Chapter 7

McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved

Chapter 7

Auditing Internal Control over Financial Reporting in Conjunction with an Audit

of Financial Statements

7-2

Management Responsibilities under Section 404

Section 404 of the Sarbanes-Oxley Act requires managements of publicly traded companies to issue

an internal control report that explicitly accepts responsibility for establishing and maintaining

“adequate” internal control over financial reporting.

LO# 1

7-3

Management Responsibilities under Section 404

Management must comply with the following in order for its public accounting firm to complete an audit of

internal control over financial reporting.

1. Accepts responsibility for the effectiveness of the entity’s internal control over financial reporting.

2. Evaluate the effectiveness of the entity’s internal control over financial reporting using suitable control criteria.

3. Support its evaluation with sufficient evidence, including documentation.

4. Present a written assessment of the effectiveness of the entity’s internal control over financial reporting as of the end of the entity’s most recent fiscal year.

1. Accepts responsibility for the effectiveness of the entity’s internal control over financial reporting.

2. Evaluate the effectiveness of the entity’s internal control over financial reporting using suitable control criteria.

3. Support its evaluation with sufficient evidence, including documentation.

4. Present a written assessment of the effectiveness of the entity’s internal control over financial reporting as of the end of the entity’s most recent fiscal year.

LO# 1

7-4

Auditor Responsibilities under Section 404

The entity’s independent auditor must audit and report on management’s assertion about the effectiveness of internal control. The auditor is required to conduct an integrated audit of the entity’s internal control over financial reporting and its financial statements.

LO# 2

7-5

Internal Control over Financial Reporting Defined

Internal control over financial reporting is defined as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements in accordance with GAAP. Controls include procedures that:

1.1. Pertain to the maintenance of records that fairly reflect the Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.transactions and dispositions of the assets of the company.

2.2. Provide reasonable assurance that transactions are Provide reasonable assurance that transactions are recorded in accordance with GAAP.recorded in accordance with GAAP.

3.3. Provide reasonable assurance regarding prevention or Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or timely detection of unauthorized acquisition, use or disposition of the company’s assets.disposition of the company’s assets.

1.1. Pertain to the maintenance of records that fairly reflect the Pertain to the maintenance of records that fairly reflect the transactions and dispositions of the assets of the company.transactions and dispositions of the assets of the company.

2.2. Provide reasonable assurance that transactions are Provide reasonable assurance that transactions are recorded in accordance with GAAP.recorded in accordance with GAAP.

3.3. Provide reasonable assurance regarding prevention or Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or timely detection of unauthorized acquisition, use or disposition of the company’s assets.disposition of the company’s assets.

LO# 3

7-6

Internal Control Deficiencies Defined

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the entity’s annual or interim financial statements that is more than inconsequential will not be prevented or detected (AS2, ¶9).

LO# 4

7-7


A control deficiency may be serious enough that it is to be considered not only a significant deficiency but also a material weakness in the system of internal control. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be presented or detected (AS2, ¶10).

As illustrated on the next slide, the auditor must consider two dimensions of the control deficiency: likelihood (remote or more than remote) and magnitude (material, consequential, or inconsequential).

LO# 4

7-8


Material

Consequential

Inconsequential

Remote More than remote

MaterialMaterialweaknessweakness

Significant Significant deficiencydeficiency

Insignificant deficiencyInsignificant deficiency

L I K E L I H O O DL I K E L I H O O D

MMAAGGNNIITTUUDDEE

LO# 4

7-9

Management’s Assessment Process

Management must:Management must:

1.1. Design and implement an effective system of internal control. Design and implement an effective system of internal control. This process involves determining whether a necessary This process involves determining whether a necessary control is missing or an existing control is not properly control is missing or an existing control is not properly designed.designed.

2.2. Develop an ongoing assessment process for the internal Develop an ongoing assessment process for the internal controls in place. Management must assess the likelihood controls in place. Management must assess the likelihood that failure of a control could result in a misstatement.that failure of a control could result in a misstatement.

3.3. Management must decide which business units to include in Management must decide which business units to include in the assessment process.the assessment process.

