Assignment 3: Audit Risk and Sampling Due Week 6 and worth 100 points In this assignment, you will prepare a two to three (2-3) page report that addresses the requirements specified in the case. Fully

Assignment two

During an interview Josh and Sharon held with David Collier, CFO of Cloud 9, they learned a lot about the tone at the top at Cloud 9. Top-level management and the board of directors adopted a code of conduct that emphasizes the importance of management and other employees acting with integrity. Cloud 9's board members and senior managers attend training and awareness sessions on the code at least annually. In addition, there has been a rigorous process of embedding the code's main points throughout the company's policies and procedures, most of which have been rewritten in the previous two years. Josh intentionally conducts interviews with employees at all levels within Cloud 9. He finds that all employees have attended training on the code of conduct. Several accounting personnel add that while the company has financial goals to achieve, the emphasis from the top has been getting the financial numbers right. Accurate financial reporting is a top priority. A copy of the company's code of conduct and the policies and procedures are included in the audit working papers. Josh also writes a description of the company's efforts to communicate its approach to management integrity in the report. He assesses the control environment at Cloud 9 as likely to be effective.

Susan Larson, a senior manager, was having lunch with Linh Sun (an audit senior) and Peter Miller (a new audit staff). All three were working on an audit of a pharmaceutical client. Both Linh and Peter were focused on understanding the client's system of internal control for a new audit client. Susan commented, “I want you to get a good feel for the control environment and the tone at the top about financial reporting by talking to employees at all levels of the organization, particularly in accounting. Wells Fargo has been in the news recently because the tone at the top focused on hitting targets at any cost, and there were significant negative consequences for those who did not meet artificially high expectations. At one end of the spectrum, you have companies like Wells Fargo with a poor tone at the top. At the other end of the spectrum, I had a client that I approached with a misstatement that was significant, but probably had not met our materiality threshold. After the controller understood the underlying cause of the misstatement, and how their control system failed to detect the problem, the controller announced that the company would book the adjustment, even though it decreased unaudited earnings that had previously been announced. When I asked the controller about his reasoning, he stated, ‘We are more concerned about our credibility with investors than one earnings announcement.‛ These are the two ends of the spectrum, and our new audit client may be somewhere in between these two examples. I want you to determine where on this control environment spectrum this new client is.”

In their interview, Josh and Sharon ask David Collier about Cloud 9's risk assessment process. They want to know which risks management has identified so that they can consider whether those risks could cause a material misstatement in the accounts. They also want to know about the company's methods of responding to the identified risks. David Collier tells them that Cloud 9's management continually monitors its competitors' activities. It also considers the risk of interruption to supplies because of shipping problems and labor disputes at production plants or transport companies. Other examples of risks that could have a major impact on the accounts are the use of forward exchange contracts to control the risks caused by purchasing in foreign currencies. Cloud 9 management is also very aware of risks associated with the just-in-time inventory system, which has had some problems lately, and has planned some changes to deal with those problems. Management is monitoring the risks of using a soccer player as a spokesperson for the brand, plus the broader risks arising from sponsorship of the soccer team, because there has been a lot of adverse publicity about soccer players' behavior over the past year. Such adverse publicity could impact negatively on sales. Cloud 9's management ensures that the soccer team's management keeps the company's management informed of players' activities, where appropriate. Management has also assessed fraud risks, and it believes that between the company's code of conduct, tone at the top about its code of conduct, and strong system of internal controls, the incentives for fraud and the opportunity to commit fraud are minimal. Josh concludes from the interview and from Suzie's review of documents including company plans, board minutes, and significant contracts and agreements that Cloud 9 has a potentially effective system of risk assessment because it actively searches out and considers potential risks to the business, and it has developed action plans to deal with each risk depending on its likely occurrence.

Josh has significant experience in understanding information systems and, based on the interview with David Collier, which covered the information systems at a high level, Josh can conclude that the entity-level controls in this area are likely to be effective. Josh will gather further information in an interview with Cloud 9's financial controller, Carla Johnson. Based on this second interview and a review of the company's documents, he and Suzie will write a description of their understanding of the processes used in each of the major transaction cycles.

