ch08_ppt_moroney_2e.ppt

8/10/2019 ch08_ppt_moroney_2e.ppt

1/33

CHAPTER 8

EXECUTION OF THE AUDIT

TESTING OF CONTROLS

Prepared by:

Daniella Juric

RMIT university


2/33

LEARNING OBJECTIVES

AFTER STUDYING THIS CHAPTER YOU SHOULD BE ABLE TO:

1. Outline the different types of controls

2. Compare the different techniques for testing controls

3. Describe how to select and design tests of controls4. Compare and contrast the results of testing of controls

5. Discuss how to document tests of controls


3/33

ENTITY LEVEL CONTROLS

ENTITY-LEVEL CONTROLS:

the collective assessment of the clients control

environment, risk assessment process, information

system, control activities and monitoring of controls


4/33

ENTITY LEVEL CONTROLS

1. ControlEnvironment

2. Entitysrisk

assessmentprocess

3. IT andcommunicatio

n systems

4. ControlActivities

5.Monitoringof Controls


5/33

TRANSACTION-LEVEL

CONTROLS

TRANSACTION-LEVEL CONTROLSare designed to

reduce the risk of misstatement due to error or

fraud and to ensure that processes are operating

effectively.

Controls can include any procedure used and relied upon

by client to prevent errors occurring, or to detect and

correct errors that occur


6/33

TYPES OF CONTROLS

CONTROLS HAVE TWO MAIN OBJECTIVES:

1. To prevent or detect misstatements in the financial report, or

2. To support the automated parts of the business in the

functioning of the controls in place

CONTROLS ARE CLASSIFIED AS:

1. Manual controls

2. Automated (or application) controls

3. IT general controls (ITGCs)

4. IT-dependent manual controls


7/33

TYPES OF CONTROLS


8/33

MOST IMPORTANT CONTROLS
http://play.viostream.com/?play=c21e0c5e-bd02-415e-baa9-7b7dff1b58c6&player=fv&speed=high


9/33

PREVENTATIVE CONTROLS

TESTS OF CONTROLS

are the audit procedures performed to test the operating

effectiveness of controls in preventingor detectingand

correcting material misstatements at the assertion level.

1) PREVENT CONTROLS can be applied to each

transaction during normal processing to avoid errors

occurring

Commonly automated, e.g. reject duplicate transaction


10/33

PREVENTATIVE CONTROLS

WHAT COULD

GO WRONG

ASSERTION PREVENT CONTROL

Sales occur that are not

recoverableOccurrence

Existence

The computer program will not allow a sale to be

processed if a customer has exceeded its credit

limit

Fictitious employees are

paidOccurrence Amounts are not able to be paid to employees

without first matching a valid tax file number to

the employee master file

Sales are recorded at an

incorrect valueAccuracy Sales invoices are automatically priced using the

information in the price master file

Transactions are classified

and coded to incorrect

accounts

Classification The account coding on each purchase order ischecked by the computer to a table of valid

account numbers, and then various logic tests

are performed by the computer


11/33

DETECTING CONTROLS

2) DETECT CONTROLSare necessary to identify and correct

errors that do enter the records

Usually not applied to transaction during normal flow of

processing, but applied outside normal flow to partially or fullyprocessed transactions

E.g. cheques for payment prepared, and held by system until

approved for payment, then processed

Wide variation in detect controls from client to client,

depending on complexity, preferences

Can be informal and formal


12/33

DETECTING CONTROLS


13/33

DETECTING CONTROLS

DETECT CONTROLS

It is important that detect controls:

Completely and accurately capture all relevant data

Identify all potentially significant errors

Are performed on a consistent and regular basis

Include follow-up and correction on timely basis of any

misstatements or issues detected


14/33

EXAMPLES OF DETECTING

CONTROLS

EXAMPLES OF DETECT CONTROLS:

Management level analysis and follow-upof reviews: actual vs

budgets, prior periods, competitors, industry; anomalies in

performance indicators Reconciliations with follow-upof reconciling, unusual items, to

resolution and correction (e.g. bank reconciliation, subsidiary

ledger to control account)

Review and follow-upof exception reports (automaticallygenerated reports of transactions outside pre-determined

parameters)

Usually can obtain evidence of detect controls operation and effectiveness


15/33

MANUAL CONTROLS

MANUAL AND AUTOMATED CONTROLS

Purely manualcontrols do not rely on IT for operation

e.g. locked cage for inventory

Could rely on IT information from others

e.g. reconcile stock count to computer generated consignment

stock statements


16/33

AUTOMATED CONTROLS

AUTOMATED CONTROLS generally rely on clients IT

IT general controls (ITGCs)

Support functioning of automated controls

Provide basis for relying on electronic evidence in audit

Types of ITGCS:

Program change controls

Logical access controls

Other ITGCs, e.g. data back-up

Application controls apply to processing of individual transactions,

support segregation of duties

e.g. edit checks, validations, calculations, interfaces, authorisations


17/33

IT DEPENDENT MANUAL

CONTROLS

IT-DEPENDENT MANUAL CONTROLS

Has both manual and automated aspects

E.g. management reviews a monthly variance report

(automated) and follows-up (manual) on significantvariances

Auditor must consider both aspectsreport generation and

management follow-up

Consider controls over report generationis report accurate and

complete? If not, follow-up is not effective


18/33

TECHNIQUES FOR TESTING

CONTROLS

AUDITOR USES COMBINATION OF TECHNIQUES

WHEN TESTING CONTROLS

1. ENQUIRY

Auditor questions employee performing control, management

about review of control

2. OBSERVATION

Auditor observes actual control being performed

Employee might be more diligent when observed


19/33

TECHNIQUES FOR TESTING

CONTROLS

3. INSPECTION OF PHYSICAL EVIDENCE

Trace from reconciliation to accounting records or other

documents

Examine reconciling items to determine whether reconciliationdetects error and action to deal with errors

