MODERN AUDITING 7th Edition William C. Boynton California Polytechnic State University at San Luis Obispo Raymond N. Johnson Portland State University Walter G. Kell University of Michigan Developed by: Dr. Raymond N. Johnson, CPA Gregory K. Lowry, MBA, CPA John Wiley & Sons, Inc.
CHAPTER 10 ASSESSING CONTROL RISK/ TESTS OF CONTROLS Assessing Control Risk in an Information Technology Environment Effects of Preliminary Audit Strategies Designing Tests of Controls Additional Considerations
Assessing Control Risk Assessing Control Risk involves evaluating the effectiveness of: 1. the design and 2. the operation of controls.
Assessing Control Risk In making an assessment of control risk for an assertion, it is necessary for the auditor to: Consider knowledge acquired from procedures to obtain an understanding Identify potential misstatements that could occur in the entity’s assertion. Identify the necessary controls that would likely prevent or detect and correct the misstatements. Perform tests of controls (Effective design and operation). Evaluate the evidence and make the assessment.
Assertions and Controls Completeness Start Here Authorize Execute Record Start Here For Existence & Occurrence, Valuation, Rights and Obligations, Classification (P&D) Consideration
Assertions and Controls Completeness Start Here Authorize Execute Record Consideration Start Here For Existence & Occurrence, Valuation, Rights and Obligations, Classification (P&D)
Identify Necessary Controls Knowledge of audit objectives and potential misstatement that can result. Knowledge of controls that will prevent or detect and correct misstatements. Use of computer software with internal control questionnaire or other decision aids Written checklists
Compensating Controls Completeness of sales might normally be checked by developing a report of all shipments that are not recorded as sale invoices. A mining company might reconcile tonnage shipped with tonnage billed, which would be referred to as a compensating control.
Identify Necessary Controls Relevant Internal Control Components Control environment Risk assessment Information and communication Control activities Monitoring Assessment of Control Risk Each assertion
Assessing Control Risk in an IT Environment Figure 10-2
Strategies for Performing Tests of Controls The following 3 strategies related to assessing control risk are discussed below: 1. Assessing control risk based on user controls. 2. Planning for a low control risk assessment based on application controls. 3. Planning for a high control risk assessment based on general controls and manual follow-up.
Direct Tests of User Controls Figure 10-2
Low CR Assessment based on Application Controls Figure 10-2
High CR Assessment based on Application Controls Figure 10-2 Inference
Computer-Assisted Audit Techniques Computer-assisted audit techniques (CAATs) involve using the computer to directly test application controls, and is also known as auditing through the computer. The auditor may find that using the computer in tests of controls is advantageous when: 1. A significant part of the internal controls is imbedded in a computer program. 2. There are significant gaps in the visible audit trail. 3. There are large volumes of records to be tested.
Computer-Assisted Audit Techniques Important CAATs used to test the operation of specific programmed application controls include: 1. parallel simulation 2. test data
Reconstruction of Data Files Figure 10-3
Computer-Assisted Audit Techniques Important CAATs used to test the operation of specific programmed application controls include: 1. parallel simulation 2. test data 3. integrated test facility 4. Continuous monitoring of on-line real-time systems. Tagging Transactions Systems Control Audit Review File
Methodologies for Meeting the Second Standard of Field Work Figure 10-6
Designing Tests of Controls Tests of controls that are designed to evaluate the operating effectiveness of a control are concerned with: how the control was applied, the consistency with which it was applied during the period, and by whom it was applied.
Designing Tests of Controls AU 319.64 recognizes that the evaluation of evidential matter is a matter of auditing judgment. The following factors bear on the degree of assurance provided by tests of controls: 1. The type of evidential matter 2. Its source 3. Its timeliness 4. The existence of other evidential matter related to the conclusion
Type of Evidence Addresses reliability of Inquiry Inspection of documents Observation Reperforming controls, including CAATs
Source of Evidence Generally evidence obtained directly by the auditor, such as through observation, provides more assurance that evidential matter obtained indirectly or by inference, such as through inquiry.
Timeliness of Evidence Evidence obtained at interim The significance of the assertion The specific controls The degree to which the effective design and operation of those controls were evaluated The results of tests of controls The length of the remaining period Evidential matter that may result from substantive tests performed in the remaining period Evidence about the nature and significance of changes in internal control
Timeliness of Evidence Evidence obtained in prior audits The significance of the assertion The specific controls The degree to which the effective design and operation of those controls were evaluated The results of tests of controls Evidential matter that may result from substantive tests performed in the current audit The long the time elapsed since performance of tests of control the less assurance it may provide Evaluate evidence about changes in internal control
Existence of Other Evidence The auditor should consider the combined effect of various evidence relating to the same assertion. For example, Computer general controls CAATs applied to application controls Manual follow-up procedures When various types of evidence support the same conclusion about design and operation of controls, the degree of assurance increases. Evidence about all five categories of internal control The audit is a cumulative process
Using Internal Auditors in Tests of Controls Whenever a client has an internal audit function, the auditor may: 1. coordinate his or audit work with the internal auditors, and/or 2. use internal auditors to provide direct assistance in the audit.
Using Internal Auditors in Tests of Controls Coordination with internal auditors Scope of internal auditor’s work Adequacy of audit programs Working papers adequately document work performed Appropriateness of conclusions Reports are consistent with work performed Direct assistance from internal auditors Internal auditors’ competence and objectivity Supervise, review, evaluate, and test the work performed Inform the internal auditors of their responsibilities Inform the internal auditors that all significant account and auditing issues should be brought to the external auditor’s attention.
Summary of Relationships between Account Balance Assertions and Transaction Class Assertions Figure 10-9
Documenting the Assessed Level of Control Risk The auditor’s working papers should include documentation of the control risk assessment. The requirements are as follows: 1. Control risk is assessed at the maximum: Only this conclusion needs to be documented. 2. Control risk is assessed at below the maximum: The basis for assessment must be documented.
Communicating Internal Control Matters The auditor is required to identify and report to the audit committee, or other entity personnel with equivalent authority and responsibility, certain conditions that relate to an entity’s internal control observed during an audit of the financial statements.
Communicating Internal Control Matters A reportable condition may be of such a magnitude as to constitute material weaknesses in internal control. AU 325.15 defines a material weakness as: …a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.
Communicating Internal Control Matters AU 325, Communication of Internal Control Related Matters Noted in an Audit (SAS 60 and SAS 78), defines a reportable condition as: …matters coming to the auditor’s attention that, in his judgment, should be communicated to the audit committee because they represent significant deficiencies in the design or operation of internal control, which could adversely affect the organization’s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.
Service Organizations Appendix 10A A service organization is an entity that provides services for other entities referred to as user organization (the audit client whose auditor is referred to as the user auditor). A service organization’s services are part of an entity’s information system if they affect: 1. How the entity’s transactions are initiated. 2. The accounting records, supporting information, and specific accounts in the financial statements involved in the processing and reporting of the entity’s transactions. 3. The accounting process involved from the initiation of the transaction to their inclusion in the financial statements, including electronic means. 4. The financial reporting process used to prepare the entity’s financial statements.
CHAPTER 10 ASSESSING CONTROL RISK/ TESTS OF CONTROLS
Copyright Copyright 2001 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.