Upload
votuyen
View
225
Download
0
Embed Size (px)
Citation preview
Modern Auditing: Assurance Services and the Integrity
of Financial Reporting, 8th Edition
William C. Boynton California Polytechnic State
University at San Luis Obispo
Raymond N. Johnson Portland State University
Chapter 11 – Audit Procedures in Response to Assessed
Risks: Tests of Controls
Assessing Control Risk
In assessing control risk, the auditor
must evaluate the effectiveness of :
• Design of internal controls
• Operation of internal controls
Process for Assessing Control
Risk
• Consider Knowledge Acquired from
Procedures to Obtain an
Understanding
• Identify Potential Misstatements
Process for Assessing Control
Risk
• Identify Necessary Controls
– Nature of controls to prevent or detect and
correct misstatements
– Nature of controls implemented by
management
– Significance of each control
– Risk that designed controls may not operate
effectively
Control Design for Specific
Assertions
• Completeness Assertion
• Existence or Occurrence Assertion
• Valuation and Allocation Assertion
• Presentation and Disclosure
Assertion
Process for Assessing Control
Risk
• Perform Tests of Controls
– Evidence about effectiveness of the
design and operation of controls
• Evaluate Evidence and Make
Assessment
– Matter of professional judgment
– Identify strengths and deficiencies
– Express quantitatively or qualitatively
Strategies for Performing Tests
of Controls in an IT Environment
• User Controls
• Application Controls
• General Controls and Manual
Followup Procedures
Computer-Assisted Audit
Techniques (CAATs)
• Auditing through the computer
• Advantageous when:
– Significant part of internal controls is
imbedded in a computer program
– Significant gaps in visible audit trail
– Large volumes of records to be tested
Types of CAATs
• Parallel Simulation
• Test Data
• Integrated Test Facility
• Continuous Monitoring of On-line
Real-time Systems
Continuous Monitoring of On-
Line Real-Time Systems
• Continuous Monitoring
• Audit Hook
• Tagging Transactions
• Audit Log
Effects of Preliminary Audit
Strategies
• Primarily Substantive Approaches
• Lower Assessed Level of Control Risk
Designing Tests of Controls
Designed to evaluate the operating
effectiveness of a control concerned
with:
• How the control was applied
• Consistency with which it was applied
• By whom it was applied
Nature of Tests of Controls
• Inquiries of entity personnel
• Inspection of items indicating
performance of the control
• Observation of the application of the
control
• Reperformance of the application of the
control by the auditor
Timing of Tests of Controls
• One Occasion versus Multiple
Occasions
• Timing Issues
– Interim Period
– Remaining Period
– Results from Prior Periods
Extent of Tests of Controls
• Nature of the Control
• Frequency of Operation
• Importance of the Control
Designing Tests of Controls
• Staffing Tests of Controls
• Audit Programs for Tests of Controls
• Dual-Purpose Tests
Additional Considerations
• Assessing Control Risk for Account
Balance Assertions Affected by a
Single Transaction Class
• Assessing Control Risk for Account
Balance Assertions Affected by
Multiple Transaction Classes
Documenting the Assessed Level
of Control Risk
• Control Risk Assessed at the
Maximum
– Only the conclusion is documented
• Control Risk Assessed at Below the
Maximum
– Basis for assessment must be
documented