Part III - Internal Control

Visit www.mcgraw-hill.co.uk/textbooks/eilifsen for detailed descriptions of the following chapter-specific cases and to download required materials.

EarthWear Case 5-1 Preliminary Analytical Procedures
Complete and evaluate Willis & Adam International's preliminary analytical procedures on EarthWear's unaudited financial statements.

EarthWear Case 5-2 Evaluation of Audit Evidence
Evaluate a portion of the evidence that Willis & Adam International gathered during an [illegible] for accuracy, completeness and [illegible].

Authorization of transactions is an important aspect of the design and effectiveness of internal control that may relate to multiple financial statement assertions such as occurrence, completeness and accuracy. For example, accuracy would ordinarily reflect that transactions and events have been both recorded accurately and properly authorized. In this book we discuss proper authorization of transactions as a separate assertion, together with those financial statement assertions listed in auditing standard guidance. We have found that such explicit discussion makes it easier to understand the role of proper authorization and how it relates to the direct financial statement assertions.

Online Learning Centre
When you have read this chapter, log on to the Online Learning Centre website at www.mcgraw-hill.co.uk/textbooks/eilifsen to explore chapter-by-chapter test questions and more online study tools.

Major Phases of an Audit (figure): client acceptance/continuance; preliminary engagement activities; plan the audit (Chapters 3, 4 and 5); audit business processes and related accounts (e.g. revenue generation) (Chapters 10-16); complete the audit (Chapter 17); evaluate results and issue audit report (Chapters 1 and 18).

In Chapter 4, we noted that a major part of the auditor's understanding of the entity and its environment involves knowledge about the entity's internal control. In Chapter 5, we introduced you to the concepts of the 'assurance testing hierarchy' and the 'assurance bucket', which indicate that the auditor typically obtains assurance from tests of controls before substantive procedures. This chapter provides detailed coverage of the auditor's assessment of control risk. It addresses the importance of internal control and its components, as well as how evaluating internal control relates to substantive testing. The chapter covers the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Framework and how the auditor's consideration of an entity's internal control impacts the financial statement audit. This chapter also discusses the timing of audit procedures, service organizations and the required communications of deficiencies in internal control.
Advanced Modules cover the types of controls in an IT environment, computer-assisted audit techniques and flowcharting techniques.

Internal control plays an important role in how management meets its stewardship or agency responsibilities. Management has the responsibility to design and maintain a system of internal control that provides reasonable assurance that assets and records are properly safeguarded, and that the entity's information system generates information that is reliable for decision making. If the information system does not generate reliable information, management may be unable to make informed decisions about issues such as product pricing, cost of production and profit information, and external reports may not be useful to investors and other stakeholders.

An entity's system of internal control is management's responsibility, but it is important to the auditor because the auditor needs assurance about how well the assets and records of the entity are safeguarded and about the reliability of the data generated by the information system. The auditor uses risk assessment procedures to obtain an understanding of the entity's internal control. These procedures help the auditor to identify key controls, recognize the types of potential misstatements that are relatively likely to arise, and design tests of controls and substantive procedures. As we discussed previously, there is an inverse relationship between the reliability of internal control and the amount of substantive evidence required of the auditor. In other words, when filling the assurance bucket for an assertion (Figure 5-4), if the auditor obtains more controls evidence, then less substantive evidence is needed to top off the bucket.

As we shall see in this chapter, the auditor's understanding and assessment of internal control is a major factor in determining the overall audit strategy.
After providing an overview of internal control and the COSO Internal Control - Integrated Framework, we discuss the auditor's responsibilities for internal control under two major topics: (1) obtaining an understanding of internal control; and (2) assessing control risk.

Definition of Internal Control

According to COSO's Internal Control - Integrated Framework, a system of internal control is designed and carried out by those charged with governance in the entity (e.g. an entity's board of directors or audit committee), management and other personnel to provide reasonable assurance about the achievement of the entity's objectives in the following categories: (1) reliability, timeliness and transparency of internal and external, non-financial and financial reporting; (2) effectiveness and efficiency of operations, including safeguarding of assets; and (3) compliance with applicable laws and regulations. According to COSO, the purpose of its framework is to help management better control the organization and to provide those charged with governance with an added ability to oversee internal control. An effective system of internal control allows management to focus on operations and financial performance goals, while maintaining compliance with relevant laws and minimizing surprises.

Controls Relevant to the Audit

The controls that are of most direct relevance to a financial statement audit are those that contribute to the reliability, timeliness and transparency of external financial reporting. These controls are relevant to an audit because they help to prevent, or detect and correct, material misstatements in the entity's financial statements. Controls relating to operations, compliance and other types of reporting may be relevant when they have an impact on data the auditor uses to apply audit procedures. For example, the internal controls that relate to operating statistics may be important because such data may be utilized by the auditor for performing analytical procedures.
However, many controls that relate to management's planning or operating decisions may not be relevant to the auditor.

The Effect of Information Technology on Internal Control

The extent of an entity's use of information technology (IT) can affect internal control because IT affects the way that transactions are initiated, authorized, recorded, processed and reported. Controls in most information systems consist of a combination of sometimes interdependent automated and manual controls. Manual controls often use information produced by IT, and they are often used to monitor the functioning of, and errors and exceptions identified by, automated controls. An entity's mix of manual and automated controls varies with the nature and complexity of the entity's use of IT. For example, 'cloud computing' and storage of data in the 'cloud' bring specific risks and the need for corresponding controls.

Table 6-1 lists the benefits and risks of using IT for an entity's internal control. The risks to internal control vary depending on the nature and characteristics of the entity's information system. For example, where multiple users may access a common database, a lack of control at a single user entry point may compromise the security of the entire database. This may result in improper changes to or destruction of data. When IT personnel or users can gain access privileges beyond those necessary to perform their assigned duties, a breakdown in segregation of duties can occur, resulting in unauthorized transactions or changes to programs or data.

The COSO Framework

Components of Internal Control

Internal control, as defined by the COSO Framework, consists of five components:
1 Control environment.
2 Entity's risk assessment.
3 Control activities.
4 Information and communication.
5 Monitoring activities.
Control environment. The control environment is the set of standards, processes and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control and expected standards of conduct.

The entity's risk assessment process. Risk assessment involves a dynamic and iterative process for identifying and analysing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed. Management considers possible changes in the external environment and within its own business model that may impede its ability to achieve its objectives.

