Unit 7 - Performing Tests of Controls Flashcards

1
Q

There are seven steps associated with assessing control risk.

Explain step 1: Understand Entity-Level Controls

A

At this stage, the auditor conducts interviews throughout the organization to understand the strength of entity-level controls and to identify weaknesses at the entity level.

The auditor also wants to understand whether weaknesses are so pervasive as to offset strengths at a transaction level.

2
Q

There are seven steps associated with assessing control risk.

Explain step 2: Understand the Flow of Transactions

A

The auditor performs a system walkthrough to understand the flow of transactions and identify potential strengths and weaknesses at the transaction level.

3
Q

There are seven steps associated with assessing control risk.

Explain step 3: Identify What Can Go Wrong (WCGW)

A

The auditor uses their understanding of assertions to identify what can go wrong at the transaction level.

4
Q

There are seven steps associated with assessing control risk.

Explain step 4: Identify Relevant Controls to Test

A

Given the auditor’s understanding of entity level and transaction level controls, the auditor should identify key controls for each assertion.

5
Q

There are seven steps associated with assessing control risk.

Explain step 5: Determine Preliminary Audit Strategy

A

When internal control strengths are present at the assertion level, the auditor may want to follow a reliance strategy.

If internal control strengths are not present at the assertion level the auditor will follow a primarily substantive approach.

The auditor may have different strategies for different assertions for the same transaction class.

6
Q

There are seven steps associated with assessing control risk.

Explain step 6: Perform Tests of Controls

A

The auditor should test controls where the auditor plans a reliance strategy.

7
Q

There are seven steps associated with assessing control risk.

Explain step 7: Evaluate Evidence and Assess Control Risk

A

The auditor evaluates the evidence obtained from tests of controls.

If evidence shows that controls are strong, the auditor should document the finding and proceed with a reliance strategy.

If control tests do not support a finding of strong controls, the auditor might identify compensating controls and test those controls.

If control testing does not support the preliminary audit strategy, the auditor should revise his or her audit strategy.

8
Q

What are Preventive Controls?

A

Preventive controls are those applied to each transaction during normal processing that are intended to stop fraud or errors from occurring.

ex.
Assertion: Valuation and Allocation
WCGW: Sales occur that may not be collectible
Detective Control: The software application will not allow a sale to be processed if a customer has exceeded its credit limit.

If those who are responsible for processing the sales are able to override the credit limit control in the software, the control is not strong.

9
Q

What are Detective Controls?

A

Detective controls are those applied AFTER transactions have been processed to identify whether fraud or errors have occurred, and to rectify the fraud or errors on a timely basis.

Most companies design detective controls to ensure that if preventive controls are not effective, errors or fraud are detected and corrected on a timely basis.

ex.
Assertion: Completeness, Occurrence, Cutoff
WCGW: Cash is received but not recorded in the general ledger; payments are made but not recorded; cash receipts or cash payments are not real or not recorded on a timely basis
Detective Control: Bank reconciliation identifies unexpected outstanding items which are followed up.

The performance of reconciliations without following up on unusual items is not a control. The control is the follow-up.

10
Q

Detective controls are often accompanied by _________ evidence such as _____________ or _____________. This is in direct contrast to preventive controls, which tend to be ____________.

A

Detective controls are often accompanied by PHYSICAL EVIDENCE such as EXCEPTION REPORTS or MONTHLY RECONCILIATIONS. This is in direct contrast to preventive controls which tend to be DEPENDENT ON IT.

11
Q

Detective vs. Preventive Controls: Which is more likely for an auditor to identify as “key controls” to test and evaluate?

A

Detective controls are often accompanied by physical evidence such as exception reports or monthly reconciliations. Preventive controls are often driven by error messages that are part of the particular software used by the company, and therefore there is no physical evidence of the control. Often, a specialist with IT skills is required to audit ITGCs and IT application controls, depending on how sophisticated the client’s IT system is. Therefore, the auditor is more likely to identify DETECTIVE controls as “key controls” to test and evaluate.

12
Q

Example Scenario:

In February, a large group of employees were given a retroactive pay raise. When this payroll was processed, the software application produced an exception report. It turned out that some of the employees who were eligible for the retroactive payment had left the company and did not work during the affected payroll period. The IT application control checked to make sure that an employee actually worked during the period before processing the payroll for the time period.

What must occur for this to be a true detective control?

A

The financial controller had to personally approve payment of the retroactive payroll that was due to employees who did not work during the affected period.

The software identified a potential misstatement, and the manual follow-up also did its job.

13
Q

If, after an interview with the financial controller, an auditor discovers that the computerized payroll system checks to make sure each employee is on the master payroll file before the transaction is processed further, what must the auditor determine about this preventive control?

A

Who has access to change the master payroll file?

How does the client ensure the completeness and accuracy of the master payroll files?

14
Q

What are the 5 types of Tests of Controls?

A

Inquiry

Observation

Inspection of Physical Evidence

Reperformance

Various Data Analytics Techniques

15
Q

When would an auditor most likely perform observation and inquiry procedures on a control?

A

Inquiry and observation are probably most appropriate for observing segregation of duties. Some controls, such as segregation of duties, may or may not provide physical evidence, in which case the auditor must rely on observation and inquiry.

16
Q

Give an example of the package of evidence that is needed to test an IT application control that matches every sales invoice to an underlying bill of lading to ensure that revenue is properly recognized.