Management must:Management must:

1.1. Design and implement an effective system of internal control. Design and implement an effective system of internal control. This process involves determining whether a necessary This process involves determining whether a necessary control is missing or an existing control is not properly control is missing or an existing control is not properly designed.designed.

2.2. Develop an ongoing assessment process for the internal Develop an ongoing assessment process for the internal controls in place. Management must assess the likelihood controls in place. Management must assess the likelihood that failure of a control could result in a misstatement.that failure of a control could result in a misstatement.

3.3. Management must decide which business units to include in Management must decide which business units to include in the assessment process.the assessment process.

LO# 5

7-10

Management’s Documentation

Management must develop sufficient Management must develop sufficient documentation to support its assessment of the documentation to support its assessment of the

effectiveness of internal control. This effectiveness of internal control. This documentation may take many forms, such as documentation may take many forms, such as paper, electronic files, or other media. It also paper, electronic files, or other media. It also

includes policy manuals, job descriptions, includes policy manuals, job descriptions, flowcharts, and process models.flowcharts, and process models.

Management must develop sufficient Management must develop sufficient documentation to support its assessment of the documentation to support its assessment of the

effectiveness of internal control. This effectiveness of internal control. This documentation may take many forms, such as documentation may take many forms, such as paper, electronic files, or other media. It also paper, electronic files, or other media. It also

includes policy manuals, job descriptions, includes policy manuals, job descriptions, flowcharts, and process models.flowcharts, and process models.

LO# 6

7-11

Framework Used by Management to Conduct Its Assessment

Most entities use the framework developed by COSO.Most entities use the framework developed by COSO.This framework identifies three primary objectives of This framework identifies three primary objectives of

internal control: (1) reliable financial reporting;internal control: (1) reliable financial reporting;(2) efficiency and effectiveness of operations;(2) efficiency and effectiveness of operations;and (3) compliance with laws and regulations.and (3) compliance with laws and regulations.

Most entities use the framework developed by COSO.Most entities use the framework developed by COSO.This framework identifies three primary objectives of This framework identifies three primary objectives of

internal control: (1) reliable financial reporting;internal control: (1) reliable financial reporting;(2) efficiency and effectiveness of operations;(2) efficiency and effectiveness of operations;and (3) compliance with laws and regulations.and (3) compliance with laws and regulations.

COSO

LO# 7

7-12

Performing an Audit of Internal Control over Financial Reporting

Plan the engagement.

Evaluate management’sassessment process.

The auditor typically obtains his or her understanding of management’s assessment process through inquiry of

management and others.

LO# 8

7-13



Evaluate management’sassessment process.

Obtain and document anunderstanding of internal control.

As part of gaining this understanding the auditor must:

1. Understand and assess company-level controls.

2. Evaluate the effectiveness of the audit committee.

3. Identify significant accounts.4. Identify relevant financial

statement assertions.

1. Understand and assess company-level controls.

2. Evaluate the effectiveness of the audit committee.

3. Identify significant accounts.4. Identify relevant financial

statement assertions.

5. Identify significant processes and major classes of transactions.

6. Understand the period-end financial reporting process.

7. Perform walkthroughs.8. Identify controls to test.

5. Identify significant processes and major classes of transactions.

6. Understand the period-end financial reporting process.

7. Perform walkthroughs.8. Identify controls to test.

LO# 8

7-14



Evaluate the management’sassessment process.


Evaluate the design effectivenessof internal control.

Controls are effectively designed when they prevent or detect errors or fraud that could result in material

misstatements in the financial statements.

LO# 8

7-15






Test and evaluate the operatingeffectiveness of internal control.

In testing the effectiveness of controls, the auditor needs to consider the nature, timing, and extent of testing.

LO# 8

7-16

Special Consideration:Using the Work of Others

AS2 requires the auditor to perform enough of AS2 requires the auditor to perform enough of the audit so that his or her own work provides the audit so that his or her own work provides the principal evidence for the auditor’s opinion.the principal evidence for the auditor’s opinion.

