Uses of ACL for Audit Evidence

Uses of ACL for Audit Evidence

Using the the guidance on sampling, we will have a large sample to acquire data from.  With ACL and the sample, we are able to use multiple types of tests to test for materiality or any other issues we might find as audit-relevant.


Tests:

• Z-Score
•  Some of the tests we can use to find significance are using a Z-Score analysis.  Using the Z-Score, we can find which numbers are significant and can potentially be inaccurate or fraudulent.
• Statistics
• We are able to see the range of transactions, highs and lows, the median, and the average.  This just gives us an idea of what are the common numbers.
• Stratification
• Using stratification, we can find intervals and see where most of the charges occur.
• Classification
• Using classification, we are able to go through charges and test and see if those charges are potentially fraudulent.
• Either through:
• Dates
• Vendors
• Benford Analysis
• We can also use a Benford Analysis along with the Z-Score to find out which starting digits, either 1 or 2 digit tests, are statistically significant.

Guidance on Sampling

Considering the guidance on sampling, the sampling used by us depends on the assertions being tested, the nature of the population and our assessment of the risk material misstatement. Examples that involve sampling include samples of:

• weekly sales report and review management's response to potential problems in the process
• purchase requisitions and verify proper authorizations
• locations and observe inventory count procedures executed by client personnel
• shift changes within the factory and observe employees clocking in and out
• sales invoices and test the accuracy of individual transactions by verifying quantities and prices against appropriate supporting documentation
• accounts receivable to be confirmed with customers

Although the increased use of  different tests enables us to examine all items in a population and reduces the need for sample based tests, there are many process controls that cannot be tested through tests such as ACL which can consist of the manager actually reviewing the report, a discrepancy, and that the sales system is under control.

As auditors we must address the the size of the population to use when gathering evidence from a larger population because we can't test every single item that we come across. The sample size will depend on two main factors: the assertions being tested and the assessment of risk. Once the sample size is determined, we choose the items or transactions to examine from the population. Common attributes that we would consider when selecting a sample include (similar to what we did in ACL):

• the magnitude of the transaction
• date of a transaction
• parties to the transaction
• nature of underlying assets and liabilities.

References:

• Auditing Assurance & Risk by Knechel, Salterio and Ballou

Substantive Analytical Procedures: Revenue, Cash, and A/R

Substantive Analytical Procedures – the comparison of quantitative relationships among account balances and other indicators to an auditor’s expectations.

If auditor expectations are not met, additional evidence is gathered to identify possible misstatements. (Knechel)

Documentation of Substantive Analytical Procedures (PCAOB):

a.       Form expectation

b.      Results of comparison

c.       Additional procedures to be performed

Expectations:

Revenue - $222,086

Cash - $14,176.25

Accounts Receivable – $4,609

Results:

Account	2011(Unaudited)	Auditor’s Expectations	Expectation Gap
Revenue	$352,523	$222,086	$130,437
Cash	$9,347	$14,176.25	$4,829
Accts. Receivable	$10,846	$4,609	$6,237

 

Expectations were formed based on linear progression.  Information from the Balance Sheet and Income Statement balances to form expectations.

Additional Procedures to be performed:

·         Inquiry

·         Recalculation and re-performance

·         Tests of transactions – verification of details and occurrence of transactions

·         Tests of accounts – test details of year-end balance through test of existence and valuation

·         Tests of presentation and disclosure – examine footnotes and disclosure for better understandability of financial statements

·         Inspection of records and documents – helps support all assertions in financial statements

·         Analytical evidence – examination of relationships among importance account balances, percentages and ratios for unexplained variations

References:

 Linda S. McDaniel and William R. Kinney, Jr. Expectation-Formation Guidance in the Auditor's Review of Interim Financial Information. https://webvpn.ucr.edu/+CSCO+0h756767633A2F2F6A6A6A2E77666762652E626574++/stabe/-CSCO-3p--pdfplus/2491292.pdf?acceptTC=true

AU Section 329 Substantive Analytical Procedure. PCAOB. http://pcaobus.org/Standards/Auditing/Pages/AU329.aspx#ps-pcaob_88942dde-5310-4f3e-88a9-fd8f8a478f54

Presentation 3/22/2012

Dear team, here is our presentation for tomorrow. comments & suggestions are welcome. And our Server Database, hosted in Microsoft Azure.

I hope it will work tomorrow. If not, well, i've wasted five hours working on it... But we still have our Website and this blog to document stuff. Good luck in finals week.
Best regards, Andreas

Tolerable Error and Materiality

As auditors we need to understand that tolerable error can differ from each account because some accounts are more susceptible to error or are more significant to the overall financial results of the organization. Since we do not have formal rules for determining tolerable error for account balances two generally accepted guidelines that we will use are: tolerable error should be less than the overall materiality level, and the sum of tolerable error across all accounts may equal materiality or may exceed materiality.

