.

Wednesday, February 27, 2019

Control risk Essay

The attendant carrys an brain of the existent body and implementation of inhering envision to tie a anterior sagaciousness of keep chance as set off of the listeners general Assessment of the take a chance of solid misstatements. The meeter applys this preliminary discernment of experience luck to plan the examine for individu on the wholey framework class of doings. However, in some instances the grassvassed billhookor whitethorn learn that the run into deficiencies ar signifi keistert such(prenominal) that the nodes fiscal statements whitethorn non be croupevassable. So, out front do a preliminary appraisal of learn encounter for distributively solid class of minutes, the heargonr essential first subside whether the entity is inspectable. Two first factors sic take stockability the integrity of heed and the ade quacy of accountancy records. If attention lacks integrity, or so he atomic number 18rs leave al wizard non ges tate the engagement. The accounting records atomic number 18 an classic source of size up turn up for most analyse accusings. If the accounting records ar deficient, necessary analyse evidence whitethorn non be available. For example, if the client has not kept duplicate gross gross revenue invoices and vendors invoices, it is commonly im practical to do an analyse.In complex IT environments, much of the sufficeance data is available l cardinal(prenominal) in electronic form without generating a visible audit trail of documents and records. In that case, the company is unremarkably politic auditable however, attendees must(prenominal) task whether they cede the necessary skills to gather evidence that is in electronic form and buns assign personnel with adequate IT homework and experience. After entertaining an under stand up of cozy subordination, the attendee makes a preliminary sagaciousness of authority chance as per centum of the attendants overall taskment of the jeopardize of literal misstatement. This sound judgment is a mea truely of the heargonrs expectation that internal corresponds go forth counteract solid misstatements from occurring or detect and correct them if they dumbfound occurred. The starting point for most attendees is the estimate of entity- take harbours. By nature, entity- take aim images, such as umteen of the elements contained in the subordination environment, insecurity mensuratement, and monitoring components, present an overarching impact on most major types of minutes in each proceeding cycle.For example, an ineffective board of directors or bear offments failure to have any process to appoint, assess, or manage key lucks, has the probable to undermine stops for most of the transaction- associate audit neutrals. Thus, he atomic number 18rs generally assess entity-level pick ups to begin with assessing transaction specific obtains. Once meeters determine that entity-level declares argon intentional and couchd in operation, they next make a preliminary perspicacity for each transaction-related audit objective for each major type of transaction in each transaction cycle.For example, in the gross gross gross sales and collection cycle, the types of minutes usually posit sales, sales returns and al let outances, notes receipts, and the provision for and write-off of uncollectible accounts. The auditor alike makes the preliminary appraisal for controls affecting audit objectives for brace sheet accounts and first appearances many an(prenominal) auditors physical exertion a control risk hyaloplasm to assist in the control risk assessment process at the transaction level. The purpose is to ply a convenient way to constitute assessing control risk for each audit objective. the control risk ground substance for transaction-related audit objectives, auditors wasting disease a similar control risk intercellular substance form at to assess control risk for balance-related and presentation and disclosure-related audit objectives. fall upon Audit ObjectivesThe first step in the assessment is to identify the audit objectives for classes of transactions, account balances, and presentation and dis closure to which the assessment applies. For example, this is done for classes of transactions by applying the specific transaction-related audit objectives introduced earlier, which were stated in general form, to each major type of transaction for the entity. For example, the auditor makes an assessment of the occurrence objective for sales and a separate assessment of the completeness objective.Identify Existing guaranteesNext, the auditor physical exercises the instruction discussed in the previous section on amazeing and documenting an correspondence of internal control to identify the controls that contri scarcelye to accomplishing transaction-related audit objectives. champion way for the auditor to do t his is to identify controls to recompense each objective. For example, the auditor can put on liveledge of the clients system to identify controls that argon likely to prevent errors or fraud in the occurrence transaction-related audit objective. The alike(p) issue can be done for all early(a)(a) objectives. It is in any case instrumental for the auditor to subprogram the five control activities (separation of duties, proper authorization,Adequate documents and records, animal(prenominal) control over assets and records, and Independent checks on arrangeance) as reminders of controls.For example Is in that respect adequate separation of duties and how is it achieved? be transactions properly authorized? Are pre-numbered documents properly accounted for? Are key master files properly restricted from unofficial accession? The auditor should identify and accommodate scarce those controls that ar expect to have the grea prove effect on meeting the transaction-rela ted audit objectives. These are practically called key