A

The package of evidence that supports an IT application control usually involves:

- Submitting test data to see that the application control functioned as designed.

- Testing the effectiveness of manual follow-up procedures to determine that items flagged as possible misstatements are cleared on a timely basis.

- Testing IT general controls to ensure that the application functions effectively over time.

17
Q

When there are multiple controls related to one assertion, which control will the auditor determine to be the key control to test?

A

The control most likely to ensure that fraud or error does not occur if other controls fail.

18
Q

Define the tolerable deviation rate.

A

The maximum rate of deviation from a prescribed control that an auditor is willing to accept and still use the planned assessed level of control risk.

19
Q

According to the AICPA Audit Sampling Guide, what is the range of tolerable deviation rate if the planned control risk is low?

A

2%-7%

20
Q

According to the AICPA Audit Sampling Guide, what is the range of tolerable deviation rate if the planned control risk is moderate?

A

6%-12%

21
Q

According to the AICPA Audit Sampling Guide, what is the range of tolerable deviation rate if the planned control risk is high?

A

11%-20%

22
Q

Why do auditors perform tests of controls more often when the expected deviation rate is very low?

A

If you expect a high rate of deviation in the population for a certain control, then why waste time testing the control only to find out you are right and the control fails at a high rate?

In this situation, it is more efficient for the auditors to take a primarily substantive strategy and focus on auditing transactions and account balances instead of testing controls.

23
Q

Define attribute sampling.

A

A sampling technique used to reach a conclusion about a population in terms of a rate (frequency) of occurrence.

24
Q

If the audit objective is to obtain evidence directly about a dollar amount being examined, the auditor is performing a _________ test, not a __________.

A

SUBSTANTIVE

TEST OF CONTROLS

25
Q

Define Benchmarking.

A

An audit testing strategy that can be used to allow evidence obtained in prior audit periods to support a conclusion about IT application controls in the current audit period.

26
Q

What are the three categories of IT controls?

A

IT General Controls

IT Application Controls

IT Output Controls

27
Q

Larger or Smaller:

The smaller the rate of deviation from the prescribed control procedure that the auditor can tolerate, the _______ the sample size.

A

Larger

28
Q

Larger or Smaller:

Higher levels of assurance dictate ______ sample size.

A

Larger

29
Q

Larger or Smaller:

The closer tolerable deviation rate and expected deviation rate are to each other, the _____ the sample size.

A

Larger

30
Q

Larger or Smaller:

The larger the population, the _____ the sample size.

A

Larger

31
Q

Larger or Smaller:

The larger the rate of deviation from the prescribed control procedure that the auditor can tolerate, the ______ the sample size.

A

Smaller

32
Q

Larger or Smaller:

Lower levels of assurance dictate ________ sample size.

A

Smaller

33
Q

Larger or Smaller:

The greater the amount of difference between tolerable deviation rate and expected deviation rate, the _______ the sample size.

A

Smaller

34
Q

Larger or Smaller:

The smaller the population, the _______ the sample size.

A

Smaller

35
Q

For public companies, if the results of the auditor’s testing show material weakness in internal controls, the auditor will report an _________ opinion on ICFR.

A

Adverse

36
Q

For public companies, if the results of the auditor’s testing show significant deficiencies in internal controls, the auditor will report a(n) _________ opinion on ICFR.

A

Unqualified

(significant deficiencies are considered not material but significant)

37
Q

For public companies, if the results of the Auditor’s testing show material weakness in internal controls, the auditor will report a(n) _________ opinion on ICFR.

A

Adverse

38
Q

For public companies, if the results of the Auditor’s testing show no deficiencies in internal controls, the auditor will report a(n) _________ opinion on ICFR.

A

Unqualified

39
Q

Which rate should be used when an auditor anticipates finding internal controls that do not function as planned in the population tested?

a) Expected rate of deviation

b) Actual rate of deviation

c) Tolerable deviation rate

d) Desired level of accuracy rate

A

a) Expected rate of deviation

The expected rate of deviation is the rate at which the auditor expects controls not to function as designed.

40
Q

Which type of relationship exists between the assurance level of internal controls and the size of the sample for testing?

a) Indirect

b) Direct

c) Uncorrelated

d) Inverse

A

b) Direct

The more assurance an auditor wants, the more representative a sample should be of the population.

41
Q

An auditor is reviewing purchase orders during tests of internal controls to provide reasonable assurance that material weaknesses do not exist.

Which level of testing is being used by this auditor?

a) Transaction

b) Entity

c) Financial statement

d) Monitoring

A

a) Transaction

Error or fraud related to significant accounts is likely a material misstatement, and testing for it is performed at the transaction level.

42
Q

Which type of control includes a comparison of budgeted versus actual expenses?

a) Management-level analysis

b) Reconciliations with follow-up

c) Performance indicator analysis

d) Application with manual follow-up

A

a) Management-level analysis

43
Q

An auditor is planning a test of internal controls and is using a planned control risk. The auditor must not move beyond the permitted maximum rate of deviation from a prescribed control during the process.

What is the maximum rate of deviation that should be accepted?

a) Tolerable deviation rate

b) Expected rate of deviation

c) Desired deviation rate

d) Actual rate of deviation

A

a) Tolerable deviation rate

This rate is the maximum rate of deviation where the auditor will still use the planned control risk.