Vous êtes sur la page 1sur 8

CHAPTER 11

AUDIT PROCEDURES IN RESPONSE TO


ASSESSED RISKS: TESTS OF CONTROLS
Learning Check
11-1. a.

b.

Assessing control risk is the process of evaluating the effectiveness of an entity's


internal controls in preventing or detecting material misstatements in the financial
statements.
Control risk should be assessed in terms of individual financial statement
assertions.

11-2. In assessing control risk for an assertion, the auditor should perform the following five
steps:
1. Consider knowledge acquired from procedures to obtain an understanding about
whether controls pertaining to the assertion have been designed and placed in
operation by the entity's management.
2. Identify the potential misstatements that could occur in the entity's assertion.
3. Identify the necessary controls that would likely prevent or detect the misstatements.
4. Perform tests of controls on the necessary controls to determine the effectiveness of
their design and operation.
5. Evaluate the evidence and make the assessment.
11-3. a.

b.

In identifying both potential misstatements and necessary controls, the auditor


typically uses either (1) computer software that analyzes responses to specific
questions input for computerized internal control questionnaires or (2) checklists
developed for the same purpose.
Most completeness controls compare information that is obtained when a
transaction is authorized, and compare the information with information that is
created when goods or services are shipped or received, and again with
information when the transaction is recorded. Completeness controls will also
compare information created with the transaction is recorded with information
associated with receipt or payment of cash (consideration). For example, a
control over completeness of sales might create a report of all goods that are
ordered that have not been shipped, a separate report of all items that have been
shipped but not billed, and a third report of all billings that have not been
collected.

c.

The occurrence, accuracy cutoff, and classification objectives are normally


controlled by comparing information input for recording a transaction with
information that is entered into the system when the transaction is authorized or
when goods or services are shipped or received. For example, sales invoice
information will usually be compared with information associated with the sales
order (authorization) or the bill of lading and packing slip (shipment of goods).

11-4. a.

Evidence obtained from procedures to obtain an understanding should be used by


the auditor to (1) identify types of potential misstatements and (2) consider factors
that affect the risk of material misstatements, such as whether controls necessary
to prevent or detect the misstatements have been designed and placed in
operation. This knowledge should enable the auditor to make an initial assessment
of control risk for an assertion. During this process the auditor may obtain some
evidence about the effectiveness of the design and operation of internal controls.
However, such evidence rarely is sufficient to allow the auditor to assess control
risk at moderate or low.

b.

Evidence obtained from tests of controls pertains to the effectiveness of the design
and/or operation of the control tested and may be used in making a final
assessment of control risk for an assertion.

11-5. When evaluating the significance of any deficiency in internal control the auditor should
consider the likelihood (frequency of deviations) and the magnitude of potential
misstatements. For example, when evaluating a deficiency in internal controls related to
revenue recognition, the auditor needs to evaluate the percentage of the time that the
control might fail (likelihood or probability) and the dollar amount of misstatement that
could happen when the control fails (magnitude or materiality). The auditor will
normally classify deficiencies as (1) deficiencies, (2) significant deficiencies, or (3)
material weaknesses depending on the likelihood and magnitude of potential
misstatements that might result from an internal control weakness.
11-6. a.

b.

Three strategies that the auditor might use when testing a system of internal
controls that use information technology include:
1. Assessing control risk based on user controls.
2. Planning for a low control risk assessment based on application controls.
3. Planning for a high control risk assessment based on general controls and
manual follow-up.
The auditor might assess control risk as low based on two of the three above
strategies, assuming that the evidence shows that the controls are effectively
designed and placed in operation. First the auditor can assess control risk as low
based on user controls, such as effective performance reviews by management.
Second, the auditor can assess control risk as low based on effective computer
application controls. This strategic also involved effective manual follow-up of
exceptions noted by application controls.

c.

The auditor can assess control risk as high based on evidence obtained about both
computer controls and manual follow-up procedures. The auditor may be able to
develop implications about the effective operation of application controls based
on inspection of exception reports and inquiries of those who follow-up on
exception reports. However, the auditor must perform direct tests of application
controls in order to assess control risk below a high level.

11-7. a.

The advantages of using computer assisted audit technique in performing tests of


controls include:
A significant part of the entitys system of internal controls is imbedded in
computer programs.
There are significant gaps in the visible audit trail.
There are large volumes of records to be tested.

b.

The major disadvantages of using computer-assisted audit techniques are the


special knowledge and skills required, and the possible disruption of the clients
IT operations while the auditor uses IT equipment, programs and files. The
auditor must also test the effectiveness of manual follow-up procedures in order to
determine how effectively the computer controls are at preventing or detecting
and correcting misstatements in assertions.

