Chapter 11

Tests of Controls

Objectives

• Explain the relationship between control risk assessment and audit strategy

• Describe the purpose of tests of controls and the nature, timing and extent of such tests

• Clarify how the work of internal auditing may be used in tests of controls

• Explain the process of assessing control risk and documenting the conclusion

Objectives

• Indicate the appropriate communications the auditor makes on internal control matters

• Describe the types of controls you would expect to see in an information technology environment

• Identify the alternate types of computer-assisted audit techniques

4

Preliminary Assessment of Control Risk

• ASA 315 para 25 states:The auditor shall identify and assess the risks of material misstatement at the financial report level, and at the assertion level for classes of transaction, account balances and disclosures

• Assessment to obtain a reasonable understanding of controls in place

• Subsequently, decide on appropriate audit strategy so as to design a detailed audit program

5

Process of assessing control risk

• Use professional judgement to assess the control environment

• Assess the design effectiveness of control procedures and their ability to prevent or correct misstatements

• Assess whether controls were effectively applied throughout the period under audit

6

Assessment of control risk and audit strategy

• In order to place reliance on the internal controls to support the audit opinion, the auditor must test controls to ensure that they have been implemented as they were designed

• In order to complete the work on internal controls the auditor must carry out the following steps:– Perform tests of controls– Evaluate the evidence obtained and assess the

level of control risk

7

• When an auditor chooses a predominantly substantive approach, he or she should have sufficient knowledge or the system of internal control to understand the potential causes of misstatements.

• This approach is associated with a planned assessed level of control risk of high based on one of the following:

– No significant internal controls that relate to the assertion

– Relevant internal controls are unlikely to be effective– Efficient to obtain evidence to evaluate the

effectiveness of relevant internal controls

Assessment of control risk and audit strategy

8

• In some cases a lower assessed level of control risk approach is planned because the client has effective internal controls and the auditor plans to test those controls

• In some circumstances the auditor might find that contrary to expectations the control appears to be ineffective – in such a case, it is appropriate to change the strategy to a predominantly substantive approach

Assessment of control risk and audit strategy

9

Tests of Controls

• Tests of controls are carried out to evaluate the operating effectiveness of the internal control policies and procedures

• The auditor must decide on the nature, timing and extent of tests of control

• ASA 330 The Auditor’s Procedures in Response to Assessed Risks

10

Designing tests

• Tests of controls include:– enquiring of client personnel– observation of activities and procedures– e.g. observation of counting during a stock take– inspection of documents and records– re-performance of procedures

Designing tests

• Tests of controls conduced at interim period as auditor can get an early indication of controls are operating effectively and change tests to substantive tests if required

• Extent of tests is determined by auditors planned assessed level of control risk– More extensive testing is needed for a low assessed

level of control risk

Illustrative partial audit program for tests of controls

13

Using internal auditors

• Internal audit is generally considered a crucial part of the corporate governance structure of the company.

• Effectiveness of internal audit must be considered first in accordance with ASA 610 Considering the Work of Internal Audit

• Issues include organisational status, independence, technical expertise, supervision of work etc.

14

Final assessment

• Need to fully document all tests• Important to communicate all concerns regarding

internal control matters to the entity’s management and board

• Refer ASA 265 on Communication of Audit Matters with Those Charged with Corporate Governance (i.e. to director level)

Communication of internal control matters

• Insert figure 1: monitoring applied to the internal control process

Types of controls in an information technology environment

Overview of computer controls

Types of controls in an information technology environment

• Audit strategies for assessing control risk– assessing control risk based on user controls– Planning for a low control risk assessment based on

application controls– Planning for a high control risk assessment based on

general controls and manual follow-up

Types of controls in an information technology environment

• User controls– Manual procedures designed to test the

completeness and accuracy of computer processed transactions

• Application controls– Use of automated controls and planning of strategies

to assess control risk as low

Computer assisted audit techniques

• Test data• Integrated test facility• Parallel simulation• Continuous monitoring• Tagging transactions• Systems control audit review file

20

Computer assisted audit techniques

• Test data– Dummy transactions are prepared by the auditor

and processed under auditor control by the entity’s software

– e.g. payroll test data may include both a valid and invalid overtime transaction to test how the system processes it

21

• Integrated test facility– requires the creation of a small subsystem with dummy

master files that are subjected to the same programmed controls as are placed on the actual data, and a separate set of outputs is produced for the auditor

– advantage is the integrated test facility allows for ongoing testing

– disadvantage is the risk that errors could be created in the entity’s data files

– accordingly, entities are often reluctant to allow auditors to do this type of testing unless the integrity of the testing can be guaranteed

Computer assisted audit techniques

22

• Parallel simulation– involves reprocessing actual entity data using

auditor-controlled software– advantage is the auditor can independently run

tests and verify transactions by tracing them to source documents and approvals

– must ensure data tested is representative

Computer assisted audit techniques

Computer assisted audit techniques

• Continuous monitoring of online real-time systems– An audit routine is added to the processing programs– Transactions sampled at random intervals – Output is used in testing controls

Computer assisted audit techniques

• Tagging transactions– Indicator placed on selected transactions – Transaction is traced through the system s it is being

processed

Computer assisted audit techniques

• Systems control audit review file– File used to record events that meet auditor

specified criteria as they at occur at designated points in the system

– Also known as an audit log