attach relative notes

And please answer the questions part by part (separate)

Case: Far East Plastics Ltd.

You are the audit manager in charge of the audit of Far East Plastics ("FEP") Ltd., for the year ended 31 December 2016. Your CPA firm, Au & Au, has been the auditors for FEP for ten years from the time it only produced two products to today when it is a successful diverse company. FEP was started by Joe Lee who owns 51% of the shares with the balance held by about ten silent partners with no operational responsibilities.

Historically, the company presented no unusual audit problems and Au & Au had issued an unmodified report every year. The audit approach used has always been a "substantive" audit approach. Under this approach, the in-charge auditor obtained an understanding of internal controls as part of the risk assessment procedures, but control risk was assessed at the maximum (100%). Extensive analytical procedures were done on the income statement and unusual fluctuations were investigated. Detailed audit procedures emphasized statement of financial position accounts. The theory was that if the statement of financial position accounts were correct at year-end and had been audited as of the beginning of the year, then retained earnings and the income statement must be correct.

In evaluating the audit approach for FEP for the current year's audit, you considered that a substantive approach was really only appropriate for the audits of small non-public companies. In your judgement, FEP with sales of HK$200 million and 75 employees, had reached the size where it was not economical, and probably not wise, to concentrate all the testing on the statement of financial position. Therefore, you designed an audit program that emphasized identifying internal controls in all major transaction cycles and included tests of controls. The intended economic benefit of this "reliance"/"compliance" approach was that the time spent testing controls will be more than offset by reduced tests of details of balances on the statement of financial position accounts.

In planning tests of inventories, you used the audit risk model to determine the number of inventory items you should test at year-end. FEP maintains 2,450 items in its perpetual inventory management system.

You determined that overall audit risk should be low (say 5%). For inherent risk, you determined that it is high because inventory, by its nature, is subject to many types of misstatements. Based on your understanding of the relevant transaction cycles, you believed that internal controls are effective. Therefore, you assess control risk as moderate before performing tests of controls. Of course, you also plan to use analytical procedures for tests of inventory. These planned tests include comparing gross profit margins by month and reviewing for slow-moving items. Substantive tests of details will include tests of inventory quantities, costs and net realizable values at an interim date 2 months before year-end. Cut-off tests will be done at year-end. Inquiries and analytical procedures will be relied on for assurance about events between the interim audit date and year-end date.

Required:

(a) Discuss whether you need to perform the following steps(1-5) if you are using (a) a compliance/reliance audit approach and (b) a substantive audit approach.

1) Assess inherent risk

2) Obtain an understanding of internal control

3) Perform tests of control

4) Perform analytical procedures

5) Assess planned detection risk

(10 marks)

(b) Discuss the advantages that you foresee in using the reliance/compliance approach versus the substantive approach previously used in the audit of FEP.

(8 marks)

(c) What advantages did the substantive approach have over the reliance/compliance approach? (6 marks)

(d) Assume the audit partner agrees with your recommended approach. Using the audit risk model in the planning the audit evidence for detailed inventory tests, the conclusion is that detection risk should be moderate/low. Discuss what this means in this audit. (6 marks)

(e) Now assume(only for this part) that instead of your original control risk assessment of moderate, you assessed control risk at high and all other risks as they are stated, explain the impact on the planned audit procedures and sample size in the audit of inventory as compared to your procedures in step (d) above.

(8 marks)

(f) Although the planning went well, the actual testing yielded some surprises. When conducting tests of controls over acquisition and additions to the perpetual inventory, the audit staff found deviations/exceptions for several key controls that were higher than expected. Discuss the actions you should take in relation to arriving at the appropriate audit opinion.

