In: Accounting
Bridgette, a new audit associate, and recent graduate, has been assigned to a major insurance company for a two-week period to help the existing audit team complete the audit. Although the company is not her client, Bridgette is excited about the opportunity.
Everyone on the engagement is professional and pleasant; however, the team is constrained to complete the audit in a short time period to meet the filing deadline. Being the newest staff member on the client, Bridgette is feeling overwhelmed. She has asked a few questions to other team members, but she is concerned her interruptions are slowing them. Also, she does not want to give a negative impression of her abilities and skills.
On Bridgette's last day at the insurance client, Eddy, the audit in charge, asked Bridgette to document the internal control system for the payroll system, because the company changed their payroll software during the year currently being audited. Bridgette starts her task by reviewing last year's documentation, but she knows the process is different from the prior year. Bridgette is uncomfortable with her ability to document the system properly, and she does not believe the changes are that important. Considering someone else will have to review her work, Bridgette is considering simply replicating last year's workpapers.
What should Bridgette do?
Required:
As per ISA 315 (Identifying and Assessing the risk of material misstatement through understanding the entity and it's environment), the auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit. (Ref: Para. A42–A65)
When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design of those controls and determine whether they have been implemented, by performing procedures in addition to an inquiry of the entity’s personnel. (Ref: Para. A66–A68).
As per ISA 330 (Auditor's responses to assessed risks), the auditor has to test the controls at relevant times to ensure that the evidence obtained is sufficient and appropriate. ISA 330 indicates that the auditor may perform tests of control or substantive procedures at an interim date or at the period end.
If the auditor wants to use the evidence obtained in previous audits, he shall take the following into consideration w.r.t re-testing of the controls.
1. The effectiveness of other elements of internal control including risk assessment process
2. The risk from the control characteristics –manual or automated
3. General IT-controls effectiveness
4. Control effectiveness and its application including nature and deviation in the application noted in previous audits
5. If there are any personnel changes which may affect control application
6. If lack of change in a particular control poses a risk due to changing circumstances
7. Risk of material misstatement and the extent of reliance on the control
8. Continuance relevance of evidence by inquiring for any significant changes in those controls subsequent to previous audits
9. If no changes, the auditor should test the control at-least once in every third audit and some controls each audit to test effectively
However, if there are any changes to the controls established, the same shall be tested for operating effectiveness during the current audit period.
In the given case, Bridgette wants to use the previous year's documentation for obtaining the audit evidence related to the internal control system for the payroll. Since the company has changed the entire process of payroll, Bridgette can't use the prior period's documentation. The controls are to be re-tested. Hence, Bridette's view is not correct.