Wednesday, June 5, 2019
Control risk Essay Example for Free
Control seek of exposure EssayThe attendee detects an understanding of the blueprint and implementation of cozy Control to make a feeler sound judgment of bear put on the line as agency of the scrutinizeors overall legal opinion of the lay on the line of real misstatements. The analyzeor uses this preliminary perspicacity of softenler gamble to plan the seek for severally cloth class of proceedings. However, in some instances the he ber whitethorn learn that the accommodate deficiencies ar signifi lott much(prenominal) that the thickenings pecuniary statements may non be scrutinizeable. So, before making a preliminary judging of run try for distributively(prenominal) solid class of transactions, the so-and-sovassor must first nail down whether the entity is scrutiniseable. Two primary factors come up canvasability the right of perplexity and the ade quacy of accounting records. If management lacks integrity, more(prenominal) or less inspectors leave behind not accept the engagement. The accounting records ar an important source of audit essay for most audit accusatorys. If the accounting records ar deficient, necessary audit evidence may not be available. For example, if the client has not kept imitation gross gross revenue invoices and vendors invoices, it is comm tho impractical to do an audit.In complex IT environments, much of the transaction information is available alone in electronic form without generating a visible audit trail of documents and records. In that case, the company is usually still auditable however, auditors must assess whether they give the necessary skills to gather evidence that is in electronic form and roll in the hay assign personnel with adequate IT training and experience. aft(prenominal) obtaining an understanding of inner authority, the auditor makes a preliminary appraisal of take cargon risk as division of the auditors overall assessment of the risk of existent misstatement. This assessment is a measure of the auditors expectation that ingrained sways depart celebrate material misstatements from occurring or witness and correct them if they have occurred. The starting point for most auditors is the assessment of entity-level controls. By nature, entity-level controls, such as many of the elements contained in the control environment, risk assessment, and monitoring components, have an overarching impact on most major eccentric persons of transactions in each transaction round of golf.For example, an ineffective board of directors or managements failure to have any process to station, assess, or manage key risks, has the potential to undermine controls for most of the transaction- cerebrate audit object lenss. Thus,auditors popularly assess entity-level controls before assessing transaction specific controls. Once auditors determine that entity-level controls are designed and placed in operation, they next make a pre liminary assessment for each transaction- colligate audit objective for each major type of transaction in each transaction cycle.For example, in the gross revenue and collection cycle, the types of transactions usually involve sales, sales returns and allowances, cash receipts, and the provision for and write-off of uncollectible accounts. The auditor as well makes the preliminary assessment for controls usurping audit objectives for balance sheet accounts and presentations Many auditors use a control risk ground substance to assist in the control risk assessment process at the transaction level. The purpose is to result a comfortable way to organize assessing control risk for each audit objective. the control risk matrix for transaction-related audit objectives, auditors use a similar control risk matrix format to assess control risk for balance-related and presentation and disclosure-related audit objectives. station examine ObjectivesThe first step in the assessment is to i dentify the audit objectives for classes of transactions, account balances, and presentation and dis closure to which the assessment applies. For example, this is done for classes of transactions by applying the specific transaction-related audit objectives introduced earlier, which were stated in general form, to each major type of transaction for the entity. For example, the auditor makes an assessment of the incident objective for sales and a separate assessment of the go offness objective. bring up Existing ControlsNext, the auditor uses the information discussed in the anterior section on obtaining and documenting an understanding of inner(a) control to identify the controls that contri exactlye to accomplishing transaction-related audit objectives. One way for the auditor to do this is to identify controls to satisfy each objective. For example, the auditor can use knowledge of the clients system to identify controls that are likely to prevent errors or fraud in the occurr ence transaction-related audit objective. The same thing can be done for all other(a) objectives. It is too helpful for the auditor to use the five control activities (separation of duties, prim authorization,Adequate documents and records, corporal control over assets and records, and Independent checks on commitance) as reminders of controls.For example Is there adequate separation of duties and how is it achieved? Are transactions justly accepted? Are pre-numbered documents properly accounted for? Are key master files properly restricted from unauthorized access? The auditor should identify and let in only those controls that are judge to have the grea try effect on meeting the transaction-related audit objectives. These are often called key controls. The reason for including only key controls is that they will be suitable to achieve the transaction-related audit objectives and also provide audit efficiency.Associate