Webcast objective
Avoiding Common Pitfalls in Auditing Internal Controls
Slide 2
Identify key areas for improvement in evaluating the design and operating effectiveness of internal controls
Overview
Slide 3
Relevant to all controls-based audits
More than incremental improvement needed
Requires personal and team commitment
Improvement only comes with appropriate focus
Agenda
Slide 4
Evaluating the effective design of controls
Evaluating the operating effectiveness of controls
Evaluating control deficiencies
Leadership perspectives
Slide 6
Leadership perspectives
Slide 7
Foundation for our audits of financial statements
Primary evidence for our audits of ICFR
A core competency of every auditor
Up to date understanding of our methodology
Subject matter specialists for assigned areas
Consistent execution of evaluation of design and operating effectiveness of controls
Presenters
Slide 9
Slide 11
Major input and output sources
Relevant data files, documentation and records
Policies and procedures for authorization, segregation of incompatible duties, safeguarding of assets, information processing
WCGWs
Controls relevant to WCGWs and their description
Additional considerations for estimation SCOTs
Refer to S03_Documentation
Slide 12
Common pitfalls
Company's documentation is deficient
Required documentation elements not retained in workpapers
Important sources of information not identified and evaluated
Implications of third party service (and sub-service) organizations not evaluated
Unique classes of transactions/variations in processing not identified and evaluated
WCGWs and identified controls not reconsidered
Use of work of others inhibits our understanding of SCOTs
Flow of transactions, WCGWs and controls
Rolling GAMx file without updating WCGWs and controls
Starting the annual reassessment with walkthroughs rather than starting with SCOTs, FOTs and relevant WCGWs
Slide 13
Leading practices
Establish procedures to guide the annual reassessment process
Involve internal audit or others in the annual reassessment process
Set parameters and protocols for using the work of others
Reassess WCGWs and controls as a team
Incorporate up to date understanding of SCOTs and flow of transactions
Use Controls Review Tool (CRT) and Audit Strategy Review Tool (ASRT) to facilitate the reassessment
Slide 14
As part of evaluating design effectiveness of each control, we need to consider and document
Our understanding of how the control actually operates
Control appropriately addresses the WCGW
Control is capable of effectively preventing or detecting and correcting errors that could result in material misstatements
Control operates effectively throughout the period of reliance
Data subjected to the control is complete and reliable
Control is applied on a timely basis
Person performing the control possesses the necessary authority and competence
Slide 15
Additional considerations
Our ability to obtain sufficient evidence of operating effectiveness
Risk of management override
Identify the right combination of controls
Who performs, competence and authority?
When and how often is control performed?
What IT applications, data, reports or other files are used?
What physical evidence, if any, is produced?
How are misstatements prevented or detected and corrected?
Slide 16
Whether the controls, if they operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company's control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements (AS5, par. 42)
Common pitfalls
Distinguishing a control from the transaction process
Challenging the completeness and accuracy of underlying data used to perform the control
Documenting relevant attributes of the controls to support their effective design
Who, when, what and how of the controls
Management review/reconciliation controls
Evaluating the precision of the control
Slide 17
Transaction Process
Slide 18
Poor
Walkthroughs
Slide 19
Our understanding of the SCOTs is as we have documented them
Points where data is captured, transferred or modified
The accuracy of the information we have obtained about the relevant prevent and/or detect and correct controls over the SCOTs
Whether the controls have been designed effectively to prevent or detect and correct material misstatements on a timely basis
Whether the controls have been implemented
Tests of controls should address relevant attributes of each control to determine whether the controls are operating as designed
Control attributes are the characteristics of the design of the controls
Walkthroughs
Slide 20
Common pitfalls
Walkthrough documentation often needs improvement
Out of date, not always clear
Nearly non-existent for many nonroutine and estimation processes
Additional considerations for estimation SCOTs
Excessive carrying forward of documentation
Not thoroughly evaluating design effectiveness
Controls adequately address the WCGWs
Walkthrough each attribute of the control
Control performed by persons possessing the necessary authority and competence
Control is capable of effectively preventing or detecting and correcting errors that could result in material misstatements
Slide 21
Common pitfalls
Lose our institutional knowledge about SCOTs flow of transactions, WCGWs and controls
Not identifying and evaluating
Control risk assessments
Design of tests of controls
Nature, timing and extent (NTE) of substantive procedures
Unique classes of transactions/variations in processing
Changes in sources of input, processing procedures, personnel
Changes in controls over time
Slide 22
Consider
Refer to 21 June 2012 Audit Matters Improving how we use the work of internal auditors or others
Performing more of our own work in areas with higher risk of material misstatement and higher subjectivity
Requiring that our seniors or experienced staff participate with the internal auditors or others as they meet with entity personnel
Rotate the walkthroughs for which we use the work of internal auditors or others from year to year
Thoroughly review the work of others that is critical to our understanding
Don't accept documentation that is not complete and sufficient for our understanding
Slide 24
Common pitfall
The combination of inquiry, observation, inspection and reperformance provides better evidence of the design and operating effectiveness of controls
Failing to use an appropriate combination of testing methods when assessing the design and operating effectiveness of controls
Inquiry (did you do this control?)