However, a major consideration for the external However, a major consideration for the external

auditor is how much the work performed by auditor is how much the work performed by others (internal auditors or others working for others (internal auditors or others working for management) can be relied on in adjusting the management) can be relied on in adjusting the nature, timing, or extent of the auditor’s worknature, timing, or extent of the auditor’s work ..

7-17

Special Consideration:Using the Work of Others

In determining the extent to which the auditor may use the In determining the extent to which the auditor may use the work of others, the auditor should:work of others, the auditor should:

1)1) evaluate the nature of the controls subjected to the work evaluate the nature of the controls subjected to the work of others, of others,

2)2) evaluate the competence and objectivity of the evaluate the competence and objectivity of the individuals who performed the work, and individuals who performed the work, and

3)3) test some of the work performed by others to evaluatetest some of the work performed by others to evaluatethe quality and effectiveness of their work.the quality and effectiveness of their work.

In determining the extent to which the auditor may use the In determining the extent to which the auditor may use the work of others, the auditor should:work of others, the auditor should:

1)1) evaluate the nature of the controls subjected to the work evaluate the nature of the controls subjected to the work of others, of others,

2)2) evaluate the competence and objectivity of the evaluate the competence and objectivity of the individuals who performed the work, and individuals who performed the work, and

3)3) test some of the work performed by others to evaluatetest some of the work performed by others to evaluatethe quality and effectiveness of their work.the quality and effectiveness of their work.

LO# 9

7-18






Test and evaluate the operatingeffectiveness of internal control.

Form an opinion of theeffectiveness of internal control.

The auditor should evaluate all evidence

before forming an opinion on internal control,

including (1) the adequacy of management’s

assessment, (2) the results of the auditor’s evaluation, (3) the negative results of substantive procedures

performed, (4) any control deficiencies.

LO# 8

7-19

Written Representations

In addition to the management representations obtained as part of a financial statement audit, the auditor also

obtains written representations from management related to the audit of internal control over financial reporting.

Failure to obtain written Failure to obtain written representations from representations from

management, including management, including management’s refusal to management’s refusal to

furnish them, constitutes a furnish them, constitutes a limitation on the scope of the limitation on the scope of the audit sufficient to preclude an audit sufficient to preclude an

unqualified opinion.unqualified opinion.

Failure to obtain written Failure to obtain written representations from representations from

management, including management, including management’s refusal to management’s refusal to

furnish them, constitutes a furnish them, constitutes a limitation on the scope of the limitation on the scope of the audit sufficient to preclude an audit sufficient to preclude an

unqualified opinion.unqualified opinion.

LO# 10

7-20

Auditor Documentation Requirements

The auditor must properly document the processes, procedures, judgments, and results relating to the audit

of internal control.

When an entity has effective internal control over financial reporting, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.

When an entity has effective internal control over financial reporting, the auditor should be able to perform sufficient testing of controls to assess control risk for all relevant assertions at a low level.

LO# 11

7-21

Reporting on Internal ControlSarbanes-Oxley requires management’s description of

internal control to include:

1. A statement of management’s responsibility for establishing and maintaining adequate internal control.

2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control.

3. An assessment of the effectiveness of the company’s internal control as of the end of the most recent fiscal year, including an explicit statement as to whether internal control is effective.

4. A statement that the public account firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of internal control.

1. A statement of management’s responsibility for establishing and maintaining adequate internal control.

2. A statement identifying the framework used by management to conduct the required assessment of the effectiveness of the company’s internal control.

3. An assessment of the effectiveness of the company’s internal control as of the end of the most recent fiscal year, including an explicit statement as to whether internal control is effective.

4. A statement that the public account firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of internal control.

LO# 12

7-22

The Auditor’s Report on Internal Control over Financial Reporting

Once the auditor has completed the audit of internal control, he or she must issue an appropriate report to accompany management’s assessment, published in

the company’s annual report.

LO# 13

7-23

Types of Reports Relating to the Audit of Internal Control

The auditor’s report contains opinions on two separate items:

1) management’s assessment of the effectiveness of internal control over financial reporting, and

2) the effectiveness of internal control over financial reporting based on the auditor’s independent audit work.

