Ch08 Internal Control over Financial Reporting.docx

Review Questions Solutions Chapter 8, Planning and Testing Operating Effectiveness of Internal Control over Financial Reporting Page 370 A1 What is a control objective? A control objective is the purpose for which the control is designed. By knowing the purpose, the auditor is able to identify the characteristics of the operations that are required to accomplish the purpose. A2 What procedures can be accomplished using automated audit software and CAATS? Electronic work papers Communications Group interaction Administrative tasks Time records Client billing Accounting and auditing standards reference files Statistical sampling and related analysis Data extraction Recomputation Test data analysis Other data analysis Statistical analysis and analytical procedures A3 How can the use of CAATS prevent an auditor from having to rely on sampling? The auditor can examine the entire population Page 374 B1 How does the way a control failure is defined affect the audit evidence that is needed? How a failure is defined affects the supporting information the auditor has access to, and what is needed to tell if a failure has actually occurred. For example, some controls do not have documentary evidence so the auditor must observe the control. B2 What affects the risks associated with a control? 1. the risk that a control might not be effective 2. the risk that if a control is not effective a material weakness would result B3 What types of characteristics of transactions can be easily checked with CAATS? CAATs work well on tests for specific characteristics such as mathematical accuracy or whether the transaction is with an authorized party. B4 What is benchmarking? Through benchmarking the auditor tests and establishes the proper functioning of a computer application program at a baseline point in time. The auditor is then able to rely on its proper functioning for a period of time in the future, subject to the results of ITGC tests and modifications to the program. B5 What impact does the client’s retention policy for electronic and paper documentation have on the auditor’s plan for testing ICFR? The client’s documentation provides the evidence for a control’s effectiveness, so the auditor has to consider how long and in what form the client retains documents when planning the time at which tests are to be performed. Page 379 C1 What is the roll-forward period? What audit procedures occur related to the roll-forward period? Roll-forward refers to the period between the interim test date and the fiscal year end. Tests of controls (and tests of account balances) are conducted during the roll-forward period. C2 If the client changes the accounting information system during the year, what impact does this have on the auditor’s tests of ICFR? Do controls have to be tested before and after the change? Why or why not? What impact might this have on the financial statement audit? If the client changes the AIS during the year the auditor considers this in planning the tests of controls. For the ICFR audit, the auditor only has to test those controls that are in operation as of the end of the year. This means they have to be tested for a long enough period prior to year end to be sure they are effective at year end. Regarding the financial statement audit, the auditor has to test the operation of the controls for all periods during the year that the controls are going to be relied on. C3 Why does a manual control require more tests of operating effectiveness than an automated control? As manual controls are performed by humans, they are more susceptible to variability than automated controls. For automated controls, if ITGC are effective, the auditor can often rely on the test of one repetition of its operation as evidence of performance during the period. For manual controls multiple tests of operating effectiveness are needed. C4 How does the complexity of a control and judgments required to apply it affect the extent of testing? Complexity, judgments involved, and competency required of the person executing the control increase the evidence required to indicate that the control operates effectively. This usually increases the extent of testing required. C5 Why does the period-end reporting process require extensive controls testing? The process is important and provides assurance regarding many financial statement assertions. Page 381 D1 What kinds of illegal acts does the auditor address during testing? Illegal acts that have a direct and material effect on the financial statements. D2 What happens when the auditor becomes aware of possible illegal acts that have an indirect effect on the financial statements? This is the situation when, even though the auditor is not testing specifically for illegal acts, he or she finds them. In this case, more tests are performed. (When illegal acts are performed the auditor has to consider whether they have a material impact on the financial statements and, as covered in Chapter 11, has to consider any required communications to those in charge of the entity’s governance.) D3 What are the audit concerns about related party transactions? How do these concerns affect the testing of operations of controls? Related party transactions are a greater source of risk both in terms of balances and the financial statement disclosures required. Since the transactions are with an entity that is connected with the client, there is a high risk that the transactions are not at arms length – in other words, not conducted on the same terms that they would be with a non-related party. The auditor has to look for the transactions, understand their business purpose, and then determine whether they are fairly recorded and disclosed according to the accounting standards. Page 386 E1 What is sampling? The application of audit procedures to less than 100 percent of the items within an account balance or class of transactions. E2 What is sampling risk? The possibility that the sample does not represent the population from which it is selected resulting in the auditor arriving at the wrong conclusion about the population. E3 What is the next step when an auditor concludes, based on a sample, that a control is not operating as designed? The