ch08-sm-moroney-3e-answer-for-chapter-8-of-auditing-a-practical-approach
advertisement
lOMoARcPSD|8624398 Ch08 sm moroney 3e - Answer for Chapter 8 of Auditing: A practical approach Auditing (Victoria University) StuDocu is not sponsored or endorsed by any college or university Downloaded by Parteek Singh (Parteek.singh30@gmail.com) lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach rd 3 edition by Moroney, Campbell and Hamilton Prepared by Jane Hamilton © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e Chapter 8: Execution of the audit – testing of controls Review questions 8.11 What is the difference between entity-level controls and transaction-level controls? Entity level controls are the collection of the internal control components of control environment, entity’s risk assessment process, the information system, control activities, and control monitoring (ASA 315/ISA315). The entity level controls exist at an organisational or entity level rather than at a more detailed transaction level. Transaction level controls operate at the transaction level. For example, there are controls; such as the authorisation required for sales above a certain amount, and reconciling and accounting for every cheque issued through a bank reconciliation statement. Transaction level controls operate at a much lower level than entity controls and have the best chance of preventing things going wrong with transactions, or detecting when they have gone wrong. 8.12 Explain the purpose of (a) prevent controls and (b) detect controls. Why would it be important for an entity to have both types of controls? Controls have two main objectives: to prevent or detect misstatements in the financial report, or to support the automated parts of the business in the functioning of the controls in place. The prevent controls are designed to stop fraud or errors from occurring. The prevent controls are applied to each transaction with the objective that all transactions that are entered into the client’s accounting system do not contain any errors. The detect controls are designed to detect fraud or errors that have occurred. As such, they are applied after transactions have been processed with the objective that any transactions that were entered into the client’s accounting system with error are detected so that they can be rectified. Ideally, the prevent controls would stop all fraud and error, so that detect controls are not necessary. However, because prevent controls do not work at 100% effectiveness, the detect controls are necessary. Prevent controls are normally expected to be less than 100% effective because of factors such as: Management override of the controls. Failure to apply the prevent controls due to staff tiredness, busyness, or malfunctioning hardware or software. Also, the prevent controls may not leave an auditable trail when they are applied. This means that it is not always easy to verify if the prevent control has worked. For example, there may be a signature of the person authorising the transaction, but it is not clear if the transaction was carefully checked before it was authorised. Also, the prevent control may not leave any evidence if the transaction is not processed © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.2 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls (because it was not correct). An effective detect control will provide additional assurance that the transaction was checked because it shows the errors detected. The system should not rely solely on detect controls. Prevent controls are necessary to support the detect controls because the detect controls are unlikely to be sensitive enough to detect all errors after they enter the records. 8.13 The form completed by casual employees to claim overtime requires a signature from the supervisor before payroll will process the claim. Is this a prevent or detect control? Explain. In this case, requiring a signature on a form means that the form must be authorised by that person before it can be processed. The absence of a signature is supposed to prevent an incorrect, or unauthorised, form being processed. This means that it is a prevent control. 8.14 A junior employee must prepare a bank reconciliation and submit it to the manager. Is this a prevent or detect control? Explain. Bank reconciliations are classified as detect controls because their purpose is to detect errors that have been made. They operate after the transactions have been created and processed, so cannot be classified as ‘prevent controls’. A bank reconciliation will detect delays in depositing receipts, incorrect recording of the amount of a cheque etc., and by detecting the error, allowing it to be corrected. 8.15 What does “ITGC” stand for? Explain their purpose. ITGC means Information Technology General Controls. The three types of ITGCs are: 1. program change controls – only appropriately authorised, tested and approved changes are made to applications, interfaces, databases and operating systems. 2. logical access controls – only authorised personnel have access to data and applications and can perform only authorised tasks and functions. 3. other ITGCs, including regular and timely back-ups of data, following up and resolving program faults and errors in a timely manner, following up any deviations from scheduled processing on a timely basis, and planning upgrades to programs and applications on a timely basis. These controls are ‘general’ because they do not relate to a specific program, or type of transaction process. They apply generally to the IT system. The purpose of these controls is to support the functioning of the IT system. They are prevent and detect controls, and provide evidence supporting the auditor’s reliance on the electronic audit evidence. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.3 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e 8.16 What is the difference between observation and inspection of physical evidence? Observation means the auditor observes the control being performed. Inspection of physical evidence means that the auditor inspects the documents for evidence that the control was performed. Inspection of physical evidence is normally more reliable than observations because the auditor gathers evidence about the performance of the controls in detail. However, the evidence is not complete because, for example, finding a signature on a document does not prove that the person signing read and understood the contents of the document. Observation is less reliable than inspection of physical evidence because the people performing the control may be on their ‘best behaviour’ when they are observed. The auditor does not know if they always perform the control well. The auditor could gather more evidence from the documents on multiple dates. 8.17 Does an auditor have to test every control? Explain. An auditor does not have to test every control because some controls are redundant or control errors that are not likely to result in material misstatements of the financial report. The auditor would select the controls that will provide the most efficient and effective audit evidence (that the controls are working). The auditor selects the controls that they believe are critical to their opinion. Factors affecting the auditor’s decision about which controls to test include: type of control frequency of the controls level of assurance that the auditor wants to gain. Generally, the auditor tests controls that address the WCGWs the most effectively with the least amount of testing. If one control addresses multiple WCGWs, then it would be most likely to be selected for testing. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.4 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls 8.18 What factors do auditors consider when deciding how much control testing to do? The factors affecting the auditor’s decision about how much control testing to do include: the frequency of the control’s operation the level of assurance required (i.e. how much the auditor will rely on the control to reduce substantive testing) the persuasiveness of the evidence gained from testing the control the need to be sure that the control operated throughout the period the existence of a combination of controls address the WCGW the relative importance of the WCGW being addressed the likelihood that the control operated as intended (i.e. how competent are the staff, the quality of the control environment, changes in the accounting system, unexplained changes in related account balances, the auditor’s prior period experience with the client). 