Control Assessment & Testing

advertisement
Control Assessment and Testing
1
Management Versus Auditor
Responsibility for Control
Management responsibility:
Management is responsible for
a) its control environment
b) accounting system
c) for establishing and maintaining a system of internal control
procedures
2
Internal Control
Internal control is defined as:
•
The process designed and effected by those charged with
governance, management, and other personnel to provide
reasonable assurance about the achievement of the entity’s
objectives
3
Management Versus Auditor
Responsibility for Control
External auditor’s responsibility:
•
Evaluating existing internal controls and assessing the risk of
material misstatement related to them.
4
General Categories of
Misstatements
1.
2.
3.
4.
5.
6.
7.
Invalid transactions are recorded.
Valid transactions are omitted.
Unauthorized transactions are executed.
Transaction amounts are inaccurate.
Transactions are classified incorrectly.
Transaction accounting is incomplete.
Transactions are recorded in incorrect period.
5
Reasons for Control Evaluation
The primary reason for conducting an evaluation of internal
control is to give the auditors a basis for determining
•
Examining the business processes provides a structure for the
auditor
6
Control Risk
The risk that the client’s internal control will not prevent or detect
material misstatement.
•
•
The auditor does not
The auditor’s task is to
7
Extent of IT Use
The extent of IT use needs to be considered in planning the
nature, extent and timing of audit procedures.
All aspects of a client’s computer processing should be
considered in determining the need for specialized IT skills.
8
How Control Risk Assessment
Affects the Audit Program
The control risk assessment will affect the procedures included in the
audit program.
For an entity with poor controls (as compared to an entity with good
controls):
•
The nature of tests
•
More testing will take place at year-end than at an interim date.
•
More evidence will have to be gathered
9
Control Objectives
There are seven control objectives.
•
Each control objective is intended to prevent a class of errors that
may lead to material misstatement.
Financial Statement Assertions
Objectives
Existence or
Occurrence
Completeness
Valuation
X
Rights and
Obligations
Presentation
and Disclosure
1.
Validity
X
2.
Completeness
3.
Authorization
4.
Accuracy
5.
Classification
X
6.
Accounting
X
7.
Proper period
X
X
X
X
X
X
X
X
10
Control Objectives and Financial
Statement Assertions
An auditor may determine that not all of the control objectives
are met for a particular account balance.
11
Phases of a Control Evaluation
The process of control evaluation takes place in three phases:
1.
2.
3.
Understanding control
Assessing control risk
Testing Controls
12
Audit Cost Trade-off
Generally, the more auditors can rely on good internal controls,
the less substantive work they need to do.
•
Auditor can opt not to rely on controls
•
Auditor can perform a complete evaluation of control
•
Auditor needs to determine the most efficient mix
13
Internal Control: Principles and
Concepts
•
The client’s system of internal is an important factor in an
audit engagement
•
The study of internal control often represents a significant
part of field work
•
We will examine:
1.
2.
Basic considerations
Meeting the second standard of GAAS
14
ST. CATHARINES: Former stock broker Stan Magda has been jailed for contempt of court for refusing to say what
happened to the $2 million his wife stole from the St. Catharines Standard.
Ontario Superior Court Justice Linda Walters sentenced the 59-year-old self described house husband to five says in
jail yesterday and gave him until Sep. 7 to account for the money his wife stole from her employer.
Lucy Magda, 62, was sentenced to 34 months in penitentiary last July for embezzling $2.2 million over a five-year
period while she was running the classified ad department at The Standard. She is now living in a half-way house in Dundas.
Once considered a trusted employee, she stuffed up to $6,000 a day in her handbag and covered her tracks by
destroying or doctoring the paper trail. She was caught and immediately fired in the spring of 1997 after a temporary
employee she had berated discovered discrepancies in the books.
She and her husband, who was no longer working, were both charged with theft related charges in1997. But the
charges against Stan were dropped in January 2004, after she pleaded guilty to theft over $5,000.
The St. Catharines Standard had earlier won a $2.3 million civil judgment that held the couple jointly responsible for
the missing funds. The case has dragged on in the courts for almost eight years with lawyers for the paper pressing the pair to
account for the money.
During the theft investigation, Niagara police found what s detective described as an “Aladdin's cave” of stolen booty
in the couple’s modest Thorold home. Police tallied about $1,170,000 worth of items, including hundreds of pairs of shoes and
rooms full of unworn clothing that still had price tags.
They also found about $470,000 in cash stashed in the house and several hundred thousands in numerous bank
accounts under aliases. Lucy had never earned more than $48,000 a year.
