Chapter IV: The Auditor's Responses to Assessed Risks and Other Planning Considerations I. OVERALL RESPONSES (PSA 330) 4.0 The auditor should design and implement overajj responses to address the risks of material misstatement at the financial statement level which includes: e Emphasizing to the audit team the need to maintain professional skepticism during the entire duration of the audit e Assigning more experienced staff or those with special skills or using experts e Providing more supervision e Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed ¢ Making general changes to the nature, timing or extent of audit procedures. ll. AUDIT PROCEDURES RESPONSIVE TO RISKS OF MATERIAL MISSTATEMENTS AT THE ASSERTION LEVEL 1.0 The auditor should consider the following in designing further audit procedures: 1.1 Consider the reasons for the assessment given to the risks of material misstatements at the assertion level for each class of transactions, account balance, and disclosure including: o Inherent Risk © Reliance to Controls in determining Substantive Tests 104|Page12 Obtain More persuasive evidence when the auditor's assessed risk is higher. 2.0 Considering the Nature, Extent and Timing of further audit procedures: 2.1 Nature of an audit Procedure involve: 2.1.1 Purpose — tests of control or substantive tests 2.1.2 Type — FIVE CARROT CARS ° Footing Inquiry Vouching Examination (Inspection) Confirmation Analytical Procedures Reperformance Reconciliation Observation Tracing Cut-off Review Auditing Related Accounts Simultaneously Representation Letter ° Subsequent Events Review 2.2 Extent — includes the quantity of a specific audit procedure to be performed. 2.3 Timing — refers to when audit procedures are performed or the period or date to which the audit evidence applies. ° For a period of time — more on reliance or non-reliance ° At a point in time — either interim or year- end @©o000000 00000 105|PageUl. INTERNAL CONTROL CONSIDERATION AND TESTS OF CONTROL 4.0 Limitations in an Internal Control : 4.1 Reasonable assurance — cost of an internal contro} should not exceed the expected benefits to be derived ; 1.2 Focuses on routine transactions than non-routine transactions i 4.3. Potential for human error is always present 4.4 Circumvention of internal controls through collusion 1.5 Management override 1.6 Obsolescence of internal control 2.0 Responsibility of Management 2.1 Effectiveness and efficiency of Internal Control 2.2 Ability of internal controls to prevent errors/misstatements 2.3 If unable to prevent, the ability to detect and correct the errors/misstatements 3.0 Responsibility of Those Charged with Governance 3.1 Oversight function towards the management 3.2 Determine the reliability of the financial reporting process 4.0 Focus of an Auditor in an Internal Control © Those that directly affect the preparation of financial statements ° Those other controls which are irrelevant to the audit may be considered if they may affect the financial statements in one way or another 106| PageVV. peeled OF AN INTERNAL CONTROL (CRIME) ; Hein wb Uislas (ICHAMPO) - the tone at the attitudes, awareness and actions of management and those charged with governance concerning the entity's internal control and its importance in the entity. ° Integrity and ethical behavior — essential element which influence the effectiveness of the design, administration and Monitoring of controls © Commitment to competence -— management's Consideration of the competence levels for particular jobs and how those levels translate into requisite and knowledge o Human resource practices - recruitment, orientation, training, evaluating, promoting, compensating and remedial actions © Assignment of responsibility and authority — how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established o Management operating __style/philosophy — management's approach to taking and managing business risks, and management's attitudes and actions toward financial reporting, information processing and accounting functions and personnel © Participation of those charged with governance — independence from management, their experience and stature, the extent of their involvement and scrutiny of activities, the information they receive, the degree to which difficult questions are raised and pursued with management and their interaction with internal and external auditors Organizational structure - the framework within which an entity's activities for achieving its 107|Pageobjectives are planned, executed, controlled ang reviewed. 