controls. The reason for including only key controls is that they will be ample to achieve the transaction-related audit objectives and also provide audit efficiency. tie in Controls with Related Audit ObjectivesEach control satisfies one or much related audit objectives. This can be seen for transaction-relatedaudit objectives. The body of the matrix is apply to show how each control contri just nowes To the accomplishment of one or much transaction-related audit objectives. In this , a C was entered in each cellphone where a control partially or fully well-to-do an bjective. A similar control risk matrix would be completed for balance-related and presentation and disclosure-related audit objectives.For example, the mailing of statements to clients satisfies iii objectives in the audit of Hillsburg Hardware, which is advertd by the spot of each C on the row . Identify and Evaluate Control Deficiencies, Significant Def iciencies, and Material Weaknesses Auditors must evaluate whether key controls are rattlepated in the visualize of internal control over monetary describe as a part of evaluating control risk and the likeliness of pecuniary statement misstatements. Auditing exemplars define three levels of the absence of internal controls1. Control wishing.A control insufficiency exists if the design or operation of controls does not appropriate company personnel to prevent or detect mis-statements on a timely basis in the normal course of exerciseing theirassigned functions. A design deficiency exists if a necessary control is lacking or not properly designed. An operation deficiency exists if a well-designed control does not operate as designed or if the person practiseing the control is in comfortablely qualified or authorized.2. Significant deficiency.A square deficiency exists if one or more control deficiencies exist that is less dangerous than a fabric weakness (defined to a lower place), but important sufficient to virtuousness attention by those responsible for oversight of the companys fiscal account. 3. Material weakness. A material weakness exists if a material deficiency, by itself, or in combination with anformer(a)(prenominal) significant deficiencies, results in a reason able accident that internal control will not prevent or detect material pecuniary statement misstatements on a timely basis.To determine if a significant internal control deficiency or deficiencies are a material weakness, they must be evaluated along 2 dimensions likeliness and significance. If in that respect is more than a sightly possibility (likelihood) that a material misstatement (significance) could result from the significant deficiency or deficiencies, then it is haveed a material weakness. A five-step approach can be utilise to identify deficiencies, significant deficiencies, and Material weaknesses.1. Identify existing controls. Beca intake deficienc ies and material weaknesses are the absence of adequate controls, the auditor must first complete which controls exist. The methods for identifying controls have already been discussed. 2. Identify the absence of key controls. Internal control questionnaires, flow charts, and walk withs are useful tools to identify where controls are lacking and the likelihood of misstatement is at that placefore increased. It is also useful to examine the control risk matrix, such as to look for objectives where there are no or only a few controls to prevent or detect misstatements. 3. Consider the possibility of compensating controls. A compensating control is one Elsewhere in the system that offsets the absence of a key control. A common example in a small line of descent is the active involvement of the owner. When a compensating control exists, there is no longer a significant deficiency or material weakness.4. Decide whether there is a significant deficiency or material weakness. The likeli hood of misstatements and their materiality are employ to evaluate if there are significant deficiencies or material weaknesses. 5. Determine potential misstatements that could result. This step is mean to identify specific misstatements that are likely to result because of the significant deficiency or material weakness. The importance of a significant deficiencyor material weakness is directly related to the likelihood and materiality of potential misstatements. Associate Significant Deficiencies and Material Weaknesses with Related Audit Objectives The same as for controls, each significant deficiency or material weakness can apply to one or more related audit objectives. In the case of Hillsburg, there are two significant deficiencies, and each applies to only one transaction-related objective. The significant deficiencies are shown in the body of the figure by a D in the appropriate objective column.Assess Control Risk for Each Related Audit ObjectiveAfter controls, significa nt deficiencies, and material weaknesses are set and associated with transaction-related audit objectives, the auditor can assess control risk for transaction related audit objectives. This is the critical last in the evaluation of internal control. The auditor uses all of the information discussed antecedently to make a subjective control risk assessment for each objective. in that respect are disagreeent ways to express this assessment. Some auditors use a subjective expression such as high, moderate, or low. Others use numerical probabilities such as 1.0, 0.6, or 0.2. Again, the control risk matrix is a useful tool for making the assessment. This assessment is not the final examination one. Before making the final assessment at the end of the unified audit, the auditor will raise controls and perform solid outpourings.These Procedures can either stand out the preliminary assessment or cause the auditor to make changes. In some cases, management can correct deficiencie s and material weaknesses before the auditor does