Controls with colligate Audit ObjectivesEach control satisfies one or more related audit objectives. This can be seen for transaction-relatedaudit objectives. The tree trunk of the matrix is employ to show how each control contributes To the accomplishment of one or more transaction-related audit objectives. In this , a C was entered in each cell where a control partially or fully satisfied an bjective. A similar control risk matrix would be completed for balance-related and presentation and disclosure-related audit objectives.For example, the mailing of statements to customers satisfies third objectives in the audit of Hillsburg Hardware, which is indicated by the placement of each C on the row . Identify and Evaluate Control Deficiencies, Significant Deficiencies, and fabric Weaknesses Auditors must evaluate whether key controls are absent in the design of internal control over financial reporting as a part of evaluating control risk and the likelihood of financial statement misstatements. Auditing standards define three levels of the absence of internal controls1. Control deficiency.A control deficiency exists if the design or operation of controls does not permit company personnel to prevent or detect mis-statements on a well-timed basis in the normal course of exerciseing theirassigned functions. A design deficiency exists if a necessary control is missing or not properly designed. An operation deficiency exists if a well-designed control does not operate as designed or if the person performing the control is in fittedly qualified or authorized.2. Significant deficiency.A strong deficiency exists if one or more control deficiencies exist that is less severe than a material weakness (defined below), but important enough to merit attention by those responsible for oversight of the companys financial reporting. 3. Material weakness. A material weakness exists if a meaning(a) deficiency, by itself, or in combination with other significant deficiencies, results in a reason able casualty that internal control will not prevent or detect material financial statement misstatements on a timely basis.To determine if a significant internal control deficiency or deficiencies are a material weakness, they must be evaluated along two dimensions likelihood and significance. If there is more than a reasonable possibility (likelihood) that a material misstatement (significance) could result from the significant deficiency or deficiencies, thusly it is ascertained a material weakness. A five-step onrush can be utilize to identify deficiencies, significant deficiencies, and Material weaknesses.1. Identify existing controls. Because deficiencies and material weaknesses are the absence of adequate controls, the auditor must first know which controls exist. The methods for identifying controls have already been discussed. 2. Identify the absence of key controls. Internal control questionnaires, flow charts, and walkthroughs are useful tools to identify where controls are lacking and the likel ihood of misstatement is accordingly incr eternal restd. It is also useful to examine the control risk matrix, such as to look for objectives where there are no or only a few controls to prevent or detect misstatements. 3. Consider the possibility of compensating controls. A compensating control is one Elsewhere in the system that offsets the absence of a key control. A common example in a small business is the active involvement of the owner. When a compensating control exists, there is no longer a significant deficiency or material weakness.4. Decide whether there is a significant deficiency or material weakness. The likelihood of misstatements and their materiality are used to evaluate if there are significant deficiencies or material weaknesses. 5. Determine potential misstatements that could result. This step is intended to identify specific misstatements that are likely to result because of the significant deficiency or material weakness. The importance of a significant defic iencyor material weakness is directly related to the likelihood and materiality of potential misstatements. Associate Significant Deficiencies and Material Weaknesses with Related Audit Objectives The same as for controls, each significant deficiency or material weakness can apply to one or more related audit objectives. In the case of Hillsburg, there are two significant deficiencies, and each applies to only one transaction-related objective. The significant deficiencies are shown in the body of the figure by a D in the grab objective column.Assess Control Risk for Each Related Audit ObjectiveAfter controls, significant deficiencies, and material weaknesses are identified and associated with transaction-related audit objectives, the auditor can assess control risk for transaction related audit objectives. This is the critical conclusiveness in the evaluation of internal control. The auditor uses all of the information discussed previously to make a casingive control risk assess ment for each objective. on that point are different ways to express this assessment. Some auditors use a subjective expression such as high, moderate, or low. Others use numerical probabilities such as 1.0, 0.6, or 0.2. Again, the control risk matrix is a useful tool for making the assessment. This assessment is not the closing one. Before making the final assessment at the end of the integrated audit, the auditor will test controls and perform material tests.These Procedures can either support the preliminary assessment or cause the auditor to make changes. In some cases, management can correct deficiencies and material weaknesses before the auditor does significant testing, which may permit a reduction in control risk. After a preliminary assessment of control risk is made for sales and cash receipts, the auditor can complete the