When is Tests of Controls appropriate?
- Control(s) mitigates significant IT
- Tests of operating effectiveness of control(s) could provide basis for lowering assessed risk levels, enabling auditor to apply CAATS effectively and/or reduce substantive procedures
- Increasing probability that controls are going to be automated controls and entity will be relying on system to provide control structure
- Need to determine IT-related controls implemented properly and obtain audit evidence about operating effectiveness of controls
What are examples of tests auditor perform to determine deployment and effectiveness of IT controls (ITGCs and/or app controls)?
• Inspection of:
- Change mgmt Policies
- Doc of change mgmt controls
- Log files of user access rights associated w/ new objects in production
- System-generated admin access rights list
• Observation of:
- Walk-through review of entity’s data center to observe physical and environmental controls, and orderliness of data center
- Automated controls performed for situations req’d per design of control
• Inquiry of:
- Interviewing personnel to determine if responsibilities regarding performance of control procedures are understood and person(s) capable of effectively performing control(s)
• Confirmation of:
- Performing function w/in an app (usually test environment) to confirm existence of automated control
For IT controls, what is the best standard to follow if controls are ICFR or are associated with FS?
- AT501, “Reporting on Entity’s IC Over
Financial Reporting”
What are examples of AT501 engagements?
• Examine suitability of design of ICFR
• Examining design and operational effectiveness of ICFR (providing private
company the equiv of AS5 audit for public company)
• Examine design and operational effectiveness of selection of entity’s ICFR
• Examine design and operational effectiveness of ICFR based on criteria established by 3rd party (reg agency, business partner)
What is CAATs?
- Computer-aided audit tools, or computer-assisted audit techniques
- Employment of computers and technologies to automate audit procedures or processes
- Primary advantage of CAATs is it evaluates 100% of population of transactions and not limited to examining samples
- Increases audit effectiveness
- Beneficial when certain analyses needed
- Useful in examining thresholds and cutoffs associated w/ approvals
What are 3 basic purposes of CAATs?
(1) To replace or supplement substantive procedures in audit plan
(2) To gain audit efficiencies or effectiveness
(3) To obtain value-add recommendations for mgmt or client
What are considerations to be made before using CAATs?
(1) Ensure data integrity
- At data extraction point, assurance that data extracted is EXACTLY data set on operational computer
- Use batch control total approach to data processing
(2) Ensure data integrity throughout process of testing and reporting
- Lock down spreadsheet data or use read-only (RO) data in CAAT tool
Describe some possible CAATs techniques:
- Compare or combine data from diff sources or financial and non-financial data
- Duplicates testing: payments, inventory sold, issued, or received, payroll checks
- Gaps testing: AR, sales invoices, checks, inventory tickets
- Matching: cross check master file w/ transaction file (vendors to disbursements, employees to payroll checks)
- Statistical sampling
- Cutoff: yr -end GL and JE, inventory transactions, test for dates or sequence numbers at yr end
- Examine thresholds and cutoffs associated w/ approvals: PO, dual approval, check approval
Describe some CAATs Tools:
(1) Simple Tools:
- Db queries, db report writers, electronic spreadsheets and spreadsheet plug-ins
- Simple tools useful for small data sets
and simple procedures (extract suitable sample)
- Affordable and simple to use
- But susceptible to error, so steps s/b implemented to ensure data integrity both at data extraction and throughout testing usage of data
(2) Sophisticated Tools:
- ACL, IDEA, Arbutus and PanAudit
- Specialized testing, use of very large data sets
-
Risk Assessment (a)9
-
Fraud Considerations12
-
Internal Controls & IT General Controls 115
-
Evaluate, Test and Report 1(a)(iii)13
-
Information Management and BI 3(b)10
-
Information Management and BI 2(b) - SAELC13
-
Fraud Considerations 212
-
Risk Assessment 310
-
Internal Controls & IT General Controls 2(b)(ii) - SDLC12
-
Information Management and BI 3(c)(i)12
-
Evaluate, Test and Report 1(b)-1(d) - SOC11
-
Evaluate, Test and Report 2(d)9
-
Information Management and BI 1(a)11
-
Random7
-
Information Management and BI 1(b)15
-
Information Management and BI 2(a)10
-
Information Management and BI 3(c)(iii) & 412
-
Information Management and BI 1(b) (Part 2)6
-
Internal Controls & IT General Controls 1 (Part 2)10
-
Internal Controls & IT General Controls 2(a)9
-
Internal Controls & IT General Controls 2(b)(iii) to 2(b)(vi)12
-
Internal Controls & IT General Controls 2(c) and 2(d)13
-
Internal Controls & IT General Controls 3 & CDLC8
-
Evaluate, Test and Report 1(a)(iv)5
-
Risk Assessment (b)10
-
Risk Assessment (c)(i) and (c)(ii)14
-
Risk Assessment (c)(iii) and (d)9
-
Evaluate, Test and Report 2(a)-2(c)15
-
Evaluate, Test and Report 1(a)(i)-(ii) and 411
