
Learning objectives

After studying this presentation, you should be able to:


10.1 explain the relationship between control risk
assessment and audit strategy
10.2 describe the purpose of tests of controls and the
nature, timing and extent of such tests
10.3 clarify how the work of internal auditing may be used
in tests of controls
10.4 explain the process of assessing control risk and
documenting the conclusion
Learning objectives

10.5 indicate the appropriate communications the auditor
makes on internal control matters
10.6 describe the types of controls you would expect to see in
an information technology environment
10.7 identify the alternative types of computer-assisted audit
techniques.
LO#1
• Explain the relationship between control risk assessment
and audit strategy.
• In every financial statement audit, there is a requirement that the
auditor assess the controls operating within the entity that are
also relevant to the audit.
• This is primarily to help auditors to better understand if there are
risks of material misstatement, which will therefore also affect
audit procedures to be used.
• However, this assessment of controls can also affect the audit
strategy, primarily in relation to decisions made on whether to
focus more work on testing of controls or on substantive audit
procedures.
Assessing the control risk
• In order to place reliance on the internal controls to
support the audit opinion, the auditor must test controls to
ensure that they have been implemented as they were
designed.
• In order to complete the work on internal controls the
auditor must carry out the further steps:
• Perform tests of controls
• Evaluate the evidence obtained and assess the level of control
risk.
Audit strategy
• When an auditor chooses a predominantly substantive
approach, he/she should have sufficient knowledge of the
system of internal control to understand the potential
causes of misstatements.
• This approach is associated with a planned assessed level
of control risk of high based on one of the following:
• No significant internal controls that relate to the assertion
• Relevant internal controls are unlikely to be effective
• Inefficient to obtain evidence to evaluate the effectiveness of
relevant internal controls.
Audit strategy
• In some cases a lower assessed level of control risk
approach is planned because the client has effective
internal controls and the auditor plans to test those
controls, reduce control risk, and modify the nature, timing
or extent of substantive tests accordingly.
• In some circumstances the auditor might find that contrary
to expectations the control appears to be ineffective – in
such a case, it is appropriate to change the strategy to a
predominantly substantive approach.
LO #2 Tests of controls
• Describe the purpose of tests of controls and the nature,
timing and extent of such tests.
• Purpose - Tests of controls are carried out to evaluate the
effectiveness of the design and operation of
internal controls
• The lower the assessment of control risk, the more
support the auditor should obtain that internal control
systems are suitably designed and operating effectively.
• The auditor must decide on the nature, timing and extent
of tests of control
Tests of controls
• Tests of controls relating to design:
• Concerned with whether the control is designed to prevent or
detect misstatements in specific assertions.
• Tests of controls relating to the operating effectiveness of
the control procedures:
• Concerned with whether the controls are actually working
• How was the control applied?
• Was it applied consistently during the year?
• Failures referred to as deviations.
Designing tests
• Nature of tests of controls include:
• enquiring of personnel about the performance of their duties
• observing personnel perform their duties
• Limitation: evidence applies only to the time the
observation occurs as employees may perform the
control differently when not being observed
• inspecting documents and reports indicating performance of
controls
• re-performing the control (dual-purpose test).
Designing tests
• Timing of tests of controls:
• performed during interim period
• only provides evidence of the effectiveness of controls from the
beginning of the year to the date of the tests
• should be performed as late in the interim period as possible
• if control risk is assessed as less than high, the assessment on
the controls must be performed for the whole period
Designing tests

• Timing of tests of controls:
• An advantage of performing these tests during interim work is
that the auditor can get an early idea as to whether the controls
are operating as expected.
• If they are not, there is sufficient time to change the extent of
substantive tests before final audit work.
Designing tests

• Extent of tests is determined by auditor’s planned
assessed level of control risk:
• More extensive testing is needed for a low assessed level of
control risk
• Testing only confirms the preliminary assessment of control risk
• Increasing the extent of the testing cannot cause the auditor to
lower the assessed level of control risk.
Partial audit program for tests of
controls – credit sales
Audit programs for tests of
controls
• Auditor documents the nature, timing and extent of tests
of controls in an audit program and related working
papers to provide evidence to support their reliance on
controls.
• Audit program lists the procedures to be used:
– testing is linked back to management assertions
– cross-references to the working papers
– notes who performed the tests
– states the date on which the tests were completed.
LO# 3 - Using internal auditors
• Clarify how the work of internal auditing may be used in
tests of controls.
• Internal audit is generally considered a crucial part of the corporate governance
structure of the company.
• Effectiveness of internal audit must be considered first in accordance with ASA
610 Using the Work of Internal Auditors.
• Issues include organisational status (who do they report to – highest level of
management), independence (are they free to communicate freely with
external auditors), technical competence, supervision of work (ensure work
done is with due professional care) etc.
• In coordinating work with internal auditors, the auditor may find it efficient to
have periodic meetings with them, review their work schedules, obtain access
to their working papers and review internal auditor’s reports.
LO # 4 Final assessment of
control risk
• Explain the process of assessing control risk and documenting the
conclusion.
• Final assessment of control risk for a financial statement assertion is
based on evaluating the evidence gained from:
• procedures to obtain an understanding of relevant internal control
system components
• related tests of controls.
• Evaluation of evidence involves both quantitative and qualitative
considerations:
• is frequency of deviations less than tolerable level?
• is deviation attributable to unintentional errors or deliberate
misrepresentations?
Documenting the assessed level
of control risk
• If CR assessed as high – only conclusion needs to be
documented.
• If CR assessed as less than high – the basis for the
assessment must be documented.
• Common approach is to use narrative memoranda
organised by financial statement assertions.
LO # 5 Communication of
internal control matters
• Indicate the appropriate communications the auditor
makes on internal control matters.
• Important to communicate all concerns regarding internal
control matters to the entity’s management and board of
directors
• Refer to ASA 265 Communicating Deficiencies in Internal Control
to Those Charged with Governance and Management.
Communication of internal
control matters
• The purpose of the audit is to express an opinion on the
financial report and not on the effectiveness of internal
control
• sometimes the auditor will be employed by management to give
an opinion on the effectiveness of internal controls
• but, this is a separate engagement from financial statement
audit.
LO # 6 - Types of controls in an information
technology environment
• Describe the types of controls you would expect to see in
an information technology environment.

• Audit strategies for assessing control risk:
• assessing control risk based on user controls
• planning for a low control risk assessment based on application
controls
• planning for a high control risk assessment based on
general controls and manual follow-up.
Types of controls in an information
technology environment
• User controls:
• manual procedures designed to test the completeness and
accuracy of computer processed transactions
• known as auditing around the computer
• Application controls:
• use of automated controls and strategies to assess control risk
as low based on computer application controls
Types of controls in an information
technology environment
• Application controls:
• the auditor should:
• test computer application controls - The purpose is to determine that
the application control properly identifies exceptions.
• test computer general controls - provide assurance that application
controls are properly designed and tested, and that any changes are
authorised.
• test the manual follow-up of exceptions noted by application controls - If
the manual follow-up is ineffective in correcting items that appear on the
exception report, then the application control becomes ineffective in
detecting and correcting misstatements.
LO # 7 Computer-assisted audit
techniques
• Identify the alternative types of computer-assisted audit
techniques.
• Test data
• Integrated test facility
• Parallel simulation
• Continuous monitoring of online real-time systems:
– Tagging transactions
– Systems control audit review file.
Test data
• Dummy transactions are prepared by the auditor and
processed under auditor control by the entity’s software
– example: payroll test data may include both a valid
and invalid overtime transaction to test how the
system processes it.
• Test data advantages:
• it is a way of auditing through the computer
• it is simple to use
• there is minimal disruption to the client’s computer system.
Test data
• Test data audit deficiencies:
• method only tests the presence and functioning of controls in
the program tested at a specific time
• no examination of documentation actually processed by the
system
• computer operators know that test data are being run, which reduces
the validity of the output
Integrated test facility
• Requires the creation of a small subsystem with dummy master files
that are subjected to the same programmed controls as are placed
on the actual data, and a separate set of outputs is produced for
the auditor.
• Advantage:
– allows for ongoing testing and requires minimal disruption to
the client.
• Disadvantage:
– risk that errors could be created in the entity’s data files
– the entity’s programs may need to be modified to
accommodate the dummy data.
Parallel simulation
• Involves reprocessing actual entity data using auditor-
controlled software
• Does not corrupt the entity’s files and may be conducted
at an independent computer facility
• Advantages:
• as real data are used, the auditor can verify transactions by
tracing them to source documents and approvals
• the size of the sample can be greatly expanded at relatively
little additional cost
• the auditor can independently run tests.
• Must ensure data tested is representative of actual entity
transactions and includes errors intended to be detected.
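A parallel simulation of a payroll run, as an added example that is not part of the original presentation: the auditor's own routine recomputes gross pay from the entity's records and reports every record where the entity's output differs. The records, field names, standard hours and overtime multiplier are all constructed assumptions.

```python
from decimal import Decimal

# Constructed sample of entity payroll records with the gross pay the entity's
# system reported. Field names, hours and rates are assumptions.
ENTITY_RECORDS = [
    {"id": "E001", "hours": "38", "rate": "30.00", "reported_gross": "1140.00"},
    {"id": "E002", "hours": "45", "rate": "30.00", "reported_gross": "1455.00"},
    {"id": "E003", "hours": "50", "rate": "20.00", "reported_gross": "1000.00"},
    {"id": "E004", "hours": "40", "rate": "25.00", "reported_gross": "1025.00"},
]

STANDARD_HOURS = Decimal("38")         # assumed ordinary hours per week
OVERTIME_MULTIPLIER = Decimal("1.5")   # assumed overtime loading
CENT = Decimal("0.01")


def simulate_gross(hours, rate):
    """Auditor-controlled recomputation of gross pay for one record."""
    hours, rate = Decimal(hours), Decimal(rate)
    ordinary = min(hours, STANDARD_HOURS)
    overtime = max(hours - STANDARD_HOURS, Decimal("0"))
    gross = ordinary * rate + overtime * rate * OVERTIME_MULTIPLIER
    return gross.quantize(CENT)


def parallel_simulation(records):
    """Reprocess every record; return those where the entity output differs."""
    deviations = []
    for rec in records:
        expected = simulate_gross(rec["hours"], rec["rate"])
        reported = Decimal(rec["reported_gross"])
        if expected != reported:
            deviations.append({"id": rec["id"], "reported": reported,
                               "expected": expected,
                               "difference": reported - expected})
    return deviations


def deviation_rate(records, deviations):
    """Share of reprocessed records that deviate, for comparison with the tolerable level."""
    return Decimal(len(deviations)) / Decimal(len(records))


if __name__ == "__main__":
    found = parallel_simulation(ENTITY_RECORDS)
    for d in found:
        print(d["id"], "reported", d["reported"], "expected", d["expected"])
    print("deviation rate:", deviation_rate(ENTITY_RECORDS, found))
```

Each deviation carries the record id, so it can be traced to the source documents and approvals for that employee.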
Continuous monitoring of online
real-time systems
• An audit routine is added to the processing programs
• Transactions sampled at random intervals
• Output is used in testing controls
• Audit hook capabilities must be built into the client’s
computer system at the time it is created, e.g.
• tagging transactions to enable tracing through the system
• systems control audit review file aka audit log is a record of
certain processing activities.
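An audit routine of the kind described above, as an added example that is not part of the original presentation: it tags randomly sampled transactions so their path can be traced, and writes entries to a systems control audit review file. The class, the hook points, the credit-sales records and the approval-limit criterion are all hypothetical and constructed for illustration.

```python
import json
import random

# Constructed credit-sales transactions; ids, amounts and the limit are assumptions.
SAMPLE_SALES = [
    {"id": "S-1", "amount": 400, "approved_by": None},
    {"id": "S-2", "amount": 9500, "approved_by": "credit.manager"},
    {"id": "S-3", "amount": 12000, "approved_by": None},
]


class AuditHook:
    """Audit routine built into the processing program (hypothetical design)."""

    def __init__(self, sample_rate, approval_limit, seed=None):
        self.sample_rate = sample_rate        # chance that a transaction is tagged
        self.approval_limit = approval_limit  # auditor-set criterion for the review file
        self.rng = random.Random(seed)
        self.trace = []   # path of each tagged transaction through the system
        self.scarf = []   # systems control audit review file, one JSON line per entry

    def on_receive(self, txn):
        # Tag at random so the items being followed cannot be predicted.
        txn["audit_tag"] = self.rng.random() < self.sample_rate
        return txn

    def on_step(self, step, txn):
        if txn["audit_tag"]:
            self.trace.append((txn["id"], step))

    def on_post(self, txn):
        # Record processing activity that meets the auditor's criterion.
        if txn["amount"] > self.approval_limit and not txn["approved_by"]:
            self.scarf.append(json.dumps(
                {"txn": txn["id"], "amount": txn["amount"],
                 "reason": "over limit, no approval"}))


def process_credit_sales(sales, hook):
    """Stand-in for the entity's program, with the hook calls in place."""
    for sale in sales:
        txn = hook.on_receive(dict(sale))
        for step in ("validate", "credit_check", "post_to_ledger"):
            hook.on_step(step, txn)
        hook.on_post(txn)
    return hook
```

In this sketch the review file is written for every transaction that meets the criterion, whether or not the transaction was tagged for tracing.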
Assessing and testing IT controls

• In a computerised system, controls may or may not
produce visible evidence
• When the computer produces visible evidence to verify
that procedures were in operation and to evaluate the
propriety of performance:
• tests of IT controls may include inspection of documentation
• if such evidence is not generated by the computer, the tests of
controls must include CAATs.
Summary
• Internal controls are very important in ensuring that transactions are processed correctly. As
such, internal control is something that should be important for all but the very smallest of
entities.
• The importance of internal control to the effective operation of the entity is the reason that
the auditor is required to obtain an understanding of the controls relevant to the audit.
• At this time the auditor makes a preliminary assessment of control risk. Where the
preliminary assessment of control risk is less than high for a particular assertion, the auditor
may decide to rely on the internal controls in performing the audit.
• Where reliance is placed on internal controls, the auditor can reduce the required level of
substantive procedures that would otherwise be performed to obtain sufficient evidence to
support the audit opinion.
• However, to be able to do this, the auditor must test the operating effectiveness of the
controls to provide evidence supporting the preliminary assessment of control risk.
Revision questions
• Explain the term ‘materiality’ in the context of financial reporting.
• Explain in the context of financial reporting
• In relation to financial reporting, materiality means:
• “…the information which, if omitted, misstated or not disclosed, has the potential to adversely affect decisions
about the allocation of scarce resources made by users of the financial report or the discharge of accountability by
the management, including the governing body of the entity.” (AASB 1031)
• Financial reporting frameworks often discuss the concept of materiality in the context of the preparation and
presentation of a financial report. Although financial reporting frameworks may discuss materiality in different
terms, they generally explain that:
• Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could
reasonably be expected to influence the economic decisions of users taken on the basis of the financial report;
• Judgements about materiality are made in light of surrounding circumstances, and are affected by the size or
nature of a misstatement, or a combination of both; and
• Judgements about matters that are material to users of the financial report are based on a consideration of the
common financial information needs of users as a group. The possible effect of misstatements on specific
individual users, whose needs may vary widely, is not considered. (ASA320)
Answer cont..
• In applying this definition, the auditor is required to consider both:
• the circumstances pertaining to the entity; and
• the information needs of those who will rely on the audited financial report;
• when:
• (a) Identifying and assessing the risks of material misstatement;
• (b) Determining the nature, timing and extent of further audit procedures; and
• (c) Evaluating the effect of uncorrected misstatements, if any, on the financial
report and in forming the opinion in the auditor’s report. (ASA320)
You must structure your answer so that the core of what is being asked
is highlighted and clear.