LO#

13 & 14

7-24


OpinionOpinion

An An unqualifiedunqualified opinion opinion signifies that the client’s signifies that the client’s

internal control is internal control is designed and operating designed and operating

effectively.effectively.

An An unqualifiedunqualified opinion opinion signifies that the client’s signifies that the client’s

internal control is internal control is designed and operating designed and operating

effectively.effectively.

A A qualifiedqualified opinion is opinion is issued when there is a issued when there is a

limitation on the scope of limitation on the scope of the auditor’s work. the auditor’s work.

A A qualifiedqualified opinion is opinion is issued when there is a issued when there is a

limitation on the scope of limitation on the scope of the auditor’s work. the auditor’s work.

A serious scope A serious scope limitation requires the limitation requires the auditor to auditor to disclaimdisclaim an an

opinion. opinion.

A serious scope A serious scope limitation requires the limitation requires the auditor to auditor to disclaimdisclaim an an

opinion. opinion.

An An adverseadverse opinion is opinion is required if a material required if a material

weakness is identified. weakness is identified.

An An adverseadverse opinion is opinion is required if a material required if a material

weakness is identified. weakness is identified.

LO#

13 & 14

7-25

Auditor’s Paragraph onInternal Control

We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the effectiveness of the Company's internal control over financial reporting as of December 31, 2005, based on criteria established in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”), and our report dated February 10, 2006, except as to the second, third and fourth paragraphs of Management’s Annual Report on Internal Control over Financial Reporting (as restated), which are as of January 19, 2007, expressed an unqualified opinion on management's assessment of, and an adverse opinion on the effective operation of, internal control over financial reporting as of December 31, 2005.

7-26

Internal Control ReportReport of Independent Registered Public Accounting Firm

on Internal Control Over Financial Reporting

Board of Directors and ShareownersThe Coca-Cola Company

We have audited management's assessment, included in the accompanying Report of Management on Internal Control Over Financial Reporting, that The Coca-Cola Company and subsidiaries maintained effective internal control over financial reporting as of December 31, 2006, based on criteria established in Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (the COSO criteria). The Coca-Cola Company's management is responsible for maintaining effective internal control over financial reporting and for its assessment of the effectiveness of internal control over financial reporting. Our responsibility is to express an opinion on management's assessment and an opinion on the effectiveness of the Company's internal control over financial reporting based on our audit.

7-27

Internal Control Report We conducted our audit in accordance with the standards

of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether effective internal control over financial reporting was maintained in all material respects. Our audit included obtaining an understanding of internal control over financial reporting, evaluating management's assessment, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

7-28

Internal Control Report A company's internal control over financial reporting is a process

designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. A company's internal control over financial reporting includes those policies and procedures that (1) pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company's assets that could have a material effect on the financial statements.

7-29

Internal Control Report

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

7-30


As indicated in the accompanying Report of Management on Internal Control Over Financial Reporting, management's assessment of and conclusion on the effectiveness of internal control over financial reporting did not include the internal controls of Kerry Beverages Limited (subsequently renamed Coca-Cola China Industries Limited), Brucephil, Inc., Apollinaris GmbH and TJC Holdings (Pty) Ltd. which are included in the 2006 consolidated financial statements of The Coca-Cola Company and subsidiaries and constituted approximately 6.1 percent of the Company's consolidated total assets as of December 31, 2006 and approximately 1.6 percent of the Company's consolidated net operating revenues for the year then ended. Our audit of internal control over financial reporting of The Coca-Cola Company also did not include an evaluation of the internal control over financial reporting of Kerry Beverages Limited (subsequently renamed Coca-Cola China Industries Limited), Brucephil, Inc., Apollinaris GmbH and TJC Holdings (Pty) Ltd.

7-31


In our opinion, management's assessment that The Coca-Cola Company and subsidiaries maintained effective internal control over financial reporting as of December 31, 2006, is fairly stated, in all material respects, based on the COSO criteria. Also, in our opinion, The Coca-Cola Company and subsidiaries maintained, in all material respects, effective internal control over financial reporting as of December 31, 2006, based on the COSO criteria.