auditor performs more testing to confirm that the audit findings are correct. If the findings are correct the auditor investigates the source of the problem. E4 What is the risk that an auditor concludes a control is functioning when it is not more important to the audit than concluding that a control is not function when it is? If audit tests indicate that the control is not operating effectively, the auditor does more tests to confirm the finding. If the control is actually ok, upon more testing the auditor will discover that the test result was due to sampling error. If the test results indicate that the control is operating effectively (when it is not) the auditor does not have any indicator to do more testing. The only additional information that may come to the auditor’s attention that there is a problem with the control will be if substantive testing indicates a problem with the account balance. If control tests indicate that the control is effective, but material problems are found during the substantive tests, this will indicate to the auditor that the control tests might have been wrong due to sampling error and the auditor will go back and do more tests of controls. E5 What does it mean to stratify a population, and why would the auditor do this? Stratifying a population means to separate items into groups that are more homogeneous than the original population. The auditor stratifies the population to be able to perform different audit procedures on the different sub-groups based on their risk. E6 What is the advantage of using statistical methods in sampling and evaluating the results of audit tests? The use of statistics in evaluating an audit sample permits the auditor to quantify sampling risk. E7 What are the sources of nonsampling risk? How are these controlled and reduced? Nonsampling risk is the risk of human error. It is: 1. The risk that the auditor will use an audit procedure that is not appropriate. 2. The risk that the auditor will fail to detect a problem when applying an audit procedure. 3. The risk that the auditor will misinterpret an audit result. These are controlled and reduced through quality control procedures including training, supervision and review. E8 When using statistical methods, why does the auditor set or estimate the tolerable deviation rate and expected population deviation rate? In order to calculate the required sample size, and ultimately, to perform the calculations to interpret the sample result. Page 390 F1 What components of risk are independent of the audit? Which components may be set by the auditor? What is the basis for setting them? Which components are estimated? Which component may be calculated based on the others? Inherent risk and control risk (the risk of material misstatement) are independent of the audit work. Detection risk is the risk that the auditor is willing to accept that a problem will occur and the auditor will fail to find it. Audit risk is the risk the auditor is willing to accept that a problem will occur and will not be prevented or detected by the client’s internal controls or the audit procedures. The auditor sets audit risk, estimates inherent and control risks, and based on that, can calculate or estimate/set detection risk/ F2 Do the components of risk have to be set quantitatively? No F3 Give examples of accounts and classes of transactions that have greater inherent risk for specific assertions. Why is their inherent risk greater? Cash, inventory, transactions requiring skill and judgment for proper authorization, suspense accounts and related party transactions have higher inherent risk, basically because they are more susceptible to fraud or error. F4 After the auditor determines detection risk, what is it used for? For planning aspects of testing such as nature, timing and extent of tests, as well as whether to stratify the population and setting or calculating sample size Page 397 G1 Why do audit work papers need to be indexed and cross referenced? Why do auditors need to use tick marks? Indexing and cross referencing allows the auditor or a reviewer to move in between work papers to view the complete audit evidence. Tick marks provide a convenient way to indicate on the work papers the audit work that was done and conclusions reached. G2 What are the next steps when audit tests indicate a problem with the operating effectiveness of a control? What are the criteria for evaluating the seriousness of a control deficiency? The next step when a problem is found is to modify the audit plan and collect more evidence. The auditor considers quantitative and qualitative criteria to determine the seriousness of a deficiency. The auditor evaluates whether a deficiency rises to the level of a significant deficiency or a material weakness, based on the likelihood that the deficiency could have allowed a material misstatement of the financial statements. G3 What does it mean that the auditor must consider not only whether a material misstatement has already occurred from a control deficiency, but also whether a material misstatement could have occurred? A control deficiency can exists even if a financial statement misstatement did not actually already occur. What matters is whether, because of the deficiency, the misstatement could have occurred. G4 How much reliance can the auditor place on experience with people and conditions found in a company in prior-year audits? The fact that a company employee or particular procedure was not associated with control deficiencies in the past should not affect the auditor’s assessment of current evidence. Conditions and people can change. Similarly, the auditor cannot rely on positive prior experience regarding management’s integrity to downplay the current possibility of fraud. Page 403 H1 In what situation might an auditor need to test only entity-level controls to conclude on operating effectiveness? This occurs when the entity-level control is designed and operates at a level of precision that would adequately prevent or detect, on a timely basis, misstatements to one or more relevant assertions. H2 Why doesn’t the auditor need to test the operating effectiveness of all preventive and detective controls? The auditor only tests the operating effectiveness of those controls that are important to achieve the control objectives and therefore does not usually test a control that duplicates the result of another control that has already been successfully tested with good results. H3 What makes a location or business unit important enough for the auditor to consider it in planning the ICFR audit tests? When the location or business unit presents a reasonable possibility of causing the financial statements to be materially misstated. H4 What causes an auditor to need to consider outsourced services in an ICFR audit? When the auditor concludes that the outsourced service activity is part of the company’s information system. H5 How can an auditor obtain evidence about the operating effectiveness of controls at an outside service provider? 