11-8. The advantages of parallel simulation include the following:


Because real data are used, the auditor can verify the transactions by tracing them to
source documents and approvals.
The size of the sample can be greatly expanded at relatively little additional cost.
The auditor can independently run the test.
The disadvantages include the fact that the auditor may need special training to
understand the clients program and develop a program that simulates the clients
program. The auditor must also take care to determine that the data selected for
simulations are representative of actual client transactions.
11-9. a.

Under the test data approach, dummy transaction are prepared by the auditor and
processed under auditor control by the clients computer program. This is often
performed during a time when the auditor can take full control over the clients
computer operations. In an integrated tests facility approach the auditor does not
control computer operations and dummy transactions are processed
simultaneously with real transactions. This usually requires the creation of a small
subsystem (a mini-company) within the regular IT system. It may be
accomplished by creating dummy master files or appending dummy master
records to existing client files. Test data, specially coded to correspond to the
dummy master files, are introduced into the system together with actual
transactions.
b.

A common way to test programmed controls in an on-line, real-time system is to


create some form of continuous monitoring. For example, an audit module might

be created to tag transactions for subsequent testing, or an audit log (frequently


called a systems control audit review file or SCARF) might be used to record
transactions that meet particular audit criteria.
11-10. In comparison to the methodology for assessing control risk under the primarily
substantive approach, the methodology under the lower assessed level of control risk
approach involves obtaining and documenting a more extensive understanding of relevant
policies and procedures for all five components of internal control. The component
control activities often may be skipped in some cases when the primarily substantive
approach is used. In addition, under the lower assessed level of control risk approach,
additional or planned tests of controls must be performed in order to obtain the evidence
needed to support the planned assessed level of control risk of moderate or low.
11-11. When the auditor evaluates the effectiveness of a control the auditor should assess (1)
how the control was applied, (2) the consistency with which it was applied during the
period, and (3) by whom it was applied.
11-12.
Types of evidence to
evaluate the effectiveness
of internal control
Inquiries of appropriate entity
personnel

Factors that affect the


reliability of the evidence.

Inspection of documents,
reports, or electronic files,
indicating performance of the
control.

Observation of the application


of the control

Reperformance of the
application of the control by
the auditor, including CAATS

Inquiry is most effective for determining an employees


understanding of computer controls or of his or her duties,
the individuals performance of those duties, and the
frequency, causes, and disposition of deviation.
The results of inquiry is a form of representation by
management or employees and should be corroborated by
other evidence
Inspection of documents may leave documentary evidence
of the audit trail, such as notations on exception reports,
signatures or validation stamps that indicate whether a
control was performed.
Not all controls leave a documentary audit trail. Further,
in some systems, documents may be retained only for a
short period of time.
Observation also is effective for determining how an
employee uses computer output and how an employee
performs his or her duties.
Observation may be affected by the fact that an employee
may perform procedures differently when the auditor is
present.
Observation applies only to the time at which it is
performed.
Reperforming a control, particularly using CAATs,
provides evidence about the effective functioning of the
control at that point in time.
CAATs only provides evidence about the point in time at

when it was performed.

11-13. a.

The timing of tests of controls relates to when it was obtained and the portion of
the audit period to which it applies. For example, performing CAATs, such as the
use of test data, applies only to the point in time when the test was performed.

b.

When the auditor obtains evidential matter about the design or operation of
controls during an interim period, he or she should determine what additional
evidential matter should be obtained for the remaining period. Professional
standards suggest that the auditor should consider the following factors when
determining the evidence that needs to be obtained during the remaining period.
The significance of the assertion involved
The specific controls that were evaluated during the interim period
The degree to which the effective design and operation of those controls were
evaluated
The results of the tests of controls used to make that evaluation
The length of the remaining period
The evidential matter about design or operation that may result from the
substantive test performed in the remaining period.
The auditor should also obtain evidential matter about the nature and extent of
any significant changes in internal control, including its policies, procedures, and
personnel that occur subsequent to the interim period.

c.

