Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 3


Auditors’ Study & Evaluation of ICS:

Purpose: Understand how system is designed by looking at each account. How?
i. Account Balance Approach
ii. Transaction Cycle Approach [Better approach to use!]
 Breakdown IC activities into groups of interrelated transactions
a) Revenue & Collection Cycle
Sales, Cash, AC/Rec, SRA, Bad Debt Expense
b) Acquisitions & Payment Cycles
Use standard cost system rather than actual
Phase 1: Review and understanding of ICS
I. Obtain understanding of ICS and activities T/Cycle
II. Document your understanding (Flowchart, IC Questionnaire, Narrative Description)
III. Test your understanding (Walkthrough Test)
Phase 2: Preliminary evaluation of ICS
I. What errors, irregularities, and fraud could occur
II. What control activities that should be in place to prevent, detect, and correct
III. Do control activities exist?
a) Adequate control activities exist (strengths)
If it exists, then go to Phase 3
b) Adequate control activities don’t exist – nonexistence (weaknesses) STOP
 Audit Decision (Document!)
1. ICS isn’t effective/is weak (not reliable)
2. IC Risk is high at maximum
3. DR should be low because CR is high
 Impact on Extent, Nature, Timing of Substantive Auditing,
So, DR , then Extent , Nature , Timing
4. Post SOX, Qualify/ Adverse Opinion on ICFR
Phase 3: Perform Test of Controls
The effectiveness of Internal Control Structure (ICS)
i. Control Activities (ICS) are adequate and effective (Step 4)
ii. Control Activities (ICS) are inadequate and ineffective. If this is the issue, go to
Audit Decision in Step 2
Phase 4: If Control Activities are ADEQUATE and EFFECTIVE, then
i. ICS is reliable and effective
ii. IC Risk is low(minimum)
iii. DR can be high
iv. Determine impact on nature, timing, and extent of substantive tests
v. After SOX, issue Unqualified Audit Report on ICFR

Purposes of Assessing Control Risk

Primary Purposes:
1. Assess the effectiveness of ICS
Primary purposes for study & evaluation for system of control
2. Assessment Risk AR=DR x CR x IR
So, when DR then more substantive tests and Vice Versa
3. Determine Timing, Nature, Extent on substantive tests
4. Express opinion on ICS effectiveness – Section 404(b)
5. Public disclosure of material weakness in internal control
Secondary Purposes:
1. To disclose significant deficiencies of internal control
2. Improvement of Internal Control Structure (ICS)

Substantive Tests
 Types:
(i) Analytical Procedures
(ii) Tests of details of transactions
(iii) Tests of details of balances
 Purpose:
 Determine fairness of significant financial statement assertions.
 Nature of Test Measurement:
 Monetary errors in transactions and balances
 Applicable Audit Procedures:
 Same as tests of controls, plus analytical procedures, counting, confirming,
tracing, and vouching
 Timing:
 Primarily at or near balance sheet date
 Audit Risk Component:
 Detection Risk
 Primary field work standard:
 Third
 Required by GAAS?

Tests of Controls
 Tests:
 Concurrent
 Additional
 Purpose:
 Determine effectiveness of design and operation of internal control structure
policies and procedures.
 Nature of test measurement:
 Frequency of deviations from control structure policies and procedures.
 Applicable Audit Procedures:
 Inquiring, observing, inspecting, reperforming, and computer-assisted audit
 Timing:
 Primarily interim work
 Primary field work standard:
 Second
 Required by GAAS?
 NO

 Computer Assisted Auditing Techniques
 CA – Easytrieve (Computer Associates)
 Works in UNIX or LAN (primarily mainframes)
 Uses a background language similar to COBOL
 Statistical analysis
 Data mining

CAATs [on board]

1. Integrated Test Facility – a system that processes test data simultaneously with real
transactions to allow the system to be constantly monitored
 A whole new dummy department
 Simulated data is assigned a special code to distinguish it from real data
 Simulated data is integrated with real data and processed in normal course of
 Weakness – simulated data may be processed differently that real data
2. Parallel Simulation – The use of an auditor-written program to process client data and
comparison of its output to the output generated by the client’s program
3. Testing Data –
 Simulated data is controlled and processed separately from real data
 Output is compared to auditor-calculated output
4. Testing Simulated Data –
 Test deck approach
 Integrated test facility

You might also like