Materiality is subject to a great deal of judgment so as auditors we have to develop numerous rules of thumbs for setting an initial quantitative materiality level. Since every person looking at financial statements will have a different idea to what constitutes as a material misstatement we will use what is generally suggested for net income or net assets as the base for establishing quantitative materiality with percentages between 5 and 10 for net income and 1 and 3 for percent of net sales.

As auditors, rather than increase the sum of allocated tolerable errors and tolerating a larger error in some accounts we will instead decrease the sum of allocated tolerable errors because we want to decrease the overall risk that a material misstatement will remain undetected. So when all audit procedures are considered, we can conclude with reasonable assurance that the financial statements are not materially misstated. Looking at the audit documentation requirement we see that we have complied with most of them, therefore we should not have as many errors since we have documentation that would support our conclusions with respect to financial statement assertions and documentation that show that accounting records agree with financial statements, etc. Since our audit team also uses ACL to detect potential fraud, material misstatements and weaknesses this should also help keep the tolerable error and materiality low.

The tolerable error level for an account reflects the maximum size of a misstatement that could exist before the auditor would conclude that the account is materially misstated. As auditors we can set tolerable errors in one of two ways: by directly allocating a portion of overall materiality to the account in dollar terms; or calculating TEL as a specified percentage of the account where the smaller values of TEL are associated with lower detection risk.

References:

·         http://www.hkicpa.org.hk/file/media/section6_standards/standards/sas430.pdf

·         Auditing Assurance & Risk by Knechel, Salterio and Ballou

 

Calculator

Here are two simple calculators that allow us to calculate AR and DR. Or you can download the excel file below.

Audit Risk Calculator

Enter Inherent Risk:

Enter Control Risk:

Enter Detection Risk:

Click this button to calculate audit risk:

The audit risk is:

Detection Risk Calculator

Enter Audit Risk:

Enter Inherent Risk:

Enter Control Risk:

Click this button to calculate detection risk:

The detection risk is:

file upload

Material Weakness Detection Risk

Material weakness detection risk should not be a significant risk due our audit team’s checklist of things to look out for when auditing a client and ACL. When analyzing the material weakness detection risk that our audit team faces, our audit team concludes that the likelihood of a major material weakness not being detected is unlikely due our team’s auditing procedures. To see our audit team’s checklist and auditing procedures, refer to our internal control checklist located in our blog. When plotting material weakness detection risk on a risk map, we can conclude that the likelihood of a major missed material weakness not being detected is not likely going to occur; however, the impact of a major material weakness not being detected could moderately impact SDE’s financial reports. Figure 1A shows the impact and likelihood of material weakness detection risk.

Figure 1A

Material weakness detection risk would be located in the low likelihood and the moderate impact box. 

Material Weakness Detection Using ACL

Temecula Auditors, like many other auditing firms, use Auditing Computing Language (ACL), because ACL is one of the most widely used auditing products for fraud detection and prevention. Not only can our audit team use ACL to detect potential fraud, but also material misstatements and weaknesses. ACL would allow our audit team to view SDE’s numerous accounts and to see if there are any accidental double account transactions that were created. For example, an accountant who is in charge of SDE’s journal entries could have accidently made a double entry of a certain transaction. Auditors analyze payment amounts to test duplicate payments, missing check amounts, and incorrect invoice numbers. Not only can our audit team detect material errors in certain accounts, but can also detect unusual transactions. ACL has many options the auditor can use when trying to discover any unusual material misstatements in accounts. One of the tools that ACL offers is Benford’s Analysis. This allows the auditor to look at an entire account to determine if the account’s numbers fall into an expected distribution. One of the major potential material weaknesses is accidental duplicate accounts with shipped products. Our team will need to look closely to the product transactions, because SDE has been having trouble with over and under shipments of products.

Audit Sampling

Another way that our audit firm can lower the risk of not detecting material weaknesses is by conducting audit sampling. To conduct audit sampling for an account that deals with shipped products, our team will need to follow these standard audit sampling procedures:

1)      Audit less than 100 percent of the items within an account balance or class of transactions for the purpose of evaluating some characteristic of the balance.

2)      The auditor needs to be aware of account balances and transactions that may be more likely to contain misstatement.

3)      There are two general approaches to audit sampling: non-statistical and statistical. Both approaches require that the auditor use professional judgment in planning, performing, and evaluating a sample and in relating the audit evidence produced by the sample to other audit evidence when forming a conclusion about the related account balance or class of transactions.

