Chapter 15

Chapter
13

Study Notes on Auditing

Responding to the Risk Assessment
[Replaced test of control(ch=13) and substantive procedures(ch=14)]

Rise School of
Accountancy

1
 Chapter 15

1. Responding to the risk assessment

The auditor shall formulate an approach to the assessed risks of material misstatement.

The main objective of ISA 330 The auditor's responses to assessed risks is to obtain sufficient appropriate
audit evidence regarding the assessed risks of material misstatement, through designing and implementing
appropriate responses to those risks.

1.1 Overall responses

Overall responses include issues such as emphasising to the team the importance of professional
skepticism, allocating more staff, using experts or providing more supervision.
Overall responses to address the risks of material misstatement at the financial statement level will be
changes to the general audit strategy or re-affirmations to staff of the general audit strategy. For example:
 Emphasising to audit staff the need to maintain professional skepticism
 Assigning additional or more experienced staff to the audit team
 Providing more supervision on the audit
 Incorporating more unpredictability into the audit procedures
 Making general changes to the nature, timing or extent of audit procedures

The evaluation of the control environment that will have taken place as part of the assessment of the
client's internal control systems will help the auditor determine what type of audit approach to take.

Responses to the risks of material misstatement at the assertion level

The ISA says that the auditor shall design and perform further audit procedures whose nature, timing
and extent are based on and are responsive to the assessed risks of material misstatement at the assertion
level. 'Nature' refers to the purpose and the type of test that is carried out, which include tests of control
and substantive tests.

1.2 Substantive procedures

Substantive procedures are audit procedures designed to detect material misstatements at the assertion
level. They consist of tests of details of classes of transactions, account balances and disclosures, and
substantive analytical procedures.

The auditor shall always carry out substantive procedures on material items. The ISA says that
irrespective of the assessed risk of material misstatement, the auditor shall design and perform substantive
procedures for each material class of transactions, account balance and disclosure.
In addition, the auditor shall carry out the following substantive procedures:

 Agreeing or reconciling the financial statements to the underlying accounting records

 Examining material journal entries
 Examining other adjustments made in preparing the financial statements

Rise School of
Accountancy

2
 Chapter 15

Substantive procedures fall into two categories: analytical procedures and tests of details. The auditor
must determine when it is appropriate to use which type of substantive procedure. We discuss these in
more detail in Chapter 11 but they are introduced below.

1.3 Analytical procedures

As substantive procedures tend to be appropriate for large volumes of predictable transactions (for
example, wages and salaries). Tests of detail may be appropriate to gain information about account
balances for example, inventory or trade receivables.

Tests of detail rather than analytical procedures are likely to be more appropriate with regard to matters
which have been identified as significant risks, but the auditor must develop procedures that are
specifically responsive to that risk, which may include analytical procedures. Significant risks are likely
to be the most difficult to obtain sufficient appropriate audit evidence about.

1.4 Tests of controls

Tests of controls are audit procedures designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the assertion level.
When the auditor's risk assessment includes an expectation that controls are operating effectively, the
auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence that the
controls were operating.

The auditor shall also undertake tests of control when it will not be possible to obtain sufficient
appropriate audit evidence simply from substantive procedures. This might be the case if the entity
conducts its business using IT systems which do not produce documentation of transactions.
In carrying out tests of control, auditors shall use inquiry, but shall also use other procedures. Re-
performance and inspection will often be helpful procedures.

When considering timing in relation to tests of controls, the purpose of the test will be important. For
example, if the company carries out a year-end inventory count, controls over the inventory count can
only be tested at the year-end. Other controls will operate all year round, and the auditor may need to test
that those controls have been effective throughout the period.

Some controls may have been tested in prior audits and the auditor may choose to rely on that evidence of
their effectiveness. If this is the case, the auditor shall obtain evidence about any changes since the
controls were last tested and shall test the controls if they have changed. In any case, controls shall be
tested for effectiveness at least once in every three audits.

If the related risk has been designated a significant risk, the auditor shall not rely on testing done in prior
years, but shall perform testing in the current year.

Rise School of
Accountancy

3
 Chapter 15

2 IT controls are grouped under two broad categories ‘Application Controls’ and General IT
Controls’.

2.1 Application controls

Application controls relate to processing of individual applications. Applications are the computer programs
and processes, including manual processes that enable us to conduct essential activities: buying products,
paying vendors, accounting for travelling expenses, and forecasting and monitoring budgets.