2.0 Risk Assessment — management assessment of tisks which include: o Business risks © Significant risks © Assessing the likelihood of their occurrence; and © Deciding about actions to address those risks 2.1 Risks can arise or change due to the following circumstances: : 2.1.1. Changes in operating environment 2.1.2 New personnel 2.1.3 New or revamped _ information systems 2.1.4 Rapid growth 2.1.5 New technology 2.1.6 New business models, products, or activities 2.1.7 Corporate restructurings 2.1.8 Expanded operations 2.1.9 New accounting pronouncements 2.1.10 Use of IT 3.0 Information and Communication System consists of infrastructure (hardware components), _ software, people, procedures, and data. Business processes connected to the information and communication system considers the following: 3.1 Classes of transactions in the entity’s operations that are significant to the financial statements 3.2 Procedures, within both IT and manual Statements, by which those transactions ale 108| Pageinitiated, fecorded, processed, corrected as. necessary, transferred to the general ledger and reported in the financial statements Related accounting records, whether electronic or manual, Supporting information and specific accounts in the financial statements that are used to initiate, record, Process and report transactions How the information system captures events and conditions, other than transactions that are Significant to the financial statements Financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures Controls surrounding journal entries, including non-standard journal entries used to recording non-recurring, unusual transactions or adjustments 3.7. Information quality: e Content is appropriate = Information is timely, current, accurate and accessible 3.3 3.4 3.5 3.6 4.0 Monitoring — process of assessing the quality of internal control performance over time 4.1 Ongoing monitoring — activities are built into the normal recurring activities of an entity and include regular management and supervisory activities. 4.2 Separate evaluation — monitoring activities that are performed on a non-routine basis, such as functions performed by internal auditors 5.0 Existing Control Activities (PAID TIPS) — policies and procedures that help ensure that management directives are carried out 109|PageVv. 5.1. Pre-numbered documents 5.2 Authorization 5.3 Information processing 5.4 Documentation 5.5 Timely and accurate performance review 5.6 Independent checks 5.7 Physical controls 5.8 Segregation of duties (CARE) o Custody o Authorization o Recording o Execution 6.0 Controls in an Accounting System: o Manual - tests of control are for manual controls o IT System — tests of control are for both manual and automated controls UNDERSTANDING INTERNAL CONTROL 1.0 Objective: Evaluate the design of a control and determine whether it has been implemented. 2.0 Procedures: o Inquiries © Inspection o Observation o Walk-through test - confirms the auditor's understanding of how the accounting systems and control procedures function, 3.0 In this phase, the auditor is not required to obtain knowledge about the Operating effectiveness of the entity’s internal control, 10|Page4.0 Uses of understanding the internal control: o Identify types of potential misstatements that can occur © Consider factors that affect the risk of material misstatements o Design the nature, timing and extent of audit Procedures to be performed 5.0 Documenting the auditor’s understanding of internal control — there is no specific requirement for documenting the understanding. (FIN) © Flowcharts — used to see the flow of transactions and documents o Internal Control Questionnaire — used to determine internal control weakness o Narrative description 6.0 Assessment of Control Risk o Document understanding of internal control After documenting, make preliminary assessment of control risk, at the assertion level, for each material account balance or class transactions. o If Control risk is HIGH, use non-reliance approach, meaning no test of control is needed and no need to document the reason why non-reliance approach is used. Automatically proceed to Substantive Testing. o If Control Risk is LOW, use reliance approach, test internal control and document the reasons for assessing control risk as less than high. 7.0 When Test of Control is not necessary: o Control Risk is High 111|Pageo Controls are irrelevant to the audit o Population is too small Vi. TEST OF CONTROL 1.0 When Test of Control is Necessary: o When Initial Assessment of Control risk is less than high o When substantive tests alone cannot provide sufficient appropriate evidence (especially if client is fully automated) 2.0 Tests of operating effectiveness of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, detect or correct, a material misstatement in an assertion. 3.0 Testing the operating effectiveness of controls includes obtaining evidence about: co Howcontrols were applied at relevant times during the period during the audit; The consistency with which they were applied; and By whom or by what means they were applied. 4.0 Nature of Tests of Control: o Inquiry o Observation o Inspection o Reperformance 5.0Normally, obtaining an understanding of the entity's internal control system and assessing control risks are often done simultaneously. 112|PageVil. 6.0 Communication of Internal Control Weaknesses (Management Letter) o Auditor is required to report to the appropriate level of management, the material weaknesses in the design or operation of the accounting and internal control systems which have come to the auditor's attention. 