chapter-72746.ppt
-
Upload
faisalcsedu -
Category
Documents
-
view
216 -
download
0
Transcript of chapter-72746.ppt
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 1/65
McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved
Chapter 7
Auditing Internal Control over Financial
Reporting in Conjunction with an Auditof Financial Statements
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 2/65
7-2
Management Responsibilities
under Section 404
Section 404 of the Sarbanes-Oxley Act requires
managements of publicly traded companies to issue
an internal control report that explicitly accepts
responsibility for establishing and maintaining“adequate” internal control over financial reporting.
LO# 1
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 3/65
7-3
Management Responsibilities
under Section 404Management must comply with the following in order for its public accounting firm to complete an audit of
internal control over financial reporting.
1. Accepts responsibility for the effectiveness of the entity’s
internal control over financial reporting.
2. Evaluate the effectiveness of the entity’s internal control
over financial reporting using suitable control criteria.
3. Support its evaluation with sufficient evidence, including
documentation.
4. Present a written assessment of the effectiveness of the
entity’s internal control over financial reporting as of the
end of the entity’s most recent fiscal year.
LO# 1
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 4/65
7-4
Auditor Responsibilities under
Section 404The entity’s independent auditor must audit and report
on management’s assertion about the effectiveness of
internal control. The auditor is required to conduct an
integrated aud it of the entity’s internal control over
financial reporting and its financial statements.
LO# 2
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 5/65
7-5
Internal Control over Financial
Reporting Defined
Internal control over financial reporting is defined as a
process designed to provide reasonable assurance
regarding the reliability of financial reporting and the
preparation of financial statements in accordance with
GAAP. Controls include procedures that:
1. Pertain to the maintenance of records that fairly reflect the
transactions and dispositions of the assets of the company.
2. Provide reasonable assurance that transactions are
recorded in accordance with GAAP.
3. Provide reasonable assurance regarding prevention or
timely detection of unauthorized acquisition, use or
disposition of the company’s assets.
LO# 3
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 6/65
7-6
Internal Control Deficiencies
Defined A control deficiency exists when the design or operation of a control does not allow management or employees, in
the normal course of performing their assigned functions,
to prevent or detect misstatements on a timely basis.
A significant deficiency is a control deficiency, or
combination of control deficiencies, that adversely affects
the entity’s ability to initiate, authorize, record, process,
or report external financial data reliably in accordance
with GAAP such that there is more than a remotelikelihood that a misstatement of the entity’s annual or
interim financial statements that is more than
inconsequential will not be prevented or detected (AS2,
¶9).
LO# 4
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 7/657-7
Internal Control Deficiencies
Defined
A control deficiency may be serious enough that it is to
be considered not only a significant deficiency but also a
material weakness in the system of internal control. A
material weakness is a significant deficiency, or
combination of significant deficiencies, that results inmore than a remote likelihood that a material
misstatement of the annual or interim financial
statements will not be presented or detected (AS2, ¶10).
As illustrated on the next slide, the auditor must consider
two dimensions of the control deficiency: likelihood
(remote or more than remote) and magnitude (material,
consequential, or inconsequential).
LO# 4
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 8/657-8
Internal Control Deficiencies
Defined
Material
Consequential
Inconsequential
Remote More than remote
Material
weakness
Significantdeficiency
Insignificant deficiency
L I K E L I H O O D
M
A
G
NI
T
U
D
E
LO# 4
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 9/657-9
Management’s Assessment
Process
Management must:
1. Design and implement an effective system of internal
control. This process involves determining whether a
necessary control is missing or an existing control is notproperly designed.
2. Develop an ongoing assessment process for the internal
controls in place. Management must assess the likelihood
that failure of a control could result in a misstatement.
3. Management must decide which business units to include in
the assessment process.
LO# 5
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 10/657-10
Management’s Documentation
Management must develop sufficient
documentation to support its assessment of the
effectiveness of internal control. This
documentation may take many forms, such aspaper, electronic files, or other media. It also
includes policy manuals, job descriptions,
flowcharts, and process models.
