ACC 640 Keystone Case Study Engagement Overview Keystone Inc., a listed company on a U.S. stock exchange
Question:
ACC 640 Keystone Case Study

Engagement Overview

Keystone Inc., a listed company on a U.S. stock exchange (publicly traded) in the United States, is looking to expand. XBroker was seen as a potential target. In 2015, Ron Smith started XBroker in Columbia, Maryland, for trading equities, options, and derivatives on the financial markets. He borrowed from the bank to start a company, using his house as security. Over the years, he worked very hard to establish a profitable niche in the highly competitive trading market. In February 2023, Ron received a call from Linda Alvarez, the senior vice president of Keystone. Linda expressed an interest in buying XBroker. Linda has asked XBroker for its audited financial statements. XBroker came to an arrangement with Keystone to sell the company to Keystone in 2024.

Your accounting firm, Penmen Associates, will be conducting the audit of Keystone. The partner responsible for the audit is Jo Wadley with team members Alice Cooper (audit manager) and Sally Brown (audit senior) to assist. Penmen Associates discussed its own independence to confirm that there are no independence problems associated with either its investments or relationship with Keystone or the investments or relationships associated with immediate family members or close relatives.

At the first planning meeting, Jo, Alice, and Sally focused on the risk assessment phase for the new audit. The audit team needs to gain an understanding of Keystone's structure and its business environment, determine materiality, and assess the risk of material misstatement. Once the initial high level risk assessment is complete, Penmen Associates needs to have an audit program it can use for the Keystone audit to address how risks are mitigated and to ensure quality evidence is gathered for the accounts that are most at risk of being misstated.

Keystone Inc. Company Background

Keystone Inc. is a financial services company based in Sacramento, California.
In 2024, Keystone purchased XBroker from Ron Smith. As part of the sale agreement, Ron was appointed to the Keystone board of directors. Keystone businesses also operate in various international markets. Keystone has wholly owned subsidiaries in Canada and Japan and has built a reputation for reliable trading technology. Keystone receives about 25% of its total revenue from Canada, 10% of its total revenue from Japan, with the remainder coming from the United States. Keystone launched a new data product line that included selling options and equities data to other financial markets and broker dealers. The Keystone corporate office has 358 full-time employees but only five in the accounting department. The company employs two full-time managers and some part-time staff.

Key positions in the Keystone accounting and IT area are as follows.
CFO: Henry Carpenter
Financial controller: Bob Carpenter
IT manager: Kyle Johnson

The company does have an internal audit department. Keystone set a goal to increase revenue by 3% each year. One of the critical success factors for the company to achieve this 3% increase is to grow its share of the U.S. equities trading business. However, with the new data products business there is an increase in costs, as well as the costs related to marketing and product branding. As a result, the management team is projecting a decline in earnings for the year. The company recently took out an additional loan of $7 million with Windsor Bank to help fund expansion efforts and to purchase additional real estate and hire personnel. This loan is repayable over five years. The company's other debt relates to loans issued more than five years ago from various lending institutions. The most recent financial statements for Keystone are provided in separate files.

CPA Firm Penmen Associates

Penmen Associates is a U.S.-based accounting firm with offices located in most major cities.
Penmen Associates will be conducting the January 31 audit for Keystone, Inc., a publicly traded company. The firm has begun the planning phase of the external audit for Keystone and has assigned you the task of preparing for the audit. As part of the audit's detailed risk assessment phase, you will evaluate Keystone's internal control structure, financial accounts, business environment, materiality, and any inherent risks that may impact the company. You will review external and other factors and interview data that could impact the audit. This understanding will help you develop an audit program and design its nature.

Transcript of Meeting With Keystone CFO Henry Carpenter

Present: Keystone CFO Henry Carpenter; Penmen Associates Audit Senior Sally Brown

Sally: As part of our due diligence in deciding to take on a new client, I need to ask you some questions about your company's key risks, major business operations, financial strength, and internal controls over financial reporting. Let's start with some risks related to your business and industry.

Henry: We are in the financial services industry, which is highly competitive. We face intense price competition in all areas of our business. In particular, the trading industry is characterized by price competition. We have in the past lowered prices, and, in the United States, increased rebates for trade executions to attempt to gain or maintain market share. These strategies have not always been successful and have at times hurt operating performance. Additionally, we have also been, and may once again be, required to adjust pricing to respond to actions by competitors and new entrants, or due to new SEC (Securities and Exchange Commission) regulations, which could adversely impact operating results.

Sally: How about your risk for cyberattacks?

Henry: Our role in the global marketplace may place us at greater risk for a cyberattack.
Our systems and operations are vulnerable to damage or interruption from security breaches. Due to COVID-19, most of our workforce has worked, and may continue to work, from home, creating a broader and more distributed network footprint and increased reliance on the home networks of employees. While we continue to employ resources to monitor our systems and protect our infrastructure, these measures may prove insufficient depending upon the attack or threat posed. Any system issue, whether because of an intentional breach, collateral damage from a new virus or a non-malicious act, could damage our reputation and cause us to lose customers. There can be no assurance we will be able to identify and mitigate every incident involving cybersecurity attacks, breaches, or incidents.

