Tests of Controls: Control Risk Assessment and Audit Strategy Assessing The Control Risk


TESTS OF CONTROLS

CONTROL RISK ASSESSMENT AND AUDIT STRATEGY

ASSESSING THE CONTROL RISK

the nature of risk assessment and the need for the auditor to understand the entity and its
environment to assess risk and design an audit strategy to meet these risks. Part of this
process is the need to understand the entity's internal control environment and assess the
internal control risk. The steps involved are:

1. Perform procedures to obtain an understanding of the internal controls.
2. Identify potential misstatements in the financial statements.
3. Identify the necessary controls that are likely to prevent or detect potential
misstatements.

The auditor can make a preliminary assessment of control risk and then decide on the
audit strategy. If the auditor wishes to rely on internal controls for the purposes of supporting
the audit opinion, the procedures described above are inadequate.

To complete the work on internal controls, the auditor must carry out two further steps:

1. Perform tests of controls.
2. Evaluate the evidence obtained and assess the level of control risk.

AUDIT STRATEGY

There are effectively two audit strategies available to an auditor:

1. The predominantly substantive approach, where the auditor relies on substantive
procedures for audit evidence.
2. The lower assessed level of control risk approach, where the auditor obtains some
evidence from testing controls followed by a reduced level of substantive testing.

TEST OF CONTROLS

• Tests of controls are auditing procedures performed to determine the effectiveness of
the design and operation of internal controls. The auditor should obtain audit evidence
through tests of controls to support any assessment of control risk that is less than
high.

• A control is operating effectively when it has been properly and consistently applied
during the year by the employee(s) authorized to apply it.

• Tests of controls are performed to obtain evidence about the effectiveness of the design
of the internal control structure as well as the operation of internal controls.

DESIGNING TESTS

In designing tests of the operating effectiveness of controls, the auditor must decide their
nature, timing and extent.

• Nature of tests

The auditor's choices in terms of the nature of tests of controls are:

1. Enquiring of personnel about the performance of their duties.

2. Observing personnel perform their duties.

3. Inspecting documents and reports indicating performance of controls.

4. Re-performing the control.

• Timing of tests of controls

The need to perform additional tests of controls later in the year depends on:

1. the length of the remaining period;

2. the occurrence of significant changes in controls subsequent to interim testing;

3. the decision to perform substantive tests of details on balances before the year-end.

• Extent of tests

The extent of tests of controls is determined by the auditor's planned assessed level of control
risk. More extensive testing will be needed for a low assessed level of control risk than for a
moderate level.

USING INTERNAL AUDITORS

COORDINATION WITH INTERNAL AUDITORS

Internal auditors will usually monitor the internal control system in each division or
branch as part of their regular duties. The auditor must first consider the effectiveness of the
internal auditors by considering their organizational status (items 1 to 3) and the scope and
quality of their work (items 4 to 6):

1. Do they report to the highest level of management (preferably an audit committee)?

2. Are they free of operating responsibilities?

3. Are they free to communicate fully with the independent auditor?

4. Determine the scope of their work and, in particular, whether management acts on
their recommendations.

5. Evaluate their technical competence.

6. Ensure that their work is performed with due professional care.

In coordinating work with internal auditors, the auditor may find it efficient to have
periodic meetings with them, review their work schedules, obtain access to their working
papers and review internal auditor's reports.

FINAL ASSESSMENT OF CONTROL RISK

The final assessment of control risk for a financial statement assertion is based on
evaluating the evidence gained from:

1. procedures to obtain an understanding of relevant internal control system components,
and

2. related tests of controls.

When different types of evidence support the same conclusion about the effectiveness of a
control, the degree of assurance increases.

In forming a conclusion about the effectiveness of a control procedure, the auditor
often uses guidelines concerning the tolerable frequency of deviations from the proper
performance of a control (usually expressed as a percentage). If the results lead the
auditor to conclude that the frequency of deviations is less than or equal to the
tolerable level, then the operation of the control is considered effective.

DOCUMENTING THE ASSESSED LEVEL OF CONTROL RISK

The auditor's working papers should include documentation of the control risk. Where
control risk is assessed as high, only this conclusion needs to be documented. Where control
risk is assessed as less than high, the basis for the assessment must be documented.

COMMUNICATION OF INTERNAL CONTROL MATTERS

Although the auditor has no responsibility to provide any level of assurance on the
controls operating within the company as part of the financial statement audit, under ASA
265 Communicating Deficiencies in Internal Control to Those Charged with Governance and
Management, paragraph 9 (ISA 265.9), there is a duty to communicate in writing significant
deficiencies in internal control to those charged with governance.

In terms of determining what is a ‘significant deficiency’, some possible considerations
(summarised from ASA 265, paragraph A6 (ISA 265)) include:

• likelihood of the deficiencies leading to material misstatements in the financial
statements in the future
• susceptibility to loss or fraud of the related asset or liability
• subjectivity and complexity of determining estimated amounts, such as fair value
accounting estimates
• financial report amounts exposed to the deficiencies
• volume of activity that has occurred or could occur in the account balance or class of
transactions exposed to the deficiency or deficiencies
• the importance of the controls to the financial reporting process.

The auditor shall also communicate this information to management unless there are
circumstances which would make it inappropriate to do so. This shall include other
deficiencies that are of sufficient importance to merit management's attention. When this
communication is made, it is important that the auditor communicates that the purpose of the
audit was to express an opinion on the financial report and not on the effectiveness of internal
control.

The importance of internal control is such that the auditor may sometimes be employed
by management to give an opinion on the effectiveness of the organisation's internal controls.
This is a separate engagement from the work carried out for the purposes of the financial
statements audit, and therefore a new engagement letter is required. The specific engagement
to give an opinion on the internal controls requires work beyond that needed for the purposes
of the financial statement audit, and a specific report is required. These procedures are
covered by AUS 810 Special Purpose Reports on the Effectiveness of Control Procedures.

TYPES OF CONTROLS IN AN INFORMATION TECHNOLOGY ENVIRONMENT

The auditor should choose among the following three strategies when assessing control risk:

1. assessing control risk based on user controls;

2. planning for a low control risk assessment based on application controls;

3. planning for a high control risk assessment based on general controls and manual
follow-up.

Each strategy is now explained.

User controls

In many cases, the client may design manual procedures to test the completeness and
accuracy of transactions processed by the computer. For example, managers who are familiar
with transactions that they have authorised may review a list of purchases that have been
charged to their responsibility centre. Alternatively, an individual in a user department may
compare computer-generated output with source documents supporting the transaction.
Although both of these controls may detect and correct misstatements, the latter may be
performed with a greater level of detail and may provide a higher level of assurance that
misstatements are detected and corrected.

If user controls exist, the auditor can test the controls directly, similar to testing other
human controls. This is also known as ‘auditing around the computer’. The advantage of this
strategy for testing controls is that there is no need to test the complexities of computer
programs.

Application controls

Many auditors take advantage of automated controls and plan strategies for assessing
control risk at a low level based on computer application controls. In order to execute this
strategy, the auditor should:

• test the computer application controls
• test computer general controls
• test the manual follow-up of exceptions noted by application controls.

The effectiveness of all three levels of controls is important to a low control risk
assessment. First, the auditor should test computer application controls using some form of
computer-assisted audit techniques (CAATs). The purpose is to determine that the application
control properly identifies exceptions.

Second, computer general controls must also be tested. General controls provide
assurance that application controls are properly designed and tested, and any changes are
authorised. In essence, they provide increased assurance that application controls function
consistently over time. In testing general controls, the auditor will usually learn about the
effectiveness of the design and testing of application controls. In addition, the auditor may be
able to make inferences about the effectiveness of application controls in identifying
exceptions through enquiry of knowledgeable individuals who perform manual follow-up
procedures. For example, individuals who follow up on exceptions might understand the
transaction stream in sufficient detail that they can predict and correct transactions that might
otherwise appear on exception reports. When such transactions do appear on exception
reports, the auditor may be able to draw an inference about the programmed control. This
evidence may be sufficient to allow the auditor to assess control risk at a high level, but the
auditor should test programs directly with computer-assisted audit techniques if he or she
wants to assess control risk as medium or low.

CAATs (computer-assisted audit techniques)

Test data

Under the test data approach, dummy transactions are prepared by the auditor and processed
under auditor control by the entity's software. The test data consist of one transaction for each
valid or invalid condition that the auditor wants to test. Payroll test data, for example, may
include both a valid and an invalid overtime pay condition. The output from processing the
test data is then compared with the auditor's expected output to determine whether the
controls are operating effectively. The test data approach has the following advantages.

• It is a way of auditing ‘through the computer’.
• It is simple to use.
• There is not much disruption to the client's computer system.

However, the method has the following audit deficiencies:

• The method is a test only of the presence and functioning of controls in the program
tested.
• There is no examination of documentation actually processed by the system.
• Computer operators know that test data are being run, which could reduce the validity
of the output.
• It is a test at a specific time and therefore does not show how the system operated
throughout the period.

Integrated test facility

The integrated test facility (ITF) approach overcomes some of the limitations of the use of
test data. It requires the creation of a small subsystem (a mini-company) within the regular
computer accounting system. This may be accomplished by creating dummy master files or
appending dummy master records to existing entity files. Dummy records, specially coded to
correspond to the dummy master files, are introduced into the system, together with actual
transactions. The dummy records should include all kinds of transaction errors and
exceptions that may be encountered. In this manner, the dummy records are subjected to the
same programmed controls as are placed on the actual data. A separate set of outputs is
produced for the subsystem of dummy files. The results can be compared with those expected
by the auditor.

The advantages of the ITF approach are that it allows for ongoing testing of the internal
control system and requires minimal disruption to the client. It is a popular approach for
internal auditors.

A disadvantage of the ITF approach is the risk that errors could be created in entity data. In
addition, the entity's programs may need to be modified to accommodate the dummy data.

Parallel simulation

Parallel simulation involves reprocessing actual entity data using auditor-controlled software.
This method is so named because the software is designed to reproduce or simulate the
entity's processing of real data. A graphic portrayal of this approach is shown on the left half
of figure 11.5. This approach does not corrupt the entity's files and may be conducted at an
independent computer facility. It has the following advantages.

• Because real data are used, the auditor can verify transactions by tracing them to
source documents and approvals.
• The size of the sample can be greatly expanded at relatively little additional cost.
• The auditor can independently run the test.

If the auditor decides to use parallel simulation, care must be taken to determine that the data
selected for simulation are representative of actual entity transactions and include errors
intended to be detected by the application of programmed controls. The auditor must ensure
that the input data used for testing are complete. That is, they should not have been subject to
corrections or adjustments because of the application of input controls when they were
processed in the real system.
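As an added illustration (not from the textbook) of the test data and parallel simulation approaches described above: the auditor's own reimplementation of a payroll overtime control is first used to check one dummy transaction per condition against a constructed stand-in for the entity's program, and then to reprocess a constructed sample of real transactions and reconcile the result with the exception report the entity produced. The control parameters, exception codes and transaction data are all assumptions for the example.

```python
from dataclasses import dataclass

REGULAR_HOURS = 40       # hypothetical control parameters for the example
MAX_OVERTIME_HOURS = 20

@dataclass(frozen=True)
class PayrollTxn:
    txn_id: str
    hours: float
    overtime_approved: bool

def auditor_control(txn):
    """Auditor-controlled reimplementation of the programmed overtime control.
    Returns the exception code that should be raised, or None if it should pass."""
    overtime = txn.hours - REGULAR_HOURS
    if overtime <= 0:
        return None
    if not txn.overtime_approved:
        return "OT_UNAPPROVED"
    if overtime > MAX_OVERTIME_HOURS:
        return "OT_OVER_CAP"
    return None

def entity_program(txn):
    """Constructed stand-in for the client's payroll program; it deliberately
    omits the overtime cap so the example has a control weakness to find."""
    if txn.hours > REGULAR_HOURS and not txn.overtime_approved:
        return "OT_UNAPPROVED"
    return None

def run_test_data(program, cases):
    """Test data approach: run one dummy transaction per condition through the
    entity's program and return (txn_id, expected, observed) for each mismatch."""
    return [(t.txn_id, exp, program(t)) for t, exp in cases if program(t) != exp]

def parallel_simulation(txns, entity_report):
    """Parallel simulation: reprocess actual transactions with auditor software and
    reconcile with the entity's exception report (dict txn_id -> code). Returns
    exceptions the entity missed and exceptions it raised that the auditor did not."""
    simulated = {t.txn_id: c for t in txns if (c := auditor_control(t)) is not None}
    missed = {k: v for k, v in simulated.items() if entity_report.get(k) != v}
    spurious = {k: v for k, v in entity_report.items() if simulated.get(k) != v}
    return missed, spurious

# Constructed test data: one transaction for each valid or invalid condition.
TEST_DATA = [
    (PayrollTxn("T1", 38, False), None),             # no overtime
    (PayrollTxn("T2", 45, True), None),              # approved overtime within cap
    (PayrollTxn("T3", 45, False), "OT_UNAPPROVED"),  # overtime without approval
    (PayrollTxn("T4", 70, True), "OT_OVER_CAP"),     # approved but over the cap
]
# Constructed sample of real transactions and the exception report the entity produced.
SAMPLE_TXNS = [PayrollTxn("P100", 40, False), PayrollTxn("P101", 52, True),
               PayrollTxn("P102", 63, True), PayrollTxn("P103", 44, False)]
ENTITY_REPORT = {t.txn_id: c for t in SAMPLE_TXNS if (c := entity_program(t)) is not None}
```

Both checks surface the same weakness: the test data case T4 and the reprocessed transaction P102 pass the entity's program although the auditor's expected result is an over-cap exception.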

Continuous monitoring of online real-time systems

Test data may be used to test controls in an online entry/online processing system (also
known as an online real-time system (OLRT)). However, this approach is not widely used by
auditors because of the contamination of file data and the difficulty of reversing the
hypothetical data. Parallel simulation may also be used, but the availability of generalised
audit software that can be used to simulate OLRT processing is very limited.

In lieu of traditional testing, the auditor often arranges for continuous monitoring of the
system. Under this technique, an audit routine is added to the client's processing programs.
Transactions entering the system are sampled at random intervals, and the output from the
routine is used in testing the controls.

To provide for the integration of audit software into a real-time processing system, audit hook
capabilities must be built into the client's computer programs — both the operating systems
and application programs — at the time they are created. Audit hooks are points in a program
that allow audit modules, or programs, to be integrated into the system's normal processing
activities. These audit modules provide the auditor with a means of selecting transactions
possessing characteristics of interest to the auditor, such as a transaction of a certain kind or
an amount greater or lesser than a given value. Once a particular transaction has been
identified as being of interest, a record of it can be retained by one of several methods. Two
of these are tagging transactions and a systems control audit review file.

Tagging transactions

The tagging transactions method involves placing an indicator, or tag, on selected
transactions. The presence of this tag enables a transaction to be traced through the system as
it is being processed. The system must be programmed to provide for the creation of a
hardcopy printout of all paths followed by the transaction. Data with which the tagged
transaction interacts at designated steps in the processing can be captured as well.

Systems control audit review file

A systems control audit review file (SCARF) (sometimes called an audit log) is a record of
certain processing activities. The file is used to record events that meet auditor-specified
criteria as they occur at designated points in the system. Identified transactions or events are
logged onto a file available only to the auditor. The auditor can later analyse the file and
make further tests as appropriate.
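An added example (not from the textbook) of how audit hooks, transaction tagging and a SCARF fit together: a constructed stand-in for the client's processing program calls the audit hook at designated steps; the hook tags transactions that meet auditor-specified criteria as they enter, records the path each tagged transaction follows, and writes the events to a log kept for the auditor. The processing steps, selection criteria and transaction stream are all assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Txn:
    txn_id: str
    kind: str
    amount: float
    tagged: bool = False                          # indicator set by the audit hook
    path: list = field(default_factory=list)      # steps a tagged transaction passed through

class AuditModule:
    """Auditor-specified selection criteria plus a SCARF: a log of the events that
    meet those criteria, kept in a file available only to the auditor."""

    def __init__(self, kinds_of_interest, amount_threshold):
        self.kinds = set(kinds_of_interest)       # transaction types of interest
        self.threshold = amount_threshold         # amounts above this are of interest
        self.scarf = []                           # in-memory stand-in for the auditor-only file

    def of_interest(self, txn):
        return txn.kind in self.kinds or txn.amount > self.threshold

    def hook(self, step, txn, data=None):
        """Audit hook called by the entity's program at each designated step."""
        if step == "input" and self.of_interest(txn):
            txn.tagged = True                     # tag the transaction as it enters
        if txn.tagged:
            txn.path.append(step)                 # trace the path it follows
            self.scarf.append({"txn_id": txn.txn_id, "step": step, "kind": txn.kind,
                               "amount": txn.amount, "data": data})

def process(txns, audit):
    """Constructed stand-in for the client's online processing program, with
    audit hooks built in at input, validation and posting."""
    ledger = {}
    for txn in txns:
        audit.hook("input", txn)
        valid = txn.amount > 0
        audit.hook("validate", txn, {"valid": valid})
        if valid:
            ledger[txn.txn_id] = txn.amount
            audit.hook("post", txn, {"ledger_entries": len(ledger)})
    return ledger

def scarf_steps(audit, txn_id):
    """Steps recorded in the SCARF for one transaction (empty if it was never tagged)."""
    return [e["step"] for e in audit.scarf if e["txn_id"] == txn_id]

def monitor(stream, kinds_of_interest, amount_threshold):
    """Run the stream through the hooked program and return (ledger, audit module)."""
    audit = AuditModule(kinds_of_interest, amount_threshold)
    return process(stream, audit), audit

# Constructed transaction stream; credit memos and amounts above 5000 are of interest.
STREAM = [Txn("A1", "sale", 120.0), Txn("A2", "credit_memo", 50.0),
          Txn("A3", "sale", 9500.0), Txn("A4", "sale", -30.0)]
```

Running `monitor(STREAM, ["credit_memo"], 5000)` tags A2 and A3 only; the SCARF then holds their input, validate and post events, while ordinary transactions such as A1 leave no trace in it.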

Assessing and testing IT controls

Tests of controls are performed to obtain evidence about the effectiveness of the design or
operation of the control. The auditor performs such tests when there is reason to believe that
the evidence will permit a further reduction in the assessed level of control risk. The third
column in both table 11.1 and 11.2 shows possible tests of controls. Tests of computer
general controls involve the observation of segregation of duties and inspection of
documentation showing that computer general controls were performed. Tests of computer
application controls involve some form of computer-assisted audit techniques (CAATs) and
testing of manual follow-up procedures.

In a computerised system, controls may or may not produce visible evidence. When the
computer produces visible evidence to verify that procedures were in operation and to
evaluate the propriety of performance, tests of IT controls may include inspection of
documentation. However, if such evidence is not generated by the computer, the tests of
controls must include CAATs. The Professional Environment box discusses some recent
research that evaluated whether control risk assessment and audit firm size influenced the use
of CAATs or computer-related audit procedures.
