
July 2012

Avoiding common pitfalls in auditing internal controls

Webcast objective
Avoiding Common Pitfalls in Auditing Internal Controls

Slide 2

Identify key areas for improvement in evaluating the design and operating effectiveness of internal controls

Overview

Slide 3

Important quality matter

Relevant to all controls-based audits
More than incremental improvement needed
Requires personal and team commitment
Improvement only comes with appropriate focus

Agenda

Slide 4

Leadership perspectives
Common pitfalls and leading practices
  Evaluating the effective design of controls
  Evaluating the operating effectiveness of controls
  Evaluating control deficiencies
Taking action
Questions

Leadership perspectives

Leadership perspectives

Slide 6

Norm Prestage, CP Wal-Mart Stores

Anne Mootz, CP Caribou Coffee Company

Jose Martinez SESA CAML

Leadership perspectives

Slide 7

Control assessment work
Foundation for our audits of financial statements
Primary evidence for our audits of ICFR
A core competency of every auditor

Individual and team responsibilities
Up to date understanding of our methodology
Subject matter specialists for assigned areas
Consistent execution of evaluation of design and operating effectiveness of controls

Common pitfalls and leading practices

Presenters

Slide 9

Mike Neubauer Executive Director ITRAAtlanta

Jennifer McGowan Senior Manager APPAuNew York

Jevon Knowles Senior Manager APPAuNew York

Evaluating the design of controls

Understanding SCOTs, flow of transactions, WCGWs and controls



Slide 11

We need to document elements of the critical path

Major input and output sources
Relevant data files, documentation and records
Policies and procedures for authorization, segregation of incompatible duties, safeguarding of assets, information processing
WCGWs
Controls relevant to WCGWs and their description
Additional considerations for estimation SCOTs
Refer to S03_Documentation

Understanding SCOTs, flow of transactions, WCGWs and controls



Slide 12

Common pitfalls

Company's documentation is deficient
Required documentation elements not retained in workpapers
Important sources of information not identified and evaluated
Implications of third party service (and sub-service) organizations not evaluated
Unique classes of transactions/variations in processing not identified and evaluated
WCGWs and identified controls not reconsidered

Use of work of others inhibits our understanding of SCOTs, flow of transactions, WCGWs and controls

Rolling GAMx file without updating WCGWs and controls
Starting the annual reassessment with walkthroughs rather than starting with SCOTs, FOTs and relevant WCGWs

Understanding SCOTs, flow of transactions, WCGWs and controls



Slide 13

Leading practices

Establish procedures to guide the annual reassessment process
Involve internal audit or others in the annual reassessment process

Set parameters and protocols for using the work of others
Reassess WCGWs and controls as a team

Leverage their insights
Develop their understanding and skill sets

Incorporate up to date understanding of SCOTs and flow of transactions
Use Controls Review Tool (CRT) and Audit Strategy Review Tool (ASRT) to facilitate the reassessment

Identify relevant controls and their attributes



Slide 14

As part of evaluating design effectiveness of each control, we need to consider and document

Our understanding of how the control actually operates
Control appropriately addresses the WCGW
Control is capable of effectively preventing or detecting and correcting errors that could result in material misstatements
Control operates effectively throughout the period of reliance
Data subjected to the control is complete and reliable
Control is applied on a timely basis
Person performing the control possesses the necessary authority and competence

Identify relevant controls and their attributes



Slide 15

As we gather and document our understanding of the control, consider
Who performs, competence and authority?
When and how often is control performed?
What IT applications, data, reports or other files are used?
What physical evidence, if any, is produced?
How are misstatements prevented or detected and corrected?

Additional considerations
Our ability to obtain sufficient evidence of operating effectiveness
Risk of management override
Identify the right combination of controls

Identify relevant controls and their attributes



Slide 16

"Whether the controls, if they operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company's control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements" (AS5, par. 42)

Common pitfalls

Distinguishing a control from the transaction process
Challenging the completeness and accuracy of underlying data used to perform the control
Documenting relevant attributes of the controls to support their effective design
  Who, when, what and how of the controls
  Management review/reconciliation controls
  Evaluating the precision of the control

Identify relevant controls and their attributes

Slide 17

Controls vs. transaction process:

Transaction process: The AR sub-ledger is uploaded to the general ledger on a nightly basis.
Control: Interface validation checks, including batch totals and date validation, ensure that AR sub-ledger data is uploaded to the general ledger in a complete and timely manner. Interface failures are resolved by the production support team.