4)      The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.

5)      The sufficiency of audit evidence is related to the design and size of an audit sample, among other factors. The size of a sample necessary to provide sufficient audit evidence depends on both the objectives and the efficiency of the sample.

6)      Evaluating the appropriateness of audit evidence is solely a matter of auditing judgment and is not determined by the design and evaluation of an audit sample. In a strict sense, the sample evaluation relates only to the likelihood that existing monetary misstatements or deviations from prescribed controls are proportionately included in the sample, not to the auditor's treatment of such item.¹

Works Cited

¹“Audit Sampling.” AICPA website.

http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments

Website created

Hello team, i created a website as a presentation tool for Thursday. I wanted to add some risks calculator in it but the website builder currently do not have that feature on it yet. I tried to download some free trial Adobe CS DW to get some javascript calculator running, but that feature is not available on trial version. So, i think a website and a prezi is good enough for the automation part...

CLICK ME!

Compliance with Auditing Standard No. 3

Auditing Standard 3 outlines the requirements for audit documentation that an auditor should prepare and retain.

In general, we have made progress in meeting As No. 3 standards. We've accomplished the objectives of audit documentation, generally met the audit documentation requirements, and have provided documentation of specific matters if it was necessary. The retention of and subsequent changes to audit documentation part of the standard may not have yet been met.

Objectives of Audit Documentation
The objectives of audit documentation are to (1) have a written record of the basis for auditor conclusions and (2) have information that might be reviewed. Having a written record or evidence supporting auditors conclusions is important because it facilitates planning of the audit, audit performance, supervision of the engagement, and is the basis for the review of the quality of work done. Audit documentation should be documented in such a way that it can be easily reviewed by by others including but not limited to members of the engagement team.
Our audit has been documented via this blog and the information can be easily reviewed.

Audit Documentation Requirement

The main ideas of audit documentation requirements are:

Have we complied?	Audit Documentation Requirements
Yes	Document in compliance with PCAOB Standards.
Yes	Document in a clear and organized enough manner so that the reviewer may understand.
Yes	Documentation should support auditor conclusions with respect to every relevant financial statement assertion.
Yes	Documentation should show that accounting records agree with financial statements. Procedures performed, evidence obtained, and conclusions reached need to be documented.
Yes	Documentation must have enough information for an experienced auditor with no previous connection to the engagement to be able to understand what went on during the engagement, who performed and reviewed the work and when.
Yes	Documentation must include information the related to significant findings or issues that is inconsistent with final conclusions.
N/A, but should we encounter this issue we will comply	If after the documentation completion date (explained in the next section), the auditor discovers “that audit procedures may not have been performed, evidence may not have been obtained, or appropriate conclusions may not have been reached, the auditor must demonstrate that all those things were done with respect to relevant financial statement assertions via persuasive evidence. o    If the problem is lack of documentation, then documentation must be provided.
N/A, but should we encounter this issue we will comply	In terms of documentation of risk assessment procedures and responses to risks of misstatement, the following must be included o    summary of identified risks of misstatement and the auditor's assessment of risks of material misstatement o    and the auditor's responses to the risks of material misstatement

Documentation of Specific Matters
The main ideas of documentation of specific matters are:

Have we complied?	Documentation of Specific Matters
Yes	Documentation of auditing procedures that involve the inspection of documents or confirmation, including tests of details, tests of operating effectiveness of controls, and walkthroughs, should include identification of the items inspected. Documentation of auditing procedures related to the inspection of significant contracts or agreements should include abstracts or copies of the documents.
N/A, we are not auditing such matters but should we encounter this issue we will comply	Certain matters, such as auditor independence, staff training and proficiency and client acceptance and retention, may be documented in a central repository for the public accounting firm ("firm") or in the particular office participating in the engagement.
N/A, but should we encounter this issue we will comply	The auditor must document significant findings or issues* actions taken to address them (including additional evidence obtained), and the basis for the conclusions reached in connection with each engagement. *More information on what significant findings or issues are available on PCAOB website.
N/A, but should we encounter this issue we will comply	The auditor must identify all significant findings or issues in an engagement completion document which must be as specific as possible for the reviewer to be able to understand the significant findings or issues.

Retention of and Subsequent Changes to Audit Documentation

This section of AS No. 3 is irrelevant to us at this time as it pertains to retention of documentation and procedures for any changes made. We have not yet finished our audit but we do intend to keep copies of our documentation and follow the correct procedures in making any changes if necessary.