Sally: How about your ability to attract and retain key personnel?

Henry: Our future success depends, in large part, upon our ability to attract and retain highly qualified and skilled professional personnel that can learn and embrace new technologies. In the current tight labor market, we have intensified our efforts to recruit and retain talent. There is no guarantee that we will have the continued service of key employees who we rely upon to execute our business strategy and identify and pursue strategic opportunities and initiatives.

Sally: I see you outsource services and rely on third parties to perform certain functions. How could this affect your business if the parties fail to perform as expected or experience service interruptions?

Henry: We rely on third parties for regulatory, data center, cloud, and data storage. Interruptions or delays in services from our third-party data center hosting facilities or cloud computing platform providers could impair the delivery of our services and harm our business. To the extent that any of our vendors or other third-party service providers experience difficulties or a significant disruption, breach, or outage, that may impact us.
Also, changes to their business relationship with us or if they are unable to fulfil their obligations, our business or reputation may be adversely affected.

Sally: I've read that your businesses operate in various international markets, including certain emerging markets that are subject to greater political, economic, and social uncertainties than developed countries.

Henry: Our businesses operate in various international markets, including Canada and Japan, and our non-U.S. operations are subject to the risk inherent in the international environment. Political, economic, or social events or developments in one or more of our non-U.S. locations could adversely affect our operations and financial results.

Sally: Let us turn to your internal operations. What are your risk management procedures?

Henry: We utilize widely accepted methods to identify, assess, monitor, and manage our risks, including oversight of risk management by our Global Risk Management Committee, which is comprised of senior executives.

Sally: I have some questions about your internal control environment. I see your current auditor gave you an unqualified opinion on internal controls over financial reporting. However, a critical item on revenue recognition was reported. Can you elaborate how you oversee revenue recognition transactions?

Henry: We have strong controls in place over the allocation of contract transaction price to performance obligations, including management's review of the estimated margin. We also have several controls that ensure the accuracy of the revenue recognized in the current period by inspecting reports relating to the hours recorded on a project. This includes reviewing all contracts and contract modifications.

Sally: One of the things we look at in taking on a new client is the organization's culture, especially the tone at the top. Can you point out some things your company does in this area?
Henry: We require that all employees read and attest to the company's code of ethics and the company's commitment to ethics policy. We have a robust whistleblower program where employees have several options to report any aberrant behavior and remain anonymous. Both ethics certification and the whistleblower hotline process are SOX (Sarbanes-Oxley Act) controls assessed every year. Our company also has an ongoing commitment to diversity, equity, and inclusion. We have continued our series, Amplifying All Voices, which we initiated in 2020. This year, the program is a multimedia retrospective featuring works of art and photography documenting diverse cultures and life.

Sally: How strong is the company's financial position and its ability to secure credit?

Henry: Our latest investor call highlighted: Third quarter 2022 net revenues increased 6% year over year. Our trading segment's revenues increased 8%, including 10% organic growth, partially offset by a negative 2% FX impact. Annualized recurring revenue increased 8% compared to the third quarter of last year. Last quarter's GAAP (Generally Accepted Accounting Principles) diluted earnings per share increased 5% year over year. Last quarter's non-GAAP diluted earnings per share increased 15% year over year. Also of note, our credit rating according to Moody's is Bbaa2 for senior unsecured debt.

Sally: We have already met with your previous auditors. They stated no issues that we should be aware of. Thanks again for your time.

Henry: No problem, feel free to reach out with any follow-up questions or document requests.

ACC 640 AS 2110 Standard

Identifying and Assessing Risks of Material Misstatement

This standard establishes requirements regarding the process of identifying and assessing risks of material misstatement of financial statements.
Risks of material misstatement can arise from a variety of sources, including external factors, such as conditions in the company's industry and environment, and company-specific factors, such as the nature of the company, its activities, and internal control over financial reporting. For example, external or company-specific factors can affect the judgments involved in determining accounting estimates or create pressures to manipulate the financial statements to achieve certain financial targets. Also, risks of material misstatement may relate to personnel who lack the necessary financial reporting competencies, information systems that fail to accurately capture business transactions, or financial reporting processes that are not adequately aligned with the requirements in the applicable financial reporting framework. Thus, the audit procedures that are necessary to identify and appropriately assess the risks of material misstatement include consideration of both external factors and company-specific factors. This standard discusses the following risk assessment procedures: .06 In an integrated audit, the risks of material misstatement of the financial statements are the same for both the audit of internal control over financial reporting and the audit of financial statements. The auditor's risk assessment procedures should apply to both the audit of internal control over financial reporting and the audit of financial statements. Obtaining an Understanding of the Company and Its Environment .07 The auditor should obtain an understanding of the company and its environment ("understanding of the company") to understand the events, conditions, and company activities that might reasonably be expected to have a significant effect on the risks of material misstatement. Obtaining an understanding of the company includes understanding: a. Relevant industry, regulatory, and other external factors. b. The nature of the company. c. 
The company's selection and application of accounting principles, including related disclosures.
d. The company's objectives and strategies and those related business risks that might reasonably be expected to result in risks of material misstatement; and
e. The company's measurement and analysis of its financial performance.