When asked about the money during pre-trial discoveries, Lucy told The Standard’s lawyer Peter Mahoney her late
father had won the $470,000 while gambling with his buddies in the 1960’s, according to court documents.
She said her father, who died in 1975, told her to keep the money in the house until it was sold. She also claimed her
dad had given her money to go shopping.
The Hamilton Spectator, Wednesday, June 22, 2005.
15
What is Internal Control?
•
Remember the second examination standard
•
CAS 315
The process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance
about the achievement of an entity’s objectives with regard to reliability of
financial reporting, effectiveness and efficiency of operations, and compliance
with applicable laws and regulations.
16
•
Two subdivision of internal control
1. Administrative controls
•
The procedures and records concerned with the decision
process
•
Also includes statistical analyses, time and motion
studies, performance reports, and quality controls
•
Some administrative controls do have an impact on
accounting records
17
2. Accounting controls
The procedures and records concerned with
•
safeguarding of assets
reliability of accounting records
1.
2.
•
Designed to provide reasonable assurance that:
1.
Transactions are authorized
2.
Transaction recorded in conformity with?
3.
Access to assets is authorized
4.
Recorded accountability for assets is compared to existing records
18
Management’s Objectives for
Internal Control
•
•
Managements responsibility
Objectives should include:
1.
Discharge of statutory
3.
Profitability and cost minimization
Prevention and detection of fraud and
4.
Safeguarding of
5.
Reliability of accounting
6.
Timely preparation of reliable financial information
2.
19
Internal Control Environment
•
A good internal control environment complements
prescribed control procedures
Should include:
•
1.
2.
3.
4.
5.
6.
7.
Management leadership
Organizational
Budgets and internal reports
Internal auditing
Reliable personnel
Sound practices
Company circumstances
20
Internal Accounting Control
Principles
•
Classified as preventative, detective, or corrective
•
Preventative controls are used prior to or during the
authorization, physical event, or recording of the
transaction
•
Detective controls are utilized after the transaction
has occurred or been recorded
21
Major Categories of Controls
1. Authorization Procedures
•
•
•
The purpose is to ensure that transactions are authorized
by management personnel acting within the scope of their
authority
Authorizations may be routine or non-routine
Authorization procedures are also important in limiting
access to
22
2.
Segregation of Duties
•
It is important for an entity to segregate the authorization of
transactions, recording of transaction, and custody of related assets.
•
Independent performance of each of these functions reduces the
opportunity for any one person to be in a position to both perpetrate
and conceal errors or fraud
•
Different departments and individuals
•
Small companies?
23
3.
Documentation Procedures
•
Provides evidence of occurrence
•
Signing or stamping documents
•
Prenumbered documents
•
Chart of accounts
•
Accounting procedures that relate to timely
processing
24
4.
Access to Assets and Records
•
Physical precautions
•
Data processing
•
Physical controls
•
Access controls
•
Backup and recovery
25
5.
Independent Internal Verification
•
Reviewing the accuracy and propriety of an employee’s
work by another employee
•
Who performs the task?
•
How often?
•
Errors and exceptions?
26
Meeting the Second Examination
Standard
•
A sufficient understanding of internal control should be
obtained to plan the audit. When control risk is assessed
below maximum, sufficient appropriate audit evidence
should be obtained through tests of controls to support the
assessment.
•
Reliance on internal control
•
If internal control is not tested, at what level is control risk
set?
27
Objectives and Scope of the Standard
•
Internal controls can change significantly from year to year
•
Why sufficient understanding of internal control?
•
Appropriate audit evidence
•
Relationship between reliance on internal control and the
amount of substantive audit work needed
28
Methodology for the Study of Internal Control
•
Two closely related parts:
1.
A review of the system
2.
Tests of controls
29
Planning Phase
•
The minimum study contemplated by the second
examination standard
•
General knowledge
•
At the conclusion, the auditor must decide, for each
major class of transactions, whether to continue or
terminate the review
30
Study Phase
•
The auditor obtains specific knowledge and understanding of
the client’s prescribed control procedures
•
Involves the following steps
1.
Gathering information
2.
Verifying the understanding
3.
Preliminary evaluation
1.
Gathering Information
•
How to obtaining the information?
31
•
Generally information is organized according to one of the
following approaches:
Transaction cycles
a)
a)
b)
c)
d)
Revenue Cycle
Acquisition & Payments Cycle
Inventory and Warehousing Cycle
Payroll Cycle
b)
Financial Statement classification
c)
Business function
32
Internal Control Questionnaires (ICQ’s)
•
A series of questions relating to control procedures required to
prevent and detect errors and irregularities
Campus Theatre
Internal Accounting Internal Control Questionnaire
December 31, 201X
CYCLE: Revenue
Control Procedure
Date: 9/8/201X
CLASS OF TRANSACTIONS: Cash Receipts
Yes
1. Are prenumbered tickets used and
subsequently accounted for?
