TASMANIAN SCHOOL OF
BUSINESS AND ECONOMICS
BFA303 Auditing
Week 8
Execution of the Audit: Testing Controls
Part A: Types of Controls
Readings & references
Reading
• Chapter 8 of Moroney et al (Pages 268 to 277)
• ASA 230 Audit Documentation
• ASA 260 Communication with Those Charged with Governance
• ASA 315 Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and its Environment
Phases of an Audit
• The main phases of an audit are: Risk Assessment Phase; Risk Response Phase; Reporting Phase.
Introduction
Phases of an audit
• Planning: accepting the engagement; understanding the client; risk identification and strategy; risk and materiality assessment
• Performing: execution
• Reporting: conclusion and reporting
Overview of risk response
[Diagram: client acceptance/continuation decision; risk assessment (gain an understanding of the client; identify significant accounts and transactions; set planning materiality; identify what can go wrong; gain an understanding of key internal controls; develop an audit strategy); gaining an understanding of the client's system of internal controls; controls strategy and substantive strategy; audit sampling; concluding and reporting (subsequent events; conclusions; reporting). Side label: Audit Evidence.]
Introduction
• As we have seen, as part of the planning process, the auditor
conducts an assessment of business risk and the associated
evaluation and assessment of inherent risk and control risk.
• These assessments will identify the classes of transactions
and events, balances and related disclosures that contain a
risk of material misstatement, and consequently through
application of the audit risk model will have determined the
detection risk.
• The auditor then prepares an audit program which outlines the
audit tests that the auditor intends to undertake to reduce the
risk of material misstatement to an acceptable level.
• There are two major types of audit tests: tests of controls and
substantive tests.
• The purpose of tests of controls is to support an assessed level of
control risk.
• The purpose of substantive tests of transactions and balances and
substantive analytical procedures is to reduce the auditor’s
detection risk.
• If control risk is assessed as being at any level less than high, then
tests of controls must be undertaken to provide evidence of the
existence, effectiveness and continuity of key controls.
• Deciding which controls to test will be influenced by the type of
control, the frequency with which the control is being performed
and the level of assurance that the auditor wishes to obtain that
the control has been designed and implemented effectively.
Types of Controls
As we saw in week 6, controls are of two types:
Entity Level Controls
• The collective assessment of the client's environment;
risk assessment process; information system; control
activities and monitoring of controls
• An example of such a control might be the internal
audit function
Transaction Level Controls
• These controls impact a particular transaction, or
group of transactions.
• They are aimed at preventing an error from entering
the records, or detecting errors that do enter the
records.
As we also saw in week 6, entity level controls are assessed using
the COSO Framework as provided in ASA315. The five components of
the internal control system are:
• Control environment
• The entity's risk assessment process
• The information system
• Control activities
• Monitoring of controls
Transaction level controls are related to control activities, one of
the five components of the internal control system in the ASA315
framework.
• Transaction level controls are designed to reduce the risk of
misstatement due to error or fraud and to ensure that
processes are operating effectively.
• Such controls can include any procedure used and relied upon
by the client to prevent errors occurring or to detect and
correct errors that occur.
• Such controls have two main objectives:
a. To prevent or detect misstatements in the financial
report;
b. To support the automated parts of the business in the
functioning of the controls in place.
• An entity's control environment consists of a mixture of manual
controls and automated controls (ASA 315:A61).
• Controls can be classified as one of four types (according to
Moroney et al):
– Manual controls
– Automated (or application) controls
– IT general controls
– IT-dependent manual controls
• Prevent controls
• Detect controls
Tests of controls are audit procedures used to test the operating
effectiveness of controls in preventing or detecting and
correcting material misstatements at the assertion level.
Prevent Controls
• Prevent controls can be applied to each transaction during
normal processing to avoid errors occurring.
• To be effective, controls over transactions should ideally
include both prevent and detect controls.
• Effective controls should prevent WCGWs (what can go
wrong) from occurring or, if they do occur, ensure that the errors
are detected and corrected as quickly as possible.
• In some cases there may be evidence that the control was
performed, but evidence as to the effectiveness of the control
is not available (e.g. a signature on a delivery docket may not
indicate that the goods were actually checked).
[Table: examples of prevent controls from Moroney et al.]
Detect Controls
• Detect controls are necessary to identify and correct errors
that DO enter the records.
• They are usually not applied to the transaction during the
normal flow of processing, but applied outside the normal flow
to partially or fully processed transactions.
• An example would be cheque payments being prepared and
held by the system until approved for payment (by an
authorized person) and then processed.
• Detect controls vary widely from client to client and depend
on the client's complexity and preferences.
It is important that detect controls:
• Completely and accurately capture all relevant data;
• Identify all potentially significant errors;
• Are performed on a consistent and regular basis;
• Include follow up and correction on a timely basis if any
misstatements or issues are detected.
Examples of detect controls:
• Management level analysis and follow-up of reviews: actual vs
budgets, prior periods, competitors, industry; anomalies in
performance indicators.
• Reconciliations with follow-up of reconciling, unusual items, to
resolution and correction.
• Review and follow-up of exception reports (automatically
generated reports of transactions outside pre-determined
parameters).
[Table: examples of detect controls from Moroney et al.]
Types of Controls
• Controls in IT systems are a combination of automated controls
(e.g. automatically generated exception reports) and manual
controls (e.g. reviews conducted on automatically generated
exception reports)
• The mix of manual and automated controls will vary between
entities.
System of internal control
• Manual control elements
– Suitable where judgement and discretion are required: large, unusual or non-recurring transactions; errors are difficult to define, anticipate or predict
– Examples: approval of transactions; review of transactions; follow-up of reconciliations
• Automated control elements
– Suitable for: high volume or recurring transactions; errors that can be anticipated or predicted
– Example: controls embedded in computer programs
Manual v Automated Controls
| | Manual Controls | Automated Controls |
| Benefits | (ASA 315:A64) Suitable for: large, unusual transactions; circumstances where errors are difficult to predict; monitoring of internal controls | (ASA 315:A62) Arise from: consistently applying predefined business rules and performing complex calculations; reducing the risk that controls will be overridden |
| Risks | (ASA 315:A65) More easily ignored or overridden; less suited for high volume or recurring transactions | (ASA 315:A63) Reliance on systems or programs that are inaccurately processing data or processing inaccurate data; inappropriate manual intervention; unauthorised changes to data in master files or to systems or programs |
IT Application Controls and IT General Controls
| IT Application Controls (ITAC) | IT General Controls (ITGC) |
| Procedures that occur when transactions are processed by individual applications (ASA 315:A109) | Controls that support effective functioning of application controls (ASA 315:A108) |
| Designed to ensure the integrity of data recorded | Examples an auditor would be interested in: |
| Auditors are concerned with ITACs that relate to initiation, recording, processing and reporting of transactions | – Security access controls to the network where the finance systems operate |
| ITACs provide evidence to support assertions about classes of transactions; account balances; and presentation and disclosure | – Application change controls |
| Examples: edit checks of input data; numerical sequence checks with manual follow-up | – Application development and maintenance controls |
Part B: Testing of Controls
Readings & references
Reading
• Chapter 8 of Moroney et al (Pages 277 to 283)
• ASA 230 Audit Documentation
• ASA 260 Communication with Those Charged with Governance
• ASA 315 Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and its Environment
Techniques for Testing Controls
Tests of Controls
• Tests of controls are auditing procedures performed to determine the
effectiveness of the design and operation of internal controls. The
auditor should obtain audit evidence through tests of controls to support
any assessment of control risk which is less than high.
• The lower the assessment of control risk, the more support the auditor
should obtain that internal control systems are suitably designed and
operating effectively.
• The relevant standard is ASA 330: The Auditor’s Response to
Assessed Risks
• When the auditor’s assessment of risks of material misstatement
at the assertion level includes an expectation that controls are
operating effectively, the auditor shall design and perform tests of
controls to obtain sufficient appropriate audit evidence that the
controls were operating effectively at relevant times during the
period under audit.
Techniques for Testing Controls
The auditor uses a combination of techniques when testing
controls:
• Enquiry: auditor questions employee performing control and management about reviewing controls
• Observation: auditor observes actual control being performed (but the employee might be more diligent when observed)
• Inspection of physical evidence: trace from reconciliation to accounting records or other documents
• Reperformance: auditor reperforms the control (e.g. prepares a reconciliation)
Tests of Controls
• The nature of tests of the operating effectiveness of controls
includes:
– Enquiring of personnel about the performance of their duties
– Observing personnel perform their duties
– Inspecting documents and reports indicating performance of
controls
– Re-performing the control (or procedures)
• The timing of tests of the operating effectiveness of controls relates
to when they are performed:
– Year end
– Interim
• The extent of tests of the operating effectiveness of controls (how
much) is directly affected by the auditor's planned assessed level of
control risk and evidence about the effectiveness of controls from
prior audits.
• Tests of controls relating to design are concerned with whether
the control is suitably designed to prevent or detect
misstatements in a specific financial statement assertion.
• Tests of controls of operating effectiveness of control
procedures are concerned with whether controls are actually
working.
• Tests of design are normally performed at the ‘obtaining
understanding’ stage; tests of operation are performed mainly at
the interim audit or final audit stage.
With respect to tests of controls in a computer information system to
test operating effectiveness, there are various tests that can be
performed:
• Test data
– Dummy transactions are prepared by the auditor and
processed under auditor control by the entity’s software
• Integrated test facility
– Creation of a small sub-system within the regular
computer system. Dummy files and dummy transactions
with errors are used to see if the system handles
• Parallel simulation
– Reprocessing actual data through auditor controlled
software
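Parallel simulation as described above, as an added example that is not part of the original slides: auditor-controlled code recomputes invoice extensions from a pricing master file and compares them with the amounts the client's system posted. The file layouts, item codes and amounts are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data (not from the slides): the client's pricing master
# file and the invoice lines as posted by the client's own system.
PRICE_MASTER = {"A100": Decimal("12.50"), "B200": Decimal("3.20")}
CLIENT_LINES = [
    {"invoice": "INV-001", "item": "A100", "qty": 4, "posted": Decimal("50.00")},
    {"invoice": "INV-002", "item": "B200", "qty": 10, "posted": Decimal("32.00")},
    {"invoice": "INV-003", "item": "A100", "qty": 2, "posted": Decimal("52.00")},
    {"invoice": "INV-004", "item": "C300", "qty": 1, "posted": Decimal("9.99")},
]


def parallel_simulation(lines, price_master, tolerance=Decimal("0.00")):
    """Reprocess actual data with auditor-controlled logic.

    Returns a list of (invoice, reason, recomputed, posted) exceptions that
    the auditor must follow up with the client.
    """
    exceptions = []
    for line in lines:
        price = price_master.get(line["item"])
        if price is None:
            # A sale with no price in the master file: the client's
            # exception report should have caught this line as well.
            exceptions.append(
                (line["invoice"], "NO_PRICE_IN_MASTER", None, line["posted"])
            )
            continue
        recomputed = (price * line["qty"]).quantize(Decimal("0.01"))
        if abs(recomputed - line["posted"]) > tolerance:
            exceptions.append(
                (line["invoice"], "EXTENSION_MISMATCH", recomputed, line["posted"])
            )
    return exceptions


if __name__ == "__main__":
    for invoice, reason, recomputed, posted in parallel_simulation(
        CLIENT_LINES, PRICE_MASTER
    ):
        print(f"{invoice}: {reason} recomputed={recomputed} posted={posted}")
```

The comparison is only as independent as the inputs: the auditor should obtain the transaction and master file extracts directly rather than through reports produced by the program under test.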
Selecting and Designing Tests of Controls
• The selection and design of tests of controls is an area that
requires a large degree of professional judgement.
• In particular, auditor professional judgement needs to be
exercised in:
1. Deciding which controls should be selected for testing; and
2. Determining the extent of audit testing to be performed.
Which Controls Should be Selected for Testing?
• The auditor should select controls that will provide the most
efficient and effective audit evidence.
• The auditor would increase audit efficiency by only testing
controls that are critical to the audit opinion.
• That is, testing those controls that address the What Could Go
Wrongs (WCGW) most effectively with the least amount of
testing.
• It is more efficient to test controls that address multiple
WCGWs
How Much Testing Does the Auditor Need to do?
• The extent of control testing can be based on statistical
sample selection (recall an earlier topic) or professional
judgements.
• The more assurance the auditor wants from the performance
of the control, the more testing they need to do.
• If they are intending to reduce control risk to the lowest level
possible, they perform more testing
Factors to consider:
| Factor | Effect on the amount of testing |
| How often is the control performed? | If it is more often then there will need to be more testing. |
| The degree of reliance on the control | If there is a high degree of reliance, then there will need to be more testing. |
| The persuasiveness of evidence produced from the control | If a high degree of persuasiveness is required, then there will need to be more testing. |
| The need to be satisfied the control operated as intended throughout the year | Some controls may only need evidence at year end, others throughout the year. |
| The existence of a combination of controls | May reduce the level of assurance needed from any one control. |
| WCGW questions | The relative importance of WCGW questions or statements. |
| Other | Competence and integrity of person performing the control; quality of control environment; changes in the accounting system; unexplained changes in related account balances; auditor's prior experience with the client. |
• Tests of controls are looking for deviations or exceptions in the
control.
• For the attribute being tested there are generally only two possible
outcomes (e.g. if the attribute being tested is a signature on a
reconciliation, it will either be present or not present).
• Attribute sampling is a sampling technique used to reach a
conclusion about a population in terms of a rate (frequency) of
occurrence (e.g. a sample of cash payments can be examined for
approval signatures) – therefore it is a method used in control
testing.
• The sample size in attribute sampling can be calculated using
audit risk tables.
• Using this sampling method, the auditor is able to determine with a
certain level of confidence (e.g. 90% or more) that the error rate
for control exceptions/deviations is acceptably low.
• Regardless of the size of the sample, all control
exceptions/deviations need to be investigated by the auditor.
• The detection of one control deviation may result in the
auditor:
– Increasing the sample size and extending control testing;
or
– Amending the decision to rely on the particular control and
considering whether another compensating control is
available and testing that alternative control; or
– Deciding that the initial assessment of control risk is not
appropriate, revising control risk and extending substantive
testing.
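An added example (not from the slides or from Moroney et al) of what attribute sampling tables tabulate, assuming a binomial model and, for the sample size, zero expected deviations: it sizes a sample of cash payments to be checked for approval signatures and then evaluates the deviations found. A firm's own tables may give slightly different figures.

```python
from math import ceil, comb, log


def sample_size_zero_expected(confidence, tolerable_rate):
    """Smallest n such that, if the true deviation rate were as high as the
    tolerable rate, a sample with zero deviations would occur with
    probability at most (1 - confidence)."""
    return ceil(log(1 - confidence) / log(1 - tolerable_rate))


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n, deviations, confidence):
    """One-sided exact upper bound on the population deviation rate:
    the rate p at which seeing this few deviations has probability
    (1 - confidence). Found by bisection on the binomial CDF."""
    if deviations >= n:
        return 1.0
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, n, mid) > alpha:
            lo = mid  # this rate is still plausible, so the bound is higher
        else:
            hi = mid
    return hi


def evaluate_sample(n, deviations, confidence, tolerable_rate):
    """Compare the upper deviation limit with the tolerable rate."""
    limit = upper_deviation_limit(n, deviations, confidence)
    return {
        "sample_rate": deviations / n,
        "upper_limit": limit,
        "supports_reliance": limit <= tolerable_rate,
    }


if __name__ == "__main__":
    # Assumed parameters: 95% confidence, 5% tolerable deviation rate.
    n = sample_size_zero_expected(0.95, 0.05)
    print("sample size:", n)
    for missing_signatures in (0, 1):
        print(missing_signatures, evaluate_sample(n, missing_signatures, 0.95, 0.05))
```

With these assumed parameters a single missing signature pushes the upper limit above the tolerable rate, which is why one deviation can lead to extended testing or a revised control risk assessment.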
Application Controls and the Amount of Testing
• Recall from Part A that application controls are automated controls as
part of the IT system.
• Recall also within the IT system there are two types of controls: IT
application controls (ITAC) and IT general controls (ITGC).
• With respect to application controls, there are two methods that are
used to test:
1. Test operating effectiveness – test the follow-up procedures that
support the application control (e.g. investigate how the client
follows up on computer-generated exception reports for sales
with no prices in the master file).
2. Test controls over program changes, and/or access to data files –
test the ITGCs (e.g. test controls to ensure that all changes to the
pricing master file are approved).
Application Controls – Benchmarking
• Benchmarking is an audit testing strategy where the benefit of certain
application controls testing can be carried forward into future periods.
• Based on the premise that the computer will continue to perform the
procedure in the same way until the application program is changed.
• If the auditor can verify that a given program that executes a process or
control has not changed since last tested, they may decide not to repeat
certain audit procedures in a subsequent period.
• Benchmarking as an audit testing strategy is more likely to be used
when:
– A programmed control can be matched to a defined program within
an application (e.g. invoice extension calculations);
– The application has had no changes or few changes and is stable;
– There is a reliable record of program changes available.
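One way to support a benchmarking decision, as an added example that is not part of the original slides: compare a cryptographic hash of the program recorded when the control was last tested with the hash of the current program, and cross-check the change log. The file name, baseline layout and change-log fields are hypothetical.

```python
import hashlib
import tempfile
from datetime import date
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large program files are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def benchmark_decision(program_path, baseline, change_log):
    """Decide whether last period's test of a programmed control can be
    carried forward.

    baseline:   {"sha256": str, "tested_on": date}, kept in the audit file,
                outside the client's control (hypothetical layout).
    change_log: list of {"program": str, "date": date, "approved": bool}.
    """
    name = Path(program_path).name
    logged = [
        c for c in change_log
        if c["program"] == name and c["date"] > baseline["tested_on"]
    ]
    if sha256_file(program_path) != baseline["sha256"]:
        if not logged:
            return ("RETEST", "program changed with no change-log entry; "
                              "the change record is not reliable")
        return ("RETEST", "program changed since it was last tested")
    if logged:
        return ("INVESTIGATE", "change log shows a change but the program "
                               "hash is the same as the baseline")
    return ("CARRY_FORWARD", "program unchanged since last tested")


def demo():
    """Constructed scenario using a hypothetical invoice-extension program."""
    with tempfile.TemporaryDirectory() as workdir:
        prog = Path(workdir) / "invoice_extension.py"
        prog.write_text("def extend(qty, price):\n    return qty * price\n")
        baseline = {"sha256": sha256_file(prog), "tested_on": date(2023, 6, 30)}
        logged = [{"program": prog.name, "date": date(2023, 9, 1), "approved": True}]

        unchanged = benchmark_decision(prog, baseline, [])
        log_only = benchmark_decision(prog, baseline, logged)
        # Simulate an unlogged modification of the calculation.
        prog.write_text("def extend(qty, price):\n    return qty * price * 1.1\n")
        unlogged = benchmark_decision(prog, baseline, [])
        return unchanged[0], log_only[0], unlogged[0]


if __name__ == "__main__":
    print(demo())
```

The hash must be taken from the program actually running in production (the deployed binary or script, not a source copy supplied on request), otherwise a match says nothing about the control in operation.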
Tests of Controls – Timing
• Usually testing of controls is carried out at an interim date,
especially if controls are relied upon to reduce substantive
testing in the audit process
• It is preferable to test entity-level controls and ITGCs early in
the audit because the results of testing these impact on other
audit testing
• If control testing is carried out at an interim date, the auditor
will need to confirm that no significant changes have occurred in
the control environment or the operation of the control between
the interim date and the end of the year.
Tests of Controls – Extent
• The selection of how many instances of each control to test is a matter
of professional judgement on the part of the auditor.
• A limited level of assurance for control testing may be planned when
other testing (e.g. substantive testing) is available. This then will lead to
smaller sample sizes for the control testing.
• If on the other hand a more than limited level of assurance for control
testing is planned (i.e. where there is not any additional audit evidence
or substantive testing available) then larger sample sizes will be needed
for control testing.
• Recall that attribute sampling is a statistical sampling methodology (e.g.
through the use of tables, certain confidence levels can be obtained)
• Further, in order to obtain reasonable assurance and to conclude with
95% confidence that the controls are operating effectively, multiple
controls should be tested for each management assertion and material
balance.
Part C: The Results of Testing of Controls
Readings & references
Reading
• Chapter 8 of Moroney et al (Pages 283 to end)
• ASA 230 Audit Documentation
• ASA 260 Communication with Those Charged with Governance
• ASA 315 Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and its Environment
Results of the Auditor’s Testing
Control Risk Confirmed or Not?
• If the tests of controls confirm the auditor's preliminary
evaluation of control risk, the planned level of substantive audit
procedures is not modified.
• If the tests of controls do not confirm the auditor's preliminary
evaluation of control risk, the auditor revises the overall audit
risk assessment for the related account and the planned audit
strategy (to more substantive audit procedures).
• See the following diagram
[Flowchart]
1. For any control exceptions identified, are there compensating controls you can test?
– Yes: test these controls.
– No: document the results and the impact on the audit strategy.
2. Do these alternative tests confirm the original assessment of control risk?
– Yes: do not change the audit approach.
– No: document the results and the impact on the audit strategy.
When deciding whether there is a need for additional tests of controls,
consider:
a) Results of enquiries and observations:
• Could reveal alternative controls now being relied upon and
need to be tested.
b) Evidence provided by other tests:
• Substantive tests can provide evidence about continued
functioning of controls.
• E.g. examining invoice for evidence of payables balance
could provide evidence of controls over purchases and
payables.
c) Changes in overall control environment:
• Change in key personnel could make additional control
tests necessary.
Documenting Conclusions
• Once the controls have been tested, the auditor documents their
work and results in a working paper as required by ASA 230
Audit Documentation.
• This working paper contains details of:
• tests performed
• purpose of test of controls
• actual controls selected for testing
• results of testing – exceptions found.
• Document in sufficient detail to allow another auditor to perform
same test and reach the same conclusions.
• Extent of documentation depends on complexity of client’s
operations, systems and controls.
[Figure: example tests of control working paper.]
[Figure: impact of controls testing on level of substantive testing.]
Copyright notice
Copyright © 2020
University of Tasmania, Tasmanian School of Business and Economics
All rights reserved.
Commonwealth of Australia Copyright Regulations 1969 – WARNING
This material has been reproduced and communicated to you by or on behalf of the
University of Tasmania pursuant to Part VB of the Copyright Act 1968 (the Act). The
material in this communication may be subject to copyright under the Act. Any further
reproduction or communication of this material by you may be the subject of copyright
protection under the Act. Do not remove this notice.