7-32


We also have audited, in accordance with the standards of the Public Company Accounting Oversight Board (United States), the consolidated balance sheets of The Coca-Cola Company and subsidiaries as of December 31, 2006 and 2005, and the related consolidated statements of income, shareowners' equity, and cash flows for each of the three years in the period ended December 31, 2006, and our report dated February 20, 2007, expressed an unqualified opinion thereon.

Atlanta, Georgia

February 20, 2007

7-33

1. A title that includes the word “independent.”2. An identification of management’s conclusion about the

effectiveness of the company’s internal control over financial reporting.

3. A definition of internal control over financial reporting.4. A statement that the auditor planned and performed the

audit to obtain reasonable assurance about whether effective internal control is maintained.

5. A statement that an audit includes obtaining an understanding of internal control, valuating management’s assessment of testing the design and effectiveness of internal control and any other procedures.

LO# 15

7-34

Elements of the Auditor’s Report1. A title that includes the word “independent.”

2. An identification of management’s conclusion about the effectiveness of the company’s internal control over financial reporting.

3. A definition of internal control over financial reporting.

4. A statement that the auditor planned and performed the audit to obtain reasonable assurance about whether effective internal control is maintained.

5. A statement that an audit includes obtaining an understanding of internal control, valuating management’s assessment of testing the design and effectiveness of internal control and any other procedures.

7-35

Elements of the Auditor’s Report

6. A paragraph stating that internal control may not prevent or detect misstatements because of inherent limitations.

7. The auditor’s opinion on whether management’s assessment of the effectiveness of internal control is fairly stated.

8. The auditor’s opinion on whether the company maintained effective internal control.

7-36


Report Modification Based on Control DeficienciesReport Modification Based on Control Deficiencies

Likelihood/MagnitudeLikelihood/Magnitudeof Misstatementof Misstatement

Type ofType ofAudit ReportAudit Report

InconsequentialInconsequentialdeficiencydeficiency

SignificantSignificantdeficiencydeficiency

MaterialMaterialweaknessweakness

UnqualifiedUnqualifiedopinionopinion

AdverseAdverseopinionopinion

LO# 15

7-37


Report Modification Based on Scope LimitationReport Modification Based on Scope Limitation

Reason forReason forScope LimitationScope Limitation

Type ofType ofAudit ReportAudit Report

MinorMinoreffecteffect

Management imposed/Management imposed/more than minor effectmore than minor effect

SeverSeverlimitationlimitation

UnqualifiedUnqualifiedopinionopinion

DisclaimDisclaimopinion oropinion orwithdrawwithdraw

QualifiedQualifiedopinionopinion

LO# 15

7-38

Modifications to Unqualified Report on Effectiveness of Internal Control

The auditor should modify the standard report if any of the following conditions exists:

•There is a material weakness in the company’s internal control over financial reporting.

•There is a restriction on the scope of the engagement.

•The auditor decides to refer to the report of other auditors as the basis, in part, for the auditor’s own report.

•A significant subsequent event has occurred since the date being reported on.

•There is other information contained in management’s report on internal control.

LO# 16

7-39

Additional Required Communications in an Audit of Internal Control over

Financial ReportingThe auditor must communicate in writing to management and the audit committee all significant deficiencies and material weaknesses identified during the audit (AS2). This communication should be made prior to the issuance of the auditor’s report on internal control over financial reporting. In addition, the auditor should communicate to management, in writing, all control deficiencies identified during the audit and inform the audit committee when such a communication has been made.

LO# 17

7-40

Integrating the Audits of Internal Control and Financial Statements

An integrated audit is composed of the audits of internal control and the financial statements. The control testing impacts the planned substantive procedures. Also, the results of the substantive procedures are considered in

the evaluation of internal control.

Tests of Tests of internalinternalcontrolcontrol

Tests of Tests of internalinternalcontrolcontrol

SubstantiveSubstantiveauditaudit

proceduresprocedures

SubstantiveSubstantiveauditaudit

proceduresprocedures

LO# 18

7-41

Effect of the Audit of Internal Control on the Financial Statement Audit

When the auditor performs an integrated audit, he or she will have access to a large amount of information about the client’s controls. This information can make the financial statement audit more efficient and result

in reduced substantive procedures.