Transaction process: Employees enter their time in the Kronos application.
Control: Department managers are responsible for reviewing and approving time submitted by their employees on a weekly basis. Variances greater than 10% of the expected hours (based on a 40 hour work week) are assessed for appropriateness.

Identify relevant controls and their attributes

Slide 18

What do properly worded controls look like?

Poor: An account reconciliation is performed.
Better: On a monthly basis, the Accounting Manager performs an account reconciliation using an Account Detail report from the Lawson application. Reconciling items greater than $1,000 are resolved within 3 business days.

Poor: The application is configured to perform a 3-way match.
Better: All direct purchases are processed via a 3-way match in the JD Edwards application. All variances with an overage less than $25 are posted to the Cost of Goods Sold account (#123.45). All variances with an overage equal to $25 or greater result in a vendor invoice requesting a credit from the vendor. Access to modify the 3-way match tolerances is limited to the system support group.

Walkthroughs

Slide 19

We perform walkthroughs to confirm:
Our understanding of the SCOTs is as we have documented them
Points where data is captured, transferred or modified
The accuracy of the information we have obtained about the relevant prevent and/or detect and correct controls over the SCOTs
Whether the controls have been designed effectively to prevent or detect and correct material misstatements on a timely basis
Whether the controls have been implemented

Walkthroughs also inform the design of our planned tests of controls
Tests of controls should address relevant attributes of each control to determine whether the controls are operating as designed
Control attributes are the characteristics of the design of the controls

Walkthroughs

Slide 20

Common pitfalls

Walkthrough documentation often needs improvement
Out of date, not always clear
Nearly non-existent for many nonroutine and estimation processes
Additional considerations for estimation SCOTs
Excessive carrying forward of documentation
Not thoroughly evaluating design effectiveness
Controls adequately address the WCGWs
Walkthrough each attribute of the control
Control performed by persons possessing the necessary authority and competence
Control is capable of effectively preventing or detecting and correcting errors that could result in material misstatements

Use of work of internal auditors or others



Slide 21

Common pitfalls

Inaccurate understanding and evaluation of controls potentially affects:
Control risk assessments
Design of tests of controls
Nature, timing and extent (NTE) of substantive procedures

Lose our institutional knowledge about SCOTs, flow of transactions, WCGWs and controls
Not identifying and evaluating
Unique classes of transactions/variations in processing
Changes in sources of input, processing procedures, personnel
Changes in controls over time

Use of work of internal auditors or others



Slide 22

Consider

Refer to 21 June 2012 Audit Matters Improving how we use the work of internal auditors or others

Performing more of our own work in areas with higher risk of material misstatement and higher subjectivity
Requiring that our seniors or experienced staff participate with the internal auditors or others as they meet with entity personnel
Rotate the walkthroughs for which we use the work of internal auditors or others from year to year
Thoroughly review the work of others that is critical to our understanding
Don't accept documentation that is not complete and sufficient for our understanding

Evaluating the operating effectiveness of controls

Designing appropriate tests of controls



Slide 24

Common pitfall
Failing to use an appropriate combination of testing methods when assessing the design and operating effectiveness of controls

Consider the evidence each procedure provides:
Inquiry (did you do this control?)
Observation (I see your sign-off, so the control worked)
Reperformance (I tied out the same documents with no exception, so the control must have worked)

The combination of inquiry, observation, inspection and reperformance provides better evidence of the design and operating effectiveness of controls

Designing appropriate tests of controls



Slide 25

Consider risk associated with the control
Risk that the control might not be effective and, if not effective, the risk that a material misstatement or, for an integrated audit, a material weakness would result

Consider
Inherent reliability of the control -- the risk that the control might not be effective
Importance of the control -- if not effective, the risk that a material misstatement or material weakness would result

As risk associated with a control increases, the evidence that we need to obtain about the operating effectiveness of the control also increases

Designing appropriate tests of controls



Slide 26

Common pitfall
Testing controls through inference

Observing no misstatements when performing substantive procedures does not provide
Direct evidence that controls operate effectively
Evidence that the person performing the control possesses the necessary authority and competence to perform the control effectively

Need to obtain sufficient, appropriate evidence that controls are operating as designed

Designing appropriate tests of controls



Slide 27

Example: acquisition process (effective and tested)

Controls:
A: The BOD approves all acquisitions
B: All acquisitions are subject to due diligence procedures
C: Management's acquisition team calculates purchase price allocation and determines all intangibles are identified and properly valued

Audit procedures:
Obtained copies of all purchase agreements and statements
Audited purchase price allocation & verified entry was properly recorded
Utilized Valuation team to test completeness and valuation of intangible assets

Have we adequately tested the controls?