The following is a summarized outline of the "Retention of and Subsequent Changes to Audit Documentation" section of AS No. 3 found on the PCAOB site.

1. The auditor must retain audit documentation for seven years from the date

• the auditor grants permission to use the auditor's report in connection with the issuance of the company's financial statements
• that fieldwork was substantially completed is a report is not issued.
• the engagement ceased id the engagement was not completed

2. A final set of audit documentation should be assembled for retention as of a date not more than 45 days after the report release date.

• not 45 days from the date fieldwork was substantially completed if a report is not issued
• not be more than 45 days from the date the engagement ceased if the engagement was not completed

3. Audit documentation must not be deleted or discarded after the documentation completion date. Instead, information may be added and such information must have the date added, the name of the person who added it, and why the information was added.

References:http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_3.aspx

Internal Control Checklist

4       Quality Management System
4.1       General requirements
4.1 820.5	Is the quality management system documented, implemented and maintained?	Are processes needed for the quality management system identified and established (process map)? Is the sequence and interaction between these processes determined (process map)? Are criteria and methods for the operation and control of quality system processes established (operational procedures)? Are required resources available? Are quality system processes monitored and measured (internal audit, customer feedback, manufacturing process performance, etc.)?	Y
4.1	Are outsourced processes adequately controlled?	How are outsourced processes controlled? Are outputs of outsourced processes verified? Are subcontractors and suppliers required to operate and maintain quality management systems (ISO 9001, for example)?
4.2       Documentation requirements
4.2.1    General
4.2.1 820.20(e)	Are the following types of documents established, maintained and controlled: § quality policy and quality objectives; § quality manual; § operational procedures; § device specifications including drawings, composition, formulation, components, software etc. (Device Master Record); § production process specifications including equipment, production methods and procedures, operator (work) instructions, production environment specifications, etc. (Device Master Record); § quality assurance procedures and specifications including control plans, inspection equipment and procedures, acceptance criteria, etc. (Device Master Record); § packaging and labeling specifications, including methods and processes used (Device Master Record); § installation, maintenance and servicing procedures and methods (Device Master Record); § other documents needed to ensure the effective planning and operation of the quality system; and § records (ref to ISO 13485 4.2.4)?	Are quality policy and quality objectives documented? Where? Is there a quality manual? Operational procedures? Are drawings, specifications, work instructions, work orders, control plans, etc., issued and maintained as controlled documents (as required in 4.2.3)? Are electronic documents (computer files) backed up?	Y
4.2.2    Sales Process Orders
4.2.2 820.20(e)	Does the Sales Orders   include: § the scope of the quality management system and exclusions, § operational procedures or references to them, § description of the interaction between the processes of the quality system, and § outline of the structure of the quality system documentation?	Is the sales order addressing all relevant requirements? Are exclusions from Section 7, Product Realization, documented in the quality manual (if any)? Are operational procedures included or referenced in the quality manual? How is the interaction between the processes of the quality system documented (process map, flowcharts, etc.)?  How is the structure of the quality system documentation outlined in the manual?	Y
4.2.3    Control of documents
4.2.3 820.40(a)	Is there a written procedure defining the controls needed to § review and approve documents prior to issue, § review, update and re-approved documents, § identify changes and current revisions of documents, § make relevant and current documents available at points of use, § ensure that documents are legible and identifiable, § identify and control the distribution of documents of external origin, and § identify retained obsolete documents and prevent their unintended use? Is the procedure fully implemented?	Is there a written procedure for control of documents? Are controlled documents reviewed and approved? How is the approval evidenced (signature)? Is there a process for reviewing, updating and re-approving documents? Are documents identified with their revision level? How are changes identified (change brief, highlighted, etc.?) What measures are implemented to ensure that relevant and current documents are available at points of use (distribution lists, current master lists, etc.)? Are documents uniquely identified (unique title and /or code-number) and are they legible? Is there a process for receiving, reviewing, approving (for use) and distributing documents of external origin (form customers, regulators, suppliers, etc.)  When obsolete documents are retained, is it for a specific, stated reason? Are obsolete documents clearly marked to distinguish them from current revisions? What other measures are implemented to prevent unintended use of obsolete documents?	Y
4.2.3	Is the period for retention of obsolete controlled documents defined?	Is a retention period defined for each type of controlled documents? How is this period determined? Is the retention period at least equal to the lifetime of the device? Is it coordinated with the retention period for corresponding records? Are regulatory requirements considered?