(8 marks)

(g) Regarding (f) above, describe one other action you should take in relation to the completion of the audit. (Hint: Audit committee) (4 marks)

Internal Controls: Systems and evaluation (3) Auditing I B 416 F Summer 2017 Lecture 8 Sources: Messier, OU audit module guide 1 Learning objectives 1) Assessment of control risk(3 steps, see next slide) 2) Timing of audit procedures 3) Limitations of internal control 4) Communication of significant control deficiencies to TCWG Sources: Messier, OU audit module guide 2 Understanding internal control and assessing control risks 4 steps: 1. obtain a preliminary understanding of internal controls (last two lectures) Assessing control risks: 2. assess control risks - identify specific controls that will be relied upon 3. perform tests of controls Sources: Messier, OU audit module guide 4. compute the desired level of detection risk and determine the nature, timing and extent of substantive tests (concluding on the achieved level of control risk) 3 step 1 Lecture 6 part II & 7 step 2 Figure 6-2 Flowchart of the Auditor's Consideration of Internal Control and its Relation to Substantive Procedures step 3 step 4 Figure 6-2 Flowchart of the Auditor's Consideration of Internal Control and its Relation to Substantive Procedures (Messier) 4 Understanding internal control and assessing control risks Step 1 Obtain a preliminary understanding of internal controls (see last two lectures) Sources: Messier, OU audit module guide 5 Understanding internal control and assessing control risks Step 2 assess control risks - identify specific controls that will be relied upon Sources: Messier, OU audit module guide 6 Step 2: assess control risks - Identify specific controls that will be relied upon After obtaining an understanding of the internal control, auditors make a preliminary assessment of the control risk (CR) Noted that the preliminary assessment of control risk for a financial statement must be high initially Sources: Messier, OU audit module guide 7 Step 2: assess control risk Identify specific controls that will be relied upon See S8 Q 6-5,6-15 If auditors do NOT want to rely on client's internal controls, they will set the CR at (maximum / below maximum) maximum = 100% Document the assessed level of control risk. No need to document the basis of the conclusion. Auditor will directly design and perform substantive tests. This is substantive strategy Sources: Messier, OU audit module guide 8 When will auditors adopt a substantive strategy or set the control risk at the maximum level? i.e. Auditors do NOT want to rely on client's internal controls, because 1. There are few numbers of material transactions in an account balance and procedures are simple (evaluations of internal control will be inefficient) e.g. PPE additions, long-term investment, bank loan additions 2. Auditors consider the internal control pertaining to that assertion is ineffective Sources: Messier, OU audit module guide 9 When will auditors adopt a substantive strategy or set the control risk at the maximum level? i.e. Auditors do NOT want to rely on client's internal controls, because 3. There is no internal control or none can be relied on (e.g. small companies, lack of segregation of duties) Sources: Messier, OU audit module guide 10 Step 2: assess control risks identify specific controls that will be relied upon See S8 Q6-5, 6-15, 6-22 If auditors want to rely on client's internal control, auditors (will / will not) set the CR at (maximum / below maximum) level (i.e. less than 100%) Reliance strategy will be adopted Sources: Messier, OU audit module guide 11 Step 2: assess control risks identify specific controls that will be relied upon If Reliance strategy will be adopted, 1) auditors will identify specific controls that will be relied upon and 2) identify internal controls that can prevent or detect material misstatements in specific assertions, especially those controls that have pervasive effects on many assertions. Sources: Messier, OU audit module guide 12 Reminder: Audit risk model Remember the audit planning tool - audit risk model What are the relationships between the IR, CR, DR and planned audit procedures? If RMM (note 1)is high, DR is low, more planned substantive procedures or larger sample sizes are required If RMM (note 1) is low, DR is high, fewer planned substantive procedures or smaller samples sizes are required If RMM (note 1) is moderate, DR is moderate/low, medium amount of planned substantive procedures (except analytical procedures are extensive) are required to reduce audit risk to acceptably low level. (may be low or very low, see p. 28, L5 and S 5 Q 3) Note 1: RMM or CR assessment is only preliminary after the understanding of client's business and internal controls or BEFORE performing tests of controls , implying that the RMM or CR may be revised when more updated information are obtained. The planned amount of substantive procedures may also be revised. See the flowchart on p. 4 13 step 1. Understanding internal control and assessing control risks Step 3 perform tests of controls (reliance strategy) Sources: Messier, OU audit module guide 14 Step 3: Perform tests of controls 1. If auditors intend to rely on controls, auditors will set the CR at (maximum / below maximum) 2. Then