BIT004 ACCOUNTING INFORMATION SYSTEM

CONTROL TESTS

The objective of the tests of controls phase is to determine whether adequate internal controls
are in place and functioning properly. To accomplish this, the auditor performs various tests of
controls. The evidence-gathering techniques used in this phase may include both manual
techniques and specialized computer audit techniques.
At the conclusion of the tests of controls phase, the auditor must assess the quality of the
internal controls. The degree of reliance the auditor can ascribe to internal controls affects the
nature and extent of substantive testing.

SUBSTANTIVE TESTS

The third phase of the audit process focuses on financial data. This involves a detailed
investigation of specific account balances and transactions through what are called
substantive tests. For example, a customer confirmation is a substantive test sometimes
used to verify account balances. The auditor selects a sample of accounts receivable
balances and traces these back to their source—the customers—to determine
if in fact a bona fide customer owes the amount stated. By so doing, the auditor can
verify the accuracy of each account in the sample. Based on such sample findings, the
auditor is able to draw conclusions about the fair value of the entire accounts receivable
asset. Some substantive tests are physical, labor-intensive activities such as counting
cash, counting inventories in the warehouse, and verifying the existence of stock
certificates in a safe. In an IT environment, the information needed to perform
substantive tests (such as account balances and names and addresses of individual
customers) is contained in data files that often must be extracted using computer
assisted audit tools and techniques software.

The Relationship between Tests of Controls

and Substantive Tests

Tests of controls and substantive tests are auditing techniques used for reducing total
audit risk. The relationship between tests of controls and substantive tests varies
according to the auditor’s risk assessment of the organization.

The stronger the internal control structure, the lower the control risk and the less
substantive testing the auditor must do. This is because the likelihood of errors in the
accounting records is reduced. In other words, when controls are strong, the auditor
may limit substantive testing. However, the weaker the internal control structure, the
greater the control risk and the more substantive testing the auditor must perform
to reduce total audit risk. Evidence of weak controls forces the auditor to extend
substantive testing to search for misstatements in financial data that control errors as
well as business problems inherent to the organization. Because substantive tests are
labor-intensive and time-consuming, they are expensive. Increased substantive
testing translates into longer and more disruptive audits and higher audit costs.

Substantive Testing Techniques

Substantive tests are so named because they are used to substantiate dollar amounts
in account balances.
Substantive tests include but are not limited to the following:
1. Determining the correct value of inventory.
2. Determining the accuracy of prepayments and accruals.
3. Confirming accounts receivable with customers.
4. Searching for unrecorded liabilities.
Before substantive tests can be performed, these data must first be extracted from their
host media and presented to the auditor in usable form. The two CAATTs examined in
this section assist the auditor in selecting, accessing, and organizing data used for
performing substantive tests.
THE EMBEDDED AUDIT MODULE
Embedded audit module (EAM) techniques use one or more programmed modules embedded
in a host application to select, for subsequent analysis, transactions that meet predetermined
conditions. As the host application processes the selected transaction, a copy of it is stored on
an audit file for subsequent review. The EAM approach allows material transactions to be
captured throughout the audit period. The auditor retrieves captured transactions at period-end
or at any time during the period, thus significantly reducing the amount of work the auditor must
do to identify significant transactions for substantive testing. To begin data capturing, the auditor
specifies to the EAM the parameters and materiality threshold of the transactions set to be
captured. For example, assume that the auditor establishes a $50,000 materiality threshold for
transactions that a sales order processing system has processed. Transactions equal
to or greater than $50,000 will be copied to the audit file. From this set of transactions, the
auditor will select a subset to be used for substantive tests. The EAM will ignore transactions
that fall below this threshold. Although primarily a substantive testing technique, EAMs may also
be used to monitor application controls on an ongoing basis as recommended in the SAS
78/COSO framework. For example, transactions the EAM selects can be reviewed for proper
authorization, completeness and accuracy of processing, and correct posting to accounts.

GENERALIZED AUDIT SOFTWARE

GAS is the most widely used CAATT for IT auditing. GAS allows auditors to access
electronically coded data files and perform various operations on their contents. ACL and IDEA
are currently the leading products, but others exist with similar features. The following audit
tasks can be performed using GAS:

1. Footing and balancing entire files or selected data items.

2. Selecting and reporting detailed data contained on files.
3. Selecting stratified statistical samples from data files.
4. Formatting results of tests into reports.
5. Printing confirmations in either standardized or special wording.
6. Screening data and selectively including or excluding items.
7. Comparing two files and identifying any differences.
8. Recalculating data fields.
The widespread popularity of GAS is due to four factors:
(1) GAS languages are easy to use and require little IT background on the part of the auditor,
(2) GAS may be used on any type of computer because it is hardware independent,
(3) auditors can perform their tests on data independent of client IT professional, and
(4) GAS can be used to audit the data files of many different applications (in contrast with
EAMs, which are application-specific).