Industry, Regulatory, and Other External Factors

.09 Obtaining an understanding of the relevant industry, regulatory, and other external factors encompasses industry factors, including the competitive environment and technological developments; the regulatory environment, including the applicable financial reporting framework and the legal and political environment; and external factors, including general economic conditions.

Nature of the Company

.10 Obtaining an understanding of the nature of the company includes understanding:
The company's organizational structure and management personnel.
The sources of funding for the company's operations and investment activities, including the company's capital structure, noncapital funding (e.g., subordinated debt or dependencies on supplier financing), and other debt instruments.
The company's significant investments, including equity method investments, joint ventures, and variable interest entities.
The company's operating characteristics, including its size and complexity. Note: The size and complexity of a company might affect the risks of misstatement and how the company addresses those risks.
The sources of the company's earnings, including the relative profitability of key products and services; and
Key supplier and customer relationships.

Company Objectives, Strategies, and Related Business Risks

Note: Some relevant business risks might be identified through other risk assessment procedures, such as obtaining an understanding of the nature of the company and understanding industry, regulatory, and other external factors.
.15 The following are examples of situations in which business risks might result in a material misstatement of the financial statements:
Industry developments (a potential related business risk might be, e.g., that the company does not have the personnel or expertise to deal with the changes in the industry.)
New products and services (a potential related business risk might be, e.g., that the new product or service will not be successful.)
Use of information technology ("IT") (a potential related business risk might be, e.g., that systems and processes are incompatible.)
New accounting requirements (a potential related business risk might be, e.g., incomplete or improper implementation of a new accounting requirement.)
Expansion of the business (a potential related business risk might be, e.g., that the demand for the company's products or services has not been accurately estimated.)
The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements (a potential related business risk might be, e.g., incomplete or improper implementation of the strategy.)

Obtaining an Understanding of Internal Control Over Financial Reporting

.18 The auditor should obtain a sufficient understanding of each component of internal control over financial reporting ("understanding of internal control") to (a) identify the types of potential misstatements, (b) assess the factors that affect the risks of material misstatement, and (c) design further audit procedures.
.19 The nature, timing, and extent of procedures that are necessary to obtain an understanding of internal control depend on the size and complexity of the company; the auditor's existing knowledge of the company's internal control over financial reporting; the nature of the company's controls, including the company's use of IT; the nature and extent of changes in systems and operations; and the nature of the company's documentation of its internal control over financial reporting. Procedures the auditor performs to obtain evidence about design effectiveness include inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs, as described in paragraphs .37-.38, that include these procedures ordinarily are sufficient to evaluate design effectiveness. Note: Determining whether a control has been implemented means determining whether the control exists and whether the company is using it. The procedures to determine whether a control has been implemented may be performed in connection with the evaluation of its design. Procedures performed to determine whether a control has been implemented include inquiry of appropriate personnel, in combination with observation of the application of controls or inspection of documentation. Control Environment .23 The auditor should obtain an understanding of the company's control environment, including the policies and actions of management, the board, and the audit committee concerning the company's control environment. .24 Obtaining an understanding of the control environment includes assessing: Whether management's philosophy and operating style promote effective internal control over financial reporting. Whether sound integrity and ethical values, particularly of top management, are developed and understood; and Whether the board or audit committee understands and exercises oversight responsibility over financial reporting and internal control. 
The Company's Risk Assessment Process

Obtaining an understanding of the company's risk assessment process includes obtaining an understanding of the risks of material misstatement identified and assessed by management and the actions taken to address those risks.

Information and Communication

.28 Information System Relevant to Financial Reporting. The auditor should obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including:
f. The classes of transactions in the company's operations that are significant to the financial statements.
g. The procedures, within both automated and manual systems, by which those transactions are initiated, authorized, processed, recorded, and reported.
h. The related accounting records, supporting information, and specific accounts in the financial statements that are used to initiate, authorize, process, and record transactions.
i. How the information system captures events and conditions, other than transactions, that are significant to financial statements.
j. Whether the related accounts involve accounting estimates and if so, the processes used to develop accounting estimates, including:
o The methods used, which may include models;
o The data and assumptions used, including the source from which they are derived; and
o The extent to which the company uses third parties (other than specialists), including the nature of the service provided and the extent to which the third parties use company data and assumptions; and
k. The period-end financial reporting process.

