From: John Kelly Mailto


-----Original Message-----
From: John Kelly [mailto:[email protected]]
Sent: Wednesday, January 22, 2003 3:07 PM
To: [email protected]
Subject: audit risk

Comments on Proposed ISA - Audit Risk

Comments requested

Q-1 - Small entities

In general, this material is well done.

Q-2 - Knowledge of Business

Generally well done, and consistent with current Canadian standards.

Q-3 - Time limit

Not unreasonable.

Q-4 - Documentation

The documentation requirements are virtually identical to current Canadian GAAS. Other than trivial additional matters with respect to the documentation of the discussion of the plan, the rules are satisfactory.

Documentation of how and when discussion of the plan occurred is trivial and can be deleted. If it remains, such documentation will be done in a perfunctory manner to comply with the written rule, which is of no value.

Q-5 - Internal Control

The only existing Canadian standard missed is 5210.20, though this may be presumed to be implied.

Q-6 - Significant Risks

As a "significant risk" has the same meaning as "inherent risk is assessed as high", there is no difference between this and current standards. Hence, there will be no change (or improvement) in audit quality. Indeed, as this material is in all significant respects identical to current Canadian standards, there will be no effect on audits in Canada - with the possible exception that there may be more pages of documentation. The work, however, will remain the same.

Overall Comment

In general the material is consistent with Canadian GAAS. However, often the discussion is more detailed, and as it is often difficult to explain the risk model, this additional detail is useful.

Detailed Comments of an Editorial Nature

It is inconvenient that the ISA refers to all three documents as ISA XX. In the future, the ISA should have a separate indexing scheme for each document if a series of documents is exposed at the same time.

X-2 - paragraphs .37 and .38 - "Rely"

"Rely" means to "depend upon with confidence or assurance" (Oxford English Dictionary). The auditor should never rely; the auditor should obtain evidence. Which is indeed what these two paragraphs say; they describe the nature of the evidence the auditor needs to collect to use prior evidence. All that is needed is an editorial fix to remove the word "rely" and the implication that testing need not be done. Wording similar to that used in paragraph 36 should be used. Failure to remove the word "rely" would lower Canadian standards.

For instance:

37. If the auditor plans to use evidence obtained on a prior audit about controls that have changed since they were last tested, the auditor should test the operating effectiveness of such controls in the current audit. Changes may affect the relevance of the audit evidence obtained in prior periods such that there may no longer be a basis for continued reliance. For example, changes in a system that enable an entity to receive a new report from the system probably do not affect the relevance of prior period audit evidence; however, a change that causes data to be accumulated or calculated differently does affect it.

38. If the auditor plans to use evidence obtained on a prior audit about controls that have not changed since they were last tested, the auditor should test the operating effectiveness of such controls at least every third audit. In considering the length of time period that may elapse before .....

X-1 - paragraph 73 - use of the word "mitigate"

In general, the description of the application of the material to smaller audits is appropriate. In this paragraph, however, the use of the word "mitigate" is pejorative. That word and the phrase "lack of segregation of duties" imply that the owner-manager has failed to implement proper controls. (We would not say "The internal audit function helps to mitigate the lack of close supervision by the representatives of the owners in a large corporation.")

Alternate wording might be: Owner-manager controls may play an important part in internal control in a small business, in the same way that an active and independent board of directors may influence the philosophy and operating style of senior management in larger entities.

X-1 - paragraph 82

"The auditor should understand" should be "The auditor should obtain an understanding of" to be consistent with the rest of the document and to remove the absolute nature of the requirement as stated.

X-2 - paragraph 23

"Where" refers to a place. The word should be "when" (as in paragraph 22) or "if."

Separate treatment of IT - X-1 paragraphs 61 and following

The document takes an old-fashioned approach to IT. It seems to assume that computerized systems are rare and recites old-fashioned advantages and disadvantages of these systems. If it were presumed that computerized systems were the norm, presumably we would not have a special section describing the normal situation. Further, the risks cited exist equally in manual or paper-based systems. These paragraphs treat computers as if they were unusual and infrequent intrusions in accounting systems which present strange and unintelligible risks requiring "special skills" not possessed by the average auditor (who presumably has never seen a computer). For instance, paragraph .64 lists risks specific to IT systems, when the risks described are probably greater in a manual system. The risk of using systems that are inaccurately processing data or are processing inaccurate data exists in manual systems as well. The manual "control environment" is of the same importance as the "computer control environment." Backing up paper-based records is as important as backing up computer records. And because back-up of paper-based records is so difficult, why is it not given special mention, when the "risk of loss of computer data" is?

It might be more modern to have a section "Risks inherent in the use of manual systems." For instance, the inability of providing off-site backup of paper based records.

Or, paragraphs 61 to 65 need to be rewritten, removing specific reference to computers.

X-1 - paragraph 63

Advantages of a computerized system should also include:

The ability to prevent or detect unauthorized access that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions. (In a manual system, if unauthorized persons gain access to the records there are no simple ways of determining if such access has occurred or if changes to ledgers or manually prepared master files have occurred.)

The ability to back up programs and data at an offsite location, often effectively instantaneously. (In a manual system, there are no reasonable ways of backing up accounting records.)

Inappropriate manual intervention. Probably a greater risk in a manual system, though hard to quantify because it is so hard to detect.

Failure to make necessary changes to systems or programs. Normally not considered, or considered only informally, in manual systems.

Potential loss of data or inability to access data as required. The greatest risk in a manual system.

Indeed, almost all of the points in 63 could be re-written in the negative as disadvantages of manual systems.

Paragraph .63 describes the advantages of a well-designed system, which would probably have to have many computer elements.

Paragraph 64 describes the risks of badly designed systems, all of which are greater in a manual system. Indeed, some of the risks are uncontrollable in a manual system - access to master files (other than keeping them in a bank vault) and loss of data.

In a computerized environment, further, we are more likely to test changes to systems and consider user input than we are in a manual system. Manual systems are often changed without testing and without user input, to the later chagrin of those making the changes.

A suggestion

Effect of the Nature of Information Systems on Internal Control

61. The nature of the entity's information systems will affect the five components of internal control relevant to the achievement of the entity's financial reporting, operations, or compliance objectives, and its operating units or business processes. For example, an entity may use discrete systems that support only particular business units, processes, or activities, such as a unique accounts receivable system for a particular business unit or a system that controls the operation of factory equipment. Alternatively, an entity may have complex, highly integrated systems that share data and that are used to support all aspects of the entity's financial reporting, operations, and compliance objectives.

62. The nature of the information systems also affects the manner in which transactions are initiated, recorded, processed, and reported. In a manual system, an entity uses manual procedures and records in paper format (for example, individuals may manually record sales orders on paper forms or journals, authorize credit, prepare shipping reports and invoices, and maintain accounts receivable records). Controls in such a system also are manual and may include such procedures as approvals and reviews of activities, and reconciliations and follow-up of reconciling items. Alternatively, an entity may have information systems that use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format replace such paper documents as purchase orders, invoices, shipping documents, and related accounting records. Controls in systems that use IT consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. An entity's mix of manual and automated controls varies with the nature and complexity of the entity's use of IT.

63. Computerized systems may allow for effectiveness and efficiency for an entity's internal control because an entity can:

Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data.

Enhance the timeliness, availability, and accuracy of information.

Facilitate the additional analysis of information.

Enhance the ability to monitor the performance of the entity's activities and its policies and procedures.

Reduce the risk that controls will be circumvented.

Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.

Back up programs and data at an offsite location, often effectively instantaneously.

Prevent or detect unauthorized access that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions, by use of controls such as firewalls and virus protection software. (In a manual system, if unauthorized persons gain access to the records there are no simple ways of determining if such access has occurred or if changes to ledgers or manually prepared master files have occurred.)

64. Regardless of the nature of the system there are risks to an entity's internal control, including:

Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both. In either manual or computer systems, there is a need for procedures such as testing new systems and obtaining user input into systems design.

Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions. In computerized systems, access to data or destruction of data is controlled through means such as firewalls and virus protection software. In manual systems, physical means are used to protect data, such as fireproof safes.

Unauthorized changes to data in master files.

Unauthorized changes to systems or programs.

Failure to make necessary changes to systems or programs.

Inappropriate manual intervention.

Potential loss of data or inability to access data as required. In a computerized system, there is the possibility of off-site backup of programs and data. In a manual system, physical safeguards are used.

65. The extent and nature of these risks to internal control vary depending on the nature and characteristics of the entity's information system. For example, multiple users, either external or internal, may access a common database of information that affects financial reporting. In such circumstances, a lack of control at a single user entry point might compromise the security of the entire database, potentially resulting in improper changes to or destruction of data. When any personnel or users are given, or can gain, access privileges beyond those necessary to perform their assigned duties, a breakdown in segregation of duties can occur. This could result in unauthorized transactions or changes to programs or data that affect the financial statements. Therefore, the nature and characteristics of an entity's information system affect the entity's internal control.
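Paragraph 65's point about users who hold access privileges beyond those necessary for their assigned duties can be checked mechanically from an access-rights listing. The following is an added illustration, not part of this letter or of the proposed ISA: a small Python entitlement review that flags permissions granted beyond each role's stated needs and reports conflicting permission pairs held by one person (a segregation-of-duties breakdown). The role names, permission names, conflict pairs and user grants are constructed sample data, not taken from any real entity.

```python
"""
Least-privilege and segregation-of-duties review over an entitlement listing.
Added example; all roles, permissions, conflict pairs and users are constructed.
"""

# Constructed: the permissions each role legitimately needs to perform its duties.
ROLE_NEEDS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "readonly_auditor": {"ledger.read"},
}

# Constructed: permission pairs that no single person should hold together,
# because holding both lets one person complete a transaction unchecked.
SOD_CONFLICTS = [
    ("vendor.create", "payment.release"),
    ("invoice.enter", "invoice.approve"),
    ("masterfile.change", "ledger.post"),
]


def excess_privileges(user_role, granted):
    """Permissions a user holds beyond what their role requires (least privilege)."""
    return set(granted) - ROLE_NEEDS.get(user_role, set())


def sod_violations(granted):
    """Conflicting permission pairs that a single user holds at the same time."""
    held = set(granted)
    return [pair for pair in SOD_CONFLICTS if held.issuperset(pair)]


def review_entitlements(entitlements):
    """Review a list of (user, role, [permissions]) tuples.

    Returns a dict keyed by user for every user with at least one finding:
    {"excess": set of surplus permissions, "sod": list of conflicting pairs}.
    """
    findings = {}
    for user, role, granted in entitlements:
        excess = excess_privileges(role, granted)
        sod = sod_violations(granted)
        if excess or sod:
            findings[user] = {"excess": excess, "sod": sod}
    return findings


# Constructed sample export from an access-rights listing.
SAMPLE_ENTITLEMENTS = [
    ("alice", "ap_clerk", ["vendor.create", "invoice.enter"]),
    ("bob", "ap_clerk", ["vendor.create", "invoice.enter", "payment.release"]),
    ("carol", "ap_manager", ["invoice.approve", "payment.release"]),
    ("dave", "readonly_auditor", ["ledger.read", "ledger.post", "masterfile.change"]),
]

if __name__ == "__main__":
    for user, finding in review_entitlements(SAMPLE_ENTITLEMENTS).items():
        print(user, "excess:", sorted(finding["excess"]), "sod:", finding["sod"])
```

In the sample data, bob's surplus "payment.release" both exceeds the clerk role and completes a create-vendor/release-payment conflict, while dave's findings come purely from grants outside a read-only role; an auditor would follow up each finding as a potential unauthorized-transaction exposure rather than treating the listing alone as evidence.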

Yours sincerely

John F. Kelly, CA