Observation (I see your sign-off, so the control worked)
Reperformance (I tied out the same documents with no exception, so the control must have worked)
Slide 25
Risk that the control might not be effective and, if not effective, the risk that a material misstatement or, for an integrated audit, a material weakness would result
Consider
As risk associated with a control increases, the evidence that we need to obtain about the operating effectiveness of the control also increases
Inherent reliability of the control -- the risk that the control might not be effective
Importance of the control -- if not effective, the risk that a material misstatement or material weakness would result
Slide 26
Common pitfall
Need to obtain sufficient, appropriate evidence that controls are operating as designed
Direct evidence that controls operate effectively
Evidence that the person performing the control possesses the necessary authority and competence to perform the control effectively
Slide 27
Controls:
Audit procedures:
A: The BOD approves all acquisitions
B: All acquisitions are subject to due diligence procedures
C: Management's acquisition team calculates purchase price allocation and determines all intangibles are identified and properly valued
Obtained copies of all purchase agreements and statements
Audited purchase price allocation & verified entry was properly recorded
Utilized Valuation team to test completeness and valuation of intangible assets
Slide 28
Example:
ITGC environment: Ineffective
Control: The system performs a 3-way match before an invoice is paid
Select 25 transactions and verify invoice, shipping documents and purchase order match
Slide 29
Common pitfall
Control attributes are the characteristics that define the design of the control
Frequency of performance
Person responsible for performing the control
Inputs and underlying data
Precision or sensitivity of the control
Slide 30
Control
Control test
Obtained checklist and verified it was properly completed and signed off by the preparer and reviewer
Management performs a quarterly review of each alternative investment and completes a checklist to evidence their review
Slide 31
Control
The investment officer reviews the quarterly statements from investment managers and reconciles the investment assets by type to the balances in the investments ledger. Investment officer investigates all differences (reviews ledger history and/or contacts investment managers). Adjustments to resolve differences are reviewed and approved by the controller.
Reconciliation accurately performed by the investment manager as understood
Identification of all differences performed as understood
Adjustments to resolve differences prepared and reviewed as understood
Inquiries of investment officer and controls corroborate observations and inspection
Sample of assets support recording in the correct category
Slide 32
Common pitfall
Insufficient testing of management review and reconciliation controls, including:
Relevant attributes of the control
Precision, sensitivity
Completeness and accuracy of underlying data
Slide 33
Poor
The account reconciliation was completed timely, in accordance with policy
There were no material unreconciled items
All material reconciling items were supported
The preparer possessed appropriate level of competence and authority
The reconciliation was timely reviewed and approved
Slide 34
Common pitfall
Does control ever identify errors? Their nature? Examples?
Does the control trigger appropriate follow-up? In what circumstances? Examples?
What is nature of questions, follow-up and outcome?
Can we observe the review process?
Is there contradictory evidence indicating control is not sufficiently precise or sensitive to detect errors?
Slide 35
Ask
Have I performed procedures, beyond inquiry, to evaluate the precision of the control?
Does documentation support the conclusion that the review control is sensitive enough to prevent or detect material misstatements?
