Sarbanes Oxley Act - Auditing Standards

Public Company Accounting Oversight Board Bylaws and Rules – Standards – AS2

Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements

Examples of Extent-of-Testing Decisions

B30. As discussed throughout this standard, determining the effectiveness of a company's internal control over financial reporting includes evaluating the design and operating effectiveness of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. Paragraphs 88 through 107 provide the auditor with directions about the nature, timing, and extent of testing of the design and operating effectiveness of internal control over financial reporting.

B31. Examples B-1 through B-4 illustrate how to apply this information in various situations. These examples are for illustrative purposes only.

Example B-1 – Daily Programmed Application Control and Daily Information Technology-Dependent Manual Control

The auditor has determined that cash and accounts receivable are significant accounts to the audit of XYZ Company's internal control over financial reporting. Based on discussions with company personnel and review of company documentation, the auditor learned that the company had the following procedures in place to account for cash received in the lockbox:

a. The company receives a download of cash receipts from the banks.
b. The information technology system applies cash received in the lockbox to individual customer accounts.
c. Any cash received in the lockbox and not applied to a customer's account is listed on an exception report (Unapplied Cash Exception Report).

Therefore, the application of cash to a customer's account is a programmed application control, while the review and follow-up of unapplied cash from the exception report is a manual control.

To determine whether misstatements in cash (existence assertion) and accounts receivable (existence, valuation, and completeness) would be prevented or detected on a timely basis, the auditor decided to test the controls provided by the system in the daily reconciliation of lock box receipts to customer accounts, as well as the control over reviewing and resolving unapplied cash in the Unapplied Cash Exception Report.

Nature, Timing, and Extent of Procedures. To test the programmed application control, the auditor:

• Identified, through discussion with company personnel, the software used to receive the download from the banks and to process the transactions and determined that the banks supply the download software.
   -- The company uses accounting software acquired from a third-party supplier. The software consists of a number of modules. The client modifies the software only for upgrades supplied by the supplier.
• Determined, through further discussion with company personnel, that the cash module operates the lockbox functionality and the posting of cash to the general ledger. The accounts receivable module posts the cash to individual customer accounts and produces the Unapplied Cash Exception Report, a standard report supplied with the package. The auditor agreed this information to the supplier's documentation.
• Identified, through discussions with company personnel and review of the supplier's documentation, the names, file sizes (in bytes), and locations of the executable files (programs) that operate the functionality under review. The auditor then identified the compilation dates of these programs and agreed them to the original installation date of the application.
• Identified the objectives of the programs to be tested. The auditor wanted to determine whether only appropriate cash items are posted to customers' accounts and matched to customer number, invoice number, amount, etc., and that there is a listing of inappropriate cash items (that is, any of the above items not matching) on the exception report.

In addition, the auditor had evaluated and tested general computer controls, including program changes (for example, confirmation that no unauthorized changes are undertaken) and logical access (for example, data file access to the file downloaded from the banks and user access to the cash and accounts receivable modules) and concluded that they were operating effectively.

To determine whether such programmed controls were operating effectively, the auditor performed a walkthrough in the month of July. The computer controls operate in a systematic manner, therefore, the auditor concluded that it was sufficient to perform a walkthrough for only the one item. During the walkthrough, the auditor performed and documented the following items:

a. Selected one customer and agreed the amount billed to the customer to the cash received in the lockbox.
b. Agreed the total of the lockbox report to the posting of cash receipts in the general ledger.
c. Agreed the total of the cash receipt download from the bank to the lockbox report and supporting documentation.
d. Selected one customer's remittance and agreed amount posted to the customer's account in the accounts receivable subsidiary ledger.

To test the detective control of review and follow up on the Daily Unapplied Cash Exception Report, the auditor:

a. Made inquiries of company personnel. To understand the procedures in place to ensure that all unapplied items are resolved, the time frame in which such resolution takes place, and whether unapplied items are handled properly within the system, the auditor discussed these matters with the employee responsible for reviewing and resolving the Daily Unapplied Cash Exception Reports. The auditor learned that, when items appear on the Daily-Unapplied Cash Exception Report, the employee must manually enter the correction into the system. The employee typically performs the resolution procedures the next business day. Items that typically appear on the Daily Unapplied Cash Exception Report relate to payments made by a customer without reference to an invoice number/purchase order number or to underpayments of an invoice due to quantity or pricing discrepancies.
b. Observed personnel performing the control. The auditor then observed the employee reviewing and resolving a Daily Unapplied Cash Exception Report. The day selected contained four exceptions – three related to payments made by a customer without an invoice number, and one related to an underpayment due to a pricing discrepancy.
   For the pricing discrepancy, the employee determined, through discussions with a sales person, that the customer had been billed an incorrect price; a price break that the sales person had granted to the customer was not reflected on the customer's invoice. The employee resolved the pricing discrepancy, determined which invoices were being paid, and entered a correction into the system to properly apply cash to the customer's account and reduce accounts receivable and sales accounts for the amount of the price break.
c. Reperformed the control. Finally, the auditor selected 25 Daily Unapplied Cash Exception Reports from the period January to September. For the reports selected, the auditor reperformed the follow-up procedures that the employee performed. For instance, the auditor inspected the documents and sources of information used in the follow-up and determined that the transaction was properly corrected in the system. The auditor also scanned other Daily Unapplied Cash Exception Reports to determine that the control was performed throughout the period of intended reliance.

Because the tests of controls were performed at an interim date, the auditor had to determine whether there were any significant changes in the controls from interim to year-end. Therefore, the auditor asked company personnel about the procedures in place at year-end. Such procedures had not changed from the interim period, therefore, the auditor observed that the controls were still in place by scanning Daily Unapplied Cash Exception Reports to determine the control was performed on a timely basis during the period from September to year-end.

Based on the auditor's procedures, the auditor concluded that the employee was clearing exceptions in a timely manner and that the control was operating effectively as of year-end.