AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls
description
Transcript of AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls
![Page 1: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/1.jpg)
Chapter 11
Tests of Controls
![Page 2: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/2.jpg)
Objectives
• Explain the relationship between control risk assessment and audit strategy
• Describe the purpose of tests of controls and the nature, timing and extent of such tests
• Clarify how the work of internal auditing may be used in tests of controls
• Explain the process of assessing control risk and documenting the conclusion
![Page 3: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/3.jpg)
Objectives
• Indicate the appropriate communications the auditor makes on internal control matters
• Describe the types of controls you would expect to see in an information technology environment
• Identify the alternate types of computer-assisted audit techniques
![Page 4: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/4.jpg)
4
Preliminary Assessment of Control Risk
• ASA 315 para 25 states:The auditor shall identify and assess the risks of material misstatement at the financial report level, and at the assertion level for classes of transaction, account balances and disclosures
• Assessment to obtain a reasonable understanding of controls in place
• Subsequently, decide on appropriate audit strategy so as to design a detailed audit program
![Page 5: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/5.jpg)
5
Process of assessing control risk
• Use professional judgement to assess the control environment
• Assess the design effectiveness of control procedures and their ability to prevent or correct misstatements
• Assess whether controls were effectively applied throughout the period under audit
![Page 6: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/6.jpg)
6
Assessment of control risk and audit strategy
• In order to place reliance on the internal controls to support the audit opinion, the auditor must test controls to ensure that they have been implemented as they were designed
• In order to complete the work on internal controls the auditor must carry out the following steps:– Perform tests of controls– Evaluate the evidence obtained and assess the
level of control risk
![Page 7: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/7.jpg)
7
• When an auditor chooses a predominantly substantive approach, he or she should have sufficient knowledge or the system of internal control to understand the potential causes of misstatements.
• This approach is associated with a planned assessed level of control risk of high based on one of the following:
– No significant internal controls that relate to the assertion
– Relevant internal controls are unlikely to be effective– Efficient to obtain evidence to evaluate the
effectiveness of relevant internal controls
Assessment of control risk and audit strategy
![Page 8: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/8.jpg)
8
• In some cases a lower assessed level of control risk approach is planned because the client has effective internal controls and the auditor plans to test those controls
• In some circumstances the auditor might find that contrary to expectations the control appears to be ineffective – in such a case, it is appropriate to change the strategy to a predominantly substantive approach
Assessment of control risk and audit strategy
![Page 9: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/9.jpg)
9
Tests of Controls
• Tests of controls are carried out to evaluate the operating effectiveness of the internal control policies and procedures
• The auditor must decide on the nature, timing and extent of tests of control
• ASA 330 The Auditor’s Procedures in Response to Assessed Risks
![Page 10: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/10.jpg)
10
Designing tests
• Tests of controls include:– enquiring of client personnel– observation of activities and procedures– e.g. observation of counting during a stock take– inspection of documents and records– re-performance of procedures
![Page 11: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/11.jpg)
Designing tests
• Tests of controls conduced at interim period as auditor can get an early indication of controls are operating effectively and change tests to substantive tests if required
• Extent of tests is determined by auditors planned assessed level of control risk– More extensive testing is needed for a low assessed
level of control risk
![Page 12: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/12.jpg)
Illustrative partial audit program for tests of controls
![Page 13: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/13.jpg)
13
Using internal auditors
• Internal audit is generally considered a crucial part of the corporate governance structure of the company.
• Effectiveness of internal audit must be considered first in accordance with ASA 610 Considering the Work of Internal Audit
• Issues include organisational status, independence, technical expertise, supervision of work etc.
![Page 14: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/14.jpg)
14
Final assessment
• Need to fully document all tests• Important to communicate all concerns regarding
internal control matters to the entity’s management and board
• Refer ASA 265 on Communication of Audit Matters with Those Charged with Corporate Governance (i.e. to director level)
![Page 15: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/15.jpg)
Communication of internal control matters
• Insert figure 1: monitoring applied to the internal control process
![Page 16: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/16.jpg)
Types of controls in an information technology environment
Overview of computer controls
![Page 17: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/17.jpg)
Types of controls in an information technology environment
• Audit strategies for assessing control risk– assessing control risk based on user controls– Planning for a low control risk assessment based on
application controls– Planning for a high control risk assessment based on
general controls and manual follow-up
![Page 18: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/18.jpg)
Types of controls in an information technology environment
• User controls– Manual procedures designed to test the
completeness and accuracy of computer processed transactions
• Application controls– Use of automated controls and planning of strategies
to assess control risk as low
![Page 19: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/19.jpg)
Computer assisted audit techniques
• Test data• Integrated test facility• Parallel simulation• Continuous monitoring• Tagging transactions• Systems control audit review file
![Page 20: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/20.jpg)
20
Computer assisted audit techniques
• Test data– Dummy transactions are prepared by the auditor
and processed under auditor control by the entity’s software
– e.g. payroll test data may include both a valid and invalid overtime transaction to test how the system processes it
![Page 21: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/21.jpg)
21
• Integrated test facility– requires the creation of a small subsystem with dummy
master files that are subjected to the same programmed controls as are placed on the actual data, and a separate set of outputs is produced for the auditor
– advantage is the integrated test facility allows for ongoing testing
– disadvantage is the risk that errors could be created in the entity’s data files
– accordingly, entities are often reluctant to allow auditors to do this type of testing unless the integrity of the testing can be guaranteed
Computer assisted audit techniques
![Page 22: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/22.jpg)
22
• Parallel simulation– involves reprocessing actual entity data using
auditor-controlled software– advantage is the auditor can independently run
tests and verify transactions by tracing them to source documents and approvals
– must ensure data tested is representative
Computer assisted audit techniques
![Page 23: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/23.jpg)
Computer assisted audit techniques
• Continuous monitoring of online real-time systems– An audit routine is added to the processing programs– Transactions sampled at random intervals – Output is used in testing controls
![Page 24: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/24.jpg)
Computer assisted audit techniques
• Tagging transactions– Indicator placed on selected transactions – Transaction is traced through the system s it is being
processed
![Page 25: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/25.jpg)
Computer assisted audit techniques
• Systems control audit review file– File used to record events that meet auditor
specified criteria as they at occur at designated points in the system
– Also known as an audit log
![Page 26: AF304 Week 9Lecture # 1 - Chapter_11 Test of Controls](https://reader036.fdocuments.in/reader036/viewer/2022062321/563db7c2550346aa9a8db1c9/html5/thumbnails/26.jpg)