Chapter 9 Tests of Controls Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-1 Learning Objective 1: Tests of Controls • Provides auditor with evidence to support their assessment of control risk. When control risk assessed at less than high, necessary to gather evidence that controls are working. This evidence is gathered via test of controls. • If control risk is assessed at high, auditor will not undertake test of controls. • Auditor selects most efficient and effective combination of tests of controls, and substantive tests of transactions and balances. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-2 Assessing control risk • To assess control risk as high, auditor must expect that substantive procedures alone will provide sufficient appropriate evidence. • Areas where substantive procedures alone may not provide sufficient appropriate evidence include routine recording of significant classes of transactions, such as revenue or purchases. These areas often highly automated with little or no manual intervention. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-3 Planning the scope of tests of controls • • • • Nature – if controls exist that the auditor expects to rely upon, undertake tests of these controls, otherwise undertake substantive testing. Timing – to aid ability to meet deadlines and scheduling of staff, tests of controls sometimes scheduled before year-end. Testing then extended (rolled forward) until year-end. Extent – the more the auditor relies on controls, the greater the extent of tests of controls. For tests of controls related to documents, extent determined by reference to sampling theory. Controls related to accounting routines (e.g. bank reconciliations) usually tested by re-performing a small number. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-4 Learning Objective 2: Existence, Effectiveness and Continuity of Controls • For internal controls to provide audit evidence about risk of material misstatements at the assertion level, the auditor must collect audit evidence about the existence, effectiveness and continuity of controls. • Evidence of existence of controls is usually gained when auditor is evaluating control risk. • Tests of controls are aimed at establishing their effectiveness and continuity. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-5 Aspects of internal control Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-6 Learning Objective 3: Sufficiency and Appropriateness • Dependent on the level of control risk the tests must support. • The lower the planned assessed level of control risk, the greater the amount of testing that is required. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-7 Others factors affecting sufficiency and appropriateness • Auditor should also consider: – – – type and source of evidence timeliness interrelationship of evidence. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-8 Effect of documentation of controls: audit trail • Methods used by auditor is dependent on whether a documentary audit trail exists. • Where no audit trail exists, greater emphasis is placed on: – – • observation inquiry of the control. If audit trail does exist: – Inspect documentation for evidence of the control. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-9 Relationship between tests of controls and assertions When auditor’s assessment of material misstatement at assertion level includes an expectation that controls are operating effectively, the auditor should perform tests of controls to obtain evidence that the controls were operating effectively at relevant times during the audit. • Controls that relate to the control environment of a company’s internal control system relate less directly to specific financial report assertions. • Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-10 Assertions and testing control activities • The information system, control activities and monitoring of controls are built around major flows of transactions and events. Possible to relate most tests of controls for these elements to assertions about classes of transactions and events: (i) Occurrence – transactions and events that have been recorded, have occurred and pertain to the entity; (ii) Completeness – all transactions and events that should have been recorded have been recorded; (iii) Accuracy – amounts and other data relating to recorded transactions and events have been recorded appropriately (iv) Cutoff – transactions and events have been recorded in the correct accounting period; and (v) Classification – transactions and events have been recorded in the proper accounts. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-11 Learning Objective 4: Revenues, Receivables and Receipts (Sales Cycle) • Sales cycle involves all those transactions and events that are initiated when an entity makes a sale. It is commonly characterised by a high volume of routine transactions. • Audit problems commonly related to clerical processing rather than complex accounting problems. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-12 Key functions in typical sales cycle • • • • • • • Order entry and order approval by credit department Shipping Invoicing General ledger entry Accounts receivable Mail opening Cashier functions. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-13 Typical credit sales flowchart Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-14 Typical cash collection flowchart Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-15 Sales cycle — routine and non-routine transactions • Routine transactions: – • credit sales to customers, cash collections from customers (flowcharts), usually strong control system, auditor considers (and usually undertakes) tests of controls. Non-routine transactions: – adjustments to sales, and provisions for doubtful debts. Less well controlled. Where material, auditor undertakes substantive testing. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-16 Control objectives for sales system • Controls are in place to ensure that: – – – – – Occurrence – all sales recorded are bona fide transactions for merchandise actually shipped to customers; Completeness – all sales shipped are invoiced and recorded in accounting records; Accuracy – invoices have been recorded correctly as to amount and summarised correctly; Cutoff – invoices have been recorded in correct period; Classification – sales classified in accordance with written policies. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-17 Example of linking objectives to control policies and tests of controls for sales (Ref. Table 9.4 p. 411) top of table 9.4 Special control objectives • Occurrence – All sales recorded are bona fide transactions for merchandise actually shipped to customers. Common control policies and procedures Tests of controls • Policy of authorisation of credit and terms • Evidence of quantities shipped reconciled to quantities invoiced • Select sample of sales transactions from sales journal (daily activity report), check for authorisation and trace to shipping document file • Inspect reconciliation of shipments to invoices Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-18 Control objectives for cash receipt system • Controls are in place to ensure: – – – – – Occurrence – recorded cash receipts are for collection of receivables resulting from sales to customers of the entity; Completeness – all cash receipts are recorded and deposited; Accuracy – cash receipts have been recorded correctly as to amount; Cutoff – cash receipts have been recorded in correct period; Classification – cash receipts are classified in accordance with company policy. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-19 Example of linking control objectives to control policies to tests of controls: cash receipts (Ref.: Table 9.5 p. 413) Special control objectives Common control policies and procedures • Occurrence – Recorded • Cash receipts matched cash receipts are for collection of receivables resulting from sales to customers of the entity. to specific sales invoices in posting to accounts receivable master file. Test of controls • Select a sample of entries in cash receipts journal and review evidence that matched to specific sales invoices. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-20 Types of misstatement in sales cycle • Generally result of: – – – – clerical mistakes; employee fraud; misapplied accounting principles, especially around some revenue recognition issues; management fraud. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-21 Learning Objective 5: Expenditures, Payables and Disbursements Expenditure cycle — all transactions and events initiated when an entity acquires assets or services used for cash or credit. • Auditors (and many entities) often separate this cycle into a number of sub-cycles, which reflect various types of services and assets that can be acquired. • Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-22 Sub-cycles in expenditures, payables and disbursements • These sub-cycles are: – – – – – – payroll property, plant and equipment inventory income taxes selling and administrative expenses miscellaneous expenses paid from petty cash. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-23 Key functions within the inventory sub-cycle • Purchasing • Receiving • Accounts payable • Cash disbursements function. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-24 Typical purchases and cash payments flowchart Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-25 Control objectives for purchases of inventory • Controls are in place to ensure: – – – – – Occurrence – all recorded purchases are bona fide transactions in that they relate to goods or services authorised or received; Completeness – all purchases for the period of inventory received are recorded; Accuracy – purchases of goods or services for inventory are recorded correctly as to amount and summarised correctly; Cutoff – purchase invoices have been recorded in correct period; Classification – purchase are classified in accordance with classification policies. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-26 Example of Linking Control Objectives, Controls and Test of Controls: Purchases Special control objectives • Occurrence – All recorded purchases are bona fide transactions in that they relate to goods or services authorised or received. Common controls Tests of controls • Approval of purchase • Examine evidence of order • Goods received are counted, inspected and compared to purchase order before acceptance • Comparison of purchase order, receiving report and supplier’s invoice and recomputation of supplier’s invoice before recording liability approved purchase and service orders • Select a sample of order entries in purchases journal, trace back to vouchers and inspect for existence of supporting document including receiving report, ensuring agreement of details and indication of approval From Table 9.6 (p. 422-3) Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-27 Control objectives in a cash disbursements system • Controls are in place to ensure: – – – – – Occurrence – recorded cash disbursements are for goods or services authorised and received; Completeness – all cash disbursements are recorded; Accuracy – cash disbursements are recorded correctly as to amount; Cutoff – cash disbursements recorded in correct period; Classification – cash disbursements are recorded correctly as to account. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-28 Example of linking control objectives, controls and test of controls: purchases : cash disbursements (Ref.: Table 9.7 p. 423) Special control objectives • Occurrence – Recorded cash disbursements are for goods or services authorised and received. Common control policies and procedures Tests of controls • Cheques printed or prepared • Select a sample of cash only when receipt of goods or services and approval are documented (e.g. supporting documents compared, recomputed and voucher approved) • Cheques signed only after viewing supporting documentation and prior approval • Supporting documentation cancelled and reference to cheque number disbursement transactions from cash payments journal and inspect supporting documentation for indication of checking, review and approval • Observe and inquire about cheque preparation and signing and protection of unissued cheques • For the sample of cash disbursement transactions inspect supporting documents for cancellation, cheque number and endorsement Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-29 Potential misstatements in expenditure cycle • As expenditure cycle involves disbursements of cash there is a greater risk of fraud or irregularity, including: – – – – – classic disbursements fraud kickbacks illegal acts unauthorised executive perks kiting. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-30 Learning Objective 6: Selling and Administrative Expenses • Processing and related control policies and procedures for selling and administrative expenses are similar to those for purchases of inventory. • Auditor will normally obtain comfort from cash disbursement testing for inventory purchases and perform minimal testing in this area. • Analytical procedures (e.g. comparing balance with prior periods) widely used as a key type of testing. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-31 Petty cash disbursements • Petty cash disbursements are usually immaterial in amount and therefore few, if any, audit procedures are applied to this area. • Where the area is significant, emphasis is on ensuring appropriate procedures are in place to safeguard cash. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-32 Payroll • The payroll function is usually audited in either of two ways (or best combination): – – focusing on analytical procedures (there are disaggregated and strong relationships in this area, e.g. comparing fortnightly payrolls); an emphasis is placed on tests of transactions over the payroll area with the key control being appropriate segregation of duties in the hiring function, approval of time worked, payroll preparation and payroll distribution. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-33 Tests of controls in payroll • If tests of controls are necessary the following audit procedures may be undertaken: – – – – authorisation by supervisors of time worked; check signed time cards/sheets; check use of approved pay rates (personnel department); check for reasonableness, compared with awards. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-34 Interest, rent, lease and insurance payments • Auditor usually takes a more substantive approach, which includes checking terms and conditions of contracts; • Auditor interested in the key control of authorisation of the contract; • Accounting treatment of leases is complex, and auditor might check controls that ensure leases are properly accounted for. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-35 Learning Objective 7: Testing Controls in Client Computer Programs • Separate techniques have to be developed for testing programmed controls. These are: – – – – test data integrated test facility controlled processing, reprocessing or parallel processing review program code and results of job processing. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-36 Test data Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-37 Integrated test facility Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-38 Auditing through computer – processing client data Controlled processing – auditor establishes control over processing of client’s data; • Controlled reprocessing – auditor reprocesses client data; • Parallel processing – simultaneously processes client data through client and auditor programs. • Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-39 Auditing through computer – other approaches Program code review — involves reviewing relevant code line by line, considering whether processing steps and control procedures are properly coded and logically correct. • Review of job accounting data — involves reviewing printed log of jobs, looking for excessive processing time, abnormal halts, and etc. • Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-40 Advanced CAATs • Systems control audit review file (SCARF) – • Snapshot – • audit modules embedded in programs to monitor transaction activity. transactions are tagged and then identified at certain points during processing to see how program is treating them. Audit hooks – points in program that allow auditor to insert commands for special processing. Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett 9-41