Control activities. Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity and at various stages within business processes, and over the technology environment.

Information and communication. Information is necessary for the entity to carry out internal control responsibilities in support of achievement of its objectives. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives.

Monitoring of controls. Ongoing evaluations, separate evaluations or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, are present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and to those charged with governance.

Table 6-2 defines each of the components, while Figure 6-1 shows how the categories of objectives of internal control, including safeguarding of assets, relate to the five components. A direct relationship exists between objectives (which reflect what an entity is striving to achieve), components (which represent what the entity needs to do in order to achieve the objectives) and the structure of the entity (the operating units, legal entities and others). The relationship can be depicted in the form of a cube, as illustrated in Figure 6-1. As mentioned previously, the auditor is mainly concerned with how the five components, evaluated individually and in terms of how they operate together, affect the external financial reporting objective.

Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. Those charged with governance demonstrate independence from management and exercise oversight of the development and performance of internal control.
3. Management establishes, with those charged with governance oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Monitoring Activities
16. The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and those charged with governance, as appropriate.

In the updated COSO Framework (revised in 2013), each component includes principles that represent fundamental concepts underlying the effectiveness of each component.
An entity can achieve effective internal control by applying all 17 principles. The principles are summarized in Table 6-3, grouped by component.

The COSO Framework sets forth the requirements for an effective system of internal control. An effective system provides reasonable assurance that the risk of not achieving an entity objective is reduced to an acceptable level. For a control system to be considered effective, each of the five components and relevant principles must be present and functioning, and the five components must operate together in an integrated manner.

CHAPTER 6 Internal Control in a Financial Statement Audit

Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. The importance of control to an entity is reflected in the overall attitude to, awareness and actions of those charged with governance, management and owners regarding control. The control environment establishes the foundation for implementing the entity's system of internal controls.

Principle 1: The organization demonstrates a commitment to integrity and ethical values

The effectiveness of an entity's internal controls is heavily influenced by the integrity and ethical values of management personnel, who are responsible for creating, administering and monitoring the entity's system of controls. Management's philosophy and operating style can significantly affect the quality of internal control through the establishment of an appropriate 'tone at the top'.

A well-controlled entity establishes and evaluates adherence to ethical and behavioural standards that are communicated to employees and reinforced by day-to-day practice. For example, management should remove incentives and opportunities that might lead personnel to engage in dishonest, illegal or unethical acts.
Examples of such incentives are pressures to meet unrealistic performance targets and performance-dependent rewards. Examples of opportunities include an ineffective board of directors, a weak internal audit function, and lack of control activities that might detect improper behaviour. Management can best communicate integrity and ethical behaviour within an entity by example and through the use of policy statements, codes of conduct and training. Management must promptly address deviations from standards of conduct.

Characteristics that may signal important information to the auditor about management's integrity and ethical values include management's approach to taking and monitoring business risks, and management's attitudes and actions regarding financial reporting - for example, whether management tends to be conservative or aggressive when selecting from alternative accounting principles.

Principle 2: Those charged with governance demonstrate independence from management and exercise oversight of the development and performance of internal control

Those charged with governance, such as the board of directors, the supervisory board and the audit committee, significantly influence the control consciousness of the entity. Those charged with governance must take their fiduciary responsibilities seriously and actively oversee the entity's accounting and reporting policies and procedures. Factors that affect the effectiveness of those charged with governance include the following:
- Experience and stature of members and independence from management.
- Extent of involvement with and scrutiny of the entity's activities.
- Information availability and willingness/

... comments. This can be accomplished by using the annotation symbol or just writing the comment directly on the flowchart.

A flowchart is typically designed along the lines of the entity's departments or functions.
It is thus important to indicate the delineation of activities between the departments or functions. As shown in Figure 6-3, this can be accomplished by using a vertical dashed line.

Key Terms

Application controls. Controls that apply to the processing of specific computer applications and are part of the computer programs used in the accounting system.

Computer-assisted audit techniques (CAATs). Computer programs that allow auditors to test computer files and databases.

Control activities. The policies and procedures that help ensure that management's directives are carried out.

Control environment. Includes the governance and management functions and the attitudes, awareness and actions of those charged with governance and management concerning the entity's internal control and its importance in the entity.

Control risk. The risk that material misstatements that could occur will not be prevented, or detected and corrected, by internal controls.

Deficiency in internal control. A control designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements on a timely basis, or a control necessary to prevent, or detect and correct, misstatements on a timely basis that is missing.

Electronic commerce (Internet). Business transactions between individuals and organizations that occur without paper documents, using computers and telecommunication networks.

Electronic data interchange (EDI). The transmission of business transactions over telecommunications networks.

Entity's risk assessment process. A component of internal control that is the entity's process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof.

General controls. Controls that relate to the overall information processing environment and have a pervasive effect on the entity's computer operations.

Information system relevant to financial reporting. A component of internal control that includes the financial reporting system, and consists of the procedures and records established to initiate, authorize, record, process and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities and equity.

Internal control. The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

IT environment. The policies and procedures that the entity implements and the IT infrastructure (hardware, operating systems, etc.) and application software that it uses to support business operations and achieve business strategies.

Monitoring of controls. A process that assesses the quality of internal control performance over time.

Reliance strategy. The auditor's decision to rely on the entity's controls, test those controls and reduce the substantive tests of the financial statement accounts.

Significant deficiency in internal control. A deficiency or combination of deficiencies in internal control that in the auditor's professional judgement is of sufficient importance to merit the attention of those charged with governance.

Substantive strategy. The auditor's decision not to rely on the entity's controls and to audit the related financial statement accounts by relying more on substantive procedures.

Tests of controls. Audit procedures designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.

Walk-through. A transaction being traced by an auditor from origination through the entity's information system until it is reflected in the entity's financial reports.
It encompasses the entire process of initiating, authorizing, recording, processing and reporting individual transactions and controls for each of the significant processes identified.

