Simons Inc. (SIM) is a publicly traded US-based company that files quarterly and annual reports with the Securities and Exchange Commission (SEC). The company has identified three risks of material misstatement relating to the recording of sales and established controls in the cash disbursement process. The present paper aims to give an overview of the key considerations in a financial statement audit according to the Auditing Standards of the Public Company Accounting Oversight Board (PCAOB, 2020). Additionally, the paper analyzes the work done by the engagement team in terms of risk identification. The analysis is guided by a set of questions provided at the beginning of each section.
What are the relevant key considerations when evaluating the design of internal controls in conjunction with a financial statement audit?
When testing the design effectiveness, the auditor needs to follow paragraphs 42-43 of Audit Standard AS 2201. Paragraph 42 states that the auditor should determine if internal controls of the company “satisfy the company’s control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements.” The auditor should understand that smaller companies may have different control measures to achieve the control objectives in comparison with larger companies. Paragraph 43 of Standard AS 2201 states that evaluation procedures usually include inquiries of employees, observation of the operations, and review of relevant documentation. Additionally, Paragraph 43 states that walkthroughs are usually sufficient to evaluate design effectiveness.
What are the relevant key considerations when testing the operating effectiveness of internal controls in conjunction with a financial statement audit?
Audit Standard AS 2201 states two central considerations for testing the operating effectiveness of internal controls. Paragraph 44 states that an auditor needs to assess if the internal controls perform as designed and if the designated employee in charge of the control has appropriate qualifications. Paragraph 45 of Standard AS 2201 states that appropriate measures for testing the operating effectiveness are observations of operation, inquiry of personnel, review of the appropriate documentation, and re-performance of the controls.
What are the relevant key considerations when formulating a definition of professional skepticism?
Professional skepticism is one of the key matters that ensure the high quality of the audit. In short, professional skepticism is questioning everything, being alert to the possibility of fraud, error, and misconduct, and critically evaluating all the evidence. Professional skepticism is described in Standard AS 1015, Paragraphs 7-9. According to Paragraph 7, professional skepticism is “an attitude that includes a questioning mind and a critical assessment of audit evidence.” The auditor needs to use all the relevant skills and knowledge to gather and evaluate the evidence objectively. Paragraph 8 of Auditing Standard AS 1015 emphasizes that professional skepticism should be applied throughout the audit, especially when evaluating the competency and sufficiency of the acquired evidence. Paragraph 9 of Standard AS 1015 declares that “the auditor neither assumes that management is dishonest nor assumes unquestioned honesty.” This implies that the auditor needs to rely on sufficient evidence rather than on the honesty of stakeholders. In summary, professional skepticism is a complicated but crucial concept for auditors.
What are the relevant key considerations in determining what additional audit evidence to obtain about controls operating during the roll-forward period?
Additional considerations about the roll-forward period are described in Paragraphs 55 and 56 of Audit Standard AS 2201. Paragraph 55 states that it is the auditor’s responsibility to determine what additional evidence is needed during the roll-forward period. Paragraph 56 of Audit Standard AS 2201 states that the scale of evidence required to test the controls depends on four factors:
- Specific control tested before the present period, including associated risks, nature of the control, and test results;
- The sufficiency of information received during testing at an interim date;
- The length of the remaining period;
- The possibility of a significant change in the internal control.
Paragraph 56 also states that when there is a very low risk that controls are no longer effective, and in some other circumstances, inquiry alone may be enough as a roll-forward procedure.
What are the relevant key considerations in determining if confirmations are required to be used in a financial statement audit? If so, under what circumstances should they be used? If used, what are the steps?
Confirmations may be crucial for identifying misconduct, fraud, and error in certain circumstances. Paragraph 4 of Audit Standard AS 2310 defines confirmation as “the process of obtaining and evaluating a direct communication from a third party in response to a request for information about a particular item affecting financial statement assertions.” The process includes five steps, which are stated in the same paragraph: selecting relevant items, designing the request, communicating the request to the identified third party, obtaining a response, and evaluating the information. Since confirmation is a complicated process that may increase the time spent on the audit, it is crucial to use confirmation only to the extent necessary to achieve the goal of the audit. Paragraph 5 of Audit Standard AS 2310 states that the auditor needs to perform audit risk assessment in compliance with Audit Standard AS 1101. The audit procedures need to be selected according to the level of identified audit risks. The general rule for determining the extent of confirmation required is stated in Paragraph 7 of Audit Standard AS 2310. It states that “the greater the combined assessed level of inherent and control risk, the greater the assurance that the auditor needs from substantive tests related to a financial statement assertion.”