Application controls help to ensure that transactions are authorised, complete and accurately recorded.

Application controls include the following:

(a) Control over input

(b) Control over processing and computer data files

(c) Control over output

(d) Control over standing data

Each of the above has been explained in turn below.

2.1.1 Control over input

Controls over input means that data that is input into the system is authorized, complete and accurate.
Control over input is very important because if the input data is not correct, the output data processed
will also be incorrect.

Examples of input controls are authorization controls, completeness controls and accuracy controls.
These examples are explained below:

(a) Authorisation controls

Authorization controls include authorization of input documents and input to be fed into the
system only by authorized persons.

(i) Authorization of input documents

Rise School of
Accountancy

4
Chapter 15

An example of an input document for payroll would be the increment list based on which
annual increments would be made to the employees of an entity. The increment list is to be
approved by an authorized person.

Only then will the increment amounts be recorded as an input in the payroll application
software.

(ii) Data input to be made by authorized persons only

Such a control ensures that errors and fraud committed by unauthorized users will be
avoided.

(b) Completeness Controls

Examples of completeness controls are document counts, and review of output against
expected value.

(i) Document count

A document count is a manual count of the total number of records or transactions before
they are fed into the system; the result is then compared with the number of records
indicated by the computer after processing.

However, if one record is fed twice and another record is not fed, the document count
would not reveal the irregularity.

(ii) Financial control total

The financial control total is the total of the financial amounts processed in a batch. This
involves manual calculation of the total value of a numeric data field in the records. After
the data has been fed into the system, the total for the relevant field will be calculated by
the computer. The two totals will then be compared. If they match then it can be assumed
that all the data to be input have been fed and also the data of the relevant numeric field
has been properly fed.

(iii) Review of output against expected value

This check involves comparison of the output with the expected values. For example
while processing sales invoices; the sales department already has an approximate value
of the sales from independent records. The total sales value calculated as per output
processed will be compared with the expected sales amounts and the completeness of the
records can be determined.

Rise School of
Accountancy

5
Chapter 15

(c) Accuracy Controls

(i) Check digit

Check digits are used to protect against the transposition of data i.e. errors arising due to
accidental reversal of digits. They are redundant digits, produced by mathematical
calculations performed on a particular field of input data. After the check digit is calculated
it is added to the number from which it is calculated. The computer is then programmed to
calculate the check digit in the same manner as it was calculated manually. If the check
digit added to the number does not match the check digit as calculated by the computer, an
error message appears.

(ii) Range checks

This involves checking the data field to determine whether the quantity or the amount
therein, is within the defined limits. For example, if the maximum basic salary of an
organisation is Rs.3,000, the computer program may be designed to reject inputs where
the basic data fed into the computer exceeds Rs.3,000.

(iii) Existence checks

This involves checking the existence of certain specific fields. For example, while
recording purchases, the computer system may be designed to accept the input of the
purchase vouchers only if the field of purchase order number is recorded along with
the purchase invoice.

2.1.2 Control over processing and computer data files

Processing controls ensure that:

(i) Transactions are properly processed by the computer

(ii) Transactions are not lost, added, duplicated or improperly changed

(iii) Processing errors are identified and corrected on a timely basis

Some important processing controls are as follows:

(a) File label

For accuracy of processing, it is essential that the correct master files and program
files are used. A method of ensuring that the correct program and data files are used
for processing is the use of file labels. File labels may be external such as a label
Rise School of
Accountancy

6
Chapter 15

affixed to a CD or an internal like file description written on the computer file and
readable by the computer.

(b) Run to run controls

In the case of those computer applications consisting of more than one computer run,
the controls totals during each run should be accumulated and agreed with the input
totals or with the totals held in the file. This will ensure that data lost during
intermediate processing runs are detected promptly.

(c) Control total

Control totals have been explained above.

(d) Batch total

This is a form of control total. A control total of the inputs recorded in the system is
manually calculated. After the batch has been processed, the total of the same field
which was manually calculated is compared with the total according to the system.
The field on which the control total is made could be the code number of the items of
inventory recorded in the inventory ledger.

(e) On screen prompts

This control is used when data is input into the system. The computer system will
guide the user to make the entry so that transactions are fully processed.