8.19 What is the premise underlying the use of benchmarking? Why is it helpful to the auditor? Benchmarking is the audit testing strategy that allows the auditor to carry forward the benefit of certain application controls testing into future periods, such as from an interim date to the rest of the year, or to future years. The premise underlying the use of benchmarking is the idea that a computer will continue to perform any given procedure in exactly the same way until such time as the program (or application) is changed. This means that if the auditor can show that there has been no change in the program or the application, the auditor can continue to rely on the results of testing the program or application in previous periods. The auditor is likely to be more successful in showing the absence of change if the overall control environment is strong, the length of time between the original test and the audit test period is shorter, and the specific program or application is more defined and likely to be stable. In addition, the decision to use benchmarking is more likely if the results of other tests are consistent and the consequences of failing to detect changes because of the reliance on benchmarking are less severe. Benchmarking is helpful to the auditor because the auditor’s testing is reduced. Instead of re-testing the program or application, the auditor needs to test only the lack of changes to the program or application. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.5 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e 8.20 Discuss the concepts of nature, timing and extent as they relate to controls testing. Nature refers to the type of test (enquiry, observation, inspection of physical evidence, re-performance). As discussed in review question 8.16, the types of tests vary in the reliability of the evidence produced. Timing refers to the date of testing (i.e. interim vs. year-end). Interim testing is common for controls testing because it provides evidence about control risk which influences the nature, timing and extent of substantive testing to be conducted at or near year-end. Further control testing is conducted during the remainder of the year to provide evidence that the controls continue to operate effectively throughout the financial period. Extent refers to the number of items tested (i.e. size of the sample). A larger sample provides more reliable evidence about the strength of controls, and would be used if the auditor wishes to gain a higher level of assurance from the controls testing. 8.21 What is the relationship between the results of tests of controls and substantive testing? If an auditor assesses control risk as being less than high, the auditor must gather evidence from controls testing to support their assessment. If the evidence shows that control risk is less than high, the auditor can tolerate a higher level of detection risk. Higher detection risk means that the auditor can adjust the nature, timing, and extent of substantive testing such that less evidence is required from these tests. Therefore, the evidence gathered from tests of controls can provide a reasonable level of assurance that there are no material misstatements in the financial report. In this case, the auditor will perform only limited substantive testing (perhaps relying on analytical review). If the auditor is able to obtain only limited assurance from tests of controls, the auditor will need to perform more substantive testing. If the auditor is unable to gain any assurance from controls testing, the auditor will perform considerable substantive testing. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.6 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls 8.22 Explain the process of documenting the auditor’s conclusions. What must be documented? The auditor would document the results of the control testing, including the purpose of the tests and the deviations found. The auditor must document the action taken, if any, to resolve the exceptions or issues that arose during the controls testing. For example, there could be a compensating control which was working effectively, so that the auditor did not need to do further testing. Alternatively, the auditor would document the additional work done to resolve the issue, or the adjustment to substantive tests to take into account the higher than expected control risk. The tests are documented in detail: the actual control being tested the purpose of the test the work performed (e.g. the items selected for testing) the results of testing each item whether the test results supported overall purpose of the test details on audit personnel performing the test, date of the tests. The documents should allow another auditor to review the working paper, re-perform the steps and reach the same conclusion as the original auditor. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.7 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e Professional application questions 8.23 Performance indicators The audit assistant has been assigned to review performance indicators in the procurement department of Kentucky Kapers, a manufacturing audit client. The assistant reports to you that he has obtained a copy of reports used by the supervisor in the procurement department to assess the performance of the purchasing team. The reports include details of orders processed per day, backlog of orders and time taken to clear the backlog (on a weekly basis), and overtime requests by staff in the department. The assistant also reports that his discussions with the supervisor reveal that the performance indicators are used to manage the department, but are not used for follow-up on unexpected results in the financial reporting system. Required Are the performance indicators in the report useful as audit evidence for the financial report audit? Explain. The performance indicators appear to be useful to the client. That is, the supervisor of the procurement department uses the performance indicators in the reports to assess the performance of the purchasing team. This means that the client has faith in the quality of the data. As such, the auditor has more confidence in the data. However, the supervisor also reveals that the performance indicators are not used for follow-up on unexpected results in the financial reporting system. The performance indicators are based on non-financial data. Although the non-financial data are relevant to financial data (e.g. overtime requests would be related to payroll expense classified as overtime payments), the client does not appear to relate the performance indicators to the financial reporting system. This means that the relevance of the indicators to the topic of the financial report audit is lower. The auditor could conduct tests of the non-financial data to gain additional assurance about their reliability, including their relation to the financial data, before using them in the audit. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.8 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls 8.24 Controls testing results Washington Cleaning has more than 50 employees and has several contracts to clean offices in the central business district. In order to keep disruption to a minimum, the teams of cleaners do not commence work until after 6 pm each night. In the working papers documenting the control testing results the senior auditor notices that there was one instance of a part-time staff member for Washington Cleaning being paid an incorrect hourly rate. Required Explain why the result shows a control exception (deviation). The audit evidence is that there is one instance of a part-time staff member being paid an incorrect hourly rate. The fact that the payment was incorrect is evidence that the procedures for calculating and checking the payments have failed in some way. The client’s controls for preventing the error should have stopped the incorrect payment being made. An example of such a control would be a step in the system that would not have allowed the payroll clerk to select the incorrect rate when calculating the payment. The detecting controls have also failed. For example, it could be the payroll manager’s job to review and approve the payments for the month. The incorrect pay is evidence of a control exception or