An example of a high-risk situation is provided in Paragraph 8 of Audit Standard AS 2310. In the situation when an entity enters into an unusual, complicated transaction, an auditor should confirm the transaction with the other party and review the appropriate documentation. Paragraph 8 of Audit Standard AS 2310 recommends that after receiving evidence from the third party, the auditor needs to assess if provided information lowers the audit risk. If the provided evidence does not lower the audit risk sufficiently, the auditor should consider using additional control procedures, such as performing the accounts receivable cut-off test. Paragraphs 9 and 10 of Audit Standard AS 2310 state that if the identified audit risks are low, the auditor may substitute costly but effective procedures with less effective but less costly procedures. If the auditor decides that evidence provided by confirmations alone is sufficient, additional procedures may be avoided.
In summary, confirmations are used only when they appear necessary after the audit risk assessment procedure. The higher the audit risk, the more likely confirmations are needed. The confirmation process consists of five steps, with the last one being an evaluation of the evidence provided by confirmation. If the evidence is considered insufficient, the auditor may choose to conduct additional procedures to lower the audit risks to the extent necessary.
What are the relevant key considerations when evaluating the severity of a deficiency in control that directly addresses a risk of material misstatement?
When evaluating controls, it is crucial to evaluate the severity of deficiencies in controls that directly address a risk of material misstatement. Paragraph 62 of Audit Standard AS 2201 states that the auditor needs to evaluate each of the control deficiencies to determine whether they, alone or in combination with other deficiencies, are a material weakness as of the date of management’s assessment. Paragraphs 63 and 64 of Audit Standard AS 2201 explain that the severity of the deficiency depends on the reasonable probability that the company’s control will fail and on the magnitude of potential misstatement; however, it does not depend on whether a misstatement has actually occurred.
Paragraphs 65 and 66 of Audit Standard AS 2201 provide examples of risk factors that may increase the probability of control failure and the magnitude of potential misstatement, including the nature of financial statement accounts, susceptibility of assets to fraud, subjectivity and complexity, the interaction of controls or deficiencies, and the volume of activity and account balance exposed. Paragraph 68 of Audit Standard AS 2201 provides the crucial insight that the “auditor should evaluate the effect of compensating controls when determining whether a control deficiency or combination of deficiencies is a material weakness.”
Does the Controller’s failure to adequately review the Vendor Change Form represent a deficiency in the design or operating effectiveness of the control? Explain your answer with relevant guidance.
The controller’s failure to adequately review the Vendor Change Form represents a deficiency in the design effectiveness. According to Paragraph 42 of Audit Standard AS 2201, the auditor should test if the design can effectively prevent or detect errors and fraud. The described procedure cannot effectively prevent fraud or error, as employees of the accounts payable department may follow different verification standards depending on their individual judgment and level of proficiency. This implies that there may be high variability in the actual procedure performed, even when all the employees of the accounts payable department strictly follow the internal control protocol. This implies that the design is flawed, as it does not provide a clear, unified response to misstatement prevention, which can increase the probability of fraud or error.
The identified deficiency does not affect the operating effectiveness of the control procedure. According to Paragraph 44 of Audit Standard AS 2201, the auditor should test if the control is operated as designed and if the people responsible for exercising the control have appropriate qualifications. There was no evidence that the responsible employees did not exercise the control as designed under the C5C control in the cash disbursement process. Additionally, it appears that employees from the accounts payable department have the necessary qualifications to perform controls connected to their duties. Thus, the identified deficiency is not connected to the operating effectiveness.
Is the vendor request change form failure indicative of a material weakness in internal control over financial reporting? Explain your answer with relevant guidance.
The vendor request change form failure is indicative of a material weakness in internal control over financial reporting. Appendix 7 of the Audit Standards by PCAOB (2020) defines material weakness as “a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.” The situation creates a risk that the company will make the changes in the request form without confirming with the bank, which may reasonably lead to a misstatement.