Using GAS to Access Simple Structures

Accessing flat-file structures (such as a text file) is a simple process, an inventory file is read
directly into the GAS, which extracts key information needed for the audit, including the quantity
on hand, the dollar value, and the warehouse location of each inventory item. The auditor’s task
is to perform a physical count of a representative sample of the inventory on hand to verify the
existence and value of the inventory. Thus, on the basis of a materiality threshold that the
auditor provides, the GAS selects the sample records and prepares a report with the key
information.
FIGURE
17-17 USING GAS TO ACCESS SIMPLE FILE STRUCTUR
Using GAS to Access Complex Structures
Gaining access to complex structures, such as virtual storage access method (VSAM) files and
object oriented database files, poses more of a problem for the auditor. Most DBMSs, however,
have utility features that will reformat complex structures into flat files. In such cases, rather than
accessing the complex structure directly, an intermediate flat file is produced, which the GAS
then accesses. The database structure uses pointers to integrate three related files—Customer,
Sales Invoice, and Test of controls are designed to test the effectiveness of controls in
preventing or detecting material misstatements.

Substantive procedures are designed to detect material misstatement of relevant assertions.

Substantive procedures include analytical procedures and tests of details of account balances,
transactions, and disclosures.
SUBSTANTIVE PROCEDURES
Inspection of records and documents – Audit evidence in paper or electronic form is obtained
through inspection of records and docs -checks, invoices, contracts, minutes of meetings,
litigations
Inquiry of knowledgeable person within or outside the entity
External confirmation
Inspection of tangible assets
Observation of procedures being performed by others
Recalculation of mathematical accuracy
Reperformance of procedures
Analytical procedures

Assessing Audit Risk and Designing Tests of Controls

Audit risk is the probability that the auditor will render an unqualified (clean) opinion on
financial statements that are, in fact, materially misstated. Errors may cause material
misstatements, or irregularities, or both. Errors are unintentional mistakes. Irregularities
are intentional misrepresentations to perpetrate a fraud or to mislead the users of
financial statements. The auditor’s objective is to minimize audit risk by
performing tests of controls and substantive tests.

AUDIT RISK COMPONENTS

The three components of audit risk are inherent risk, control risk, and detection risk.

Inherent Risk
Inherent risk is associated with the unique characteristics of the business or industry of
the client. Firms in declining industries have greater inherent risk than firms in stable or
thriving industries. Auditors cannot reduce the level of inherent risk. Even in a system in
which excellent controls protect financial data,financial statements can be materially
misstated.

To illustrate inherent risk, assume that the audit client’s financial statements show an
accounts receivable balance of $10 million. Unknown to the auditor and the client,
several customers with accounts receivable totaling $2 million are about to go out of
business. These accounts, which are a material component of the total accounts
receivable balance of $10 million, are not likely to be collected. To represent these
accounts as an asset in the financial statements would be a material misstatement of
the firm’s economic position.

Control Risk
Control risk is the likelihood that the control structure is flawed because controls are
either absent or inadequate to prevent or detect errors in the accounts.8 To illustrate
control risk, consider the following partial customer sales record, which the sales order
system processes. Quantity Unit Price Total 10 Units $20 $2,000. Assuming the
Quantity and Unit Price fields in the record are correctly presented, then the extended
amount (Total) value of $2,000 is in error. An AIS with adequate controls should prevent
or detect such an error. If, however, controls are lacking and the value of Total in each
record is not validated before processing, then the risk of undetected errors entering the
data files increases. Auditors reduce the level of control risk by performing tests of
internal controls. In the preceding example, the auditor could create test transactions,
including some with incorrect Total values, which the application processes in a test run.
The results of the test will indicate that price extension errors are not detected and are
being incorrectly posted to the accounts receivable file.

Detection Risk
Detection risk is the risk that auditors are willing to accept that errors not detected or prevented
by the control structure will also not be detected by the auditor.9 Auditors set an acceptable
level of detection risk (called planned detection risk) that influences the level of substantive tests
that they perform. For example, more substantive testing would be required when the planned
detection risk is 1 percent than when it is 5 percent.
FIGURE
17-17 USING GAS TO ACCESS SIMPLE FILE STRU