MODERN AUDITING, 7th Edition
William C. Boynton, California Polytechnic State University at San Luis Obispo
Raymond N. Johnson, Portland State University
Walter G. Kell, University of Michigan
Developed by: Gregory K. Lowry, MBA, CPA, Saint Paul’s College
John Wiley & Sons, Inc.
CHAPTER 10: ASSESSING CONTROL RISK / TESTS OF CONTROLS
Chapter outline:
1. Assessing Control Risk
2. Assessing Control Risk in an Information Technology Environment
3. Effects of Preliminary Audit Strategies
4. Designing Tests of Controls
5. Additional Considerations
Assessing Control Risk
Assessing Control Risk is the process of
evaluating the effectiveness of an entity’s
internal control in preventing or detecting
material misstatements in the financial
statements (AU 319.47).
The purpose of assessing control risk is to assist
the auditor in making a judgment about the risk
of material misstatement in financial statement
assertions. Assessing control risk involves
evaluating the effectiveness of:
1. the design and
2. the operation of controls.
In making an assessment of control risk for an
assertion, it is necessary for the auditor to:
1. Consider knowledge acquired from procedures to
obtain an understanding about whether controls
pertaining to the assertion have been designed and
placed in operation by the entity’s management.
2. Identify potential misstatements that could occur
in the entity’s assertion.
3. Identify the necessary controls that would likely
prevent or detect and correct the misstatements.
4. Perform tests of controls on the necessary controls
to determine the effectiveness of their design and
operation.
5. Evaluate the evidence and make the assessment.
Figure 10-1: Potential Misstatements, Necessary Controls, and Tests of Controls — Cash Disbursement Transactions

Potential misstatement (assertion): A cash disbursement may be made for an unauthorized purpose (existence or occurrence of valid transaction).
Necessary control: The computer matches the check information with information supporting the voucher and accounts payable for each disbursement transaction. Test of controls: Use computer-assisted audit techniques such as test data to test the computer application control.
Necessary control: Only authorized personnel are permitted to run the program and handle checks where the computer prints and signs checks. Test of controls: Observe individuals handling cash disbursements and compare with the list of authorized personnel.
Necessary control: Segregation of duties for approving payment vouchers and signing checks. Test of controls: Observe segregation of duties.

Potential misstatement (assertion): A voucher may be paid twice (existence or occurrence of valid transaction).
Necessary control: The computer electronically cancels the voucher and supporting information when the check is issued. Test of controls: Use computer-assisted audit techniques such as test data to test the computer application control.
Necessary control: Stamp the payment voucher and supporting documents "Paid" when the check is issued. Test of controls: Observe documents being stamped and/or inspect a sample of paid documents for presence of the "Paid" stamp.

Potential misstatement (assertion): A check may be issued for the wrong amount or it may be recorded in the wrong account (valuation or allocation).
Necessary control: The computer matches the check information with information supporting the voucher and accounts payable for each disbursement transaction. Test of controls: Use computer-assisted audit techniques such as test data to test the computer application control.
Necessary control: The computer compares the sum of checks issued with the entry to cash disbursements. Test of controls: Use computer-assisted audit techniques such as test data to test the computer application control.
Necessary control: Periodic independent bank reconciliations. Test of controls: Observe performance of bank reconciliations and/or inspect bank reconciliations.
Identify Necessary Controls
An auditor may identify necessary controls that
could likely prevent or detect and correct
specific potential misstatements by using
computer software that processes internal
control questionnaire responses or by manually
using checklists.
When the volume of cash disbursements is light
and timely detection of misstatements is not as
essential, periodic independent bank
reconciliations may adequately compensate for
the lack of a daily independent check. In such
a circumstance, the bank reconciliation might
be referred to as a compensating control.
The auditor must assimilate information about the
wide variety of possible controls related to any
internal control component in considering the risk
of potential misstatements in a particular assertion.
This concept may be represented graphically as
follows: the relevant internal control components
(control environment, risk assessment, information
and communication, control activities, and
monitoring) all feed into the assessment of control
risk for each assertion.
Figure 10-2: Overview of Computer Controls
Strategies for Performing
Tests of Controls
The following 3 strategies related to
assessing control risk are discussed below:
1. Assessing control risk based on user
controls.
2. Planning for a low control risk
assessment based on application
controls.
3. Planning for a high control risk
assessment based on general controls
and manual follow-up.
Computer-Assisted Audit Techniques
Computer-assisted audit techniques (CAATs)
involve using the computer to directly test
application controls, and are also known as
auditing through the computer. The auditor
may find that using the computer in tests of
controls is advantageous when:
1. A significant part of the internal controls is
embedded in a computer program.
2. There are significant gaps in the visible
audit trail.
3. There are large volumes of records to be
tested.
Important CAATs used to test the
operation of specific programmed
application controls include:
1. parallel simulation,
2. test data,
3. integrated test facility, and
4. continuous monitoring of on-line
real-time systems.
Figure 10-3: Reconstruction of Data Files
Figure 10-4: Control Risk Assessment Considerations for IT General Controls

ORGANIZATION AND OPERATION CONTROLS
Potential misstatement: Computer operators may modify programs to bypass programmed controls. Necessary control: Segregation of duties within IT for computer programming and computer operations. Possible test of controls: Observe segregation of duties within IT.
Potential misstatement: IT personnel may initiate and process unauthorized transactions. Necessary control: Segregation of duties between user departments and IT for initiating and processing transactions. Possible test of controls: Observe segregation of duties between user departments and IT.

SYSTEMS DEVELOPMENT AND DOCUMENTATION CONTROLS
Potential misstatement: Systems designs may not meet the needs of user departments or auditors. Necessary control: Participation of personnel from user departments and internal audit in designing and approving new systems. Possible test of controls: Inquire about participants involved in designing new systems; examine evidence of approval of new systems.
Potential misstatement: Unauthorized program changes may result in unanticipated processing errors. Necessary control: Approval and documentation of all systems software changes. Possible test of controls: Examine evidence of internal verification; trace selected program changes to supporting documentation.

HARDWARE AND SYSTEMS SOFTWARE CONTROLS
Potential misstatement: Equipment malfunctions may result in processing errors. Necessary control: Built-in hardware and systems software controls to detect malfunctions. Possible test of controls: Examine hardware and systems software specifications.
Potential misstatement: Unauthorized changes in system software may result in processing errors. Necessary control: Approval and documentation of all systems software changes. Possible test of controls: Examine evidence of approval and documentation of changes.

ACCESS CONTROLS
Potential misstatement: Unauthorized users may gain access to IT equipment. Necessary control: Physical security of IT facilities; management review of utilization reports. Possible test of controls: Inspect security arrangements and utilization reports.
Potential misstatement: Data files and programs may be processed or altered by unauthorized users. Necessary control: Use of a library, librarian, and logs to restrict access and monitor usage. Possible test of controls: Inspect facilities and logs.

DATA AND PROCEDURAL CONTROLS
Potential misstatement: Errors may be made in inputting or processing data or distributing output. Necessary control: Use of a data control group responsible for maintaining control over data input, processing, and output. Possible test of controls: Observe operation of the data control group.
Potential misstatement: Continuity of operations may be disrupted by a disaster such as a fire or flood. Necessary control: Contingency plan including arrangements for use of off-premises backup facilities. Possible test of controls: Examine the contingency plan.
Potential misstatement: Data files and programs may be damaged or lost. Necessary control: Storage of backup files and programs off premises; provision for reconstruction of data files. Possible test of controls: Examine storage facilities; evaluate file reconstruction capability.
Figure 10-5: Control Risk Considerations for Computer Application Controls

INPUT CONTROLS
Potential misstatement: Data for unauthorized transactions may be submitted for processing. Necessary control: Authorization and approval of data in user departments; application controls compare data with previous authorization. Possible test of controls: Examine source documents and batch transmittals for evidence of approval; test the application control with CAATs and test manual follow-up.
Potential misstatement: Valid data may be incorrectly converted to machine-sensible form. Necessary control: Verification (rekeying); computer editing; control totals. Possible test of controls: Observe data verification procedures; use CAATs to test edit routines and test manual follow-up; examine control total reconciliations.
Potential misstatement: Errors on source documents may not be corrected and resubmitted. Necessary control: Maintenance of error logs; return to user department for correction; manual follow-up. Possible test of controls: Inspect logs and evidence of follow-up.

PROCESSING CONTROLS
Potential misstatement: Wrong files may be processed and updated. Necessary control: Use of external and internal file labels. Possible test of controls: Observe use of external file labels; examine documentation for internal file labels.
Potential misstatement: Data may be lost, added, duplicated, or altered during processing. Necessary control: Use of control totals, limit and reasonableness checks, and sequence tests. Possible test of controls: Examine evidence of control total reconciliations; use CAATs to test computer checks and test manual follow-up.

OUTPUT CONTROLS
Potential misstatement: Output may be incorrect. Necessary control: Reconciliation of totals by the data control group or user department. Possible test of controls: Examine evidence of reconciliations.
Potential misstatement: Output may be distributed to unauthorized users. Necessary control: Use of report distribution control sheets; data control group monitoring. Possible test of controls: Inspect report distribution control sheets; observe data control group monitoring.
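As an added illustration (not from the textbook) of the test data CAAT applied to the programmed cash disbursement controls in Figures 10-1 and 10-5, the toy program below implements a check-to-voucher match, electronic voucher cancellation, a limit and reasonableness check, a sequence test and a control total, and then runs the auditor's constructed test data through it; the vendor names, voucher data and check limit are all assumed values, and each deliberately invalid item is expected to be rejected by exactly the control it targets.

```python
from dataclasses import dataclass, field

# Constructed open (approved, unpaid) vouchers: voucher number -> (payee, amount).
VOUCHERS = {"V100": ("Acme Supply", 1200.00),
            "V101": ("Delta Freight", 340.50),
            "V102": ("Omega Leasing", 5000.00)}
CHECK_LIMIT = 10000.00  # assumed reasonableness limit for a single check


@dataclass
class DisbursementRun:
    """Toy cash disbursement program with the programmed controls of Figures 10-1 and 10-5."""
    open_vouchers: dict = field(default_factory=lambda: dict(VOUCHERS))
    last_check_no: int = 1000
    checks_issued: list = field(default_factory=list)

    def issue_check(self, check_no, voucher_no, payee, amount):
        """Return None if every control passes; otherwise the control that rejected the check."""
        if check_no != self.last_check_no + 1:            # sequence test
            return "sequence test: check number out of sequence"
        if not 0 < amount <= CHECK_LIMIT:                  # limit and reasonableness check
            return "limit check: amount outside the allowed range"
        voucher = self.open_vouchers.get(voucher_no)       # match check to voucher / A/P
        if voucher is None:
            return "matching control: no open voucher (unauthorized or already paid)"
        if voucher != (payee, amount):
            return "matching control: check does not agree with voucher"
        del self.open_vouchers[voucher_no]                 # electronic cancellation: no second payment
        self.last_check_no = check_no
        self.checks_issued.append((check_no, voucher_no, payee, amount))
        return None

    def control_total_agrees(self, cash_disbursements_entry):
        """Sum of checks issued must equal the entry to cash disbursements."""
        total = round(sum(c[3] for c in self.checks_issued), 2)
        return total == round(cash_disbursements_entry, 2)


# Constructed test data: valid checks mixed with ones designed to trip each control.
TEST_DATA = [
    (1001, "V100", "Acme Supply", 1200.00),     # valid
    (1002, "V100", "Acme Supply", 1200.00),     # same voucher again -> duplicate payment
    (1002, "V101", "Delta Freight", 430.50),    # amount disagrees with voucher
    (1002, "V999", "Unknown Vendor", 50.00),    # no approved voucher
    (1004, "V102", "Omega Leasing", 5000.00),   # skips check number 1003
    (1002, "V102", "Omega Leasing", 5000.00),   # valid
    (1003, "V101", "Delta Freight", 34050.00),  # exceeds the check limit
    (1003, "V101", "Delta Freight", 340.50),    # valid
]


def run_test_data(test_data=TEST_DATA):
    """Process the test data; return the run and [(transaction, outcome)] for each item."""
    run = DisbursementRun()
    outcomes = [(txn, run.issue_check(*txn) or "accepted") for txn in test_data]
    return run, outcomes
```

After the run, the auditor compares each outcome with the result the test data was designed to produce and checks that the control total agrees only with the correct cash disbursements entry.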
Figure 10-6: Methodologies for Meeting the Second Standard of Field Work
Designing Tests of Controls
Tests of controls that are designed to evaluate the
operating effectiveness of a control are concerned with:
1. how the control was applied,
2. the consistency with which it was applied during the
period, and
3. by whom it was applied.
AU 319.53 states that tests to obtain this evidence
normally include:
1. Inquiries of appropriate entity personnel
2. Inspection of documents, reports, or electronic files,
indicating performance of the control
3. Observation of the application of the control
4. Reperformance of the application of the control by the
auditor
AU 319.64 recognizes that the evaluation of
evidential matter is a matter of auditing
judgment and that it varies substantially in
the assurance it provides to the auditor as he
or she develops an assessed level of control
risk. The following factors bear on the degree
of assurance provided by tests of controls:
1. The type of evidential matter
2. Its source
3. Its timeliness
4. The existence of other evidential matter
related to the conclusion
Using Internal Auditors in Tests of Controls
Whenever a client has an internal
audit function, the auditor may:
1. coordinate his or her audit work
with the internal auditors,
and/or
2. use internal auditors to provide
direct assistance in the audit.
Dual-Purpose Tests
It is permissible under GAAS to
perform substantive tests of details
of transactions to detect monetary
errors in the accounts during
interim work. When this occurs, the
auditor may simultaneously perform
tests of controls on the same
transactions.
This type of testing is referred to as
dual-purpose testing.
Additional Considerations
The process of assessing control risk
for account balance assertions is
straightforward for accounts that are
affected by a single transaction class.
This is the case for most income
statement accounts. In these cases,
the auditor’s control risk assessment
for each account balance assertion is
the same as the control risk
assessment for the same transaction
class assertion.
Many balance sheet accounts are significantly affected
by more than one transaction class. In these cases,
assessing control risk for an account balance assertion
requires consideration of the relevant control risk
assessments for each transaction class that significantly
affects the balance.
For an account affected by more than one transaction
class, the control risk assessment for a particular
account balance assertion is based on the control risk
assessment for the same assertion pertaining to each
transaction class that affects the account balance, with
one major exception. The control risk assessments for
existence or occurrence and completeness assertions for
a transaction class that decreases an account balance
relate to the opposite assertion affected.
Figure 10-8: Combining Account Balance Assertions for the Cash Balance

Cash balance assertion for which control risk is being assessed: Existence or occurrence.
Relevant control risk assessments for transaction classes that affect the cash balance:
1. Existence or occurrence of cash receipts that increase the balance. Explanation: If some recorded cash receipts did not occur, part of the cash balance does not exist.
2. Completeness of cash disbursements that decrease the balance. Explanation: If some cash disbursements have not been recorded, part of the cash balance no longer exists.

Cash balance assertion for which control risk is being assessed: Completeness.
Relevant control risk assessments for transaction classes that affect the cash balance:
1. Completeness of cash receipts that increase the balance. Explanation: If some cash receipts have not been recorded, the cash balance is not complete.
2. Existence or occurrence of cash disbursements that decrease the balance. Explanation: If some recorded cash disbursements did not occur, the cash balance is not complete.
Figure 10-9: Summary of Relationships between Account Balance Assertions and Transaction Class Assertions
Documenting the Assessed
Level of Control Risk
The auditor’s working papers should
include documentation of the control
risk assessment. The requirements are
as follows:
1. Control risk is assessed at the
maximum: Only this conclusion
needs to be documented.
2. Control risk is assessed at below
the maximum: The basis for
assessment must be documented.
Communicating Internal Control Matters
The auditor is required to identify and report to the
audit committee, or other entity personnel with
equivalent authority and responsibility, certain
conditions that relate to an entity’s internal control
observed during an audit of the financial statements. AU
325, Communication of Internal Control Related Matters
Noted in an Audit (SAS 60 and SAS 78), defines a
reportable condition as:
…matters coming to the auditor’s attention that, in his
judgment, should be communicated to the audit
committee because they represent significant
deficiencies in the design or operation of internal
control, which could adversely affect the organization’s
ability to record, process, summarize, and report
financial data consistent with the assertions of
management in the financial statements.
Applications of Components to
Small and Midsize Entities
A reportable condition may be of such a magnitude
as to constitute material weaknesses in internal
control. AU 325.15 defines a material weakness as:
…a reportable condition in which the design or
operation of one or more of the internal control
components does not reduce to a relatively low level
the risk that misstatements caused by error or fraud
in amounts that would be material in relation to the
financial statements being audited may occur and
not be detected within a timely period by employees
in the normal course of performing their assigned
functions.
Appendix 10A: Service Organizations
A service organization is an entity that provides services
for other entities, referred to as user organizations (the
audit client, whose auditor is referred to as the user
auditor). A service organization’s services are part of an
entity’s information system if they affect:
1. How the entity’s transactions are initiated.
2. The accounting records, supporting information, and
specific accounts in the financial statements involved
in the processing and reporting of the entity’s
transactions.
3. The accounting process involved from the initiation of
the transactions to their inclusion in the financial
statements, including electronic means.
4. The financial reporting process used to prepare the
entity’s financial statements.
Copyright
Copyright 2001 John Wiley & Sons, Inc. All rights
reserved. Reproduction or translation of this work
beyond that permitted in Section 117 of the 1976
United States Copyright Act without the express
written permission of the copyright owner is
unlawful. Request for further information should
be addressed to the Permissions Department, John
Wiley & Sons, Inc. The purchaser may make backup
copies for his/her own use only and not for
distribution or resale. The Publisher assumes no
responsibility for errors, omissions, or damages,
caused by the use of these programs or from the
use of the information contained herein.