deviation because if the controls had been designed and executed correctly the incorrect pay would not have occurred, or would have been detected and corrected before the auditor found it. 8.25 IT controls – password The client company assigns each new employee a user profile and password for the computer system. The first time the new employee logs onto a company desktop computer, they are automatically forced to change their password. Passwords must be changed every 30 days. Required Explain what type of control the above information describes. Discuss its strengths and weaknesses. The control described is an IT general control. The login and password system is a logical access control preventing unauthorized personnel from having access to the computer system. The login details would normally be linked to a level of access, for example a senior manager would have greater access than a junior staff member. The login details would also be linked to specific functions within the computer system. For example, a staff member in sales would not have access to personnel records even if the person was a senior member of the sales team. Login and password controls prevent staff from accessing certain areas and introducing errors, so is a prevent control. It is a strong system to force the staff member to change the password on the first login because this reduces the risk that others can know the password and use it, © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.9 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e because the staff member chooses their own password. Changing the password every 30 days is also an advantage because it reduces the risk that others will get to know the password and be able to use it because they would have to know the new password. There is no information about whether the staff member can reuse old passwords, or whether the password must satisfy certain criteria (such as using a mix of numbers or letters) to make it a stronger password. A weakness with passwords is that some staff do not keep them secret (for example, they might share the password with others, leave it on display, use obvious passwords such as the name of their favourite sport team, use the same password for different applications, etc.). 8.26 IT controls - suppliers Within the client’s IT system, supplier information is contained in a supplier master file (SMF). Each supplier has a unique supplier code. If the purchasing clerk attempts to place an order from a supplier not in the SMF, the order cannot be processed. To avoid delays in processing orders, the purchasing clerk has access to the supervisor’s password, which allows the clerk to allocate a supplier code to new suppliers. Required Explain what type of control the above information describes. Discuss its strengths and weaknesses. The control is a transaction control. Specifically it is an IT application control. The purpose of the control is to prevent errors because the order cannot enter the system if the correct supplier code is not used. This prevents a clerk from either making an error with the code itself (such as recording 865 as 8655) or using a supplier that has not been authorised for use. It is not clear whether the supplier code is linked to the items being purchased. For example, if the clerk uses an incorrect but valid supplier code, will the system accept the purchase order? If item ABC is only to be ordered from supplier 865, and not from supplier 864, will the order be accepted if the item ABC is being ordered from supplier 864 (which is a valid supplier code)? If the suppliers are not linked to the items that may be ordered from them, there is the potential for some incorrect orders to be accepted into the system. Another potential weakness of the system is that there might be a delay between identifying a suitable supplier and getting the supplier approved and an approved supplier number issued and accepted into the system. It is probably for this reason that the clerk has obtained the password that allows the clerk to allocate a code to a new supplier. It is a control failure to allow passwords to be shared in this way. It means that the system will show that the new code was properly authorised, but it has not been because the supervisor has not necessarily seen the information and made a decision about using that supplier. A stronger control would require additional © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.10 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls evidence that the supervisor has agreed to add the new supplier (such as a document trail with signatures or additional authorisations). 8.27 Internal controls from prior year. The junior auditor on the engagement has suggested that, since there were no exceptions detected in previous years, no work on internal controls is required because last year’s evidence will be sufficient. The senior auditor accepts the suggestion because it is a good example of benchmarking. Required Explain why the junior auditor’s suggestion is not appropriate and outline what work is required. There are several reasons why using the work done in previous years would not be appropriate. The most likely are that conditions at the client have changed. For example, if the client has grown significantly from previous years the controls may no longer be suitable for the larger organisation. Other changes to the management or systems at the client could render the control system less effective than in previous years. Several controls could work together to create an effective control system, but one or more of the individual controls could have changed, creating a different level of overall control over the transactions. The auditor might have taken a substantive approach to the audit last year, and not placed much reliance on the control system. If the auditor wanted to adopt the lower assessed level of control strategy this year, there would be more testing of controls required than done in previous years. If the auditor wanted to adopt a mainly substantive approach this year, the auditor must still gain an understanding of the current system of controls. In all cases, the auditor must consider what work is to be done on the controls this year, regardless of the level of work done in previous years. The suggestion is not a good example of benchmarking because there is no assurance that the application has not been changed or modified since the last test of the application control. The auditor would need to gather evidence to support any carry forward of reliance on the control. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.11 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e 8.28 Prevent controls Nebraska Industries manufactures and wholesales small tools. It sells the tools to a large group of regular customers and makes most sales by telephone to this group. Additionally, it receives orders online by its sales team who sign up new customers within the sales area. In the past, Nebraska Industries has had trouble with customers who do not pay their accounts on time. Despite instructing the sales team not to make sales to customers before their creditworthiness has been assessed, sales are still being made to new customers before their limits have been set and to existing customers beyond their credit limit. Also, the economic recession has started to affect its customers, and Nebraska’s management is concerned about the possibility of increasing bad debts. Required (a) What sort of prevent control could be used to deal with the problems faced by Nebraska Industries? Explain how the control would work. (b) Assume the prevent control is implemented, and during this year there have been no sales to customers that have taken any customer beyond its credit limit. What are two possible explanations for this that the auditor must consider? (c) If an auditor finds two sales transactions during the year that are in excess of a customer’s credit limit at the time of the sale, what conclusion would the auditor draw from this evidence? What other evidence could the auditor consider before concluding that the prevent control has failed. (a) Prevent controls would be designed to stop sales being made to non-creditworthy customers. For example, the software would not allow a sale to be made until the credit manager has approved the sale on credit, or the software could require a credit check authorisation number to be included in