significant canvasing, which whitethorn permit a reduction in control risk. After a preliminary assessment of control risk is do for sales and cash receipts, the auditor can complete the three control risk rows of the evidence- cooking worksheet . If runs of controls results do not fill-in the preliminary assessment of control risk, the auditor must modify the worksheet later. Alternatively, the auditor can spread over until tests of controls are done to complete the three control risk rows of the worksheet. As part of fellow feeling internal control and assessing control risk, the auditor is needed to communicate certain matters to those charged with cheek. This Information and other recommendations near controls are also often communicated to management.Communications to ThoseCharged With GovernanceThe auditor must communicate significant deficiencies and material weaknesses in writing to those charged with governance as soon as the auditor becomes aware of their existence. The communication is usually addressed to the audit committee and to management. Timely communications may provide management an opportunity to address control deficiencies before managements report on internal control must be issued. In some instances, deficiencies can be corrected sufficiently early such that two management and the auditor can conclude that controls are run effectively as of the balance sheet see. Regardless, these communications must be made no later than 60 days keeping the audit report release.Management LettersIn addition to these matters, auditors often identify less significant internal control-related issues, as well as opportunities for the client to make operational improvements. These should also be communicated to the client. The form of communication is often a separate letter for that purpose, called a management letter. Although management earn are not infallible by auditing standards, aud itors generally prepare them as a value-added service of the audit.Test of controlsWeve examined how auditors link controls, significant deficiencies, and material Weaknesses in internal control to related audit objectives to assess control risk for each objective. Now well address how auditors test those controls that are used to support a control risk assessment. For example, each key control that the auditor intends to affirm on to support a control risk of moderate or low must be supported by sufficient tests of controls. We will deal with tests of controls for two audits of internal control for pecuniary reporting and audits of financial statements. Assessing control risk requires the auditor to consider both the design and operation of controls to evaluate whether they will likely be effective in meeting related audit objectives. During the savvy phase, the auditor will have already gathered some evidence in support of both the design of the controls and their implementat ion by using subprograms to obtain an understanding .In most cases, the auditor will not have gatheredenough evidence to reduce assessed control risk to a sufficiently low level. The auditor must thusly obtain additional evidence s get downly the run(a) effectiveness of controls end-to-end all, or at least most, of the limit under audit. The social occasions to test effectiveness of controls in support of a trim assessed control risk are called tests of controls. If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same assessed control risk as the preliminary assessment.If, however, the tests of controls indicate that the controls did not operate effectively, the assessed control risk must be reconsidered. For example, the tests may indicate that the application of a control was curtailed midway through the category or that the person applying it made frequent misstatements. In such situations, the auditor uses a higher assessed control risk, unless compensating controls for the same related audit objectives are identified and found to be effective. Of course, the auditor must also consider the impact of those controls that are not operating(a)(a) effectively on the auditors Report on internal control.Procedures for Tests of ControlsThe auditor is likely to use cardinal types of procedures to support the operating effectiveness of internal controls. Managements testing of internal control will likely let in the same types of procedures. The 4 types of procedures are as follows 1. fasten inquiries of appropriate client personnel. Although motion is not a highly reliable source of evidence about the effective operation of controls, it is still appropriate. For example, to determine that unauthorized personnel are denied access to electronic computer files, the auditor may make inquiries of the person who controls the computer library and of the person who controls online access security password assignments.2. Examine documents, records, and reports. Many controls leave a clear trail of documentary evidence that can be used to test controls. Suppose, for example, that when a customer order is received, it is used to create a customer sales order, which is approved for doctrine. Then the customer order is attached to the sales order as authorization for tho processing. The auditor can test the control by examining the documents to make sure that they are complete and properly matched and that required signatures or initials are present. 