ba 427 – assurance and attestation services
DESCRIPTION
BA 427 – Assurance and Attestation Services . Lecture 21 Tests of Controls. Lecture 21 – Tests of Controls. Management’s assertions: Existence or occurrence. Completeness. Rights and obligations. Valuation or allocation. Presentation and disclosure. Lecture 21 – Tests of Controls. - PowerPoint PPT PresentationTRANSCRIPT
BA 427 – Assurance and Attestation Services
Lecture 21Tests of Controls
Lecture 21 – Tests of Controls Management’s assertions:
Existence or occurrence. Completeness. Rights and obligations. Valuation or allocation. Presentation and disclosure.
Lecture 21 – Tests of Controls Audit risk:
Inherent Risk Control Risk Detection Risk
Lecture 21 – Tests of Controls Audit risk:
Inherent Risk: The susceptibility of an assertion to a
material misstatement assuming no related controls exist.
Control Risk Detection Risk
Lecture 21 – Tests of Controls Audit risk:
Inherent Risk Control Risk:
The risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity’s internal control system.
Detection Risk
Lecture 21 – Tests of Controls Audit risk:
Inherent Risk Control Risk Detection Risk:
The risk that the external auditor will not detect a material misstatement that exists in an assertion.
Can be broken down into TD x AP: TD = the risk for tests of details AP = the risk for analytical procedures and
other procedures
Lecture 21 – Tests of Controls
The audit risk model:
AR = Audit Risk
AR = IR x CR x DR
The auditor establishes AR as an overall goal, assesses IR, and then plans the audit to achieve levels of CR and DR that results in the targeted AR.
Lecture 21 – Tests of Controls Control risk: An evaluation of the effectiveness
of internal controls in preventing or detecting material misstatements.
Control risk is stated in terms of the financial statement assertions: Existence or occurrence. Completeness. Rights and obligations. Valuation or allocation. Presentation and disclosure.
Lecture 21 – Tests of Controls Reasons to set control risk at 100%
(primarily pertains to nonpublic companies): Controls are unlikely to pertain to an
assertion. Controls are unlikely to be effective. Evaluating effectiveness would be
inefficient.
Lecture 21 – Tests of Controls Procedures necessary to set control risk
below 100%: Identify specific controls relevant to specific
assertions. Some controls have pervasive effects, whereas
other controls affect only a specific assertion. Test controls. Reach a conclusion on the assessed level of
control risk.
Lecture 21 – Tests of Controls Test controls
There are procedures to evaluate the effectiveness of a control’s design, which are concerned with whether the control is suitably designed to prevent or detect material misstatements.
There are procedures to evaluate the operating effectiveness of controls.
In some cases, the same procedure can serve either or both purposes.
Lecture 21 – Tests of Controls Test controls
In general, sample sizes will be larger when testing the operating effectiveness of controls than when obtaining evidence about the design of controls.
Also, tests of the operating effectiveness of controls need to cover an adequate time period. Tests of the design of controls can be drawn from a single point in time.
Lecture 21 – Tests of Controls Test controls
The following procedures can be used to evaluate the design of controls: Inquiry of entity personnel Inspection of documents and reports Observation of the application of the
control Narratives Internal control questionnaires Flowcharts
Lecture 21 – Tests of Controls Test controls
The following procedures can be used to test the operating effectiveness of controls: Inquiry of entity personnel Inspection of documents and reports Observation of the application of the
control Reperformance by the auditor
Lecture 21 – Tests of Controls Inquiry of entity personnel
This procedure is legitimate, although it provides relatively weak evidence that the control is operating as described.
Lecture 21 – Tests of Controls Inspection of documents and reports
This procedure provides strong evidence that the control is operating.
Requires that the control leaves an audit trail.
Lecture 21 – Tests of Controls Observation of the application of the
control: Particularly helpful if there is an
identified control that does not leave an audit trail.
Example: segregation of duties.
Lecture 21 – Tests of Controls Reperformance by the auditor:
Particularly helpful if there is an identified control that does not leave an audit trail.
Example: Trace sales prices to an authorized price list.
Lecture 21 – Tests of Controls Walkthroughs
The auditor selects one or a few documents for the
initiation of a transaction type. traces the documents through the entire
accounting process. makes inquiries and observes current
activities at each stage of the processing of the transaction.
examines completed documentation for the transactions.
Lecture 21 – Tests of Controls Walkthroughs
PCAOB Auditing Standard No. 2 requires walkthroughs for each major class of transactions.
Lecture 21 – Tests of Controls Sarbanes-Oxley Section 404
There is an obvious and close connection between tests of controls in support of the auditor’s assessment of control risk in the Audit Risk Model, and tests of controls in connection with the auditor’s reporting requirements under Section 404.
Nonpublic Company Public Company
Obtain an understanding of internal control: design and operation
Sufficient to audit financial statements
Sufficient to audit internal control over financial reporting
Nonpublic Company Public Company
Obtain an understanding of internal control: design and operation
Sufficient to audit financial statements
Sufficient to audit internal control over financial reporting
Decide on control risk for each transaction type
Low, medium or high
Select “low”
Nonpublic Company Public Company
Obtain an understanding of internal control: design and operation
Sufficient to audit financial statements
Sufficient to audit internal control over financial reporting
Decide on control risk for each transaction type
Low, medium or high
Select “low”
Plan and perform tests of controls and evaluate results
Extensive tests for all objectives
Extent of testing depends on cost-benefit analysis
Nonpublic Company Public Company
Plan and perform tests of controls and evaluate results
Extensive tests for all objectives
Extent of testing depends on cost-benefit analysis
Revise assessed control risk, if necessary
Nonpublic Company Public Company
Plan and perform tests of controls and evaluate results
Extensive tests for all objectives
Extent of testing depends on cost-benefit analysis
Revise assessed control risk, if necessary
Plan detection risk and perform substantive tests in accordance with the A.R.M.
Likely to be less substantive testing
Likely to be more substantive testing, depending on control risk
Nonpublic Company Public Company
Issue internal control report or letter
Must issue a report on internal control over financial reporting and issue a written communication to the audit committee describing significant deficiencies and material weaknesses.
Must communicate, preferably in writing, to the audit committee or its equivalent, describing significant deficiencies and material weaknesses.