Procedures the auditor performs to test operating effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, inspection of relevant documentation, and re-performance of the control. (AS5, par. 45)
Does documentation reflect the mix of procedures performed?
Slide 36
Common pitfall
The effectiveness of the review control is dependent on the completeness and accuracy of the data supporting the control
Consider
Not challenging the completeness and accuracy of the underlying data used in the controls
Does the control rely on EAE? What was our evaluation of ITGCs?
Have we tied the data to underlying reports (e.g., subledgers, general ledgers, approved forecasts)?
Have we tested the underlying data (e.g., the AR aging in a control over the allowance for doubtful accounts)?
Slide 37
Common pitfall
Examples
Failing to design dual-purpose tests to demonstrate that relevant attributes of the control were evaluated and tested
Slide 38
Clerically test the reconciliation
Tie the reconciliation to the subledger and general ledger
Obtain support for significant reconciling items
Ensure there are not significant unreconciled differences
Risk: Work program does not identify procedures to test all relevant attributes of controls
Determine whether the reconciliation was:
Completed timely
Prepared by person with appropriate competence and authority
Reviewed and approved
Workpapers should evidence our testing of the relevant attributes of the controls in addition to the substantive procedures
Slide 39
Obtain, clerically test, and tie the company's quarterly warranty reserve calculation to the general ledger
Test the underlying data supporting the calculation
Evaluate whether assumptions are reasonable
Inquire of legal counsel and operational personnel for unreserved claims
Risk: We infer that controls are effective from results of substantive procedures
What controls have we tested that assure the completeness of the reserve?
What controls have we tested that assure the reasonableness of the assumptions?
Slide 40
Consider
Did we obtain an understanding of the SCOT flow of transactions, WCGWs and controls?
Do the identified controls address the WCGWs?
Have we identified the controls in GAMx?
Have we walked through the flow of transactions and controls, evaluated design and determined the controls have been implemented?
Does our documentation reflect that we have tested the controls in addition to auditing the account balance?
Slide 41
Common pitfall
The nature and extent of our update procedures are a matter of professional judgment
Observations
Procedures do not reflect characteristics of, and risks associated with, the controls
Significant reliance on inquiry vs. a mix of procedures
Focusing only on length of time since interim testing
Slide 42
Length of time since interim testing
Whether we are reporting on the effectiveness of ICFR
Whether the control addresses a higher inherent risk or significant risk
Changes in the control environment
Evaluation of ITGCs
Degree of reliance on the control
Identification of control exceptions
Changes to controls since the interim period
Slide 44
Common pitfall
Not sufficiently documenting our evaluation of control deficiencies both individually and in the aggregate for their potential to be significant deficiencies or material weaknesses
Both quantitative and qualitative factors
Possibility of undetected control deficiencies in untested population (components)
Other negative evidence (recorded and unrecorded adjustments)
Control deficiencies affecting same accounts, disclosures and assertions
Slide 45
Common pitfall
Possible causes
Not evaluating the effect of control deficiencies on the control risk assessment and nature, timing and extent of substantive audit procedures
Not taking time to document linkage of control work to nature, timing and extent of substantive procedures and our rationale
Effect on control risk assessment?
Need to adjust nature, timing and extent (e.g., scope) of planned procedures?
Taking action
Slide 47
We each need to take personal responsibility and actions to improve the quality of our audit procedures over internal controls
What are possible underlying causes in your particular circumstance?
What practices might your team adopt to address those underlying causes?
Taking action
Slide 48
GAM resources
It is a personal responsibility of each member of the team to be subject matter specialist on the flow of transactions, risks and design of controls for his or her assigned areas
Understanding significant classes of transactions (S03)
Perform walkthroughs (S04)
Select controls to test (S06)
Design tests of controls (S09)
Execute tests of controls (E02)
Update tests of controls (E04)
Prepare summary of control deficiencies (I03)
Taking action
Slide 49
Begin now to take the incremental steps that will lead to higher quality audits
Sub-area resources
CAML network Internal controls specialist pilot project Pre-report issuance guidance effectiveness and implementation reviews Coaching program