
Final Exam Notes - Chapter 10-12.docx


ACTG 4620
David Chan

Chapter 10: Control and Audit Implications of Outsourcing

Audit Risks of Outsourcing
• Inherent risk
  o Employees have to get used to new processes
  o Change → uncertainty and learning curve
  o Unreliable processing
• Control risk → control activities are part of business activities
  o Even more risk if service provider in turn outsources
• Detection risk
  o Auditors have to understand new processes
  o Audit trail is now in the service organization
• Foreign legislation → confidentiality of information?

Control Implications
• Considerations
  o Risk vs. benefit
  o Business case
  o Vendor selection
  o Contingency plan if service organization fails
  o Contract should not prevent effective audits
  o Process to monitor contract compliance
  o Train employees
  o Internal control expectations and requirements
  o Approval from BoD

Audit Implications
• Look for compensating controls
• Directly test controls of service organization
• Rely on independent control assurance report
  o CAS 402
    ▪ Understand services provided by service organization
    ▪ Whether service organization has reported non-compliance with laws and regulations and/or uncorrected misstatements, effect on audit risk
    ▪ User auditor’s opinion not diminished by service auditor
    ▪ Allows user auditor to rely on CSAE 3416/SSAE 16 report (or similar)
  o CSAE 3416/SSAE 16
    ▪ Assurance based on a set of control objectives and supporting procedures, system description + control description
    ▪ Assess reasonableness of system description and control objectives first, if deficient withdraw from engagement
    ▪ Type 1 → internal control design and point-in-time assurance
      • Example: disaster recovery plan
      • Marginal reliance on controls, still have to do substantive testing
    ▪ Type 2 → internal control operational effectiveness and period of 6+ months
      • Control is tested throughout the period of 6+ months
      • Disclose audit tests to map methodology for f/s audit
    ▪ Under SSAE 16, audit opinion also covers comprehensiveness of control objectives
    ▪ High level of assurance for both reports
    ▪ Material fraud and subsequent events should be disclosed to management and other external parties
    ▪ Materiality is NOT applicable
    ▪ Should be a requirement in the contract, as well as the scope and frequency of such reports
  o User auditor can refer to service organization control assurance report only if the f/s qualified opinion results directly from qualified control assurance report
• Substantive audit (as much control assurance as possible, but still substantive test)

Reporting Deficiencies in Control Procedures
• Identify compensating control
• Stop the review until next year
• Eliminate control objective
  o Impractical for SSAE 16 audit b/c auditor has to attest to the adequacy of internal control objectives
• Correct deficiency prior to review completion
  o Manual, procedural controls can be retroactively fixed

Management Checklist
1. Risk analysis
2. Cost benefit analysis
3. Approval from BoD
4. Review outsourcing contract with lawyers
5. Outsourcing contract includes at least one of the following:
   a. Right of audit
   b. Annual independent control assurance report
   c. Semi-annual written control assurance checklist
6. Review financial stability of service organization
7. Reference checks
8. Signing authority levels before awarding contract
9. Executive ownership of each contract
10. Annual compliance/satisfaction review

Outsourcing External Audit Checklist
1. Assess f/s materiality of outsourced business process
2. Ability to meet regulatory requirements (privacy/public company reporting requirements)
3. Compensating controls
4. Availability of audit right and control assurance report
5. Intellectual property and valuation
6. CAS 402 or equivalent
7. Computer audit specialist on outsourced IT
8. Assess comprehensiveness of internal control procedures
9. Assess qualification of auditors preparing independent control assurance report
10. Assess implication of qualified independent control assurance opinion on f/s

Outsourcing Internal Audit Checklist
1. Assess inherent and control risk
2. If inherent or control risk is material, is there right of audit?
3. Management approval to test internal controls
4. Review control assurance report to assess impact on outsourcing risk & ensure management knows
5. Follow up with management on qualified opinion
6. Make sure invoices consistent with contract
7. Review internal control checklists and assess impact on inherent and control risk
8. Assist s/h auditors to assess outsourcing risks and obtain necessary control assurance
9. Assist s/h auditors to perform substantive testing

Chapter 11: Systrust and Payment Card Industry Control Assurance

Systrust Audit
• System assurance service developed by CICA and AICPA
• New systems in an organization or systems shared by a number of partner organizations
• Point-in-time or period of not less than 6 consecutive months
• High control assurance

Systrust Principles
• Security → system is protected against unauthorized access (physical & logical)
• Availability → accessibility to the defined system, products or services as advertised or committed by contract, service-level or other agreements
• Processing integrity → completeness, accuracy, timeliness, authorization of system processing including processing of electronic commerce transactions
• Confidentiality → no unauthorized viewing
• Privacy → confidentiality of personal information

Criteria by principle
Security, Availability, Processing integrity, Confidentiality:
• Policies: The entity defines and documents its policies for the relevant principle
• Communication: The entity communicates its policies to responsible parties and authorized users
• Procedures: The entity has put in place operation procedures to achieve its objectives in accordance with policies
• Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security policies
Privacy:
• Protect the personal information about customers, employees and other individuals; generally accepted privacy principles

Reasons for Systrust Audit
• Conflict of interest between system operator and system user/owner
• Complex system
• Remoteness of system
• Consequences of system unreliability

Process of Systrust Engagement – Service Auditor
1. System description → withdraw
2. N/A criteria
   a. Mandatory principle → withdraw
   b. Optional principle → scope out
3. Internal control procedures (correct)
   a. Mandatory principle → withdraw or qualify
   b. Optional principle → scope out
4. Control deficiency
   a. Cannot correct retroactively → qualify
   b. No compensating control → qualify

Difference between CSAE 3416/SSAE 16 and Systrust
CSAE 3416/SSAE 16:
• Addresses F/S assertions
• Uses control objectives set by management instead of principles set by CICA/AICPA (more flexible)
• Audience: S/H auditors
• Restricted distribution
Systrust:
• Addresses system reliability
• Rigid set of control criteria, each of which must be met to get an unqualified opinion
• Audience: management
• Can be displayed publicly
BOTH:
• Provide high level of assurance on a system hosted by one organization that is used by another organization (outsourcing)

Management (Service Organization) Checklist
1. Document s