4. RE-PERFORMANCE

Auditor re-performs control (e.g. prepares reconciliation)


20/33

SELECTING AND DESIGNING

TESTS OF CONTROLS

PROFESSIONAL JUDGEMENT IS REQUIRED TO

DECIDE:

A. Which controls to select for testing?

Select controls that will provide most efficient and effective

audit evidence

Increase efficiency by only testing controls that are critical to

audit opinionthose that address the WCGWs most effectively

with least amount of testing

More efficient to test controls that address multiple WCGWs

B. How much testing of controls is required?


21/33


TESTS OF CONTROLS

HOW MUCH TESTING?

Extent of testing based on statistical sampling (see chapter 6) or

professional judgement

Consider: How often is control performed? More often = more testing

Degree of reliance on control, more = more testing

Persuasive of evidence from testing, more = less testing

Need to be satisfied that control operated as intended throughout period, interim

testing might be required Existence of combination of controls that could provide increased assurance, less

reliance on single control = less testing

Relative importance of WCGW, and assurance required is based on consideration of

several issues


22/33


TESTS OF CONTROLS

HOW MUCH TESTING?

Also consider other factors that relate to the likelihood

that a control operated as intended, including

Competence of person performing control

Quality of control environment, e.g.

Chance of control override

Internal auditing work

Effect on operation of control throughout period Changes in accounting system

Explained changes in related account balances

Auditors prior experience with client


23/33


TESTS OF CONTROLS

HOW MUCH TESTING?

Testing must provide enough evidence to be able to reasonably

conclude that control is effective

Attribute sampling allows conclusion about population in terms offrequency of control being performed

E.g. attribute being tested could be presence/absence of authorising

signature on document

Evidence of one exception (or deviation) in sample

Investigate cause of exception,

Increase sample and extend testing, or

Amend decision to rely on controltest other controls and/or increase

substantive testing


24/33


TESTS OF CONTROLS

HOW MUCH TESTING?

APPLICATION CONTROLStest using these methods:

1. Test operating effectiveness

Test manual follow-up procedures that support the applicationcontrol

E.g. Investigate how client follows-up on computer-generated

exception report for sales with no prices in master file

2. Test controls over program changes, and/or access to data files Test ITGCs

E.g. test controls to ensure that all changes to pricing master file are

approved


25/33


TESTS OF CONTROLS

HOW MUCH TESTING?

APPLICATION CONTROLS

Benchmarking

Carry forward benefit of certain application controls testing intofuture audit periods

Computer will continue to perform procedure in same way until

application program is changed

Verify that there are no changes to program, no need to repeat audit

procedures. More likely when

Specific program can be identified

Application is stable

Reliable record of program changes available


26/33


TESTS OF CONTROLS

HOW MUCH TESTING?

Timing of tests of controls

Usually at interim date, especially if controls relied upon to reduce

substantive procedures Preferable to test entity-level controls and ITGCs early in audit

because results impact other tests

Update interim results and evaluation at year-end

Identify relevant changes in environment and controls

O S G


27/33

EXAMPLE EXTENT OF TESTING

TABLE

Table 8.3 Example extent of testing table


28/33

RESULTS OF AUDITORS TESTING

Do results of control testing confirm preliminary

evaluation of controls and control risk based on

internal control documentation?

If so, do not modify planned substantive procedures

If not,

Are compensating controls available? Test

Revise audit risk assessment for related account and the plannedaudit strategy


29/33

RESULTS OF AUDITORS TESTING

When deciding whether need for additional tests of

controls, consider:

a) Results of enquiries and observations - could reveal alternative

controls now being relied upon and need to be testedb) Evidence provided by other testssubstantive tests can provide

evidence about continued functioning of controls

E.g. examining invoice for evidence of payables balance could provide

evidence of controls over purchases and payablesc) Changes in overall control environmentchange in key

personnel could make additional control tests necessary


30/33

DOCUMENTING CONCLUSIONS

Results of control testing documented in working papers

Test performed

Purpose of test of controls

Actual controls selected for testing Results of testing- exceptions found

Document in sufficient detail to allow another auditor to

perform same test Extent of documentation depends on complexity of clients operations, systems

and controls

Review impact of testing controls on rest of audit


31/33

DOCUMENTING CONCLUSIONS

Figure 8.3 Example tests of control working paper


32/33

IMPACT OF CONTROLS TESTING ON

LEVEL OF SUBSTANTIVE TESTING

Figure 8.4 Impact of controls testing on level of substantive testing


33/33

SUMMARY

AFTER STUDYING THIS CHAPTER YOU SHOULD BE ABLE TO:

1. Outline the different types of controls

2. Compare the different techniques for testing controls

3. Describe how to select and design tests of controls4. Compare and contrast the results of testing of controls

5. Discuss how to document tests of controls

ch08_ppt_moroney_2e.ppt

Documents