Designing appropriate tests of controls



Slide 28

Example:
ITGC environment: Ineffective
Control: The system performs a 3-way match before an invoice is paid

Audit testing procedure:
Select 25 transactions and verify invoice, shipping documents and purchase order match

Have we adequately tested the controls?

Testing attributes of controls



Slide 29

Common pitfall
Failing to test each control attribute identified in our walkthrough procedures

Control attributes are the characteristics that define the design of the control
Frequency of performance
Person responsible for performing the control
Inputs and underlying data
Precision or sensitivity of the control

Testing attributes of controls



Slide 30

Control
Management performs a quarterly review of each alternative investment and completes a checklist to evidence their review

Control test
Obtained checklist and verified it was properly completed and signed off by the preparer and reviewer

Have we tested each relevant attribute of the control?

Testing attributes of controls



Slide 31

Control
The investment officer reviews the quarterly statements from investment managers and reconciles the investment assets by type to the balances in the investments ledger. Investment officer investigates all differences (reviews ledger history and/or contacts investment managers). Adjustments to resolve differences are reviewed and approved by the controller.

Attributes of the control
Reconciliation accurately performed by the investment manager as understood
Identification of all differences performed as understood
Adjustments to resolve differences prepared and reviewed as understood
Inquiries of investment officer and controls corroborate observations and inspection
Sample of assets support recording in the correct category

Management review/reconciliation controls



Slide 32

Common pitfall
Insufficient testing of management review and reconciliation controls, including:
Relevant attributes of the control
Precision, sensitivity
Completeness and accuracy of underlying data

Management review/reconciliation controls



Slide 33

Consider the following when testing attributes of an account reconciliation control:

Poor
The account reconciliation was completed

Better
The account reconciliation was completed timely, in accordance with policy
There were no material unreconciled items
All material reconciling items were supported
The preparer possessed appropriate level of competence and authority
The reconciliation was timely reviewed and approved

Management review/reconciliation controls



Slide 34

Common pitfall
Failing to perform audit procedures to adequately test the precision of a control

How can we gather evidence of precision of a review control?
Does control ever identify errors? Their nature? Examples?
Does the control trigger appropriate follow-up? In what circumstances? Examples?
What is nature of questions, follow-up and outcome?
Can we observe the review process?
Is there contradictory evidence indicating control is not sufficiently precise or sensitive to detect errors?

Review did not identify misstatements

Management review/reconciliation controls

Slide 35

Precision of a review/reconciliation control

Ask

Have I performed procedures, beyond inquiry, to evaluate the precision of the control?

Does documentation support the conclusion that the review control is sensitive enough to prevent or detect material misstatements?

"Procedures the auditor performs to test operating effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, inspection of relevant documentation, and re-performance of the control." (AS5, par. 45)

Does documentation reflect the mix of procedures performed?

Management review/reconciliation controls



Slide 36

Common pitfall
Not challenging the completeness and accuracy of the underlying data used in the controls

The effectiveness of the review control is dependent on the completeness and accuracy of the data supporting the control

Consider
Does the control rely on EAE?
What was our evaluation of ITGCs?
Have we tied the data to underlying reports (e.g., subledgers, general ledgers, approved forecasts)?
Have we tested the underlying data (e.g., the AR aging in a control over the allowance for doubtful accounts)?