(f) Audit trail

This is a very important detective control. An audit trail means maintaining a record
of all actions. An audit trail places responsibility on a person who has access to
resources. It helps to determine who initiated the transaction, when the transaction
was recorded (time, day, date), what files were updated as a result of that transaction
etc.

2.1.3 Controls over output

(a) Reasonableness checks

The input data always fall within a certain limit. For example, the normal hours
worked by workers per day can range from 0 to 9 hours. Data can therefore be tested
against such limits or reasonable ranges.

(b) Authorised users to output files

Rise School of
Accountancy

7
Chapter 15

Access to outputs from the system needs to be restricted to authorised persons. For
example, the salary sheet which is generated by the computer system should be
accessed only by authorised persons from the payroll section and personnel
department.

(c) Error listing

A report should be prepared for the errors noticed in the output report. The report
should contain details of the errors e.g. description of the error, date of the error,
corrective action taken etc.

2.1.4 Controls over standing data

(i) Amendments to the data should be made by the authorised person only.

(ii) A log should be maintained for all amendments made to the standing data.

3 General IT controls

General IT controls are the polices and procedures that relate to many applications and support the
effective functioning of application controls by helping to ensure the continued proper operation of
information systems.

The purpose of IT controls is to establish a framework of overall control over IT activities and to
provide reasonable assurance that the overall objectives of internal controls are achieved.

General IT controls apply to many applications. General IT controls are controls over the
environment in which the computer functions. They enable the continued proper operation of
information systems by ensuring the effective functioning of application controls.

General IT controls apply to mainframe, mini-frame, and end-user environments. These controls
apply to the whole information system and the data stored in the information system.

General IT controls include

(a) Organisation and management controls

(b) Application systems development and maintenance controls

(c) Computer operation controls

(d) System software controls

(e) Data entry and program controls

Rise School of
Accountancy

8
Chapter 15

(f) Other controls

These are explained in turn.

3.1 Organisation and management controls

These controls are designed to establish an organisational framework over IT activities. They
include controls over policies and procedures and segregation of duties.

Application systems development and maintenance controls

(a) Testing of system

(b) Control over program changes

(c) Authorisation and maintenance of new versions

(d) Training staff to use new programs

(e) Maintenance of program log.

(f) Consideration of appropriate standards while designing

(g) Restricted access to system documentation.

3.2 Computer operation controls

(a) Processing errors detected and corrected

(b) Only authorised users – access to computer operations

(c) Use of system for authorised purposes only

(d) Authorised programs need to be used.

3.3 System software controls

(a) Authorisation

(b) Testing

(c) Documentation of new system software

(d) Restricted access to software

3.4 Data entry and program controls

Rise School of
Accountancy

9
Chapter 15

(a) Access to data and program

(b) Authorised structure over transaction entered into system needs to be ensured.

3.5 Other controls

(a) Virus protection for all programs

(b) Back-up of all system programs

(c) Control environment

(d) Disaster recovery controls

(e) Network security

(f) Access controls.

Order received

(a) Sale orders are sequentially

(b) Verify that the credit rating sheet was available on record

(c) Verify that they are authorised

Payment made

(a) Observe whether segregation of duties is followed

(b) Verify whether bill to bill payments are made.

Inventory storage

(a) Proper storage facility

(b) Cross-check the issue slip with the production plan

(c) Verify the issue slip

Issue of finished goods

(a) Check the missing sales invoice numbers

(b) Check the report of sales return

Rise School of
Accountancy

10
Chapter 15

(c) Verify the insurance policies for the inventories

General points – capital expenditure

(a) Verify the variance reports and ask for reasons behind why the capital expenditure
exceeds the budget

(b) Check whether these expenses are properly authorised by management.

(c) View the organisation structure

(d) View the organisation’s policies.

Calculation of gross wages

(a) Staff attendance machine to be kept near the security gate.

(b) Verify overtime is authorised.

(c) Check salary calculations.

(d) Access to software restricted by use of password.

(e) Verify the changes to master file.

(f) Staff cards to be properly sequenced.

(g) Verify company policy for changes to pay rates.

(h) Re-perform comparison of payroll data.

(i) Examine termination notices with payroll.

Custody and control of cash, cheque books and bank accounts

(a) Verify physical verification of cash every week.

(b) Procedure for safe custody of cash

(c) Review daily cash balance versus maximum cash balance

(d) Verify the insurance policy.

Rise School of
Accountancy

11