the sale transaction. The system could require all new customers to be approved before a debtor account can be opened, and the account has to be open before a sale can be processed to that customer. The system would prevent a sale being made if the sale took the account balance beyond the approved credit limit, unless authorised by the credit manager. (b) The auditor observes that no credit sale has been processed which takes a customer over its credit limit. The two possible explanations are: (1) the prevent control is working effectively, (2) no customer has tried to purchase items which take it over its credit limit. In the second case, there is no evidence that the prevent control is working or not working, because it was not triggered. (c) The transaction could have been authorised by the credit manager (or other senior manager). The authorisation could be because the client has security for the debt. However, the authorisation could be inappropriate and be a case of management override of the control. That is, the manager has overridden the prevent control to make a sale for reasons such as receiving a kick-back from the customer, disregard for company policy against such sales, an effort to reach sales targets in the department etc. The auditor would consider whether there was evidence of higher level authorisation of the transactions, such as reading board minutes, reading correspondence or memos between the managers, reading the customer file for © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.12 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls evidence of security for the debt, making enquiries of the relevant sales managers. The auditor would also consider if other similar transactions (same sales manager, same client, same product etc.) are being processed correctly, or if there is evidence of other sales in excess of credit limits being prevented. 8.29 Testing bank reconciliation controls You are testing the controls over bank accounts for your audit client, Orleans Ltd. You note that the responsibility for bank reconciliations has changed due to a corporate reorganisation halfway through the current financial year. Both the staff member performing the bank reconciliations and the supervisor have changed. You are able to talk to only the current staff member and supervisor because the other staff took voluntary redundancies and left the client’s employment six months ago. Required (a) What techniques are available to you to gather evidence about the bank reconciliations? Explain how you would use each technique and comment on the quality of the evidence obtained from each. (b) When you ask the employees responsible for bank reconciliations about how they perform the reconciliations there is a possibility that they will not tell the whole truth about their performance of the reconciliations. Given this, will you bother to ask them? Explain. (c) Explain the impact of the staff changes on your controls testing program. (a) The most reliable evidence would be gathered by re-performance of a sample of bank reconciliations. The auditor could judge if all items were dealt with appropriately. In addition, completed bank reconciliations can be inspected for evidence of identification of errors and follow-up. The least reliable evidence would be obtained from observing client staff complete a bank reconciliation or by making enquiries of the client staff (because these procedures would not provide reliable evidence about the bank reconciliation performance at earlier periods when different staff were involved). (b) The auditor would approach discussions with client staff with professional scepticism. This means that the auditor does not assume the client’s staff are lying, but the auditor has a questioning mind, being alert to conditions which may indicate possible errors or fraud. The auditor makes a critical assessment of any statements by the staff. For example, do the statements make sense given what the auditor knows about the client and in the context of other evidence gathered? What other evidence could be obtained to support the statements? How much would the auditor expect the staff to know about bank reconciliations performed by other staff at other periods? The auditor cannot assume that staff would lie and not ask them about the audit, but the auditor cannot rely on staff statements alone. (c) The staff changes impact on the controls testing program because the auditor would require evidence that the performance of bank reconciliations was similar in different periods. The auditor would be careful to obtain evidence about the © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.13 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e performance of the controls from each period. If there was any evidence that performance was poor during any sub-period, the auditor would seek to obtain additional evidence about control performance, or increase the substantive testing. In this case there is six month period since the staff left, during this period many changes could have occurred. 8.30 Inventory program controls Denver Drapers supplies custom-fitted curtains and blinds to retail customers. It has recently expanded to offer a wide variety of home decorating products through its six stores across the state. After some initial problems with stock control it installed a new automated inventory system in April this year. The system replaced another automated system that had been modified so often over the years that the auditor had advised Denver’s management that they did not regard it as reliable. That is, the auditor was unable to rely on the old system sufficiently to assess control risk for inventory as anything less than high. Required (a) Explain the normal process an auditor would expect to find in the client’s systems governing changes to computer programs. Why is an auditor concerned about program changes? (b) Denver Drapers’ financial year-end is 31 December. Does the auditor need to obtain evidence about the performance of the inventory control system from every month in the year or from a sample of months? Explain. (c) If the auditor conducts tests of the inventory controls at an interim date, is it appropriate to conclude that the controls also relate to the end of period date? Why? (a) The auditor would expect to find client documentation about the changes to computer programs. If the client made major changes to the computer programs (e.g. install a new system), the matter could be discussed at the board level. Other changes would be authorised by senior management, as appropriate. In all cases, there would be some level of authorisation of the changes, including complete documentation of the changes and their effects on the client’s reporting and operations. In addition to documenting the changes to the programs, the auditor would expect to find a log of the changes (including the staff involved, the changes, test data, copies of programs etc.). The auditor would expect to find some type of segregation of duties. For example, those making the computer changes would not also be those staff involved in maintaining accounting records. Auditors are concerned about program changes because they potentially introduce errors to programs. In addition, the changes could mean that the auditor is unable to rely on the results of any previous testing by the auditor of the computer system in the audit. