Flashcards in Evaluate, Test and Report 1(a)(iv) Deck (5):
What is SAS 94 (SAS 109)?
- Adoption of SAS 94, “The Effect of IT on Auditor’s Consideration of IC in a FS Audit” (SAS 94) addressed issues of control risk embedded in IT
- Basic IT consideration in SAS 94 was that auditor must gain understanding of how IT impacts system of IC, like SAS 109 did later (SAS 109-110 supersede SAS 94)
What are Key Principles under SAS 94 (SAS 109)?
(1) Need to audit systems more often
- “Not practical to restrict detection risk to acceptable level by performing only substantive tests”
- CAATs needed to test automated systems controls, and states when not appropriate to use CAATs
(2) Concept of sample size of one being sufficient to test automated control
- SAS 94 states sample size of one may be sufficient to gain assurance over effectiveness of certain automated controls
- Key factor in test of controls (ToC)
- PCAOB stipulate same principle in AS2
(3) Key statement about IT risk and control risk: level of IT risk is proportional to nature and complexity of IT in systems and not entity size
- Small size company w/ complex IT in systems and business processes has high IR revolving around IT
- PCAOB agrees w/ this concept in “AS5 Guidance”
What are 2 effective applications of the "Risk-Based Audit" (RBA) approach that auditors are required to do?
(1) Understand risks represented by IT and to link risks to FS assertions
(2) Incorporate IT risk assessment and IT control tests into audit plans
What is the primary objective of the Risk-Based Audit (RBA) Standards?
- To enhance auditors' application of audit risk model in practice by specifying, among other things:
• More in-depth understanding of entity and its environment including its internal control, to ID RMM in FS and what entity is doing to mitigate them
• More rigorous assessment of the RMM of the FS based on that understanding
• Improved linkage btwn assessed risks and nature, timing and extent of audit procedures performed in response to those risks