Dual purpose tests



Slide 37

Common pitfall
Failing to design dual-purpose tests to demonstrate that relevant attributes of the control were evaluated and tested

Examples
Account reconciliations
Warranty reserves

Dual purpose tests Example: Account reconciliations



Slide 38

Standard substantive procedures
Clerically test the reconciliation
Tie the reconciliation to the subledger and general ledger
Obtain support for significant reconciling items
Ensure there are not significant unreconciled differences

Additional control procedures
Determine whether the reconciliation was:
Completed timely
Prepared by person with appropriate competence and authority
Reviewed and approved

Risk: Work program does not identify procedures to test all relevant attributes of controls

Workpapers should evidence our testing of the relevant attributes of the controls in addition to the substantive procedures

Dual purpose tests Example: Warranty reserves



Slide 39

Sample substantive procedures
Obtain, clerically test, and tie the company's quarterly warranty reserve calculation to the general ledger
Test the underlying data supporting the calculation
Evaluate whether assumptions are reasonable
Inquire of legal counsel and operational personnel for unreserved claims

Considerations
What controls have we tested that assure the completeness of the reserve?
What controls have we tested that assure the reasonableness of the assumptions?

Risk: We infer that controls are effective from results of substantive procedures

Dual purpose tests Example: Warranty reserves (cont.)



Slide 40

Consider

Did we obtain an understanding of the SCOT, flow of transactions, WCGWs and controls?
Do the identified controls address the WCGWs?
Have we identified the controls in GAMx?
Have we walked through the flow of transactions and controls, evaluated design and determined the controls have been implemented?
Does our documentation reflect that we have tested the controls in addition to auditing the account balance?

Control update procedures



Slide 41

Common pitfall
Insufficiently updating interim tests of controls to assessment date

The nature and extent of our update procedures are a matter of professional judgment

Observations
Procedures do not reflect characteristics of, and risks associated with, the controls
Significant reliance on inquiry vs. a mix of procedures
Focusing only on length of time since interim testing

Control update procedures



Slide 42

Nature and extent of update procedures should be responsive to:
Length of time since interim testing
Whether we are reporting on the effectiveness of ICFR
Whether the control addresses a higher inherent risk or significant risk
Changes in the control environment
Evaluation of ITGCs
Degree of reliance on the control
Identification of control exceptions
Changes to controls since the interim period

Refer to 24 May 2011 Audit Matters Control testing reminders

Evaluating control deficiencies

Evaluating control deficiencies



Slide 44

Common pitfall
Not sufficiently documenting our evaluation of control deficiencies both individually and in the aggregate for their potential to be significant deficiencies or material weaknesses

Documentation should consider
Severity of each control deficiency
  Both quantitative and qualitative factors
  Possibility of undetected control deficiencies in untested population (components)
  Other negative evidence (recorded and unrecorded adjustments)
  Control deficiencies affecting same accounts, disclosures and assertions
Relevant compensating controls
  Indirect and monitoring ELCs generally not sufficiently sensitive

Evaluating control deficiencies



Slide 45

Common pitfall
Not evaluating the effect of control deficiencies on the control risk assessment and nature, timing and extent of substantive audit procedures

Possible causes
Not asking the second questions
  Effect on control risk assessment?
  Need to adjust nature, timing and extent (e.g., scope) of planned procedures?
Reviewing items on SOCD late in the audit
  Particularly, exceptions identified by IA or others
Not taking time to document linkage of control work to nature, timing and extent of substantive procedures and our rationale

Taking action

Taking action

Slide 47

Many possible underlying causes for each of the common pitfalls

We each need to take personal responsibility and actions to improve the quality of our audit procedures over internal controls

What are possible underlying causes in your particular circumstance?
What practices might your team adopt to address those underlying causes?

Taking action

Slide 48

It is a personal responsibility of each member of the team to be subject matter specialist on the flow of transactions, risks and design of controls for his or her assigned areas

GAM resources
Understanding significant classes of transactions (S03)
Perform walkthroughs (S04)
Select controls to test (S06)
Design tests of controls (S09)
Execute tests of controls (E02)
Update tests of controls (E04)
Prepare summary of control deficiencies (I03)

Taking action

Slide 49

Share your observations and perspectives and determine action steps

Begin now to take the incremental steps that will lead to higher quality audits

Sub-area resources

CAML network
Internal controls specialist pilot project
Pre-report issuance guidance effectiveness and implementation reviews
Coaching program

Thank you for attending!



Slide 50

Group participants only: Email your typed group sign-in sheet with program title and date, and each participant's name, UPN/GPN, and start/end time by close of business tomorrow to TCW_eFax_Docs/EYAPP/US (Lotus Notes) or fax to (866) 284-7074 (North America only).
Click the feedback button and give us your comments on this virtual presentation.
