Audit chapter 13
Procedures to obtain an understanding of internal control
A major part of the auditor's risk assessment procedures is done to obtain an understanding of internal control. Procedures to obtain an understanding of internal control, focus on both the design and implementation of internal control and are used to assess control risk for each transaction-related audit objective.
But with new technology-related developments, the profession is using
ADAs and other advanced technology tools to test manual controls that are reflected in electronic files. Given the extensive testing of controls in audits of accelerated filers, the profession is exploring a variety of ways technology might be used to enhance the effectiveness of test of controls.
To better understand tests of controls and substantive tests, let's examine how they differ.
An exception in a test of control only indicates the likelihood of misstatements affecting the dollar value of the financial statements, whereas an exception in a substantive test of transactions or a test of details of balances is a financial statement misstatement. Exceptions in tests of controls are called control test deviations.
Auditors follow a four-step approach to reduce assessed control risk:
Apply the transaction-related audit objectives to the class of transactions being tested, such as sales. Identify key controls that should reduce control risk for each transaction-related audit objective. Develop appropriate tests of controls for all internal controls that are used to reduce the preliminary assessment of control risk below maximum (key controls). For potential types of misstatements related to each transaction-related audit objective, design appropriate substantive tests of transactions, considering deficiencies in internal control and expected results of the tests of controls in step 3. Figure 13-6 summarizes this four-step approach to
The methodology for evaluating control risk will be applied to both sales and cash receipts in the audit of accounts receivable.
Effective controls will reduce control risk and, along with it, the amount of evidence required for substantive tests of transactions and tests of details of balances. Inadequate controls will increase the substantive evidence needed.
Types of tests
In developing an overall audit strategy, auditors use five types of tests to determine whether financial statements are fairly stated.
Tests of controls, either manual or automated, may include the following types of evidence. (Note that the first three procedures are the same as those used to obtain an understanding of internal control.)
Make inquiries of appropriate client personnel. Examine documents, records, and reports. Observe control-related activities. Reperform client procedures.
We can make several observations about the table:
More types of evidence, six in total, are used for tests of details of balances than for any other type of test. Only tests of details of balances involve physical examination and confirmation.
the auditor will still rely primarily on substantive tests of balances to meet the following balance-related audit objectives:
Realizable value Rights and obligations Presentation
When auditors must decide which type of test to select for obtaining sufficient appropriate evidence, the cost of the evidence is an important consideration. The types of tests are listed below in order of increasing cost:
Substantive analytical procedures Risk assessment procedures, including procedures to obtain an understanding of internal control Tests of controls Substantive tests of transactions Tests of details of balances
The amount of additional evidence required for tests of controls depends on two things:
The extent of evidence obtained in gaining the understanding of internal control The planned reduction in control risk
Auditing standards state that substantive analytical procedures are a type of substantive test, when they are performed to provide evidence about an account balance.
The extent to which auditors may be willing to rely on substantive analytical procedures in support of an account balance depends on several factors, including the precision of the expectation developed by the auditor, materiality, and the risk of material misstatement.
Further audit procedures
The other four types of tests represent further audit procedures performed in response to the risks identified. Each audit procedure falls into one, and sometimes more than one, of these five categories.
Substantive analytical procedures
The two most important purposes of substantive analytical procedures in the audit of account balances are: Indicate possible misstatements in the financial statements. Provide substantive evidence
Tests of controls
To obtain sufficient appropriate evidence to support that assessment, the auditor performs tests of controls.
The planned tests of details of balances include audit procedures, sample size, items to select, and timing. Procedures must be selected and designed for each
account and each balance-related audit objective within each account, including objectives related to presentation and disclosure.
The choice of which types of tests to use and how extensively they need to be performed can vary widely
among audits for differing levels of internal control effectiveness and inherent risks. Even within a given audit, variations may occur from cycle to cycle.
Substantive tests of transactions affect both control risk
and planned detection risk, because they test the effectiveness of internal controls and the dollar amounts of transactions.
Risk assessment procedures, including procedures to obtain an understanding of internal control,
are not as costly as other audit tests because auditors can easily make inquiries and observations and perform planning analytical procedures. Also, examining such things as documents summarizing the client's business operations and processes and management and governance structure are relatively cheaper than other audit tests.
Substantive tests
are procedures designed to test for dollar misstatements (often called monetary misstatements) that directly affect the correctness of financial statement balances and disclosures.
Substantive tests of transactions
are used to determine whether all seven transaction-related audit objectives have been satisfied for each class of transactions
An account balance for which inherent risk has been assessed
as high will result in more evidence accumulation than for an account with low inherent risk.
