Evaluate, Test and Report 2(d) Flashcards Preview

Flashcards in Evaluate, Test and Report 2(d) Deck (9):
1

When are Tests of Controls appropriate?

• Control(s) mitigates significant IT
• Tests of operating effectiveness of control(s) could provide basis for lowering assessed risk levels, enabling auditor to apply CAATs effectively and/or reduce substantive procedures
• Increasing probability that controls are going to be automated controls and entity will be relying on system to provide control structure
• Need to determine IT-related controls implemented properly and obtain audit evidence about operating effectiveness of controls

2

What are examples of tests an auditor performs to determine deployment and effectiveness of IT controls (ITGCs and/or app controls)?

• Inspection of:
- Change mgmt Policies
- Doc of change mgmt controls
- Log files of user access rights associated w/ new objects in production
- System-generated admin access rights list
• Observation of:
- Walk-through review of entity’s data center to observe physical and environmental controls, and orderliness of data center
- Automated controls performed for situations req'd per design of control
• Inquiry of:
- Interviewing personnel to determine if responsibilities regarding performance of control procedures are understood and person(s) capable of effectively performing control(s)
• Confirmation of:
- Performing function w/in an app (usually test environment) to confirm existence of automated control

3

For IT controls, what is the best standard to follow if controls are ICFR or are associated with FS?

- AT501, “Reporting on Entity’s IC Over Financial Reporting”

4

What are examples of AT501 engagements?

• Examine suitability of design of ICFR
• Examining design and operational effectiveness of ICFR (providing private company the equiv of AS5 audit for public company)
• Examine design and operational effectiveness of selection of entity’s ICFR
• Examine design and operational effectiveness of ICFR based on criteria established by 3rd party (reg agency, business partner)

5

What are CAATs?

- Computer-aided audit tools, or computer-assisted audit techniques
- Employment of computers and technologies to automate audit procedures or processes
- Primary advantage of CAATs is it evaluates 100% of population of transactions and not limited to examining samples
- Increases audit effectiveness
- Beneficial when certain analyses needed
- Useful in examining thresholds and cutoffs associated w/ approvals

6

What are 3 basic purposes of CAATs?

(1) To replace or supplement substantive procedures in audit plan
(2) To gain audit efficiencies or effectiveness
(3) To obtain value-add recommendations for mgmt or client

7

What are considerations to be made before using CAATs?

(1) Ensure data integrity
- At data extraction point, assurance that data extracted is EXACTLY data set on operational computer
- Use batch control total approach to data processing
(2) Ensure data integrity throughout process of testing and reporting
- Lock down spreadsheet data or use read-only (RO) data in CAAT tool

8

Describe some possible CAATs techniques:

• Compare or combine data from diff sources or financial and non-financial data
• Duplicates testing: payments, inventory sold, issued, or received, payroll checks
• Gaps testing: AR, sales invoices, checks, inventory tickets
• Matching: cross check master file w/ transaction file (vendors to disbursements, employees to payroll checks)
• Statistical sampling
• Cutoff: yr-end GL and JE, inventory transactions, test for dates or sequence numbers at yr end
• Examine thresholds and cutoffs associated w/ approvals: PO, dual approval, check approval

9

Describe some CAATs Tools:

(1) Simple Tools:
- Db queries, db report writers, electronic spreadsheets and spreadsheet plug-ins
- Simple tools useful for small data sets and simple procedures (extract suitable sample)
- Affordable and simple to use
- But susceptible to error, so steps s/b implemented to ensure data integrity both at data extraction and throughout testing usage of data
(2) Sophisticated Tools:
- ACL, IDEA, Arbutus and PanAudit
- Specialized testing, use of very large data sets