X
2. Is there restricted access to rolls of unused
tickets?
X
3. Is a ticket machine used in issuing tickets?
X
4. Are tickets voided upon admission of patrons?
X
5. Is there segregation of duties between
issuance of tickets and admission of patrons?
X
6. Is there an independent daily cash count and
reconciliation with tickets issued?
X
7. Are cash receipts deposited in total daily?
Prepared by: ILA
No
X
Remarks
Deposited weekly
33
Flowcharts
•
Separate flowcharts are prepared for each major class of
transactions
Narratives
•
Written comments by the auditor about the system
34
2.
Verifying the Understanding
•
Reinforces the understanding of the information gathered
•
Transaction walkthrough
3.
Making a Preliminary Evaluation
a)
Rely on internal control?
b)
On which internal controls?
c)
Substantive auditing procedures necessary due to weakness in internal
control
35
•
When is internal control considered reliable?
•
When there is no planned reliance on a internal control procedure
•
Communication to management
•
A material weakness exists when there more than a relatively low risk
that error or fraud would have a material effect on the financial
statements
•
At what percentage?
36
Prepared by:ILA
Date: 9/10/201X
Campus Theatre
Preliminary Evaluation: Cash Receipts Transactions
December 31, 201X
Errors and Fraud
Necessary Control
Procedures Required
The Theatre’s Prescribed
Control Procedures
Planned
Reliance
Yes
1
2
3
4
5
Tickets may be issued without
accounting for cash
Prenumbered tickets
All tickets are prenumbered
and the theatre manager
accounts for tickets issued
X
Unused tickets may be stolen and
sold for cash
Physical control and
restricted access
Unused tickets are stored in a
safe. Only the manager has
access
X
Tickets may be issued out of
sequence and cash may not be
accounted for
Mechanical equipment for
issuing tickets
Ticket machines are used in
issuing tickets
X
Doorperson could resell tickets or
combine with cashier to resell
tickets and keep the cash
Mutilation of tickets upon
admission of patron
Doorperson tears tickets in half
when admitting patron
X
The cashier may collect cash and
admit patron without issuing ticket
Segregation of duties in
admissions
Cashier issues tickets and the
doorperson admits patrons with
tickets
X
No
37
Prepared by:ILA
Date: 9/10/201X
Campus Theatre
Preliminary Evaluation: Cash Receipts Transactions
December 31, 201X
Errors and Fraud
Necessary Control
Procedures Required
The Theatre’s Prescribed
Control Procedures
Planned
Reliance
Yes
6
7
Cash may be over or short due to
mistakes in making change
Independent daily cash
count and reconciliation
with tickets issued
Theatre manager makes a daily
cash count and reconciliation
All cash receipts may not be
deposited
Deposit total cash receipts
daily
Cash receipts are deposited
weekly
No
X
X
38
Tests of Controls
•
Performed in order to obtain reasonable assurance that the
controls expected to be relied upon are in use and operating
as planned throughout the period of reliance
1.
Nature of Test of Controls
Concerned with four questions:
•
•
•
•
•
Were the control procedures performed?
How?
By whom?
Throughout the period?
39
•
The failure to perform a required procedure or the failure to perform
it properly
•
CAS 315
•
Document inspection
•
Inquiry and observation
•
Reperformance
40
•
Assume that in the billing department, a second clerk must
independently verify the correctness of unit selling prices on invoices
by comparing the price to an authorized price list
•
What would be the evidence of this control?
•
In testing compliance by reperformance?
•
Each instance of the use of incorrect prices would be regarded as an
exception
2.
Extent and Timing
•
Throughout the accounting period being audited
41
•
An example of Tests of Controls
•
Campus Theatre cash receipts scenario
Campus Theatre
Audit Program
December 31, 200X
Tests of Controls: Revenue cycle
Working
Paper
Reference
Class of Transactions: Cash Receipts
Done by
Audit Procedure
Auditor
Date
1 Examine tickets for prenumbering. Six series of 100 throughout the year.
2 Observe storage of unused tickets and inquire about authorized access to the
safe. At interim and year-end.
3 Observe the use of ticket machines issuing tickets. At interim and year-end.
4 Observe the doorperson in admitting patrons and examine ticket receptacle
for mutilated tickets. At interim and year-end.
5 Observe segregation of duties between the cashier and the doorperson. At
interim and year-end.
6 Examine documentary evidence of daily cash counts and reconciliations
with tickets issued. One week, for each of six months.
