Week 7

Question 1

Entity-level controls:

Answer 1

control environment
entity’s risk assessment process
IT and communication systems
control activities
monitoring of controls.

Question 2

Transaction-level controls:

Answer 2

Designed to reduce the risk of misstatement due to error or fraud and to ensure that processes are operating effectively.
Controls can include any procedure used and relied upon by client to prevent errors occurring, or to detect and correct errors that occur

Question 3

Controls have two main objectives:

Answer 3

to prevent or detect misstatements in the financial report

to support the automated parts of the business in the functioning of the controls in place.

Question 4

Controls are classified as:

Answer 4

manual controls
automated (or application) controls
IT general controls (ITGCs)
IT-dependent manual controls.

Question 5

Prevent and detect controls:

Answer 5

The audit procedures performed to test the operating effectiveness of controls in preventing or detecting and correcting material misstatements at the assertion level.

Question 6

Prevent controls

Answer 6

Prevent controls can be applied to each transaction during normal processing to avoid errors occurring:
Commonly automated.
For example reject duplicate transaction

Question 7

Examples of prevent controls

Answer 7

slide 9

Question 8

Detect controls

Answer 8

Detect controls are necessary to identify and correct errors that do enter the records.
Usually not applied to transaction during normal flow of processing, but applied outside normal flow to partially or fully processed transactions.
E.g. cheques for payment prepared, and held by system until approved for payment and then processed.
Wide variation in detect controls from client to client, depending on complexity, preferences.
Can be informal and formal.

Question 9

It is important that detect controls:

Answer 9

Completely and accurately capture all relevant data.
Identify all potentially significant errors.
Are performed on a consistent and regular basis.
Include follow-up and correction on timely basis of any misstatements or issues detected.

Question 10

Examples of detect controls:

Answer 10

Management level analysis and follow-up of reviews: actual vs budgets, prior periods, competitors, industry; anomalies in performance indicators.
Reconciliations with follow-up of reconciling, unusual items, to resolution and correction.
For example bank reconciliation and subsidiary ledger to control account.

Review and follow-up of exception reports (automatically generated reports of transactions outside pre-determined parameters).
Usually can obtain evidence of detect controls’ operation and effectiveness.

Question 11

Examples of detect controls:

Answer 11

Slide 15

Question 12

Manual controls

Answer 12

Purely manual controls do not rely on IT for operation.
E.g. locked cage for inventory.
Could rely on IT information from others.
E.g. reconcile stock count to computer generated consignment stock statements.

Question 13

automated controls

Answer 13

Automated controls generally rely on client’s IT:
IT general controls (ITGCs):
Support functioning of automated controls.
Provide basis for relying on electronic evidence in audit.

IT general controls (ITGCs):
Types of ITGCS:
program change controls
logical access controls
other ITGCs (e.g. data back-up).

Question 14

Application controls apply to processing of individual transactions, support segregation of duties.

Answer 14

E.g. edit checks, validations, calculations, interfaces and authorisations.

Question 15

IT-dependent manual controls:

Answer 15

Both manual and automated aspects.

E.g. management reviews a monthly variance report (automated) and follows-up (manual) on significant variances.

Question 16

Manual and automated controls:

Answer 16

Auditor must consider both aspects:
Report generation and management follow-up.
Consider controls over report generation:
Is report accurate and complete?
If not, follow-up is not effective.

Question 17

Techniques for testing controls

Answer 17

Enquiry:
Auditor questions employee performing control, management about review of control.

Observation:
Auditor observes actual control being performed.
Employee might be more diligent when observed.

Inspection of physical evidence:
Trace from reconciliation to accounting records or other documents.
Examine reconciling items to determine whether reconciliation detects error and action to deal with errors.

Re-performance
Auditor re-performs control (e.g. prepares reconciliation).

Question 18

Selecting and designing tests of controls

Answer 18

Professional judgement is required.

Which controls should be selected for testi

Question 19

Which controls should be selected for testing?

Answer 19

Select controls that will provide most efficient and effective audit evidence.
Increase efficiency by only testing controls that are critical to audit opinion.
Those that address the WCGWs most effectively with least amount of testing.
Select controls that will provide most efficient and effective audit evidence.
More efficient to test controls that address multiple WCGWs.

Question 20

How much testing does the auditor need to do?

Answer 20

Extent of testing based on statistical sampling (see chapter 6) or professional judgement.
Consider:
How often is control performed? 
More often = more testing.
Degree of reliance on control: 
More = more testing.

Consider:
Persuasive of evidence from testing:
More = less testing
Need to be satisfied that control operated as intended throughout period, interim testing might be required.

Existence of combination of controls that could provide increased assurance:
Less reliance on single control = less testing.
Relative importance of WCGW:
Assurance required is based on consideration of several issues.

Also consider other factors that relate to the likelihood that a control operated as intended, including:
Competence of person performing control.
Quality of control environment, for example:
Chance of control override.
Internal auditing work.
Effect on operation of control throughout period.
Changes in accounting system.
Explained changes in related account balances.
Auditor’s prior experience with client.

Evidence of one exception (or deviation) in sample:
investigate cause of exception
increase sample and extend testing
amend decision to rely on control
test other controls and/or increase substantive testing.

Application controls – test using these methods:
Test operating effectiveness:
Test manual follow-up procedures that support the application control.
E.g. investigate how client follows-up on computer-generated exception report for sales with no prices in master file.

Test controls over program changes, and/or access to data files.
Test ITGCs:
E.g. test controls to ensure that all changes to pricing master file are approved.

Application controls:
Benchmarking:
Carry forward benefit of certain application controls testing into future audit periods.
Computer will continue to perform procedure in same way until application program is changed.

Verify that there are no changes to program, no need to repeat audit procedures. More likely when:
specific program can be identified
application is stable
reliable record of program changes available.

Timing of tests of controls:
Usually at interim date, especially if controls relied upon to reduce substantive procedures.
Preferable to test entity-level controls and ITGCs early in audit because results impact other tests.
Update interim results and evaluation at year-end.
Identify relevant changes in environment and controls.

Question 21

Results of the auditor’s testing

Answer 21

Do results of control testing confirm preliminary evaluation of controls and control risk based on internal control documentation?
If so, do not modify planned substantive procedures
If not:
Are compensating controls available? (Test)
Revise audit risk assessment for related account and the planned audit strategy

Question 22

When deciding whether need for additional tests of controls, consider:

Answer 22

Results of enquiries and observations:
Could reveal alternative controls now being relied upon and need to be tested.

Evidence provided by other tests:
Substantive tests can provide evidence about continued functioning of controls.
E.g. examining invoice for evidence of payables balance could provide evidence of controls over purchases and payables.

Changes in overall control environment:
Change in key personnel could make additional control tests necessary.

Question 23

Results of control testing documented in working papers:

Answer 23

test performed
purpose of test of controls
actual controls selected for testing
results of testing – exceptions found.

Question 24

Documenting conclusions

Answer 24

Document in sufficient detail to allow another auditor to perform same test.
Extent of documentation depends on complexity of client’s operations, systems and controls.
Review impact of testing controls on rest of audit.