0 Significant control deficiency — must be in writing o Non-significant control deficiency — either in writing or verbal o Auditors are not required to search for and/or identify internal control weaknesses, only those that come to their attention during the audit. o Internal control weaknesses are communicated through a Management Letter. Communicating Deficiencies in Internal control to Those Charged with Governance and to the Management (PSA 260 and 265) 1.0 The auditor must communicate appropriately to those charged with governance and management deficiencies in internal control that the auditor has identified in an audit of financial statements. 2.0 Deficiency in internal control exists when: 2.1 A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or 2.2 A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing. 113|Page3.0 Significant deficiency in internal contro] _ a deficiency or combination of deficiencies in internay control that, in the auditor's professional judgment, i of sufficient importance to merit the attention of thogg charged with governance. 4.0 The auditor shall communicate in writing significant deficiencies in internal contro} identified during the audit to those charged with governance ona timely basis. 5.0 The auditor shall also communicate to the management at an appropriate level of responsibility on a timely basis: 5.1 In writing, significant deficiencies in internal control that the auditor has communicated or intends to communicate to TCWG, unless it would be inappropriate to communicate directly to management in the circumstances; and 5.2 Other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor's professional judgment, are of sufficient importance to merit management's attention. 6.0 An auditor shall include in the written communication of significant deficiencies in internal control: 6.1 Description of the deficiencies and an explanation of their potential effect; and 114|Page 46.2 Sufficient information to enable TCWG and Management to understand the context of the communication. 7.0 Indicators of significant deficiencies in internal control may include: 7.1 Evidence of ineffective aspects of the control environment 7.2 Absence of a risk assessment process within the entity 7.3 Evidence of an ineffective entity risk assessment process 7.4 Evidence of an ineffective response to identified significant risks 7.5 Misstatements detected by the auditor's procedures that were not prevented, or detected and corrected, by the entity's internal control 7.6 Restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud 7.7 Evidence of management's inability to oversee the preparation of the financial statements Vill. AREAS THAT REQUIRE SPECIAL AUDIT CONSIDERATION: SIGNIFICANT RISKS 1.0 Areas with a risk of fraud; 2.0 Areas with risks related to recent significant economic, accounting or other developments and therefore, requires specific attention; 3.0 Complexity of transactions; 4.0 Transactions with related parties; 11S|Page5.0 Degree of subjectivity in the measurement of financia, information which includes a wide range of measurement uncertainty; and 6.0 Transactions outside the normal course of business o, those that are unusual. OTHER AUDIT CONSIDERATIONS 1.0 Audit Plan — an overview of the expected scope anq conduct of the audit ¢ The overall audit plan sets out in broad terms the nature, timing and extent of the audit procedures to be performed. 2.0 Audit Program — executes the audit strategy, sets out in detail the audit procedures to be performed in each segment of the audit which includes: e Detailed lists of procedures e Audit objectives per assertion e Working papers needed 3.0 Time Budget — estimate of the time that will be spent in executing the audit procedures listed in the audit program, which shall be the basis for billing the client. 4.0 Changes to audit plan and audit program - since planning is continuous throughout the audit engagement the audit plan and the audit program must be revised when pieces of evidence and information come to the attention of the auditor which will need a change in the procedures and the reasons for such change must be written, 116|Page ”Multiple Choice Questions le stage. further audit performed derived from it. through collision. Instructions: Choose the BEST answer. The auditor should design and implement overall fresponses to address the misstatement at the financial includes (choose the wrong a. Emphasizing to the audit team the need to maintain _ professional skepticism during the Planning and execution risks of material Statement level which b. Assigning more experienced staff or those with special skills or using experts c. Providing more supervision d. Incorporating additional elements of unpredictability in the selection of be 2. The following are the inherent limitations in an internal contro! except which one? a. Cost of an internal control should not exceed the expected benefits to be b. Internal controls generally focus on routine transactions. c. There is potential for human error who is part of the internal controls. d. Circumvention of controls 3. The following are the responsibilities of the management in relation to internal controls except which one? 117|Pagee management should consider the Th d efficiency of controls effectiveness an in place. The management must assess and improve the ability of internal controls to prevent errors or misstatements. The management must ensure that controls in place can eliminate errors or fraud. If the control is unable to prevent errors or misstatements, the management must place other controls that has the ability to detect and correct the errors or misstatements. 