Chapter
13
Rise School of
Accountancy
Chapter 15
The main objective of ISA 330, The auditor's responses to assessed risks, is to obtain sufficient appropriate
audit evidence regarding the assessed risks of material misstatement, through designing and implementing
appropriate responses to those risks.
Overall responses include issues such as emphasising to the team the importance of professional
skepticism, allocating more staff, using experts or providing more supervision.
Overall responses to address the risks of material misstatement at the financial statement level will be
changes to the general audit strategy or re-affirmations to staff of the general audit strategy. For example:
Emphasising to audit staff the need to maintain professional skepticism
Assigning additional or more experienced staff to the audit team
Providing more supervision on the audit
Incorporating more unpredictability into the audit procedures
Making general changes to the nature, timing or extent of audit procedures
The evaluation of the control environment that will have taken place as part of the assessment of the
client's internal control systems will help the auditor determine what type of audit approach to take.
Substantive procedures are audit procedures designed to detect material misstatements at the assertion
level. They consist of tests of details of classes of transactions, account balances and disclosures, and
substantive analytical procedures.
The auditor shall always carry out substantive procedures on material items. The ISA says that
irrespective of the assessed risk of material misstatement, the auditor shall design and perform substantive
procedures for each material class of transactions, account balance and disclosure.
In addition, the auditor shall carry out the following substantive procedures:
Substantive procedures fall into two categories: analytical procedures and tests of details. The auditor
must determine when it is appropriate to use which type of substantive procedure. We discuss these in
more detail in Chapter 11 but they are introduced below.
Analytical procedures as substantive procedures tend to be appropriate for large volumes of predictable
transactions (for example, wages and salaries). Tests of detail may be appropriate to gain information
about account balances, for example inventory or trade receivables.
Tests of detail rather than analytical procedures are likely to be more appropriate with regard to matters
which have been identified as significant risks, but the auditor must develop procedures that are
specifically responsive to that risk, which may include analytical procedures. Significant risks are likely
to be the most difficult to obtain sufficient appropriate audit evidence about.
Tests of controls are audit procedures designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the assertion level.
When the auditor's risk assessment includes an expectation that controls are operating effectively, the
auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence that the
controls were operating.
The auditor shall also undertake tests of control when it will not be possible to obtain sufficient
appropriate audit evidence simply from substantive procedures. This might be the case if the entity
conducts its business using IT systems which do not produce documentation of transactions.
In carrying out tests of control, auditors shall use inquiry, but shall also use other procedures.
Re-performance and inspection will often be helpful procedures.
When considering timing in relation to tests of controls, the purpose of the test will be important. For
example, if the company carries out a year-end inventory count, controls over the inventory count can
only be tested at the year-end. Other controls will operate all year round, and the auditor may need to test
that those controls have been effective throughout the period.
Some controls may have been tested in prior audits and the auditor may choose to rely on that evidence of
their effectiveness. If this is the case, the auditor shall obtain evidence about any changes since the
controls were last tested and shall test the controls if they have changed. In any case, controls shall be
tested for effectiveness at least once in every three audits.
If the related risk has been designated a significant risk, the auditor shall not rely on testing done in prior
years, but shall perform testing in the current year.
2 IT controls are grouped under two broad categories: ‘Application Controls’ and ‘General IT
Controls’.
Application controls relate to processing of individual applications. Applications are the computer programs
and processes, including manual processes, that enable us to conduct essential activities: buying products,
paying vendors, accounting for travelling expenses, and forecasting and monitoring budgets.
Application controls help to ensure that transactions are authorised, complete and accurately recorded.
Controls over input mean that data input into the system is authorized, complete and accurate.
Control over input is very important because if the input data is not correct, the output data processed
will also be incorrect.
Examples of input controls are authorization controls, completeness controls and accuracy controls.
These examples are explained below:
Authorization controls include authorization of input documents and input to be fed into the
system only by authorized persons.
An example of an input document for payroll would be the increment list based on which
annual increments would be made to the employees of an entity. The increment list is to be
approved by an authorized person.
Only then will the increment amounts be recorded as an input in the payroll application
software.
Such a control ensures that errors and fraud committed by unauthorized users will be
avoided.
Examples of completeness controls are document counts, and review of output against
expected value.
A document count is a manual count of the total number of records or transactions before
they are fed into the system; the result is then compared with the number of records
indicated by the computer after processing.
However, if one record is fed twice and another record is not fed, the document count
would not reveal the irregularity.
The financial control total is the total of the financial amounts processed in a batch. This
involves manual calculation of the total value of a numeric data field in the records. After
the data has been fed into the system, the total for the relevant field will be calculated by
the computer. The two totals will then be compared. If they match then it can be assumed
that all the data to be input have been fed and also the data of the relevant numeric field
has been properly fed.
This check involves comparison of the output with the expected values. For example,
while processing sales invoices, the sales department already has an approximate value
of the sales from independent records. The total sales value calculated as per output
processed will be compared with the expected sales amounts and the completeness of the
records can be determined.
Check digits are used to protect against the transposition of data, i.e. errors arising due to
accidental reversal of digits. They are redundant digits, produced by mathematical
calculations performed on a particular field of input data. After the check digit is calculated
it is added to the number from which it is calculated. The computer is then programmed to
calculate the check digit in the same manner as it was calculated manually. If the check
digit added to the number does not match the check digit as calculated by the computer, an
error message appears.
This involves checking the data field to determine whether the quantity or the amount
therein, is within the defined limits. For example, if the maximum basic salary of an
organisation is Rs.3,000, the computer program may be designed to reject inputs where
the basic data fed into the computer exceeds Rs.3,000.
This involves checking the existence of certain specific fields. For example, while
recording purchases, the computer system may be designed to accept the input of the
purchase vouchers only if the field of purchase order number is recorded along with
the purchase invoice.
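The three input checks described above (check digit, limit check, existence check), as an added Python example that is not part of the original notes. The notes do not name a check-digit scheme, so a weighted modulus-11 scheme is assumed; the field names and sample records are constructed, and only the Rs.3,000 salary limit and the purchase order number requirement come from the text.

```python
from decimal import Decimal

MAX_BASIC_SALARY = Decimal("3000")  # limit quoted in the text (Rs.3,000)

def check_digit(base: str) -> str:
    """Weighted modulus-11 check digit (assumed scheme).

    Weights 2, 3, 4, ... are applied from the rightmost digit. Because
    neighbouring weights differ by 1, swapping two adjacent unequal digits
    always changes the result (valid for bases of up to 9 digits).
    """
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)

def has_valid_check_digit(number: str) -> bool:
    """Recompute the check digit and compare it with the one keyed in."""
    if len(number) < 2 or not number[:-1].isdigit():
        return False
    return check_digit(number[:-1]) == number[-1]

def validate_salary_input(rec: dict) -> list:
    """Check digit on the employee number plus limit check on basic salary."""
    errors = []
    if not has_valid_check_digit(rec.get("employee_no", "")):
        errors.append("check digit mismatch on employee_no")
    if Decimal(rec["basic_salary"]) > MAX_BASIC_SALARY:
        errors.append("basic_salary exceeds limit")
    return errors

def validate_purchase_voucher(rec: dict) -> list:
    """Existence check: reject the voucher if no purchase order number is keyed."""
    if not str(rec.get("purchase_order_no") or "").strip():
        return ["purchase_order_no missing"]
    return []

if __name__ == "__main__":
    # Constructed sample input: base number 48213 carries check digit 7.
    good = {"employee_no": "482137", "basic_salary": "2500"}
    # Same number with digits 8 and 2 transposed, and salary over the limit.
    bad = {"employee_no": "428137", "basic_salary": "3500"}
    print(validate_salary_input(good))
    print(validate_salary_input(bad))
    print(validate_purchase_voucher({"invoice_no": "INV-1"}))
```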
For accuracy of processing, it is essential that the correct master files and program
files are used. A method of ensuring that the correct program and data files are used
for processing is the use of file labels. File labels may be external, such as a label
affixed to a CD, or internal, such as a file description written on the computer file and
readable by the computer.
In the case of those computer applications consisting of more than one computer run,
the control totals during each run should be accumulated and agreed with the input
totals or with the totals held in the file. This will ensure that data lost during
intermediate processing runs are detected promptly.
This is a form of control total. A control total of the inputs recorded in the system is
manually calculated. After the batch has been processed, the total of the same field
which was manually calculated is compared with the total according to the system.
The field on which the control total is made could be the code number of the items of
inventory recorded in the inventory ledger.
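The document count, the financial control total and the control total on a code field (commonly called a hash total) can be compared side by side, as in this added Python example that is not part of the original notes. It reproduces the case the notes mention, where one record is fed twice and another is omitted, and goes one step further with a batch in which the duplicated and omitted records carry the same amount. Record layout, item codes and amounts are constructed.

```python
from decimal import Decimal

def batch_totals(records):
    """Compute the three batch controls for a list of (item_code, amount) records."""
    return {
        "document_count": len(records),
        "financial_total": sum((Decimal(a) for _, a in records), Decimal("0")),
        "hash_total": sum(int(code) for code, _ in records),  # total of item codes
    }

def reconcile(manual, processed):
    """Return the names of the controls where the manually prepared batch
    totals disagree with the totals computed from the processed records."""
    system = batch_totals(processed)
    return [name for name in manual if manual[name] != system[name]]

# Constructed batch A: source documents as counted and totalled by hand.
SOURCE_A = [("1001", "250.00"), ("1002", "400.00"),
            ("1003", "125.50"), ("1004", "75.25")]
# Constructed keying error: 1002 fed twice, 1003 not fed at all.
KEYED_A = [("1001", "250.00"), ("1002", "400.00"),
           ("1002", "400.00"), ("1004", "75.25")]

# Constructed batch B: the duplicated and the omitted record have equal amounts.
SOURCE_B = [("2001", "300.00"), ("2002", "300.00"), ("2003", "90.00")]
KEYED_B = [("2001", "300.00"), ("2001", "300.00"), ("2003", "90.00")]

if __name__ == "__main__":
    # Batch A: the document count still agrees (4 = 4); the other two do not.
    print(reconcile(batch_totals(SOURCE_A), KEYED_A))
    # Batch B: count and financial total both agree; only the hash total differs.
    print(reconcile(batch_totals(SOURCE_B), KEYED_B))
    # A correctly keyed batch reconciles on all three controls.
    print(reconcile(batch_totals(SOURCE_A), SOURCE_A))
```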
This control is used when data is input into the system. The computer system will
guide the user to make the entry so that transactions are fully processed.
This is a very important detective control. An audit trail means maintaining a record
of all actions. An audit trail places responsibility on a person who has access to
resources. It helps to determine who initiated the transaction, when the transaction
was recorded (time, day, date), what files were updated as a result of that transaction
etc.
The input data always fall within a certain limit. For example, the normal hours
worked by workers per day can range from 0 to 9 hours. Data can therefore be tested
against such limits or reasonable ranges.
Access to outputs from the system needs to be restricted to authorised persons. For
example, the salary sheet which is generated by the computer system should be
accessed only by authorised persons from the payroll section and personnel
department.
A report should be prepared for the errors noticed in the output report. The report
should contain details of the errors e.g. description of the error, date of the error,
corrective action taken etc.
(i) Amendments to the data should be made by the authorised person only.
(ii) A log should be maintained for all amendments made to the standing data.
3 General IT controls
General IT controls are the policies and procedures that relate to many applications and support the
effective functioning of application controls by helping to ensure the continued proper operation of
information systems.
The purpose of IT controls is to establish a framework of overall control over IT activities and to
provide reasonable assurance that the overall objectives of internal controls are achieved.
General IT controls apply to many applications. General IT controls are controls over the
environment in which the computer functions. They enable the continued proper operation of
information systems by ensuring the effective functioning of application controls.
General IT controls apply to mainframe, mini-frame, and end-user environments. These controls
apply to the whole information system and the data stored in the information system.
These controls are designed to establish an organisational framework over IT activities. They
include controls over policies and procedures and segregation of duties.
(a) Authorisation
(b) Testing
(b) Authorised structure over transaction entered into system needs to be ensured.
Order received
(b) Verify that the credit rating sheet was available on record
Payment made
Inventory storage
(a) Verify the variance reports and ask for reasons behind why the capital expenditure
exceeds the budget