Chapter 5 Internal Control Evaluation. Chapter 2 Professional Standards

Chapter 5Internal Control Evaluation

Chapter 2Professional Standards

The Firm relied on certain controls, in particular general computer controls, automated application controls and security controls, without performing, or without documenting in the work papers the performance of, sufficient testing to support reliance on those controls. Deficiencies included: (1) the Firm's documented testing of certain controls only covered activities occurring outside the audit period, (2) the Firm's work papers indicated that it used reports generated by the payroll department to perform certain tests of controls, but the Firm did not document any test work over the completeness of those reports, (3) the Firm did not document the sample sizes, or how they were determined, for the testing of certain controls,

PCAOB RELEASE NO. 104-2005-119

Chapter 5 Internal control evaluation

the Firm assessed control risk for revenue as below the maximum, without having performed sufficient tests of the issuer's general computer controls to support that assessment. The issuer's information system processing environment relies heavily on processing of orders through an electronic data interchange that links with an enterprise system that interfaces with a separate accounts receivable system. The Firm failed to perform tests of the electronic data interchange system or the financial statement system. In addition, for the controls that the Firm did test, the work papers did not provide evidence that the systems tested and relied upon during the audit continued to operate effectively throughout the period of intended reliance.



the Firm assessed control risk in one area as "low" without having performed sufficient tests of controls to support that assessment. The Firm's controls testing relied on system-generated reports, without the Firm having tested the underlying data, general IT controls, or related system application controls to gain assurance that the reports were accurate and complete.



There was also no evidence in the work papers to indicate that the Firm (1) audited the income tax provision beyond comparing the issuer's tax schedules to the financial statement disclosures; (2) obtained testing results that supported the Firm's assessment of control risk as below the maximum; (3) considered the effects of distributor agreements on revenue recognition, even though sales to third-party distributors contributed 64 percent of net sales in 2003; or (4) performed required journal entry testing or look-back testing of significant estimates.



PCAOB standards require the auditor to test internal controls before relying on them for the purpose of designing and performing the substantive audit procedures. In 13 instances involving the audits of 10 issuers, the Firm failed to test, or failed to perform sufficient tests of, controls that the Firm relied on in designing and performing its substantive audit procedures. The instances included the following:



• The Firm relied on information technology ("IT") application controls that had not been tested for several years.



The Firm relied on IT system-generated data without testing the IT general computer and/or application controls.



... the Firm inappropriately relied on the IT

general controls at a service organization that managed and operated the infrastructure for the issuer's centralized general ledger system, without sufficient testing of those controls.



• The Firm assessed control risk as "high" for expenses, but ....., failed to perform sufficient substantive procedures on expense balances.


Chapter 3 audit risk model

• the Firm failing to obtain, or failing to document in the work papers that it had obtained, sufficient competent evidential matter to support its audit opinion. Those deficiencies included the following:.


Chapter 4 work paper documentation

Documents

Chapter 5 Internal Control Evaluation. Chapter 2 Professional Standards