three control risk rows of the evidence- think worksheet . If tests of controls results do not support the preliminary assessment of control risk, th e auditor must modify the worksheet later. Alternatively, the auditor can count until tests of controls are done to complete the three control risk rows of the worksheet. As part of understanding internal control and assessing control risk, the auditor is ask to relegate certain matters to those charged with governance. This education and other recommendations about controls are also often communicated to management.Communications to ThoseCharged With GovernanceThe auditor must communicate significant deficiencies and material weaknesses in writing to those charged with governance as soon as the auditor becomes aware of their existence. The communication is usually addressed to the audit delegacy and to management. Timely communications may provide management an opportunity to address control deficiencies before managements report on internal control must be issued. In some instances, deficiencies can be corrected sufficiently early such that both management and the auditor can leave off that controls are in operation(p) effectively as of the balance sheet date. Regardless, these communications must be made no later than 60 days by-line the audit report release.Management LettersIn addition to these matters, auditors often identify less significant internal control-related issues, as well as opportunities for the client to make operational improvements. These should also be communicated to the client. The form of communication is often a separate letter for that purpose, called a management letter. Although management letters are not required by auditing standards, auditors generally prepare them as a value-added service of the audit.Test of controlsWeve examined how auditors link controls, significant deficiencies, and material Weaknesses in internal control to related audit objectives to assess control risk for each objective. Now well address how auditors test those controls that are used to support a control risk assessment. For example, each key c ontrol that the auditor intends to rely on to support a control risk of medium or low must be supported by sufficient tests of controls. We will deal with tests of controls for both audits of internal control for financial reporting and audits of financial statements. Assessing control risk requires the auditor to consider both the design and operation of controls to evaluate whether they will likely be effective in meeting related audit objectives. During the understanding phase, the auditor will have already gathered some evidence in support of both the design of the controls and their implementation by using procedures to obtain an understanding .In most cases, the auditor will not have gatheredenough evidence to reduce assessed control risk to a sufficiently low level. The auditor must therefore obtain additional evidence about the operating strength of controls throughout all, or at least most, of the period under audit. The procedures to test effectiveness of controls in supp ort of a reduced assessed control risk are called tests of controls. If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same assessed control risk as the preliminary assessment.If, however, the tests of controls indicate that the controls did not operate effectively, the assessed control risk must be reconsidered. For example, the tests may indicate that the application of a control was curtailed midway through the year or that the person applying it made frequent misstatements. In such situations, the auditor uses a higher assessed control risk, unless compensating controls for the same related audit objectives are identified and found to be effective. Of course, the auditor must also consider the impact of those controls that are not operating effectively on the auditors Report on internal control.Procedures for Tests of ControlsThe auditor is likely to use four types of procedures to support the operating effectivene ss of internal controls. Managements testing of internal control will likely include the same types of procedures. The four types of procedures are as follows 1. Make inquiries of conquer client personnel. Although inquiry is not a highly reliable source of evidence about the effective operation of controls, it is still appropriate. For example, to determine that unauthorized personnel are denied access to estimator files, the auditor may make inquiries of the person who controls the computer library and of the person who controls online access security password assignments.2. Examine documents, records, and reports. Many controls leave a introduce trail of documentary evidence that can be used to test controls. Suppose, for example, that when a customer order is received, it is used to create a customer sales order, which is approved for credit. Then the customer order is attached to the sales order as authorization for kick upstairs processing. The auditor can test the control by examining the documents to make sure that they are complete and properly matched and that required signatures or initials are present. 