Regardless of the level of control risk Regardless of the level of control risk in connection with the audit of the in connection with the audit of the

financial statements, auditing financial statements, auditing standards require the auditor to standards require the auditor to

perform some substantive procedures perform some substantive procedures for all significant accounts and for all significant accounts and

disclosures.disclosures.

Regardless of the level of control risk Regardless of the level of control risk in connection with the audit of the in connection with the audit of the

financial statements, auditing financial statements, auditing standards require the auditor to standards require the auditor to

perform some substantive procedures perform some substantive procedures for all significant accounts and for all significant accounts and

disclosures.disclosures.

LO# 18

7-42

Effect of the Financial Statement Audit on the Audit of Internal ControlThe effectiveness of the audit of internal controls should lead the auditor to determine the implications of these findings on the financial statement audit. The auditor’s evaluation should include:

1.1. Misstatements detected.Misstatements detected.

2.2. The auditor’s risk evaluations in connection with the The auditor’s risk evaluations in connection with the selection and application of substantive procedures, selection and application of substantive procedures, especially those related to fraud.especially those related to fraud.

3.3. Findings with respect to illegal acts and related party Findings with respect to illegal acts and related party transactions.transactions.

4.4. Indications of management bias in making accounting Indications of management bias in making accounting estimates and in selecting accounting principles.estimates and in selecting accounting principles.

1.1. Misstatements detected.Misstatements detected.

2.2. The auditor’s risk evaluations in connection with the The auditor’s risk evaluations in connection with the selection and application of substantive procedures, selection and application of substantive procedures, especially those related to fraud.especially those related to fraud.

3.3. Findings with respect to illegal acts and related party Findings with respect to illegal acts and related party transactions.transactions.

4.4. Indications of management bias in making accounting Indications of management bias in making accounting estimates and in selecting accounting principles.estimates and in selecting accounting principles.

LO# 18

7-43

Advanced Module 1: Special Considerations for an Audit of

Internal Control

Special considerationSpecial considerationby managementby managementand the auditorand the auditor

Special considerationSpecial considerationby managementby managementand the auditorand the auditor

Using the work Using the work of others.of others.

Using the work Using the work of others.of others.

Multilocations Multilocations and business and business

units.units.

Multilocations Multilocations and business and business

units.units.

ServiceServiceorganizations.organizations.

ServiceServiceorganizations.organizations.

SafeguardingSafeguardingassets.assets.

SafeguardingSafeguardingassets.assets.

7-44

Using the Work of Others

In determining the extent to which the auditor may use the work of others, the auditor should:

• Evaluate the nature of the controls Evaluate the nature of the controls subjected to the work of others.subjected to the work of others.

• Evaluate the competence and Evaluate the competence and objectivity of the individuals who objectivity of the individuals who performed the work.performed the work.

•Test some of the work performed by Test some of the work performed by others to evaluate the quality and others to evaluate the quality and effectiveness of their work.effectiveness of their work.

• Evaluate the nature of the controls Evaluate the nature of the controls subjected to the work of others.subjected to the work of others.

• Evaluate the competence and Evaluate the competence and objectivity of the individuals who objectivity of the individuals who performed the work.performed the work.

•Test some of the work performed by Test some of the work performed by others to evaluate the quality and others to evaluate the quality and effectiveness of their work.effectiveness of their work.

LO# 9

7-45

Testing Multiple Locations or Business Units

Is unit individually important?

Are there specific significant risks?

Are there units that are not important even when

aggregated?

Are there documented company-level controls over

this group?

No

No

No

No

135135 Evaluate documents and test controls over significant accounts at

each location.

15 Yes

130 Evaluate documents and test controls over specific risks.

5 Yes

No further action required.

7060 Yes

Evaluate documents and test company-level controls over group.

Some testing of controls at individual locations.