perform tests of controls to confirm that his preliminary assessment of CR is correct and whether the internal control is reliable or not (reliance strategy) Sources: Messier, OU audit module guide 15 What are tests of controls? Tests of controls are performed to provide evidence to support a lower assessed level of control risk Tests of controls tests the effectiveness of the design of accounting and internal control systems during the stage of understanding Test of controls - Used to test the operating effectiveness of controls in preventing, detecting or correcting material misstatements at the relevant assertion level. Tests of controls evaluates whether the internal controls can prevent material misstatements Sources: Messier, OU audit module guide 16 How to perform tests of controls? (Audit techniques) Procedures used as tests of controls include: See S8 6-22c, Q4, 1. Inquiry appropriate client's staffs 2. Inspect documents, records and reports Sources: Messier, OU audit module guide 17 How to perform tests of controls? (Audit techniques) Procedures used as tests of controls include: 3.Observation of the application of the control 4. Walkthrough test (tracing a transaction from its origination to its inclusion in financial statements through a combination of audit procedures including inquiry, observation, and inspection) Sources: Messier, OU audit module guide 18 How to perform tests of controls? (Audit techniques) Procedures used as tests of controls include: (con't) 5.Re- performance of the application of the control by the auditor 6.Use of computer-assisted -audit technique (CAAT) to test automated controls. Sources: Messier, OU audit module guide 19 Exceptions, isolated case, control breakdown If exceptions (error) were found, auditors will: Investigate the reasons Discuss with client If not satisfied with the client's explanation, select more samples and perform the tests Sources: Messier, OU audit module guide 20 Exceptions, isolated case, control breakdown If no more exceptions are found, conclude the exceptions as isolated case If more exceptions are found, conclude that the control has not operated effectively or even a control breakdown happened Sources: Messier, OU audit module guide 21 Timing to perform tests of controls Tests of controls usually are performed before the year end (i.e. the interim visit or audit) Auditors should also perform tests of controls after the year end to ensure client's internal control operates effectively throughout the period (samples are spread out over the accounting period) Sources: Messier, OU audit module guide 22 Understanding internal control and assessing control risks Step 4: compute the desired level of detection risk and determine the nature, timing and extent of substantive tests (concluding on the achieved level of control risk Sources: Messier, OU audit module guide 23 Step 4:conclude the results of achieved level of control risk 1. After the tests of controls have been completed, auditor should make a conclusion on the achieved level of control risk. 2. If the achieved level of control risk support or is consistent with the planned level of control risk, no need to revise the nature, timing or extent of substantive tests. (implied that the substantive procedures are at the same volume as planned.) Sources: Messier, OU audit module guide 24 Step 4:conclude the results of achieved level of control risk 3. If the results of the test of control (achieved level of control risk) shows that the level of control risk is lower/higher than the preliminary one, can reassess the control risk to a lower/higher level. Sources: Messier, OU audit module guide 25 Step 4:conclude the results of achieved level of control risk In both cases, the achieved level of control risk does NOT support the planned level of control risk. Auditors have to revise the planned level of substantive procedures. What are the impact on the planned audit procedures? See next two slides. Sources: Messier, OU audit module guide 26 Step 4 : if low DR Client 1: low detection risk (achieved CR or RMM is high) Planned substantive procedures (TOD + AP) * Nature: physical inspection, review external documents, confirmation, re-performance Why? Sources: Messier, OU audit module guide Timing: All significant work completed at year end Significant increase in/large sample size Extent: *Extensive amount of testing of material accounts or transactions (implied small amount or none of tests of controls) MORE substantive evidence!! See L9 * See L 9 for further details of the evidence mix - audit testing hierarchy TOD = Tests of details, AP = Substantive analytical procedures27 Step 4 : if high DR Client 2: High detection risk (achieved CR or RMM is low) Planned substantive procedures (TOD + AP)* Nature: physical inspection, analytical procedures, substantive tests of transactions and balances Why? Timing: Interim and year end Extent: Limited or small to moderate amount of testing of accounts or transactions (implied large to moderate tests of controls) Sources: Messier, OU audit MORE controls evidence!! See L9 module guide *See L 9 for the further details of evidence mix - audit testing hierarchy TOD = Tests of details, AP = Substantive analytical procedures 28 Hierarchy of evidence mix 4. Auditor should document the achieved level of control risk, the basis of the conclusion that the controls support the assessed level. 