Chapter 8- Execution Of The Audit – Testing Of Controls PDF

Title Chapter 8- Execution Of The Audit – Testing Of Controls
Course Auditing
Institution Victoria University
Pages 11

Chapter 8- Execution of The Audit – Testing of Controls

Types of controls

ENTITY-LEVEL CONTROLS: the collective assessment of the client’s control environment, risk assessment process, information system, control activities and monitoring of controls

TRANSACTION-LEVEL CONTROLS are designed and implemented by management to reduce the risk of misstatement due to error or fraud and to ensure that processes are operating effectively.
• Controls can include any procedure used and relied upon by the client to prevent errors occurring, or to detect and correct errors that occur

CONTROLS ARE CLASSIFIED AS:
1. Manual controls
2. Automated (or application) controls
3. IT general controls (ITGCs): the overall controls put in place to manage changes to applications and programs as well as limit access to those applications to only appropriate users of the IT applications
4. IT-dependent manual controls: a combination of control types

Objective of Controls:
1. To prevent or detect misstatements in the financial report, or
2. To support the automated parts of the business in the functioning of the controls in place

PREVENTATIVE & DETECTIVE CONTROLS

TESTS OF CONTROLS are the audit procedures performed to test the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level. Ideally, to be effective, transaction controls should include both prevent and detect controls, as detective controls alone may not be sufficient to identify and correct misstatements.

Prevent controls

PREVENT CONTROLS can be applied to each transaction during normal processing to avoid errors occurring
- Preventing errors during processing is an important objective of every accounting system
- When designing controls, consideration is given to what can go wrong with transactions (the risk of material misstatement), which will result in error.
  o Also known as WCGWs (what can go wrongs)
- Effective controls should prevent the WCGWs from occurring, or detect and correct them as soon as possible if they do occur
- Preventive controls may not always have physical evidence indicating if the control was performed and who by.
  o However, if there is evidence (signature on delivery docket) it is hard to determine the effectiveness of it.
• An absence of effective preventive controls increases the risk that errors or fraud will occur, therefore increasing the need for controls that are sensitive enough to detect errors should they occur.
• Preventative controls are often driven by software used by the company and therefore there is no physical evidence of the control
  - commonly automated, e.g. reject duplicate transaction

Detect Controls

1) Purpose: to discover fraud and errors that may have occurred during transaction processing (in spite of any prevent controls) and to rectify those errors. They are necessary to identify and correct errors that do enter the records
2) Usually not applied to transactions during the normal flow of processing, but applied outside the normal flow to partially or fully processed transactions
   – E.g. cheques for payment prepared, and held by system until approved for payment, then processed
   – Once the cheques have been signed as approved for payment, the payables clerk will process the rest of the transactions by ‘releasing’ the payment and recognizing the debit to payables and credits to cash
3) Wide variation in detect controls from client to client in comparison to prevent controls
4) Detect controls also depend on the complexity, preferences and imagination of those who perform the controls
5) Can be informal (list of standard month-end journal entries) and formal (preparation of monthly reconciliation with subsequent follow-up)

It is important that detect controls:
• Completely and accurately capture all relevant data
• Identify all potentially significant errors
• Are performed on a consistent and regular basis
• Include follow-up and correction on a timely basis of any misstatements or issues detected

EXAMPLES OF DETECT CONTROLS:
• Management level analysis and follow-up of reviews: actual vs budgets, prior periods, competitors, industry; anomalies in performance indicators
• Reconciliations with follow-up of reconciling, unusual items, to resolution and correction (e.g. bank reconciliation, subsidiary ledger to control account)
• Review and follow-up of exception reports (automatically generated reports of transactions outside predetermined parameters)
  o Usually can obtain evidence of detect controls’ operation and effectiveness

- Detect controls are often accompanied by physical evidence such as monthly reconciliations

When assessing detect controls it is not necessary for the auditor to re-perform all of the steps in the procedures in order to gain sufficient evidence that the control is operating efficiently. It is normally enough to examine evidence that the reconciliation was properly completed and that the appropriate reviews and follow-ups were carried out by the client in a timely manner.

Manual Controls

• Purely manual controls are those that do not rely on the client’s IT environment for their operation
  o e.g. locked cage for inventory
• Could rely on IT information from others (third parties)
  o e.g. reconcile stock count to computer-generated consignment stock statements
• Most controls rely on IT in some way
  o But in most situations purely manual controls are prevent controls, and therefore the considerations for an effective prevent control listed in the prevent control section are particularly important

Automated Controls

AUTOMATED CONTROLS generally rely on the client’s IT. It is important to identify the extent of reliance a control places on IT to determine the effect of IT on the evaluation of controls. The key consideration for relying on automated aspects of controls is to determine whether or not the client had effective ITGCs

IT General Controls (ITGCs)

• Support the ongoing functioning of automated aspects of prevent and detect controls
• Provide the auditor with a basis for relying on electronic evidence in audit.
• The auditor also needs to identify, understand, walk through, test and evaluate ITGCs that have been implemented for the computer applications they plan to rely on
• ITGCs are important because they impact the effectiveness of both application controls and IT-dependent manual controls. They also potentially affect the reliability of electronic audit evidence the auditor may wish to rely upon

Types of ITGCs:

Program change controls
Only appropriately authorized, tested and approved changes are made to applications, interfaces, databases and operating systems
- Example of tests: examine documentation for evidence that changes were authorised, tested and approved by appropriate personnel.

Logical access controls
Only authorized personnel have access to data and applications and can perform authorized tasks and functions
- Example: the accounts receivable clerk does not have access or authorization to the cash payments application
- Example of tests: check effectiveness of control software, test/observe login history of staff ID against those with authorized access & violation or exception reports

Other ITGCs, e.g. data back-up
Ensuring that regular and timely backups are made, following up program errors and faults, planning upgrades to programs and applications on a timely basis

Application Controls

The fully automated controls that apply to processing of individual transactions and support segregation of duties.
• They are controls that are driven by the particular software application being used (hence the name)
• e.g. edit checks, validations, calculations, interfaces, authorizations
• Application controls may also be important in the enforcement of segregation of incompatible duties
  o Easier in large organisations, difficult in smaller

IT DEPENDENT MANUAL CONTROLS

• The auditor identifies a prevent and detect control that has both manual and automated aspects
  – Consideration has to be given to both manual and automated aspects
  – E.g. management reviews a monthly variance report (automated) and follows up (manual) on significant variances
  – Clients rely on both application and IT general controls to ensure computer-produced information is complete and accurate
• When evaluating the completeness and accuracy of computer-produced information, auditors need to identify the source and the controls that ensure the information is complete and accurate.
• Auditors need to consider both application controls and ITGCs to determine the effectiveness
  – If they do not, they run the risk of placing undue reliance on reports or data produced by the client
  – Auditors need to ensure the information they plan to rely upon is accurate and complete.
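The logical access test listed under Types of ITGCs (login history of staff IDs against those with authorized access, and against violation or exception reports) can be run mechanically once the three listings are obtained. This is an added example, not part of the original notes; the staff IDs, application names, event IDs and field layout are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    event_id: str
    staff_id: str
    application: str
    outcome: str  # "granted" or "denied"


# Constructed sample data, not taken from any real client system.
# Authorised access listing: staff ID -> applications they may use.
AUTHORISED = {
    "AR01": {"accounts_receivable"},
    "AP01": {"accounts_payable", "cash_payments"},
    "FM01": {"accounts_receivable", "accounts_payable", "cash_payments"},
}

# Login history extracted from the access control software.
LOGIN_HISTORY = [
    LoginEvent("E1", "AR01", "accounts_receivable", "granted"),
    LoginEvent("E2", "AR01", "cash_payments", "denied"),
    LoginEvent("E3", "AP01", "cash_payments", "granted"),
    LoginEvent("E4", "AR01", "cash_payments", "granted"),
    LoginEvent("E5", "TEMP9", "accounts_payable", "denied"),
]

# Event IDs that appear on the client's own violation/exception report.
CLIENT_EXCEPTION_REPORT = {"E2"}


def review_logical_access(history, authorised, exception_report):
    """Return the control exceptions found in the login history.

    unauthorised_granted: the prevent control failed (access was given
        to a staff ID that is not on the authorised listing).
    unreported_attempts: the detect control failed (an unauthorised
        attempt is missing from the client's exception report).
    """
    unauthorised_granted = []
    unreported_attempts = []
    for ev in history:
        # Unknown staff IDs have no authorised applications at all.
        if ev.application in authorised.get(ev.staff_id, set()):
            continue
        if ev.outcome == "granted":
            unauthorised_granted.append(ev.event_id)
        if ev.event_id not in exception_report:
            unreported_attempts.append(ev.event_id)
    return {
        "unauthorised_granted": unauthorised_granted,
        "unreported_attempts": unreported_attempts,
    }


if __name__ == "__main__":
    print(review_logical_access(LOGIN_HISTORY, AUTHORISED, CLIENT_EXCEPTION_REPORT))
```

Each event ID returned is a control exception to investigate; an empty result for the period supports reliance on the access control.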

TECHNIQUES FOR TESTING CONTROLS

AUDITOR USES COMBINATION OF TECHNIQUES WHEN TESTING CONTROLS

1. ENQUIRY
• Questioning skills to determine how the control is completed and whether it appears to have been carried out properly and on a timely basis.
  o The auditor may ask the employee that prepares the reconciliation how reconciliation items are identified, the reason for them and the procedures in place to ensure that the accounting records are correct and completed on a timely basis
  o Auditors may question management how they make sure the reconciliation is prepared correctly

2. OBSERVATION
– Auditor observes the actual control being performed, such as observing the preparation of a bank reconciliation
– A limitation is that the employee might be more diligent when observed

3. INSPECTION OF PHYSICAL EVIDENCE
– Relying on the auditor testing the physical evidence to verify that a control has been performed properly
  • E.g. the auditor may trace amounts on the reconciliation to accounting records or other documents.
  • This gains evidence of the procedure being performed properly
– Examine reconciling items to determine whether the reconciliation routinely detects errors and action is taken to deal with errors

4. RE-PERFORMANCE
– Auditor re-performs the control to test the effectiveness (e.g. prepares reconciliation)
– The auditor tests the application control for cash payments to ensure an unauthorized employee is unable to make a cash payment and the unauthorized attempt is recorded on an exception report

Selecting and Designing Tests of Controls

A large degree of professional judgement is to be applied when deciding which controls should be selected for testing and the extent of the audit testing to be performed

Which Controls Should Be Selected for Testing

• Controls are put in place to prevent and detect
• When an auditor decides to include controls testing in the approach, they select controls that will provide the most efficient and effective audit evidence
• To improve efficiency: auditors test only those controls that they believe are critical to their opinion
  o That is, those controls that provide reasonable assurance that the controls are operating effectively throughout the period
• To improve effectiveness: test controls that address multiple WCGWs
  o If one test addresses multiple WCGWs then it stands to reason that the control would be selected instead of several different controls – obtaining the same level of assurance

How Much Does the Auditor Do?

• Extent of testing based on statistical sampling (see chapter 7) or professional judgement
• How much testing should be performed is aligned with the frequency of the control performed
• The more assurance the auditor wants from the performance of controls the more testing they need to do
• If they intend to reduce control risk to the lowest level possible they perform more testing than if they are planning to obtain only limited assurance for their testing
• Consider factors such as
  o How often is the control performed? Daily, weekly, monthly etc.: more often = more testing
  o Degree to which the auditor intends to rely on the control as a basis for limiting their substantive tests: more = more testing
  o Persuasiveness of evidence produced from the control: more = less testing
  o Need to be satisfied that the control operated as intended throughout the period; interim testing might be required for certain controls
  o Existence of a combination of controls that may reduce the level of assurance that may be needed from any one control (could provide increased assurance; less reliance on single control = less testing)
  o Relative importance of WCGW, and assurance required is based on consideration of several issues
• Also consider other factors that relate to the likelihood that a control operated as intended, including
  – Competence and integrity of person performing control
  – Quality of control environment, e.g.
    • Chance of management to override controls
    • Internal auditing work
    • Effect on operation of control throughout period
  – Changes in accounting system
  – Explained changes in related account balances
  – Auditor’s prior experience with client
• Even if the test reduces the risk of errors, the main objective should be met: testing must provide enough evidence to be able to reasonably conclude that the control is effective throughout the period of reliance
• Large sample sizes are generally unnecessary for testing
  – 20/30 items are normally tested
  – This sample size is calculated via attribute sampling
• Attribute sampling is a sampling technique that is used to reach a conclusion about a population in terms of a frequency of occurrence
  – E.g. attribute being tested could be presence/absence of authorizing signature on document
  – Most often used for testing of controls rather than substantive testing.
  – Evidence of one exception (or deviation) in sample
    • Investigate cause of exception,
    • Increase sample and extend testing, or
    • Amend decision to rely on control – test other controls and/or increase substantive testing

Control exception: an observed condition that provides evidence that the control did not operate as intended.

Application Controls

The auditor relies on application controls identified and evaluated earlier in the audit, and determines whether each can be relied upon as an effective control. The auditor also tests the operating effectiveness of the control over the period of reliance by one or both of the following methods

1. Test operating effectiveness
   – Test manual follow-up procedures that support the application control
     • E.g. investigate how the client follows up on a computer-generated exception report for sales with no prices in the master file
2. Test controls over program changes, and/or access to data files
   – Test ITGCs
     • E.g. test controls to ensure that all changes to the pricing master file are approved

• If these tests are not feasible, the auditor can still rely on application controls by testing them over a period.
  – E.g. using a master file of prices and comparing them to the prices charged on a sample of invoices
• When the client relies on controls over program changes and/or access to data files, it is efficient for the auditor to test these controls as they may support reliance on several other application controls
• The auditor, regardless of the auditing strategy selected, establishes a basis for concluding that the underlying processing of data is complete and accurate.
  – This usually involves enquiry, observation and examination of physical evidence
• Recognizing that application controls operate in a systematic manner, the auditor may be able to limit their testing of those controls to the significant transaction types

Bench Marking

– Carry forward the benefit of certain application controls testing into future audit periods
  • It can also assist in reducing or eliminating certain substantive audit procedures in the current and following audit periods
– Computer will continue to perform the procedure in the same way until the application program is changed
  • If the auditor can verify that a given program that executes a process or control has not changed since last tested, they may decide not to repeat a certain audit procedure
  • Most likely occurs when
    o Specific program can be identified
    o Application is stable
    o Reliable record of program changes available
– The auditor establishes a benchmark as at a point in time by performing tests of application controls using normal auditing procedures
  • Then at a later point they determine that the application has not been changed or modified since they performed their test of the application control
– It is a matter of professional judgement as to when it is necessary to re-benchmark an application
  • Factors in considering effectiveness: nature and timing of other related tests, and the consequence of associated errors
– Benchmarking is relied on yearly or interim by the auditor
– Benchmarking may not be an effective strategy if the complexity of the application makes it difficult to easily identify and test the function or application the auditor wants to test and rely upon.
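One way to carry out the "has not changed since last tested" check in benchmarking is sketched below as an added example; it is not part of the original notes. It assumes the auditor keeps a SHA-256 digest of each identified program as the benchmark and has the client's record of approved program changes; the program names and contents are constructed.

```python
import hashlib


def digest(program_bytes):
    """SHA-256 fingerprint of a program's contents."""
    return hashlib.sha256(program_bytes).hexdigest()


def take_benchmark(programs):
    """Record a digest per program at the time the control was tested."""
    return {name: digest(body) for name, body in programs.items()}


def assess_benchmark(benchmark, current_programs, approved_changes):
    """Classify each benchmarked program at a later audit date.

    carry_forward      unchanged since the benchmark, prior test still applies
    re_benchmark       changed, and the change is on the approved change record
    unrecorded_change  changed with no change record (program change control
                       exception; the change record is not reliable)
    not_found          program can no longer be identified
    """
    results = {}
    for name, old_digest in benchmark.items():
        body = current_programs.get(name)
        if body is None:
            results[name] = "not_found"
        elif digest(body) == old_digest:
            results[name] = "carry_forward"
        elif name in approved_changes:
            results[name] = "re_benchmark"
        else:
            results[name] = "unrecorded_change"
    return results


# Constructed sample data: program contents at the benchmark date...
PROGRAMS_AT_BENCHMARK = {
    "pricing_calc": b"price = master_file[item] * qty",
    "duplicate_check": b"reject if invoice_no in posted",
    "aging_report": b"bucket = (today - due_date) // 30",
}
# ...and at the later audit date.
PROGRAMS_NOW = {
    "pricing_calc": b"price = master_file[item] * qty * (1 - disc)",
    "duplicate_check": b"reject if invoice_no in posted",
    "aging_report": b"bucket = (today - due_date) // 31",
}
# Programs named on the client's approved change record (constructed).
APPROVED_CHANGES = {"pricing_calc"}


if __name__ == "__main__":
    bm = take_benchmark(PROGRAMS_AT_BENCHMARK)
    for name, status in assess_benchmark(bm, PROGRAMS_NOW, APPROVED_CHANGES).items():
        print(name, status)
```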

Timing of tests of controls

• Usually at interim date, especially if controls relied upon to reduce substantive procedures
• Preferable to test entity-level controls and ITGCs early in audit because results impact other tests the auditor plans to perform
• Update interim results and evaluation at year-end
  o Identify relevant changes in environment and controls

EXAMPLE EXTENT OF TESTING TABLE

Table 8.3 Example extent of testing table

Table 8.3 is an example of how two different auditors are likely to design their own extents of testing.

Results of the Auditor’s Testing

Do results of control testing confirm the preliminary evaluation of controls and control risk based on internal control documentation?
• If so, do not modify planned substantive procedures
• If not,
  • Are compensating controls available? Test
  • Revise audit risk assessment for related account and the planned audit strategy

When deciding whether there is a need for additional tests of controls, consider:
a) Results of enquiries and observations
   - could reveal alternative controls now being relied upon that need to be tested
b) Evidence provided by other tests
   – substantive tests can provide evidence about continued functioning of controls
   – E.g. examining an invoice for evidence of payables balance could provide evidence of controls over purchases and payables
c) Changes in overall control environment
   – change in key personnel could make additional control tests necessary

Document conclusions

Results of control testing documented in working papers
• Test performed
• Purpose of test of controls
• Actual controls selected for testing
• Results of testing: exceptions found

Document in sufficient detail to allow another auditor to perform the same test
• Extent of documentation depends on complexity of client’s operations, systems and controls
• Review impact of testing controls on rest of audit

Figure 8.3 Example tests of control working paper

IMPACT OF CONTROLS TESTING ON LEVEL OF SUBSTANTIVE TESTING

Figure 8.4 Impact of controls testing on level of substantive testing...

