Deloitte LLP
Walkthroughs and D&I
Testing Design Effectiveness
The design effectiveness of controls is determined by the following:
- Is the control operating as described by personnel of the appropriate authority?
- Is the control owner competent enough to perform the control?
- Does the control satisfies the company's control objectives?
- Does it prevent or detect errors or fraud that could result in material misstatements in the financial statements
Procedures to Test Design Effectiveness
Note: Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness
Thank you
Current View of Control Apportion
Control Roll Forwards
- Still leaves the potential to make more substantive selections if controls fail - "not relying on control"
Concluding on controls must be done at miniumum 4-3 months prior to the as-of date.
New CW Controls Roll Forward
- Roll forward each site to 9/30 and conclude on controls
- Document all samples as of 9/30 (i.e 5 for weekly) as required by AAM 4200.2
- Conclusion can be made for a period less than one year [PCAOB AS 5.B2]
- Thus, as of 9/30 we can reasonably conclude all substantive testing completed to date can rely on controls
- For the period 10/1-12/31 we obtain sufficient evidence as describe in [PCAOB AS 5.56]
- Conservatively we make 1-2 more selections to corroborate our 9/30 conclusion
- As AAM 4200.2 is a minimum requirement making additional selections would be fine
- If any errors are found in these selections we run a substantive test on the Q4 sample alone not relying on controls and {tm} as to why our 9/30 selections can still reasonably be said to rely on controls
Purpose of Walk-throughs
To understand the likely sources of misstatements, and aid in selecting the controls to test. The auditor should achieve the following objectives:
- Understand the flow of transactions related to relevant assertions, including how transactions are initiated, authorized, processed, and recorded
- Identify the points within the company's processes where a misstatement—including fraud—could arise that, individually or in combination with other misstatements, would be material
Questions
- Identify the controls that management has implemented to address potential misstatements
Selecting Controls to Test
- It is neither necessary to test all controls related to a relevant assertion nor necessary to test redundant controls, unless redundancy is itself a control objective
- Identify controls over the prevention / detection of unauthorized acquisition, use, or disposition of the company's assets that could result in a material misstatement of the financial statements.
- Test only the controls that pertain to our conclusion about how the company's controls address the assessed risk of misstatement to each relevant assertion.
- Selecting a control for testing depends on which controls, individually or in combination, address the assessed risk of misstatement to a given relevant assertion
Top-Down Approach
A top-down should be used to select controls for testing.
Achieving Objectives
- Walkthroughs will frequently be the most effective way of achieving the aforementioned objectives
- Performing a walkthrough, the auditor will:
- follow a transaction from origination through the company's processes to the company's financial records
- Inquire about the process / control
- Observe the process / control being performed
- Inspect relevant documents
- Re-perform the control (highest level of assurance)
Conducting Walkthroughs
In performing a walkthrough an auditor:
- Questions the company's personnel about their understanding of the company's processes and controls.
- Asks probing questions in order to gain an understanding of the process and identify points at which a control is missing or not designed effectively.
- Changes in the process year over year?
- Threshold of investigation?
- Significant transactions?
Examples
Introduction
PCAOB Auditing Standard 5
- ICFR provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes.
- If one or more material weaknesses exist, the company's internal control over financial reporting cannot be considered effective
- In order to gain an understanding of controls auditors will conduct a walkthrough and test the design and implementation of the controls
Example of 6/30 AR control
- Procedures the auditor performs to test design effectiveness include a mix of:
- inquiry of appropriate personnel
- observation of the company's operations
- inspection of relevant documentation
If we obtain Audit Evidence about the operating effectiveness of Controls during an interim period, we shall:
- Obtain Audit Evidence about significant changes to Controls subsequent to the interim period
- Determine the additional Audit Evidence to be obtained for the remaining period. [PCAOB AS 5.56]
Significant Accounts &
Disclosures
- Evaluate the qualitative & quantitative risk factors related to the financial statement line items and disclosures
- Susceptibility to misstatement due to errors or fraud
Examples:
- Size & composition of the account
- related party transactions
Entity Level Controls
- Test ELC's to support the conclusion that the company has effective ICFR.
- Our evaluation of ELC's can result in increasing or decreasing testing.
- Control Environment
- Management override
Examples:
Financial Statement Level
- auditor's understanding of the overall risks to internal control over financial reporting
- Requesting 13 selections for year-end
- Takes time to coordinate with client
- Delayed response from client
- Wasted time with documentation / most info sent in piece meal