42
Final Evaluation of Controls
•
On completion of the tests of
•
Nature of the Evaluation
•
Weaknesses affecting different classes of transactions do
not offset each other
•
The number of exceptions may be of such magnitude to
doubt that the control procedure can be relied on
43
•
The auditor should look at what was the underlying
cause of the exception
•
In some cases you might expect some exceptions
•
It is essential to attempt to see if the exception was
caused by an error
•
Fraud?
44
•
The Purpose of the Evaluation
•
To determine the extent to which the clients
controls can be relied on in performing substantive
tests
•
Three level of risk
•
Low
•
Medium
•
High
45
•
To what is the final evaluation directed?
•
Should be documented in the working papers
1.
Strengths
2.
Weaknesses
3.
Effects on substantive tests
4.
Communication to management
46
Prepared by:
ILA
Date: 9/15/200X
Campus Theatre
Evaluation of Internal Control Over Cash Receipts
December 31, 200X
Strengths
All of the controls on which reliance is planned were tested for compliance. These controls were found
to be functioning as planned. In my judgment, the control risk associated with these controls is low.
Weaknesses
Cash is deposited in the bank only once a week. This procedure is not satisfactory for good internal
control.
Effect on Substantive Tests
For controls in which control risk is low, the planned audit program should be implemented. For the
control over depositing cash, the substantive tests should be extended.
Management Communication
Indicate that the failure to deposit cash intact daily also makes cash vulnerable to theft. Suggest that
the manager make daily deposits using the banks night depository vault.
47
Determining Effects on
Substantive Tests
•
The second examination standard does not permit
complete reliance on internal control
•
The auditor relies on internal control to reduce
control risk, and substantive tests to reduce
detection risk
•
Reliance on internal control may affect the nature,
timing, and extent of substantive tests.
48
•
Nature
•
The type of auditing procedure to be performed
•
For the verification of sales transactions
•
For a low risk of errors in sales transactions as
demonstrated by tests of controls
•
For a high risk of errors
49
•
Timing
•
The time when the testing is done
•
When there is a low risk of errors in processing
sales transactions
•
When the risk of errors is high
50
•
Extent
•
The amount of substantive testing to be performed
•
When the risk of errors in processing sales
transaction is low
•
When the risk is high
51
Internal Control Letter to Management
•
GAAS
•
But it is important that the auditor communicate any
awareness of significant weaknesses in internal control to
management
•
Internal control letter
•
Communication should be made at the earliest practicable
date to the appropriate official
52
Problem 9-3, Page 368
Key Control, Control Test Evaluation
The auditor learns that the auditee has a control procedure in place that addresses the validity of sales and
existence of accounts receivable. When a truck driver picks up goods from the warehouse, the warehouse
employee has the driver sign a “shipper’s receipt” showing the quantities and item numbers shipped, and the
customer information. The shipper’s receipts are filed in date order in the warehouse office. A copy of the signed
shipper’s receipt is sent to the accounting office where it is used to record the reduction in inventory and issue a
sales invoice. The invoice number is noted on the shipper’s receipt and it is filed by invoice number in the
accounting area. Since the auditee has a large number of customers, the auditor decides that this control will be
tested.
Required:
a.
Why would the auditor decide this is a key control?
b.
What will the auditor achieve by testing this control?
c.
Design a control test the auditor could perform for this control procedure. Describe the two parts of the test
in detail.
d.
Assume the auditor performs a control test and finds the control procedure operated properly 95% of the
time. How does this evidence affect the auditor’s control risk assessment? What if the control operated 60%
of the time? 99% of the time?
53
Problem 9-6, Page 369
a. Sales recorded, goods not shipped.
b. Goods shipped, sales not recorded.
c. Goods shipped to a bad credit risk customer
d. Sales billed at the wrong price or wrong quantity.
e. Product line A sales recorded as Product line B.
f. Failure to post charges to customers for sales.
g. January sales recorded in December.
Control Procedures
1. Sales order approved for credit
2. Prenumbered shipping doc prepared, sequence checked
3. Shipping document quantity compared to sales invoice
4. Prenumbered sales invoices, sequence checked
5. Sales invoice checked to sales order
6. Invoiced prices compared to approved price list
7. General ledger code checked for sales product lines
8. Sales order batch totals compared to sales journal
9. Periodic sales total compared to same period accounts receivable postings
10. Accountants have instructions to date sales on the date of shipment
11. Sales entry date compared to shipping document date
12. Accounts receivable subsidiary totaled and reconciled to accounts receivable control account
13. Intercompany accounts reconciled with subsidiary company records
14. Credit files updated for customer payment history
15. Overdue customer accounts investigated for collection
54
Download