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.14 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls (b) The financial reports for the year include the effects of sales and purchase transactions from the entire year. If the computer program is changed at any point during the year, the auditor must consider whether controls should be tested separately for the periods before and after the change. Evidence is not necessarily required from every month of the year, but there should be evidence from before and after the new system was installed in April. Inventory balances as at 31 December can be tested through the end of year stock-take procedures. (c) The results of the interim testing to the end of year inventory balance is appropriate if the testing was performed during the period after the installation of the new stock control system. However, as noted above, the total purchase and sales transactions also include pre-April transactions which were processed through the old system. The testing of these accounts should include evidence from pre-April dates. Questions 8.31 and 8.32 are based on the following case. MaxSecurity Limited (MaxSecurity) has been an audit client of Smith & Associates (S&A) for the past 15 years. MaxSecurity is based in Wollongong, where it manufactures high-tech armour-plated personnel carriers. MaxSecurity often has to go through a competitive market tender process to win large government contracts. Its main product, the small but powerful Terrain Master, is highly specialised and MaxSecurity only does business with nations that have a recognised, democratically elected government. MaxSecurity maintains a highly secure environment, given the sensitive and confidential nature of its vehicle designs and its clients. In September 2016, MaxSecurity installed an off-the-shelf costing system to support the highly sophisticated and cost-sensitive nature of its product designs. The new system replaced a system that had been developed in-house as the old system could no longer keep up with the complex and detailed manufacturing costing process that provides tender costings. The old system also had difficulty with the company’s broader reporting requirements. MaxSecurity’s IT department, together with the consultants from the software company, implemented the new manufacturing costing system. There were no customised modifications. Key operational staff and the internal audit team from MaxSecurity were significantly engaged in the selection, testing, training and implementation stages. The manufacturing costing system uses all of the manufacturing unit inputs to calculate and produce a database of all product costs and recommended sales prices. It also integrates with the general ledger each time there are product inventory movements such as purchases, sales, wastage and damaged stock losses. MaxSecurity’s end of financial year is 30 June. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.15 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e 8.31 Understanding types of controls In relation to the new manufacturing costing system, describe two automated application controls that MaxSecurity could be using. Automated application controls apply to the processing of individual transactions. These controls include edit checks, validations, calculations, interfaces and authorisations. For example: only authorised personnel would have access to the costing system – this would be controlled through log-on and password procedures. All transactions would have an appropriate level of authorisation, through input of an authorisation code by a senior manager (once transaction request is input, the manager’s computer would alert the manager to the transaction and request approval, then the transaction would be released for processing). Inventory movement transactions entered into the system would require input of an inventory part number which is checked against a master file before the transaction is allowed to proceed. 8.32 Assessing control testing results Discuss the implications of finding evidence that the controls identified in question 8.31 are (a) effective, (b) not effective. Evidence that the controls are effective increases the auditor’s confidence in the controls and justifies the lower assessed level of control risk approach. Evidence that the controls are not effective means that the auditor needs to identify and successfully test alternative controls which prevent or detect the WCGWs, or increase the reliance on substantive testing. Specifically, in respect of suggested controls in 8.31: Non-authorised personnel access – a failure of this control would suggest that nonauthorised personnel are able to process transactions. This creates doubt about the validity of all transactions and would be a major control failure. Authorisation – transactions not authorised before entry, creating the possibility that unauthorised transactions have been processed. This is also a major control failure. Inventory part numbers checked against master file – failure of this control means that part numbers could be incorrect. Inventory movement transactions processed with incorrect part numbers could lead to incorrect stock balances in the accounting records. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.16 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls 8.33 Control testing results and documentation Amy Adams, the audit senior, is reviewing the working papers written by the audit assistant on the audit of Virginia Creepers, a garden nursery and retailer of garden accessories. Amy reads the following description of the results of testing of inventory controls written by the audit assistant: Stock controller advises that no changes have been made to the inventory programs during the current financial year. There are no documents on file authorising program changes so I conclude the stock controller’s statement is true. Stock controller also advises that management did not attempt to override any controls relating to inventory. There are no memoranda or emails from management on file instructing the stock controller to go against procedures, so I conclude the stock controller’s statement is true. The audit assistant concludes that the inventory controls have not been changed or overridden during the financial year, so the results of the interim testing of controls can be relied upon. Required (a) Examine the statements by the audit assistant. What deficiencies in the testing can you identify? (b) If the results of testing one control show that the control is not effective, does the auditor have to increase substantive testing? What other options are available to the auditor? (c) Explain why it is important for the working papers to be completed with sufficient detail for another auditor to understand what has been done. Make a list of the parties who might review the documents. (a) The audit assistant is incorrectly interpreting an absence of evidence of an event as evidence of the absence of the event. There is no evidence of any program changes or overrides, but only limited testing has been done. The auditors need to gather direct evidence that there were no changes or overrides. The auditors will need to conduct further tests to verify the statements. (b) Other options available to the auditor include testing other controls that could perform the same function, that is, what other controls exist to prevent or detect the WCGW? Further, would failure of the control being tested necessarily lead to a potential material misstatement in the financial report? For example, is the control aimed at behaviour which does not impact on the financial reports (e.g. making sure that inventory is sorted correctly by colour on the shelves if not relevant to the financial report)? If the auditor concludes that the only controls relevant to preventing or detecting an error that is likely to result in a material misstatement in the financial report, the auditor would increase substantive testing. (c) Working papers (whether electronic or paper based) are used to provide instructions to audit staff and to record results of testing. As the working papers are completed, more senior staff review the results of the tests in order to assess the adequacy of the evidence. The audit opinion must be based on sufficient, appropriate © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.17 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e evidence. Ultimately, the audit partner must sign off on an audit report using the results recorded in the working papers as justification. Within the audit firm, other partners are often used to review the decisions reached to ensure quality standards are maintained. These other partners are not involved in the audit and must rely on the documentation to understand the nature, timing and extent of all testing, and the results obtained. The papers must be completed with sufficient detail to allow the review partners to reach a decision. Audit partners from other firms could also review the working papers to provide more independent testing of the audit quality as part of peer review programs within the auditing profession. Regulators, such as ASIC, will also review some audit working papers to monitor audit quality and write reports on the overall level of audit quality in the economy. Finally, the working papers could be used as evidence in legal disputes between auditors and their clients or other interested parties. 