1. MODERN AUDITING 7th Edition
William C. Boynton
California Polytechnic State University at San Luis Obispo
Raymond N. Johnson
Portland State University
Walter G. Kell
University of Michigan
Developed by:
Dr. Raymond N. Johnson, CPA
Gregory K. Lowry, MBA, CPA
John Wiley & Sons, Inc.

2. CHAPTER 10 ASSESSING CONTROL RISK/ TESTS OF CONTROLS
Assessing Control Risk in an Information Technology Environment
Effects of Preliminary Audit Strategies
Designing Tests of Controls
Additional Considerations

3. Assessing Control Risk
Assessing Control Risk involves evaluating the effectiveness of:
1. the design and
2. the operation of controls.

4. Assessing Control Risk
In making an assessment of control risk for an assertion, it is necessary for the auditor to:
Consider knowledge acquired from procedures to obtain an understanding
Identify potential misstatements that could occur in the entity’s assertion.
Identify the necessary controls that would likely prevent or detect and correct the misstatements.
Perform tests of controls (Effective design and operation).
Evaluate the evidence and make the assessment.

5. Assertions and Controls
Completeness
Start Here
Authorize
Execute
Record
Start Here For Existence & Occurrence,
Valuation, Rights and Obligations,
Classification (P&D)
Consideration

6. Assertions and Controls
Completeness
Start Here
Authorize
Execute
Record
Consideration
Start Here For Existence & Occurrence,
Valuation, Rights and Obligations,
Classification (P&D)

7. Identify Necessary Controls
Knowledge of audit objectives and potential misstatement that can result.
Knowledge of controls that will prevent or detect and correct misstatements.
Use of computer software with internal control questionnaire or other decision aids
Written checklists

8. Compensating Controls
Completeness of sales might normally be checked by developing a report of all shipments that are not recorded as sale invoices.
A mining company might reconcile tonnage shipped with tonnage billed, which would be referred to as a compensating control.

9. Identify Necessary Controls
Relevant Internal Control Components
Control environment
Risk assessment
Information and communication
Control activities
Monitoring
Assessment of Control Risk
Each assertion

10. Assessing Control Risk in an IT Environment Figure 10-2

11. Strategies for Performing Tests of Controls
The following 3 strategies related to assessing control risk are discussed below:
1. Assessing control risk based on user controls.
2. Planning for a low control risk assessment based on application controls.
3. Planning for a high control risk assessment based on general controls and manual follow-up.

12. Direct Tests of User Controls Figure 10-2

13. Low CR Assessment based on Application Controls Figure 10-2

14. High CR Assessment based on Application Controls Figure 10-2
Inference

15. Computer-Assisted Audit Techniques
Computer-assisted audit techniques (CAATs) involve using the computer to directly test application controls, and is also known as auditing through the computer. The auditor may find that using the computer in tests of controls is advantageous when:
1. A significant part of the internal controls is imbedded in a computer program.
2. There are significant gaps in the visible audit trail.
3. There are large volumes of records to be tested.

16. Computer-Assisted Audit Techniques
Important CAATs used to test the operation of specific programmed application controls include:
1. parallel simulation
2. test data

17. Reconstruction of Data Files Figure 10-3

18. Computer-Assisted Audit Techniques
Important CAATs used to test the operation of specific programmed application controls include:
1. parallel simulation
2. test data
3. integrated test facility
4. Continuous monitoring of on-line
real-time systems.
Tagging Transactions
Systems Control Audit Review File

19. Methodologies for Meeting the Second Standard of Field Work Figure 10-6

20. Designing Tests of Controls
Tests of controls that are designed to evaluate the operating effectiveness of a control are concerned with:
how the control was applied,
the consistency with which it was applied during the period, and
by whom it was applied.