Review Questions

6-1 (LO1) What are management's incentives for establishing and maintaining strong internal control? What are the auditor's main concerns with internal control?
6-2 (LO4) What are the potential benefits and risks to an entity's internal control from information technology?
6-3 (LO5) Describe the five components of internal control.
6-4 (LO5) What are the factors that affect the control environment?
6-5 (LO8) What are the major differences between a substantive strategy and a reliance strategy when the auditor considers internal control in planning an audit?
6-6 (LO6) Why must the auditor obtain an understanding of internal control?
6-7 (LO7) What is meant by the concept of reasonable assurance in terms of internal control? What are the inherent limitations of internal control?
6-8 (LO8,9) List the tools that can document the understanding of internal control.
6-9 (LO10) What are the requirements under auditing standards for documenting the assessed level of control risk?
6-10 (LO11,12) What factors should the auditor consider when substantive procedures are to be completed at an interim date? If the auditor conducts substantive procedures at an interim date, what audit procedures would normally be completed for the remaining period?
6-11 (LO14) What is the auditor's responsibility for communicating deficiencies in internal control?
6-12 (LO15) Distinguish between generalized and custom audit software. List the functions that can be performed by generalized audit software.

Problems
6-13 (LO6,9) An auditor should obtain sufficient understanding of each component of an entity's internal control system to plan the audit of the entity's financial statements and to assess control risk for the assertions embodied in the transaction class, account balance and disclosure elements of the financial statements.
Required:
a Define internal control.
b For what purpose should an auditor's understanding of the internal control components be used in planning an audit?
c What are an auditor's documentation requirements concerning an entity's internal control system and the assessed level of control risk?

6-14 (LO5,7) Johnson, independent auditor, has been engaged to audit the financial statements of Rose. Before assessing control risk, Johnson is required to obtain an understanding of Rose's control environment.
Required:
a Identify additional control environment factors (excluding the factor illustrated in the following example) that set the tone of an organization, influencing the control consciousness of its people.
b For each control environment factor identified in part a, describe the components and why each component would be of interest to the auditor. Use the following format:
Communication and Enforcement of Integrity and Ethical Values: The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer and monitor them. Integrity and ethical values are essential elements of the control environment, affecting the design, administration and monitoring of other components. Integrity and ethical behaviour are the product of the entity's ethical and behavioural standards, how they are communicated and how they are reinforced in practice.

6-15 (LO4) Assume that you are an audit senior in charge of planning the audit of an entity that your firm has audited for the previous four years.
During the audit planning meeting with the manager and partner in charge of the engagement, the partner noted that the entity recently adopted an IT-based accounting system to replace its manual system. The manager and partner have limited experience with IT-based accounting systems and are relying on you to help them understand the audit implications of the entity's change. Consequently, they have asked you to respond to a few concerns regarding automated accounting systems.
Required:
a In previous years the audit firm has relied heavily on substantive procedures as a source of audit evidence for this entity. Given that the entity now has changed its accounting system, what are some of the factors that you should consider when deciding whether to move to a reliance strategy?
b Under what conditions should the audit firm consider engaging an IT expert to assist in the evaluation? If the firm hires an IT expert, what information should the auditors ask the expert to provide?
c How are the five components of the entity's internal control affected by the entity's change to an IT-based accounting system?

6-16 (LO8) Auditors use various tools to document their understanding of an entity's internal control system, including narrative descriptions, internal control questionnaires and flowcharts.
Required:
a Identify the relative strengths of each tool.
b Briefly describe how the complexity of an entity's internal control system affects the use of the various tools.

6-17 (LO5,6,9) The audit committee of a small manufacturing company that sells its products globally has directed the internal audit function to perform specific annual reviews to monitor manual journal entries, with a particular focus on potential management override activities.
Internal audit's review includes basic information such as the number, monetary amount, preparer, business unit and timing relative to month- and quarter-end.
Required:
a What specific issues should the internal auditor be concerned about with respect to individual ...
b Could the external auditor rely on the internal audit's work related to manual journal entries to reduce control risk?

6-18 (LO11,12) Cook, independent auditor, has been engaged to audit the financial statements of General Department Stores, a continuing audit entity, which is a chain of medium-sized retail stores. General's fiscal year will end on 30 June 2013, and General's management has asked Cook to issue the auditor's report by 1 August 2013. Cook will not have sufficient time to perform all of the necessary fieldwork in July 2013 but will have time to perform most of the fieldwork as of an interim date, 30 April 2013.
After the accounts are tested at the interim date, Cook will also perform substantive procedures covering the transactions of the final two months of the year. This will be necessary to extend Cook's conclusions to the balance sheet date.
Required:
a Describe the factors Cook should consider before applying substantive procedures to General's balance sheet accounts at 30 April 2013.
b For accounts tested at 30 April 2013, describe how Cook should design the substantive procedures covering the balances as of 30 June 2013, and the transactions of the final two months of the year.
(Adapted from AICPA)

6-19 (LO14) Ken Smith, the partner in charge of the audit of Houghton Enterprises, identified the following deficiencies in internal control during the audit of the 31 December 2013 financial ...
1 Controls for granting credit to new customers were not adequate. In particular, the credit department did not adequately check the creditworthiness of customers with an outside credit agency.
2 There were inadequate physical safeguards over the company's inventory. No safeguards prevented employees from stealing high-value inventory parts.
Required:
How should Smith communicate the identified deficiencies in internal control?

6-20 (LO16) Auditors use various audit techniques to gather evidence when a client's accounting information is processed using IT. Select the audit procedure from the following list and enter it in the appropriate place on the grid.
Audit procedure:
1 Test data method.
2 Custom audit software.
3 Auditing around the computer.
4 Generalized audit software.
Descriptions:
a Program written by the auditor to perform a specific task for a particular entity.
b The auditor's auditing of the inputs and outputs of the system without verification of the processing of the data.
c Processing fictitious and real data separately through the client's system.

6-21 (LO16) Brown, independent auditor, is auditing the financial statements of Big Z Wholesaling, a continuing audit entity, for the year ended 31 January 2013. On 5 January 2013, Brown observed the tagging and counting of Big Z's physical inventory and made appropriate test counts. These test counts have been recorded on a computer file. As in prior years, Big Z gave Brown two computer files. One file represents the perpetual inventory (first-in, first-out) records for the year ended 31 January 2013. The other file represents the 5 January physical inventory count.
Assume:
1 Brown issued an unmodified opinion on the prior year's financial statements.
2 All inventory is purchased for resale and located in a single warehouse.
3 Brown has appropriate computerized audit software.
4 The perpetual inventory file contains the following information in item number sequence:
a Beginning balances at 1 February 2012: item number, item description, total quantity and price.
b For each item purchased during the year: date received, receiving report number, vendor, item number, item description, quantity and total euro amount.
c For each item sold during the year: date shipped, invoice number, item number, item description, quantity and euro amount.
d For each item adjusted for physical inventory count differences: date, item number, item description, quantity and euro amount.
5 The physical inventory file contains the following information in item number sequence: tag number, item number, item description and count quantity.
Required:
Describe the substantive audit procedures Brown may consider performing with computerized audit software using Big Z's two computer files and Brown's computer file of test counts. The substantive audit procedures described may indicate the reports to be printed out for Brown's follow-up by subsequent application of manual procedures. Do not describe subsequent manual audit procedures. Group the procedures by those using (1) the perpetual inventory file and (2) the physical inventory and test count files.