4.2.3 820.40(b)	Are document changes reviewed and approved by the same function that performed the original review and approval (unless specifically designated otherwise)? Are change records maintained, including description of the change, identification of the affected documents, approval signatures and date, and when the change becomes effective?	Is there a clearly stated requirement that changes to documents must be reviewed and approved by the same function that issued the original document, or by another, explicitly designated function? Is it implemented? Are changes in documents (mostly product and process specifications) backed by design change and/or process change records, such as engineering change notices? How is it defined/documented when document changes become effective?
4.2.4    Control of Records
4.2.4	Is there a documented procedure for the identification, storage, protection, retrieval, retention, and disposition of records?	Are there documented instructions how to identify, organize, store, protect, and retrieve records?  Are storage locations for records defined?	Y
4.2.4 820.180(b)	Are retention periods for records defined? Are records retained for at least the period of time equivalent to the expected life of the device, and no less than 2 years?	Is a retention period defined for each type of record? How is this period determined? Is the retention period at least two years or equivalent to the lifetime of the device, whichever is greater? Are regulatory requirements considered?	Y
4.2.4 820.180	Are records organized and maintained to ensure that they remain legible, readily identifiable and retrievable, and to prevent deterioration and loss? Are records accessible to the regulatory inspections? Are electronic records backed up?	Are records stored in dry, clean locations to minimize deterioration? Is there a system for organizing the records? Are boxes, drawers, binders holding records properly identified? Are records easily retrievable (test by asking for retrieval of specific records)? Are records kept in a location that is accessible to regulatory inspections? Are electronic records backed up? Are there specific schedules, instructions, etc. for backing up data? Where are the back-up media (tapes, disks, etc.) kept?	Y
4.2.4 820.181	For each type of device, is there a Device Master Record (DMR) including, or referring to appropriate device specifications, production process specifications, quality assurance procedures, packaging and labeling specifications, and installation, maintenance and servicing procedures and methods?	How is the DMR organized? Is it a file containing the actual specifications documents, or is it a list referring to these documents and their locations? Is the DMR complete, e.g., includes all required categories of documents? Who decides, and how, which documents are included in the DMR? Are all documents included in the DMR correctly identified, reviewed, approved and otherwise controlled? Are the DMR documents the same (and the same revisions) as those used in production?	Y
4.2.4 820.184	Are Device History Records (DHR) maintained for each manufactured batch, lot or unit? (Refer also to ISO 13485 Clause 7.5.1 and 820.184)	Are DHR records properly identified to specific batches, lots or units; and are the records easily retrievable? (For other questions refer to 7.5.1)	Y
4.2.4 820.186	Are Quality System Records (QSR) maintained, including current and obsolete quality system manuals and procedures, and records of quality system activities such as management reviews, corrective and preventive actions, internal audits, etc.?	How is it determined and documented what quality system records are maintained (in QMS Manual and lists of procedures and quality forms, and in operational procedures and work instructions)? Are retention periods specified for obsolete quality system documentation and for quality system records?	Y
4.2.4	Are sufficient records maintained to provide evidence of conformity and effectiveness of the quality management system?	Is there a list (or other documented specification) of quality system records that are maintained by the company? Are the records sufficient to demonstrate product and process conformity, and the conformity and effectiveness of the quality management system and its implementation?	Y
5       Management Responsibility
5.1       Management Commitment
5.1	Is the top management § communicating to the organization the importance of meeting customer and other applicable requirements, § establishing the quality policy, § establishing quality objectives, § conducting management reviews, and § ensuring availability of resources?	How is importance of meeting customer and other requirements communicated? Do employees understand the consequences of failing to meet requirements? Is there a quality policy? Are quality objectives defined? Are management reviews being conducted regularly? Are adequate resources necessary for the quality system provided?	Y
5.2       Customer Focus
5.2	Is the top management ensuring that customer requirements are determined and are met?	What measures are implemented to ensure that customer requirements are determined and met (processes, procedures, training, monitoring, auditing, etc.)?	Y
5.3       Quality Policy
5.3 820.20(a)	Is there a documented quality policy; and § Is it appropriate to the purpose of the organization? § Does it include a commitment to comply with requirements and maintain the effectiveness of the quality management system? § Does it provide a framework for establishing the quality objectives? § Is it communicated and understood throughout the organization? § Is it periodically reviewed for continuing suitability?	Is the quality policy appropriate (relevant to the types of products, type of market, customer expectations, etc.)? Does it include explicit commitment to comply with requirements and maintain (or improve) the effectiveness of the quality system? Is it related to quality objectives? Would achievement of the quality objectives bring the company closer to achieving its overall quality policy? Do employees know the meaning of the quality policy and understand how they can contribute to achieving the policy? Is the quality policy periodically reviewed by management reviews? Has the policy ever been modified since it was initially formulated?	Y
Taken from ISO demo