LO# 6
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 11/657-11
Framework Used by Management
to Conduct Its AssessmentMost entities use the framework developed by COSO.
This framework identifies three primary objectives of
internal control: (1) reliable financial reporting;
(2) efficiency and effectiveness of operations;
and (3) compliance with laws and regulations.
LO# 7
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 12/657-12
Performing an Audit of Internal
Control over Financial Reporting
Plan the engagement.
Evaluate management’s assessment process.
The auditor typically obtains his or her understanding of
management’s assessment process through inquiry of
management and others.
LO# 8
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 13/65
7-13
Performing an Audit of Internal
Control over Financial ReportingPlan the engagement.
Evaluate management’s
assessment process.
Obtain and document anunderstanding of internal control.
As part of gaining this understanding the auditor must:
1. Understand and assess
company-level controls.2. Evaluate the effectiveness of
the audit committee.
3. Identify significant
accounts.
4. Identify relevant financial
statement assertions.
5. Identify significant
processes and major classes of transactions.
6. Understand the period-end
financial reporting process.
7. Perform walkthroughs.
8. Identify controls to test.
LO# 8
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 14/65
7-14
Performing an Audit of Internal
Control over Financial ReportingPlan the engagement.
Evaluate the management’s
assessment process.
Obtain and document anunderstanding of internal control.
Evaluate the design effectiveness
of internal control.
Controls are effectively designed when they prevent or
detect errors or fraud that could result in material
misstatements in the financial statements.
LO# 8
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 15/65
7-15
Performing an Audit of Internal
Control over Financial ReportingPlan the engagement.
Evaluate the management’s
assessment process.
Obtain and document anunderstanding of internal control.
Evaluate the design effectiveness
of internal control.
Test and evaluate the operating
effectiveness of internal control.
In testing the effectiveness of controls, the auditor needs to
consider the nature, timing , and extent of testing.
LO# 8
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 16/65
7-16
Special Consideration:
Using the Work of Others
AS2 requires the auditor to perform enough of
the audit so that his or her own work provides
the principal evidence for the auditor’s opinion.
However, a major consideration for the external
auditor is how much the work performed by
others (internal auditors or others working for
management) can be relied on in adjusting the
nature, timing, or extent of the auditor’s work.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 17/65
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 18/65
7-18
Performing an Audit of Internal
Control over Financial ReportingPlan the engagement.
Evaluate the management’s
assessment process.
Obtain and document anunderstanding of internal control.
Evaluate the design effectiveness
of internal control.
Test and evaluate the operating
effectiveness of internal control.
Form an opinion of the
effectiveness of internal control.
The auditor should
evaluate all evidence
before forming an opinion
on internal control,
including (1) the adequacyof management’s
assessment, (2) the results
of the auditor’s evaluation,
(3) the negative results of
substantive proceduresperformed, (4) any control
deficiencies.
LO# 8
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 19/65
7-19
Written Representations
In addition to the management representations obtained
as part of a financial statement audit, the auditor also
obtains written representations from management related
to the audit of internal control over financial reporting.
Failure to obtain written
representations from
management, including
management’s refusal to
furnish them, constitutes a
limitation on the scope of the
audit sufficient to preclude an
unqualified opinion.
LO# 10
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 20/65
7-20
Auditor Documentation
Requirements
The auditor must properly document the processes,
procedures, judgments, and results relating to the audit
of internal control.
When an entity has effectiveinternal control over financial
reporting, the auditor should
be able to perform sufficient
testing of controls to assesscontrol risk for all relevant
assertions at a low level .
LO# 11
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 21/65
7-21
Reporting on Internal Control
Sarbanes-Oxley requires management’s description of internal control to include:
1. A statement of management’s responsibility for establishing
and maintaining adequate internal control.
2. A statement identifying the framework used by management toconduct the required assessment of the effectiveness of the
company’s internal control.