The auditor also should obtain an understanding of how IT affects the company's flow of transactions. The identification of risks and controls within IT is not a separate evaluation.
Instead, it is an integral part of the approach used to identify significant accounts and disclosures and their relevant assertions and, when applicable, to select the controls to test, as well as to assess risk and allocate audit effort. Control Activities The auditor should obtain an understanding of control activities that is sufficient to assess the factors that affect the risks of material misstatement and to design further audit procedures, as described in paragraph .18 of this standard. As the auditor obtains an understanding of the other components of internal control over financial reporting, he or she is also likely to obtain knowledge about some control activities. The auditor should use his or her knowledge about the presence or absence of control activities obtained from the understanding of the other components of internal control over financial reporting in determining the extent to which it is necessary to devote additional attention to obtaining an understanding of control activities to assess the factors that affect the risks of material misstatement and to design further audit procedures. Note: A broader understanding of control activities is needed for relevant assertions for which the auditor plans to rely on controls. Also, in the audit of internal control over financial reporting, the auditor's understanding of control activities encompasses a broader range of accounts and disclosures than what is normally obtained in a financial statement audit. Monitoring of Controls The auditor should obtain an understanding of the major types of activities that the company uses to monitor the effectiveness of its internal control over financial reporting and how the company initiates corrective actions related to its controls. An understanding of the company's monitoring activities includes understanding the source of the information used in the monitoring activities. 
Performing Walkthroughs As discussed in paragraph .20, the auditor may perform walkthroughs as part of obtaining an understanding of internal control over financial reporting. For example, the auditor may perform walkthroughs in connection with understanding the flow of transactions in the information system relevant to financial reporting, evaluating the design of controls relevant to the audit, and determining whether those controls have been implemented. In performing a walkthrough, the auditor follows a transaction from origination through the company's processes, including information systems, until it is reflected in the company's financial records, using the same documents and IT that company personnel use. Walkthrough procedures usually include a combination of inquiry, observation, an inspection of relevant documentation, and re-performance of controls. Relationship of Understanding of Internal Control to Tests of Controls .39 The objective of obtaining an understanding of internal control, as discussed in paragraph .18 of this standard, is different from testing controls for the purpose of assessing control risk or for the purpose of expressing an opinion on internal control over financial reporting in the audit of internal control over financial reporting. The auditor may obtain an understanding of internal control concurrently with performing tests of controls if he or she obtains sufficient appropriate evidence to achieve the objectives of both procedures. Also, the auditor should consider the evidence obtained from understanding internal control when assessing control risk and, in the audit of internal control over financial reporting, forming an opinion about the effectiveness of internal control over financial reporting. 
ACC 640 Project One Guidelines and Rubric Competencies In this project, you will demonstrate your mastery of the following competencies: Apply Generally Accepted Auditing Standards to the audit planning process Apply audit strategies considering risk assessments of an organization Overview This project is divided into two parts that will focus on the audit planning process. Completion of the audit will come in Project Two. Scenario The CPA firm of Penmen Associates is planning to take over the audit of financial statements of Keystone, Inc. As a senior auditor for the firm, you have been tasked with evaluating Keystone, using generally accepted auditing standards (GAAS), best practices, and risk assessment techniques to identify the objectives and scope of the audit for this client. After completion, Penmen Associates has asked you to prepare for the audit. You will gain an understanding of Keystone's internal control structure, financial accounts, business environment, materiality, and any inherent risks that may impact the company. You will also review external and other factors, as well as interview data that could impact the audit. Directions For this project, you will create a working paper. A working paper is an informational report prepared by accountants and auditors as supporting documents for formal reports and financial statements. Part One: Planning Review the Keystone case study and the client suitability interview to validate Keystone as a viable client; both documents are linked in the Supporting Materials section. Apply GAAS to the audit planning process. Determine potential internal risk factors for conducting the external audit. Include the following: Risk related to structure of the company based on the client interview Risk discovered during due diligence process Client risk profile Determine potential external risk factors for conducting the external audit. 
Include the following:
Industry and market research that informs risk factors
Regulatory standards
Client risk profile
Describe the controls that are in place to minimize risk to the client. Consider the following: How do these controls impact the audit plan?
Utilize auditing standards to determine potential issues for further analysis. Consider the following: How is GAAS used to identify issues?
Determine the objectives and scope of the external audit. Include the following:
Processes that need to be audited
Associated deliverables needed for the audit
Data type to be investigated

Part Two: Field Work

Using the Keystone financial data, client suitability interview, and AS 2110 standards provided in the Supporting Materials section, perform an analysis of the company data.
Describe the next steps in the audit based on the risk assessment. Consider the following: How do the internal and external risk factors inform the audit to be performed?
Determine the audit tests needed through financial data analysis. What tests are needed? What issues were found warranting the need for selected tests?
Analyze audit evidence for errors from financial data. Include the following:
Found errors
Impact of errors on the external audit
Explanation of possible errors from financial data
Describe how these audit strategies support the client profile and risk areas.
Determine evidence needed for substantive testing and risk assessment based on audit findings. Consider the following: What other sample reports or materials need to be requested to fulfill this audit?

