Page 121 - DCOM509_ADVANCED_AUDITING
P. 121
Advanced Auditing
Notes
vendor to determine that a missing invoice was legitimate, three invoices were not signed,
and two invoices involved dollar errors. Ira has a due diligence requirement to specifically,
“identify, analyze, evaluate, and record sufficient information to achieve the engagement’s
objectives” (Reding 2007) as specified in Standard 2300. Even more specifically it is his
responsibility to, “identify a specific internal control objective and the prescribed control
activity aimed at achieving that objective, define what is meant by a control deviation,
define the population and sampling unit, determine the appropriate values of the
parameters affecting sample size, determine the appropriate sample size, randomly select
the sample, audit the sample items selected and count the number of deviations from the
prescribed control activity, determine the achieved upper deviation limit, and evaluate
the results” (Reding 2007). Also, if Ira did make a mistake he is required to disclose this to
the involved parties as specified in Standard 2421.
Most importantly, Ira skipped the first step of determining which specific control the
audit was testing. For instance he could have been testing to see that all invoices were filed
correctly and one deviation was that an invoice was missing. He could have been testing
to see that all invoices were signed and found three deviations in that respect. And, he
could have been testing to determine that all amounts were correct and found two
deviations. As a result his rate of failure was too high, and the new rate of failure
corresponding with the specific focus should be reported to management.
Otherwise, Ira Icandoit preformed a decent statistical control analysis except, that
simultaneously separating the sample into one quarter with a certain limitation and three
quarters with a different limitation does not determine the appropriate values of the
parameters affecting sample size.
Finally, he should ask if there are at least two supervisors that can sign invoices, and
disclose if the manager actually signed the invoices after he told Ira they were correct.
Lastly, a six percent failure to uphold controls doesn’t sound like it should be relied upon
by management. The upper management of that company was being sued by the employees
for negligence to fraud involving pension money. That example exemplifies why a six
percent failure rate in purchasing is a risk that is too serious to accept.
Source: http://nowwhatresearch.blogspot.in/2011/01/internal-auditing-case-study.html
Define the Deviation Conditions Step 3
If you are performing a direct test of controls, such as checking for supervisor approval before
selling goods free of tax, a deviation will be any noted lapse in the control. In this case if the
control is documented in some way, such as with initials of the supervisor on the invoice, a
deviation would be the lack of initials. If the control is not documented, you will have to rely on
direct observation of the control being performed, or on indirect evidence.
If you are testing controls indirectly, you would look at the error which the control is intended
to prevent and would base your deviation on what defines that error. In the case above, the
control in place is intended to prevent salesmen from not charging tax on sales that should be
taxed. A deviation would therefore be defined as an invoice that did not have tax and should
have.
If you are performing a substantive test, the item(s) you are picking up might not necessarily be
thought of as deviations. For instance, you may be trying to determine the average New Mexico
inventory value over a period for testing the CIT property factor. However, the same principle
applies. You need to define which items meet the criteria necessary to reach the objective of the
test. In this example, that might be inventory control log entries backed up by shipping and
receiving reports.
116 LOVELY PROFESSIONAL UNIVERSITY