3. An assessment of the effectiveness of the company’s internal
control as of the end of the most recent fiscal year, including
an explicit statement as to whether internal control is effective.4. A statement that the public account firm that audited the
financial statements included in the annual report has issued
an attestation report on management’s assessment of internal
control.
LO# 12
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 22/65
7-22
The Auditor’s Report on Internal
Control over Financial Reporting
Once the auditor has completed the audit of internal
control, he or she must issue an appropriate report to
accompany management’s assessment, published in the
company’s annual report.
LO# 13
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 23/65
7-23
Types of Reports Relating to the
Audit of Internal Control
The auditor’s report contains opinions on two separate
items:
1) management’s assessment of the effectiveness of
internal control over financial reporting, and
2) the effectiveness of internal control over financial
reporting based on the auditor’s independent audit
work.
LO#
13 & 14
O#
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 24/65
7-24
Types of Reports Relating to the
Audit of Internal Control
Opinion
An unqualified opinion
signifies that the client’s
internal control is
designed and operating
effectively.
A qualified opinion isissued when there is a
limitation on the scope
of the auditor’s work.
A serious scope
limitation requires the
auditor to disclaim an
opinion.
An adverse opinion is
required if a material
weakness is identified.
LO#
13 & 14
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 25/65
7-25
Auditor’s Paragraph on
Internal Control
We also have audited, in accordance with the standardsof the Public Company Accounting Oversight Board(United States), the effectiveness of the Company'sinternal control over financial reporting as of December 31, 2005, based on criteria established in
Internal Control - Integrated Framework issued by theCommittee of Sponsoring Organizations of the TreadwayCommission (“COSO”), and our report dated February10, 2006, except as to the second, third and fourthparagraphs of Management’s Annual Report on InternalControl over Financial Reporting (as restated), which areas of January 19, 2007, expressed an unqualifiedopinion on management's assessment of, and anadverse opinion on the effective operation of, internalcontrol over financial reporting as of December 31, 2005.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 26/65
7-26
Internal Control Report
Report of Independent Registered Public Accounting Firmon Internal Control Over Financial Reporting
Board of Directors and ShareownersThe Coca-Cola Company
We have audited management's assessment, included in theaccompanying Report of Management on Internal Control Over Financial Reporting, that The Coca-Cola Company and subsidiariesmaintained effective internal control over financial reporting as of December 31, 2006, based on criteria established in Internal Control —Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (the COSOcriteria). The Coca-Cola Company's management is responsible for
maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financialreporting. Our responsibility is to express an opinion onmanagement's assessment and an opinion on the effectiveness of the Company's internal control over financial reporting based on our audit.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 27/65
7-27
Internal Control Report
We conducted our audit in accordance with the standards
of the Public Company Accounting Oversight Board(United States). Those standards require that we plan andperform the audit to obtain reasonable assurance aboutwhether effective internal control over financial reportingwas maintained in all material respects. Our auditincluded obtaining an understanding of internal control
over financial reporting, evaluating management'sassessment, testing and evaluating the design andoperating effectiveness of internal control, and performingsuch other procedures as we considered necessary in thecircumstances. We believe that our audit provides a
reasonable basis for our opinion.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 28/65
7-28
Internal Control Report A company's internal control over financial reporting is a processdesigned to provide reasonable assurance regarding the
reliability of financial reporting and the preparation of financialstatements for external purposes in accordance with generallyaccepted accounting principles. A company's internal controlover financial reporting includes those policies and proceduresthat (1) pertain to the maintenance of records that, in reasonabledetail, accurately and fairly reflect the transactions and
dispositions of the assets of the company; (2) provide reasonableassurance that transactions are recorded as necessary to permitpreparation of financial statements in accordance with generallyaccepted accounting principles, and that receipts andexpenditures of the company are being made only in accordancewith authorizations of management and directors of the
company; and (3) provide reasonable assurance regardingprevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a materialeffect on the financial statements.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 29/65
7-29
Internal Control Report
Because of its inherent limitations,internal control over financial reportingmay not prevent or detect misstatements.
