Period-End Reporting Process

Chapter 8
Planning and Testing Operating Effectiveness of Internal Control over Financial Reporting
Prepared by Richard J. Campbell
Copyright 2011, Wiley and Sons
Learning Objectives
1. Learn the relationships of a control, evidence available, and tests of the control, including IT impacts.
2. Recognize the importance of audit considerations such as fraud, illegal acts, related parties, multiple locations, and service providers in controls tests.
3. Learn how sampling is applied to controls tests and the risks associated with sampling.
4. Understand the audit risk model.
5. Learn what is included in audit documentation and why it is important.
6. Understand the important judgments involved in evaluating test results and the impact of the severity of ICFR deficiencies.
7. Discuss the practical application of control concepts to ICFR audits.
8. Apply the results of ICFR tests to financial statement audit plans.
SELECTING THE CONTROLS TO TEST
Exhibit 8-1: Tests of ICFR Operating Effectiveness
Learning Objective #1
TESTING METHODS
• Methods of testing controls include inquiry, inspection, observation, and reperformance.
• The auditor performs the audit procedure that tests whether the control objective is achieved. A control objective is a specific target against which to evaluate the effectiveness of controls. A control objective…relates to a relevant assertion and states a criterion for evaluating whether the company’s control procedures in a specific area provide reasonable assurance. (AS 5.A2)
Computer-Assisted Audit Techniques (CAATs)
EXHIBIT 8-2: Examples of Management Assertions, Control Objectives, and Evaluation Criteria
PLANNING THE TESTS
• Define the potential error that results from failure of the control and the appropriate evidence related to the error.
• Identify when testing should be performed.
• Determine the extent of testing needed—how many different types of tests should be performed and how many items to test.
Define the Error and Identify Evidence Related to the Error
• Direct documentary evidence does not exist for some controls.
• Audit evidence regarding management’s philosophy and operating style might be inferred from documents such as the company’s mission statement and code of conduct.
• For these types of soft controls, the appropriate tests are inquiry of appropriate personnel, corroborated by observing company activities and reading any related documents.
Plan the Timing and Extent of Testing
• Next the auditor decides the timing of the test—when it is to be performed—and the extent of testing. These decisions are affected by the risk related to the control. Risks associated with a control are:
  1. the risk that a control might not be effective and
  2. the risk that if a control is not effective a material weakness would result.
  (AS 5.46)
TIMING OF TESTS
• The frequency with which controls operate affects not only the time frame in which the operation of the control is tested, but also the sample size required.
• The audit procedures for testing automated controls that operate continuously or frequently differ from those that are used for manual controls that operate with similar frequency.
• Auditors limit the extent of tests of automated controls because the controls function in a consistent manner.
Benchmarking
• Benchmarking, a testing strategy for completely automated controls, relies on the assumption that automated controls are going to continue to function in a consistent manner unless something changes within the program or in the surrounding environment.
• Benchmarking is only appropriate when
  - both ITGC and application controls are effective.
  - ITGC remain strong from year to year.
  - the application programs do not change.
Document Availability
• Some controls can be tested at any time after their operation by inspection of documents—either paper or electronic—and reperformance of the control steps.
• When a company’s documentary evidence is retained for limited periods of time or hardcopy records are changed into electronic format, the auditor considers this policy when developing the audit plan.
Updating Interim Audit Work
• When auditors perform control testing at an interim date, additional tests are usually needed closer to the end of the fiscal period.
• The auditor may not need to test controls that were in place earlier in the year if they have been changed or were replaced later during the year under audit.
• If the controls in place early in the year were not effective and the auditor did not test them, more substantive evidence about the affected account balances is needed.
EXTENT OF TESTS
• Each audit must collect persuasive evidence about the effectiveness of all controls for relevant assertions for all significant accounts and disclosures every year.
• The extent of testing needed to provide the auditor with evidence that a control is performing effectively depends on the nature of the control.
• Manual controls—those relying on the company’s personnel—generally require more testing than automated controls.
Period-End Reporting Process
EXHIBIT 8-3: Examples of Controls in the Period-End Financial Reporting Process
FRAUD
• The auditor’s assessment of fraud risk begins with the client acceptance and continuance process and continues as the auditor gains an understanding of the system and assesses design of ICFR.
• Results of tests of controls, including anti-fraud controls, may cause the auditor to perform additional tests or modify the plan for the financial statement audit.
Learning Objective #2
FRAUD RISK
ILLEGAL ACTS
RELATED PARTY TRANSACTIONS
Related party transactions are transactions conducted with an entity or a person meeting the definition of a related party set forth in the FASB definition of related parties.
Related parties include:
SAMPLING
• Basically, an auditor has the option of examining 100% of a company’s financial evidence and records or looking at some subset of that information. Obtaining audit evidence based on a subset of the information often involves sampling.
• When the auditor does not examine or test all of the items in the targeted population of the account balance or class of transactions, sampling risk is introduced into the audit processes.
Learning Objective #3
Planning the Sample
Exhibit 8-4: Impact of Sampling Error on Audit Decisions
Sampling Risk
Approaches to Sampling
• A sample may be randomly selected based on identifying document numbers produced by a random number generator computer program.
• Nonsampling risk includes:
  - The risk that the auditor will use an audit procedure that is not appropriate for what the test is intended to accomplish
  - The risk that the auditor may fail to detect a problem when applying an audit procedure
  - The risk that the auditor may misinterpret an audit result
Sampling and ICFR Testing
• Attribute sampling is the term often used to describe the audit process when an auditor applies sampling methods to an ICFR sampling and testing procedure.
• The first decision is how much risk the auditor is willing to accept of concluding that the internal control is operating effectively when it is not.
• The second decision involves determining the tolerable deviation rate.
• The third decision deals with the likely rate of deviation in the population. Likely rate of deviation is also called the expected population deviation rate.
Factors Affecting Sample Size
EXHIBIT 8-5
AUDIT RISK MODEL
• Audit risk is the risk that the auditor may unknowingly fail to appropriately modify the opinions on ICFR and the financial statements.
• Engagement risk is a term used for the overall risk to the auditor of being associated with a client.
Learning Objective #4
AUDIT RISK MODEL
AR stands for audit risk.
RMM is the risk of material financial statement misstatement.
IR stands for inherent risk.
CR stands for control risk.
DR stands for detection risk.
TD is the risk that a material misstatement will be missed by the auditor’s tests of details of balances.
AP is the risk that a material misstatement is missed by the auditor’s analytical procedures.
Inherent Risk and Control Risk
• Inherent risk results from the nature of the account or class of transactions.
• Control risk deals with the likelihood that any problems that occur with an account or class of transactions will not be prevented or detected by the company’s ICFR.
Relationships of Audit Assurance and Characteristics
EXHIBIT 8-6
Learning Objective #5
AUDIT DOCUMENTATION
• Permanent files include information that is relevant to the company and its audit for recurring engagements.
• The current files include all the information and audit evidence relating to the current integrated audit engagement.
EVALUATING THE RESULTS
• The testing and evaluation process for tests of ICFR operating effectiveness can be summarized as follows:
  - Conduct the control test procedures (e.g., inquiry, inspection, observation, reperformance) that compare actual operations of ICFR to the control objective and evaluation criterion.
  - Identify control errors or deviations from control procedures.
  - Determine whether the deviation rate of each control is high enough to be a control deficiency.
  - Consider both qualitative and quantitative factors related to the deficiency.
  - Determine whether any deficiencies identified, either individually or in combination, meet the threshold of a significant deficiency or material weakness.
Learning Objective #6
ADDITIONAL DOCUMENTATION CONSIDERATIONS
“BIG PICTURE” TOPICS AND OPERATING EFFECTIVENESS
• When auditing the operating effectiveness of ICFR, testing entity-level and pervasive controls may or may not be sufficient to make a conclusion about operating effectiveness.
• “Softer” internal control components mentioned by the COSO IC Framework, such as management’s philosophy and operating style, require a different kind of testing than controls that produce documents as evidence.
Learning Objective #7
IMPACT OF OUTSOURCING
• When planning the tests of the operation of controls, the auditor considers processes that are performed for the client by service organizations or third-party service providers.
• Examples of service organizations are (AU 324.03):
  - bank trust departments that invest and service assets for employee benefit plans and for others
  - mortgage bankers that service mortgages for others
  - application service providers that provide packaged software applications and a technology environment that enables customers to process financial and operational transactions.
ICFR EFFECTIVENESS AND THE FINANCIAL STATEMENT AUDIT
If ICFR was effective throughout the entire year, or even a specified part of the year, the auditor can, in the financial statement audit, choose to rely on the controls for the period that they were effective.
Learning Objective #8
APPENDIX A: TESTING IT APPLICATION CONTROLS AND COMPUTER-ASSISTED AUDIT SOFTWARE
• A test data approach, parallel simulation, and integrated test facility are three well-known examples of automated controls tests.
• Common input validation controls that the auditor might test using test data include the following.
  - Access control and authorization
  - Limit check
  - Range check
  - Validity check
  - Completeness check
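The test data approach applied to the input validation controls listed above, as an added example that is not part of the original slides: a deck of constructed records, each built to trip one control, is run through the application and actual results are compared with expected results. The function `process_disbursement` is a hypothetical stand-in for the client's application, and the field names, user and vendor IDs, and the payment limit are all constructed.

```python
PAYMENT_LIMIT = 10_000.00             # limit check threshold (constructed)
APPROVED_VENDORS = {"V100", "V200"}   # validity check master file (constructed)
AUTHORIZED_USERS = {"ap_clerk1"}      # access control list (constructed)
REQUIRED = ("user", "vendor", "amount", "invoice_date")

def process_disbursement(rec):
    """Hypothetical stand-in for the client's application. Returns the list of
    edit checks that rejected the record (empty list = record accepted)."""
    if any(rec.get(f) in (None, "") for f in REQUIRED):
        return ["completeness"]
    rejected = []
    if rec["user"] not in AUTHORIZED_USERS:
        rejected.append("access")
    if rec["amount"] > PAYMENT_LIMIT:
        rejected.append("limit")
    if rec["vendor"] not in APPROVED_VENDORS:
        rejected.append("validity")
    # No range check on invoice_date: left out on purpose so the test deck
    # below has a control failure to find.
    return rejected

VALID = {"user": "ap_clerk1", "vendor": "V100", "amount": 500.00,
         "invoice_date": "2011-06-30"}

# Test data: each record changes one field of a valid record. The third item
# is the check expected to reject it (None = the record should be accepted).
# The range check case uses a date outside fiscal year 2011.
TEST_DECK = [
    ("valid record",       {},                             None),
    ("access control",     {"user": "temp99"},             "access"),
    ("limit check",        {"amount": 10_000.01},          "limit"),
    ("range check",        {"invoice_date": "2012-01-15"}, "range"),
    ("validity check",     {"vendor": "V999"},             "validity"),
    ("completeness check", {"vendor": ""},                 "completeness"),
]

def run_test_deck(app, deck):
    """Feed every test record to the application and return the names of the
    cases whose actual result differs from the expected result."""
    exceptions = []
    for name, change, expected in deck:
        actual = app({**VALID, **change})
        passed = (actual == []) if expected is None else (expected in actual)
        if not passed:
            exceptions.append(name)
    return exceptions

if __name__ == "__main__":
    print("controls that did not operate:",
          run_test_deck(process_disbursement, TEST_DECK))
```

The out-of-period invoice is accepted, so the deck reports the range check as the one control that did not operate.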
Using Computer-Assisted Audit Software to Facilitate Testing
• Some audit software is proprietary, being owned by a specific audit firm. However, various packages can be purchased and are widely used by many firms. ACL, short for Audit Command Language, is a popular and widely used audit software package.
• An important audit step performed by audit software is to examine the data for unusual transactions, errors, and unauthorized transactions.
APPENDIX B: STATISTICAL TECHNIQUES AND TESTS OF CONTROLS
• Specific steps and an example of how they can be applied to a control test for cash disbursements follow:
1. Determine the objective of the audit procedure.
2. Define the population to be sampled.
3. Specify the item that is to be selected.
4. Define the characteristic the auditor wants to examine.
5. Design the test of the control.
6. Determine the sample size.
7. Perform the audit procedures and document the results.
8. Calculate the rate of deviation found in the sample and the upper deviation rate.
9. Form final conclusions about the results.
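An added example (not from the original slides) of steps 8 and 9, together with the random selection of document numbers described under Approaches to Sampling. The upper deviation rate is computed here as a one-sided exact binomial bound, which is an assumed method; the voucher range, sample size of 60, 7% tolerable deviation rate and 5% risk are constructed figures.

```python
import math
import random

def select_sample(first_doc, last_doc, size, seed):
    """Pick document numbers at random without replacement.
    Recording the seed lets a reviewer reperform the selection."""
    rng = random.Random(seed)
    return sorted(rng.sample(range(first_doc, last_doc + 1), size))

def upper_deviation_rate(sample_size, deviations, risk):
    """Assumed method: one-sided exact binomial bound. Returns the population
    deviation rate p at which finding `deviations` or fewer in the sample has
    probability `risk`, where `risk` is the accepted risk of concluding the
    control operates effectively when it does not."""
    def prob_at_most(p):
        return sum(math.comb(sample_size, i) * p**i * (1 - p)**(sample_size - i)
                   for i in range(deviations + 1))
    lo, hi = deviations / sample_size, 1.0
    for _ in range(60):              # bisection: prob_at_most falls as p rises
        mid = (lo + hi) / 2
        if prob_at_most(mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi

def evaluate_control_test(sample_size, deviations, tolerable_rate, risk):
    """Step 8 (both rates) and the comparison that feeds the step 9 conclusion."""
    upper = upper_deviation_rate(sample_size, deviations, risk)
    return {
        "sample_rate": deviations / sample_size,
        "upper_rate": upper,
        "supports_reliance": upper <= tolerable_rate,
    }

if __name__ == "__main__":
    # Constructed figures: cash disbursement vouchers 10001-14500, sample of 60,
    # tolerable deviation rate 7%, 5% risk.
    vouchers = select_sample(10001, 14500, 60, seed=2011)
    print("first five selected vouchers:", vouchers[:5])
    for found in (0, 2):
        result = evaluate_control_test(60, found, tolerable_rate=0.07, risk=0.05)
        print(found, "deviations:", result)
```

With two deviations the sample rate (about 3.3%) is below the tolerable rate, yet the upper deviation rate (about 10%) exceeds it, so the sample does not support relying on the control.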
Review Question
Which of the following types of evidence provides the least assurance regarding the effective operations of ICFR?
(a) Confirmations of accounts receivable
(b) Computer logs documenting attempts at unauthorized access to the system
(c) Documents containing initials of the person authorizing the transaction being examined
(d) Oral responses to auditor inquiry during walkthroughs
Review Question
The operating effectiveness of controls that are intended to prevent fraud is:
(a) tested based on the initial plan drafted immediately after client acceptance.
(b) tested as a result of the information on fraud risk obtained from the internal audit staff.
(c) tested, and results are used as one source of information for the auditor’s assessment of fraud risk.
(d) will not likely affect subsequent audit procedures that have already been planned.
Review Question
When the auditor identifies a material misstatement in the financial statements in the current period that would not have been identified by the company’s ICFR,
(a) a material weakness in ICFR exists.
(b) the deficiency should be evaluated to determine whether it is a deficiency.
(c) the situation should be regarded as an indicator of a material weakness in ICFR.
(d) the auditor should reconsider whether the financial statement misstatement is actually material
Copyright
“Copyright © 2011 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted
in Section 117 of the 1976 United States Copyright Act without
the express written permission of the copyright owner is
unlawful. Request for further information should be addressed
to the Permissions Department, John Wiley & Sons, Inc. The
purchaser may make back-up copies for his/her own use only and
not for distribution or resale. The Publisher assumes no
responsibility for errors, omissions, or damages, caused by the
use of these programs or from the use of the information
contained herein.”