The auditor's understanding of internal control is used to
assess control risk for each transaction-related audit objective.
Assume that the client's controls require an independent clerk to verify the quantity, price, and extension of each sales invoice, after which the clerk must initial the duplicate invoice to indicate performance. A test of control
audit procedure is to inspect a sample of duplicate sales invoices for the initials of the person who verified the information. If a significant number of documents lack initials, the auditor should consider implications for the audit of internal control over financial reporting and follow up with substantive tests for the financial statement audit.
he combination of these four types of further
audit procedures provides the basis for the auditor's opinion,
These levels of disaggregation range from the overall audit to the
balance-related audit objective for each account
The primary emphasis in most tests of details of
balances is on the balance sheet.
Substantive analytical procedures are the least costly
because of the relative ease of making calculations and comparisons. Often, considerable information about potential misstatements can be obtained by simply comparing two or three numbers.
Typically, auditors use all five types of tests when performing an audit of the financial statements,
but certain types may be emphasized, depending on the circumstances. Recall that risk assessment procedures are required in all audits to assess the risk of material misstatement while the other four types of tests are performed in response to the risks identified to provide the basis for the auditor's opinion.
Inherent risk is assessed by identifying any aspect of the
client's history, environment, or operations that indicates a high likelihood of misstatement in the current year's financial statements. Considerations affecting inherent risk that may apply to accounts receivable include makeup of accounts receivable, nature of the client's business, initial engagement, and other inherent risk factors
Auditors also assess the risk of material misstatement, represented by the
combination of inherent risk and control risk
When auditors are confident that all transactions were correctly recorded in the journals and correctly posted,
considering all seven transaction-related audit objectives, they can be confident that general ledger totals are correct and that transaction-related disclosures in the financial statements are accurate, complete, relevant, and understandable.
The extent of these tests depends on the results of tests of
controls, substantive tests of transactions, and substantive analytical procedures for these accounts.
Additional substantive tests of balances are also likely for the other balance-related audit objectives,
depending on the results of the tests of controls and substantive tests of transactions.
Auditors perform a system walkthrough as part of procedures to obtain an understanding to help them
determine whether controls have been appropriately implemented. The walkthrough is normally applied to one or a few transactions and follows that transaction through the entire process.
When analytical procedures identify unusual fluctuations, auditors should perform substantive tests of transactions or tests of details of balances to
determine whether dollar misstatements have actually occurred. If the auditor performs substantive analytical procedures and believes that the likelihood of material misstatement is low, other substantive tests can be reduced.
The tests of controls and substantive tests of transactions audit program normally includes a descriptive section
documenting the understanding of internal control obtained during the performance of risk assessment procedures. The program is also likely to include a description of the procedures performed to obtain an understanding of internal control and a description of the assessed level of control risk
Auditing standards require that these comparisons be done
during planning and completing the audit. Although not required, analytical procedures may also be performed to audit an account balance.
We discussed earlier that tests of details of balances must be designed to satisfy balance-related audit objectives for
each account and the extent of these tests can be reduced when transaction-related audit objectives have been satisfied by tests of controls or substantive tests of transactions. You also need to understand how each transaction-related audit objective relates to each balance-related audit objective
To obtain sufficient appropriate evidence in response to risks identified through risk assessment procedures, auditors
employ a combination of the four remaining types of tests.
When the auditor develops expectations using substantive analytical procedures and concludes that the client's
ending balances in certain accounts appear reasonable, certain tests of details of balances may be eliminated or sample sizes reduced
Additionally, ADAs are being used to
enhance the depth and breadth of planning analytical procedures performed as part of the auditor's risk assessment procedures
Auditors are also finding that ADAs can be an effective tool to enhance tests of details of account balances. The computing power of technology allows auditors to
examine 100 percent of an account balance, instead of testing only a sample of the items comprising an account balance.
In developing an overall audit strategy, auditors use five types of tests to determine whether
financial statements are fairly stated. Auditors use risk assessment procedures to identify significant risks due to fraud or error, and design tests that address those risks.
Risk assessment procedures are performed to assess the risk of material misstatement in the
financial statements. The auditor performs tests of controls, substantive tests of transactions, substantive analytical procedures, and tests of details of balances in response to the auditor's assessment of the risk of material misstatements.
Tests of details of balances
focus on the ending general ledger balances for both balance sheet and income statement accounts, including related disclosures
The auditor's understanding of internal control performed as part of risk assessment procedures provides the basis
for the auditor's initial assessment of control risk. Assuming that the auditor determines that the design of internal control is effective and the controls are implemented,
After the auditor uses risk assessment procedures to determine the appropriate emphasis on each of the other
four types of tests, the specific audit procedures for each type of test must be designed. These audit procedures are then combined to form the audit program. In most audits, the engagement in-charge auditor recommends the evidence mix to the engagement manager.