Also, projections of any evaluation of effectiveness to future periods are subjectto the risk that controls may becomeinadequate because of changes inconditions, or that the degree of
compliance with the policies or procedures may deteriorate.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 30/65
7-30
Internal Control Report
As indicated in the accompanying Report of Management on
Internal Control Over Financial Reporting, management'sassessment of and conclusion on the effectiveness of internalcontrol over financial reporting did not include the internalcontrols of Kerry Beverages Limited (subsequently renamedCoca-Cola China Industries Limited), Brucephil, Inc., ApollinarisGmbH and TJC Holdings (Pty) Ltd. which are included in the
2006 consolidated financial statements of The Coca-ColaCompany and subsidiaries and constituted approximately6.1 percent of the Company's consolidated total assets as of December 31, 2006 and approximately 1.6 percent of theCompany's consolidated net operating revenues for the year then ended. Our audit of internal control over financial reporting
of The Coca-Cola Company also did not include an evaluation of the internal control over financial reporting of Kerry BeveragesLimited (subsequently renamed Coca-Cola China IndustriesLimited), Brucephil, Inc., Apollinaris GmbH and TJC Holdings(Pty) Ltd.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 31/65
7-31
Internal Control Report
In our opinion, management's assessment that
The Coca-Cola Company and subsidiariesmaintained effective internal control over financial reporting as of December 31, 2006, isfairly stated, in all material respects, based on
the COSO criteria. Also, in our opinion, TheCoca-Cola Company and subsidiariesmaintained, in all material respects, effectiveinternal control over financial reporting as of December 31, 2006, based on the COSO
criteria.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 32/65
7-32
Internal Control Report
We also have audited, in accordance with the
standards of the Public Company AccountingOversight Board (United States), theconsolidated balance sheets of The Coca-ColaCompany and subsidiaries as of December 31,
2006 and 2005, and the related consolidatedstatements of income, shareowners' equity,and cash flows for each of the three years inthe period ended December 31, 2006, and our report dated February 20, 2007, expressed an
unqualified opinion thereon.
Atlanta, GeorgiaFebruary 20, 2007
LO# 15
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 33/65
7-33
1. A title that includes the word “independent.” 2. An identification of management’s conclusion about the
effectiveness of the company’s internal control over
financial reporting.
3. A definition of internal control over financial reporting.4. A statement that the auditor planned and performed the
audit to obtain reasonable assurance about whether
effective internal control is maintained.
5. A statement that an audit includes obtaining anunderstanding of internal control, valuating management’s
assessment of testing the design and effectiveness of
internal control and any other procedures.
LO# 15
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 34/65
7-34
Elements of the Auditor’s Report
1. A title that includes the word “independent.”
2. An identification of management’s conclusion about theeffectiveness of the company’s internal control over financial reporting.
3. A definition of internal control over financial reporting.
4. A statement that the auditor planned and performed theaudit to obtain reasonable assurance about whether effective internal control is maintained.
5. A statement that an audit includes obtaining anunderstanding of internal control, valuatingmanagement’s assessment of testing the design andeffectiveness of internal control and any other procedures.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 35/65
7-35
Elements of the Auditor’s Report
6. A paragraph stating that internal control maynot prevent or detect misstatements becauseof inherent limitations.
7. The auditor’s opinion on whether management’s assessment of theeffectiveness of internal control is fairly stated.
8. The auditor’s opinion on whether the companymaintained effective internal control.
LO# 15
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 36/65
7-36
Types of Reports Relating to the
Audit of Internal ControlReport Modification Based on Control Deficiencies
Likelihood/Magnitude
of Misstatement
Type of
Audit Report
Inconsequentialdeficiency
Significant
deficiency
Material
weakness
Unqualified
opinion
Adverse
opinion
LO# 15
LO# 15
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 37/65
7-37
Types of Reports Relating to the
Audit of Internal ControlReport Modification Based on Scope Limitation
Reason for
Scope Limitation
Type of
Audit Report
Minor effect
Management imposed/
more than minor effect
Sever
limitation
Unqualifiedopinion
Disclaim
opinion or
withdraw
Qualified
opinion
LO# 16
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 38/65
7-38
Modifications to Unqualified Report
on Effectiveness of Internal Control
The auditor should modify the standard report if any of
the following conditions exists:
•There is a material weakness in the company’s internal control
over financial reporting.