3. Observe control-relatedactivities. Some controls do not leave an evidence trail, which office that it is not possible to examine evidence that the control was executed at a later date. For example, separation of duties relies on specific persons performing specific tasks, and there is typically no documentation of the separate performance. For controls that leave no documentary evidence, the auditor generally observes them being applied at various points during the year.4. Reperform client procedures. thither are also control-related activities for which there are related documents and records, but their content is insufficient for the auditors purpose of assessing whether controls are operating effectively. For example, assume that prices on sales invoices are obtained from the master price list, but no indication of the control is document ed on the sales invoices. In these cases, it is common for the auditor to reperform the control activity to see whether the proper results were obtained. For this example, the auditor can re perform the procedure by tracing the sales prices to the authorized price list in effect at the date of the transaction. If no misstatements are found, the auditor can conclude that the procedure .Extent of ProceduresThe extent to which tests of controls are applied depends on the preliminary assessed control risk. If the auditor wants a lower assessed control risk, more extensive tests of controls are applied, both in terms of the number of controls tested and the extent of the tests for each control. For example, if the auditor wants to use a low assessed control risk, a larger sample size for documentation, observation, and re performance procedures should be applied. The extent of testing also depends on the frequency of the operation of the controls, and whether it is manual or automated.Re liance on Evidence from the Prior Years AuditWhen auditors plan to use evidence about the operating effectiveness of internal control obtained in prior audits, auditing standards require tests of the controls effectiveness at least each third year. If auditors determine that a key control has been changed since it was last tested, they should test it in the current year. When there are a number of controls tested in prior audits that have not been changed, auditing standardsrequire auditors to test some of those controls each year to ensure there is a rotation of controls testing throughout the three year period.Testing of Controls Related to Significant RisksSignificant risks are those risks that the auditor believes require special audit consideration. When the auditors risk assessment procedures identify significant risks, the auditor is required to test the operating effectiveness of controls that mitigate these risks in the current year audit, if the auditor plans to rely on t hose controls to support a control risk assessment below 100%. The greater the risk, the more audit evidence the auditor should obtain that controls are operating effectively.Testing Less Than the Entire Audit menstruationRecall that managements report on internal control deals with the effectiveness of internal controls as of the end of the fiscal year. PCAOB Standard 5 requires the auditor to perform tests of controls that are adequate to determine whether controls are operating effectively at year-end. The timing of the auditors tests of controls will therefore depend on the nature of the controls and when the company uses them. For controls that are applied throughout the accounting period, it is usually practical to test them at an interim date. The auditor will then determine later if changes in controls occurred in the period not tested and decide the implication of any change. Controls dealing with financial statement preparation occur only quarterly or at year-end and must therefore also be tested at quarter and year-end.Relationship between Tests of Controls and Procedures to Obtaining Understanding on that point is a significant overlap between tests of controls and procedures to obtain an understanding. Both include inquiry, documentation, and observation. There are two primary differences in the application of these common procedures. 1. In obtaining an understanding of internal control, the procedures to obtain an understanding are applied to all controls identified during that phase. Tests of controls, on the other hand, are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding. 2. Procedures to obtain anunderstanding are performed only on one or a few transactions or, in the case of observations, at a single point in time. Tests of controls are performed on larger samples of transactions (perhaps 20 to 100), and often, observations are made at more than one point in time.For key contro ls, tests of controls other than re performance are essentially an Extension of procedures to obtain an understanding. Therefore, assuming the auditors plan to obtain a low assessed control risk from the beginning of the integrated audit, they will likely combine both types of procedures and perform them simultaneously. One option is to perform the audit procedures separately, where marginal procedures to obtain an understanding of design and operation are performed, followed by additional tests of controls. An alternative is to combine both columns and do them simultaneously. The same amount of evidence is accrued in the second approach, but more efficiently. The determination of the appropriate sample size for tests of controls is an important audit decisions.Detection risk and the design of satisfying testsWeve cerebrate on how auditors assess control risk for each related audit objective and support control risk assessments with tests of controls. The completion of these acti vities is sufficient for the audit of internal control over financial reporting, even though the report will not be finalized until the auditor completes the audit of financial statements. The auditor uses the control risk assessment and results of tests of controls to determine planned detection risk and related all-important(a) tests for the audit of financial statements. The auditor does this by linking the control risk assessments to the balance related audit objectives for the accounts bear on by the major transaction types and to the four presentations and disclosure audit objectives. The appropriate level of detection risk for each balance-related audit objective is then decided using the audit risk model. The relationship of transaction-related