(LO5,6) You are the engagement partner of the entity Fish Farms. The company operates salmon farms in Canada and Chile, mainly supplying the American and Asian markets with fresh and frozen salmon. You have the following information of the stock of salmon (biomass).
1 Lists with details of numbers and weights of live salmon in net cages in open water and smolt (small salmon) in closed fresh-water tanks on land.
2 Daily market prices for harvested salmon of various sizes.
3 Production cost of salmon of all sizes.
Seventy per cent of the production costs of salmon relates to feeding. It takes two to five years for smolt to grow into market-ready salmon.
Fish Farms has designed and implemented strong controls that keep track of the number and weight of salmon during production and at harvesting. Smolt are counted when they transfer from fresh water to cages in the sea. All harvested fish are counted and weighed. Dead fish are immediately removed from cages and counted. The weight of the fish during production is an estimate based on the relationship between expected growth rates and food consumption. The net cages are large and the salmon are constantly in motion. Salmon are easily stressed and cannot be removed from the cages before they are harvested.
Required:
a. What are the assertions you consider to be most critical in the audit of the stock of salmon (biomass) of Fish Farms?
b. You plan to rely on the internal controls where appropriate. To prepare for a meeting with your audit team, write a short memo explaining why you are considering using a reliance strategy.
c. Give examples of tests of controls you plan to perform in the audit of the stock of salmon (biomass).
(LO5, 6) Preview Company, a diversified manufacturer, has five divisions. Preview has historically allowed its divisions to operate autonomously. Corporate intervention occurred only when planned results were not obtained. Corporate management has high integrity, but the board of directors is not very active. Preview has a policy of hiring competent people. The company has a code of conduct, but there is little monitoring of compliance by employees. Management is fairly conservative in terms of accounting policies and practices, but employee compensation packages depend highly on performance. Preview Company does not have an internal audit department, and it relies on your firm to review the controls in each division.
Chip Harris is the general manager of the Fabricator Division. The Fabricator Division produces a variety of standardized parts for small appliances.
Harris has been the general manager for the last seven years, and each year he has been able to improve the profitability of the division. He is compensated based largely on the division's profitability. Much of the improvement in profitability has come through aggressive cost-cutting, including a substantial reduction in control activities over inventory.
During the last year a new competitor has entered Fabricator's markets and has offered substantial price reductions in order to grab market share. Harris has responded to the competitor's actions by matching the price cuts in the hope of maintaining market share. Harris is very concerned because he cannot see any other areas where costs can be reduced so that the division's growth and profitability can be maintained. If profitability is not maintained, his salary and bonus will be reduced.
Harris has decided that one way to make the division more profitable is to manipulate inventory because it represents a large amount of the division's balance sheet. He also knows that controls over inventory are weak. He views this inventory manipulation as a short-term solution to the profit decline due to the competitor's price cutting. Harris is certain that once the competitor stops cutting prices or goes bankrupt, the misstatements in inventory can be corrected with little impact on the bottom line.
Required:
a. Evaluate the strengths and weaknesses of Preview Company's control environment.
b. What factors in Preview Company's control environment have led to and facilitated Harris's manipulation of inventory?
(Used with permission of the PricewaterhouseCoopers LLP Foundation)
Visit www.mcgraw-hill.co.uk/textbooks/eilifsen to find detailed descriptions of the following chapter-specific cases and to download required materials.
EarthWear Case 6-1 Control Environment and Internal Control Documentation
Complete the remaining sections of the EarthWear control environment and internal control questionnaires.
EarthWear Case 6-2 Tests of Controls (Part A)
Complete controls testing on a sample of EarthWear voucher packets and judgementally evaluate the results of the tests of controls. (In Part B of this mini-case you are asked to statistically quantify and evaluate the results of tests of controls. Part B is described in Chapter).
See PricewaterhouseCoopers, 2012 Current Developments for Directors, PricewaterhouseCoopers, New York, 2012, for a discussion of audit committees and corporate governance. Also see information published by KPMG's Audit Committee Institute (www.kpmginstitutes.com/aci).
A. Eilifsen and W. F. Messier, Jr, 'Auditor Detection of Misstatements: A Review and Integration of Empirical Research', Journal of Accounting Literature, 19 (2000), pp. 1-43, reviews research studies that have examined the causes of auditor-detected misstatements. For example, A. Wright and R. H. Ashton, 'Identifying Audit Adjustments with Attention-directing Procedures', Accounting Review (October 1989), pp. 710-728, find that approximately 35 per cent of the errors detected by auditors resulted from personnel problems, insufficient accounting knowledge and judgement errors.
In recent years, COSO has provided a significant amount of guidance in the area of enterprise risk management (ERM). For example, see COSO, Enterprise Risk Management—Integrated Framework, 2004 and COSO, Strengthening Enterprise Risk Management for Strategic Advantage (www.coso.org).
Exhibit 6-1 shows how the understanding of internal control can be developed and documented using a separate internal control questionnaire.
Some or all of the information on the components of the entity's internal control may be captured as part of the auditor's understanding of the entity and its environment (see Chapter 3).
Chapter 20 discusses assurance standards, including ISAE 3402, Assurance Reports on Controls at a Service Organization.
Note that external auditor involvement in the information systems acquisition and development process may cause a self-review threat. Provision of such non-audit services is most limited when the entity is a public interest entity. See Chapter 1 for a discussion of the IESBA Code of Ethics.
Auditing Internal Control over Financial Reporting
Chapter 7 differs in focus from the rest of the chapters in this international textbook on auditing and assurance. It covers auditing of the effectiveness of the entity's internal control over financial reporting (ICFR) as required by the US Sarbanes-Oxley Act of 2002. The chapter is of interest for an international audience because many non-US auditing practices are involved in auditing ICFR. This occurs because many international companies audited by non-US practices are publicly traded in the US and therefore are required to comply with the Sarbanes-Oxley Act. Also, US public companies may have their foreign subsidiaries audited by non-US auditing practices.
The Sarbanes-Oxley Act of 2002 imposes unprecedented requirements on both management and auditors of US public companies. In particular, Section 404 of the Act requires that management report on the effectiveness of its ICFR and that the auditor also provides an attestation on the effectiveness of ICFR based on standards issued by the Public Company Accounting Oversight Board (refer to Chapter 2 for a discussion of the PCAOB). In 2007, the Securities and Exchange Commission (SEC) issued guidance for management and the PCAOB issued Auditing Standard No. 5, An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements (AS5), for auditors. These documents require that management and the auditor follow a top-down, risk-based approach to evaluating ICFR. This chapter covers what management must do in order to issue a report that the entity's ICFR is effective and how the auditor performs an audit regarding the effectiveness of ICFR.
The material covered in this chapter applies to companies subject to the reporting requirements of Section 404 of the Sarbanes-Oxley Act of 2002. The Dodd-Frank Act of 2010,
Internal Control over Financial Reporting Defined
Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue a report that accepts responsibility for establishing and maintaining adequate ICFR and asserts whether ICFR is effective as of the end of the fiscal year. This assessment is to be made as of a specific point in time, that is, 'as of' the end of the fiscal year. Thus, management's assessment does not cover the entire year. This has implications for any control deficiencies discovered during the year. The 'as of' nature of the assessment in many cases allows management to remediate deficiencies discovered prior to year end and still receive an unqualified opinion on ICFR.
Management must comply with the following requirements in order for the external auditor to complete an audit of ICFR:
- Accept responsibility for the effectiveness of the entity's ICFR.
- Evaluate the effectiveness of the entity's ICFR using suitable control criteria.
- Support the evaluation with sufficient evidence, including documentation.
- Present a written assessment regarding the effectiveness of the entity's ICFR as of the end of the entity's most recent fiscal year.
Each of these steps is discussed below. Recognize, however, that the second and third bullet points require a substantial investment of time, energy and money on the part of the entity.
Section 404 requires the auditor to audit management's assertion about the effectiveness of ICFR. AS5 states that the auditor must conduct the audits of financial statements and ICFR in an integrated way because each audit provides the auditor with information relevant to the evaluation of the results of the other. The auditor's objective in an audit of ICFR is 'to express an opinion on the effectiveness of the company's internal control over financial reporting' (AS5, para. 3), while the objective in a financial statement audit is to express an opinion on whether the financial statements are fairly stated in accordance with generally accepted accounting principles (GAAP).
