Chapter 11
Tests of Controls
Objectives
• Explain the relationship between control risk assessment and audit strategy
• Describe the purpose of tests of controls and the nature, timing and extent of such tests
• Clarify how the work of internal auditing may be used in tests of controls
• Explain the process of assessing control risk and documenting the conclusion
• Indicate the appropriate communications the auditor makes on internal control matters
• Describe the types of controls you would expect to see in an information technology environment
• Identify the alternate types of computer-assisted audit techniques
Preliminary Assessment of Control Risk
• ASA 315 para 25 states: The auditor shall identify and assess the risks of material misstatement at the financial report level, and at the assertion level for classes of transaction, account balances and disclosures
• Assessment to obtain a reasonable understanding of controls in place
• Subsequently, decide on appropriate audit strategy so as to design a detailed audit program
Process of assessing control risk
• Use professional judgement to assess the control environment
• Assess the design effectiveness of control procedures and their ability to prevent or correct misstatements
• Assess whether controls were effectively applied throughout the period under audit
Assessment of control risk and audit strategy
• In order to place reliance on the internal controls to support the audit opinion, the auditor must test controls to ensure that they have been implemented as they were designed
• In order to complete the work on internal controls the auditor must carry out the following steps:
– Perform tests of controls
– Evaluate the evidence obtained and assess the level of control risk
• When an auditor chooses a predominantly substantive approach, he or she should have sufficient knowledge of the system of internal control to understand the potential causes of misstatements.
• This approach is associated with a planned assessed level of control risk of high based on one of the following:
– No significant internal controls that relate to the assertion
– Relevant internal controls are unlikely to be effective
– Efficient to obtain evidence to evaluate the effectiveness of relevant internal controls
• In some cases a lower assessed level of control risk approach is planned because the client has effective internal controls and the auditor plans to test those controls
• In some circumstances the auditor might find that contrary to expectations the control appears to be ineffective – in such a case, it is appropriate to change the strategy to a predominantly substantive approach
Tests of Controls
• Tests of controls are carried out to evaluate the operating effectiveness of the internal control policies and procedures
• The auditor must decide on the nature, timing and extent of tests of control
• ASA 330 The Auditor’s Procedures in Response to Assessed Risks
Designing tests
• Tests of controls include:
– enquiring of client personnel
– observation of activities and procedures
– e.g. observation of counting during a stock take
– inspection of documents and records
– re-performance of procedures
• Tests of controls are conducted at an interim period so that the auditor can get an early indication of whether controls are operating effectively and change to substantive tests if required
• Extent of tests is determined by the auditor's planned assessed level of control risk
– More extensive testing is needed for a low assessed level of control risk
Illustrative partial audit program for tests of controls
Using internal auditors
• Internal audit is generally considered a crucial part of the corporate governance structure of the company.
• Effectiveness of internal audit must be considered first in accordance with ASA 610 Considering the Work of Internal Audit
• Issues include organisational status, independence, technical expertise, supervision of work etc.
Final assessment
• Need to fully document all tests
• Important to communicate all concerns regarding internal control matters to the entity’s management and board
• Refer ASA 265 on Communication of Audit Matters with Those Charged with Corporate Governance (i.e. to director level)
Communication of internal control matters
• Insert figure 1: monitoring applied to the internal control process
Types of controls in an information technology environment
Overview of computer controls
• Audit strategies for assessing control risk
– Assessing control risk based on user controls
– Planning for a low control risk assessment based on application controls
– Planning for a high control risk assessment based on general controls and manual follow-up
• User controls
– Manual procedures designed to test the completeness and accuracy of computer processed transactions
• Application controls
– Use of automated controls and planning of strategies to assess control risk as low
Computer assisted audit techniques
• Test data
• Integrated test facility
• Parallel simulation
• Continuous monitoring
• Tagging transactions
• Systems control audit review file
• Test data
– Dummy transactions are prepared by the auditor and processed under auditor control by the entity’s software
– e.g. payroll test data may include both a valid and invalid overtime transaction to test how the system processes it
• Integrated test facility
– requires the creation of a small subsystem with dummy master files that are subjected to the same programmed controls as are placed on the actual data, and a separate set of outputs is produced for the auditor
– advantage is the integrated test facility allows for ongoing testing
– disadvantage is the risk that errors could be created in the entity’s data files
– accordingly, entities are often reluctant to allow auditors to do this type of testing unless the integrity of the testing can be guaranteed
• Parallel simulation
– involves reprocessing actual entity data using auditor-controlled software
– advantage is the auditor can independently run tests and verify transactions by tracing them to source documents and approvals
– must ensure data tested is representative
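A parallel simulation of a payroll run, as an added example that is not part of the original slides: the auditor recomputes gross pay from the entity's input records with independent logic and compares the result to what the entity's system reported, in both directions. The records, the 38-hour standard week and the 1.5 overtime multiplier are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample: timesheet records extracted from the entity's system.
ENTITY_INPUT = [
    {"emp": "E001", "hours": "38.0", "rate": "30.00"},
    {"emp": "E002", "hours": "45.5", "rate": "28.50"},
    {"emp": "E003", "hours": "40.0", "rate": "41.25"},
    {"emp": "E004", "hours": "52.0", "rate": "25.00"},
]
# Constructed sample: gross pay reported by the entity's own payroll run.
ENTITY_OUTPUT = {"E001": "1140.00", "E002": "1403.63",
                 "E003": "1650.00", "E005": "900.00"}

# Assumed pay rules, coded by the auditor independently of the entity's program.
STANDARD_HOURS = Decimal("38")
OVERTIME_MULTIPLIER = Decimal("1.5")


def auditor_gross(hours, rate):
    """Recompute gross pay with auditor-controlled logic."""
    hours, rate = Decimal(hours), Decimal(rate)
    ordinary = min(hours, STANDARD_HOURS)
    overtime = max(hours - STANDARD_HOURS, Decimal("0"))
    gross = ordinary * rate + overtime * rate * OVERTIME_MULTIPLIER
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(inputs, reported):
    """Return (employee, expected, reported, reason) for every exception."""
    exceptions, seen = [], set()
    for rec in inputs:
        emp = rec["emp"]
        seen.add(emp)
        expected = auditor_gross(rec["hours"], rec["rate"])
        if emp not in reported:
            exceptions.append((emp, expected, None, "missing from entity output"))
        elif Decimal(reported[emp]) != expected:
            exceptions.append((emp, expected, Decimal(reported[emp]), "amount differs"))
    # Completeness in the other direction: payments with no source record.
    for emp in sorted(set(reported) - seen):
        exceptions.append((emp, None, Decimal(reported[emp]), "no source record"))
    return exceptions


if __name__ == "__main__":
    for row in parallel_simulation(ENTITY_INPUT, ENTITY_OUTPUT):
        print(row)
```

Each exception is then traced to source documents and approvals; the comparison says nothing about records that were never extracted, which is why the data tested must be representative.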
• Continuous monitoring of online real-time systems
– An audit routine is added to the processing programs
– Transactions sampled at random intervals
– Output is used in testing controls
• Tagging transactions
– Indicator placed on selected transactions
– Transaction is traced through the system as it is being processed
• Systems control audit review file
– File used to record events that meet auditor specified criteria as they occur at designated points in the system
– Also known as an audit log
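The three embedded techniques above (continuous monitoring, tagging, and the systems control audit review file) combined in one audit routine, as an added example that is not part of the original slides. The class and function names, the criteria, the checkpoint names and the transactions are all constructed assumptions, and `process` is a stand-in for the entity's processing program.

```python
import random

# Auditor-specified criteria (assumed for this example): name -> predicate.
CRITERIA = {
    "amount over 10000": lambda t: t["amount"] > 10_000,
    "approver is preparer": lambda t: t["approved_by"] == t["prepared_by"],
}


class EmbeddedAuditModule:
    """Audit routine the processing program calls at designated points."""

    def __init__(self, criteria, sample_rate=0.0, seed=None):
        self.criteria = criteria
        self.sample_rate = sample_rate
        self.rng = random.Random(seed)  # seed makes the selection reproducible
        self.review_file = []           # the systems control audit review file

    def checkpoint(self, point, txn):
        reasons = [name for name, test in self.criteria.items() if test(txn)]
        if txn.get("audit_tag"):                  # tagged transaction
            reasons.append("tagged")
        if self.rng.random() < self.sample_rate:  # random sampling
            reasons.append("sampled")
        if reasons:
            self.review_file.append(
                {"point": point, "id": txn["id"], "reasons": reasons})


def process(txns, audit):
    """Stand-in for the entity's processing run, with audit hooks added."""
    posted = []
    for txn in txns:
        audit.checkpoint("input", txn)
        if txn["approved_by"] is None:
            continue  # rejected by the programmed approval control
        audit.checkpoint("posting", txn)
        posted.append(txn["id"])
    return posted


# Constructed sample transactions; T4 carries the auditor's tag.
TXNS = [
    {"id": "T1", "amount": 250, "prepared_by": "amy", "approved_by": "bob"},
    {"id": "T2", "amount": 18_500, "prepared_by": "amy", "approved_by": "bob"},
    {"id": "T3", "amount": 900, "prepared_by": "cal", "approved_by": "cal"},
    {"id": "T4", "amount": 400, "prepared_by": "amy", "approved_by": None,
     "audit_tag": True},
]
```

With no sampling, the review file holds T2 and T3 at both points and the tagged T4 at "input" only, which shows it was stopped by the approval control before posting.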