3. hold on control-relatedactivities. Some controls do not leave an evidence trail, which means that it is not possible to examine evidence that the control was executed at a later date. For example, separation of duties relies on specific persons performing specific tasks, and there is typically no documentation of the separate murder. For controls that leave no documentary evidence, the auditor generally observes them being ap plied at various points during the year.4. Reperform client procedures. There are also control-related activities for which there are related documents and records, but their content is insufficient for the auditors purpose of assessing whether controls are operating effectively. For example, assume that prices on sales invoices are obtained from the master price list, but no indication of the control is documented on the sales invoices. In these cases, it is common for the auditor to reperform the control activity to see whether the proper results were obtained. For this example, the auditor can re perform the procedure by tracing the sales prices to the authorized price list in effect at the date of the transaction. If no misstatements are found, the auditor can conclude that the procedure . tip of ProceduresThe completion to which tests of controls are applied depends on the preliminary assessed control risk. If the auditor wants a lower assessed control risk, more extensive te sts of controls are applied, both in terms of the number of controls tested and the outcome of the tests for each control. For example, if the auditor wants to use a low assessed control risk, a stupendousr attempt size for documentation, observation, and re exercise procedures should be applied. The extent of testing also depends on the frequency of the operation of the controls, and whether it is manual(a) or machine-driven.Reliance on secern from the Prior Years AuditWhen auditors plan to use evidence about the operating effectiveness of internal control obtained in foregoing audits, auditing standards require tests of the controls effectiveness at least every tertiary year. If auditors determine that a key control has been changed since it was last tested, they should test it in the current year. When there are a number of controls tested in prior audits that have not been changed, auditing standardsrequire auditors to test some of those controls each year to ensure the re is a rotation of controls testing throughout the three year level.Testing of Controls Related to Significant RisksSignificant risks are those risks that the auditor believes require special audit consideration. When the auditors risk assessment procedures identify significant risks, the auditor is required to test the operating effectiveness of controls that mitigate these risks in the current year audit, if the auditor plans to believe on those controls to support a control risk assessment below 100%. The greater the risk, the more audit evidence the auditor should obtain that controls are operating effectively.Testing Less Than the Entire Audit stop yield that managements report on internal control deals with the effectiveness of internal controls as of the end of the fiscal year. PCAOB Standard 5 requires the auditor to perform tests of controls that are adequate to determine whether controls are operating effectively at year-end. The timing of the auditors tests of control s will therefore depend on the nature of the controls and when the company uses them. For controls that are applied throughout the accounting period, it is usually practical to test them at an interim date. The auditor will then determine later if changes in controls occurred in the period not tested and decide the implication of any change. Controls dealing with financial statement preparation occur only quarterly or at year-end and must therefore also be tested at quarter and year-end.Relationship between Tests of Controls and Procedures to Obtaining Understanding There is a significant overlap between tests of controls and procedures to obtain an understanding. Both include inquiry, documentation, and observation. There are two primary differences in the application of these common procedures. 1. In obtaining an understanding of internal control, the procedures to obtain an understanding are applied to all controls identified during that phase. Tests of controls, on the other han d, are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding. 2. Procedures to obtain anunderstanding are performed only on one or a few transactions or, in the case of observations, at a single point in time. Tests of controls are performed on larger samples of transactions (perhaps 20 to 100), and often, observations are made at more than one point in time.For key controls, tests of controls other than re performance are essentially an Extension of procedures to obtain an understanding. Therefore, take for granted the auditors plan to obtain a low assessed control risk from the ancestry of the integrated audit, they will likely combine both types of procedures and perform them simultaneously. One option is to perform the audit procedures separately, where minimum procedures to obtain an understanding of design and operation are performed, followed by additional tests of controls. An alternative is to combine both columns and do them simultaneously. The same amount of evidence is accumulated in the indorse approach, but more efficiently. The determination of the appropriate sample size for tests of controls is an important audit decisions.Detection risk and the design of all important(p) testsWeve focused on how auditors assess control risk for each related audit objective and support control risk assessments with tests of controls. The completion of these activities is sufficient for the audit of internal control over financial reporting, even though the report will not be finalized until the auditor completes the audit of financial statements. The auditor uses the control risk assessment and results of tests of controls to determine planned detection risk and related of the essence(p) tests for the audit of financial statements. The auditor does this by linking the control risk assessments to the balance related audit objectives for the accounts affected by the major transaction types and to the four presentations and disclosure audit objectives. The appropriate level of detection