•There is a restriction on the scope of the engagement.
•The auditor decides to refer to the report of other auditors as
the basis, in part, for the auditor’s own report.
• A significant subsequent event has occurred since the date
being reported on.
•There is other information contained in management’s report
on internal control.
LO# 17
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 39/65
7-39
Additional Required Communications
in an Audit of Internal Control over
Financial Reporting
The auditor must communicate in writing to management
and the audit committee all significant deficiencies and
material weaknesses identified during the audit (AS2).
This communication should be made prior to the issuance
of the auditor’s report on internal control over financial
reporting. In addition, the auditor should communicate to
management, in writing, all control deficiencies identifiedduring the audit and inform the audit committee when
such a communication has been made.
LO# 18
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 40/65
7-40
Integrating the Audits of Internal
Control and Financial Statements
An integrated audit is composed of the audits of internal
control and the financial statements. The control testing
impacts the planned substantive procedures. Also, the
results of the substantive procedures are considered inthe evaluation of internal control.
Tests of internal
control
Substantiveaudit
procedures
LO# 18
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 41/65
7-41
Effect of the Audit of Internal Control
on the Financial Statement Audit
When the auditor performs an integrated audit, he or
she will have access to a large amount of information
about the client’s controls. This information can make
the financial statement audit more efficient and resultin reduced substantive procedures.
Regardless of the level of control risk
in connection with the audit of the
financial statements, auditingstandards require the auditor to
perform some substantive
procedures for all significant accounts
and disclosures.
LO# 18
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 42/65
7-42
Effect of the Financial Statement
Audit on the Audit of Internal ControlThe effectiveness of the audit of internal controls should
lead the auditor to determine the implications of these
findings on the financial statement audit. The auditor’s
evaluation should include:
1. Misstatements detected.
2. The auditor’s risk evaluations in connection with the
selection and application of substantive procedures,
especially those related to fraud.3. Findings with respect to illegal acts and related party
transactions.
4. Indications of management bias in making accounting
estimates and in selecting accounting principles.
Ad d M d l 1 S i l
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 43/65
7-43
Advanced Module 1: Special
Considerations for an Audit of
Internal Control
Special considerationby management
and the auditor
Using the work
of others.
Multilocations
and business
units.
Service
organizations.
Safeguarding
assets.
LO# 9
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 44/65
7-44
Using the Work of Others
In determining the extent to which the auditor may use
the work of others, the auditor should:
• Evaluate the nature of the controls
subjected to the work of others.
• Evaluate the competence and
objectivity of the individuals who
performed the work.
•Test some of the work performed by
others to evaluate the quality and
effectiveness of their work.
Testing Multiple Locations or
LO# 19
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 45/65
7-45
Testing Multiple Locations or
Business Units
Is unit individually
important?
Are there specific significant
risks?
Are there units that are not
important even when
aggregated?
Are there documented
company-level controls over
this group?
No
No
No
No
135 Evaluate documents and test
controls over significant accounts at
each location.
15 Yes
130 Evaluate documents and test
controls over specific risks.
5 Yes
No further action required.70
60 Yes
Evaluate documents and test
company-level controls over group.
Some testing of controls at
individual locations.
Yes
Total number of units = 150
LO# 20
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 46/65
7-46
Use of Service OrganizationsMany companies use service organization to
process transactions. If the service organization’s
services make up part of a company’s information
system, then they are considered part of the
information and communication component of thecompany’s internal control over financial report.
Thus, both management and the auditor must
consider the activities of the service organization.
