control,
• The company’s organizational chart and personnel assignments,
• The segregation of functional responsibilities,
• Methods used to communicate responsibility and authority,
• Methods used to monitor and supervise the accounting system and the control procedures and to control access to assets and documents,
• The work assignments of internal auditors, if any.

9-40 About the flow of transactions through the accounting system the auditor should know:
• The various classes of significant accounting transactions,
• The types of material errors and irregularities that could occur,
• Methods by which each significant class of transaction is:
  - Authorized and initiated,
  - Documented and recorded,
  - Processed in the accounting system,
  - Placed in financial reports and disclosures.

9-41 Understanding of the internal controls is gained through: (1) previous experience with the company as found in last year’s audit, (2) responses to enquiries directed to auditee personnel, (3) inspection of documents and records, and (4) observation of activities and operations made in a “walk-through” of one or a few transactions.

9-42 Working paper documentation should include records showing the audit team’s understanding of the internal controls. The understanding can be summarized in the form of questionnaires, narratives and flowcharts.

9-43 Audit file documentation records the underlying reasons for the reliance decision, which is helpful for assessing the quality of the audit in the current year in the manager and partner file reviews, and for planning next year’s audit. Documentation of the reasons justifying the auditor’s decision on control reliance also provides evidence in case the auditor’s decision is ever challenged, for example by a practice inspector, CPAB, or in a legal liability case.

9-44 Internal control questionnaires are designed to help the audit team obtain evidence about the control environment and about the accounting and control procedures that are considered good error-checking routines. They are an efficient means of gathering evidence about internal control by guiding the types of questions that should be asked in a formal interview with knowledgeable managers, using a checklist format.

9-45 An internal control narrative is a description of each important control subsystem. Such a narrative would simply describe all the environmental elements, the accounting system and the control procedures.

9-46 A flowchart is a drawing that presents all relevant information and evidence about segregation of responsibilities, authorization and accounting and control procedures in an understandable, visual form. The flowchart details give auditors information about where to find audit evidence later. It differs from a narrative which is all words, no pictures.

9-47 Companies often will have documented their own systems for internal reasons, to manage their processes, information and systems better. Securities regulations like SOX and the CSA impose requirements for public company management to report on the company’s control effectiveness; management will need documentation of the systems as the basis for providing these control reports. Auditors may benefit from being able to use the existing systems documentation for audit purposes.
An auditor can find auditee documentation of the accounting system in the:
- Chart of accounts
- Accounting manual--definitions and instructions about measuring and classifying transactions
- Computer systems documentation
- Computer program documentation
- Systems and procedures manuals
- Flowcharts of transaction processing
- Various paper or on-screen forms

9-48 A “walk through” test, or a ‘test of one’, is a way of verifying the accuracy of the flowchart or narrative. It involves tracing each transaction all the way through the system’s documents and procedures to verify that they are processed in the manner described. An understanding of the flow of transactions through the accounting system is required to support the design of control tests and substantive audit procedures.

9-49 Internal auditors will have documented controls and may have done some testing that the documentation is accurate, on which auditors may be able to rely.

9-50 A substantive audit approach refers to the case when the auditor decides not to test internal controls, which can occur because either the auditor chooses not to, or cannot, rely on internal controls. In a substantive audit approach, there is no reliance on assurance from effective internal control that would allow a reduction in the extent of substantive audit procedures. Note however that audit work is done to understand the auditee’s internal control and to evaluate risks of material misstatement, regardless of whether controls will be tested or not. The combined audit approach refers to two types of situations. One, if on a preliminary basis the auditor does decide to test internal controls, and the tests confirm that the controls are operating effectively, then the auditor may reduce the extent of substantive audit procedures.
Second, in the case where the auditor cannot obtain sufficient appropriate audit evidence on the basis of substantive tests alone, the auditor tests controls and finding them to be effective can increase the evidence sufficiency to an acceptable level to support the audit opinion.

9-51 The steps in a control risk assessment are:
- Identifying specific control objectives based on the types of misstatements that may be present in significant accounting applications,
- Identifying the points in the flow of transactions where specific types of misstatements could occur,
- Identifying specific control procedures designed to prevent or detect these misstatements,
- Identifying the control procedures that must function to prevent or detect the misstatements,
- Evaluating the design of control procedures to determine whether it suggests the auditee has strong control procedures in place and whether it may be cost effective to test these controls as part of the audit.
A useful assessment technique is to analyze control strengths and weaknesses.

9-52 Control strengths are specific features of effective control procedures that would prevent, detect or correct material misstatements. Control weaknesses are the lack of controls in particular areas that would allow material errors to get by undetected. Auditors often will want to rely on control procedures that are strong so they can reduce audit work on the related account balances. Tests of these controls would be performed to obtain evidence about whether the control procedures that appear strong actually are performed well. The audit program segment of the bridge working paper describes specific control tests of the strong control procedure. Test of controls auditing (Phase 3) consists of procedures designed to produce evidence of how well the controls worked in practice. If they pass the auditor’s criteria (the required degree of compliance), control risk can be assessed low.
If they fail the test, the final conclusion is to assess a high control risk, revise the audit plan to take the control weakness into account, and then proceed with the audit work.

9-53 A “bridge working paper” is a piece of the audit file documentation that connects (bridges) the control evaluation to subsequent audit procedures. The major strengths and weaknesses apparent in the system description documentation (flow chart or narrative) are summarized in the bridge working paper. In addition to brief descriptions of control strengths and weaknesses, the bridge working paper contains implications for control or error related to accounts, and statements of audit program procedures related to the strengths and weaknesses. The procedures related to control strengths are control test procedures, and the ones related to control weaknesses are substantive procedures. The audit program document describes planned control tests for auditing the control strengths and suggestions about substantive account balance audit procedures related to the weaknesses.

9-54 Auditors do not need to test control weaknesses just to prove they are weak places. Doing so would be inefficient. Auditors need to take control weaknesses into account in assessing the risk of material misstatements due to error or fraud in the financial statements and in designing further substantive audit work.

9-55 In assessing control risk, to be prudent an auditor would initially assume that the control risk related to the transaction stream or balance is very high (e.g., say 0.9 in probability terms). Audit work is then performed to obtain evidence about whether the apparent strengths actually are performed well to support assessing control risk at lower than high, and/or to identify any weaknesses. Test of controls auditing (Phase 3) consists of procedures designed to produce evidence of how well the controls worked in practice.
The audit program describes specific control tests of the relevant control procedure for each of the identified control strengths. If the control tests indicate that the control is being performed with the required degree of compliance over the whole period being audited, the auditor’s control risk assessment can be lowered. The auditor probably will want to rely on the strong controls to reduce audit work on the relevant year-end balance(s) in many cases. If the controls fail the test (are not being complied with at the required level), the auditor will assess a high control risk, develop (or revise) the audit plan to take this control weakness into account, and then proceed with the audit work on the basis that controls are unlikely to have prevented or detected material misstatements. This situation implies more substantive evidence will be required to support the audit opinion than if the auditor finds the controls operated effectively over the audited period.

9-56 Challenges for management and the auditor when complex IT is in use include:
- maintaining the integrity of control systems in a rapidly changing environment
- ensuring access to relevant records for management and audit purposes.
In some circumstances the auditor may determine that controls are critical to reducing financial reporting risks and it will be necessary to assess and test effectiveness of key controls. The auditor should assess whether controls are adequate to ensure that the requirements are met relevant to the financial statement assertions, information’s authorization, authenticity, confidentiality, integrity, non-repudiation and availability.

9-57 Privacy laws require all businesses to have control over privacy of information in place, and weaknesses can result in legal action against a company, as well as action by private individuals whose information was improperly given out.
The auditor needs to consider privacy controls over data, since a weakness could mean a material misstatement of the financial statements exists in the form of an undisclosed contingent liability. 9-58 Control Procedures ensure the proper recording of transactions and prevent or detect errors, and establish methods for monitoring control effectiveness. 9-59 Manual controls are procedures that people do using documents or actions, such as initialing documents they have approved, and reports they have reviewed, performing and documenting reconciliations and following-up on reconciling items. IT controls are automated procedures embedded in computer programs, such as a limit check on the number of digits entered for a credit card number. 9-60 Manual controls may be more suitable where judgment and discretion are required, such as for large, unusual or non-recurring transactions; in circumstances where errors are difficult to define, anticipate or predict; in changing circumstances that require a control response outside the scope of an existing automated control; and in monitoring the effectiveness of IT controls. IT controls may be preferable for systems that process a high volume of recurring transactions, or in situations where errors that can be anticipated or predicted can be prevented or detected by control parameters that are automated; and where the specific ways to perform the control can be adequately designed and automated. This is because manual controls are performed by people, and therefore may be less reliable than IT controls when they can be more easily bypassed, ignored, or overridden. Manual controls are also more prone to simple human errors, so the consistency of application of a manual control element cannot be assumed as it can for a well designed IT control. 
9-61 Risks related to the recording and processing of e-commerce transactions include the completeness, accuracy, timeliness and authorization of information in the entity's financial records. Control activities relating to transaction integrity in an e-commerce environment are often designed to, for example:
- validate input;
- prevent duplication or omission of transactions;
- ensure the terms of trade have been agreed before an order is processed (usually payment is obtained when an order is placed);
- distinguish between customer browsing and orders placed;
- ensure a party to a transaction cannot later deny having agreed to specified terms (non-repudiation);
- ensure transactions are with approved parties when appropriate;
- prevent incomplete processing by rejecting the order if all steps are not completed and recorded;
- ensure that transaction details are properly distributed across multiple systems in a network; and
- ensure records are properly retained, backed up and secured.
9-62 Possible fraudulent activities in e-commerce include the following:
• Unauthorized movement of money
• Payments to fictitious suppliers located in foreign jurisdictions
• Misrepresentations of company tenders
• Corruption of electronic ordering or invoicing systems
• Duplication of payments
• Denying an order was placed
• Denying an order was received
• Denying receipt of goods
• Denying that payment was received
• Falsely declaring that a payment was made
9-63 If IT processes are not properly aligned there is a risk of inconsistent recording and other errors. Many websites are not automatically integrated with internal systems, increasing the risk of inconsistent data existing in different components of the system. Transactions generated on the business website should be processed identically by the entity's internal systems, such as the accounting system, customer relationship management systems and inventory management systems (often known as "back office" systems).
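One way to check the integrity points in 9-61 and 9-63 with a computer-assisted test, as an added example that is not part of the original solutions: a Python reconciliation of website orders against back-office ledger postings. The record layout, function names and sample data are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    order_no: int            # prenumbered order number (assumed unique per web order)
    amount: Decimal
    completed: bool = True   # web side only: False means checkout was never finished


def control_totals(txns):
    """Record count, dollar total and hash total (sum of order numbers)."""
    txns = list(txns)
    return {
        "count": len(txns),
        "amount": sum((t.amount for t in txns), Decimal("0")),
        "hash_total": sum(t.order_no for t in txns),
    }


def sequence_gaps(txns):
    """Order numbers missing from an otherwise continuous prenumbered run."""
    seen = {t.order_no for t in txns}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def reconcile(web_orders, ledger):
    """Compare website orders with back-office postings and list every exception."""
    # Only completed orders should ever reach the accounting records.
    expected = {t.order_no: t for t in web_orders if t.completed}
    abandoned = {t.order_no for t in web_orders if not t.completed}
    posted = Counter(t.order_no for t in ledger)
    return {
        # Completeness: a placed order that was never posted.
        "omitted": sorted(n for n in expected if n not in posted),
        # Duplication: the same order posted more than once.
        "duplicated": sorted(n for n, k in posted.items() if k > 1),
        # Browsing or abandoned checkout recorded as a sale.
        "incomplete_posted": sorted(n for n in posted if n in abandoned),
        # Validity: a posting with no website order behind it.
        "no_source": sorted(
            n for n in posted if n not in expected and n not in abandoned
        ),
        # Accuracy: (order_no, web amount, ledger amount) where the two differ.
        "amount_mismatch": sorted({
            (t.order_no, expected[t.order_no].amount, t.amount)
            for t in ledger
            if t.order_no in expected and t.amount != expected[t.order_no].amount
        }),
        "web_sequence_gaps": sequence_gaps(web_orders),
        "totals_agree": control_totals(expected.values()) == control_totals(ledger),
    }


# Constructed sample data: website order log and back-office ledger postings.
WEB_ORDERS = [
    Txn(1001, Decimal("250.00")),
    Txn(1002, Decimal("99.95")),
    Txn(1003, Decimal("480.00"), completed=False),  # abandoned checkout
    Txn(1004, Decimal("75.50")),
    Txn(1005, Decimal("310.00")),
    Txn(1007, Decimal("42.00")),                    # 1006 is missing from the run
]
LEDGER = [
    Txn(1001, Decimal("250.00")),
    Txn(1002, Decimal("99.59")),   # transposed digits
    Txn(1003, Decimal("480.00")),  # incomplete order posted anyway
    Txn(1004, Decimal("75.50")),
    Txn(1004, Decimal("75.50")),   # posted twice
    Txn(1007, Decimal("42.00")),
    Txn(1009, Decimal("500.00")),  # no website order exists
]

if __name__ == "__main__":
    for finding, detail in reconcile(WEB_ORDERS, LEDGER).items():
        print(f"{finding}: {detail}")
```

The hash total matters when errors offset each other: if one order is dropped and another of the same amount is posted twice, the record count and dollar total still agree, and only the sum of order numbers differs.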
9-64 The three main parts of the transaction flow are input, processing and output.
9-65 Points of vulnerability to misstatement errors, classified in terms of manual input, computer processing and error correction activities when IT is used:
Manual input -
1. Activities related to source data preparation are performed, causing the flow of transactions to include authorization and initial execution.
2. Noncomputerized procedures are applied to source data, such as a manual summarization of accounting data (preparation of batch totals).
Computer processing -
3. Source data are converted into computer-readable form.
4. Input files are identified for use in processing.
5. Information is transferred from one computer program to another.
6. Computer-readable files are used to supply additional information relating to individual transactions (e.g., customer credit reports).
7. Transactions are initiated by the computer.
8. Output files are created or master files are updated.
9. Master files are changed (records added, deleted or modified) outside the normal flow of transactions within each cycle through file maintenance procedures.
10. Output reports or files are produced.
Error correction activities -
11. Errors identified by control procedures are corrected.
9-66 Control objectives are the same whether manual or computerized control procedures are used because the objectives relate back to the fundamental financial statement assertions. These never change regardless of what kind of information systems are used. The methods by which a control objective is achieved depend on the nature of the system and technology used to implement control procedures - these can be manual or IT-based methods.
9-67 Manual control procedures often involve creation of documentary evidence of compliance.
Visible evidence of the transactions and/or the control procedure may not exist in computerized processing, so different types of procedures may be required even though the control objective is the same. Manual controls are performed by people, and therefore may be less reliable than IT controls because they can be more easily bypassed, ignored, or overridden, and are prone to simple human errors. So manual controls must often also include monitoring procedures, such as reviews and reconciliations, to ensure their effectiveness.
9-68 In a manual system, credit approval can be indicated by the credit manager signing a source document, such as a customer’s order or invoice. In a computerized system, approval can be accomplished by the credit manager using an approved password that allows the release of a credit sale transaction by assigning a special code to it. The password provides access to programs that permit initiating a specific type of transaction only to authorized users.
9-69 The three conclusions the auditor can reach about control risk, and the implications for planning the audit are:
• Control risk may be assessed low, and it seems efficient to test controls. The auditor believes the control procedures designed to prevent or detect misstatements can be audited for compliance in a cost-effective manner. In this case the auditor plans an audit approach that combines control reliance and substantive testing.
or
• Control risk may be assessed low, but audit inefficiencies would occur if controls were tested. Control policies and procedures appear to be good, but testing controls is not cost effective because substantive procedures can provide sufficient appropriate evidence and are cheaper than a combined approach. In this case the auditors would concentrate attention on the substantive audit procedures.
or
• Control risk may be assessed high. Control policies and procedures do not appear to be sufficient to prevent or detect material misstatements.
In this case the auditors will concentrate on substantive audit procedures. The auditor also has additional responsibilities to report the control weaknesses to management and the audit committee.
9-70 The required degree of compliance is the auditors’ decision criterion for assessing whether controls perform well. Knowing that compliance cannot realistically be expected to be perfect, auditors might decide, for example, that evidence of using shipping documents to validate sales invoice recordings 96 percent of the time is sufficient to assess a low control risk for the audit of accounts receivable (controls relating to the existence assertion in receivables and sales). The actual degree of compliance is how well the company’s control procedures actually worked during the period under audit, which auditors can assess by performing control tests.
9-71 In the third phase of an internal control evaluation, auditors will have identified specific controls on which risk could be assessed very low (e.g., control strengths). To reach a final conclusion that control risk is low, auditors must determine (1) the required degree of company compliance with the key control policies and procedures and (2) the actual degree of control compliance for these key controls.
9-72 A control test is a test that auditors can perform to determine how well the company’s control procedures actually worked during the period under audit. A control test indicates whether the control activity works or not. It provides evidence about compliance with controls. A control test does not produce substantive evidence about monetary misstatements in the account balances. A control test can be designed as a dual purpose test that provides evidence about both compliance and substantive evidence about the monetary amount recorded.
9-73 The two parts of a control test are:
1. an identification of the data population from which a sample of items will be selected for audit.
2.
a description of the action taken to produce relevant evidence. In general, the action is to determine whether the selected items correspond to a standard (e.g., mathematical accuracy), and/or to determine whether the selected items agree with information in another data population. 9-74 The direction of a control test relates to control objectives because testing from source documents to accounting records (tracing) addresses the completeness objective, while testing in the opposite direction from accounting records to source documents (vouching) tests the validity/existence objective. Other terms sometimes used to describe direction of testing are ‘cradle to grave’ and ‘grave to cradle’. 9-75 Reperformance is when the auditors redo the arithmetic calculations and the comparisons done by the auditee company’s personnel. Inspection is when the auditors just look to see whether the documents were marked with an initial, signature or stamp to indicate that they had been checked (some refer to this as “pure” tests of controls). Some auditors think that reperformance is not necessary, and inspection is enough to test compliance with a control. A compromise is to perform both procedures (dual-purpose tests) on at least some of the tested transactions. 9-76 A dual purpose test provides, at the same time, evidence about control compliance and substantive evidence about the monetary amount recorded. 9-77 Control elements, such as segregation of employees’ duties, that leave no documentary evidence are tested by the auditor observing the performance of the control, for example watching employees performing control operations and ensuring that incompatible functions are performed by separate people. 9-78 Controls must be tested over the whole period under audit because controls affect the transactions recorded over the whole period that result in the final period-end account balances. 
In the case of audited general purpose financial statements, the conclusions about whether controls operated effectively will apply to the whole period under audit. If a control breakdown occurred for one month in the middle of the year, the transactions in that month may contain a high proportion of errors.
9-79 The auditor is responsible for reporting all identified control deficiencies, other than obviously trivial ones, to an appropriate level of management as soon as possible. The appropriate level of management is usually the one at least one level above those responsible for the deficient controls. The auditor has a responsibility to report all significant control deficiencies in writing to those charged with governance (audit committee or equivalent). Examples of such deficiencies are a control environment weakness indicating a lack of management competence or integrity, a lack of effective controls over critical accounting processes, a weakness allowing a material misstatement or fraud, or one that increases the entity’s susceptibility to fraud.
9-80 The auditor has a responsibility to assess internal control and fraud risk on all audits, and follow up on any suspected fraud to confirm or dispel the suspicion. All significant misstatements and all misstatements that appear to be intentional and fraud-related that are found during the audit must be communicated to those charged with governance (e.g., Audit Committee or Board of Directors).
9-81 The auditor should inform the appropriate level of management whenever he or she obtains evidence of a nontrivial misstatement, and of weaknesses in internal control that could allow a material misstatement to occur. The audit committee or board of directors should be informed of all significant misstatements and all misstatements that appear to be intentional and fraud-related.
9-82 Professional skepticism means the auditor should be aware of factors that increase the risk of misstatement.
Examples of such factors are those relating to the two types of fraud relevant to the auditor's consideration — that is, fraudulent financial reporting and misappropriation of assets. For each of these types of fraud, the risk factors are further classified based on the three conditions generally present when material misstatements due to fraud occur: • Incentives / pressures that create a motive to commit fraud; • Opportunities that provide conditions in which a fraud can be perpetrated successfully, which can include weaknesses in internal controls; and • Attitudes/rationalizations that are the effect of managers’ characteristics that indicate a lack of integrity, honesty and trustworthiness and virtuous ethical character. The auditor should also consider other factors in the auditee’s operations and its external operating environment that make the risk of misstatement higher, such as poor financial condition, changing market conditions, increases in input costs, etc. and take these into account in performing the audit. Professional skepticism also means the auditor has a responsibility to take appropriate action if there is evidence that suggests management dishonesty. The auditor neither assumes that the manager is honest nor dishonest and always needs to be sure that management’s representations and claims can be proven on the basis of objective information obtained independently of management. If the auditor does not find evidence that dispels a suspicion that management is dishonest, the auditor needs to consult with those responsible for governance in the auditee organization (audit committee, board of directors or other responsible parties) and may also need to seek legal advice if illegal acts are suspected and/or if the auditor believes it may be necessary to resign from the engagement. 
Professional skepticism helps auditors to meet their responsibilities to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether the misstatement is intentional or not, because it helps them to stay objective and not be overly influenced by management’s point of view.
9-83 Many factors that indicate high risk of material misstatement can be related to poor internal controls. If there are a lot of warning signs - “red flags” - present, the auditor will assess a higher inherent risk, and if control risk is also high, these higher assessments will require the auditor to perform more extensive work to ensure there is not a material misstatement in the financial statements.
9-84 If the auditor suspects that the financial statements are misstated, she or he should perform procedures to confirm or dispel that suspicion.
SOLUTIONS FOR EXERCISES AND PROBLEMS
EP9-1 a) Computer internal control understanding
Does access to on-line files require specific passwords to be entered to identify and validate the terminal user?
Possible errors or irregularities -- unauthorized access may be obtained to processing programs or accounting data resulting in the loss of assets or other company resources.
Are control totals established by the user prior to submitting data for processing?
Possible errors or irregularities -- sales transactions may be lost in data conversion or processing, or errors made in data conversion or processing.
Are input totals reconciled to output control totals?
Possible errors or irregularities -- sales transactions may be lost in data conversion or processing, or errors made in data conversion or processing. Control totals are useless unless reconciled to equivalent controls created during processing.
b) Computer internal control questionnaire evaluation
Weakness: Access to on-line files does not require specific passwords to be entered to identify and validate the terminal user.
Impact on audit approach and program -- This is a severe environmental control weakness that creates a high risk of unauthorized entries that could make the financial statements misstated. This weakness will make it unlikely that we can rely on any controls or any system generated information.
- A substantive approach will be required to verify all key assertions for all transactions and balances.
- Additional procedures to investigate whether any manipulation of data appears to be occurring as this may indicate attempts to cover up fraud or theft.
Weakness: No control totals are established by the user prior to submitting data for processing.
Impact on audit approach and program -- This weakness will affect the accuracy and completeness objectives in all data entry functions. As a result the system processing cannot be relied on. In the audit program, more extensive substantive testing of data output will be required, checking transactions back to source documents to verify accuracy and checking from source documents to transactions recorded in the books of account to test for completeness.
Weakness: Input totals are not reconciled to output control totals.
Impact on audit approach and program -- This weakness will affect the accuracy and completeness objectives in the output from the information system processing. In the audit program, more extensive substantive testing of data output will be required, checking transactions back to source documents to verify accuracy and checking from source documents to transactions recorded in the books of account to test for completeness.
EP9-2 Starting the "Logical Approach"
Identification of errors or irregularities and specification of accounts affected.
For each of the classes of transactions, the possible errors or irregularities can be expressed in general in terms of the seven control objective categories. Here's an expression of them, and you can guide students' suggestions to fit the list.
Possible Errors and irregularities
1. Invalid transactions are recorded.
2. Valid transactions are omitted from the accounts.
3. Unauthorized transactions are executed and recorded.
4. Transaction amounts are inaccurate.
5. Transactions are classified in the wrong accounts.
6. Transaction accounting is incomplete.
7. Transactions are recorded in the wrong period.
Students might need to think more specifically about which accounts could be affected.
i) Credit sales transactions
* Sales revenue
* Sales discounts
* Accounts receivable
* Inventory/Cost of Goods Sold
ii) Raw materials purchase transactions
* Purchases
* Inventory
* Cost of goods sold
* Accounts payable
iii) Payroll transactions
* Payroll expense
* Labor and overhead in inventory/cost of goods sold
* Accrued payroll liabilities
* Pension, profit sharing-based expenses and liabilities
iv) Equipment acquisition transactions
* Fixed assets
* Accumulated depreciation
* Depreciation expense
* Overhead in inventory/cost of goods sold
* Gain on disposition
v) Cash receipts transactions
* Cash
* Accounts/notes receivable
* Sales
* Other income
vi) Leasing transactions
* Property, plant and equipment
* Depreciation expense
* Overhead in inventory/cost of goods sold
* Interest expense
* Accrued interest payable
* Long-term debt (lease obligation)
* Current portion of long term debt
vii) Dividend transactions
* Liability for dividends declared
* Retained earnings
* Dividends declared/paid
viii) Investment transactions (short term)
* Cash
* Marketable securities (i.e. ‘financial instruments held for trading’, or ‘financial instruments at fair value through profit and loss’)
* Dividend, interest income
* Accrued interest receivable
* Gain/loss on disposition
EP9-3 Key control, control test evaluation
a) The auditor would consider this a key control because it is an important procedure to make sure all invoices that were issued were for real sales. If it was not performed well, non-existent sales could be entered and not detected.
b) The control test will indicate how well the company’s control procedures actually worked during the period under audit. If the test provides evidence that this control operated effectively during the audit period, the auditor can assess a low control risk for the controls relating to the existence assertion in receivables and sales. Since the auditee has a large number of customers, a large number of accounts would need to be audited at year end to get sufficient evidence that the accounts receivable balance exists (is not overstated). This control test provides evidence that can allow the auditor to reduce the amount of substantive testing that needs to be done on the audit of the year-end accounts receivable balance. This may be efficient. Also, this control test can be designed in a way to provide evidence on both control effectiveness and substantive evidence on existence of the sales transactions - if the test includes tracing the sale to the sales journal in the accounting records. This dual purpose test can be even more efficient than just testing the control itself.
c) A control test has two parts. Part 1 is an identification of the data population from which a sample of items will be selected for audit. Here the sample will be selected from the population of sales invoices issued during the year. The sample should include invoices from throughout the year so the test will provide evidence for the whole audit period. Part 2 is a description of the action taken to produce relevant evidence.
Here the action is to determine whether the selected invoices agree with information in another data population, the Shipper’s Receipts filed in the warehouse office for the whole year. d) At 95% or 100% the auditor would probably be able to conclude that this control is operating effectively. The larger the sample of invoices tested, the more confidence the auditor would have in this conclusion. For example, if 20 invoices were tested and one was wrong, compliance is 95%. If 100 invoices were tested and 5 were wrong the compliance rate is still 95% but the auditor has more confidence that this is the compliance rate for the whole population. Similarly, if 2 invoices were tested and neither was wrong, compliance is 100% but unless more invoices are examined the auditor would not have a lot of confidence assuming 100% compliance for the whole population. And as long as the auditor only looks at a sample and not the entire population of invoices, he or she can never have 100% confidence that the control is always operating. If the control test finds the control only operates 60% of the time, this is probably too low a compliance rate to indicate the control is reliable, regardless of how many invoices are tested. As an example, if 10 invoices are sampled and 4 are wrong, compliance is 60% - this finding may be due to very bad luck in choosing a sample that has a much higher rate of non-compliant transactions than actually exists in the population, and the auditor should discuss this finding with the auditee to see if there is some other reason that can explain it - maybe the auditee’s filing procedures changed during the year and the auditor’s test is not designed properly to find the documentation of the control. Once the control test design is fixed, it may make sense to do further testing to see if it indicates a higher compliance rate. 
If the auditee has no convincing explanation for such a low compliance rate in the sample, the auditor has to assume that compliance is too low. In this case there is probably no point in doing more control testing - the auditor should assume the control risk is high and do more substantive tests that can determine directly if there are misstatements (overstatements in this case) in sales and accounts receivable.
EP9-4 Online sales, audit procedures
a) The question requires one to consider how data entry controls can be designed in a setting where customers input their own order data. Some examples of controls include:
- Ranges of entry amount limits
- Playback of data entry for check by data entry customer and confirmation before updating the order system
- Valid data checks, e.g. credit cards start with certain numbers and have a certain number of digits, phone numbers and email addresses have certain features, etc.
b) As the controls probably leave no documentary evidence, observation and enquiry would be used to establish that effective controls exist. CAATs would be used to test other control procedures that are performed by the IT itself. IT audit techniques such as reperformance with test data or examination of program instructions might be used.
EP9-5 Tests of control procedure and audit programs
1. Credit approval
Control Objective: Authorization of credit sales transactions.
Test of Control Procedure: Select a sample of recorded sales invoices from the sales journal. Note the date, number, amount and customer name. Find the Copy 2 in the accounts receivable department chronological (date) file and read (vouch) the customer order to see if credit was approved according to company policy.
2. Sales transaction recording
Control Objective: Validity of recorded sales. Proper period recording of sales.
Test of Control Procedure: Select a sample of recorded sales invoices from the sales journal (same sample as in a).
Note the date, number, physical quantity and customer name. Find the Copy 3 in the billing department file for the recording date. Compare (vouch) the quantities noted in Copy 3. Note the shipping document number. Find the bill of lading in the shipping department numerical file. Compare (vouch) the quantity shipped, date and customer name. 3. Pricing and mathematical accuracy Control Objective. Mathematical accuracy of recorded sales. Authorized prices used on invoices. Test of Control Procedure: Select a sample of recorded sales invoices from the sales journal. (Same sample as in a and b). Note the date, invoice number, amount and customer name. Find Copy 2 (because it is the copy used in the accounting entry) in the accounts receivable department file (same copy as found in a). Look up the correct unit price in the catalog and recalculate the invoice arithmetic. 4. Classification of sales. Control Objective. Classification of sales. Test of Control Procedure. Select a sample of recorded sales from the sales journal (same sample as in a, b, and c). Find Copy 2 (same as a and c). Knowing the names of the subsidiary companies, determine whether Copies 2 with those names are coded "9" and so entered in the sales journal, and that none are not coded "9" and entered as sales to outsiders. EP9-6 Control Objectives and Procedures Associations Required: a. Opposite the examples of transaction errors lettered a-g, write the name of the control objective auditees wish to achieve to prevent, detect, or correct the error. b. Opposite each numbered control procedure, place an "X" in the column that identifies the error(s) the procedure is likely to control by prevention, detection, or correction. EXHIBIT EP 9-6-1 Solution Form a. "Validity" Sales recorded, goods not shipped b. "Completeness" Goods shipped, sales not recorded c. "Authorization" Goods shipped to a bad credit risk customer d. "Accuracy" Sales billed at the wrong price or wrong quantity e. 
"Classification" Product A sales recorded as Product line B f. "Accounting" Failure to post charges to customers for sales g. "Proper period" January sales recorded in December CONTROL PROCEDURES 1. Sales order approved for credit X 2. Prenumbered shipping doc prepared, sequence checked X X 3. Shipping document quantity compared to sales invoice X X X 4. Prenumbered sales invoices, sequence checked X 5. Sales invoice checked to sales order X 6. Invoiced prices compared to approved price list X 7. General ledger code checked for sales product lines X 8. Sales dollar batch totals compared to sales journal X X X 9. Periodic sales total compared to same period accounts receivable postings X 10. Accountants have instructions to date sales on the date of shipment X 11. Sales entry date compared to shipping doc date X 12. Accounts receivable subsidiary totaled and reconciled to accounts receivable control account X 13. Intercompany accounts reconciled with subsidiary company records X 14. Credit files updated for customer payment history X 15. Overdue customer accounts investigated for collection X X X X Note: Other categorizations besides those above may also be valid. [Formatting note: this exhibit should appear alone on one page so students can be given copies to complete] EXHIBIT EP9.6-1 Blank form for Students a. Sales recorded, goods not shipped b. Goods shipped, sales not recorded c. Goods shipped to a bad credit risk customer d. Sales billed at the wrong price or wrong quantity e. Product line A sales recorded as Product line B f. Failure to post charges to customers for sales g. January sales recorded in December CONTROL PROCEDURES 1. Sales order approved for credit 2. Prenumbered shipping doc prepared, sequence checked 3. Shipping document quantity compared to sales invoice 4. Prenumbered sales invoices, sequence checked 5. Sales invoice checked to sales order 6. Invoiced prices compared to approved price list 7. 
General ledger code checked for sales product lines
8. Sales dollar batch totals compared to sales journal
9. Periodic sales total compared to same period accounts receivable postings
10. Accountants have instructions to date sales on the date of shipment
11. Sales entry date compared to shipping doc date
12. Accounts receivable subsidiary totaled and reconciled to accounts receivable control account
13. Intercompany accounts reconciled with subsidiary company records
14. Credit files updated for customer payment history
15. Overdue customer accounts investigated for collection

c. Control Objectives and Assertions Associations
For each error/control objective, identify the financial statement assertion most benefited by the control. (Based on Exhibits 9-5 & 9-6)

Error/control objective, followed by Assertions:
a. "Validity" Sales recorded, goods not shipped: Existence/occurrence; Ownership (Rights/obligations)
b. "Completeness" Goods shipped, sales not recorded: Completeness; Ownership (Rights/obligations)
c. "Authorization" Goods shipped to a bad credit risk customer: Valuation
d. "Accuracy" Sales billed at the wrong price or wrong quantity: Valuation
e. "Classification" Product A sales recorded as Product line B: Presentation/disclosure
f. "Accounting" Failure to post charges to customers for sales: Presentation/disclosure, also Valuation
g. "Proper period" January sales recorded in December: Existence/occurrence

d. Auditee control procedures and auditor’s control tests
For each auditee control procedure numbered 1-15, write an auditor's control test that could produce evidence whether the auditee's control procedure has been installed and is operating effectively.

Sales Invoice Sample: Select a sample of random numbers representing recorded sales invoices, and:
1(a). Inspect the attached sales order for credit approval signature.
1(b). Trace customer to up-to-date credit file/information underlying the credit approval.
14. Note whether credit files are updated for customer payment history.
2. Inspect the attached shipping document for (i) existence, and (ii) prenumbering imprint.
3. Compare billed quantity on sales invoice to shipped quantity on shipping document.
4. Find the sales invoice associated with the random number (failure to find means an invoice wasn't recorded). Alternatively, use computer to add up the recorded sales invoice numbers and compare to a sum of digits check total.
5. Compare sales invoice to sales order for quantity, price, other terms.
6. Compare prices on sales invoice to approved price list.
7. Check product code for proper classification compared to product invoices.
11. Compare invoice date to shipping document date.

Other
2. Count the number of shipping documents (subtract beginning number from ending number) and compare to same-period count of sales invoices (to look for different number of documents).
2. Select a sample of random numbers representing shipping documents and look for them in the shipping document file.
2. Computer-scan the shipping document file for numbers missing in sequence.
2. Use computer to add the shipping document numbers entered in the files and compare to a computed sum of digits check total.
8. Find auditee's sales dollar batch totals, recalculate the total, and compare to sales journal of the relevant period.
9. Use the same sales dollar batch totals for comparison to separate total of accounts receivable subsidiary postings, if available.
10. Study the accounting manual and make inquiry about accountants' instructions to date sales on date of shipment.
12. Obtain auditee's working papers showing A/R subsidiary total reconciled to A/R control account. Alternatively, add up the subsidiary and compare to the control account.
13. Obtain auditee's working papers showing reconciliation of intercompany receivables and payables for sales and purchases. Alternatively, confirm balances with subsidiaries or other auditors.
14. Select a sample of credit files and trace to customers' accounts receivable, noting extent of update for payment history.
15. Study auditee correspondence on investigation and collection efforts on overdue customer accounts, noting any dispute conditions. If no effort is made, follow up overdue accounts with audit procedures (confirmation, determine existence of debtor, directories, etc.)

EP9-7
Part A
a. b. c.

Control 1
Purchase Requests from operating departments are authorized by the appropriate person in the requesting department.
Type: authorization procedures
Objective: authorization
Test: examine the PR documents to verify they have been signed

Control 2
The Purchasing Clerk verifies that there is a signature on the Purchase Request and then issues a pre-numbered Purchase Order for the items required. The Purchasing Clerk retains copies of the PR and the PO and files them by PO number.
Type: documentation and records created to support transaction
Objective: completeness, accuracy
Test: examine the PR/PO documents to verify they match, test numerical continuity

Control 3
The Purchasing Manager reviews Purchase Order to see whether the Purchase Request is authorized, and if so, approves it and forwards it to the Buyer.
Type: authorization is verified independently by segregation of duties
Objective: authorization
Test: examine the PR documents to verify they have been approved by Purchasing Manager

Control 4
The Buyer must select a vendor from a pre-approved list for all Purchase Orders over $5,000. For POs under $5,000 the Buyer can select any vendor.
Type: authorization control procedure to ensure company is receiving the best price and suppliers are at arm’s length from Buyer
Objective: authorization, validity
Test: examine the PO documents to verify those over $5000 are sent to a preauthorized vendor, scrutinize POs for signs the Buyer is sending these disproportionately to certain vendors, enquire of Purchasing Manager and Buyer about preauthorized vendors to assess their validity

Control 5
The Receiver who accepts the goods into the warehouse verifies that the quantity received matches the Bill of Lading, and signs on behalf of IMS for receipt of the goods listed on the Bill of Lading. If there is a discrepancy in the quantity received, the receiver does not sign the Bill of Lading; the Bill of Lading is sent to the Buyer to resolve the problem with the vendor.
Type: documents and records are used to record transaction information and allow for independent verification
Objective: accuracy, completeness
Test: examine the BL documents for evidence of quantities being verified, follow up of documents showing discrepancies to verify they have been signed for approval

Control 6
The Purchasing Clerk matches the signed BL with the filed copies of the PO and PR.
Type: documents and records to allow independent verification of details
Objective: accuracy, completeness
Test: examine the PO/PR documents to verify they agree to BL.

Part B
d. e. f.

Control Weakness 1
The Purchasing Clerk does not verify that the Purchase Requests are authorized by an appropriate person in the operating department, but only checks that there is a signature on the document.
Risk: unauthorized expenses may not be detected
Possible error: none in the financial statements (This is a subtle point, but even if expenses are improper, as long as they are correctly recorded as debits in the income statement accounts the net income is still correctly stated - effectively, these are a cost of doing business and should be recorded as such. This can, however, be seen as a type of misclassification misstatement in that the improper expenses should be shown as such in the income statement, not buried in with properly classified expenses. If improper expenses are detected by the auditor, this would indicate a fraud risk that needs to be followed up.), but management’s control objective of safeguarding company assets is not being met
Impact on audit: Inform management of internal control weakness, and potential fraud risk.

Control Weakness 2
Access to the warehouse is not controlled and anyone can enter and leave anytime.
Risk: Theft of goods after received
Possible error: If inventory is recorded then stolen, perpetual inventory will be overstated. The inventory count should pick up and record any shrinkage, so the year-end financial statements would be corrected (This point is subject to the same consideration as noted above for Control Weakness 1 - the ‘loss’ due to theft is a real cost to the business so needs to be recorded, but it should not be classified as part of Cost of Sales, and the implications for the auditor’s assessed risk of fraud need to be followed up.), but management’s control objective of safeguarding assets is not being met.
Impact on audit: Do not rely on perpetual inventory records. Increase substantive tests of inventory completeness. Inform management of weakness.

Control Weakness 3
The receiver does not match the BL to an authorized PO.
Risks: 1) unauthorized goods or incorrect quantities may be accepted, increase possibility of errors in recording accounts payable and purchases
Possible error: Incorrect purchases and account payable recorded (as above, if unauthorized inventory is then stolen, it will be a cost of doing business and not an error if loss is picked up by inventory count and adjustment for shrinkage)
Impact on audit: Increase substantive tests of payables, purchases, and expenses. Inform management of control weakness.
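The EP9-7 Part A tests and the Part B weaknesses can also be run as computer-assisted checks over the purchasing files. The following is an added example, not part of the original solution; the record layouts, department names, signers, vendors and amounts are constructed assumptions.

```python
"""EP9-7 purchasing control tests over constructed records (added example)."""
from dataclasses import dataclass

VENDOR_LIST_THRESHOLD = 5000  # Control 4: POs over $5,000 need a pre-approved vendor


@dataclass(frozen=True)
class PurchaseRequest:
    pr_id: str
    department: str
    signed_by: str  # "" means the PR carries no signature


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: int  # pre-numbered (Control 2)
    pr_id: str
    vendor: str
    amount: float
    quantity: int
    manager_approved: bool  # Control 3: Purchasing Manager approval


@dataclass(frozen=True)
class BillOfLading:
    bl_id: str
    po_number: int
    quantity: int  # quantity on the BL the Receiver signed


def improperly_authorized_prs(prs, authorizers):
    """Control 1 / Weakness 1: a signature alone is not enough; the signer
    must be an appropriate person for the requesting department."""
    return [pr.pr_id for pr in prs
            if pr.signed_by not in authorizers.get(pr.department, set())]


def missing_po_numbers(pos):
    """Control 2 test: numerical continuity of the PO file."""
    numbers = {po.po_number for po in pos}
    if not numbers:
        return []
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


def pos_outside_vendor_list(pos, approved_vendors):
    """Control 4 test: POs over the threshold sent to a vendor not on the list."""
    return [po.po_number for po in pos
            if po.amount > VENDOR_LIST_THRESHOLD and po.vendor not in approved_vendors]


def receipt_exceptions(bls, pos):
    """Control 6 / Weakness 3: match each signed BL to an approved PO."""
    by_number = {po.po_number: po for po in pos}
    exceptions = {}
    for bl in bls:
        po = by_number.get(bl.po_number)
        if po is None:
            exceptions[bl.bl_id] = "no PO on file"
        elif not po.manager_approved:
            exceptions[bl.bl_id] = "PO not approved"
        elif bl.quantity != po.quantity:
            exceptions[bl.bl_id] = "quantity differs from PO"
    return exceptions


# ---- Constructed sample data (hypothetical names and amounts) ----
AUTHORIZERS = {"Maintenance": {"A. Lee"}, "Production": {"M. Singh"}}
APPROVED_VENDORS = {"Northside Supply", "Delta Tools"}
PRS = [
    PurchaseRequest("PR-1", "Maintenance", "A. Lee"),
    PurchaseRequest("PR-2", "Production", "T. Cole"),   # signed, wrong person
    PurchaseRequest("PR-3", "Production", "M. Singh"),
    PurchaseRequest("PR-4", "Maintenance", ""),          # unsigned
]
POS = [
    PurchaseOrder(1001, "PR-1", "Northside Supply", 4200.0, 10, True),
    PurchaseOrder(1002, "PR-2", "Delta Tools", 7800.0, 5, True),
    PurchaseOrder(1004, "PR-3", "Northside Supply", 5000.0, 20, True),
    PurchaseOrder(1005, "PR-4", "Quickparts", 6100.0, 8, False),
]
BLS = [
    BillOfLading("BL-1", 1001, 10),
    BillOfLading("BL-2", 1002, 4),
    BillOfLading("BL-3", 1003, 3),
    BillOfLading("BL-4", 1005, 8),
]

if __name__ == "__main__":
    print("PRs not properly authorized:", improperly_authorized_prs(PRS, AUTHORIZERS))
    print("Missing PO numbers:", missing_po_numbers(POS))
    print("POs outside vendor list:", pos_outside_vendor_list(POS, APPROVED_VENDORS))
    print("Receipt exceptions:", receipt_exceptions(BLS, POS))
```

PR-2 is the case Control Weakness 1 describes: it would pass the Purchasing Clerk's signature check, and only a comparison against the list of appropriate signers flags it.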
EP9-8 Explain computer control procedures
a)
1. Input control objectives
• Transactions have been recorded properly (neither double-counted nor omitted--that is, control over validity and completeness)
• Transactions are transmitted from recording point to processing point
• Transactions are in acceptable form
2. Processing control objectives
• Loss or nonprocessing of data is detected
• Arithmetic functions are performed accurately
• Transactions are posted properly
• Errors detected in the processing of data are controlled until corrected and processed
3. Output control objectives
• Processed data are reported correctly and without unauthorized alteration
• Output is required by the user
• Output is distributed only to persons authorized to receive it
b)
1. Control procedures--input source data
• Registration at point of entry
• Sequential numbering
• Grouping (batching) with control totals
• Key verification
• Programmed edits
• Edits for completeness and reasonableness
• Checklists to ensure input arrived and on time
2. Control procedures--processing controls
• Prevention of loss or nonprocessing of data (e.g., control totals)
• Performance of arithmetic functions
• Assurance of proper posting (sample test of postings)
• Correction of errors
• Exclusion of unauthorized persons from operating areas (e.g., programmers)
3. Control procedures--output controls
• Review performed by originating area of the reports and other output data
• Sampling and testing of individual transactions
• Use of control totals obtained independently from prior processing or original source data
• Distribution lists used to route output only to authorized persons
• Making inquiries as to whether the output is desired by the recipient
(Solution adapted from CIA Examination)

EP9-9 Testing computer processing
a) The statement is reasonable as long as the auditor can obtain reasonable assurance that all invoices in the audit period are produced under exactly the same conditions.
The possibility for errors always exists even if a process is computerized, for example the data entered for processing could be such that the program does not process it properly (e.g. a 5 digit entry is made but the computer is only programmed to read four digits and ignores the fifth one, or the ‘Y2K’ type of problem). So, while not a lot is gained by randomly sampling the population with statistical methods, this does not mean that no errors can occur. If in fact the program is producing the wrong calculations, the extent of the resulting error will likely be huge.
b) The case scenario suggests there is a risk that the program may have changed during the period. Statistical testing of transactions from different periods could identify a program change that had an impact on the output amounts, which could result in a misstatement in the financial statements.

EP9-10 Control tests and errors/irregularities
1. Controlled access to blank sales invoices.
a) Observation. Visit the storage location yourself and see if unauthorized persons could obtain blank sales invoices. Pick some up yourself to see what happens.
b) Someone could pick up a blank and make out a fictitious sale. However, getting it recorded would be difficult because of the other controls such as matching with a copy from the shipping department. (Thus a control access deficiency may be compensated by other control procedures.)
2. Sales invoices check for accuracy.
a) Vouching and Recalculation. Select a sample of recorded sales invoices and vouch quantities thereon to bills of lading, vouch prices to price lists, and recalculate the math.
b) Errors on the invoice could cause lost billings and lost revenue or overcharges to customers which are not collectible (thus overstating sales and accounts receivable).
3. Duties of accounts receivable bookkeeper.
a) Observation and Inquiry. Look to see who is performing bookkeeping and cash functions.
Determine who is assigned to each function by reading organization charts. Ask other employees.
b) The bookkeeper might be able to steal cash and manipulate the accounting records to give the customer credit and hide the theft. (Debit a customer's payment to Returns and Allowances instead of to cash, or just charge the control total improperly.)
4. Customer accounts regularly balanced with the control account.
a) Recalculation. Review the auditee's working paper showing the balancing/reconciliation. Do the balancing yourself.
b) Accounting entries could be made inaccurately or incompletely and the control account may be overstated or understated.

EP9-11 Control risk assessment, online input
The question requires one to apply principles of control to a non-business situation. The response requires one to consider the objectives of tax return filing more generally, what can go wrong in terms of efficiency, accuracy and appropriateness of tax information submitted, and then identify how the e-file system may provide greater control and efficiency, and what new risks it might introduce.

EP9-12
1. The organizational structure should identify those responsible for overall management of IT and supervision of IT staff. The IT management would be responsible for design, implementation and monitoring of policies and procedures such as: controls over data centre and network operations; system software acquisition, change and maintenance; access security; application system acquisition, development, and maintenance; adequate safeguards over access to assets, systems and records; authorization for access to computer programs and data files; and periodic comparisons; separation of incompatible functions; error checking routines. These policies and procedures will reduce risk by supporting the effective functioning of IT application controls.
2. Management’s risk assessment process should include consideration of IT's role in achieving business objectives.
This will reduce the risk of inappropriate systems acquisition that do not reduce risks and help the organization meet its objectives.
3. The IT general controls should include performance reviews at appropriate management levels and follow up on any discrepancies, with appropriate action to implement corrections and necessary system changes. Management’s monitoring is important to reduce the risk that well designed control systems may not be operating effectively due to changes in personnel or operating conditions.
4. Management should implement general controls over to identify employees who should have access to data files and ability to make changes, and set up appropriate user identification procedures to limit access to those authorized. Physical access controls over data and systems are required to reduce risk of unauthorized changes. Data and system backup procedures should be routinely performed. Disaster recovery plans to restore data and processing capability should be in place, with well understood by key employees, or to provide backup processing capability and

SOLUTIONS FOR DISCUSSION CASES

DC9-1 Back-up procedures, impact on internal control risk
a) The case involves auditee company procedures for backing up computer files, and the implications of this on internal control risk. Management’s cost-benefit decision has resulted in a system that appears to operate well enough considering there is a fairly low risk of lost files. However, more comprehensive storage procedures are becoming relatively cheap, and the ability to store all prior periods’ details may create opportunities for management review and analysis. This analysis can support more intense supervision of operations and improve management’s ability to assess whether the reported sales data are accurate, thus having implications for financial reporting.
There is also some technological risk to consider: the backup disks may deteriorate and the equipment for reading them will become hard to maintain and ultimately obsolete over time. A more up-to-date backup technology would strengthen the general control over data storage and so management’s cost/benefit decision is due to be reconsidered, and the auditor may communicate relevant information about the latest backup technologies to management as a comment on control adequacy.
b) The audit approach will need to accommodate the current backup procedures, and ensure that the management provides the appropriate files required for year end testing. The lack of transaction data through the period may create a scope limitation if there is insufficient data to allow for the extent of transaction testing required. Consider whether other sufficient evidence can be obtained to support substantive procedures, such as printouts of the monthly sales transactions listings. If there are key controls that are IT-based without leaving external documentary evidence, it is unlikely that a combined approach could be used on this audit unless the computer transaction files are retained for the full period under audit. So the recommendations to management to consider this type of system change would also increase the scope for the company’s auditor to consider a combined approach, and potentially increase the efficiency of the audit.

DC9-2 Control Risk Assessment and Testing - Costs and Benefits
The case gives detailed sales systems descriptions for two different businesses with different inherent risks. Avocet is a high volume, low value cash business with high inventory turnover. Bobolink is a high value low volume business with low turnover where it is relatively easy to identify inventory and ownership issues.

Control risk assessment, control testing costs and benefits
a) Consider the difference in risks in operating these two businesses.
Avocet is a high volume, low value cash business with high inventory turnover. The main risks are to secure the cash on hand, ensure food orders are correctly completed, and that food is charged correctly to customers. There are also operating risks related to food items, which can be stolen or wasted. Inaccurate daily records of sales are also a risk, as the volume of transactions is high.
Bobolink is a high value low volume business with low turnover and easy to identify inventory and ownership issues. The risk of misappropriation of inventory is low, but incorrect pricing may be used and can have a big impact - this could be done intentionally for example in collusion with a customer to give a low selling price. There is credit risk - if the credit is granted inappropriately the selling price will not be collected. There is also security risk over cash: if a cash sale occurs it would be a large sum to have on hand. An operating risk is keeping correct records on warranties, service contracts, and leases.
b) Avocet: input - POS entries when food is sold have various edit controls to prevent incorrect entries and food preparation; processing is by the POS system so correct prices are used and a second cash total is tracked for reconciling to the cash on hand, and uplink to central processing at head office will have security and access controls in the telecommunications software; and output control procedures involve routines for producing daily reports and reconciliations.
Bobolink: input controls are use of standard forms with duplicates and authorizations prior to finalizing sales contracts and financing, processing is fairly straightforward given low volume and similar terms for each transaction, and output is used for incentives and other decisions so supervisory reviews provide a good control over accuracy, completeness and authorization.
c) Consider that different controls address different points in the control risk - detecting it after the fact or preventing it in the first place. Control procedures should fit the kinds of risks identified in the different businesses, given consideration of the fact that preventative controls may be more costly than detective and correction controls, and in some cases may not be possible. This part requires one to assess whether the controls are appropriate in terms of the trade-off between cost and effectiveness, and suggest improvements if possible.
Avocet: POS input and processing controls are preventive control procedures, manager observations are detective, cash reconciling and daily report reviews are detective.
Bobolink: standard forms and authorizations prior to finalizing sales contracts and financing are mainly preventive, using duplicate forms and supervisory reviews are detective, and output used for incentives and other decisions are detective.
d) Control strengths [S] and weaknesses [W] in the sales systems that can affect the financial reporting include (some assumptions are made where details are missing in the system descriptions provided):

Avocet
Validity
• Only authorized employees with access codes can use POS terminals [S]
• Supervisory control by manager circulating and spot-checking ensures food is prepared only when order was entered [S]
Completeness
• POS entry required to prepare/serve food. [S]
• Cash reconciliation to POS is performed regularly [S]
• Cash balanced and deposited daily - may be large amount of cash on premises inviting theft [W]
• Cash collection and order entry not segregated [W]
Authorization
• Only employees with authorized access codes can use POS [S]
• Order entry and food service segregated [S]
Accuracy
• Programmed prices and processing control accuracy [S] (auditor needs to test the programming to assess controls)
Classification
• POS and processing will classify sales, returns [S] (auditor needs to test the programming to assess controls)
Accounting
• Summary reports are reviewed by manager and head office [S]
• Pricing and summarization automatically by POS system function means any program errors, e.g. incorrect product prices, can result in large errors [W]
Proper period
• Programmed dates determine period sales are entered in [S] (auditor needs to test the program to assess this control)

Bobolink
Validity
• Purchase agreement form approved by customer and general manager (GM) prior to delivery [S]
• Sales are reported to manufacturer’s head office, this ensures inventory sold existed and sale is valid [S]
Completeness
• Sale requires legal documentation of ownership transfer [S]
• Sale amount can be negotiated so improper prices may be used [W]
• Cash sales are verified by general manager [S]
• Cash sales can result in large quantity of cash on hand that is vulnerable to theft [W] (auditor needs to assess procedures for securing and depositing cash)
• Commissions reports reviewed by salespeople will ensure sales are not understated [S]
Authorization
• Credit must be approved by GM and finance company prior to sale [S]
• Bookkeeper also follows up on collection, this lack of segregation can allow funds to be taken improperly and covered up in the books [W]
Accuracy
• Sale details verified by customer and GM [S]
• Sales entry segregated from salespeople, done by bookkeeper [S]
Classification
• Serial numbers and car sales documents distinguish car sales from other revenues, e.g. service, parts and accessories [S]
Accounting
• Bookkeeper’s work does not appear to be reviewed or reconciled to sales documents by GM [W]
Proper period
• Sales may be recorded prior to receipt of funds from bank or leasing company, so if there is a problem with the credit granting process the sale may be recorded too early [W]

e) Control tests and assertions related to the control. At this stage, only general descriptions of how to test controls are expected. More detailed explanations and examples of control tests for sales transactions are covered later in Chapter 11.

Avocet
• Visit restaurant and enquire of manager and employees regarding daily control procedures in the restaurant
• Observe daily procedures match the way employees and manager described them
• Review system documentation for POS
• Use CAAT to verify operation of programmed controls
• Test access controls using an invalid entry, and by enquiry of employees
• Select a sample of daily cash summaries and examine for evidence of reconciliation to cash on hand, follow-up and resolution of any discrepancies (trace to cash journal entry to extend to a dual purpose test)
• Select a sample of daily summaries transmitted to head office and examine for evidence of management review (trace to sales journals for a dual purpose test)

Bobolink
• Obtain the list of sales for the year and scan for unusual items.
• Select a sample of sales and obtain related purchase agreement form and car purchasing finance - examine for evidence of review and approval by GM
• Enquire of GM and bookkeeper regarding cash handling and deposit procedures.
• Enquire of bookkeeper regarding procedures for entering sales and proceeds from financing companies.

f) Discuss pros and cons of testing/relying on controls in the two different situations, and suggest an audit approach based on cost/benefit considerations of testing controls.
For Avocet, as many of the processes and controls are performed by the computerized information system, it will be necessary to rely on controls in the programs and processing. The high volume of low value transactions also indicates a systems-based approach using CAATs. Analytical procedures can provide substantive evidence on whether sales are materially misstated. Analyses such as comparison to prior periods, to other operating financial measures such as food purchases and wages, to non-financial measures such as retail floor area/seating capacity and to industry averages can be cost-effective.
For Bobolink, the low volume and high value of the main sales items indicates a substantive approach, involving verifying a relatively large number of sales transactions, may be more effective than control testing. The controls are mainly manual, each transaction is unique and well documented. It is also possible to confirm various details for sales transactions with the car manufacturer. The control tests identified in b. relate mainly to assessing whether there are any weaknesses that create a risk of financial misstatement.

DC9-3 Costs and Benefits of Control
A. Porterhouse management may hesitate because its expected loss from bank accounting errors may be less than $10,000, or the expected benefit (reduction of the expected loss) by $10,000 or more might be in doubt. Bank accounting is generally very accurate and further analysis might confirm management's hesitation.

B. Josh Harper should install the steel doors and burglar bars but not hire the armed guards.

Cost-Benefit of Doors and Bars
Benefit: $500,000 loss x 90% elimination                                      $450,000
Qualitative benefit--The company is no longer a "push-over target" for thieves  Unknown
Direct cost                                                                   ($25,000)
Direct cost-subsequent maintenance                                            small
Qualitative costs                                                             none (?)
Net benefit estimated                                                         $425,000

Cost-Benefit of Armed Guards
Benefit                                                                       $500,000
Qualitative benefit--no longer a "push-over target" for thieves               Unknown
Direct cost                                                                   (75,000)
Direct cost--subsequent inflation                                             some expected
Qualitative cost--possibility of someone being killed or wounded in robbery attempt; social and insurance costs   remote, but high
Net benefit estimated                                                         $425,000

Marginal Analysis (Measurable Information)
1. If armed guards are hired, no more loss reductions (benefit) is available to justify the additional $75,000 direct cost.
2.
                                       Doors and Bars Only   Guards Only   Both      Neither
Loss expected without control          500,000               500,000       500,000   500,000
Remaining expected loss with control   50,000                -0-           -0-       500,000
Benefit (expected loss reduction)      450,000               500,000       500,000   -0-
Cost of control                        25,000                75,000        100,000   -0-
Net benefit                            425,000               425,000       400,000   -0-

The armed guards control has two adverse factors not expected with the doors/bars control: (1) Inflation in guard costs will probably outpace the doors/bars maintenance costs and (2) The possibility of a shooting incident on company property is not very appealing.

C. Both of the manager's assertions are justifiable.
1. Cost-Benefit of the New Arrangement
Benefits
4 meals @ $6 x 260 days                                                       6,240
10 meals @ $6 x 104 days                                                      6,240
Customer satisfaction                                                         some
Possible reduction of exposure to theft loss to collecting cashier at end of food line (former arrangement)   *
Total benefits                                                                12,480
* The control is cost-beneficial without considering whether theft of cash had occurred.
Costs
New salary, annual                                                            10,000
New adding machine, 5-year life                                               500
Employee dissatisfaction                                                      none expected
TOTAL COST                                                                    10,500
Net benefit, first year                                                       1,980
Net benefit, succeeding years                                                 2,480**
** Assuming inflation in food prices tends to offset future salary increases.
2. The control is better because
(i) The recording duty and cash custody are separate.
Running the cash register amounts to authorizing and recording transactions for all practical purposes, and under the former arrangement this person also handled the cash. The cashier could have failed to ring up a sale and just pocketed the money.
(ii) The manager can compare the internal adding machine cumulative total to the cash register total for correspondence of amounts. A theft would require collusion of both persons.

D. CAS 256, paragraph 10 is relevant to this situation. It states:
“10. The auditor shall also communicate to management at an appropriate level of responsibility on a timely basis: (Ref: Para. A19, A27)
(a) In writing, significant deficiencies in internal control that the auditor has communicated or intends to communicate to those charged with governance, unless it would be inappropriate to communicate directly to management in the circumstances; and (Ref: Para. A14, A20-A21)
(b) Other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor's professional judgment, are of sufficient importance to merit management's attention. (Ref: Para. A22-A26)”
Paragraph A2 is also useful in this case:
“A2. In discussing the facts and circumstances of the auditor's findings with management, the auditor may obtain other relevant information for further consideration, such as:
• Management's understanding of the actual or suspected causes of the deficiencies.
• Exceptions arising from the deficiencies that management may have noted, for example, misstatements that were not prevented by the relevant information technology (IT) controls.
• A preliminary indication from management of its response to the findings.”

Assuming that you communicated this control deficiency to the local manager prior to including it in your report to the ‘central administration’ (i.e., a level of management above the local manager in this case), his views on it might have been incorporated in your communication. However, since you have concluded that the control deficiency is significant despite the manager’s views on it, clearly you do not agree with the manager’s position. You could give advice to the manager about your analysis and conclusion. Still, the manager is the one responsible for risk analysis and cost-benefit decisions. You are responsible for conducting an audit that meets the requirements of the CAS that are relevant to the audit. It is not appropriate for the manager to include any statement in your communication. If the manager wishes to add a statement to a report that the central administration will prepare, for example a control report to be forwarded to a higher level of governance in which they copy your communication, you would not express any opinion on management's statement. This is an internal matter that is beyond the scope of your engagement. If asked to provide a response to the manager’s statement, you would disclaim any opinion about the statement because it is beyond the scope of your work to opine on such matters. This response assumes you have been engaged just to audit the financial statements, not to report on the effectiveness of internal control. There may be other considerations in an engagement to specifically provide an audit opinion on control effectiveness.

DC9-4 Controls, fraud risk
SB Construction Company--Significant Control Deficiency/Material Weakness in Internal Control
The discussion could take several directions, including some or all of the following:
1. Material Weakness.
The facts seem to suggest "a condition in which specific control features (few or none are described) or the degree of compliance with them do not reduce to a relatively low level the risk that errors or fraud in amounts that could be material to the financial statements may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions." Gee has authority and influence over too many interrelated activities. Nothing he does seems to be subject to review or supervision. He even is able to exclude the internal auditor. An identification of the potential irregularities will illustrate the misdeeds he can perpetrate almost single-handedly.
2. Potential irregularities include:
a. Gee can collude with customers to rig low bids and take kickbacks, thereby depriving the company of legitimate revenue.
b. Gee can direct purchases to favoured suppliers, pay unnecessarily high prices and take kickbacks. He might even set up a controlled dummy company to sell overpriced materials to the company. No competitive bidding control prevents these activities.
c. Gee, through the control of physical inventory, can (i) remove materials for himself, and (ii) manipulate the inventory accounts to conceal shortages.
d. Gee can order truck shipping services for his own purposes and cause the charges to be paid by the company.
e. Gee can manipulate the customer billing (similar to a above) to deprive the company of legitimate revenue while taking an unauthorized commission or kickback.
3. Almost every desirable characteristic of good internal control has been circumvented:
a. Segregation of Functional Responsibilities. Gee has authorization and custodial responsibilities.
b. Authorization, Supervision. Gee is apparently subject to no supervision or review. The accounting staff is probably powerless to challenge transactions because of Su's apparent approval of Gee's powers.
c. Controlled Access.
The whole situation gives Gee access to necessary papers, records, and assets to carry out his one-man show.
d. Periodic Comparison. No one else apparently has any access to the materials inventory in order to conduct an actual count for comparison to the book value (recorded accountability) of the inventory.

DC9-5 Cash Receipts Control

a) See the System Flowchart in the Figure on the next page. Students could be asked to prepare a bridge working paper for parts b and c.

b) The main "material weakness" lies with Sue Kenmore's cash handling duties. She could allow more discount than the customer actually took or approve a credit for a return that was not made in order to (1) take cash for herself, and (2) keep the customer's account properly stated. This weakness is magnified by the fact that no one reviews the amount or pattern of discounts and return allowances for accuracy or reasonableness. An auditor might suspect that Sue has taken cash in this manner from a review of the sales statistics. Observe the following percent relationship of discounts and allowances:

Year    Percent of Sales    Recorded Amount    Amount @ 3%    Difference
2006    3.03%               $   500            $   495        $     5
2007    2.96                    550                557             (7)
2008    2.95                    520                528             (8)
2009    3.10                    570                551             19
2010    3.97                    950                719            231
2011    5.02                  1,480                884            596
2012    5.99                  2,230              1,117          1,113

The normal discount of 3% is exceeded by 2010 (when Sue was first employed). The increasing amount of return credits could account legitimately for the difference, but it looks like $1,940 may have been stolen since 2010. Also, Sue seems to enjoy an expensive automobile, which might be considered beyond the normal means of someone who can't afford to go to college.

c) This is a small business, a fact that should be considered when making recommendations.

1. Sue Kenmore has an improper combination of duties--custody of cash plus a major record-keeping responsibility.
Someone else (Janet Bundy) should receive cash in the store, prepare the remittance list and prepare the bank deposit, especially if Sue continues to keep the cash receipts journal. Sue can post the cash receipts journal from a copy of a remittance list or daily cash report (including sales not on account) prepared by Janet. Then Sue will not have access to the cash. Sue also has authority to approve discounts and allowances. There may be a question of whether she is competent (qualified, experienced) to do so. This function may be left with Sue so long as Janet is responsible for the remittance list. If Sue is embezzling money, her motivation to approve erroneous discounts will be removed because she no longer can handle the money.

2. David Roberts should be assigned the duty (supervisory) of reviewing discounts and allowances for reasonableness and proper approval. He is experienced and is in charge of supervising the record keeping.

3. The cash receipts journal appears to be a superfluous record. A daily cash report of over-the-counter sales and collections on account (mail and in the store) could serve in its place.

FIGURE “SYSTEM FLOWCHART--SALLY'S CRAFT CORNER”

DC9-6 Tests of control, IT-based sales system

This case involves a sales data processing system where some components of the data processing do not involve producing a traditional paper sales document. The case requires one to design procedures for testing sales controls, which are generally described in terms of paper documents. To do this one must understand the underlying objectives from the descriptions of the given procedures, that is, obtaining evidence regarding the assertions of the reported sales amounts. It is necessary to apply this understanding of the control testing objective in a new setting by considering how these same objectives can be met in a paperless transaction processing system. One possible approach is outlined below.
First, since many aspects of the process are computerized it is necessary to assess general controls over the computer system environment, such as access to data and programs, authorization of data entry and program changes, control over accuracy and authorization of processing. Some aspects require the auditor to have computer programming and system expertise, or to rely on a specialist with this expertise. It is also necessary to recognize the high degree of integration between Garganey’s and BMI’s computer systems, thus some assurance that BMI’s system is operating under control is needed. This can be obtained by obtaining a report from BMI’s auditor regarding any aspects of computer controls that could present a risk in Garganey if they are absent or ineffective. Next the system should be documented to identify areas where assurance is needed on computerized processing and controls, and areas where documents are used for processing and control and thus available for inspection and verification procedures (e.g. shipping instructions documents signed by delivery driver, and bank statements showing electronic funds transfers). Finally, consideration of the extent to which control testing is efficient and effective needs to be analyzed. Independent and sufficient evidence of validity and completeness of sales to BMI may be obtained by a year-end confirmation (substantive procedures). Analytical procedures involving costing data can provide good evidence of validity and completeness. Thus understanding controls, identifying risks (i.e. what kinds of errors could occur) and assessing potential for misstatements arising from risk may suggest a substantive approach is best. DC9-7 Flowchart control points a) 1. Control over issuance and retirement of badges. 2. Control totals developed from input card punch (read electronically) operation with comparison to detail records to ensure that all cards are processed accurately. 3. 
Control over authority for master file changes and over custody of the master file. 4. Controls to ensure that exceptions are resolved by the foreman (e.g., review procedures or a surprise audit, if necessary.) 5. Control over authority to issue special and indirect labour charges to maintain integrity of cost accounting system. 6. Control totals developed for input job transaction cards and output error listing to ensure that all cards are processed and reprocessed accurately. 7. Controls to ensure that all rejected and erroneous transactions are cleared promptly (e.g., review procedures and a surprise audit, if necessary). b) The question requires one to study a flowchart and update it to reflect adoption of a new automated procedure for employee access and generation of hours-worked entries in a job costing system. Principles of control need to be applied to consider the control strength and efficiencies the new procedure can provide, as well as the new control risks that need to be addressed by control procedures to avoid errors in payroll and job costing. DC9-8 Audit approach, computer service organization The case involves a service organization that produces accounting data, and determining how to obtain audit evidence for leasing revenues in this situation. One possible response: a) Reperformance of the lease calculations manually, analysis based on standard lease terms (if they are reasonably consistent from lease to lease), obtain assurance from the service organization’s auditor over the processing validity and completeness (accuracy) of lease schedules and controls, b) Availability of relevant and reliable data for analytical procedures, availability of service organizations audit report, materiality, audit risk, history of errors, etc. DC9-9 Audit Approach Decision, Combined or Substantive. 
Information given in the case regarding planning factors such as materiality and risk assessment, controls, nature of transactions, volume, and use of analysis and non-financial information [e.g., rooms x occupancy rate] can be applied to making a decision on which audit approach to use.

a) Since it appears there is easily obtainable substantive evidence regarding the revenues and receivables, a substantive approach could be supported for this case. Note that different auditors might make a different choice, by identifying some controls to test and rely on.

b) An audit program should be developed listing procedures that can give sufficient, appropriate evidence. The procedures should be clearly described in terms of the evidence gathering techniques to be applied along with the relevant assertion(s) linked to each procedure. The procedures selected should be consistent with the substantive audit approach selected in the case, and cover all the assertions. Information relating to reasonable timing and extents should also be considered.
An Audit Program of relevant procedures includes:

Columns: Nature of audit procedure / Type of evidence it provides; Assertions addressed [E C O V P]; Timing; Extent, if relevant

- Enquiry regarding rental terms and conditions, property ownership, etc. [P]
- Enquiry regarding property ownership, etc. [O P]; Planning
- Inspect properties, ownership documents/title to establish Golden Years’ rights to rental receipts [E C O]; y/e; sample largest, cycle through smaller
- Review tenant leases, terms [V O P]; y/e; sample
- Vouch revenue reports, cash receipts to bank records [E C V]; y/e; sample
- Cut-off tests of last rent payments received/paid, first payments in new year [E C]; y/e; all
- Analytical procedures relating to # units, rent/unit, vacancy rates, etc. [E C V]; y/e
- Analysis of uncollectible accounts (trends in relation to revenues, economic conditions) (inspect records of unpaid rents), verify provision is adequate [V]
- Assess vacancies information is reliable by enquiry, inspection of records, observation (might drive by at dusk to see # lights on) [E V]; y/e or interim
- Tenant confirmations, if RMM level warrants this [E C V O]; y/e; sample
- other valid procedures and approaches [with related assertions]

APPENDIX 9B UNDERSTANDING INFORMATION SYSTEMS AND TECHNOLOGY FOR RISK AND CONTROL ASSESSMENT

SOLUTIONS FOR REVIEW CHECKPOINTS

9B-1 In most organizations, accounting information systems and internal controls documentation are found in computer systems documentation, computer program documentation, systems and procedures manuals, flowcharts of transaction processing and accounting manuals. Minimum documentation requirements for a good control-oriented accounting system include a chart of accounts and some written definitions and instructions about measuring and classifying transactions. Internal control documentation should contain statements of objectives, policies and procedures.
9B-2 Management monitoring of controls involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Ongoing monitoring includes regular management and supervisory activities. Managers are in touch with operations and may question reports that differ significantly from their knowledge of operations. Monitoring of controls is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Monitoring is done to ensure that controls continue to operate effectively. For example, if the timeliness and accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them. 9B-3 All accounting systems, whether computerized or manual, consist of four essential functions—data preparation, data entry, transaction processing and report production and distribution. 9B-4 The audit trail starts with the source documents and proceeds through each step in the accounting system processing to end up at the financial reports. Auditors can follow this trail backwards from the financial reports to the source documents to determine whether everything in the financial reports is supported by appropriate source documents. They can follow it forward from source documents to reports to determine that everything that happened (transactions) got recorded in the accounts and reported in the financial statements. 9B-5 The extent of IT use has an impact on how a client produces financial information. The information systems and IT used in the client’s significant accounting processes influence the nature, timing and extent of planned audit procedures. Significant accounting processes are those relating to accounting information that can materially affect the financial statements. 
Important matters to consider include its complexity, how the IT function is organized and its place in the overall business organization, data availability, availability of CAATs, and the need for IT specialist skills.

9B-6 Transaction trails may be available only in computer-readable form for short periods and possibly in a complex form. Input data, system-generated files and other data required by the audit team to follow this trail may exist only for short periods or only in computer-readable form. In some systems hard-copy input documents may not exist at all because information is entered directly. The data retention policies adopted by a client may require auditors to arrange for certain information to be retained for audit purposes. Also, auditors may need to plan to perform certain audit procedures at an interim date while the information is still available.

9B-7 If significant accounting applications are processed at outside service centres, it may be necessary to co-ordinate audit procedures with service auditors. (Refer to Chapter 21 for a discussion of service auditors.)

9B-8 IT audit specialist skills are needed when a client uses complex data processing, programming languages, or software packages. The system may be organized so that little data exists outside the system for verifying all aspects of accounting transaction entry, processing and output. These characteristics often mean computer-assisted techniques need to be used to understand the flow of transactions or to design and perform audit procedures, so specialized skills relating to various methods of using computer-assisted audit techniques may be needed.

9B-9 In a highly decentralized organizational structure, the computer hardware and software usually will not be uniform throughout the company. Thus, auditors may need to visit many locations to obtain the necessary audit information.
9B-10 Data availability may require the auditor to do some work at an interim date (earlier than year end) if the client does not normally retain all the necessary data until the year-end audit field work time. Also it may be necessary to observe procedures when no paper-based evidence of controls or other procedures is available.

9B-11 A simple IT-based system, such as a Local Area Network (LAN), has a central processing facility, usually a server or personal computer (PC), and several other PCs connected to the network. Several LANs can be combined into a wide-area network (WAN). The central processing facility may be set up as a batch system where all records to be processed are collected in groups (batches) of like transactions and processed using the same programs and the same master files. After completion of the processing the output (e.g., cheques and reports) will be distributed.

9B-12 General control procedures include: organization and physical access; Documentation and Systems Development; Hardware controls and preventive maintenance; Data File and Program Control and Security; Backup and recovery procedures; File Security; File Retention; System conversion controls (procedures to ensure the data is transferred completely and accurately and that an accurate cut-off between the two systems is achieved).

Application control procedures include:

Input Controls:
• input authorization
• check digits
• record counts
• batch financial totals
• batch hash totals
• valid character tests
• valid sign tests
• missing data tests
• sequence tests
• limit/reasonableness tests
• error correction and resubmission

Processing Controls:
• run-to-run totals
• control total reports
• file logs
• limit/reasonableness tests

Output Controls:
• control totals
• master file changes
• output distribution

9B-13 Input Controls - primarily preventive. Processing Controls - primarily oriented to detecting misstatements.
Output Controls - primarily oriented to correcting misstatements already in the system.

9B-14 A self-checking number is a two-part number consisting of a basic set of digits followed by (or preceded by) a "check digit." The check digit is determined by performing a mathematical calculation on the basic set of digits, thus an erroneous basic number may be detected by a computer. A common self-checking number is on every credit card number.

9B-15 Five types of edit or validation controls:
• Valid character tests: check input data fields to see if they contain numbers/alpha characters when they are supposed to.
• Valid sign tests: check data fields for appropriate plus or minus signs.
• Missing data tests: check data fields for blanks when they must contain data.
• Sequence tests: test the input data for numerical sequence of documents for batch processing, or missing documents in a prenumbered series.
• Limit or reasonableness tests: check whether data values exceed or fall below some predetermined limit or other unusual values that might be errors.

An example of each for fields on a sales invoice form:
• Customer name and number - Valid character test: customer number should have numbers/letters in accordance with the number assigning convention used to set up the system.
• Dollar amount of the sale - Limit or reasonableness tests and valid sign tests: flag amounts that are zero or negative, or larger than reasonable for the kinds of sales the company invoices.
• Shipping document number field - Sequence tests: ensure all shipping documents issued result in an invoice, or Missing data tests: invoice should not be issued without matching to a shipping document.

9B-16 Documentation differs significantly as to inclusion of program flowcharts, program listings, and technical operator instructions.
File security and retention differs because of the relatively delicate form of the magnetic media requiring fireproof vault storage, insulation from heat, water, light (and other magnetic fields in the case of some older storage media such as tape reels), safeguards from accidental writing on data files, and so forth. 9B-17 Computer system documentation is used to manage, operate, maintain and control the input, processing and output functions of the computer system. Auditors review documentation to gain an understanding of the system and to determine whether the documentation itself is adequate for helping manage and control the computer processing. 9B-18 Auditors need to have an understanding of system conversion controls, so they can assess any risk of misstatement arising from the conversion process. The auditor needs to evaluate the input, processing, and output controls that are in place whenever a system is converted into a new one. These controls are required to ensure that all the information is transferred accurately and completely from the old system to the new one, so affect the risk of misstatement. 9B-19 Control weaknesses in IT can increase the risk of material misstatement. For example, lack of input controls may permit data to be lost or double-counted, and poor processing control can permit accounting calculation, allocation and classification errors to occur. Poor output controls over distribution of reports and other output (negotiable cheques, for example) can be the source of misstatements that could make financial statements materially misleading. 9B-20 If a key control is absent, the potential weakness may be offset by one or more compensating controls at later stages. If compensating controls are in place control still can be considered effective for the accounting records and financial statements. 
For example if the input validity is not checked prior to data entry, but a daily summary report is reviewed by a manager and any exceptions or unusual items are followed up and corrected, this set of procedures may provide adequate control over input validity. 9B-21 Evaluating general and environmental controls before evaluating the more specific application controls is often most cost effective because the general and environmental controls have a more pervasive impact and tend to be preventive in nature. Generally, a weak control environment cannot be compensated by strong application controls because of the risks of control override and unauthorized access and program changes, so there is no point testing specific application controls unless the overall control environment and general controls are adequate. 9B-22 It may be satisfactory to audit around the computer system (i.e. treat it as a “black box”) for a client where the information system provides all the physical documentation (hardcopy) the auditor needs to collect sufficient appropriate audit evidence. For example, the system is designed so that it is possible to obtain sufficient appropriate audit evidence by vouching data from output to source documents, by tracing from source documents to output, and by recalculation procedures. It is not necessary to rely on any internal processing that does not produce physical evidence or paper documents. 
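The self-checking number in 9B-14 and the five edit tests in 9B-15 can be seen working together in the following added example, which is not part of the original solutions. It assumes a six-digit numeric customer number whose last digit is a check digit computed with the Luhn algorithm (the scheme used on credit card numbers), a $50,000 reasonableness limit, and a constructed batch of invoice records; all field names and exception codes are hypothetical.

```python
import re
from decimal import Decimal

def luhn_check_digit(base: str) -> str:
    """Check digit for a string of base digits, using the Luhn algorithm."""
    total = 0
    for i, ch in enumerate(reversed(base)):      # rightmost base digit is doubled first
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d           # 16 -> 1 + 6 = 7, same as 16 - 9
    return str((10 - total % 10) % 10)

def is_self_checking(number: str) -> bool:
    """True when the last digit agrees with the check digit of the digits before it."""
    return (re.fullmatch(r"[0-9]{2,}", number) is not None
            and luhn_check_digit(number[:-1]) == number[-1])

REQUIRED = ("invoice_no", "customer_no", "amount", "ship_doc")   # hypothetical field names

def edit_invoice(rec: dict, limit: Decimal) -> list:
    """Apply the record-level edit tests and return a list of exception codes."""
    errs = []
    for field in REQUIRED:                        # missing data test
        if not str(rec.get(field, "")).strip():
            errs.append(f"MISSING:{field}")
    cust = rec.get("customer_no", "")
    if cust:
        if not re.fullmatch(r"[0-9]{6}", cust):   # valid character test
            errs.append("CHAR:customer_no")
        elif not is_self_checking(cust):          # check digit (self-checking number)
            errs.append("CHECK_DIGIT:customer_no")
    amt = rec.get("amount", "")
    if amt:
        if not re.fullmatch(r"[+-]?[0-9]+(\.[0-9]{1,2})?", amt):
            errs.append("CHAR:amount")
        else:
            value = Decimal(amt)
            if value <= 0:                        # valid sign test (zero or negative)
                errs.append("SIGN:amount")
            elif value > limit:                   # limit / reasonableness test
                errs.append("LIMIT:amount")
    return errs

def missing_in_sequence(batch: list) -> list:
    """Sequence test: shipping document numbers absent from the batch's range."""
    nums = sorted(int(r["ship_doc"]) for r in batch
                  if re.fullmatch(r"[0-9]+", str(r.get("ship_doc", ""))))
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present] if nums else []

def run_edits(batch: list, limit: Decimal = Decimal("50000")):
    """Return ({invoice_no: [exception codes]}, [missing shipping document numbers])."""
    exceptions = {}
    for rec in batch:
        errs = edit_invoice(rec, limit)
        if errs:
            exceptions[rec["invoice_no"]] = errs
    return exceptions, missing_in_sequence(batch)

# Constructed sample batch. "104828" is a valid self-checking number (base 10482,
# check digit 8); "108428" is the same number with two digits transposed.
SAMPLE_BATCH = [
    {"invoice_no": "INV-001", "customer_no": "104828", "amount": "1250.00",   "ship_doc": "5001"},
    {"invoice_no": "INV-002", "customer_no": "108428", "amount": "310.50",    "ship_doc": "5002"},
    {"invoice_no": "INV-003", "customer_no": "1O4828", "amount": "99.00",     "ship_doc": "5003"},
    {"invoice_no": "INV-004", "customer_no": "104828", "amount": "-75.00",    "ship_doc": "5004"},
    {"invoice_no": "INV-005", "customer_no": "104828", "amount": "975000.00", "ship_doc": "5006"},
    {"invoice_no": "INV-006", "customer_no": "104828", "amount": "420.00",    "ship_doc": ""},
]

if __name__ == "__main__":
    exceptions, gaps = run_edits(SAMPLE_BATCH)
    for invoice_no, errs in exceptions.items():
        print(invoice_no, errs)
    print("shipping documents with no invoice:", gaps)
```

The transposed customer number passes the valid character test and is caught only by the check digit, which is why 9B-12 lists check digits as a separate input control.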
9B-23 Computer-assisted audit techniques (CAATs) refer to audit techniques such as:
• Tests of general IT controls—for example, the use of test data to test access procedures to the programs and data,
• Compliance tests of IT application controls—for example, the use of test data or an imbedded audit program (continuous auditing) to test the functioning of programmed control procedures,
• Tests of details of transactions and balances—for example, the use of auditor-created or auditor-tested software to verify all (or a sample) of the transaction processing in a system,
• Analytical review procedures—for example, the use of audit software to identify unusual fluctuations in amounts or in the volume of transactions.

“Auditing through the computer” using CAATs refers to the auditor’s evaluation of the hardware and software to determine the reliability of computer operations that cannot be viewed by the human eye. Auditing through IT-based information systems is a method of evaluating important built-in control procedures that may be essential to performing the control assessment and other audit work.

9B-24 In this appendix the term GAS (“general audit software”) is used to describe the use of specialized audit software to perform various audit tests and analytical procedures, and to prepare audit file documentation. Generalized audit software (GAS) programs are a set of functions that may be used to read, compute and operate on machine-readable records. Audit software provides access to audit evidence that otherwise would be unavailable or too costly to be feasible. Auditing using GAS can be referred to as “auditing with the computer”. Some of the GAS applications might also be viewed as types of CAATs since computer programs are being used to assist in performing audit techniques.

9B-25 The question follows on from the previous two by asking for a comparison of the two concepts.
Auditing through the computer refers to making use of the computer itself to test the operative effectiveness of application controls in the program actually used to process accounting data. Thus the term refers only to the proper study and evaluation of internal control. Auditing with the computer refers both to the study of internal control (the same as "auditing through") and to the use of the computer to perform audit tasks, such as obtaining substantive evidence about monetary balances.

9B-26 Both are audit procedures that use the computer to test controls that are included in a computer program. The basic difference is that the test data procedure utilizes the client's program with auditor-created transactions, while parallel simulation utilizes an auditor-created program with actual client transactions. In the test data procedure the results from the client program are compared to the auditor's predetermined results to determine whether the controls work as described. In the parallel simulation procedure, the results from the auditor program are compared to the results from the client program to determine whether the controls work as described.

9B-27 CAATs can provide evidence that computer-based control procedures are properly designed and operating effectively at the time they are tested. It is evidence of control compliance. Advanced techniques such as imbedded audit modules can also provide evidence that controls operate effectively over a period.

9B-28 Using CAATs to test controls allows the audit team to make a conclusion about the actual operation of IT-based controls in an information system. This conclusion is used to assess the control risk and determine the nature, timing and extent of substantive audit procedures for auditing the related account balances in the overall audit plan. This control risk assessment decision determines whether subsequent audit work may be performed using machine-readable files that are produced in the system.
The data processing control over such files is important since their content is utilized later in computer-assisted work using generalized audit software.

9B-29 Test data only test controls embedded in the computer system at a specific point in time because they are processed at a single point in time with the client program that is supposed to have been used during the period under audit. After the analysis of test data results, the auditor still must make an inference about processing throughout the entire period by obtaining assurance that general IT controls, such as controls over program changes, are in place and operating over the whole period being audited.

9B-30 The real transactions selected for processing are “representative” in order for the results of the parallel simulation to be a valid test of the hypothesis that the system and its controls are operating effectively. The test results must be valid to provide evidence that is relevant to the audit objectives. Representativeness can be achieved by random selection and identification of important transactions that can have a material impact on the information output being audited.

9B-31 Advantages of a generalized audit software package are:
• Original programming is not required.
• Designing tests is easy. Many GAS packages are PC based and menu-driven so they operate much like commonly used spreadsheet programs.
• For special-purpose analysis of data files, GAS is more efficient than special programs written from scratch because of the little time required for writing the instructions to call up the appropriate functions of the generalized audit software package.
• The same software can be used on various clients’ computer systems. Control and specific tailoring are achieved through the auditors’ own ability to program and operate the system.
9B-32 Audit procedures that can be performed with GAS are:
- recalculate depreciation expense
- recalculate extensions on inventory items
- compute file totals
- compare budgeted, standard and prior-year data with current-year data
- select customers’ accounts receivable for confirmation
- print the confirmations for mailing
- compare audit evidence from other sources to company records
- compare inventory test counts with perpetual records
- compare adjusted balances on confirmed A/R to the audited balances
- compare vendor statement amounts to accounts payable records
- scanning the computer records for exceptions to the auditors’ criteria
- compare data on separate files to determine agreement and print out differences for investigation and reconciliation
- summarize and sort data to facilitate audit analysis

9B-33 Generalized Audit Software Limitations - it cannot observe and count physical things (inventory, for example); examine external and internal documentation; vouch accounting output to sources of basic evidence; issues of obtaining the data in a format that can be used on their computers such as compatibility of the client’s with the auditor’s system, data structures in the client’s system and availability of client staff to download the data for use by the auditor; conduct an enquiry involving interactive questions and conversations.

Solution Manual for Auditing: An International Approach, Wally J. Smieliauskas, Kathryn Kate Bewley, 9780071051415