risk for each balance-related audit objective is then decided using the audit risk model. The relationship of transaction-related audit objectives to balance-related audit objectives and the preferion and design of audit procedures for solid tests of financial statement.Types of testIn developing an overall audit plan, auditors use five types of tests to determine whether financial statements are fairly stated. Auditors use riskassessment procedures to assess the risk of material misstatement, pretended by the combination of infixed risk and control risk. The other four types of tests represent further audit procedures performed in response to the risks identified. Each audit procedure falls into one, and sometimes more than one, of these five categories. configuration 13-1 shows the relationship of the four types of further audit procedures to the audit risk model. As take care 13-1 illust rates, tests of controls are performed to support a reduced assessment of control risk, while auditors use uninflected procedures and tests of dilate of balances to satisfy planned detection risk. Substantive tests of transactions affect both control risk and planned detection risk, because they test the effectiveness of internal controls and the dollar bill mark amounts of transactions.Risk Assessment ProceduresTThe second standard of fieldwork requires the auditor to obtain an understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement in the clients financial statements. Risk assessment procedures are performed to assess the risk of material misstatement in the financial statements. The auditor performs tests of controls, satisfying tests of transactions, analytical procedures, and tests of expound of balances in response to the auditors assessment of the risk of material misstatements.The combination of these our types of further audit procedures provides the basis for the auditors opinion, as illustrated by ensure 13-1. A major part of the auditors risk assessment procedures are done to obtain an Understanding of internal control. Procedures to obtain an understanding of internal control were canvass and focus on both the design and implementation of internal control and are used to assess control risk for each transaction-related audit objectively Tests of ControlsEThe auditors understanding of internal control is used to assess control risk for each transaction-related audit objective. Examples are assessing the true statement objective for sales transactions as low and the occurrence objective as moderate. When control policies and procedures are believed to be effectively designed, the auditor assesses control risk at a level that reflects the relation back effectiveness of those controls. To obtain sufficientappropriate evidence to support that assessment, the auditor performs tests of controls.S Tests of controls, either manual or automated, may include the following types of evidence. ( visor that the first three procedures are the same as those used to obtain an understanding of internal control.) Make inquiries of appropriate client personnel Examine documents, records, and reports witness control-related activities Reperform client proceduresAuditors perform a system walkthrough as part of procedures to obtain an under standing to attend them determine whether controls are in place. The walkthrough is normally applied to one or a few transactions and follows that transaction through the intact process. For example, the auditor may select one sales transaction for a system walk through of the credit approval process, then follow the credit approval process from trigger of the sales transaction through the granting of credit. Tests of controls are also used to determine whether these controls are effective and usually involve testing a sample o f transactions. As a test of the operating effectiveness of the credit approval process, for example, the auditor might examine a sample of 50 sales transactions from throughout the year to determine whether credit was granted before the shipment of goods.Procedures to obtain an understanding of internal control generally do not provide sufficient appropriate evidence that a control is operating effectively. An exception may apply for automated controls because of their consistent performance. The auditors procedures to determine whether the automated control has been implemented may also serve as the test of that control, if the auditor determines there is minimal risk that the automated control has been changed since the understanding was obtained. Then, no additional tests of controls would be required. The amount of additional evidence required for tests of controls depends on two things 1. The extent of evidence obtained in gaining the understanding of internal control2. The pl anned reduction in control riskFigure 13-2 (p. 406) shows the role of tests of controls in the audit of the sales and collection cycle relative to other tests performed to providesufficient appropriate evidence for the auditors opinion. Note the un shaded circles with the words Audited by TOC. For simplicity, we make two assumptions Only sales and cash receipts trans actions and three general ledger balances make up the sales and collection cycle and the beginning balances in cash and accounts due were audited in the previous year and are considered correct. If auditors verify that sales and cash receipts transactions are correctly put down in the accounting records and posted to the general ledger, they can conclude that the culture balances in accounts receivable and sales are correct.