Tests of ending balances are essential because the evidence is usually obtained
from a source independent of the client, which is considered highly reliable. Much like for transactions, the auditor's tests of details of balances must satisfy all balance-related audit objectives for each significant balance sheet account.
For automated controls, the auditor's procedures to determine whether the automated control has been
implemented may also serve as the test of that control, if the auditor determines that general controls are effective and there is minimal risk that the automated control has been changed since the understanding was obtained. Then, no additional tests of controls would be required.
Several factors influence the auditor's choice of the types of tests to select,
including the availability of the eight types of evidence, the relative costs of each type of test, the effectiveness of internal controls, and inherent risks.
An increased risk of material misstatement should be
incorporated in the auditor's evaluation of inherent risk or control risk, which will then affect the appropriate extent of evidence.
Audit data analytics (ADAs) and other technologies are
increasingly being used throughout the audit and the accounting profession is rapidly addressing how ADAs can strengthen all types of audit procedures used to gather sufficient appropriate evidence.
Because the audit of financial statements and the audit of internal control over financial reporting are
integrated, accelerated filer public company audits will most likely be represented by point B
Analytical procedures
involve comparisons of recorded amounts to expectations developed by the auditor
To design tests of details of balances audit procedures, auditors use a
methodology oriented to the balance-related audit objectives
For accounts with small balances and only
minimal potential for material misstatements, such as many supplies and prepaid expense accounts, auditors often limit their tests to substantive analytical procedures if they conclude the accounts are reasonably stated.
A difficulty auditors face in designing tests of details of balances is the need to predict the outcome of the tests of controls, substantive tests of transactions, and substantive analytical procedures before they are performed. This is
necessary because the auditor should design tests of details of balances during the planning phase, but the appropriate design depends on the outcome of the other tests. In planning tests of details of balances, the auditor usually predicts few or no exceptions will occur in tests of controls, substantive tests of transactions, and substantive analytical procedures
Tests of controls and substantive tests of transactions are designed with the expectation that certain results will be
obtained. These predicted results affect the design of tests of details of balances
One way the auditor can verify recording and disclosure of transactions is to
perform tests of controls. If controls are in place over sales and cash receipts transactions, the auditor can perform tests of controls to determine whether the seven transaction-related audit objectives are being met for that cycle. Substantive tests of transactions, which we will examine in the next section, also affect audit assurance for sales and cash receipts transactions.
Because substantive analytical procedures are relatively inexpensive, many auditors
perform them on all audits. Analytical procedures performed during substantive testing, such as for the audit of accounts receivable, are typically more focused and more extensive than those done as part of planning.
Inherent risk also can be extended to individual balance-related audit objectives, including those related to
presentation and disclosure
If the results of the tests of controls, substantive tests of transactions, and substantive analytical
procedures are not consistent with the predictions, auditors will need to change the tests of details of balances as the audit progresses
After the evidence mix is approved, the in-charge prepares the audit
program or modifies an existing program to satisfy all audit objectives, considering such things as materiality, evidence mix, inherent risk, control risk, and any identified significant risks, as well as the need for an integrated audit for larger public companies. The in-charge is also likely to get approval from the manager before performing the audit procedures or delegating their performance to an assistant.
Later, during the tests of the ending balances, they will
recalculate the ratio using full-year data. If auditors believe that analytical procedures indicate a reasonable possibility of misstatement, they may perform additional analytical procedures or decide to modify tests of details of balances.
The other four types of tests represent further audit procedures performed in response to the
risks identified. Each audit procedure falls into one, and sometimes more than one, of these five categories.
As part of gaining an understanding of the client's business and industry, the auditor identifies and evaluates
significant client business risks to determine whether they result in a significant risk or increased risk of material misstatements in the financial statements. If the auditor identifies a significant risk due to either fraud or error, the auditor should identify client controls to mitigate the risk, and design substantive procedures to determine whether material misstatements occurred due to the significant risk.
Auditors are most likely to believe material dollar misstatements exist in the financial
statements when control test deviations are considered to be significant deficiencies or material weaknesses. Auditors should then perform substantive tests of transactions or tests of details of balances to determine whether material dollar misstatements have actually occurred.
The auditor uses this information to develop the tests of controls and
substantive tests of transactions audit program.
Auditors rely on three types of substantive tests:
substantive tests of transactions, substantive analytical procedures, and tests of details of balances.
Tests of details of balances help establish the monetary correctness of the accounts they relate to and therefore are
substantive tests.
