Presentation on theme: "MODERN AUDITING 7th Edition"— Presentation transcript:
1 MODERN AUDITING 7th Edition William C. Boynton, California Polytechnic State University at San Luis Obispo; Raymond N. Johnson, Portland State University; Walter G. Kell, University of Michigan. Developed by: Dr. Raymond N. Johnson, CPA; Gregory K. Lowry, MBA, CPA. John Wiley & Sons, Inc.
2 CHAPTER 10 ASSESSING CONTROL RISK/ TESTS OF CONTROLS Assessing Control Risk in an Information Technology Environment; Effects of Preliminary Audit Strategies; Designing Tests of Controls; Additional Considerations
3 Assessing Control Risk Assessing Control Risk involves evaluating the effectiveness of: 1. the design and 2. the operation of controls.
4 Assessing Control Risk In making an assessment of control risk for an assertion, it is necessary for the auditor to: Consider knowledge acquired from procedures to obtain an understanding. Identify potential misstatements that could occur in the entity’s assertion. Identify the necessary controls that would likely prevent or detect and correct the misstatements. Perform tests of controls (Effective design and operation). Evaluate the evidence and make the assessment.
5 Assertions and Controls [Diagram labels: Completeness, Start Here; Authorize; Execute; Record; Consideration; Start Here For Existence & Occurrence, Valuation, Rights and Obligations, Classification (P&D)]
6 Assertions and Controls [Diagram labels: Completeness, Start Here; Authorize; Execute; Record; Consideration; Start Here For Existence & Occurrence, Valuation, Rights and Obligations, Classification (P&D)]
7 Identify Necessary Controls Knowledge of audit objectives and potential misstatement that can result. Knowledge of controls that will prevent or detect and correct misstatements. Use of computer software with internal control questionnaire or other decision aids. Written checklists.
8 Compensating Controls Completeness of sales might normally be checked by developing a report of all shipments that are not recorded as sales invoices. A mining company might reconcile tonnage shipped with tonnage billed, which would be referred to as a compensating control.
9 Identify Necessary Controls Relevant Internal Control Components: Control environment; Risk assessment; Information and communication; Control activities; Monitoring. Assessment of Control Risk: Each assertion
10 Assessing Control Risk in an IT Environment Figure 10-2
11 Strategies for Performing Tests of Controls The following 3 strategies related to assessing control risk are discussed below: 1. Assessing control risk based on user controls. 2. Planning for a low control risk assessment based on application controls. 3. Planning for a high control risk assessment based on general controls and manual follow-up.
13 Low CR Assessment based on Application Controls Figure 10-2
14 High CR Assessment based on Application Controls Figure 10-2 Inference
15 Computer-Assisted Audit Techniques Computer-assisted audit techniques (CAATs) involve using the computer to directly test application controls, an approach also known as auditing through the computer. The auditor may find that using the computer in tests of controls is advantageous when: 1. A significant part of the internal controls is embedded in a computer program. 2. There are significant gaps in the visible audit trail. 3. There are large volumes of records to be tested.
16 Computer-Assisted Audit Techniques Important CAATs used to test the operation of specific programmed application controls include: 1. parallel simulation 2. test data
18 Computer-Assisted Audit Techniques Important CAATs used to test the operation of specific programmed application controls include: 1. parallel simulation 2. test data 3. integrated test facility 4. Continuous monitoring of on-line real-time systems: Tagging Transactions; Systems Control Audit Review File
19 Methodologies for Meeting the Second Standard of Field Work Figure 10-6
20 Designing Tests of Controls Tests of controls that are designed to evaluate the operating effectiveness of a control are concerned with: how the control was applied, the consistency with which it was applied during the period, and by whom it was applied.
21 Designing Tests of Controls AU recognizes that the evaluation of evidential matter is a matter of auditing judgment. The following factors bear on the degree of assurance provided by tests of controls: 1. The type of evidential matter 2. Its source 3. Its timeliness 4. The existence of other evidential matter related to the conclusion
22 Type of Evidence Addresses reliability of: Inquiry; Inspection of documents; Observation; Reperforming controls, including CAATs
23 Source of Evidence Generally, evidence obtained directly by the auditor, such as through observation, provides more assurance than evidential matter obtained indirectly or by inference, such as through inquiry.
24 Timeliness of Evidence Evidence obtained at interim: The significance of the assertion; The specific controls; The degree to which the effective design and operation of those controls were evaluated; The results of tests of controls; The length of the remaining period; Evidential matter that may result from substantive tests performed in the remaining period; Evidence about the nature and significance of changes in internal control
25 Timeliness of Evidence Evidence obtained in prior audits: The significance of the assertion; The specific controls; The degree to which the effective design and operation of those controls were evaluated; The results of tests of controls; Evidential matter that may result from substantive tests performed in the current audit; The longer the time elapsed since performance of tests of controls, the less assurance it may provide; Evaluate evidence about changes in internal control
26 Existence of Other Evidence The auditor should consider the combined effect of various evidence relating to the same assertion. For example: Computer general controls; CAATs applied to application controls; Manual follow-up procedures. When various types of evidence support the same conclusion about design and operation of controls, the degree of assurance increases. Evidence about all five categories of internal control. The audit is a cumulative process.
27 Using Internal Auditors in Tests of Controls Whenever a client has an internal audit function, the auditor may: 1. coordinate his or her audit work with the internal auditors, and/or 2. use internal auditors to provide direct assistance in the audit.
28 Using Internal Auditors in Tests of Controls Coordination with internal auditors: Scope of internal auditor’s work; Adequacy of audit programs; Working papers adequately document work performed; Appropriateness of conclusions; Reports are consistent with work performed. Direct assistance from internal auditors: Internal auditors’ competence and objectivity; Supervise, review, evaluate, and test the work performed; Inform the internal auditors of their responsibilities; Inform the internal auditors that all significant accounting and auditing issues should be brought to the external auditor’s attention.
29 Summary of Relationships between Account Balance Assertions and Transaction Class Assertions Figure 10-9
30 Documenting the Assessed Level of Control Risk The auditor’s working papers should include documentation of the control risk assessment. The requirements are as follows: 1. Control risk is assessed at the maximum: Only this conclusion needs to be documented. 2. Control risk is assessed at below the maximum: The basis for assessment must be documented.
31 Communicating Internal Control Matters The auditor is required to identify and report to the audit committee, or other entity personnel with equivalent authority and responsibility, certain conditions that relate to an entity’s internal control observed during an audit of the financial statements.
32 Communicating Internal Control Matters A reportable condition may be of such a magnitude as to constitute material weaknesses in internal control. AU defines a material weakness as: …a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.
33 Communicating Internal Control Matters AU 325, Communication of Internal Control Related Matters Noted in an Audit (SAS 60 and SAS 78), defines a reportable condition as: …matters coming to the auditor’s attention that, in his judgment, should be communicated to the audit committee because they represent significant deficiencies in the design or operation of internal control, which could adversely affect the organization’s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.
34 Service Organizations Appendix 10A A service organization is an entity that provides services for other entities referred to as user organizations (the audit client, whose auditor is referred to as the user auditor). A service organization’s services are part of an entity’s information system if they affect: 1. How the entity’s transactions are initiated. 2. The accounting records, supporting information, and specific accounts in the financial statements involved in the processing and reporting of the entity’s transactions. 3. The accounting process involved from the initiation of the transaction to their inclusion in the financial statements, including electronic means. 4. The financial reporting process used to prepare the entity’s financial statements.
36 Copyright Copyright 2001 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.