In the interview with David Collier, Sharon and Josh ask questions about both the control activities and the monitoring of those activities at Cloud 9. Sharon and Josh are particularly interested in the systems used at the company to make sure that information about management's plans is transmitted throughout the organization and that there are policies and procedures to ensure that the appropriate actions are taken and reviewed. In addition to asking David Collier about these matters, Suzie reads the policy and procedures manuals. Josh and Suzie then take a tour of the offices and other facilities. For example, Cloud 9 has a tightly structured system of performance reviews. Managers at each level must report financial and operating performance against budgets at regular intervals. Higher-level managers are able to access information about activities within their area of responsibility for monitoring purposes through the information system. Although there have been some issues with theft of goods from the retail store, the losses have been contained following the installation of additional security, including cameras. Josh and Sharon have been particularly impressed with Cloud 9's thorough approach to appropriate segregation of duties. Josh is able to conclude that, at an entity level, there is sufficient evidence that these controls are potentially effective. He asks Suzie to review the specific controls that affect transaction processes in more detail and document their understanding of these processes.

Josh finds that he is spending a great deal of time with Will Burton, Cloud 9's IT manager. Josh and Suzie have a number of questions for Will about what software programs are designed within the accounting system to process transactions; whether there have been any changes to those programs during the year; how changes are authorized, reviewed, and tested; who has access to programs and data files; and how access to programs and data is protected. Will walks the audit team through Cloud 9's principal data center, showing them various physical controls, and printouts and reports that Will receives regarding changes to system access and changes to various programs. Suzie inspects documentation regarding program changes, their authorization, and testing. The team is focused on adequacy of segregation of duties; controls over program changes, maintenance and updates; access controls, and plans for hardware and software upgrades.

At this point, Suzie and Josh are just trying to obtain an understanding of IT general controls at Cloud 9. They know that testing will come later. When they are finished, Josh is satisfied that Cloud 9 has addressed the control issues that he is most concerned about. Overall the system design appears to be operating as planned, based on their questions, observation of Cloud 9 personnel, and preliminary inspection of reports from Cloud 9's IT system. If tests of controls show that IT general controls are effective, this will make testing applications more efficient, and increase the probability that the audit team can use a reliance on controls approach during the audit. Strong IT general controls are also critical to giving Cloud 9 an unqualified opinion on internal controls over financial reporting.

Suzie will document their understanding of the various transaction processes. By performing a system walkthrough in each major accounting system, Suzie will document the flow of transactions and the documents that the client uses in the accounting system. Josh is particularly focused on transaction and account balance assertions, what can go wrong for each assertion, and the controls that the client has implemented to identify and correct potential misstatements. Suzie asks questions about what exception reports are generated by the system, and how items appearing on exception reports are cleared. She learns that some exceptions are noted only on computer terminals, and corrections must be made before transactions are processed further. Once the types of potential material misstatements and the controls that Cloud 9 has put in place to detect and correct any misstatements are understood, the audit team will consider the magnitude and likelihood of the misstatement in the financial statements. This will help narrow the risk assessment and determine what audit procedures should be performed. In addition, the audit team considers how errors in each financial statement assertion might occur. This analysis will guide the audit planning for additional substantive testing. Sharon and the audit partner can also decide if there are any material weaknesses that should be included in the management letter. Suzie knows that documenting her understanding of the processes is necessary for the team to identify control strengths that can be relied upon to justify reduced substantive testing. Substantive testing will be reduced if tests of those controls confirm that these design strengths are reflected in actual performance of the control system. Josh thinks he will need to discuss his assessment of control strengths and weaknesses with Sharon before finalizing the audit program. He needs her help to determine if some control weaknesses are compensated for by other strengths. They will also identify the most important controls to test. Some controls may actually be redundant; that is, another control exists that performs the same function.

Suzie will prepare a flowchart or narrative to document her understanding of the different transaction processes. This will help her understand the stages at which errors can occur. She will include the entire process from the initiation of the transaction through to recording in the general ledger. Where appropriate, she will link several accounting processes together into one seamless flow of transactions. For example, as a first step she makes a simple diagram of the flow of transactions from initiation of a purchase order through to the cash payment to the supplier. The process comprises three smaller processes: initiating a purchase order through to receiving the goods as they arrive; receiving the purchase invoice from the supplier through to entering the invoice in the general ledger; and requesting cash payment through to recording the payment to the supplier. In the next step, the flow of transaction diagram will be supplemented with additional details of the IT tests and their disposition.

Once Suzie has documented the audit team's understanding of Cloud 9's system of internal controls and her preliminary assessment of the system's strengths and weaknesses, Josh presents the document to Jo Wadley, the engagement partner of the audit. The audit team will gather additional evidence about the system of internal controls during the audit, and at the completion of the audit the senior members of the audit team will make a final assessment of Cloud 9's internal controls and write a management letter. Providing a management letter, including recommendations for future changes to the system of internal controls, is an important part of the auditor's role. The management letter not only discharges the audit team's responsibilities to the client, but helps the client improve its systems. In turn, this will likely increase the quality of its financial reporting in the future and improve the efficiency and effectiveness of future financial statement audits.