The auditor of a private company may consider evidence about the effective
design or operation of internal controls obtained during prior audits in assessing
control risk in the current audit. Professional standards state that when evaluating
the use of evidence obtained in prior audits the auditor should consider:
The significance of the assertion involved.
The specific controls that were evaluated during the prior audits.
The degree to which the effective design and operation of those controls were
evaluated
The results of the tests of controls used to make those evaluations
The evidential matter about design or operation that may result from
substantive tests performed in the current audit.
The auditor should also consider that the longer the time elapsed since the
performance of tests of controls, the less assurance it may provide. Finally, the
auditor needs to evaluate evidence in the current period about whether changes
have occurred in internal control, including its policies, procedures, and
personnel, subsequent to the prior audits, as well as the nature and extent of any
such changes.
Evidence obtained in the prior period is not a substitute for evidence obtained in
the current period. After considering the factors that affect evidence obtained in
the prior period and evidence obtained about changes in the current period, the
evidence may support either increasing or decreasing the additional evidential

matter about the effectiveness of design and operation to be obtained in the


current period.
Students should note that standards are different for auditors of public
companies. If the auditor is issuing an opinion on the effectiveness of
internal controls over financial reporting, evidence supporting that opinion
must be obtained from the current audit period.
11-14. a.
b.

In general, the lower the planned assessed level of control risk, the greater the
extent of tests of controls.
Three factors bear on the auditors decisions about test of controls: (1) the nature
of the control, (2) the frequency of operation of the control, and (3) the
importance of the control.
With respect to the nature of the control the auditor should subject manual
controls to more extensive testing than automated controls. A single test of each
condition of a programmed control may be sufficient to obtain a high level of
assurance that the control operated effectively if general controls are also
operating effectively. However, manual controls usually require more extensive
testing. In general, as the level of complexity and the level of judgment in the
application of a control increase, the extent of the auditors testing should also
increase. If the level of competency of the person performing the control
decreases, the extent of testing should also increase.
With respect to the frequency of operation of the control the more frequent the
operation of a manual control, the more operations of the control the auditor
should test. Controls that operate daily should be tested more extensively than
controls that operate monthly (account reconciliations), or quarterly (quarter end
reviews).
With respect to the importance of the control, controls that are more important
should be tested more extensively. Some controls such as the control
environment or computer general controls have a pervasive impact on other
controls should be subjected to more extensive tests than controls that are less
important to the audit strategy.

11-15. It might be appropriate to use a computer audit specialist to evaluate computer general
controls and application controls. It might also be appropriate to bring in a health care
industry expert to evaluate the risk of incorrect Medicare billing, or a banking industry
expert to evaluate FDIC regulatory compliance.
Entry level staff usually have sufficient qualifications to evaluate internal controls over
routine transactions, such as sales, purchases, or payroll.

11-16. Dual-purpose tests occur when the auditor simultaneously performs tests of controls and
substantive tests of details of transactions to detect monetary errors on the same
transactions.
11-17. a.

For an account affected by a single transaction class, the control risk assessment
for a particular account balance assertion is the same as the control risk
assessment for the same transaction class assertion. Thus, control risk for the
existence or occurrence assertion for the sales account balance is the same as the
control risk assessment for the existence or occurrence assertion for the sales
transactions class. The actual control risk assessment is then compared with the
planned control risk assessment for the assertion. If the actual assessment is not
greater than the planned assessment for the assertion, the planned level of
substantive tests is supported.

b.

For an account affected by more than one transaction class (a balance sheet
account), the combined control risk assessment is based on the control risk
assessment for the transaction class assertions that increase the account balance
and the transaction class assertions that decrease the account balance. Thus,
control risk for the existence of accounts receivable is based on the combined
control risk assessments for the occurrence of sales and the completeness of cash
receipts transactions and the completeness of sales returns and allowance.

11-18. When the control risk assessments for the relevant transaction class assertions differ, the
auditor may (1) judgmentally weigh the significance of each assessment in arriving at a
combined assessment or (2) use the most conservative (highest) of the relevant
assessments. The assessment for each related transaction class assertion must be
considered because a misstatement in any of the relevant transaction class assertions
could produce a misstatement in the account balance assertion.
11-19. a.

b.
11-20. a.

b.

The requirements for documenting the assessed level of control risk are: (1)
control risk at maximum - only this conclusion needs to be documented; (2)
control risk below the maximum - the basis for the assessment must also be
documented.
In practice, documentation of the assessed level of control risk often takes the
form of narrative memoranda organized by financial statement assertions.
The auditor is required to identify and report to the audit committee, or other
entity personnel with equivalent authority and responsibility, certain conditions
that relate to an entity's system of internal control observed during an audit. In
particular, the auditor should report significant deficiencies or material
weaknesses in internal control.
Both significant deficiencies and material weaknesses have more than a remote
likelihood of occurrence. They differ in the magnitude of misstatement that might
result for the deficiency. The magnitude of misstatement in a significant

deficiency is more than inconsequential. The magnitude of misstatement


associated with a material weakness is material.