To form a basis for expressing an opinion on the effectiveness of ICFR, the auditor must plan and perform the audit to obtain reasonable assurance about whether the entity maintained, in all material respects, effective internal control 'as of' the date specified in management's assessment. Reasonable assurance in this context recognizes that no system of internal control is perfect and that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis, even if controls are, in fact, effective. Like the financial statement audit, reasonable assurance indicates a high level of assurance.
A process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP, and includes those policies and procedures that
(1) Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements. (AS5, para. A5)
This definition makes it clear that the CEO and CFO are responsible for the reliability of ICFR and the preparation of the financial statements. It is the responsibility of the board of directors and management to implement an effective internal control system.
You will note that the objectives of internal control in the PCAOB's definition are more specific than the objectives listed in the COSO definition. Items (1) and (2) relate directly to controls for initiating, authorizing, recording, processing and reporting significant accounts and disclosures and related assertions embodied in the financial statements. Item (3) concerns controls over safeguarding of assets.
Control Deficiency
For management and the auditor to assess whether ICFR is effective, it is necessary to define what constitutes a control deficiency and to define different levels of severity. While the PCAOB's definitions are somewhat technical, it is important that you invest the time and energy to understand them.
A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A design deficiency exists when (1) a control necessary to meet the relevant control objective is missing or (2) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively (AS5, para. 3).
Material Weakness
The focus of the audit of ICFR is on deficiencies that are serious enough that there is a reasonable possibility that a material misstatement of the financial statements could result. Accordingly, the PCAOB defines a material weakness as a deficiency, or combination of deficiencies, in ICFR, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis (AS5, para.
A7)
Significant Deficiency
A significant deficiency is a control deficiency, or combination of control deficiencies, in ICFR that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the entity's financial reporting (AS5, para. A11).
Likelihood and Magnitude
According to the above definitions, in judging the significance of a control deficiency, management and the auditor must consider two dimensions of the control deficiency: likelihood and magnitude of misstatement that could result from the control deficiency. The definition of material weakness includes the phrase 'reasonable possibility' and is to be interpreted using the guidance in Topic 450, Contingencies. Accordingly, the likelihood of an event is a 'reasonable possibility' if it is either 'reasonably possible' or 'probable'. While this guidance makes the likelihood concept clear, determining the magnitude of a financial statement misstatement that might result from a control deficiency requires a great deal of professional judgement. In making such judgements, the auditor should be satisfied that a 'prudent official' would be likely to concur. In determining whether it is reasonably possible that a financial statement misstatement resulting from a deficiency is material, the auditor relies on the same concept of materiality as is used in determining financial statement materiality.
Note that if likelihood is assessed as remote, an identified control issue is not even at the level of a control deficiency. However, if likelihood is assessed as more than remote, a control issue will be considered a deficiency, a significant deficiency or a material weakness depending on the magnitude of the deficiency. Thus the differences between a control deficiency and a significant deficiency, and between a significant deficiency and a material weakness, are determined solely by magnitude.
Figure 7-1 represents how likelihood and magnitude relate to each other in the determination of whether a control deficiency rises to the level of significant deficiency or material weakness. Later in the chapter we discuss how the auditor applies the concepts of likelihood and materiality in an audit of ICFR, as well as the auditor's reporting responsibilities as described in the figure.
[Figure 7-1: magnitude (material; not material but significant; not material or significant) plotted against likelihood (remote; reasonably possible or probable), showing the resulting significant deficiency and material weakness categories and the reporting to the audit committee and management.]
Before deciding whether a significant deficiency or material weakness exists, AS5 requires the auditor to evaluate the effectiveness of compensating controls. To have a mitigating effect, the compensating control should operate at a level of precision that would prevent or detect a misstatement that could be material (AS5, para. 68).
In order to issue a report on the effectiveness of internal control, management needs to first design and implement an effective system of ICFR and then develop an ongoing assessment process. To assist management, the SEC issued guidance for evaluating and assessing ICFR that provides for a top-down, risk-based approach for management to follow in evaluating and assessing ICFR. The purpose of management's evaluation of ICFR is to provide management with a reasonable basis for its assessment as to whether any material weaknesses in ICFR exist 'as of' the end of the period. The evaluation process has three steps:
1. Identify financial reporting risks and related controls.
2. Consider which locations to include in the evaluation.
3. Evaluate evidence about the operating effectiveness of ICFR.
Once the evaluation process is complete, management must address its reporting responsibilities.
Management is required to base its assessment of the entity's ICFR on a suitable, recognized control framework established by a body of experts that follows due-process procedures. In the USA, most entities use the framework developed by COSO. Other suitable frameworks have been published in other countries. Review Chapter for a discussion of the COSO framework.
Identify Financial Reporting Risks and Related Controls
Management must first identify and assess financial reporting risks; that is, the risk that a misstatement could result in a material misstatement of the financial statements.
How management identifies financial reporting risks will vary based on the characteristics of the entity, such as the size, complexity and organizational structure of the entity, and its processes and financial reporting environment.
Management then identifies controls that are in place to address the financial reporting risks. In addition to specific controls that address financial reporting risks, management also evaluates whether there are controls in place to address entity-level controls and other pervasive elements of ICFR. Entity-level controls can have a pervasive effect on the entity's ability to meet the COSO control criteria. Table 7-1 presents examples of entity-level controls.
Management should then consider the effect of information technology (IT) general controls that are necessary for proper and consistent operation of other technology-based controls designed to address financial reporting risks. Lastly, management must obtain and document reasonable evidential support for its assessment.
Consider Which Locations to Include in the Evaluation
... reporting risks for the controls at an individual location are high, management will normally need to ...
Stop and Think: Take a moment and think about how a large, multinational corporation such as IBM or Coca-Cola would accomplish such a task. Later in the chapter we will present an approach to selecting locations.
Evaluate Evidence about the Operating Effectiveness of ICFR
The evaluation of the operating effectiveness of a control considers whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively. Management should focus its evaluation on areas that pose the highest risk to ICFR.
As the risk of control failure increases, management will need more evidence to support its conclusion about the operating effectiveness of the control. Table 7-2 shows controls that are typically included for testing.
Evidence on the operating effectiveness of a control may be obtained from direct testing of the control, ongoing monitoring, or both. Direct tests of controls are usually performed on a periodic basis by individuals with a high degree of objectivity (e.g. internal auditors) with respect to the control being tested. Ongoing monitoring includes self-assessment procedures and procedures to analyse performance measures (key performance indicators) designed to track the performance of the control.
Management's assessment must be supported by evidence that provides reasonable support for its assessment. The nature and extent of this evidence will vary based on the assessed level of ICFR risk for controls over each of its financial reporting elements.
Reporting Considerations
In determining its reporting responsibilities, management first evaluates the severity of the control deficiencies identified. Similar to the approach taken by the auditor, management considers the likelihood of and magnitude to which the financial statements could be misstated by the control failure. If management determines that no material weaknesses exist, they can conclude that the entity's ICFR was effective. Exhibit 7-1 provides an example management report.