LO# 20
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 47/65
7-47
Use of Service Organizations
Management and the auditor should perform thefollowing procedures with respect to the activities
performed by the service organization:
(1) obtain an understanding of the controls at
the service organization that are relevant to theentity’s internal control and the controls at
the user organization over the activities of
the service organization and
(2) obtain evidence that the controls whichare relevant to management’s assessment
and the auditor’s opinion are operating effectively.
LO# 21
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 48/65
7-48
Safeguarding of Assets
Safeguarding of assets is defined as policiesand procedures that “provide reasonable
assurance regarding prevention or timely
detection of unauthorized acquisition, use or disposition of the company’s assets that could
have a material effect on the financial
statements.”
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 49/65
7-49
Advanced Module 2:
Computer-Assisted Audit Techniques
Computer-assisted audit techniques include:
• Generalized audit software packages.
• Custom audit software.
• Test data.
Other techniques include parallel simulation,
integrated test facility, and concurrent auditing
techniques. These are discussed in advanced
IT auditing books.
G li d A dit S ftLO# 22
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 50/65
7-50
Generalized Audit Software
Function Description
File or data accessReads and extracts data from aclient's computer files or databases
for further audit testing.
Selection operators
Select from files or databases
transactions that meet certain
criteria.
Arithmetic functions
Perform a variety of arithmetic
calculations (addition, subtraction,
and so on) on transactions, files, and
databases.
Statistical analyses Provide functions supporting varioustypes of audit sampling.
Report generationPrepares various types of documents
and reports.
LO# 22
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 51/65
7-51
Custom Audit Software
Custom audit software is generally written byauditors for specific audit tasks.
It may be required when the client’s computer
system is not compatible with the auditor’s
generalized audit software.
Custom software:
(1) Is expensive to develop.(2) Requires extended development time.
(3) Is limited in scope of functions.
T DLO# 22
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 52/65
7-52
Test Data
This is data developed by the auditor to test
the application controls in the client’scomputer programs. The technique can be
used to check
1.data validation controls and error detection routines,
2.processing logic controls,
3.arithmetic calculations, and
4. the inclusion of transactions in
records, files, and reports.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 53/65
7-53
Test Data
The objective of this method is to insure theaccuracy of the computer processing of
transactions.
This technique can be used to check:
1. Data validation controls and error detection
routines.
2. Processing logic controls.
3. Arithmetic calculations.
4. Inclusion of transactions in records, files, and
reports.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 54/65
7-54
Test Data
The main advantage of this method is that it provides
direct evidence of the effectiveness of controls in the
client’s application programs.
However, it has a number of potential disadvantages:
1. It can be very time consuming to create the data.2. The auditor may not be certain that all relevant
conditions or controls are tested.
3. The auditor must be certain that the test data are
processed using the client’s regular production
programs.
4. The auditor must be sure to remove the valid test
data from the client’s files.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 55/65
7-55
Integrated Test Facility
Auditor merges it data with client live data.
The advantage is that the auditor probably has
greater assurance that he/she is testing the
program(s) that the client actually uses.
The auditor must be sure to remove the test
data from the client’s files. If the auditor is
testing a payroll application, I would hate tohave the client pay social security and
Medicare taxes based on test data.
C t A i t d A dit
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 56/65
7-56
Computer-Assisted Audit
Techniques - Substantive Tests
Generalized audit software (GAS)
1. Can be used on a number of different computersand can access files with may differing file/record
formats.
2. Auditor does not have to have a completeunderstanding of the client's hardware andsoftware features.
3. Each different generalized software system has itsown characteristics which the auditor mustcarefully consider before using in a given auditsituation.
C t A i t d A dit
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 57/65
7-57
Computer-Assisted Audit
Techniques - Substantive Tests
Advantages of using computer audit software:
1. Can be used to access client data that is maintained on
client files, especially since some client data that is of
interest to the auditor may exist only temporarily and
only in machine-readable form.
2. Utilize the speed and accuracy of the computer.
3. Can deal effectively with large quantities of data.
4. Can reduce the auditor's reliance on client ITpersonnel.
5. Can produce (not always) efficiencies in the audit. This
is especially true where applications can be used in
ensuing years with little or no modifications.