What to Submit

To complete this project, you must submit the following:
Working Paper
Use the Project One Template to submit an Excel spreadsheet that contains all the sections above. This assignment should include references cited according to APA style. Consult the Shapiro Library APA Style Guide for more information on citations.
Supporting Materials

The following resources support your work on the project:
Resource: Keystone Case Study (Part One)
Resource: Client Suitability Interview (Parts One and Two)
Resource: Keystone Financial Data (Part Two)
Resource: AS 2110 Standard (Part Two)

Refer to the following statements for this assignment:

Internal Risk Factors

Possible Risks Proposed Internal Control / Description Type of Control Frequency? How to test the control? What occurs if the control is working properly and what audit standard applies? What happens if the control is not working? What audit standard(s) apply? How does the control improve operating effectiveness? "Preventive/ Detective" "Manual/ Automated" Possible Internal Risk Factors Identify the internal risks and related financial statement risks (Existence or Occurrence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure, Accuracy, Classification, Cutoff) that are applicable. "Identify the control objective and description of procedures in place that is relevant to mitigate the identified risk of material misstatement and achieve the objective. Include a detailed description of the control procedures noting the following: 1) Who performs the control procedures? 2) How is/are the procedure(s) performed? 3) How is the performance of the control activity documented (i.e., what forms are used)? 4) How is performance of the control activity evidenced (i.e., signature and date on form)?" Note whether control is preventive (i.e., acts before error, omission, or misstatement may occur) or detective (acts after error/misstatement has occurred).
Identify whether the control activity is performed manually (e.g., manual authorization or review of a reconciliation), is automated (i.e., system edit checks, system access restrictions and authorizations, automated review and approvals, etc.), or performed manually using system generated information (i.e., physically verifying existence of inventory using system generated inventory report). Indicate the frequency in which the control takes place (e.g., annual, quarterly, monthly, daily, every time a transaction is processed). Indicate whether the control is designed effectively (i.e., is the control, individually or in combination with other controls, capable of effectively mitigating the key risk(s) of material misstatement and achieving the control objective?). What outcomes occur if the control works effectively? "What outcomes occur if the control is not working properly or is deficient? Note: Design deficiency occurs when the control is not effectively designed to meet its objective (e.g., the control, individually or in combination with other controls, is not capable of effectively preventing or detecting and correcting material misstatements). " What applicable Statement of Standards for Attestation Engagements apply? "Indicate how the control improves operating effectiveness. " 1. Employees 2. Technology used 3. Operations 4. Physical (computer damage) 5. Physical theft External Risk Factors Possible Risks of External Risks Proposed Control to Mitigate External Risk / Description Type of Control Frequency? How to test the control? What occurs if the control is working properly and what audit standard applies? What happens if the control is not working? What audit standard(s) apply? How does the control improve operating effectiveness? 
"Preventive/ Detective" "Manual/ Automated" Possible External Risk Factors Identify the external risks and related financial statement risks (Existence or Occurrence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure, Accuracy, Classification, Cutoff) that are applicable. "Identify the control objective and description of procedures in place that is relevant to mitigate the identified risk of material misstatement and achieve the objective. Include a detailed description of the control procedures noting the following: 1) Who performs the control procedures? 2) How is/are the procedure(s) performed? 3) How is the performance of the control activity documented (i.e., what forms are used)? 4) How is performance of the control activity evidenced (i.e., signature and date on form)?" Note whether control is preventive (i.e., acts before error, omission, or misstatement may occur) or detective (acts after error/misstatement has occurred). Identify whether the control activity is performed manually (e.g., manual authorization or review of a reconciliation), is automated (i.e., system edit checks, system access restrictions and authorizations, automated review and approvals, etc.), or performed manually using system generated information (i.e., physically verifying existence of inventory using system generated inventory report). Indicate the frequency in which the control takes place (e.g., annual, quarterly, monthly, daily, every time a transaction is processed). Indicate whether the control is designed effectively (i.e., is the control, individually or in combination with other controls, capable of effectively mitigating the key risk(s) of material misstatement and achieving the control objective?). What outcomes occur if the control works effectively? "What outcomes occurs if the control is not working properly or is deficient? 
Note: Design deficiency occurs when the control is not effectively designed to meet its objective (e.g., the control, individually or in combination with other controls, is not capable of effectively preventing or detecting and correcting material misstatements). " What applicable Statement of Standards for Attestation Engagements apply? "Indicate how the control improves operating effectiveness. " 1. Pricing pressure 2. Natural (e.g., earthquakes) 3. Political (law and legislation) 4. Competitor 5. Emergent technology 6. Changes in environment Controls Possible Risks Proposed Internal Control / Description Type of Control Frequency? How to test the control? What occurs if the control is working properly and what audit standard applies? What happens if the control is not working? What audit standard(s) apply? How does the control improve operating effectiveness? "Preventive/ Detective" "Manual/ Automated" Controls Identify existing controls and the related financial statement risks (Existence or Occurrence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure, Accuracy, Classification, Cutoff) that are applicable. "Identify the control objective and description of procedures in place that is relevant to mitigate the identified risk of material misstatement and achieve the objective. Include a detailed description of the control procedures noting the following: 1) Who performs the control procedures? 2) How is/are the procedure(s) performed? 3) How is the performance of the control activity documented (i.e., what forms are used)? 4) How is performance of the control activity evidenced (i.e., signature and date on form)?" Note whether control is preventive (i.e., acts before error, omission, or misstatement may occur) or detective (acts after error/misstatement has occurred). 