(Cash disbursements transactions will OF have to be audited before the auditor can reach a conclusion about the destination balance in the cash account.) One way the auditor can verify recording of transactions is to perform tests of controls. If controls are in place over sales and cash receipts transactions, the auditor can perform tests of controls to determine whether the sextet transaction-related audit objectives are being met for that cycle. Substantive tests of transactions, which we will examine in the next section, also affect audit office for sales and cash receipts transactions.Substantive Tests of TransactionsSTSSubstantive tests are procedures designed to test for dollar misstatements (often called monetary misstatements) that directly affect the correctness of financial statement balances. Auditors rely on three types of all-important(a) tests essential tests of transactions, all important(p) analytical procedures, and tests of details of balances. Substantive tests of transactions are used to determine whether all six transactions related audit objectives have been satisfied for each class of transactions. Two of those objectives for sales transactions are recorded sales transactions exist (occurrence objective) and existing sales transactions are recorded (completeness objective for the six transaction-related audit objectives.When auditors are confident that all transactions were correctly recorded in the journals and correctly posted, considering all six transaction-related audit objectives, they can be confident that general ledger totals are correct. Figure 13-2 illustrates the role of hearty tests of transactions in the audit of the sales and collection cycle by lightly shaded circles with the words Audited by STOT. Observe that both tests of controls and substantive tests of transactions are performed for transactions in the cycle, not on the ending accountbalances. The auditor verifies the recording and summarizing of sales and cash receipts transactions by performing substantive tests of transactions. Figure 13-2 shows one set of tests for sales and another for cash receipts.Analytical Proceduresanalytical procedures in volve equivalences of recorded amounts to expectations certain by the auditor. Auditing standards require that they be done during planning and completing the audit. Although not required, analytical procedures may also be performed to audit an account balance. The two most important purposes of analytical procedures in the audit of account balances are to 1. Indicate possible misstatements in the financial statements2. interpret substantive evidenceAnalytical procedures done during planning typically differ from those done in the testing phase. Even if, for example, auditors calculate the gross border during planning, they probably do it using interim data. Later, during the tests of the ending balances, they will work out the ratio using full-year data. If auditors believe that analytical procedures indicate a sightly possibility of misstatement, they may perform additional analytical procedures or decide to modify tests of details of balances. When the auditor develops expe ctations using analytical procedures and concludes that the clients ending balances in certain accounts appear reasonable, certain tests of details of balances may be eliminated or sample sizes reduced.Auditing standards state that analytical procedures are a type of substantive test (referred to as substantive analytical procedures), when they are performed to provide evidence about an account balance. The Extent to which auditors may be willing to rely on substantive analytical procedures in support of an account balance depends on several factors, including the precision of the expectation developed by the auditor, materiality, and the risk of material misstatement. Figure 13-2 illustrates the role of substantive analytical procedures in the audit of the sales and collection cycle by the tail shaded circles with the words Audited by AP. Observe that the auditor performs substantive analytical procedures on sales and Cash receipts transactions, as well as on the ending balances o f the accounts in the cycle.Tests of Details of BalancesTests of details of balances focus on the ending general ledger balances for both balance sheet and income statement accounts. The primary emphasis in most tests of details of balances is on the balance sheet. Examples include confirmation of customer balances for accounts receivable, physical examination of inventory, and examination of vendors statements for accounts payable. Tests of ending balances are essential because the evidence is usually obtained from a source independent of the client, which is considered highly reliable. Much like for transactions, the auditors tests of details of balances must satisfy all balance-related audit objectives for each significant balance sheet account.Figure 13-2 illustrates the role of tests of details of balances by the circles with half dark and half light shading and the words Audited by TDB. Auditors perform detailed tests of the ending balances for sales and accounts receivable, i ncluding procedures such as confirmation of account receivable balances and sales shortcut tests. The extent of these tests depends on the results of tests of controls, substantive tests of transactions, and substantive analytical procedures for these accounts. Tests of details of balances help establish the monetary correctness of the accounts they relate to and therefore are substantive tests. For example, confirmations test for monetary misstatements in accounts receivable and are therefore substantive tests. Similarly, counts of inventory and cash on hand are also substantive tests.OSelect the appropriate types of audit testsTypically, auditors use all five types of tests when performing an audit of the financial statements, but certain types may be emphasized, depending on the circumstances. Recall that risk assessment procedures are required in all audits to assess the risk of material misstatement while the other four types of tests are performed in response to the risks iden tified to provide the basis for the auditors