1. From the service organization’s auditor’s Type II report 2. Obtaining more information from the service organization 3. Performing audit procedures at the service organization H6 How does the result of the ICFR audit tests affect the financial statement audit? If ICFR was effective over the entire year, or even a specified part of the year, the auditor can choose to rely on the controls for that period that they were effective and may be able to change the nature, timing and extent, so that the financial statement audit substantive tests required less audit effort Review Questions Solutions Chapter 8, Appendix A, Testing IT Application Controls and Computer-Assisted Audit Software Page 416 I1 How does the definition of general controls differ from that of entity-wide controls and application controls? Explain the relationship of the three concepts. ITGC refers to controls of the computer environment. IT application controls refer to controls that are programmed into specific software functions. ITGC are typically entity-wide. Application controls can be entity wide if the application and its controls are used consistently across a company. I2 Why might an auditor decide not to test certain application controls at specific business units or locations? If a company has good ITGC and the same applications are used at all locations, it may not be necessary to test the application controls at all locations, at least not in any one year. I3 Why is it difficult for the function of application controls to be effective when the design or operation of general controls is not? If the ITGC are not effective then, for example, program code might be changed or processing error logs might not be followed up on. In these situations, the application controls cannot be relied on. If ITGC are not effective, there is no way to know that application controls continue to be effective even if they have previously been successfully tested. Page 417 J1 What types of input validation controls might an auditor test using test data? Explain what the input validation controls do. Input controls prevent input that is unauthorized and determine that the data being input are appropriate for the process. The auditor might test: access controls, authorization controls, limit check, range check, validity check, completeness check. J2 What types of processing controls might an auditor test using test data? Explain what processing controls do. Processing controls address how the computer application program handles the data. The auditor might test: Run-to-run control totals: data are not dropped or added from one processing step to the next. Limit or range checks: results of a processing step (addition, subtraction, multiplication, division) are within the expected range Error handling and correction procedures are followed Access and error logs are created J3 What type of software is often used to perform parallel simulation, and why is this good? Audit software is often used to perform parallel simulation; this is effective because special programs do not have to be written to perform the test J4 What is the benefit of an integrated test facility? What is the risk to the client’s records? The benefit is that an integrated test facility lets the auditor see how the IT system handles data while actual files are being processed. The risk is that test data may contaminate the company’s real information files if any data are incorrectly posted to real files. Page 418 K1 For what nontesting purposes can audit software be used? Work paper preparation, time and billing record keeping, group communication K2 What is the advantage of extracting a client’s complete general ledger and transactions files using audit software? The auditor can examine all of the client’s records rather than relying on a sample K3 How does the auditor confirm the data integrity of the new audit work file that is created based on data extracted from the client’s records? Counting and totaling the data in the audit work file Reperforming procedures such as counting records, totaling or footing account balances, verifying that the data are proper alpha or numeric characters, looking for duplicates or gaps in the records K4 What types of transactions will the auditor look for when scanning the client’s files for unusual items? Transactions that are input or processed after normal business hours Large transactions Transactions that do not match known identifiers such as a customer or vendor list Transactions with related parties Transactions that include management estimates Non-recurring adjusting entires Page 419 L1 What are examples of analytical procedures that can be performed using audit software? Trend analysis, relationships among accounts, ratio analysis L2 What steps of audit procedures associated with the confirmation process can be completed using audit software? selecting the sample, preparing and printing the letters, keeping records of the accounts for which confirmations are sent L3 What audit steps can be assisted using expert systems audit software? Planning, analyzing materiality, performing risk analysis L4 How can software utilizing Benford’s law assist the auditor with procedures to detect fraud? Benford’s law states that individual digits in a group of random digits will occur with a predictable frequency. Software that applies Benford’s law analyzes numeric data and identifies patterns of numbers that occur with a frequency inconsistent with Benford’s law.