For more information about a cyberattack on Hillsburg’s ONHAND system and other background information please refer to the Appendix and Question 8-35. Below is a conversation between the audit manager, Fran, and the partner, Joe:
LN: Hi Joe, can I talk to you?
JA: Sure Leslie. Please come inside and close the doors. You know, sometimes I get a sense that staff can hear my conversations even when the doors are closed.
LN: Joe, the walls in this office are paper-thin.
JA: Ha-ha, maybe. For sure the walls will be better once the office renovations are done. So, what’s on your mind?
LN: Joe, I have to be honest with you, sometimes I feel that Avis, Hillsburg’s CFO, is a bit too old-school to be in charge of the IT department.
JA: The ONHAND cyberattack wasn’t her fault! It could have happened to any company. Our IT expert found that it was a sophisticated cyberattack, done by some real professional hackers.
LN: Yes, I know that. However . . . .
JA: However, what?
LN: I just found out from our IT expert that Avis signed off on the launch of the ONHAND system before all of the cybersecurity testing was completed.
JA: No, you didn’t.
LN: Yes, that’s why I came to see you. ONHAND cybersecurity testing was never complete.
JA: Wow, I had no clue.
LN: There is more. Our IT expert found four other cybersecurity vulnerabilities in Hillsburg’s IT system that expose financial information to hackers.
JA: Why would Avis launch a system without making sure that it’s secure? She is such a great and well-respected CFO. Thirty plus years of experience, knows the industry inside-and-out, and runs the accounting department so well.
LN: Joe, I think Avis simply doesn’t understand IT and cybersecurity well. Remember, it wasn’t her choice to look after IT. This responsibility was sort of forced on her during the last senior management reshuffle. Avis is close to retirement age, probably thought that she could handle it for a couple of years before she retires.
JA: You are probably right.
LN: But I am worried. Avis grew up without computers, doesn’t have any social media accounts, and uses an old flip phone. Joe, I think Avis’s lack of IT competence is a problem. Even after everything that happened with ONHAND, Avis still has no plans to hire and pay an external cybersecurity vendor to be on standby just in case Hillsburg is attacked again.
JA: Leslie, I that you may be right.

REQUIRED
1. Describe the auditor’s responsibilities for reporting significant control deficiencies to those in charge of governance.
2. Based on the above scenario, what significant control deficiencies would Joe and Leslie have to report to those charged with governance at Hillsburg?
3. Do you think that the fact that Joe has known Avis, Hillsburg’s CFO, for a number of years, considers her to be a competent CFO, and the two of them have a good working relationship creates a threat to Joe’s independence? If yes, what kind of an independence threat.
4. Explain how the information provided by the IT expert impacts the overall audit strategy for Hillsburg. Explain what updates should be made to Fran’s working paper (Figure 10-2).

Transcribed Image Text:

Figure 10-2 Illustrative Overall Audit Strategy Working Paper WP 430 Client: Hillsburg Hardware Ltd. Period Ended: June 30, 2020 Objective: To document overall audit strategy (scope, timing and direction of audit) to guide development Factor WP ref Comments 415 1. Reporting Requirements a. Applicable financial reporting framework b. Industry-specific or specialized requirements 2. Timing a. Entity's reporting deadline b. Team planning discussions c. Planned fieldwork start/end d. File reviews e. Meeting with management and TCWG 3. Key areas to address in the audit a. Material financial statement areas and disclosures b. Major operational or control changes during the period c. Impact of changes in accounting standards d. Matters raised in past audits e. Significant risks and going concern uncertainties f. Use of audit experts g. Use of service organization reports 4. Identify audit team members assigned and their roles (assign appropriately experienced team members to areas with higher RMM). 5. Budget 6. Audit strategy (including audit planning letter to management and TCWG) 7. Subsequent Changes to Strategy (outline significant changes as a result of performing further procedures or obtaining new evidence) 590 WP 590 WP 431 ASPE No special reporting requirements. audit plan. Final financial statements required: 4/10/20 See Figure 10-4 for documentation of initial audit planning meeting Audit timetable completed (see Figure 10-3) Held preliminary meeting and presented audit plan in June. Partner will meet with the Board to present audit results in October a. See Figure 6-8 for documentation of materiality. Overall materiality is $441 000 and Performance Materiality is $331 000. Significant risks identified are revenue cutoff, valuation of accounts receivable, completeness/occurrence and valuation of inventory. See Figure 10-5 for discussion of fraud and signif- icant risks. Apart from management override and fraud risk in revenue recognition, customer refunds has been assessed as a moderate fraud risk. b. During the current year, a major change occurred. The chief accountant left the company and was replaced by Erma Swanson, who is a qualified CPA with industry experience. There has also been some turnover of accounting personnel. The overall assess- ment by management is that accounting personnel are reasonably competent and highly trustworthy. de pes c. No changes in accounting standards d. No significant matters from past audits, although due to past cut-off errors in revenue, inventory and cost of goods sold, have adjusted performance materiality for those accounts. W e. No past history of management override. See Figure 10-5 for discussion of fraud risk. f. Need to include an information systems specialist to assist with documentation and evaluation of general and application controls and to design tests of controls for automated processes. g. No service organizations used See Figure 10-3 for make-up of audit team See detailed budget and time allocation for each team member on WP 431 Discussed overall audit strategy with Hillsburg manage- ment in February. We are planning to rely upon controls for: sales and receivables and acquisition and payment. Substan- tive procedures are planned for other areas. Areas where substantive procedures are insufficient and tests of internal controls required: • Order entry processing • Electronic data interchange transactions • Automated payments Initials and date FM 2/28/20 FM 2/28/20 FM 2/28/20 FM 2/28/20 FM 2/28/20 FM 2/28/20