Identify whether the control activity is performed manually (e.g., manual authorization or review of a reconciliation), is automated (i.e., system edit checks, system access restrictions and authorizations, automated review and approvals, etc.), or performed manually using system generated information (i.e., physically verifying existence of inventory using system generated inventory report). Indicate the frequency in which the control takes place (e.g., annual, quarterly, monthly, daily, every time a transaction is processed). Indicate whether the control is designed effectively (i.e., is the control, individually or in combination with other controls, capable of effectively mitigating the key risk(s) of material misstatement and achieving the control objective?). What outcomes occur if the control works effectively? "What outcomes occur if the control is not working properly or is deficient? Note: Design deficiency occurs when the control is not effectively designed to meet its objective (e.g., the control, individually or in combination with other controls, is not capable of effectively preventing or detecting and correcting material misstatements). " What applicable Statement of Standards for Attestation Engagements apply? "Indicate how the control improves operating effectiveness. " 1. Company policies 2. Work procedures 3. Guidelines 4. Datasheets 5. Manuals 6. Product documentation Auditing Standards Possible Risks Proposed Internal control / description Type of Control Frequency? How to test the control? What occurs if the control is working properly and what audit standard applies? What happens if the control is not working? What audit standard(s) apply? How does the control improve operating effectiveness? 
"Preventive/ Detective" "Manual/ Automated" Auditing Standards Identify the auditing standards and related financial statement risks (Existence or Occurrence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure, Accuracy, Classification, Cutoff) that are applicable. "Identify the control objective and description of procedures in place that is relevant to mitigate the identified risk of material misstatement and achieve the objective. Include a detailed description of the control procedures noting the following: 1) Who performs the control procedures? 2) How is/are the procedure(s) performed? 3) How is the performance of the control activity documented (i.e., what forms are used)? 4) How is performance of the control activity evidenced (i.e., signature and date on form)?" Note whether control is preventive (i.e., acts before error, omission or misstatement may occur) or detective (acts after error/misstatement has occurred). Identify whether the control activity is performed manually (e.g., manual authorization or review of a reconciliation), is automated (i.e., system edit checks, system access restrictions and authorizations, automated review and approvals, etc.), or performed manually using system generated information (i.e., physically verifying existence of inventory using system generated inventory report). Indicate the frequency in which the control takes place (e.g., annual, quarterly, monthly, daily, every time a transaction is processed). Indicate whether the control is designed effectively (i.e., is the control, individually or in combination with other controls, capable of effectively mitigating the key risk(s) of material misstatement and achieving the control objective?). What outcomes occur if the control works effectively? "What outcomes occur if the control is not working properly or is deficient? 
Note: Design deficiency occurs when the control is not effectively designed to meet its objective (e.g., the control, individually or in combination with other controls, is not capable of effectively preventing or detecting and correcting material misstatements). " What applicable Statement of Standards for Attestation Engagements apply? "Indicate how the control improves operating effectiveness. " 1. Identified GAAS 2. Basic assumptions 3. Consistent premises 4. Logical principles 5. Requirements Objectives and Scope Possible Risks Proposed Internal Control / Description Type of Control Frequency? How to test the control? What occurs if the control is working properly and what audit standard applies? What happens if the control is not working? What audit standard(s) apply? How does the control improve operating effectiveness? "Preventive/ Detective" "Manual/ Automated" Objectives and Scope Identify the objectives and scope and related financial statement risks (Existence or Occurrence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure, Accuracy, Classification, Cutoff) that are applicable. "Identify the control objective and description of procedures in place that is relevant to mitigate the identified risk of material misstatement and achieve the objective. Include a detailed description of the control procedures noting the following: 1) Who performs the control procedures? 2) How is/are the procedure(s) performed? 3) How is the performance of the control activity documented (i.e., what forms are used)? 4) How is performance of the control activity evidenced (i.e., signature and date on form)?" Note whether control is preventive (i.e., acts before error, omission, or misstatement may occur) or detective (acts after error/misstatement has occurred). 
Identify whether the control activity is performed manually (e.g., manual authorization or review of a reconciliation), is automated (i.e., system edit checks, system access restrictions and authorizations, automated review and approvals, etc.), or performed manually using system generated information (i.e., physically verifying existence of inventory using system generated inventory report). Indicate the frequency in which the control takes place (e.g., annual, quarterly, monthly, daily, every time a transaction is processed). Indicate whether the control is designed effectively (i.e., is the control, individually or in combination with other controls, capable of effectively mitigating the key risk(s) of material misstatement and achieving the control objective?). What outcomes occur if the control works effectively? "What outcomes occur if the control is not working properly or is deficient? Note: Design deficiency occurs when the control is not effectively designed to meet its objective (e.g., the control, individually or in combination with other controls, is not capable of effectively preventing or detecting and correcting material misstatements). " What applicable Statement of Standards for Attestation Engagements apply? "Indicate how the control improves operating effectiveness. " 1. Purpose or aim of audit 2. Extent 3. Range of activities 4. Period of records Next Steps Possible Risks Proposed Internal Control / Description Type of Control Frequency? How to test the control? What occurs if the control is working properly and what audit standard applies? What happens if the control is not working? What audit standard(s) apply? How does the control improve operating effectiveness? "Preventive/ Detective" "Manual/ Automated" Next Steps Identify the next steps and related financial statement risks (Existence or Occurrence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure, Accuracy, Classification, Cutoff) that are applicable. 