8.34 Technique for testing computerised controls The sales transactions at Colorado Park, a new audit client, are handled by a software application that is not supported by very detailed documentation. The audit partner requests the team to re-perform some controls to ensure that the software application controls are working as described by Colorado Park’s management. The audit software used by the audit team can access the data on the client’s files, allowing the use of standard audit procedures. Required (a) Give examples of controls over sales transactions that should be part of the software application. (b) How could the audit team test the controls in the client’s sales software application? (a) Sales transaction control examples: Rejection of transactions above a specific limit (to prevent incorrect data for sales amount). Inclusion of inventory item ID in sales transaction so that sales are automatically priced. Include customer number in sales transaction so that sales to customers who have exceeded their credit limit are rejected. (b) Possible tests include: Test data – the auditor prepares some data to process through the client’s computer system. The data would have valid and invalid types of transactions. The auditor would try to prepare enough invalid transactions to mimic all types of errors (e.g. if the client does not sell items with values greater than $1000, the auditor could prepare a transaction with $1,000,000 as the value to test if the client’s system will reject the transaction). Process the client’s actual transactions through another software package controlled by the auditor. The auditor would test if the output from the client’s software is the same as the output from the auditor’s software. This would © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.18 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls 8.35 require the auditor to have software that would be similar enough to the client’s systems. Interrogation software – the auditor would have special software to interrogate the client’s systems to request reports of transactions with certain parameters. The audit software could also search for evidence of changes, which could be unauthorised, made to the client’s software. The audit software could also search for certain likely problems with client software. Payroll controls The audit senior on the audit of Frankel Factors is preparing the audit plan for the year ended 30 June 2017. The following notes relate to the payroll application system that went live on 1 January 2017. 1. The new payroll application is more complex than the old system, but its reporting function provides more detail. For example, the new application calculates leave, superannuation, payroll tax and work cover expenses, as well as the corresponding accruals. 2. Due to the brief time available to implement the new system, the previous application ceased operation on 31 December 2016 and the new application went live on 1 January 2017 without running parallel with the previous application. Staff training and testing of the new application was limited. 3. Access to the master files is restricted to the payroll supervisor and her deputy. Access to transaction files is restricted to payroll staff who are responsible for the processing of fortnightly and monthly pay. Prior to the introduction of the new payroll application system, the payroll master and transaction files were kept in a separate database from the general ledger application. At the end of each month, the IT staff imported transaction data from the database into the general ledger. Management decided to upgrade the existing accounting system due to the frequent problems encountered by IT staff when importing data into the general ledger. Required (a) Based on the information above, explain two relevant concerns you may have about the payroll application’s integration with the general ledger application. (b) Describe one IT application control that would ensure the accuracy of the salaries and wages expenses transaction. (c) Describe one IT application control that would ensure the occurrence of the salaries and wages expenses transaction. (d) Design and describe in detail appropriate tests of control that you would use to satisfy yourself about the effectiveness of these internal controls. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.19 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e (a) The new system provides expenses and accruals for the accounting system, and thus any errors in its calculations can have a direct effect on the accounts. No testing prior to the new system going ‘live’. The auditor cannot review evidence of the system’s ability to operate in the same way as the old system (i.e. would the same data be generated under both systems). Limited staff training increases the risk that there will be errors in either the system and its financial data or the way it is interpreted and used by the client’s staff. (b) Accuracy is affected by the raw data and the calculations. Controls could be over the entry of data (e.g. hours worked, approved pay rates linked to the position classification, limits on total amounts calculated to prevent 10 hours being entered as 100 hours because the total would be over the approved limit), and over the calculations (e.g. reasonableness tests such as overall limits on total payments). (c) Occurrence relates to whether the payment is for hours actually worked, there would need to be a control that did not allow payment to be made until a supervisor had authorised the hours worked; controls to prevent duplicate payments (i.e. same worker paid twice for hours worked). There should be a reconciliation between payments made and recorded in the general ledger with records of hours worked via the payroll report. (d) Tests of controls could include use of dummy data (feed in new data to determine if the controls prevented the payment if it was not authorised, feed in deliberately incorrect data, such as duplicate payments); gathering documentary evidence of approvals of hours worked; reconciling hours worked for a pay period with total payments made that period; seeking documentary evidence for supervisor reviews of salary payments etc. An example of a control test: Client name: xxxxx Year end: 31 December 2013. Working paper: Payroll control testing Purpose of test: The purpose of this test is to verify that the payroll reconciliation control for hours worked with overall payments is adequately designed and implemented for the 12 months ending 31 December 2013. Work to be performed: Select two payroll reconciliations from different months, tie the total payments as per the general ledger to the payroll report, and the payments on the payroll report with the approved hours worked, tie the payments listed on the payroll report to the bank statement, and vouch all differences between the payroll report and the approved hours worked, and payroll report with general ledger and bank statement greater than 10% to supporting documentation to ensure valid reconciling items and that the reconciliation has been performed correctly. Ensure the reconciliation has been prepared and reviewed on a timely basis. Findings/results of testing: Conclusion: Prepared by: P1.1 Reviewed by: © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) Index: 8.20 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls Questions 8.36 and 8.37 are based on the following case. Chan & Partners Chartered Accountants is a successful mid-tier accounting firm with a large range of clients across Australia. During the 2017 year, Chan and Partners gained a new client, Medical Services Holdings Group (MSHG), which owns 100 per cent of the following entities: Shady Oaks Hospital, a private hospital group Gardens Nursing Home Pty Ltd, a private nursing home Total Cancer Specialists Limited (TCSL), a private oncology clinic that specialises in the treatment of cancer. Year-end for all MSHG entities is 30 June. You are an audit senior on the Shady Oaks Hospital engagement. Your initial review of the business has highlighted the following significant risks. 1. Payroll expense. Shady Oaks employs, in addition to its full-time staff, a significant number of casual nursing, cleaning and administrative staff. Overtime is often worked on weekends and night shifts due to a shortage of staff. Payment at overtime rates for standard weekend and night shifts has been a common occurrence. 