audit objectives to balance-related audit objectives and the selection and design of audit procedures for hearty tests of financial statement.Types of testIn developing an overall audit plan, auditors use five types of tests to det ermine whether financial statements are fairly stated. Auditors use riskassessment procedures to assess the risk of material misstatement, represented by the combination of inherent risk and control risk. The other four types of tests represent further audit procedures performed in response to the risks identified. Each audit procedure falls into one, and sometimes more than one, of these five categories. Figure 13-1 shows the relationship of the four types of further audit procedures to the audit risk model. As Figure 13-1 illustrates, tests of controls are performed to support a reduced assessment of control risk, while auditors use analytic procedures and tests of details of balances to satisfy planned detection risk. Substantive tests of transactions affect both control risk and planned detection risk, because they test the effectiveness of internal controls and the dollar amounts of transactions.Risk Assessment ProceduresTThe second standard of fieldwork requires the auditor t o obtain an understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement in the clients financial statements. Risk assessment procedures are performed to assess the risk of material misstatement in the financial statements. The auditor performs tests of controls, substantial tests of transactions, analytic procedures, and tests of details of balances in response to the auditors assessment of the risk of material misstatements.The combination of these our types of further audit procedures provides the basis for the auditors opinion, as illustrated by Figure 13-1. A major part of the auditors risk assessment procedures are done to obtain an Understanding of internal control. Procedures to obtain an understanding of internal control were studied and focus on both the design and implementation of internal control and are used to assess control risk for each transaction-related audit objectively Tests of ControlsEThe audito rs understanding of internal control is used to assess control risk for each transaction-related audit objective. Examples are assessing the accuracy objective for sales transactions as low and the occurrence objective as moderate. When control policies and procedures are believed to be effectively designed, the auditor assesses control risk at a level that reflects the relative effectiveness of those controls. To obtain sufficientappropriate evidence to support that assessment, the auditor performs tests of controls.S Tests of controls, either manual or automated, may include the following types of evidence. (Note that the first three procedures are the same as those used to obtain an understanding of internal control.) Make inquiries of appropriate client personnel Examine documents, records, and reports Observe control-related activities Reperform client proceduresAuditors perform a system walkthrough as part of procedures to obtain an under standing to help them determine whet her controls are in place. The walkthrough is normally applied to one or a few transactions and follows that transaction through the entire process. For example, the auditor may select one sales transaction for a system walk through of the credit approval process, then follow the credit approval process from initiation of the sales transaction through the granting of credit. Tests of controls are also used to determine whether these controls are effective and usually involve testing a sample of transactions. As a test of the operating effectiveness of the credit approval process, for example, the auditor might examine a sample of 50 sales transactions from throughout the year to determine whether credit was granted before the shipment of goods.Procedures to obtain an understanding of internal control generally do not provide sufficient appropriate evidence that a control is operating effectively. An exception may apply for automated controls because of their accordant performance. The auditors procedures to determine whether the automated control has been implemented may also serve as the test of that control, if the auditor determines there is minimal risk that the automated control has been changed since the understanding was obtained. Then, no additional tests of controls would be required. The amount of additional evidence required for tests of controls depends on two things 1. The extent of evidence obtained in gaining the understanding of internal control2. The planned reduction in control riskFigure 13-2 (p. 406) shows the role of tests of controls in the audit of the sales and collection cycle relative to other tests performed to providesufficient appropriate evidence for the auditors opinion. Note the un shaded circles with the words Audited by TOC. For simplicity, we make two assumptions Only sales and cash receipts trans actions and three general al-Quran balances make up the sales and collection cycle and the beginning balances in cash and accou nts receivable were audited in the previous year and are considered correct. If auditors verify that sales and cash receipts transactions are correctly recorded in the accounting records and posted to the general ledger, they can conclude that the ending balances in accounts receivable and sales are correct.