You are part of the independent CPA staff planning the audit of Tivell Inc., an e-commerce...

1. Describe how the audit engagement team would have documented the information obtained about their understanding of Tivell’s system of internal control

The audit engagement team would have understood the flow of transactions, including how transactions are initiated, recorded, authorized, processed, and reported. The team must also have identified and documented the risks within the process, including fraud risk, and identified and documented the controls that should be implemented to manage those risks.

They must have determined which controls are necessary to the process, activity, or system under review in light of the risk profile and desired level of control. Management is responsible for establishing adequate business processes and measuring performance, as well as determining how best to monitor the operating effectiveness of enterprise processes and controls. The audit engagement team must have considered these responsibilities when documenting either formal (written) or informal (undocumented) controls..

2.  Provide at least three examples of documentation

Narrative Descriptions

Narratives describe process flows in written form, without graphical representations. They provide a useful supplement to flowcharting documentation by detailing existing practices and thereby minimizing potential misunderstandings. Independently, however, narrative descriptions do not serve as an effective tool for process description — they can be lengthy and difficult to review, and typically are not considered user-friendly.

Internal Control Questionnaires

Completed ICQs list answers to questions related to the identification and evaluation of internal controls. Effective ICQ documents comprise a carefully structured, logically sequenced series of questions that help management and internal auditors document processes and highlight control gaps, strengths, and weaknesses within a system. Questionnaire results provide a permanent record of the controls at both an entity and process level. Typically, ICQs present information in a format that is easy for external parties — such as external auditors and regulatory review bodies — to understand and help simplify and expedite the control evaluation process.

Risk and Control Matrices

Risk and control matrices link controls with control objectives and related risks. They are designed both to document risks and controls and to facilitate evaluation of the design and effectiveness of the control system. By obtaining an initial understanding of the expected controls in a process, internal auditors can identify gaps between actual controls and specific control objectives and risks.

3. Explain in a brief paragraph, the difference between the design effectiveness of the controls and the operating effectiveness of the controls.

As per Auditing Standard No. 13 The Auditor's Responses to the Risks of Material Misstatement, following are the differences between the design effectiveness of the controls and the operating effectiveness of the controls.

• The auditor should test the design effectiveness of the controls selected for testing by determining whether the company's controls, if they are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company's control objectives and can effectively prevent or detect error or fraud that could result in material misstatements in the financial statements.
• The auditor should test the operating effectiveness of a control selected for testing by determining whether the control is operating as designed and whether the person performing the control possesses the necessary authority and competence to perform the control effectively.

• Procedures the auditor performs to test design effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs that include these procedures ordinarily are sufficient to evaluate design effectiveness.
• Procedures the auditor performs to test operating effectiveness include a mix of inquiry of appropriate personnel, observation of the company's operations, inspection of relevant documentation, and re-performance of the control.

4. What would you recommend the audit engagement team do, if they wish to rely on Tivell’s controls with respect to particular financial statements assertions?

As per Auditing Standard No. 13 The Auditor's Responses to the Risks of Material Misstatement, it would be recommended to the audit engagement team to base their work on financial statements assertions which are sufficient for the auditor to identify the types of potential misstatements and to respond appropriately to the risks of material misstatement in each significant account and disclosure that has a reasonable possibility of containing misstatements that would cause the financial statements to be materially misstated, individually or in combination with other misstatements.