opinion. Note also that only risk assessment procedures, especially procedures to obtain an understanding of controls, and tests of controls are performed in an audit of internal control over financial reporting. Several factors influence the auditors choice of the types of tests to select, including the availability of the eight types of evidence, the relative tolls of each type of test, the effectiveness ofinternal controls, and constitutional risks. Only the first two are discussed further because the last two were discussed in earlier chapters. Availability of Types of Evidence for Further Audit Procedures OEach of the four types of further audit procedures involves only certain types of evidence (confirmation, documentation, and so forth. much types of evidence, six in total, are used for tests of details of balances than for any other type of test. Only tests of details of balances involve physical examination and confirmation. Inquiries of the client are made for every type of test. Documentation is used in every type of test except analytical procedures. Re performance is used in every type of test except analytical procedures. Auditors may re perform a control as part of a transaction walkthrough or to test a control that is not supported by sufficient documentary evidence. Recalculation is used to verify the numerical accuracy of transactions when per forming substantive test of transactions and account balances when per forming tests of details of balances.Relative CostsWhen auditors must decide which type of test to select for obtaining sufficient appropriate evidence, the cost of the evidence is an important consideration. The types of tests are listed below in order of increasing cost Analytical procedures Risk assessment procedures, including procedures to obtain an understanding of internal control Tests of controls Substantive tests of transactions Tests of details of balancesAnalytical pr ocedures are the least expensive because of the relative ease of making calculations and comparisons. Often, considerable information about potential misstatements can be obtained by simply comparing two or three numbers. Risk assessment procedures, including procedures to obtain an understanding of internal control, are not as costly as other audit tests because auditors can easily make inquiries and observations and perform planning analytical procedures. Also, examining such things as documentssummarizing the clients business operations and processes and management and governance structure are relatively cheaper than other audit tests. Because tests of controls also involve inquiry, observation, and inspection, their relative costs are also low compared to substantive tests.However, tests of controls are more costly relative to the auditors risk assessment procedures due to a greater extent of testing required to obtain evidence that a control is operating effectively, especiall y when those tests of controls involve re performance. Often, auditors can perform a large number of tests of controls readily using audit software. Such software can test controls in clients computerized accounting systems, such as in computerized accounts receivable systems that automatically authorize sales to existing customers by comparing the proposed sales amount and existing accounts receivable balance with the customers credit limit. Substantive tests of transactions cost more than tests of controls that do not include re performance because the former often require recalculations and tracings.In a computerized environment, however, the auditor can often perform substantive tests of transactions quickly for a large sample of transactions. Tests of details of balances almost always cost considerably more than any of the Other types of procedures because of the cost of procedures such as sending confirmations and counting inventories. Because of the high cost of tests of det ails of balances, auditors usually try to plan the audit to minimize their use. Naturally, the cost of each type of evidence varies in different situations. For example, the cost of an auditors test-counting inventory (a substantive test of the details of the inventory balance) often depends on the type and dollar value of the Inventory, its location, and the number of different items.Relationship between Tests of Controls and Substantive Tests To cleanse understand tests of controls and substantive tests, lets examine how they differ. An exception in a test of control only indicates the likelihood of misstatements affecting the dollar value of the financial statements, whereas an exception in a substantive test of transactions or a test of details of balances is a financial statement misstatement. Exceptions in tests of controls are called control test deviations. From the three levels of control deficiencies deficiencies, significant deficiencies, andmaterial weaknesses. Auditors are most likely to believe material dollar misstatements exist in the financial statements when control test deviations are considered to be significant deficiencies or material weaknesses. Auditors should then perform substantive tests of transactions or tests of details of balances to determine whether material dollar misstatements have actually occurred.Assume that the clients controls require an independent salesclerk to verify the quantity, price, and extension of each sales invoice, after which the clerk must initial the duplicate invoice to indicate performance. A test of control audit procedure is to inspect a sample of duplicate sales invoices for the initials of the person who verified the information. If a significant number of documents lack initials, the auditor should consider implications for the audit of internal control over financial reporting and follow up with substantive tests for the financial statement audit. This can be done by extending tests of