5. Based on the reassessed level of control risk (final assessment of control risk), auditors can determine the detection risk and the nature, timing and extent of substantive procedures Source: Messier 29 Advantages of reliance approach lower overall audit cost suitable for large companies - time and costs, controls must be relied on requires a more detailed understanding of internal controls than substantive approach, impact on planned substantive procedures ? internal control weaknesses ? client ? reveals and deters employee defalcations through substantive tests of transactions 30 Advantages of substantive approach More suitable for smaller client lack of key internal controls to rely on, e.g. segregation of duties More efficient audit for smaller client focus on SOFP, tests of details of account balances at year end going to client's office once for the entire audit easier staff scheduling fewer disruptions on client 31 Timing of Audit Procedures See seminar 8 Q 6-10 Source: Messier Source: Messier 32 Timing of Audit Procedures Interim tests of controls are conducted from 31/7/13 to 30/11/13. Substantive procedures are planned for the time period from 30/11/13 to 15/2/14. Auditors will consider some factors to conduct the tests of controls and substantive tests at an interim date. Please see seminar 8 Q 6-10 Sources: Messier, OU audit module guide 33 Limitations of internal control 1. Management override of internal control for example, a senior-level manager can require a lower-level employee to record entries in the accounting records that are not genuine and violate the company's control Sources: Messier, OU audit module guide 34 Limitations of internal control 2. Human errors or mistakes - internal control breakdown because of human errors or mistakes e.g. a staff who does not understand the calculation of sales discount will issue a sales invoice which is not accurate 3. Collusion - destroys the effectiveness of segregation of duties e.g. a staff who receives cash receipts can collude with a staff who records cash receipts to steal cash from the company Sources: Messier, OU audit module guide 35 Communication of significant deficiencies to TCWG Auditors may identify deficiencies in internal controls throughout the audit, particularly during the evaluation of system design and implementation. Sources: Messier, OU audit module guide 36 Communication of significant deficiencies to TCWG According to HKSA 265.6, deficiency in internal control exists when: 1) a control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or 2) a control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing. Sources: Messier, OU audit module guide 37 Communication of significant deficiencies to TCWG A significant control deficiency is a deficiency or combination of deficiencies in internal control that, in the auditor's professional judgment, is of sufficient importance to merit the attention of those charged with governance (TCWG). Sources: Messier, OU audit module guide 38 Communication of significant deficiencies to TCWG Thus, auditors will evaluate the significance of each internal control deficiency. For the factors to consider a significant deficiency, please refer to HKSA 265.A6 for details. Examples of indicators of significant deficiencies in internal control, please see HKSA 265.A7 Sources: Messier, OU audit module guide Two of the examples are: 1) absence of a risk assessment process within the entity where such a process would ordinarily be expected to have been established. 2) the entity's risk assessment process cannot identify a RMM 39 that the auditor would expect that it has identified Communication of significant deficiencies to TCWG According to HKSA 265, auditors are obliged to communicate significant deficiencies they See S 8 Q 6-11 discovered to those charged with governance(TCWG) and management on a timely basis in writing. Auditors should also communicate to management other control deficiencies judged to be of sufficient importance to merit management's attention. Sources: Messier, OU audit module guide 40 Examples of Reportable Conditions Sources: Messier 41 Communication of significant deficiencies to TCWG The writing is usually in a letter format - management letter (from auditor to management) If in writing, include a copy of such communication in the audit documentation (audit work papers). If communicated orally, include in the audit work paper about when and to whom they were communicated. Please see HKSA 260 \"Communication with Those Charged with Governance\" for details. Sources: Messier, OU audit module guide 42 A separate audit memorandum internal control memorandum, which include the points in a formal report to the audit committee. Details include: a description of the deficiency actual /potential impact on financial reporting management's response and actions to be taken auditor's recommendations auditor's further audit procedures to mitigate the Sources: Messier, OU audit impact of the deficiencies. module guide 43 References Elifisen/Messier/Glover/Prawitt Ch. 6 OU audit module guide unit 3 HKSA 315 (revised), HKSA 260 (revised), HKSA 265 (clarified) Sources: Messier, OU audit module guide 44