(Cash disbursements transactions will OF have to be audited before the auditor can form a conclusion about the ending balance in the cash account.) One way the auditor can verify enter of transactions is to perform tests of controls. If controls are in place over sales and cash receipts transactions, the auditor can perform tests of controls to determine whether the six transaction-related audit objectives are being met for that cycle. Substantive tests of transactions, which we will examine in the next section, also affect audit assurance for sales and cash receipts transactions.Substantive Tests of TransactionsSTSSubstantive tests are procedures designed to test for dollar mi sstatements (often called monetary misstatements) that directly affect the correctness of financial statement balances. Auditors rely on three types of material tests substantive tests of transactions, substantive analytical procedures, and tests of details of balances. Substantive tests of transactions are used to determine whether all six transactions related audit objectives have been satisfied for each class of transactions. Two of those objectives for sales transactions are recorded sales transactions exist (occurrence objective) and existing sales transactions are recorded (completeness objective for the six transaction-related audit objectives.When auditors are confident that all transactions were correctly recorded in the journals and correctly posted, considering all six transaction-related audit objectives, they can be confident that general ledger totals are correct. Figure 13-2 illustrates the role of substantive tests of transactions in the audit of the sales and colle ction cycle by lightly shaded circles with the words Audited by STOT. Observe that both tests of controls and substantive tests of transactions are performed for transactions in the cycle, not on the ending accountbalances. The auditor verifies the recording and summarizing of sales and cash receipts transactions by performing substantive tests of transactions. Figure 13-2 shows one set of tests for sales and another for cash receipts.analytical Proceduresanalytical procedures involve comparisons of recorded amounts to expectations developed by the auditor. Auditing standards require that they be done during planning and completing the audit. Although not required, analytical procedures may also be performed to audit an account balance. The two most important purposes of analytical procedures in the audit of account balances are to 1. Indicate possible misstatements in the financial statements2. Provide substantive evidenceAnalytical procedures done during planning typically differ from those done in the testing phase. Even if, for example, auditors calculate the gross margin during planning, they probably do it using interim data. Later, during the tests of the ending balances, they will recalculate the ratio using full-year data. If auditors believe that analytical procedures indicate a reasonable possibility of misstatement, they may perform additional analytical procedures or decide to modify tests of details of balances. When the auditor develops expectations using analytical procedures and concludes that the clients ending balances in certain accounts come out reasonable, certain tests of details of balances may be eliminated or sample sizes reduced.Auditing standards state that analytical procedures are a type of substantive test (referred to as substantive analytical procedures), when they are performed to provide evidence about an account balance. The Extent to which auditors may be willing to rely on substantive analytical procedures in support of an account balance depends on several factors, including the precision of the expectation developed by the auditor, materiality, and the risk of material misstatement. Figure 13-2 illustrates the role of substantive analytical procedures in the audit of the sales and collection cycle by the stern shaded circles with the words Audited by AP. Observe that the auditor performs substantive analytical procedures on sales and Cash receipts transactions, as well as on the ending balances of the accounts in the cycle.Tests of Details of BalancesTests of details of balances focus on the ending general ledger balances for both balance sheet and income statement accounts. The primary emphasis in most tests of details of balances is on the balance sheet. Examples include deterrent of customer balances for accounts receivable, physical examination of list, and examination of vendors statements for accounts payable. Tests of ending balances are essential because the evidence is usually obtaine d from a source independent of the client, which is considered highly reliable. Much like for transactions, the auditors tests of details of balances must satisfy all balance-related audit objectives for each significant balance sheet account.Figure 13-2 illustrates the role of tests of details of balances by the circles with half dark and half light shading and the words Audited by TDB. Auditors perform detailed tests of the ending balances for sales and accounts receivable, including procedures such as confirmation of account receivable balances and sales cutoff tests. The extent of these tests depends on the results of tests of controls, substantive tests of transactions, and substantive analytical procedures for these accounts. Tests of details of balances help establish the monetary correctness of the accounts they relate to and therefore are substantive tests. For example, confirmations test for monetary misstatements in accounts receivable and are therefore substantive tests. Similarly, counts of inventory and cash on hand are also substantive tests.OSelect the appropriate types of audit testsTypically, auditors use all five types of tests when performing an audit of the financial statements, but certain types may be emphasized, depending on the circumstances. Recall that risk assessment procedures are required in all audits to assess the risk of material misstatement while the other four types of tests are performed in response to the risks identified to provide the basis for the auditors opinion. Note also that only risk assessment procedures, especially procedures to obtain an