Additionally, the deficiency can prevent the officials from concluding that “they have reasonable assurance that transactions are recorded as necessary,” which is a sign of material weakness, according to Paragraph 70 of Audit Standard AS 2201. In this case, the source of the material weakness is the insufficiency of management review procedures. At the same time, the situation is indicative of ineffective internal control over financial reporting. According to Paragraph 2 of Audit Standard AS 2201, if one or several material weaknesses exist, the company’s internal controls over financial reporting cannot be called effective.
Revenue Risk Assessment
This section was guided by the four questions provided below:
- Was the engagement team’s assessment of the evaluation of the design of each control appropriate?
- Was the engagement team’s assessment of the risk associated with each control appropriate?
- Were the team’s interim planned procedures to test the operating effectiveness of each control appropriate considering the risk associated with the control?
- Were the team’s roll-forward planned procedures to test the operating effectiveness of each control appropriate considering the risk associated with the control?
- The assessment of the audit team was adequate, as the identified controls were appropriate. The control is automated and continuous, which is crucial for reducing the possibility of material weakness. Additionally, auditors did not overly rely on technology and included the controls of the automated system.
- The associated risk was assessed adequately, as there is a low chance of error or fraud due to the automation of the process of invoicing. If the SELLANDSHIP System is reliable, it is unlikely to fail due to internal errors or outside influence, according to Paragraph B28 of Appendix B of the Audit Standards by PCAOB.
- The engagement team utilized adequate controls for the interim testing, according to the level of risk identified. According to Paragraph B28 of Appendix B of the Audit Standards by PCAOB, fully automated systems have low susceptibility to breakdowns and human errors. Therefore, the auditor can use the benchmarking strategy, which was represented in the interim procedures.
- The procedure for the roll-forward period was also appropriate. Paragraph 56 of Audit Standard AS 2201 notes that “in some circumstances, such as when evaluation of the foregoing factors indicates a low risk that the controls are no longer effective during the roll-forward period, inquiry alone might be sufficient as a roll-forward procedure.” Thus, using inquiries only is appropriate for the roll-forward period.
- The identified controls for the risk appear appropriate, as the timing and format were aimed at detecting fraud and mistakes almost immediately. Additionally, the director of the warehouse has all the required qualifications for performing the control, and the segregation of duties is adequate, which is crucial according to Paragraph A3 of Appendix A of the Audit Standards by PCAOB.
- The risk was evaluated correctly in terms of probability and impact of misstatement, which is in accord with Paragraphs 65-66 of Audit Standard AS 2201.
- The interim planned procedures of the team were appropriate for the level of identified risk. Paragraph 43 of Audit Standard AS 2201 states that evaluation procedures usually include inquiries of employees, observation of the operations, and an overview of relevant documentation. All of these procedures were included in the control measures described by the engagement team, which is crucial to minimizing the risk of misstatement.
- The procedures identified for the roll-forward period control appear questionable. The Audit Standards by PCAOB do not mention if roll-forward controls can be avoided under any circumstances.
- The control seems appropriate for the level of associated risk. However, it is unclear if the 15% threshold is adequate as the trigger for the review. Additional justification may be needed to verify the number.
- The risk assessment seems inadequate, as the engagement team perceived the risk as not higher. According to Paragraph 62 of Audit Standard AS 2201, the severity of deficiency depends on the probability and magnitude of error. While the magnitude of a single error may be comparatively low, the probability is high due to the human factor and low potential impact. While the severity of a single error may be low, there can be numerous errors, which can increase the severity of the risk.
- While the planned procedures seem appropriate for the level of identified risk, they are insufficient if the level of risk is increased to higher. Thus, according to Paragraph 43 of Audit Standard AS 2201, the procedures should be comparable with the ones identified for Risk 2.
- The roll-forward procedures seem appropriate, as they adequately respond to the level of risk, as inquiry alone would be insufficient, according to Paragraph 56 of Audit Standard AS 2201.
The present paper discussed several crucial questions associated with audit standards, including design and effectiveness of internal controls, professional skepticism, confirmation, the evidence required for the roll-forward period, and material weakness. The insights of the analysis of the PCAOB Audit Standards were used to answer three practical questions, including an assessment of the controls for the identified risks. The analysis revealed that the severity of one risk was identified inappropriately, which led to inadequate identification of procedures by the engagement team.
Public Company Accounting Oversight Board. (2020). Auditing standards. Web.