280 likes | 412 Views
BA 427 – Assurance and Attestation Services . Lecture 21 Tests of Controls. Lecture 21 – Tests of Controls. Management’s assertions: Existence or occurrence. Completeness. Rights and obligations. Valuation or allocation. Presentation and disclosure. Lecture 21 – Tests of Controls.
E N D
BA 427 – Assurance and Attestation Services Lecture 21 Tests of Controls
Lecture 21 – Tests of Controls • Management’s assertions: • Existence or occurrence. • Completeness. • Rights and obligations. • Valuation or allocation. • Presentation and disclosure.
Lecture 21 – Tests of Controls • Audit risk: • Inherent Risk • Control Risk • Detection Risk
Lecture 21 – Tests of Controls • Audit risk: • Inherent Risk: • The susceptibility of an assertion to a material misstatement assuming no related controls exist. • Control Risk • Detection Risk
Lecture 21 – Tests of Controls • Audit risk: • Inherent Risk • Control Risk: • The risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity’s internal control system. • Detection Risk
Lecture 21 – Tests of Controls • Audit risk: • Inherent Risk • Control Risk • Detection Risk: • The risk that the external auditor will not detect a material misstatement that exists in an assertion. • Can be broken down into TD x AP: • TD = the risk for tests of details • AP = the risk for analytical procedures and other procedures
Lecture 21 – Tests of Controls The audit risk model: AR = Audit Risk AR = IR x CR x DR The auditor establishes AR as an overall goal, assesses IR, and then plans the audit to achieve levels of CR and DR that results in the targeted AR.
Lecture 21 – Tests of Controls • Control risk: An evaluation of the effectiveness of internal controls in preventing or detecting material misstatements. • Control risk is stated in terms of the financial statement assertions: • Existence or occurrence. • Completeness. • Rights and obligations. • Valuation or allocation. • Presentation and disclosure.
Lecture 21 – Tests of Controls • Reasons to set control risk at 100% (primarily pertains to nonpublic companies): • Controls are unlikely to pertain to an assertion. • Controls are unlikely to be effective. • Evaluating effectiveness would be inefficient.
Lecture 21 – Tests of Controls • Procedures necessary to set control risk below 100%: • Identify specific controls relevant to specific assertions. • Some controls have pervasive effects, whereas other controls affect only a specific assertion. • Test controls. • Reach a conclusion on the assessed level of control risk.
Lecture 21 – Tests of Controls • Test controls • There are procedures to evaluate the effectiveness of a control’s design, which are concerned with whether the control is suitably designed to prevent or detect material misstatements. • There are procedures to evaluate the operating effectiveness of controls. • In some cases, the same procedure can serve either or both purposes.
Lecture 21 – Tests of Controls • Test controls • In general, sample sizes will be larger when testing the operating effectiveness of controls than when obtaining evidence about the design of controls. • Also, tests of the operating effectiveness of controls need to cover an adequate time period. Tests of the design of controls can be drawn from a single point in time.
Lecture 21 – Tests of Controls • Test controls • The following procedures can be used to evaluate the design of controls: • Inquiry of entity personnel • Inspection of documents and reports • Observation of the application of the control • Narratives • Internal control questionnaires • Flowcharts
Lecture 21 – Tests of Controls • Test controls • The following procedures can be used to test the operating effectiveness of controls: • Inquiry of entity personnel • Inspection of documents and reports • Observation of the application of the control • Reperformance by the auditor
Lecture 21 – Tests of Controls • Inquiry of entity personnel • This procedure is legitimate, although it provides relatively weak evidence that the control is operating as described.
Lecture 21 – Tests of Controls • Inspection of documents and reports • This procedure provides strong evidence that the control is operating. • Requires that the control leaves an audit trail.
Lecture 21 – Tests of Controls • Observation of the application of the control: • Particularly helpful if there is an identified control that does not leave an audit trail. • Example: segregation of duties.
Lecture 21 – Tests of Controls • Reperformance by the auditor: • Particularly helpful if there is an identified control that does not leave an audit trail. • Example: Trace sales prices to an authorized price list.
Lecture 21 – Tests of Controls • Walkthroughs • The auditor • selects one or a few documents for the initiation of a transaction type. • traces the documents through the entire accounting process. • makes inquiries and observes current activities at each stage of the processing of the transaction. • examines completed documentation for the transactions.
Lecture 21 – Tests of Controls • Walkthroughs • PCAOB Auditing Standard No. 2 requires walkthroughs for each major class of transactions.
Lecture 21 – Tests of Controls • Sarbanes-Oxley Section 404 • There is an obvious and close connection between tests of controls in support of the auditor’s assessment of control risk in the Audit Risk Model, and tests of controls in connection with the auditor’s reporting requirements under Section 404.
Nonpublic Company Public Company Sufficient to audit financial statements Sufficient to audit internal control over financial reporting Obtain an understanding of internal control: design and operation
Nonpublic Company Public Company Sufficient to audit financial statements Sufficient to audit internal control over financial reporting Obtain an understanding of internal control: design and operation Low, medium or high Decide on control risk for each transaction type Select “low”
Nonpublic Company Public Company Sufficient to audit financial statements Sufficient to audit internal control over financial reporting Obtain an understanding of internal control: design and operation Low, medium or high Decide on control risk for each transaction type Select “low” Extent of testing depends on cost-benefit analysis Extensive tests for all objectives Plan and perform tests of controls and evaluate results
Nonpublic Company Public Company Extent of testing depends on cost-benefit analysis Extensive tests for all objectives Plan and perform tests of controls and evaluate results Revise assessed control risk, if necessary
Nonpublic Company Public Company Extent of testing depends on cost-benefit analysis Extensive tests for all objectives Plan and perform tests of controls and evaluate results Revise assessed control risk, if necessary Likely to be more substantive testing, depending on control risk Plan detection risk and perform substantive tests in accordance with the A.R.M. Likely to be less substantive testing
Nonpublic Company Public Company Must communicate, preferably in writing, to the audit committee or its equivalent, describing significant deficiencies and material weaknesses. Must issue a report on internal control over financial reporting and issue a written communication to the audit committee describing significant deficiencies and material weaknesses. Issue internal control report or letter