Yes

LO# 19

Total number of units = 150Total number of units = 150

7-46

Use of Service OrganizationsMany companies use service organization to

process transactions. If the service organization’s services make up part of a company’s information

system, then they are considered part of the information and communication component of the company’s internal control over financial report. Thus, both management and the auditor must

consider the activities of the service organization.

LO# 20

7-47

Use of Service OrganizationsManagement and the auditor should perform the following procedures with respect to the activities performed by the service organization: (1) obtain an understanding of the controls at the service organization that are relevant to the entity’s internal control and the controls at the user organization over the activities of the service organization and (2) obtain evidence that the controls which are relevant to management’s assessment and the auditor’s opinion are operating effectively.

LO# 20

7-48

Safeguarding of Assets

Safeguarding of assets is defined as policies and procedures that “provide reasonable assurance regarding prevention or timely

detection of unauthorized acquisition, use or disposition of the company’s assets that could

have a material effect on the financial statements.”

LO# 21

7-49

Advanced Module 2: Computer-Assisted Audit Techniques

Computer-assisted audit techniques include:Computer-assisted audit techniques include:

• Generalized audit software packages.Generalized audit software packages.

• Custom audit software.Custom audit software.

• Test data.Test data.Other techniques include parallel simulation,Other techniques include parallel simulation, integrated test facility, and concurrent auditing integrated test facility, and concurrent auditing techniques. These are discussed in advanced techniques. These are discussed in advanced IT auditing books. IT auditing books.

Computer-assisted audit techniques include:Computer-assisted audit techniques include:

• Generalized audit software packages.Generalized audit software packages.

• Custom audit software.Custom audit software.

• Test data.Test data.Other techniques include parallel simulation,Other techniques include parallel simulation, integrated test facility, and concurrent auditing integrated test facility, and concurrent auditing techniques. These are discussed in advanced techniques. These are discussed in advanced IT auditing books. IT auditing books.

7-50

Generalized Audit SoftwareFunction Description

File or data accessReads and extracts data from a client's computer files or databases for further audit testing.

Selection operators Select from files or databases transactions that meet certain criteria.

Arithmetic functions

Perform a variety of arithmetic calculations (addition, subtraction, and so on) on transactions, files, and databases.

Statistical analysesProvide functions supporting various types of audit sampling.

Report generationPrepares various types of documents and reports.

LO# 22

7-51

Custom Audit SoftwareCustom audit software is generally written by auditors for specific audit tasks.

It may be required when the client’s computer system is not compatible with the auditor’s generalized audit software.

Custom software:Custom software:

(1)(1) Is expensive to develop.Is expensive to develop.

(2)(2) Requires extended development time.Requires extended development time.

(3)(3) Is limited in scope of functions.Is limited in scope of functions.

Custom software:Custom software:

(1)(1) Is expensive to develop.Is expensive to develop.

(2)(2) Requires extended development time.Requires extended development time.

(3)(3) Is limited in scope of functions.Is limited in scope of functions.

LO# 22

7-52

Test Data This is data developed by the auditor to test

the application controls in the client’s computer programs. The technique can be used to check

1.data validation controls and error detection routines,

2.processing logic controls,

3.arithmetic calculations, and

4. the inclusion of transactions in records, files, and reports.

LO# 22

7-53

Test Data

The objective of this method is to insure the accuracy of the computer processing of transactions.

This technique can be used to check:

1. Data validation controls and error detection routines.

2. Processing logic controls.

3. Arithmetic calculations.

4. Inclusion of transactions in records, files, and reports.

7-54

Test Data The main advantage of this method is that it provides

direct evidence of the effectiveness of controls in the client’s application programs.

However, it has a number of potential disadvantages:

1. It can be very time consuming to create the data.

2. The auditor may not be certain that all relevant conditions or controls are tested.

3. The auditor must be certain that the test data are processed using the client’s regular production programs.

4. The auditor must be sure to remove the valid test data from the client’s files.

7-55

Integrated Test Facility

Auditor merges it data with client live data.

The advantage is that the auditor probably has greater assurance that he/she is testing the program(s) that the client actually uses.

The auditor must be sure to remove the test data from the client’s files. If the auditor is testing a payroll application, I would hate to have the client pay social security and Medicare taxes based on test data.

