You are on page 1of 26

Chapter 11

Tests of Controls

Objectives
• Explain the relationship between control risk assessment
and audit strategy
• Describe the purpose of tests of controls and the nature,
timing and extent of such tests
• Clarify how the work of internal auditing may be used in
tests of controls
• Explain the process of assessing control risk and
documenting the conclusion

Objectives • Indicate the appropriate communications the auditor makes on internal control matters • Describe the types of controls you would expect to see in an information technology environment • Identify the alternate types of computer-assisted audit techniques .

account balances and disclosures • Assessment to obtain a reasonable understanding of controls in place • Subsequently.Preliminary Assessment of Control Risk • ASA 315 para 25 states: The auditor shall identify and assess the risks of material misstatement at the financial report level. decide on appropriate audit strategy so as to design a detailed audit program 4 . and at the assertion level for classes of transaction.

Process of assessing control risk • Use professional judgement to assess the control environment • Assess the design effectiveness of control procedures and their ability to prevent or correct misstatements • Assess whether controls were effectively applied throughout the period under audit 5 .

the auditor must test controls to ensure that they have been implemented as they were designed • In order to complete the work on internal controls the auditor must carry out the following steps: – Perform tests of controls – Evaluate the evidence obtained and assess the level of control risk 6 .Assessment of control risk and audit strategy • In order to place reliance on the internal controls to support the audit opinion.

he or she should have sufficient knowledge or the system of internal control to understand the potential causes of misstatements.Assessment of control risk and audit strategy • When an auditor chooses a predominantly substantive approach. • This approach is associated with a planned assessed level of control risk of high based on one of the following: – No significant internal controls that relate to the assertion – Relevant internal controls are unlikely to be effective – Efficient to obtain evidence to evaluate the effectiveness of relevant internal controls 7 .

it is appropriate to change the strategy to a predominantly substantive approach 8 .Assessment of control risk and audit strategy • In some cases a lower assessed level of control risk approach is planned because the client has effective internal controls and the auditor plans to test those controls • In some circumstances the auditor might find that contrary to expectations the control appears to be ineffective – in such a case.

Tests of Controls • Tests of controls are carried out to evaluate the operating effectiveness of the internal control policies and procedures • The auditor must decide on the nature. timing and extent of tests of control • ASA 330 The Auditor’s Procedures in Response to Assessed Risks 9 .

g. observation of counting during a stock take – inspection of documents and records – re-performance of procedures 10 .Designing tests • Tests of controls include: – enquiring of client personnel – observation of activities and procedures – e.

Designing tests • Tests of controls conduced at interim period as auditor can get an early indication of controls are operating effectively and change tests to substantive tests if required • Extent of tests is determined by auditors planned assessed level of control risk – More extensive testing is needed for a low assessed level of control risk .

Illustrative partial audit program for tests of controls .

independence. supervision of work etc.Using internal auditors • Internal audit is generally considered a crucial part of the corporate governance structure of the company. • Effectiveness of internal audit must be considered first in accordance with ASA 610 Considering the Work of Internal Audit • Issues include organisational status. technical expertise. 13 .

e.Final assessment • Need to fully document all tests • Important to communicate all concerns regarding internal control matters to the entity’s management and board • Refer ASA 265 on Communication of Audit Matters with Those Charged with Corporate Governance (i. to director level) 14 .

Communication of internal control matters • Insert figure 1: monitoring applied to the internal control process .

Types of controls in an information technology environment Overview of computer controls .

Types of controls in an information technology environment • Audit strategies for assessing control risk – assessing control risk based on user controls – Planning for a low control risk assessment based on application controls – Planning for a high control risk assessment based on general controls and manual follow-up .

Types of controls in an information technology environment • User controls – Manual procedures designed to test the completeness and accuracy of computer processed transactions • Application controls – Use of automated controls and planning of strategies to assess control risk as low .

Computer assisted audit techniques • • • • • • Test data Integrated test facility Parallel simulation Continuous monitoring Tagging transactions Systems control audit review file .

g. payroll test data may include both a valid and invalid overtime transaction to test how the system processes it 20 .Computer assisted audit techniques • Test data – Dummy transactions are prepared by the auditor and processed under auditor control by the entity’s software – e.

entities are often reluctant to allow auditors to do this type of testing unless the integrity of the testing can be guaranteed 21 .Computer assisted audit techniques • Integrated test facility – requires the creation of a small subsystem with dummy master files that are subjected to the same programmed controls as are placed on the actual data. and a separate set of outputs is produced for the auditor – advantage is the integrated test facility allows for ongoing testing – disadvantage is the risk that errors could be created in the entity’s data files – accordingly.

Computer assisted audit techniques • Parallel simulation – involves reprocessing actual entity data using auditor-controlled software – advantage is the auditor can independently run tests and verify transactions by tracing them to source documents and approvals – must ensure data tested is representative 22 .

Computer assisted audit techniques • Continuous monitoring of online real-time systems – An audit routine is added to the processing programs – Transactions sampled at random intervals – Output is used in testing controls .

Computer assisted audit techniques • Tagging transactions – Indicator placed on selected transactions – Transaction is traced through the system s it is being processed .

Computer assisted audit techniques • Systems control audit review file – File used to record events that meet auditor specified criteria as they at occur at designated points in the system – Also known as an audit log .