understanding of controls, and tests of controls are performed in an audit of internal control over financial reporting. Several factors influence the auditors choice of the types of tests to select, including the availability of the eight types of evidence, the relative costs of each type of test, the effectiveness ofinternal controls, and inherent risks. Only the first two ar e discussed further because the last two were discussed in earlier chapters. Availability of Types of Evidence for Further Audit Procedures OEach of the four types of further audit procedures involves only certain types of evidence (confirmation, documentation, and so forth. More types of evidence, six in total, are used for tests of details of balances than for any other type of test. Only tests of details of balances involve physical examination and confirmation. Inquiries of the client are made for every type of test. Documentation is used in every type of test except analytical procedures. Re performance is used in every type of test except analytical procedures. Auditors may re perform a control as part of a transaction walkthrough or to test a control that is not supported by sufficient documentary evidence. Recalculation is used to verify the mathematical accuracy of transactions when per forming substantive test of transactions and account balances when per forming tes ts of details of balances.Relative CostsWhen auditors must decide which type of test to select for obtaining sufficient appropriate evidence, the cost of the evidence is an important consideration. The types of tests are listed below in order of increasing cost Analytical procedures Risk assessment procedures, including procedures to obtain an understanding of internal control Tests of controls Substantive tests of transactions Tests of details of balancesAnalytical procedures are the least costly because of the relative ease of making calculations and comparisons. Often, considerable information about potential misstatements can be obtained by simply comparing two or three numbers. Risk assessment procedures, including procedures to obtain an understanding of internal control, are not as costly as other audit tests because auditors can easily make inquiries and observations and perform planning analytical procedures. Also, examining such things as documentssummarizing the clients b usiness operations and processes and management and governance structure are relatively cheaper than other audit tests. Because tests of controls also involve inquiry, observation, and inspection, their relative costs are also low compared to substantive tests.However, tests of controls are more costly relative to the auditors risk assessment procedures due to a greater extent of testing required to obtain evidence that a control is operating effectively, especially when those tests of controls involve re performance. Often, auditors can perform a large number of tests of controls quickly using audit software. Such software can test controls in clients computerized accounting systems, such as in computerized accounts receivable systems that automatically authorize sales to existing customers by comparing the proposed sales amount and existing accounts receivable balance with the customers credit limit. Substantive tests of transactions cost more than tests of controls that do not in clude re performance because the former often require recalculations and tracings.In a computerized environment, however, the auditor can often perform substantive tests of transactions quickly for a large sample of transactions. Tests of details of balances intimately always cost advantageously more than any of the Other types of procedures because of the cost of procedures such as sending confirmations and counting inventories. Because of the high cost of tests of details of balances, auditors usually try to plan the audit to minimize their use. Naturally, the cost of each type of evidence varies in different situations. For example, the cost of an auditors test-counting inventory (a substantive test of the details of the inventory balance) often depends on the type and dollar value of the Inventory, its location, and the number of different items.Relationship between Tests of Controls and Substantive Tests To better understand tests of controls and substantive tests, lets exami ne how they differ. An exception in a test of control only indicates the likelihood of misstatements affecting the dollar value of the financial statements, whereas an exception in a substantive test of transactions or a test of details of balances is a financial statement misstatement. Exceptions in tests of controls are called control test deviations. From the three levels of control deficiencies deficiencies, significant deficiencies, andmaterial weaknesses. Auditors are most likely to believe material dollar misstatements exist in the financial statements when control test deviations are considered to be significant deficiencies or material weaknesses. Auditors should then perform substantive tests of transactions or tests of details of balances to determine whether material dollar misstatements have actually occurred.Assume that the clients controls require an independent work to verify the quantity, price, and extension of each sales invoice, after which the clerk must initi al the duplicate invoice to indicate performance. A test of control audit procedure is to inspect a sample of duplicate sales invoices for the initials of the person who verified the information. If a significant number of documents lack initials, the auditor should consider implications for the audit of internal control over financial reporting and follow up with substantive tests for the financial statement audit. This can be done by extending tests of duplicate sales invoices to include verifying