4. The following are the responsibilities of those charged with governance in relation to internal controls. Oversight function towards the internal controls in place. Determine the reliability of the financial reporting process. I. a. b. Cc. d. Both statements are correct. Both statements are incorrect. Only statement | is incorrect. Only statement II is incorrect. 5. The auditor must focus on which of the following internal controls? Those that directly affect the financial reporting process Those controls which may indirectly affect the financial reporting process such as controls relating to tax reporting. 118] Page =Both statements are correct. Both statements are incorrect. Only statement | is incorrect. Only statement II is incorrect. aoon The following are the components of an internal control under the COSO framework except which one? a. Control Environment b. Risk Assessment of the business c. Information and Communication d. Organizational Structure This is a component of an internal control where the top management sets the tone of the Company to which the middle and lower management follows. a. Existing Control Activities b. Risk Assessment c. Control Environment d. Human Resource Practices The following are the elements of an effective control environment except which one? a. Communication and enforcement of Integrity and ethical values b. Commitment to competence c. Participation of those charged with governance d. Very aggressive management reporting Among the choices, one statement correctly pertains to internal controls, which one is it? 119| Pagea. Internal control system refers to all the policies and procedures adopted by the auditor to assist in achieving management's objective. b. A strong environment, by itself, ensure the effectiveness of the internal control system. c. Inthe audit of financial statements, the auditor is only concerned with those policies and procedures within the accounting and internal control systems that are relevant to the financial statements. d. The internal control system is confined to those matters which relate directly to the functions of the accounting system. 140. All except one of the following is incorrect. Which of the following is correct in relation to internal controls? a. Accounting and internal control systems provide management with conclusive evidence that objectives are reached. b. One of the inherent limitations of accounting and internal control systems is the possibility that the procedures may become inadequate due to changes in conditions, and compliance with procedures may deteriorate. c. Most internal controls tend to be directed at non-routine transactions. d. Management does not consider costs of the accounting and internal control systems, 120| Page ad11. Various stakeholders Play a different role in a Company including the top management. The top management has a Primary role for. a. Establishing a Proper tone at the top. b. Reviewing the reliability and integrity of financial information. c. Ensuring that external and_ internal auditors adequately monitor the control environment. d. Implementing and monitoring controls designed by the board of directors. 12. It is essential for the management and those charged with governance to design and implement effective and efficient internal controls. Effective internal controls are necessary to. a. Eliminate risks and possible losses to the organization. b. Cannot be circumvented by management. c. Is unaffected by changing circumstances and conditions encountered by the organization. d. Reduces the need for management to review exception reports on a day-to- day basis. 13. What audit evidence concerning segregation of duties ordinarily is best obtained? a. Vouching supporting documents that corroborate management's financial statement assertions 121|Pageb. Observing the employees as they apply specific controls. c. Obtaining narratives and company policies and procedures. d. Developing audit objectives that reduce control risk. 44. When considering internal controls during the interim period, the auditor has assessed the control risk at a minimum and performed interim substantive tests. The records and procedures would most likely be tested again at year-end for the intervening period if a. Tests of controls were not performed by the internal auditor during the remaining period. b. Internal control provides a basis for limiting the extent of substantive testing. c. The auditor erroneously selected samples. d. Audit procedures conducted resulted for the auditor to believe that conditions have changed. 