duplicate sales invoices to include verifying prices, extensions, and footings (substantive tests of transactions) or by increasing the sample size for the confirmation of accounts receivable (substantive test of details of balances).Even though the control is not operating effectively, the invoices may still be correct, especially if the person originally preparing On the other hand, if no documents or only a few of them are missing initials, the control will be considered effective and the auditor can therefore reduce substantive tests of transactions and tests of details of balances. However, some re performance and recalculation substantive tests are still necessary to provide the auditor government agency that the clerk did not initial documents without actually performing the control procedure or performed it carelessly. Because of the need to complete some re performance and recalculation tests, many auditors perform them as a part of the original tests of controls. Others wait until they know the results of the tests of controls and then determine the total sample size needed.Relationship between Analytical Procedures and Substantive Tests Like tests of controls, analytical procedures only indicate the likelihood of misstatements affecting the dollar value of the financial statements. Unusual fluctuations in the relationships of an account to other accounts, or to nonfinancial information, may indicate an increased likelihood that material misstatements exist without necessarily providing direct evidence of amaterial misstatement. When analytical procedures identify unusual fluctuations, auditors should perform substantive tests of transactions or tests of details of balances to determine whether dollar misstatements have actually occurred.If the auditor performs substantive analytical procedures and believes that the likelihood of material misstatement is low, other substantive tests can be reduced. For accounts with small balances and only minimal potential f or material misstatements, such as many supplies and prepaid expense accounts, auditors often limit their tests to substantive analytical procedures if they conclude the accounts are reasonably stated.Trade-Off between Tests of Controls and Substantive TestsThere is a trade-off between tests of controls and substantive tests. During planning, auditors decide whether to assess control risk below the maximum. When they do, they must then perform tests of controls to determine whether the assessed level of control risk is supported. (They must always perform test of controls in an audit of internal control over financial reporting.) If tests of controls support the control risk assessment, planned detection risk in the audit risk model is increased, and planned substantive tests can therefore be reduced. Figure 13-3 shows the relationship between substantive tests and control risk assessment (including tests of controls) at differing levels of internal control effectivenessImpact of in formation technology on audit testingAuditing standards provide guidance for auditors of entities that transmit process, maintain, or access significant information electronically. Examples of electronic evidence include records of electronic inventory transfers and purchase orders transmitted through electronic data interchange (EDI). Evidence of the performance of automated controls, such as the computers comparison of proposed sales orders to customer credit limits, may also only be in electronic form. The standards recognize that when a significant amount of audit evidence exists in electronic form, it may not be practical or possible to reduce detection risk to an acceptable level by performing only substantive tests. For example, the potential for improper initiation or alteration of information may be greater if information is maintained only in electronic form.In these circumstances, the auditor should performtests of controls to gather evidence in support of an assessed le vel of control risk below maximum for the affected financial statement assertions. Although some substantive tests are still required, the auditor can significantly reduce substantive tests if the results of tests of controls support the effectiveness of controls. In the audit of a larger everyday company, computer-performed controls (these are called automated controls) must be tested if the auditor considers them to be key controls for reducing the likelihood of material misstatements in the financial statements. Because of the inherent consistency of IT processing, however, the auditor may be able to reduce the extent of testing of an automated control.For example, software based control is almost certain to function consistently unless the program is changed. Once auditors determine an automated control is functioning properly, they can focus subsequent tests on assessing whether any changes have occurred that will limit the effectiveness of the control. Such tests might includ e find whether any changes have occurred to the program and whether these changes were properly authorized and tested prior to implementation. This approach leads to significant audit efficiencies when the auditor determines that automated controls tested in the prior years audit have not been changed and continue to be subject to effective general controls.To test automated controls or data, the auditor may need to use computer-assisted audit techniques or use reports produced by IT to test the operating effectiveness of IT general controls, such as program change controls and access controls. In many cases, testing of automated controls may be performed by IT audit specialists. When auditors test manual controls that rely on IT-generated reports, they must consider both the Effectiveness of managements review and automated controls over the accuracy of Information in the report.

No comments:

Post a Comment