Week 7 Flashcards
Entity-level controls:
control environment; entity’s risk assessment process; IT and communication systems; control activities; monitoring of controls.
Transaction-level controls:
Designed to reduce the risk of misstatement due to error or fraud and to ensure that processes are operating effectively.
Controls can include any procedure used and relied upon by the client to prevent errors occurring, or to detect and correct errors that occur.
Controls have two main objectives:
to prevent or detect misstatements in the financial report
to support the automated parts of the business in the functioning of the controls in place.
Controls are classified as:
manual controls
automated (or application) controls
IT general controls (ITGCs)
IT-dependent manual controls.
Prevent and detect controls:
The audit procedures performed to test the operating effectiveness of controls in preventing or detecting and correcting material misstatements at the assertion level.
Prevent controls
Prevent controls can be applied to each transaction during normal processing to avoid errors occurring:
Commonly automated.
For example, reject a duplicate transaction.
Examples of prevent controls
slide 9
Detect controls
Detect controls are necessary to identify and correct errors that do enter the records.
Usually not applied to transaction during normal flow of processing, but applied outside normal flow to partially or fully processed transactions.
E.g. cheques for payment prepared, and held by system until approved for payment and then processed.
Wide variation in detect controls from client to client, depending on complexity, preferences.
Can be informal and formal.
It is important that detect controls:
Completely and accurately capture all relevant data.
Identify all potentially significant errors.
Are performed on a consistent and regular basis.
Include follow-up and correction on timely basis of any misstatements or issues detected.
Examples of detect controls:
Management level analysis and follow-up of reviews: actual vs budgets, prior periods, competitors, industry; anomalies in performance indicators.
Reconciliations with follow-up of reconciling, unusual items, to resolution and correction.
For example bank reconciliation and subsidiary ledger to control account.
Review and follow-up of exception reports (automatically generated reports of transactions outside pre-determined parameters).
Usually can obtain evidence of detect controls’ operation and effectiveness.
Examples of detect controls:
Slide 15
Manual controls
Purely manual controls do not rely on IT for operation.
E.g. locked cage for inventory.
Could rely on IT information from others.
E.g. reconcile stock count to computer generated consignment stock statements.
Automated controls
Automated controls generally rely on client’s IT:
IT general controls (ITGCs):
Support functioning of automated controls.
Provide basis for relying on electronic evidence in audit.
IT general controls (ITGCs): Types of ITGCs: program change controls; logical access controls; other ITGCs (e.g. data back-up).
Application controls apply to processing of individual transactions, support segregation of duties.
E.g. edit checks, validations, calculations, interfaces and authorisations.
IT-dependent manual controls:
Both manual and automated aspects.
E.g. management reviews a monthly variance report (automated) and follows up (manual) on significant variances.
Manual and automated controls:
Auditor must consider both aspects:
Report generation and management follow-up.
Consider controls over report generation:
Is report accurate and complete?
If not, follow-up is not effective.
Techniques for testing controls
Enquiry:
Auditor questions employee performing control, management about review of control.
Observation:
Auditor observes actual control being performed.
Employee might be more diligent when observed.
Inspection of physical evidence:
Trace from reconciliation to accounting records or other documents.
Examine reconciling items to determine whether reconciliation detects error and action to deal with errors.
Re-performance
Auditor re-performs control (e.g. prepares reconciliation).
Selecting and designing tests of controls
Professional judgement is required.
Which controls should be selected for testing?
Select controls that will provide most efficient and effective audit evidence.
Increase efficiency by only testing controls that are critical to audit opinion.
Those that address the WCGWs most effectively with least amount of testing.
More efficient to test controls that address multiple WCGWs.
How much testing does the auditor need to do?
Extent of testing based on statistical sampling (see chapter 6) or professional judgement. Consider: How often is control performed? More often = more testing. Degree of reliance on control: More = more testing.
Consider:
Persuasiveness of evidence from testing:
More = less testing
Need to be satisfied that control operated as intended throughout period, interim testing might be required.
Existence of combination of controls that could provide increased assurance:
Less reliance on single control = less testing.
Relative importance of WCGW:
Assurance required is based on consideration of several issues.
Also consider other factors that relate to the likelihood that a control operated as intended, including:
Competence of person performing control.
Quality of control environment, for example:
Chance of control override.
Internal auditing work.
Effect on operation of control throughout period.
Changes in accounting system.
Explained changes in related account balances.
Auditor’s prior experience with client.
Evidence of one exception (or deviation) in sample:
investigate cause of exception
increase sample and extend testing
amend decision to rely on control
test other controls and/or increase substantive testing.
Application controls – test using these methods:
Test operating effectiveness:
Test manual follow-up procedures that support the application control.
E.g. investigate how client follows up on computer-generated exception report for sales with no prices in master file.
Test controls over program changes, and/or access to data files.
Test ITGCs:
E.g. test controls to ensure that all changes to pricing master file are approved.
Application controls:
Benchmarking:
Carry forward benefit of certain application controls testing into future audit periods.
Computer will continue to perform procedure in same way until application program is changed.
Verify that there are no changes to program, no need to repeat audit procedures. More likely when:
specific program can be identified
application is stable
reliable record of program changes available.
Timing of tests of controls:
Usually at interim date, especially if controls relied upon to reduce substantive procedures.
Preferable to test entity-level controls and ITGCs early in audit because results impact other tests.
Update interim results and evaluation at year-end.
Identify relevant changes in environment and controls.
Results of the auditor’s testing
Do results of control testing confirm preliminary evaluation of controls and control risk based on internal control documentation?
If so, do not modify planned substantive procedures
If not:
Are compensating controls available? (Test)
Revise audit risk assessment for related account and the planned audit strategy
When deciding whether there is a need for additional tests of controls, consider:
Results of enquiries and observations:
Could reveal alternative controls now being relied upon and need to be tested.
Evidence provided by other tests:
Substantive tests can provide evidence about continued functioning of controls.
E.g. examining invoice for evidence of payables balance could provide evidence of controls over purchases and payables.
Changes in overall control environment:
Change in key personnel could make additional control tests necessary.
Results of control testing documented in working papers:
test performed
purpose of test of controls
actual controls selected for testing
results of testing – exceptions found.
Documenting conclusions
Document in sufficient detail to allow another auditor to perform same test.
Extent of documentation depends on complexity of client’s operations, systems and controls.
Review impact of testing controls on rest of audit.