31
Modern Auditing: Modern Auditing: Assurance Services and the Assurance Services and the Integrity of Financial Reporting, Integrity of Financial Reporting, 8 8 th th Edition Edition William C. Boynton William C. Boynton California Polytechnic State California Polytechnic State University at San Luis Obispo University at San Luis Obispo Raymond N. Johnson Raymond N. Johnson Portland State University Portland State University Chapter 11 – Audit Procedures in Response to Assessed Risks: Tests of Controls

ch11

Embed Size (px)

Citation preview

Page 1: ch11

Modern Auditing:Modern Auditing:Assurance Services and the Assurance Services and the

Integrity of Financial Reporting, 8Integrity of Financial Reporting, 8thth EditionEdition

William C. BoyntonWilliam C. BoyntonCalifornia Polytechnic State California Polytechnic State

University at San Luis ObispoUniversity at San Luis ObispoRaymond N. Raymond N.

JohnsonJohnsonPortland State UniversityPortland State University

Chapter 11 – Audit Procedures in Response to Assessed Risks: Tests of Controls

Page 2: ch11

Chapter 11 OverviewChapter 11 Overview

Page 3: ch11

Assessing Control RiskAssessing Control RiskIn assessing control risk, the

auditor must evaluate the effectiveness of :

• Design of internal controls

• Operation of internal controls

Page 4: ch11

Steps in Assessing Control Steps in Assessing Control RiskRisk

Page 5: ch11

Process for Assessing Control Process for Assessing Control RiskRisk

• Consider Knowledge Acquired from Procedures to Obtain an Understanding

• Identify Potential Misstatements

Page 6: ch11

Process for Assessing Control Process for Assessing Control RiskRisk

• Identify Necessary Controls– Nature of controls to prevent or detect

and correct misstatements

– Nature of controls implemented by management

– Significance of each control

– Risk that designed controls may not operate effectively

Page 7: ch11

Control Design for Specific Control Design for Specific AssertionsAssertions

• Completeness Assertion

• Existence or Occurrence Assertion

• Valuation and Allocation Assertion

• Presentation and Disclosure Assertion

Page 8: ch11

Identify Necessary ControlsIdentify Necessary Controls

Page 9: ch11

Process for Assessing Control Process for Assessing Control RiskRisk

• Perform Tests of Controls– Evidence about effectiveness of the

design and operation of controls

• Evaluate Evidence and Make Assessment– Matter of professional judgment– Identify strengths and deficiencies– Express quantitatively or qualitatively

Page 10: ch11

Strategies for Performing Strategies for Performing Tests of Controls in an IT Tests of Controls in an IT

EnvironmentEnvironment• User Controls

• Application Controls

• General Controls and Manual Followup Procedures

Page 11: ch11

Overview of Computer Overview of Computer ControlsControls

Page 12: ch11

Computer-Assisted Audit Computer-Assisted Audit Techniques (CAATs)Techniques (CAATs)

• Auditing through the computer

• Advantageous when:– Significant part of internal controls

is imbedded in a computer program– Significant gaps in visible audit trail– Large volumes of records to be

tested

Page 13: ch11

Types of CAATsTypes of CAATs• Parallel Simulation

• Test Data

• Integrated Test Facility

• Continuous Monitoring of On-line Real-time Systems

Page 14: ch11

Parallel Simulation versus Test Parallel Simulation versus Test DataData

Page 15: ch11

Continuous Monitoring of On-Continuous Monitoring of On-Line Real-Time SystemsLine Real-Time Systems

• Continuous Monitoring

• Audit Hook

• Tagging Transactions

• Audit Log

Page 16: ch11

Methodologies for Meeting the Methodologies for Meeting the Second Standard of FieldworkSecond Standard of Fieldwork

Page 17: ch11

Study BreakStudy Break1. This step in assessing control risk

allows the auditor to consider the points at which errors or fraud could occur.

A. Evaluate EvidenceB. Perform Tests of ControlsC. Identify Potential MisstatementsD. Identify Necessary Controls

C. Identify Potential Misstatements

Page 18: ch11

Study BreakStudy Break2. This CAAT uses dummy transactions

that are processed under auditor control by the client’s computer system and the output is evaluated against expectations.

A. Parallel SimulationB. Test DataC. Integrated Test FacilityD. None of the above

B. Test Data

Page 19: ch11

Effects of Preliminary Audit Effects of Preliminary Audit StrategiesStrategies

• Primarily Substantive Approaches

• Lower Assessed Level of Control Risk

Page 20: ch11

Designing Tests of ControlsDesigning Tests of ControlsDesigned to evaluate the operating

effectiveness of a control concerned with:

• How the control was applied• Consistency with which it was

applied• By whom it was applied

Page 21: ch11

Nature of Tests of ControlsNature of Tests of Controls• Inquiries of entity personnel

• Inspection of items indicating performance of the control

• Observation of the application of the control

• Reperformance of the application of the control by the auditor

Page 22: ch11

Timing of Tests of ControlsTiming of Tests of Controls• One Occasion versus Multiple

Occasions

• Timing Issues– Interim Period

– Remaining Period

– Results from Prior Periods

Page 23: ch11

Extent of Tests of ControlsExtent of Tests of Controls• Nature of the Control

• Frequency of Operation

• Importance of the Control

Page 24: ch11

Designing Tests of ControlsDesigning Tests of Controls• Staffing Tests of Controls

• Audit Programs for Tests of Controls

• Dual-Purpose Tests

Page 25: ch11

Additional ConsiderationsAdditional Considerations• Assessing Control Risk for

Account Balance Assertions Affected by a Single Transaction Class

• Assessing Control Risk for Account Balance Assertions Affected by Multiple Transaction Classes

Page 26: ch11

Account Balance Assertions Account Balance Assertions and Transaction Class and Transaction Class

AssertionsAssertions

Page 27: ch11

Account Balance Assertions Account Balance Assertions and Transaction Class and Transaction Class

AssertionsAssertions

Page 28: ch11

Documenting the Assessed Documenting the Assessed Level of Control RiskLevel of Control Risk

• Control Risk Assessed at the Maximum– Only the conclusion is documented

• Control Risk Assessed at Below the Maximum– Basis for assessment must be

documented

Page 29: ch11

Communicating Internal Communicating Internal Control MattersControl Matters

• Internal Control Deficiency

• Significant Deficiency

• Material Weakness

Page 30: ch11

Study BreakStudy Break3. While evaluating the operating

effectiveness of a control, the tests of controls are concerned with all of the following except:

A. How the control was appliedB. The consistency with which it was appliedC. When it was appliedD. By whom it was applied

C. When it was applied

Page 31: ch11

Study BreakStudy Break4. Auditors are required to report a

deficiency in internal controls to management and the audit committee when there is a(n):

A. Internal Control Deficiency B. Significant DeficiencyC. Material WeaknessD. No Deficiencies

B. Significant Deficiency and C. Material Weakness