C t A i t d A dit
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 58/65
7-58
Computer-Assisted Audit
Techniques - Substantive Tests
Types of audit tasks (tests) that may be performed
using computer audit software systems include:
1. Selecting and printing confirmations.
2. Selecting and printing audit samples For example, selecting a sample of inventory items
for the purpose of performing pricing tests.
3. Comparing data on separate files to determine if
the data agree For example, comparing theunits of measure on the perpetual inventory file
with the physical count file to see if they agree
for each inventory item.
C t A i t d A dit
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 59/65
7-59
Computer-Assisted Audit
Techniques - Substantive Tests
4. Summarizing and analyzing data For example,
footing the accounts receivable or perpetual
inventory files or aging accounting receivable.
5. Examining records for quality (i.e., completeness,consistency, valid conditions, etc.) For example,
determining all inventory accounts with zero or
negative unit cost amounts or customer records
for which accounts balances exceed credit limits.
6. Testing calculations and making computations
For example, recalculating extensions for
inventory items and comparing these with the
client's values per the inventory file.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 60/65
7-60
Computer-Assisted Audit
Techniques - Substantive Tests
7. Resequencing records on the computer For example, resequencing inventory itemson the inventory file by location in order to
facilitate test counts of a sample selectedfrom those items.
8. Comparing data on a computer file withdata obtained through other audit
procedures For example, comparinginventory test counts with the respectiveinventory quantities per the inventorymaster file.
U f Mi t
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 61/65
7-61
Use of Microcomputers as an
Audit Tool Microcomputer software has been developed to improve the
efficiency and effectiveness of the audit.
Many types of microcomputer audit software are available toaid in the performance of audit procedures that otherwise
would be performed manually.
Types of microcomputer software used on audits include thefollowing:
1. Electronic spreadsheets programs
2. Trial balance and workpaper generation programs3. Audit program and audit correspondence generator
programs
4. Engagement management programs.
5. Data retrieval and conversion programs
Potential Benefits of Using a
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 62/65
7-62
Potential Benefits of Using a
Microcomputer as an Audit Tool1. Time may be saved by eliminating manual footing,
crossfooting, and other routine comparisons.
2. Calculations, comparisons, and other data manipulationsare more accurately performed.
3. Staff morale and productivity may be improved by
reducing the time spent on clerical tasks such as footingand ticking.
4. The scope of analytical procedures may be broadened.For example, compute ratios or compute ratios for morethan just the current and prior years.
5. Calculating the results analytical procedures may bemore efficiently performed.
6. Graphics capabilities may allow the auditor to generate,display, and evaluate various financial and nonfinancial
relationships graphically.
Potential Benefits of Using a
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 63/65
7-63
Potential Benefits of Using a
Microcomputer as an Audit Tool
7. Facilitate audit sampling by determining optimum samplesize for required levels of precision and reliability andgenerating random numbers.
8. Prepare and revise flowcharts which depict the flow of transactions in a client's system.
9. Potential weaknesses in a client's internal accountingcontrol system may be more readily identified.
10. Allow easier creation of customized working papers.
11. Computer-generated working papers are generally morelegible and consistent.
12. Supervisory-review time may be reduced.
13. Client's personnel may not need to manually prepare asmany working paper schedules.
P t ti l B fit f U i
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 64/65
7-64
Potential Benefits of Using a
Microcomputer as an Audit Tool
14. Allow easier storing & accessing of working papers.
15. Generate and analyze engagement managementinformation such as time budgets and comparisons of actual time vs. budgeted time.
16. Assign personnel to engagements.
17. Allow easier generation of custom audit programs.
18. Allow easier generation and modification of standardizedaudit correspondence such as engagement letters, clientrepresentation letters, and attorney letters.
19. Allow access to and perform audit tests on client datathat are stored in computer files.
7/28/2019 chapter-72746.ppt
http://slidepdf.com/reader/full/chapter-72746ppt 65/65
End of Chapter 7