"Identify the control objective and description of procedures in place that is relevant to mitigate the identified risk of material misstatement and achieve the objective. Include a detailed description of the control procedures noting the following: 1) Who performs the control procedures? 2) How is/are the procedure(s) performed? 3) How is the performance of the control activity documented (i.e., what forms are used)? 4) How is performance of the control activity evidenced (i.e., signature and date on form)?" Note whether control is preventive (i.e., acts before error, omission, or misstatement may occur) or detective (acts after error/misstatement has occurred). Identify whether the control activity is performed manually (e.g., manual authorization or review of a reconciliation), is automated (i.e., system edit checks, system access restrictions and authorizations, automated review and approvals, etc.), or performed manually using system generated information (i.e., physically verifying existence of inventory using system generated inventory report). Indicate the frequency in which the control takes place (e.g., annual, quarterly, monthly, daily, every time a transaction is processed). Indicate whether the control is designed effectively (i.e., is the control, individually or in combination with other controls, capable of effectively mitigating the key risk(s) of material misstatement and achieving the control objective?). What outcomes occur if the control works effectively? "What outcomes occur if the control is not working properly or is deficient? Note: Design deficiency occurs when the control is not effectively designed to meet its objective (e.g., the control, individually or in combination with other controls, is not capable of effectively preventing or detecting and correcting material misstatements). " What applicable Statement of Standards for Attestation Engagements apply? "Indicate how the control improves operating effectiveness. " 1. 
Reviewing the draft audit report 2. Asking questions about auditor's findings 3. Evaluating any recommendations before they are presented to the board in the final report Audit Tests Needed Possible Risks Proposed Internal Control / Description Type of Control Frequency? How to test the control? What occurs if the control is working properly and what audit standard applies? What happens if the control is not working? What audit standard(s) apply? How does the control improve operating effectiveness? "Preventive/ Detective" "Manual/ Automated" Audit Tests Needed Identify the audit tests needed and related financial statement risks (Existence or Occurrence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure, Accuracy, Classification, Cutoff) that are applicable. "Identify the control objective and description of procedures in place that is relevant to mitigate the identified risk of material misstatement and achieve the objective. Include a detailed description of the control procedures noting the following: 1) Who performs the control procedures? 2) How is/are the procedure(s) performed? 3) How is the performance of the control activity documented (i.e., what forms are used)? 4) How is performance of the control activity evidenced (i.e., signature and date on form)?" Note whether control is preventive (i.e., acts before error, omission, or misstatement may occur) or detective (acts after error/misstatement has occurred). Identify whether the control activity is performed manually (e.g., manual authorization or review of a reconciliation), is automated (i.e., system edit checks, system access restrictions and authorizations, automated review and approvals, etc.), or performed manually using system generated information (i.e., physically verifying existence of inventory using system generated inventory report). 
Indicate the frequency in which the control takes place (e.g., annual, quarterly, monthly, daily, every time a transaction is processed). Indicate whether the control is designed effectively (i.e., is the control, individually or in combination with other controls, capable of effectively mitigating the key risk(s) of material misstatement and achieving the control objective?). What outcomes occur if the control works effectively? "What outcomes occur if the control is not working properly or is deficient? Note: Design deficiency occurs when the control is not effectively designed to meet its objective (e.g., the control, individually or in combination with other controls, is not capable of effectively preventing or detecting and correcting material misstatements). " What applicable Statement of Standards for Attestation Engagements apply? "Indicate how the control improves operating effectiveness. " 1. Inquiry 2. Observation 3. Examination 4. Re-performance 5. Computer-assisted audit techniques (CAAT) Errors Possible Risks Proposed Internal Control / Description Type of Control Frequency? How to test the control? What occurs if the control is working properly and what audit standard applies? What happens if the control is not working? What audit standard(s) apply? How does the control improve operating effectiveness? "Preventive/ Detective" "Manual/ Automated" Errors Identify any errors and the related financial statement risks (Existence or Occurrence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure, Accuracy, Classification, Cutoff) that are applicable. "Identify the control objective and description of procedures in place that is relevant to mitigate the identified risk of material misstatement and achieve the objective. Include a detailed description of the control procedures noting the following: 1) Who performs the control procedures? 2) How is/are the procedure(s) performed? 