Management is responsible for establishing and maintaining adequate internal control over financial reporting of the entity. Internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with accounting principles generally accepted in the United States of America.
The entity's internal control over financial reporting includes those policies and procedures that (i) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the entity; (ii) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with accounting principles generally accepted in the United States of America, and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and directors of the entity; and (iii) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the entity's assets that could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.
Management conducted an evaluation of the effectiveness of internal control over financial reporting based on the framework in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Based on this evaluation, management concluded that the entity's internal control over financial reporting was effective as of December 31, 2012.
Virginia M. Rometty
Chairman, President and Chief Executive Officer
February 26, 2013
Mark Loughridge
Senior Vice President and Chief Financial Officer, Finance and Enterprise Transformation
February 25, 2013
If a control deficiency is determined to be a material weakness, management must disclose the material weakness in its assessment of the effectiveness of ICFR on an annual basis.
The disclosure about the material weakness(es) should include the following:
- The nature of the material weakness(es).
- Its impact on the entity's financial reporting and its ICFR.
- Management's current plans, if any, for remediating the material weakness.
Exhibit 7-2 presents an example of management's disclosure of a material weakness. Any control deficiency that is considered a significant deficiency or material weakness should be reported to the audit committee and the external auditor.
In connection with the preparation of our financial statements for the year ended December 31, 2011, we concluded there is a material weakness in the design and operating effectiveness of our internal control over financial reporting as defined in SEC Regulation S-X. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. The primary factors contributing to the material weakness, which relates to our financial statement close process, were:
+ We did not maintain financial close process and procedures that were adequately designed, documented and executed to support the accurate and timely reporting of our financial results. As a result, we made a number of manual post-close adjustments necessary in order to prepare the financial statements included in this Form 10-K.
+ We did not maintain effective controls to provide reasonable assurance that accounts were complete and accurate and agreed to detailed support, and that account reconciliations were properly performed, reviewed and approved. While these activities should be performed in the ordinary course of our preparing our financial statements, we instead needed to undertake significant efforts to complete reconciliations and investigate items identified in those reconciliations during the course of our financial statement audit.
+ We did not have adequate policies and procedures in place to ensure the timely, effective review of estimates, assumptions and related reconciliations and analyses, including those related to customer refund reserves. As noted previously, our original estimate disclosed on February 8 of the reserve for customer refunds proved to be inadequate after we performed additional analysis.
Management's assessment process involves special consideration of two topics: (1) service organizations and (2) safeguarding assets. These topics must also be considered by the auditor during the audit of ICFR. The Advanced Module at the end of the chapter discusses each of these topics in detail.
Management Documentation
The SEC's guidance allows considerable flexibility to management in how it documents reasonable support for its assessment. However, reasonable support should include the basis for management's assessment and conclusion. Such documentation should include the design of the controls management has placed in operation to adequately address identified financial reporting risks, including the entity-level controls and other pervasive elements necessary for effective ICFR. The guidance does not require management to identify and document every control in a process or document the business processes impacting ICFR.
Instead, documentation should focus on those controls management concludes are adequate to address the entity's financial reporting risks. Documentation of ICFR may take many forms, such as paper, electronic files or other media. It also includes a variety of information, such as policy manuals, process models, flowcharts, job descriptions, documents and forms.
While the audit of ICFR and the audit of financial statements have different objectives, the auditor must plan and perform the audit work to achieve the objectives of both audits as an integrated audit. In planning the integrated audit, the auditor should design tests of controls to accomplish the objectives of both audits simultaneously. The purpose of tests of controls in an audit of ICFR is to provide evidence on the effectiveness of the entity's controls over financial reporting 'as of' the end of the reporting period. The purpose of tests of controls in an audit of financial statements is to assist the auditor in assessing control risk, which in turn affects the nature, timing and extent of the auditor's substantive tests.
The auditor should incorporate the results of tests of controls in the audit of ICFR into the tests of controls for the audit of the financial statements, and should use those results for determining the nature, timing and extent of substantive procedures. Similarly, the auditor should consider the results of substantive procedures on the conclusions about the effectiveness of ICFR. For example, if a misstatement is detected by substantive procedures, the auditor should consider how and why the controls failed to detect the misstatement and whether the control deficiency might affect the opinion on the audit of ICFR. Figure 7-2 shows the steps involved in performing an audit of ICFR.
While Figure 7-2 suggests a sequential process, the audit of ICFR involves an iterative process of gathering, updating and analysing information.
Table 7-3 contains some of the factors that may affect the planning of an audit of ICFR. A number of these factors are similar to those discussed in Chapter 3.
In planning an audit of ICFR the auditor considers the following activities:
- The role of risk assessment and the risk of fraud.
- Scaling the audit.
- Using the work of others.
The Role of Risk Assessment and the Risk of Fraud
A major premise of AS5 is that risk assessment underlies the entire audit of ICFR. In other words, there should be a direct relationship between the risk that a material weakness could exist in a particular area of the internal controls of the entity and the amount of audit work that is devoted to that area. Thus, the auditor should devote more attention to areas that have a high risk of a material weakness. This process is very similar to the risk assessment process followed by the auditor in the audit of financial statements that was discussed in Chapter 4.
A major part of risk assessment is assessing the risk of fraud. The auditor should evaluate the risk of material misstatement due to fraud and the risk of management override of controls and consider the effect of the following controls:
- Controls over significant, unusual transactions, particularly those that result in late or unusual journal entries.
- Controls over journal entries and adjustments made in the period-end financial reporting process.
- Controls over related-party transactions.
- Controls related to significant management estimates.
- Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results (AS5, para. 14).
Scaling the Audit
AS5 (para.
13) specifies that the 'size and complexity of the company, its business processes, and business units, may affect the way in which the company achieves many of its control objectives'. Allowing the concepts behind achieving effective internal control to be appropriately scaled to companies of different size and complexity is an extension of the risk-based approach. AS5 explicitly recognizes and allows for the idea that a small, less-complex entity might achieve its control objectives ... accounting information systems used in different parts of the entity. In some cases, entities use dozens or even hundreds of computer spreadsheets to summarize and consolidate detailed data into financial statement accounts. Due to the nature of spreadsheets, there is a heightened risk that controls over spreadsheets will not be effective. The external auditor should determine the risk associated with the entity's use of spreadsheets. Spreadsheets are subject to increased inherent risk (input errors, logic errors, interface errors, etc.). The level of control over a spreadsheet should be relative to its use, complexity and required reliability of the information.
Identifying Significant Accounts and Disclosures and Their Relevant Assertions
The auditor should identify significant accounts and disclosures and their relevant assertions. Relevant assertions are financial statement assertions (see Chapter 5) that have a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated. To identify significant accounts and disclosures and their relevant assertions, the auditor evaluates the following risk factors:
- Size and composition of the account.
- Susceptibility to misstatement due to error or fraud.
- Volume of activity, complexity and homogeneity of the individual transactions processed through the account or reflected in the disclosure.
- Nature of the account or disclosure.
CHAPTER 7 Auditing Internal Control over Financial Reporting
- Accounting and reporting complexities associated with the account or disclosure.
- Exposure to losses in the account.
- Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure.
- Existence of related-party transactions in the account.
- Changes from the prior period in account or disclosure characteristics (AS5, para. 29).