15. Substantive tests generally do not provide any affirmative evidence as to the segregation of duties due to the fact that: a. Substantive tests rarely guarantee the accuracy of the records if only a person who performs incompatible functions. b. The records may be accurate even though they are maintained by a person who performs incompatible functions. 122|Pagec Substantive tests relate to the entire Period under audit, but tests of controls ordinarily are confined to the period during which the auditor is on the client's premises. d. Many computerized Procedures leave no audit trail of who performed them, so substantive tests may necessarily be limited to inquiries and observation of office personnel. 16. Which of the following is the responsibility of an audit committee? a. Oversight of the internal control structure. b. Oversight of the financial reporting process. c. Working with the internal and external auditors. d. All the choices above are responsibilities of the audit committee. 17. Based on the procedures performed, the auditor decided not to perform additional tests of controls. The possible reason for such conclusion is that the a. Additional evidence to support a further reduction in control risk was not cast- beneficial to obtain. b. Assessed level of inherent risk exceeded the assessed level of control risk. c. Internal control was properly designed and justifiably may be relied on. 123|Paged. Evidence obtainable through tests of controls would not support an increased assessment of control risk. 18. The following factors may influence business risks except which one? a. Changes in operating environment b. Hiring of new personnel c. New or revamped Information systems d. Slow growth 49. This component of internal control consists of infrastructure, software, people, procedures and data. a. Control Environment b. Entity’s risk assessment procedure c. Information and Communication d. Monitoring 20. This is a type of a monitoring activity where the monitoring activities are performed on a non-routine basis. a. Ongoing monitoring b. Separate Evaluation c. CCTV Monitoring d. Batch monitoring 21. These are policies and procedures that help | that management directives are carried out. Control Activities Internal Controls System of Quality Controls Internal Audit Function aogp 124|Page id22. The auditor's objective when understanding the internal controls of the audit client is? a. Evaluate the design of the control and determine its Operating effectiveness b. Assess control risk c. Assess the design of the control and determine that such control has been implemented d. To determine the nature timing and extent of test of controls 23. This procedure confirms the auditor's understanding of how the accounting systems and control procedures function. Reperformance Waik-through test Observation Vouching aoc 24. When understanding the control, the following items are considered except which one? a. Operating effectiveness of the control b. Identify types of potential misstatements that can occur c. Consider factors that affect the risk of material misstatements d. Design the nature, timing and extent of audit procedures to be performed. following is a way of 25. All but one of the ; itor’s understanding of the documenting the aud audit client's internal controls: a. Flowcharts 125|Pageb._ Internal Control Questionnaires c. Narrative Description d. Pictograph 26. Test of control is not necessary for all of the 27. 28. 29. following except: Control risk is high Controls are irrelevant to the audit Population is too small The audit client is highly automated aos The following are the audit procedures to be done in performing a test of control except which one? a. Confirmation b. Inquiry c. Observation d. Inspection Which of the choices is considered a test of control rather than a substantive test? a. Send confirmation letters to banks. b. Count and list cash on hand. c. Examine signatures on checks. d. Obtain or prepare reconciliations of bank accounts as of the balance sheet date. When the auditor evaluates internal controls, what is the sequence of the enumerated steps that is logically correct? Determine whether the necessary procedures are prescribed and are being followed satisfactorily, 126|PageI. Consider the types of errors and fraud that could occur, Determine the internal control policies and procedures that should prevent or detect errors and fraud, Evaluate any weakness to determine its effect on the Nature, timing, or extent of auditing procedures to be applied and Suggestions to be made to the client. a. HIV, 1,1 b. IIL, 1, ILIV c. I, Ill, LIV d. HI, M,IV 30. What is the secondary objective of the auditor's study and evaluation of internal control? a. To provide a basis for constructive suggestions concerning improvements in internal control. b. To provide a basis for reducing the auditor's assessed level of control risk below the maximum level. c. To obtain an assurance that the records and documents have been maintained in accordance with existing company policies and procedures. d. To obtain a basis for determination of the resultant extent of the tests to which auditing procedures are to be restricted. 