2. Accounts payable. Shady Oaks also has a large number of suppliers for various medical supplies and drugs. Paying the supplier twice for the same purchase has been a continuing problem. 8.36 Prevent and detect controls For each of the accounts for Shady Oaks (1 and 2 above) identified to be a significant risk: (a) determine the key assertion at risk (b) describe a practical prevent internal control that would directly address the risk (c) describe a practical detect internal control that Shady Oaks could implement in relation to the risk. You may wish to present your answer in the form of a table as follows. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.21 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e In addition your business risk assessment procedures indicate there is a risk that payments to suppliers are made prior to goods being received. As part of your evaluation of the potential mitigating internal controls you note that accounting staff perform the following procedures. 1. A pre-numbered cheque requisition is prepared for all payments. 2. The details on the supplier’s invoice are matched to the appropriate receiving report. 3. The details on the supplier’s invoice and receiving report are matched to an authorised purchase order. 4. The cheque requisition is stapled to the authorised purchase order, receiving report and supplier’s invoice and forwarded to the appropriate senior staff member for review and authorisation. 5. The authorised cheque requisition, together with the supporting documents, is passed to accounts payable for payment. Account at risk a. Assertion at risk A. Payroll expense: overpayment of overtime Occurrence, accuracy B. Accounts payable: payments made twice to the same supplier occurrence b. Preventative internal control Use different codes for standard shifts and overtime hours; require special authorisation of overtime payments Require supplier and invoice code to be input at time of processing payment – system to reject duplicates; Cancel documents used to support payment to prevent reuse © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) c. Detective internal control Review of overtime payment reports Reconciliation of supplier accounts each month, detect debit balances or accounts with more payments than invoices 8.22 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls 8.37 Prevent controls (a) Identify the key assertion at risk for payables in relation to payments made prior to receipt of goods. (b) For the control procedures (1) to (5) above for payables: (i) Identify the key preventative internal control that directly addresses the risk of payments being made by Shady Oaks to its suppliers before the goods are received. (ii) Outline how your choice of the internal control in (i) will prevent payment to suppliers prior to receipt of goods. (iii) Design and describe in detail an appropriate test of control that you would use to satisfy yourself about the effectiveness of this internal control. (a) Payment to suppliers before goods are received creates the risk that the payment is for goods that may never be received, or not received in the relevant period at the price quoted. The assertions at risk are the occurrence of the payment of payables. The cheque has been drawn against the bank account, but the payment is not for a liability owing for goods purchased. (b) Requiring a receiving report before payment (with appropriately verified details of date, amount, unit price, total price and supplier) mitigates the risk of payment before receipt of goods. The receiving department will not prepare the receiving report until the goods are received. The senior staff member will review the package of documents for evidence of receipt, thus ensuring that the receiving report is included, and it matches the other documents. (c) I would review authorised packages of documents for evidence of the existence of the receiving report and verify that the details on the receiving report match the other documents (i.e. the number of goods received is the same as the number of goods on the supplier’s invoice and purchase order). © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.23 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e Case study – Cloud 9 Answer the following questions based on the information presented for Cloud 9 in the appendix to this text and the current and earlier chapters. You should also consider your answers to the case study questions in earlier chapters. Effective internal controls at the transaction level are designed to prevent or detect material misstatements that could occur within the flow of transactions. In the case study assignment in chapter 6, you were required to identify potential misstatements and affected financial report assertions within the wholesales sales to cash receipts process. Required (a) Use your worksheet from the case study assignment in chapter 6 to complete this part of the assignment. In column four, include the transaction-level internal controls Cloud 9 has implemented to prevent and/or detect potential errors. (b) In designing the audit strategy, auditors should consider the effectiveness of the client’s internal control structure, thereby determining the control risk. An auditor should perform a preliminary assessment of control risk to give confidence to take a controls-based approach to the audit strategy. A controlsbased strategy is one in which the internal controls of a significant process are tested and proven to be effective and, therefore, can be relied upon to reduce the level of substantive testing needed. If internal controls are tested and proven to be operating effectively, the auditor can reduce the control risk of the related financial report assertion. This method of testing and proving controls can reduce the substantive procedures to be performed or allow substantive testing to be performed prior to year-end. When designing control tests, consider whether there will be sufficient evidence that the control: operated how it was understood to operate was applied throughout the period of intended reliance was applied on a timely basis encompassed all applicable transactions was based on reliable information resulted in timely correction of any errors that were identified. Based on the preliminary assessment of Cloud 9’s control environment obtained in earlier procedures, the audit team has decided to test controls over the sales to cash receipts process. It is expected that there will be no deficiencies in the transaction-level internal controls. Josh has partially completed the testing for selected controls over the sales/receivables and cash receipts processes. He has asked you to complete the testing for him. All information has been provided by the client (refer to the appendix to this text). Document your findings on the workpapers Josh has started (see tables 8.4 and 8.5 below) and then conclude with your assessment on the overall effectiveness of the controls tested. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.24 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls Aim: To test selected controls over the sales and receivables process. Sample: We haphazardly selected 25 sales invoices from the entire year. Complete the following audit procedures: Match the quantities and products ordered on the invoices to the dispatch notes. If they match, mark all matching lines on both documents with the letter ‘A’. Check the dispatch notes for a signature by the customer. If a signature is present, mark the signature with a ‘B’. Check the invoice contains a passcode entered by the supervisor. If a passcode is present, mark the code with a ‘C’. Aim: To test selected controls over the cash receipts process. Sample: We haphazardly selected 25 working days from the entire year in order to test the reconciliation of daily bank receipts to trade receivables. Match the total amount of the bank receipts to the accounts receivable postings. If the amounts match, mark with a ‘D’ on both documents. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.25 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e (a) Controls: The first two columns below are taken from the solution to the Cloud 9 Assignment in chapter 6. The last column ‘Control’ is the solution to this exercise. Significant Process Sales/Accounts Receivable Process Potential Misstatements Control Credit memos are not issued or Credit memos > $10,000 are approved by recorded for returns on a timely receiving manager and finance director. All basis or at all. others are approved by receiving manager. Bar code scanners used to automatically record sales and returns. Duplicate/false sales transactions are recorded. Sales order automatically matched to dispatch note in Swift prior to shipment. Shipping supervisor enters passcode in Swift authorising each shipment. System generates draft invoice when dispatch note authorised by shipping supervisor. System automatically posts invoice to sales and AR sub-ledgers. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.26 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls Significant Process Potential Misstatements Control Sales/Accounts Receivable Process Invoice misstates the quantity of goods shipped or incorrect pricing. Draft sales invoices are agreed to dispatch notes signed by customers. Sale price taken from master price file. Sales order automatically matched to dispatch note in Swift prior to shipment. System generates draft invoice when dispatch note authorised by shipping supervisor. System automatically posts invoice to sales and AR sub-ledgers. Proper credit authorisation is not obtained for wholesaler transactions Credit limit check is automatically performed by system against customer master file Sales journal/sub-ledger is incorrectly posted or does not reconcile. System automatically posts invoice to sales and AR sub-ledgers. Unapplied cash receipts are reviewed weekly via the dummy account. Daily review of the unfilled sales order report. Sales transaction is not recorded upon shipment of goods. Draft sales invoices are agreed to dispatch notes signed by customers. Review of exception report listing shipments not yet billed. Sales order automatically matched to dispatch note in Swift prior to shipment. Signed dispatch note file checked regularly System generates draft invoice when dispatch note authorised by shipping supervisor. System automatically posts invoice to sales and AR sub-ledgers. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.27 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e Significant Process Potential Misstatements Control Sales/Accounts Receivable Process Sales transaction is recorded when Draft sales invoices are agreed to dispatch goods not shipped. notes signed by customers. Sales order automatically matched to dispatch note in Swift prior to shipment. System generates draft invoice when dispatch note authorised by shipping supervisor. System automatically posts invoice to sales and AR sub-ledgers. Cash Receipts Cash receipts are not recorded when received. Bank reconciliations are prepared and are reviewed timely. Direct banking receipts are reconciled to Accounts Receivable and reviewed/approved. Unapplied cash receipts are reviewed weekly via the dummy account. Cash receipts in foreign currencies incorrectly valued. Bank reconciliations are prepared and are reviewed timely. Cash receipts recorded differ from amounts deposited. Bank reconciliations are prepared and are reviewed timely. Direct banking receipts are reconciled to Accounts Receivable and reviewed/approved. Unapplied cash receipts are reviewed weekly via the dummy account. Cash receipts/transfers are recorded in wrong period. Bank reconciliations are prepared and are reviewed timely. Direct banking receipts are reconciled to Accounts Receivable and reviewed/approved. Unapplied cash receipts are reviewed weekly via the dummy account. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.28 lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls Significant Process Potential Misstatements Control Cash Receipts Duplicate postings of cash receipts are made to G/L Bank reconciliations are prepared and are reviewed timely. Unapplied cash receipts are reviewed weekly via the dummy account. Totals in cash receipts journal are incorrectly posted. Bank reconciliations are prepared and are reviewed timely. Direct banking receipts are reconciled to Accounts Receivable and reviewed/approved. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.29 lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e (b) Complete testing Cloud 9 Pty Limited Sales process – testing internal controls 31 December 2016 RESULTS Sales Invoice # 324874 1 2 325048 325324 3 325542 4 5 325987 326067 6 326845 7 327111 8 Date Customer Name 14/01/2016 David Jones – Bondi Junction 23/01/2016 Rin Tin Limited 7/02/2016 Rebel Sport – World Square 16/02/2016 Rebel Sport – Sunshine Coast 2/03/2016 Myer – Adelaide 10/03/2016 Dick’s Sports – Coffs Harbour 8/04/2016 Peacock Prospecting Limited 27/04/2016 Running Shop – Manly © John Wiley & Sons Australia, Ltd 2017 Sale Amount (exc GST) 645.87 Invoice Customer matches signature Dispatch present Note (B) (A) Dispatch Note # ✔ D00324874 Shipping Supervisor authorisation (C) ✔ D00325048 D00325324 ✔ ✔ D00325542 ✔ 675.28 367.96 ✔ D00325987 D00326067 ✔ 10,220.00 ✔ D00326845 ✔ 457.24 ✔ D00327111 ✔ 17,750.00 905.46 ✔ 517.32 ✔ ✔ 8.30 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) ✔ ✔ lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls For purposes of this case study, sample tests 9-19 have been removed. There were no exceptions noted in the results ✔ 20 332811 21 333410 22 334063 23 334104 24 25 13/10/2016 David Jones - Perth Rebel Sport - World 27/10/2016 Square ✔ D00332811 ✔ ✔ 723.72 ✔ D00333410 ✔ 4/11/2016 Myer – Brisbane ✔ 917.92 ✔ 752.20 ✔ D00334063 ✔ 229.48 335215 6/11/2016 Cross Country Sports Peacock Prospecting 12/12/2016 Limited, Geralton 336947 20/12/2016 Foot Locker - Pitt St 1,021.60 ✔ × ✔ D00334104 ✔ 1,192.14 ✔ D00335215 ✔ ✔ ✔ D00335947 A To complete this test, we agreed the sales invoice to the dispatch note, ensuring it was signed by the customer (B). C To complete this test, we reviewed the dispatch note noting the encrypted passcode symbol. As passcodes are not printed, our IT specialists will perform control testing around passcode entry and the generation of the dispatch note once entered. x It was noted on the dispatch note that a customer signature was not obtained. Upon discussion with the billing team, it was determined that the customer was called to verify receipt of the goods. This should have been noted on the dispatch note to prove that the goods were received and the control was performed properly. CONCLUSION With the exception noted in the testing above, we cannot conclude at this time that the control around matching the sales invoice to the dispatch note is working effectively. To be able to rely on this control, we would need to increase our sample size by another 15 (assuming no exceptions found). © John Wiley & Sons Australia, Ltd 2017 8.31 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e The control for the shipping supervisor's authorisation does appear to be working effectively. Cloud 9 Pty Limited Controls Testing - Cash Receipts Process 31 December 2016 RESULTS 1 2 3 4 5 6 7 8 Date 8/01/2016 18/01/2016 15/02/2016 27/02/2016 11/03/2016 19/03/2016 4/04/2016 22/04/2016 Total Posted to AR 12 548.45 299 587.37 17 486.82 27 456.24 15 836.08 8 012.74 48 753.91 89 687.45 Total Bank Deposit 12 548.45 299 587.37 17 486.82 27 456.24 15 836.08 8 012.74 48 753.91 89 687.45 © John Wiley & Sons Australia, Ltd 2017 Evidence of Review ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ 8.32 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) lOMoARcPSD|8624398 Chapter 8: Execution of the audit – testing of controls For purposes of this case study, sample tests 9-19 have been removed. There were no exceptions noted in the results 20 21 22 23 24 25 19/09/2016 8/10/2016 23/10/2016 12/11/2016 3/12/2016 19/12/2016 12,577.23 18,765.49 5,490.61 9,302.20 12,567.33 13,874.85 12,577.23 18,765.49 5,490.61 9,302.20 12,567.33 13,874.85 ✔ ✔ ✔ ✔ ✔ ✔ CONCLUSION Based on the results above, the control appears to be operating effectively throughout the entire period. © John Wiley & Sons Australia, Ltd 2017 8.33 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) lOMoARcPSD|8624398 Solutions manual to accompany Auditing: a practical approach 3e Research question Explain the differences between an audit of internal controls as required by section 404 of the US Sarbanes–Oxley Act 2002 and the testing of internal controls for the purposes of expressing an opinion on the financial report as mandated by ASA 315 (ISA 315). Refer to the standard and legislation in your answer. © John Wiley & Sons Australia, Ltd 2017 Downloaded by Parteek Singh (Parteek.singh30@gmail.com) 8.34