The risk factors that the auditor evaluates for an audit of ICFR are essentially the same as those used in the audit of financial statements.

Understanding Likely Sources of Misstatements

To understand the likely sources of potential misstatements the auditor needs to do the following:
- Understand the flow of transactions related to the relevant assertions.
- Identify the points within the entity's processes at which a misstatement - including a misstatement due to fraud - could arise that would be material.
- Identify the controls that management has implemented to address these potential misstatements.
- Identify the controls that management has implemented over the prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could result in a material misstatement of the financial statements (AS5, para. 4).

Performing a walk-through is often the best way to identify sources of misstatements. To perform a walk-through, the auditor traces a transaction from origination through the entity's processes and information system until it is reflected in the entity's financial reports.

Stop and Think: How do walk-throughs help the auditor in confirming his or her understanding of control design and transaction process flow?
In performing the walk-through the auditor should make inquiries of relevant personnel involved in significant aspects of the process or controls. The auditor should use probing questions to determine entity personnel's understanding of what is required by the controls and to determine whether the processing procedures are performed as understood and on a timely basis. These questions typically include inquiries on how exceptions are handled, how ‘hand-offs’ are properly accomplished between previous and succeeding processes, and who performs the control when an employee is sick or absent. These questions help corroborate the entity's design and transaction flow documentation. Walk-through inquiries should include questions designed to identify abuse of controls (i.e. inappropriate management override) or indicators of fraud.

Select Controls to Test

The auditor does not need to test all controls, only those that are important to the auditor's conclusion about whether the entity's controls sufficiently address the assessed risk of misstatement to each relevant assertion, often referred to as key controls. Identifying the controls to be tested is a subjective task that requires professional judgement. Table 7-4 provides a list of factors that the auditor should consider in deciding which controls to test. The auditor should evaluate whether to test preventive controls, detective controls or a combination of both. For example, a monthly reconciliation (a detective control) might detect an out-of-balance situation resulting from an unauthorized transaction being initiated due to an ineffective authorization procedure (a preventive control).
When determining whether the detective control is effective, the auditor should evaluate whether the detective control is sufficient to achieve the control objective to which the preventive control relates.

