Você está na página 1de 33

CHAPTER 8

EXECUTION OF THE AUDIT


TESTING OF CONTROLS

Prepared by:
Daniella Juric
RMIT university

LEARNING OBJECTIVES
AFTER STUDYING THIS CHAPTER YOU SHOULD BE ABLE TO:
1. Outline the different types of controls
2. Compare the different techniques for testing controls
3. Describe how to select and design tests of controls
4. Compare and contrast the results of testing of controls
5. Discuss how to document tests of controls
ENTITY LEVEL CONTROLS
ENTITY-LEVEL CONTROLS:
the collective assessment of the clients control
environment, risk assessment process, information
system, control activities and monitoring of controls

ENTITY LEVEL CONTROLS





1. Control
Environment

2. Entitys
risk
assessment
process
3. IT and
communicatio
n systems
4. Control
Activities
5.
Monitoring
of Controls
TRANSACTION-LEVEL
CONTROLS
TRANSACTION-LEVEL CONTROLS are designed to
reduce the risk of misstatement due to error or
fraud and to ensure that processes are operating
effectively.
Controls can include any procedure used and relied upon
by client to prevent errors occurring, or to detect and
correct errors that occur

TYPES OF CONTROLS
CONTROLS HAVE TWO MAIN OBJECTIVES:
1. To prevent or detect misstatements in the financial report, or
2. To support the automated parts of the business in the
functioning of the controls in place
CONTROLS ARE CLASSIFIED AS:
1. Manual controls
2. Automated (or application) controls
3. IT general controls (ITGCs)
4. IT-dependent manual controls

TYPES OF CONTROLS
MOST IMPORTANT CONTROLS
PREVENTATIVE CONTROLS
TESTS OF CONTROLS
are the audit procedures performed to test the operating
effectiveness of controls in preventing or detecting and
correcting material misstatements at the assertion level.
1) PREVENT CONTROLS can be applied to each
transaction during normal processing to avoid errors
occurring
Commonly automated, e.g. reject duplicate transaction
PREVENTATIVE CONTROLS

WHAT COULD
GO WRONG
ASSERTION PREVENT CONTROL
Sales occur that are not
recoverable
Occurrence
Existence
The computer program will not allow a sale to be
processed if a customer has exceeded its credit
limit
Fictitious employees are
paid
Occurrence
Amounts are not able to be paid to employees
without first matching a valid tax file number to
the employee master file
Sales are recorded at an
incorrect value
Accuracy
Sales invoices are automatically priced using the
information in the price master file
Transactions are classified
and coded to incorrect
accounts
Classification
The account coding on each purchase order is
checked by the computer to a table of valid
account numbers, and then various logic tests
are performed by the computer
DETECTING CONTROLS
2) DETECT CONTROLS are necessary to identify and correct
errors that do enter the records
Usually not applied to transaction during normal flow of
processing, but applied outside normal flow to partially or fully
processed transactions
E.g. cheques for payment prepared, and held by system until
approved for payment, then processed
Wide variation in detect controls from client to client,
depending on complexity, preferences
Can be informal and formal

DETECTING CONTROLS
DETECTING CONTROLS
DETECT CONTROLS
It is important that detect controls:
Completely and accurately capture all relevant data
Identify all potentially significant errors
Are performed on a consistent and regular basis
Include follow-up and correction on timely basis of any
misstatements or issues detected

EXAMPLES OF DETECTING
CONTROLS
EXAMPLES OF DETECT CONTROLS:
Management level analysis and follow-up of reviews: actual vs
budgets, prior periods, competitors, industry; anomalies in
performance indicators
Reconciliations with follow-up of reconciling, unusual items, to
resolution and correction (e.g. bank reconciliation, subsidiary
ledger to control account)
Review and follow-up of exception reports (automatically
generated reports of transactions outside pre-determined
parameters)
Usually can obtain evidence of detect controls operation and effectiveness
MANUAL CONTROLS
MANUAL AND AUTOMATED CONTROLS
Purely manual controls do not rely on IT for operation
e.g. locked cage for inventory
Could rely on IT information from others
e.g. reconcile stock count to computer generated consignment
stock statements
AUTOMATED CONTROLS
AUTOMATED CONTROLS generally rely on clients IT
IT general controls (ITGCs)
Support functioning of automated controls
Provide basis for relying on electronic evidence in audit
Types of ITGCS:
Program change controls
Logical access controls
Other ITGCs, e.g. data back-up
Application controls apply to processing of individual transactions,
support segregation of duties
e.g. edit checks, validations, calculations, interfaces, authorisations
IT DEPENDENT MANUAL
CONTROLS
IT-DEPENDENT MANUAL CONTROLS
Has both manual and automated aspects
E.g. management reviews a monthly variance report
(automated) and follows-up (manual) on significant
variances
Auditor must consider both aspects report generation and
management follow-up
Consider controls over report generation is report accurate and
complete? If not, follow-up is not effective
TECHNIQUES FOR TESTING
CONTROLS
AUDITOR USES COMBINATION OF TECHNIQUES
WHEN TESTING CONTROLS
1. ENQUIRY
Auditor questions employee performing control, management
about review of control
2. OBSERVATION
Auditor observes actual control being performed
Employee might be more diligent when observed
TECHNIQUES FOR TESTING
CONTROLS
3. INSPECTION OF PHYSICAL EVIDENCE
Trace from reconciliation to accounting records or other
documents
Examine reconciling items to determine whether reconciliation
detects error and action to deal with errors
4. RE-PERFORMANCE
Auditor re-performs control (e.g. prepares reconciliation)