prices, extensions, and footings (substantive tests of transactions) or by increasing the sample size for the confirmation of accounts receivable (substantive test of details of balances).Even though the control is not operating effectively, the invoices may still be correct, especially if the person originally preparing On the other hand, if no documents or only a few of them are missing initials, the control will be considered effective and the auditor can therefore reduce substantive tests of transactions and tests of details of balances. However, some re performance and recalculation substantive tests are still necessary to provide the auditor assurance that the clerk did not initial documents without actually performing the control procedure or performed it carelessly. Because of the need to complete some re performance and recalculation tests, many auditors perform them as a part of the original tests of controls. Others wait until they know the results of the tests of controls and then determine the total sample size needed.Relationship between Analytical Procedures and Substantive Tests wish tests of controls, analytical procedures only indicate the likelihood of misstatements affecting the dollar value of the financial statements. Unusual fluctuations in the relationships of an account to other accounts, or to nonfinancial information, may indicate an increased likelihood that material misstatements exist without necessarily providing direct evidence of a material misstatement. When analytical procedures identify unusual fluctuations, auditors should perform substantive tests of transactions or tests of details of balances to determine whether dollar misstatements have actually occurred.If the auditor performs substantive analytical procedures and believes that the likelihood of material misstatement is low, other substantive tests can be reduced. For accounts with small balances and only minimal potential for material misstatements, such as many supplies and prepaid expense accounts, auditors often limit their tests to substantive analytical procedures if they conclude the accounts are reasonably stated.Trade-Off between Tests of Controls and Substantive TestsThere is a trade-off between tests of controls and substantive tests. During planning, auditors decide whether to assess control risk below the maximum. When they do, they must then perform tests of controls to determine whether the assessed level of control risk is supported. (They must always perform test of controls in an audit of internal control over financial reporting.) If tests of controls support the control risk assessment, planned detection risk in the audit risk model is increased, and planned substantive tests can therefore be reduced. Figure 13-3 shows the relationship between substantive tests and control risk assessment (including tests of controls) at differing levels of internal control effectiveness daze of information technology on audit testingAuditing standards provide guidance for auditors of entities that transmit process, maintain, or access significant information electronically. Examples of electronic evidence include records of electronic fund transfers and purchase orders transmitted through electronic data interchange (EDI). Evidence of the performance of automated controls, such as the computers comparison of proposed sales orders to customer credit limits, may also only be in electronic form. The standards recognize that wh en a significant amount of audit evidence exists in electronic form, it may not be practical or possible to reduce detection risk to an acceptable level by performing only substantive tests. For example, the potential for improper initiation or alteration of information may be greater if information is maintained only in electronic form.In these circumstances, the auditor should performtests of controls to gather evidence in support of an assessed level of control risk below maximum for the affected financial statement assertions. Although some substantive tests are still required, the auditor can significantly reduce substantive tests if the results of tests of controls support the effectiveness of controls. In the audit of a larger public company, computer-performed controls (these are called automated controls) must be tested if the auditor considers them to be key controls for reducing the likelihood of material misstatements in the financial statements. Because of the inherent consistency of IT processing, however, the auditor may be able to reduce the extent of testing of an automated control.For example, software based control is almost certain to function consistently unless the program is changed. Once auditors determine an automated control is functioning properly, they can focus subsequent tests on assessing whether any changes have occurred that will limit the effectiveness of the control. Such tests might include determining whether any changes have occurred to the program and whether these changes were properly authorized and tested prior to implementation. This approach leads to significant audit efficiencies when the auditor determines that automated controls tested in the prior years audit have not been changed and continue to be subject to effective general controls.To test automated controls or data, the auditor may need to use computer-assisted audit techniques or use reports produced by IT to test the operating effectiveness of IT general controls, such as program change controls and access controls. In many cases, testing of automated controls may be performed by IT audit specialists. When auditors test manual controls that rely on IT-generated reports, they must consider both the Effectiveness of managements review and automated controls over the accuracy of Information in the report.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.