Chapter 8 Planning and Testing Operating Effectiveness of Internal Control over Financial Reporting Prepared by Richard J. Campbell Copyright 2011, Wiley.


Chapter 8 Planning and Testing Operating Effectiveness of Internal Control over Financial Reporting Prepared by Richard J. Campbell Copyright 2011, Wiley and Sons

Learning Objectives
1. Learn the relationships of a control, evidence available, and tests of the control, including IT impacts.
2. Recognize the importance of audit considerations such as fraud, illegal acts, related parties, multiple locations, and service providers in controls tests.
3. Learn how sampling is applied to controls tests and the risks associated with sampling.
4. Understand the audit risk model.
5. Learn what is included in audit documentation and why it is important.
Chapter 8 -1

Learning Objectives
6. Understand the important judgments involved in evaluating test results and the impact of the severity of ICFR deficiencies.
7. Discuss the practical application of control concepts to ICFR audits.
8. Apply the results of ICFR tests to financial statement audit plans.
Chapter 8 -2

SELECTING THE CONTROLS TO TEST Exhibit 8-1 Tests of ICFR Operating Effectiveness Chapter 8 -3 Learning Objective #1

TESTING METHODS Tests of controls include inquiry, inspection, observation, and reperformance. The auditor performs the audit procedure that tests whether the control objective is achieved. A control objective is a specific target against which to evaluate the effectiveness of controls. A control objective … relates to a relevant assertion and states a criterion for evaluating whether the company’s control procedures in a specific area provide reasonable assurance. (AS 5.A2) Chapter 8 -4 Learning Objective #1

Computer-Assisted Audit Techniques (CAATs) Chapter 8 -5 Learning Objective #1

Computer-Assisted Audit Techniques (CAATs) Chapter 8 -6 Learning Objective #1

Examples of Management Assertions, Control Objectives, and Evaluation Criteria EXHIBIT 8-2 Chapter 8-7 Learning Objective #1

PLANNING THE TESTS
• Define the potential error that results from failure of the control and the appropriate evidence related to the error.
• Identify when testing should be performed.
• Determine the extent of testing needed—how many different types of tests should be performed and how many items to test.
Chapter 8 -8 Learning Objective #1

Define the Error and Identify Evidence Related to the Error Direct documentary evidence does not exist for some controls. Audit evidence regarding management’s philosophy and operating style might be inferred from documents such as the company’s mission statement and code of conduct. For these types of soft controls, the appropriate tests are inquiry of appropriate personnel, corroborated by observing company activities and reading any related documents. Chapter 8 -9 Learning Objective #1

Plan the Timing and Extent of Testing Next the auditor decides the timing of the test—when it is to be performed—and the extent of testing. These decisions are affected by the risk related to the control. Risks associated with a control are: 1. the risk that a control might not be effective and 2. the risk that if a control is not effective a material weakness would result. (AS 5.46) Chapter 8 - 10 Learning Objective #1

TIMING OF TESTS The frequency with which controls operate affects not only the time frame in which the operation of the control is tested, but also the sample size required. The audit procedures for testing automated controls that operate continuously or frequently differ from those that are used for manual controls that operate with similar frequency. Auditors limit the extent of tests of automated controls because the controls function in a consistent manner. Chapter 8-11 Learning Objective #1

Benchmarking
Benchmarking, a testing strategy for completely automated controls, relies on the assumption that automated controls are going to continue to function in a consistent manner unless something changes within the program or in the surrounding environment. Benchmarking is only appropriate when
• both ITGC and application controls are effective.
• ITGC remain strong from year to year.
• the application programs do not change.
Learning Objective #1 Chapter 8-12

Document Availability Some controls can be tested at any time after their operation by inspection of documents—either paper or electronic—and reperformance of the control steps. When a company’s documentary evidence is retained for limited periods of time or hardcopy records are changed into electronic format, the auditor considers this policy when developing the audit plan. Chapter 8-13 Learning Objective #1

Updating Interim Audit Work When auditors perform control testing at an interim date, additional tests are usually needed closer to the end of the fiscal period. The auditor may not need to test controls that were in place earlier in the year if they have been changed or were replaced later during the year under audit. If the controls in place early in the year were not effective and the auditor did not test them, more substantive evidence about the affected account balances is needed. Chapter 8-14 Learning Objective #1

EXTENT OF TESTS Each audit must collect persuasive evidence about the effectiveness of all controls for relevant assertions for all significant accounts and disclosures every year. The extent of testing needed to provide the auditor with evidence that a control is performing effectively depends on the nature of the control. Manual controls—those relying on the company’s personnel—generally require more testing than automated controls. Learning Objective #1 Chapter 8-15

Period-End Reporting Process EXHIBIT 8-3 Examples of Controls in the Period-End Financial Reporting Process Learning Objective #1 Chapter 8-16

Period-End Reporting Process EXHIBIT 8-3 Examples of Controls in the Period-End Financial Reporting Process Chapter 8-17 Learning Objective #1

Period-End Reporting Process EXHIBIT 8-3 Examples of Controls in the Period-End Financial Reporting Process Chapter 8-18 Learning Objective #1

Period-End Reporting Process EXHIBIT 8-3 Examples of Controls in the Period-End Financial Reporting Process Chapter 8-19 Learning Objective #1

FRAUD The auditor’s assessment of fraud risk begins with the client acceptance and continuance process and continues as the auditor gains an understanding of the system and assesses design of ICFR. Results of tests of controls, including anti-fraud controls, may cause the auditor to perform additional tests or modify the plan for the financial statement audit. Chapter 8-20 Learning Objective #2

FRAUD RISK Chapter 8-21 Learning Objective #2

ILLEGAL ACTS Chapter 8-22 Learning Objective #2

RELATED PARTY TRANSACTIONS Related party transactions are transactions conducted with an entity or a person meeting the definition of a related party set forth in the FASB definition of related parties. Related parties include: Chapter 8-23 Learning Objective #2

SAMPLING Basically, an auditor has the option of examining 100% of a company’s financial evidence and records or looking at some subset of that information. Obtaining audit evidence based on a subset of the information often involves sampling. When the auditor does not examine or test all of the items in the targeted population of the account balance or class of transactions, sampling risk is introduced into the audit processes. Chapter 8-24 Learning Objective #3

Planning the Sample Exhibit 8-4 Impact of Sampling Error on Audit Decisions Chapter 8-25 Learning Objective #3

Sampling Risk Chapter 8-26 Learning Objective #3

Approaches to Sampling
A sample may be randomly selected based on identifying document numbers produced by a random number generator computer program. Nonsampling risk includes:
• The risk that the auditor will use an audit procedure that is not appropriate for what the test is intended to accomplish.
• The risk that the auditor may fail to detect a problem when applying an audit procedure.
• The risk that the auditor may misinterpret an audit result.
Chapter 8-27 Learning Objective #3

Sampling and ICFR Testing
Attribute sampling is the term often used to describe the audit process when an auditor applies sampling methods to an ICFR sampling and testing procedure.
• The first decision is how much risk the auditor is willing to accept of concluding that the internal control is operating effectively when it is not.
• The second decision involves determining the tolerable deviation rate.
• The third decision deals with the likely rate of deviation in the population. Likely rate of deviation is also called the expected population deviation rate.
Chapter 8-28 Learning Objective #3

Factors Affecting Sample Size EXHIBIT 8-5 Chapter 8-29 Learning Objective #3

AUDIT RISK MODEL Audit risk is the risk that the auditor may unknowingly fail to appropriately modify the opinions on ICFR and the financial statements. Engagement risk is a term used for the overall risk to the auditor of being associated with a client. Chapter 8-30 Learning Objective #4

AUDIT RISK MODEL
• AR stands for audit risk.
• RMM is the risk of material financial statement misstatement.
• IR stands for inherent risk.
• CR stands for control risk.
• DR stands for detection risk.
• TD is the risk that a material misstatement will be missed by the auditor’s tests of details of balances.
• AP is the risk that a material misstatement is missed by the audit’s analytical procedures.
Chapter 8-31 Learning Objective #4

Inherent Risk and Control Risk Inherent risk results from the nature of the account or class of transactions. Control risk deals with the likelihood that any problems that occur with an account or class of transactions will not be prevented or detected by the company’s ICFR. Chapter 8-32 Learning Objective #4

Relationships of Audit Assurance and Characteristics EXHIBIT 8-6 Chapter 8-33 Learning Objective #4

AUDIT DOCUMENTATION Chapter 8-34 Learning Objective #5

AUDIT DOCUMENTATION Permanent files include information that is relevant to the company and its audit for recurring engagements. The current files include all the information and audit evidence relating to the current integrated audit engagement. Chapter 8-35 Learning Objective #5

AUDIT DOCUMENTATION Chapter 8-36 Learning Objective #5

AUDIT DOCUMENTATION Chapter 8-37 Learning Objective #5

EVALUATING THE RESULTS
The testing and evaluation process for tests of ICFR operating effectiveness can be summarized as follows:
• Conduct the control test procedures (e.g., inquiry, inspection, observation, reperformance) that compare actual operations of ICFR to the control objective and evaluation criterion.
• Identify control errors or deviations from control procedures.
• Determine whether the deviation rate of each control is high enough to be a control deficiency.
• Consider both qualitative and quantitative factors related to the deficiency.
• Determine whether any deficiencies identified, either individually or in combination, meet the threshold of a significant deficiency or material weakness.
Chapter 8-38 Learning Objective #6

ADDITIONAL DOCUMENTATION CONSIDERATIONS Chapter 8-39 Learning Objective #5

“BIG PICTURE” TOPICS AND OPERATING EFFECTIVENESS When auditing the operating effectiveness of ICFR, testing entity-level and pervasive controls may or may not be sufficient to make a conclusion about operating effectiveness. “Softer” internal control components mentioned by the COSO IC Framework, such as management’s philosophy and operating style, require a different kind of testing than controls that produce documents as evidence. Chapter 8-40 Learning Objective #7

IMPACT OF OUTSOURCING
When planning the tests of the operation of controls, the auditor considers processes that are performed for the client by service organizations or third-party service providers. Examples of service organizations are (AU 324.03):
• bank trust departments that invest and service assets for employee benefit plans and for others
• mortgage bankers that service mortgages for others
• application service providers that provide packaged software applications and a technology environment that enables customers to process financial and operational transactions.
Chapter 8-41 Learning Objective #7

ICFR EFFECTIVENESS AND THE FINANCIAL STATEMENT AUDIT If ICFR was effective throughout the entire year, or even a specified part of the year, the auditor can, in the financial statement audit, choose to rely on the controls for the period that they were effective. Chapter 8-42 Learning Objective #8

APPENDIX A: TESTING IT APPLICATION CONTROLS AND COMPUTER-ASSISTED AUDIT SOFTWARE
A test data approach, parallel simulation, and integrated test facility are three well-known examples of automated controls tests. Common input validation controls that the auditor might test using test data include the following.
• Access control and authorization
• Limit check
• Range check
• Validity check
• Completeness check
Chapter 8-43 Appendix A
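The test data approach named on this slide, as an added example that is not part of the original presentation: the auditor builds a deck of transactions with results predicted in advance, runs it through the application's edit routine, and reports every case where the actual result differs. The `validate` routine, the vendor list, the limits and the fiscal period are all constructed stand-ins for a client system.

```python
from datetime import date

# Constructed stand-ins for the client's master data and policy tables.
APPROVED_VENDORS = {"V-1001", "V-1002"}
APPROVAL_LIMIT = {"clerk": 5_000, "manager": 50_000}
MAX_DISBURSEMENT = 100_000
PERIOD = (date(2011, 1, 1), date(2011, 12, 31))
REQUIRED = ("vendor_id", "amount", "pay_date", "approver")


def validate(txn):
    """Hypothetical application edit routine: names of the controls that reject txn."""
    if any(txn.get(field) in (None, "") for field in REQUIRED):
        return {"completeness"}  # nothing else can be evaluated on a partial record
    failed = set()
    if txn["vendor_id"] not in APPROVED_VENDORS:
        failed.add("validity")
    if txn["amount"] > MAX_DISBURSEMENT:
        failed.add("limit")
    if not PERIOD[0] <= txn["pay_date"] <= PERIOD[1]:
        failed.add("range")
    if txn["amount"] > APPROVAL_LIMIT.get(txn["approver"], 0):
        failed.add("authorization")
    return failed


def validate_limit_removed(txn):
    """The same routine after a constructed program change that dropped the limit check."""
    return validate(txn) - {"limit"}


GOOD = {"vendor_id": "V-1001", "amount": 1_200,
        "pay_date": date(2011, 6, 30), "approver": "clerk"}

# Auditor's test deck: each record carries the result predicted before the run.
TEST_DECK = [
    ("valid disbursement", GOOD, set()),
    ("missing vendor", {**GOOD, "vendor_id": ""}, {"completeness"}),
    ("unknown vendor", {**GOOD, "vendor_id": "V-9999"}, {"validity"}),
    ("date outside period", {**GOOD, "pay_date": date(2012, 1, 2)}, {"range"}),
    ("clerk over own limit", {**GOOD, "amount": 5_001}, {"authorization"}),
    ("over ceiling", {**GOOD, "amount": 100_001, "approver": "manager"},
     {"limit", "authorization"}),
]


def run_test_deck(validator, deck=TEST_DECK):
    """Process the deck and return the exceptions: cases where actual != predicted."""
    exceptions = []
    for name, txn, predicted in deck:
        actual = validator(txn)
        if actual != predicted:
            exceptions.append((name, sorted(predicted), sorted(actual)))
    return exceptions


if __name__ == "__main__":
    print("as designed:", run_test_deck(validate))
    print("after program change:", run_test_deck(validate_limit_removed))
```

Re-running the same deck after a program change is what shows whether an automated control still operates as it did when it was last tested.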

Using Computer-Assisted Audit Software to Facilitate Testing Some audit software is proprietary, being owned by a specific audit firm. However, various packages can be purchased and are widely used by many firms. ACL, short for Audit Command Language, is a popular and widely used audit software package. An important audit step performed by audit software is to examine the data for unusual transactions, errors, and unauthorized transactions. Appendix A Chapter 8-44

APPENDIX B: STATISTICAL TECHNIQUES AND TESTS OF CONTROLS
Specific steps and an example of how they can be applied to a control test for cash disbursements follow:
1. Determine the objective of the audit procedure.
2. Define the population to be sampled.
3. Specify the item that is to be selected.
4. Define the characteristic the auditor wants to examine.
5. Design the test of the control.
6. Determine the sample size.
7. Perform the audit procedures and document the results.
8. Calculate the rate of deviation found in the sample and the upper deviation rate.
9. Form final conclusions about the results.
Chapter 8-45 Appendix B
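Steps 6, 8 and 9 carried through in code, as an added example that is not part of the original presentation. The slides give no formula, so the exact one-sided binomial bound used here is an assumption about how the upper deviation rate is computed, and the rates and sample counts are constructed inputs.

```python
from math import ceil, comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): chance of finding k or fewer deviations."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(tolerable_rate, expected_rate, risk, max_n=5000):
    """Step 6: smallest n such that, if the sample shows no more than the expected
    number of deviations, the upper deviation rate stays within the tolerable rate.
    `risk` is the accepted risk of concluding the control is effective when it is not."""
    for n in range(1, max_n + 1):
        allowed = ceil(expected_rate * n)
        if binom_cdf(allowed, n, tolerable_rate) <= risk:
            return n
    raise ValueError("no sample size up to max_n meets the stated risk")


def upper_deviation_rate(n, deviations, risk):
    """Step 8: population deviation rate p at which P(X <= deviations) falls to `risk`
    (exact one-sided binomial upper bound, found by bisection)."""
    if deviations >= n:
        return 1.0
    lo, hi = deviations / n, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid  # bound not yet reached, true rate could still be higher
        else:
            hi = mid
    return hi


def evaluate(n, deviations, tolerable_rate, risk):
    """Steps 8-9: sample rate, upper rate, and whether the result supports reliance."""
    upper = upper_deviation_rate(n, deviations, risk)
    return {
        "sample_rate": deviations / n,
        "upper_rate": upper,
        "within_tolerable": upper <= tolerable_rate,
    }


if __name__ == "__main__":
    # Constructed cash-disbursement test: 5% risk, 5% tolerable rate, 1% expected rate.
    n = sample_size(tolerable_rate=0.05, expected_rate=0.01, risk=0.05)
    print("sample size:", n)
    for found in (1, 3):
        print(found, "deviations:", evaluate(n, found, tolerable_rate=0.05, risk=0.05))
```

A sample deviation rate below the tolerable rate is not enough on its own: with three deviations the sample rate is about 3.2%, yet the upper deviation rate exceeds 5%.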

Review Question
Which of the following types of evidence provides the least assurance regarding the effective operations of ICFR?
(a) Confirmations of accounts receivable
(b) Computer logs documenting attempts at unauthorized access to the system
(c) Documents containing initials of the person authorizing the transaction being examined
(d) Oral responses to auditor inquiry during walkthroughs
Chapter 8-46

Review Question
The operating effectiveness of controls that are intended to prevent fraud is:
(a) tested based on the initial plan drafted immediately after client acceptance.
(b) tested as a result of the information on fraud risk obtained from the internal audit staff.
(c) tested, and results are used as one source of information for the auditor’s assessment of fraud risk.
(d) will not likely affect subsequent audit procedures that have already been planned.
Chapter 8-47

Review Question
When the auditor identifies a material misstatement in the financial statements in the current period that would not have been identified by the company’s ICFR,
(a) a material weakness in ICFR exists.
(b) the deficiency should be evaluated to determine whether it is a deficiency.
(c) the situation should be regarded as an indicator of a material weakness in ICFR.
(d) the auditor should reconsider whether the financial statement misstatement is actually material.
Chapter 8-48

Copyright “Copyright © 2011 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.”