7-56

Computer-Assisted Audit Techniques - Substantive Tests

Generalized audit software (GAS)

1. Can be used on a number of different computers and can access files with may differing file/record formats.

2. Auditor does not have to have a complete understanding of the client's hardware and software features.

3. Each different generalized software system has its own characteristics which the auditor must carefully consider before using in a given audit situation.

7-57


Advantages of using computer audit software:

1. Can be used to access client data that is maintained on client files, especially since some client data that is of interest to the auditor may exist only temporarily and only in machine-readable form.

2. Utilize the speed and accuracy of the computer.

3. Can deal effectively with large quantities of data.

4. Can reduce the auditor's reliance on client IT personnel.

5. Can produce (not always) efficiencies in the audit. This is especially true where applications can be used in ensuing years with little or no modifications.

7-58


Types of audit tasks (tests) that may be performed using computer audit software systems include:

1. Selecting and printing confirmations.

2. Selecting and printing audit samples For example, selecting a sample of inventory items for the purpose of performing pricing tests.

3. Comparing data on separate files to determine if the data agree For example, comparing the units of measure on the perpetual inventory file with the physical count file to see if they agree for each inventory item.

7-59


4. Summarizing and analyzing data For example, footing the accounts receivable or perpetual inventory files or aging accounting receivable.

5. Examining records for quality (i.e., completeness, consistency, valid conditions, etc.) For example, determining all inventory accounts with zero or negative unit cost amounts or customer records for which accounts balances exceed credit limits.

6. Testing calculations and making computations For example, recalculating extensions for inventory items and comparing these with the client's values per the inventory file.

7-60


7. Resequencing records on the computer For example, resequencing inventory items on the inventory file by location in order to facilitate test counts of a sample selected from those items.

8. Comparing data on a computer file with data obtained through other audit procedures For example, comparing inventory test counts with the respective inventory quantities per the inventory master file.

7-61

Use of Microcomputers as an

Audit Tool Microcomputer software has been developed to improve the

efficiency and effectiveness of the audit.

Many types of microcomputer audit software are available to aid in the performance of audit procedures that otherwise would be performed manually.

Types of microcomputer software used on audits include the following:

1. Electronic spreadsheets programs

2. Trial balance and workpaper generation programs

3. Audit program and audit correspondence generator programs

4. Engagement management programs.

5. Data retrieval and conversion programs

7-62

Potential Benefits of Using a Microcomputer as an Audit Tool

1. Time may be saved by eliminating manual footing, crossfooting, and other routine comparisons.

2. Calculations, comparisons, and other data manipulations are more accurately performed.

3. Staff morale and productivity may be improved by reducing the time spent on clerical tasks such as footing and ticking.

4. The scope of analytical procedures may be broadened. For example, compute ratios or compute ratios for more than just the current and prior years.

5. Calculating the results analytical procedures may be more efficiently performed.

6. Graphics capabilities may allow the auditor to generate, display, and evaluate various financial and nonfinancial relationships graphically.

7-63


7. Facilitate audit sampling by determining optimum sample size for required levels of precision and reliability and generating random numbers.

8. Prepare and revise flowcharts which depict the flow of transactions in a client's system.

9. Potential weaknesses in a client's internal accounting control system may be more readily identified.

10. Allow easier creation of customized working papers.

11. Computer-generated working papers are generally more legible and consistent.

12. Supervisory-review time may be reduced.

13. Client's personnel may not need to manually prepare as many working paper schedules.

7-64


14. Allow easier storing & accessing of working papers.

15. Generate and analyze engagement management information such as time budgets and comparisons of actual time vs. budgeted time.

16. Assign personnel to engagements.

17. Allow easier generation of custom audit programs.

18. Allow easier generation and modification of standardized audit correspondence such as engagement letters, client representation letters, and attorney letters.

19. Allow access to and perform audit tests on client data that are stored in computer files.

7-65

End of Chapter 7

Chapter 7

Documents

provide reasonable

error detection

recent fiscal

kerry beverages

assisted audit

obtain reasonable

processing

interim financial