Flashcards in Evaluate, Test and Report 2(d) Deck (9):
When is Tests of Controls appropriate?
• Control(s) mitigates significant IT
• Tests of operating effectiveness of control(s) could provide basis for lowering assessed risk levels, enabling auditor to apply CAATS effectively and/or reduce substantive procedures
• Increasing probability that controls are going to be automated controls and entity will be relying on system to provide control structure
• Need to determine IT-related controls implemented properly and obtain audit evidence about operating effectiveness of controls
What are examples of tests auditor perform to determine deployment and effectiveness of IT controls (ITGCs and/or app controls)?
• Inspection of:
- Change mgmt Policies
- Doc of change mgmt controls
- Log files of user access rights associated w/ new objects in production
- System-generated admin access rights list
• Observation of:
- Walk-through review of entity’s data center to observe physical and environmental controls, and orderliness of data center
- Automated controls performed for situations req'd per design of control
• Inquiry of:
- Interviewing personnel to determine if responsibilities regarding performance of control procedures are understood and person(s) capable of effectively performing control(s)
• Confirmation of:
- Performing function w/in an app (usually test environment) to confirm existence of automated control
For IT controls, what is the best standard to follow if controls are ICFR or are associated with FS?
- AT501, “Reporting on Entity’s IC Over
What are examples of AT501 engagements?
• Examine suitability of design of ICFR
• Examining design and operational effectiveness of ICFR (providing private
company the equiv of AS5 audit for public company)
• Examine design and operational effectiveness of selection of entity’s ICFR
• Examine design and operational effectiveness of ICFR based on criteria established by 3rd party (reg agency, business partner)
What is CAATs?
- Computer-aided audit tools, or computer-assisted audit techniques
- Employment of computers and technologies to automate audit procedures or processes
- Primary advantage of CAATs is it evaluates 100% of population of transactions and not limited to examining samples
- Increases audit effectiveness
- Beneficial when certain analyses needed
- Useful in examining thresholds and cutoffs associated w/ approvals
What are 3 basic purposes of CAATs?
(1) To replace or supplement substantive procedures in audit plan
(2) To gain audit efficiencies or effectiveness
(3) To obtain value-add recommendations for mgmt or client
What are considerations to be made before using CAATs?
(1) Ensure data integrity
- At data extraction point, assurance that data extracted is EXACTLY data set on operational computer
- Use batch control total approach to data processing
(2) Ensure data integrity throughout process of testing and reporting
- Lock down spreadsheet data or use read-only (RO) data in CAAT tool
Describe some possible CAATs techniques:
• Compare or combine data from diff sources or financial and non-financial data
• Duplicates testing: payments, inventory sold, issued, or received, payroll checks
• Gaps testing: AR, sales invoices, checks, inventory tickets
• Matching: cross check master file w/ transaction file (vendors to disbursements, employees to payroll checks)
• Statistical sampling
• Cutoff: yr -end GL and JE, inventory transactions, test for dates or sequence numbers at yr end
• Examine thresholds and cutoffs associated w/ approvals: PO, dual approval, check approval