Wiley Practitioner's Guide to GAAS 2020. Joanne M. Flood
Чтение книги онлайн.
Читать онлайн книгу Wiley Practitioner's Guide to GAAS 2020 - Joanne M. Flood страница 75
Название: Wiley Practitioner's Guide to GAAS 2020
Автор: Joanne M. Flood
Издательство: John Wiley & Sons Limited
Жанр: Бухучет, налогообложение, аудит
isbn: 9781119596035
isbn:
Sample Sizes for Tests of Other Controls
You also will need to determine sample sizes for controls that are performed less frequently than every transaction or every day. Because the population sizes for these types of controls are so small, traditional sampling methodologies need to be adjusted. Exhibit 12.2 lists the sample sizes that have evolved in practice for tests of smaller populations.
Exhibit 12.2 Sample Sizes for Small Populations
| Frequency of control performance | Typical sample sizes | |
| Annually | 1 | |
| Quarterly | 2 or 3 | |
| Monthly | 2 to 6 | |
| Weekly | 5 to 15 |
Types of Tests
Inquiry and Focus Groups
Formal inquiries of entity personnel—either individually or as part of a focus group—can be a reliable source of evidence about the operating effectiveness of application-level controls. Inquiries can serve two main purposes:
1 To confirm your understanding of the design of the control (what should happen).
2 To identify exceptions to the entity’s stated control procedures (what really happens).
Confirming control design. Typically, this process consists primarily of a review of documentation (such as policies and procedures manuals) and limited inquiries of high-level individuals or those in the accounting department. To confirm this understanding of the processing stream and control procedures, you should expand your inquiries to include operating personnel and those responsible for performing the control.
When conducting your inquiries, consider the following:
Focus first on what should happen and whether the employees’ understanding of the control procedure is consistent with your understanding. This strategy accomplishes two important objectives:
1 It provides you with a baseline understanding of the procedure that everyone can agree on. It helps to start with everyone on the same page. You can then discuss exceptions to the norm later.
2 If the employees’ understanding of what should happen varies significantly from what is documented, that may indicate a weakness in entity-level controls. For example, you may determine that a weakness in the entity’s hiring or training policies is the cause of the lack of understanding of what should happen. This weakness may have implications for the operating effectiveness of other application-level controls.
Differences between the documentation and the employees’ understanding of the procedures also may indicate that the implementation or use of the entity’s automated documentation tool was poorly planned or executed. For example, documentation of a new control may have been created without informing operating personnel of the change.
Ask open-ended questions. Open-ended questions get people talking and allow them to volunteer information. The results of your inquiries are more reliable when individuals volunteer information that is consistent with your own understanding rather than simply confirming that understanding with a direct statement.
Focus on how the procedure is applied and documented. As described earlier, operating effectiveness is determined by how the procedure was applied, the consistency with which it was applied, and by whom (e.g., whether the person performing the control has other, conflicting duties). The last two elements will be the subject of your inquiries to identify exceptions to the stated policy. Questions about what somebody does or how he or she documents control performance (e.g., by initialing a source document) typically are less threatening than questions related to consistency (“Under what circumstances do you not follow the required procedure?”) or possible incompatible functions.
Interviewers should share their findings and observations with each other. Research indicates that the effectiveness of inquiries as an evidence-gathering technique improves when engagement team members debrief the results.
Ask “What could go wrong?” Interviewees will easily understand a line of questioning that starts with: “Tell me what could go wrong in processing this information,” followed by: “What do you do to make sure those errors don’t occur?”Toward that end, consider using the financial statement assertions model to frame your questions. As described previously, one way to organize your understanding of activity-level controls is to link them to financial statement assertions. You can use these assertions to formulate questions. For example, the question “What procedures do you perform to make sure that you capture all the transactions?” is related to the completeness assertion.
Consider the difference between processes and controls. A process changes or manipulates the information in the stream. Processes introduce the possibility of error. Controls detect errors or prevent them from occurring during the processing of information. Your inquiries should confirm your understanding of both the steps involved in processing the information and the related controls.
The duties of an individual employee may include the processing of information (e.g., the manual input of data into the computer system or the preparation of source documents), control procedures (e.g., the performance of a reconciliation or the follow-up on items identified in an exception report), or both. In making your inquiries, you should remain cognizant of the distinction between processes and controls and the responsibilities of the individual being interviewed.
Identify exceptions. In every entity, there will be differences between the company’s stated procedures and what individuals actually do in the course of everyday work. The existence of differences is normal. In testing the effectiveness of application-level controls, you should anticipate that these differences will exist, and you should plan your procedures to identify them and assess how they affect the effectiveness of activity-level controls. Differences between what should happen and what really happens can arise from:
The existence of transactions that were not contemplated in the design of the system.
Different application of the procedure according to division, location, or differences between people.
Changes in personnel or in their assigned responsibilities during the period under review.
Practical, СКАЧАТЬ