21. Designing Tests of Controls
AU recognizes that the evaluation of evidential matter is a matter of auditing judgment.
The following factors bear on the degree of assurance provided by tests of controls:
1. The type of evidential matter
2. Its source
3. Its timeliness
4. The existence of other evidential matter related to the conclusion

22. Type of Evidence Addresses reliability of Inquiry
Inspection of documents
Observation
Reperforming controls, including CAATs

23. Source of Evidence
Generally evidence obtained directly by the auditor, such as through observation, provides more assurance that evidential matter obtained indirectly or by inference, such as through inquiry.

24. Timeliness of Evidence
Evidence obtained at interim
The significance of the assertion
The specific controls
The degree to which the effective design and operation of those controls were evaluated
The results of tests of controls
The length of the remaining period
Evidential matter that may result from substantive tests performed in the remaining period
Evidence about the nature and significance of changes in internal control

25. Timeliness of Evidence
Evidence obtained in prior audits
The significance of the assertion
The specific controls
The degree to which the effective design and operation of those controls were evaluated
The results of tests of controls
Evidential matter that may result from substantive tests performed in the current audit
The long the time elapsed since performance of tests of control the less assurance it may provide
Evaluate evidence about changes in internal control

26. Existence of Other Evidence
The auditor should consider the combined effect of various evidence relating to the same assertion. For example,
Computer general controls
CAATs applied to application controls
Manual follow-up procedures
When various types of evidence support the same conclusion about design and operation of controls, the degree of assurance increases.
Evidence about all five categories of internal control
The audit is a cumulative process

27. Using Internal Auditors in Tests of Controls
Whenever a client has an internal audit function, the auditor may:
1. coordinate his or audit work with the internal auditors, and/or
2. use internal auditors to provide direct assistance in the audit.

28. Using Internal Auditors in Tests of Controls
Coordination with internal auditors
Scope of internal auditor’s work
Adequacy of audit programs
Working papers adequately document work performed
Appropriateness of conclusions
Reports are consistent with work performed
Direct assistance from internal auditors
Internal auditors’ competence and objectivity
Supervise, review, evaluate, and test the work performed
Inform the internal auditors of their responsibilities
Inform the internal auditors that all significant account and auditing issues should be brought to the external auditor’s attention.

29. Summary of Relationships between Account Balance Assertions and Transaction Class Assertions Figure 10-9

30. Documenting the Assessed Level of Control Risk
The auditor’s working papers should include documentation of the control risk assessment. The requirements are as follows:
1. Control risk is assessed at the maximum: Only this conclusion needs to be documented.
2. Control risk is assessed at below the maximum: The basis for assessment must be documented.

31. Communicating Internal Control Matters
The auditor is required to identify and report to the audit committee, or other entity personnel with equivalent authority and responsibility, certain conditions that relate to an entity’s internal control observed during an audit of the financial statements.

32. Communicating Internal Control Matters
A reportable condition may be of such a magnitude as to constitute material weaknesses in internal control. AU defines a material weakness as:
…a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.

33. Communicating Internal Control Matters
AU 325, Communication of Internal Control Related Matters Noted in an Audit (SAS 60 and SAS 78), defines a reportable condition as:
…matters coming to the auditor’s attention that, in his judgment, should be communicated to the audit committee because they represent significant deficiencies in the design or operation of internal control, which could adversely affect the organization’s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.

34. Service Organizations Appendix 10A
A service organization is an entity that provides services for other entities referred to as user organization (the audit client whose auditor is referred to as the user auditor). A service organization’s services are part of an entity’s information system if they affect:
1. How the entity’s transactions are initiated.
2. The accounting records, supporting information, and specific accounts in the financial statements involved in the processing and reporting of the entity’s transactions.
3. The accounting process involved from the initiation of the transaction to their inclusion in the financial statements, including electronic means.
4. The financial reporting process used to prepare the entity’s financial statements.

35. CHAPTER 10 ASSESSING CONTROL RISK/ TESTS OF CONTROLS

36. Copyright
Copyright 2001 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.