SELECTING AND DESIGNING
TESTS OF CONTROLS
PROFESSIONAL JUDGEMENT IS REQUIRED TO
DECIDE:
A. Which controls to select for testing?
Select controls that will provide most efficient and effective
audit evidence
Increase efficiency by only testing controls that are critical to
audit opinion those that address the WCGWs most effectively
with least amount of testing
More efficient to test controls that address multiple WCGWs
B. How much testing of controls is required?
SELECTING AND DESIGNING
TESTS OF CONTROLS
HOW MUCH TESTING?
Extent of testing based on statistical sampling (see chapter 6) or
professional judgement
Consider:
How often is control performed? More often = more testing
Degree of reliance on control, more = more testing
Persuasive of evidence from testing, more = less testing
Need to be satisfied that control operated as intended throughout period, interim
testing might be required
Existence of combination of controls that could provide increased assurance, less
reliance on single control = less testing
Relative importance of WCGW, and assurance required is based on consideration of
several issues

SELECTING AND DESIGNING
TESTS OF CONTROLS
HOW MUCH TESTING?
Also consider other factors that relate to the likelihood
that a control operated as intended, including
Competence of person performing control
Quality of control environment, e.g.
Chance of control override
Internal auditing work
Effect on operation of control throughout period
Changes in accounting system
Explained changes in related account balances
Auditors prior experience with client

SELECTING AND DESIGNING
TESTS OF CONTROLS
HOW MUCH TESTING?
Testing must provide enough evidence to be able to reasonably
conclude that control is effective
Attribute sampling allows conclusion about population in terms of
frequency of control being performed
E.g. attribute being tested could be presence/absence of authorising
signature on document
Evidence of one exception (or deviation) in sample
Investigate cause of exception,
Increase sample and extend testing, or
Amend decision to rely on control test other controls and/or increase
substantive testing
SELECTING AND DESIGNING
TESTS OF CONTROLS
HOW MUCH TESTING?
APPLICATION CONTROLS test using these methods:
1. Test operating effectiveness
Test manual follow-up procedures that support the application
control
E.g. Investigate how client follows-up on computer-generated
exception report for sales with no prices in master file
2. Test controls over program changes, and/or access to data files
Test ITGCs
E.g. test controls to ensure that all changes to pricing master file are
approved
SELECTING AND DESIGNING
TESTS OF CONTROLS
HOW MUCH TESTING?
APPLICATION CONTROLS
Benchmarking
Carry forward benefit of certain application controls testing into
future audit periods
Computer will continue to perform procedure in same way until
application program is changed
Verify that there are no changes to program, no need to repeat audit
procedures. More likely when
Specific program can be identified
Application is stable
Reliable record of program changes available

SELECTING AND DESIGNING
TESTS OF CONTROLS
HOW MUCH TESTING?
Timing of tests of controls
Usually at interim date, especially if controls relied upon to reduce
substantive procedures
Preferable to test entity-level controls and ITGCs early in audit
because results impact other tests
Update interim results and evaluation at year-end
Identify relevant changes in environment and controls
EXAMPLE EXTENT OF TESTING
TABLE









Table 8.3 Example extent of testing table
RESULTS OF AUDITORS TESTING
Do results of control testing confirm preliminary
evaluation of controls and control risk based on
internal control documentation?
If so, do not modify planned substantive procedures
If not,
Are compensating controls available? Test
Revise audit risk assessment for related account and the planned
audit strategy
RESULTS OF AUDITORS TESTING
When deciding whether need for additional tests of
controls, consider:
a) Results of enquiries and observations - could reveal alternative
controls now being relied upon and need to be tested
b) Evidence provided by other tests substantive tests can provide
evidence about continued functioning of controls
E.g. examining invoice for evidence of payables balance could provide
evidence of controls over purchases and payables
c) Changes in overall control environment change in key
personnel could make additional control tests necessary
DOCUMENTING CONCLUSIONS
Results of control testing documented in working papers
Test performed
Purpose of test of controls
Actual controls selected for testing
Results of testing- exceptions found
Document in sufficient detail to allow another auditor to
perform same test
Extent of documentation depends on complexity of clients operations, systems
and controls
Review impact of testing controls on rest of audit
DOCUMENTING CONCLUSIONS









Figure 8.3 Example tests of control working paper
IMPACT OF CONTROLS TESTING ON
LEVEL OF SUBSTANTIVE TESTING










Figure 8.4 Impact of controls testing on level of substantive testing
SUMMARY
AFTER STUDYING THIS CHAPTER YOU SHOULD BE ABLE TO:
1. Outline the different types of controls
2. Compare the different techniques for testing controls
3. Describe how to select and design tests of controls
4. Compare and contrast the results of testing of controls
5. Discuss how to document tests of controls