The auditor must make decisions similar to management in deciding which locations or business units to include for testing based on the presence of entity-level controls and the financial reporting risk at each individual location or business unit.

Testing the Design and Operating Effectiveness of Controls

Evaluating Design Effectiveness of Controls

Controls are effectively designed when they prevent or detect errors or fraud that could result in material misstatements in the financial statements. Once key controls are identified, the auditor evaluates design effectiveness through inquiry, observation, walk-throughs, inspection of relevant documentation, and subjective evaluations of whether the controls are likely to prevent or detect errors or fraud that could result in misstatements assuming they are operated as prescribed by qualified persons. The procedures performed by the auditor to test and evaluate design effectiveness might in some cases also provide some evidence about operating effectiveness.

Testing and Evaluating Operating Effectiveness of Controls

An auditor evaluates the operating effectiveness of a control by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively. In testing the operating effectiveness of controls, the auditor needs to consider the scope (nature, timing and extent) of testing. For each control selected for testing, the evidence necessary to persuade the auditor that the control is effective depends on the risk that a material weakness would result. As the risk associated with the control being tested increases, the quality and/or quantity of the evidence that the auditor should obtain also increases.
Table 7-5 presents the factors that affect the risk associated with a control.

Nature of Testing

Tests of controls for operating effectiveness include such procedures as inquiry of appropriate personnel, inspection of relevant documentation, observation of the entity's operations and reperformance of the application of the control. In many instances, a combination of these procedures is necessary to ensure that a control is operating effectively. Inquiry is used extensively throughout the audit of internal control. Because inquiry alone does not provide sufficient evidence to support the operating effectiveness of a control, the auditor should perform additional tests of controls.

Stop and Think: Suppose an entity implements a control whereby its sales manager reviews and investigates a report of invoices with unusually high or low gross margins. Would inquiry of the sales manager as to whether he or she investigates discrepancies be sufficient evidence that the control is working effectively? No. The auditor should corroborate the sales manager's responses by performing other procedures, such as inspecting reports generated by the performance of the control and evaluating whether appropriate actions were taken.

The type of control often affects the nature of control testing the auditor can perform. For example, a signature on a voucher package indicates that the signer approved it. However, the presence of a signature does not necessarily mean that the person carefully reviewed the package before signing. As a result, the quality of the evidence regarding the effective operation of the control might not be sufficiently persuasive. To obtain more persuasive evidence the auditor could reperform the control by checking the voucher package for accuracy and completeness, essentially repeating the steps taken to initially perform the control. The auditor might also inquire of the person responsible for approving voucher packages regarding what he or she looks for when approving packages and ask to see documentation of the errors that have been found and rectified in the recent past.

Timing of Tests of Controls

The auditor must perform tests of controls over a period of time that is adequate to determine whether the significant controls were operating effectively ‘as of’ the date indicated in management's report. The
The “esting the Design end Operating Efeiveness of Controls =e pperiod of ime over which the auditor performs tests of controls will vary with the nature of the controls ‘and the frequeney with which they are applied. Some contols operate continuously (e.g. controls over the processing of routine sales transactions), while other controls operate only occasionally (e.g. ‘monthly bank reconciliations). Routine transactions typically involve mutine processing controls, such as verification of data entry edit checks and validation controls, completeness controls, and so forth. For non-routine transactions, especially those involving estimation, view and approval controls are ‘usually considered more critical. In some cases, controls may operate after the ‘as of" date specified ‘in management's report. For example, controls over a 31 December perlod-end financial reporting ‘process normally operate in January ofthe following year. ‘In many instances, the auditor obtains evidence about the operating effectiveness of controls at ‘an interim date for reporting on internal control even though the aud tor’s report on the effectiveness ‘of intemal control is for an ‘as oF date. For example, the auditor might test controls over the revenue process for the first nine months of the yeat. The auditor will then need to determine what additional ‘evidence is needed concerning the operating effectiveness of the ccntrols for the remalning three ‘month period. In deciding what additional evidence is needed, the auditor considers the specific controls tested prior to the ‘as of” date and the results of those tests the sufficiency of the evidence of effectiveness obtained, the length of the remaining period and the poss{bllty thet zhere have been significant changes In intemal control subsequent co the interim dete (ASS, para. 56). 
For controls over significant non-routine transactions, controls over accounts or processes with a high degree of subjectivity or judgement in measurement, or controls over the recording of period-end adjustments, the auditor should perform tests closer to the ‘as of’ date. If management implements changes to the entity's controls to make them more effective or efficient prior to the date specified in management's report, the auditor might not need to evaluate the superseded controls.

Extent of Tests of Controls

AS5 does not provide any detailed guidance on what constitutes a sufficient sample for testing the operating effectiveness of the control. This is left to the auditor as a matter of professional judgement. The auditor should consider the following factors when deciding on the extent of testing:
- Nature of the control. Manual controls should be subjected to more extensive testing than automated controls in view of the greater variability inherent in controls involving people.
- Frequency of operation. Generally, the more frequently a manual control operates, the greater the number of operations of the control the auditor should test.
- Importance of the control. The more important the control, the more extensively it should be tested.

Most public accounting firms have developed firm-wide guidance for the sample sizes used to test various types of controls. Chapter 8 provides guidance on using statistical and non-statistical sampling for tests of controls.

AS5 provides guidance on incorporating knowledge obtained from prior years' audits into the decision-making process for determining the nature, timing and extent of testing for the current-year audit. Factors that may affect the risk associated with a control in the current year include the scope and results of procedures performed in previous audits and whether there have been changes in the control since the previous audit (AS5, para. 68).
For example, if the results for testing a particular control were favourable in the prior year, and no changes were made to the control, the auditor might assess the risk for the control as being lower and reduce the extent of testing in the current year. If the controls are automated, the auditor might consider using a benchmarking strategy. A benchmarking strategy is an approach that allows the auditor to conclude that a previously tested automated control continues to be effective based on indicators of whether there has been any change in the operation of the control rather than on repeating the full extent of the prior detail testing work.