127|Page31. Which of the following may be considered a hysical control? , [ In processing sales orders, the computer is programmed to compare the customer's credit limit minus the prior balance with the current sales order amount. ; b. Sales prices are stored in computer memory and are automatically applied as stock numbers are entered from customer orders. c. Although the payroll is prepared manually, a second employee recalculates gross pay, withholdings, and net pay. d. Negotiable securities are kept in a locked vault and are accessible only by the treasurer accompanied by one of her assistants. 32. The auditor is required to document its review of the audit client’s internal control in order to substantiate a. Conformity of the accounting records with generally accepted accounting principles. b. Representation as to adherence to requirements of | management. c. Representation as to compliance with generally accepted auditing standards. d. The fairness of the financial statement presentation 128| Page33. An internal control questionnaire indicates that an approved receiving report is required to accompany every check request for payment of merchandise. Which of the following procedures provides the greatest assurance that this control is Operating effectively? a. Select and examine canceled checks and ascertain that the related receiving reports are dated no earlier than the checks. b. Select and examine canceled checks and ascertain that the related receiving teports are dated no later than the checks. c. Select and examine receiving reports and ascertain that the related canceled checks are dated no earlier than the receiving reports. d. Select and examine receiving reports and ascertain that the related canceled checks are dated no later than the receiving reports. 34. All except one factor may most likely impact the auditor's judgment as to the quantity, type, and content of working papers? a. The effectiveness of the existing internal control. b. The content of the client's representation letter. c. The timing of substantive tests completed prior to the balance sheet date. 129|Paged. The usefulness of the working papers as a reference source for the client. 35. The professional accountant's report expressing an opinion on an entity's internal controls should state that the a. Objectives of the client's internal controls are being met. b. Consideration of the internal controls was conducted in accordance with generally accepted auditing standards. c. Establishment and maintenance of internal control is the responsibility of management. d. The auditor does not generally provide an opinion on an entity's internal controls unless stipulated in the engagement letter. 36. When obtaining an understanding of the Company's risk assessment policies, the auditor would ordinarily exclude how management a. Identifies risk. b. Eliminates significant risks c. Assesses the likelihood of occurrence of events due to significant risks. d. Relates risk assessment to financial reporting. 37. One of the following statements provides the best description of the auditor's responsibility as regards the detection of material fraud, which is it? a. The auditor has in no case a liability for fraud. b. The auditor is always liable if he/she is unable to detect fraud The auditor should design audit programs that will provide reasonable assurance that material 130|Pageerrors and fraud will be d, Course of the examinatioy d. The audit i B itor is responsible for the fai detect material fr. thors n : ‘aud when the auditor's evaluation Of internal control Procedures indicates that they are ineffective. letected in the ordinary 38. When determining the enumerated conditions below, you will opt to lower account balance materiality threshold for which of which item? a. Study of the business and industry, together with the application of analytical procedures, reveals that the client has enjoyed a surge in sales and gross profit during an industry downturn. b. Application of analytical procedures shows that the client's gross profit rate is significantly below last year and also is materially lower than the industry average. c. Study of internal controls within the revenue cycle reveal material weaknesses. d. Study of internal controls within the payroll cycle confirm the auditor's belief that few errors have occurred. 39. When an accounting function does not leave a transactional trail, the auditor may perform which procedure to obtain an evidence as to the reasonableness of the segregation of duties? a. Inspection. b. Observation. c. Reprocessing. d. Reconciliation. 131] Page40. An auditor can make use of a well-prepared flowchart to aon Prepare audit procedure manuals. Prepare detailed job descriptions. Trace the origin and disposition of documents, Assess the degree of accuracy of financial data, 132|Page