Auditors incorporate ADAs and other advanced
technologies to enhance their risk assessment procedures.
Procedures to obtain an understanding of internal control generally do not provide sufficient appropriate evidence
that a control is operating effectively. Tests of controls are used to determine whether these controls are effective, and manual controls usually involve testing a sample of transactions.
When control policies and procedures are believed to be effectively designed and implemented,
the auditor assesses control risk at a level that reflects the relative effectiveness of those controls.
The auditor is likely to use disaggregated data to increase the precision of the auditor's expectations. During planning,
the auditor might calculate the gross margin percentage for total sales, while during substantive testing of accounts receivable, the auditor might calculate gross margin percentage by month or by line of business, or possibly both. Analytical procedures calculated using monthly amounts will typically be more effective in detecting misstatements than those calculated using annual amounts, and comparisons by line of business will usually be more effective than companywide comparisons.
If sales and accounts receivable are based on predictable relationships with nonfinancial data,
the auditor often uses that information for analytical procedures
Evidence mix
the combo of the types of tests to obtain sufficient appropriate evidence for a cycle; there are likely to be variations in the mix from cycle to cycle depending on the circumstances of the audit
When the auditor plans to use analytical procedures to provide substantive assurance about an account balance,
the data used in the calculations must be considered sufficiently reliable. This is true for all data, especially nonfinancial data.
One of the most challenging parts of auditing is properly applying the factors that affect tests of details of balances. Each of the factors is subjective. Moreover,
the impact of each factor on tests of details of balances is equally subjective. For example, if inherent risk is reduced from medium to low, there is agreement that tests of details of balances can be reduced. Auditors need to use considerable professional judgment to decide the specific effects of such a change on audit procedures, sample size, items to select, and timing.
Like tests of controls, analytical procedures only indicate
the likelihood of misstatements affecting the dollar value of the financial statements. Unusual fluctuations in the relationships of an account to other accounts, or to nonfinancial information, may indicate an increased likelihood that material misstatements exist without necessarily providing direct evidence of a material misstatement.
This can be done by extending tests of duplicate sales invoices to include verifying prices, extensions, and footings (substantive tests of transactions) or by increasing
the sample size for the confirmation of accounts receivable (substantive test of details of balances). Even though the control is not operating effectively, the invoices may still be correct, especially if the person originally preparing the sales invoices did a conscientious and competent job.
Auditors can perform tests of controls separately from all other tests, but it's often more efficient to do
them at the same time as substantive tests of transactions.
Auditors perform substantive analytical procedures for an account such as accounts receivable for two purposes:
to identify possible misstatements in the account balance and to reduce detailed audit tests. The results of substantive analytical procedures directly affect the extent of tests of details of balances.
Auditors also use visualization software to strengthen their ability
to identify unusual fluctuations flagged by ADAs and to communicate key findings from their substantive analytical procedures
Auditors must decide the preliminary judgment about materiality for the audit as a whole and then allocate the
total to account balances, to establish performance materiality for each significant balance. For a lower materiality level, more testing of details is required, and vice versa. Some auditors allocate performance materiality to individual balance-related audit objectives, but most do not.
Two of those objectives for sales transactions are recorded sales
transactions exist (occurrence objective) and existing sales transactions are recorded (completeness objective).
Computing power and the ability to integrate and analyze massive data sets is providing
tremendous opportunities for auditors to significantly increase their use of ADAs to perform substantive analytical procedures. ADAs allow auditors to analyze more data in a number of disaggregated ways with greater speed, which can help strengthen insights auditors may be able to glean from the substantive analytical procedures they perform.
Analytical procedures done during planning
typically differ from those done in the testing phase.
Collectively, procedures performed to obtain an
understanding of the entity and its environment, including internal controls, represent the auditor's risk assessment procedures.
Auditing standards require the auditor to obtain an
understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement in the client's financial statements.
There is a trade-off between tests of controls and substantive tests. During planning, auditors decide
whether to assess control risk below the maximum. When they do, they must then perform tests of controls to determine whether the assessed level of control risk is supported. (They must always perform tests of controls in an audit of internal control over financial reporting.) If tests of controls support the control risk assessment, planned detection risk in the audit risk model is increased, and planned substantive tests can therefore be reduced.
The audit procedures include both tests of controls and substantive tests of transactions,
which vary depending on assessed control risk. When controls are effective and control risk is assessed as low, auditors put heavy emphasis on tests of controls. Some substantive tests of transactions will also be included. If control risk is assessed at maximum, only substantive tests of transactions will be used, assuming the audit is of a smaller public company, a nonpublic company, or other type of entity.