3) How is the performance of the control activity documented (i.e., what forms are used)? 4) How is performance of the control activity evidenced (i.e., signature and date on form)?" Note whether control is preventive (i.e., acts before error, omission, or misstatement may occur) or detective (acts after error/misstatement has occurred). Identify whether the control activity is performed manually (e.g., manual authorization or review of a reconciliation), is automated (i.e., system edit checks, system access restrictions and authorizations, automated review and approvals, etc.), or performed manually using system generated information (i.e., physically verifying existence of inventory using system generated inventory report). Indicate the frequency in which the control takes place (e.g., annual, quarterly, monthly, daily, every time a transaction is processed). Indicate whether the control is designed effectively (i.e., is the control, individually or in combination with other controls, capable of effectively mitigating the key risk(s) of material misstatement and achieving the control objective?). What outcomes occur if the control works effectively? "What outcomes occur if the control is not working properly or is deficient? Note: Design deficiency occurs when the control is not effectively designed to meet its objective (e.g., the control, individually or in combination with other controls, is not capable of effectively preventing or detecting and correcting material misstatements). " What applicable Statement of Standards for Attestation Engagements apply? "Indicate how the control improves operating effectiveness. " 1. Error of principle 2. Errors of commission 3. Errors of omission 4. Errors of duplication 5. Compensating errors Audit Strategies Possible Risks Proposed Internal Control / Description Type of Control Frequency? How to test the control? What occurs if the control is working properly and what audit standard applies? 
What happens if the control is not working? What audit standard(s) apply? How does the control improve operating effectiveness? "Preventive/ Detective" "Manual/ Automated" Audit Strategies Identify the audit strategies and related financial statement risks (Existence or Occurrence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure, Accuracy, Classification, Cutoff) that are applicable. "Identify the control objective and description of procedures in place that is relevant to mitigate the identified risk of material misstatement and achieve the objective. Include a detailed description of the control procedures noting the following: 1) Who performs the control procedures? 2) How is/are the procedure(s) performed? 3) How is the performance of the control activity documented (i.e., what forms are used)? 4) How is performance of the control activity evidenced (i.e., signature and date on form)?" Note whether control is preventive (i.e., acts before error, omission, or misstatement may occur) or detective (acts after error/misstatement has occurred). Identify whether the control activity is performed manually (e.g., manual authorization or review of a reconciliation), is automated (i.e., system edit checks, system access restrictions and authorizations, automated review and approvals, etc.), or performed manually using system generated information (i.e., physically verifying existence of inventory using system generated inventory report). Indicate the frequency in which the control takes place (e.g., annual, quarterly, monthly, daily, every time a transaction is processed). Indicate whether the control is designed effectively (i.e., is the control, individually or in combination with other controls, capable of effectively mitigating the key risk(s) of material misstatement and achieving the control objective?). What outcomes occur if the control works effectively? "What outcomes occur if the control is not working properly or is deficient? 
Note: Design deficiency occurs when the control is not effectively designed to meet its objective (e.g., the control, individually or in combination with other controls, is not capable of effectively preventing or detecting and correcting material misstatements). " What applicable Statement of Standards for Attestation Engagements apply? "Indicate how the control improves operating effectiveness. " 1. Identified GAAS 2. Basic assumptions 3. Consistent premises 4. Logical principles 5. Requirements Evidence Needed Possible Risks Proposed Internal Control / Description Type of Control Frequency? How to test the control? What occurs if the control is working properly and what audit standard applies? What happens if the control is not working? What audit standard(s) apply? How does the control improve operating effectiveness? "Preventive/ Detective" "Manual/ Automated" Evidence Needed Identify the evidence needed and related financial statement risks (Existence or Occurrence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure, Accuracy, Classification, Cutoff) that are applicable. "Identify the control objective and description of procedures in place that are relevant to mitigate the identified risk of material misstatement and achieve the objective. Include a detailed description of the control procedures noting the following: 1) Who performs the control procedures? 2) How is/are the procedure(s) performed? 3) How is the performance of the control activity documented (i.e., what forms are used)? 4) How is performance of the control activity evidenced (i.e., signature and date on form)?" Note whether control is preventive (i.e., acts before error, omission, or misstatement may occur) or detective (acts after error/misstatement has occurred). 
Identify whether the control activity is performed manually (e.g., manual authorization or review of a reconciliation), is automated (i.e., system edit checks, system access restrictions and authorizations, automated review and approvals, etc.), or performed manually using system generated information (i.e., physically verifying existence of inventory using system generated inventory report). Indicate the frequency in which the control takes place (e.g., annual, quarterly, monthly, daily, every time a transaction is processed). Indicate whether the control is designed effectively (i.e., is the control, individually or in combination with other controls, capable of effectively mitigating the key risk(s) of material misstatement and achieving the control objective?). What outcomes occur if the control works effectively? "What outcomes occur if the control is not working properly or is deficient? Note: Design deficiency occurs when the control is not effectively designed to meet its objective (e.g., the control, individually or in combination with other controls, is not capable of effectively preventing or detecting and correcting material misstatements). " What applicable Statement of Standards for Attestation Engagements apply? "Indicate how the control improves operating effectiveness. " 1. Identified GAAS 2. Basic assumptions 3. Consistent premises 4. Logical principles 5. Requirements