Chapter 12 Revised


Similarly, auditors should evaluate the effectiveness of

IT general controls before evaluating automated application controls or manual controls dependent on IT output. Ineffective general controls create the potential for material misstatements across all system applications, regardless of the quality of individual application controls. For example, if the auditor observes that data files are inadequately safeguarded, the auditor may conclude that there is a significant risk of loss of data for every class of transaction that relies on that data to conduct application controls. On the other hand, if general controls are effective, the auditor may be able to place greater reliance on application controls whose functionality is dependent on IT.

An internal control questionnaire

asks a series of questions about the controls in each audit area as a means of identifying internal control deficiencies. Most questionnaires require a "yes" or a "no" response, with "no" responses indicating potential internal control deficiencies. By using a questionnaire, auditors cover each audit area reasonably quickly. The two main disadvantages of questionnaires are their inability to provide an overview of the system and their inapplicability for some audits, especially smaller ones.

Because Section 404 of the Sarbanes-Oxley Act requires management to

assess and document the design effectiveness of internal control over financial reporting, they have usually already prepared this documentation. Narratives, flowcharts, and internal control questionnaires, used by the auditor separately or in combination to document internal control, are discussed next.

The starting point for most auditors is the

assessment of entity-level controls. By their nature, entity-level controls, such as many of the elements contained in the control environment, risk assessment, and monitoring components, have an overarching impact on most major types of transactions in each transaction cycle. For example, an ineffective board of directors or management's failure to have any process to identify, assess, or manage key risks has the potential to undermine controls for most of the transaction-related audit objectives (for an example, see the vignette below related to Livent, Inc.). Thus, auditors generally assess entity-level controls before assessing transaction-specific controls.

Auditors should ask management and other personnel to explain their duties. Careful questioning of appropriate personnel helps

auditors evaluate whether employees understand their duties and do what is described in the client's control documentation.

Significant risks are those risks that the auditor

believes require special audit consideration. When the auditor's risk assessment procedures identify significant risks, the auditor is required to test the operating effectiveness of controls that mitigate these risks in the current year audit, if the auditor plans to rely on those controls to support a control risk assessment below 100%. The greater the risk, the more audit evidence the auditor should obtain that controls are operating effectively.

As part of understanding internal control and assessing control risk, the auditor is required to

communicate certain matters to those charged with governance. This information and other recommendations about controls are also often communicated to management.

This assessment is not the final one. Before making the final assessment at the end of an audit, the auditor will

test controls and perform substantive tests. These procedures can either support the preliminary assessment or cause the auditor to make changes. In some cases, management can correct deficiencies and material weaknesses before the auditor does significant testing, which may permit a reduction in control risk.

When auditors plan to use evidence about the operating effectiveness of internal control obtained in prior audits, auditing standards require

tests of the controls' effectiveness at least every third year. If auditors determine that a key control has been changed since it was last tested, they should test it in the current year. This applies to both manual and automated controls. When there are a number of controls tested in prior audits that have not been changed, auditing standards require auditors to test some of those controls each year to ensure there is a rotation of controls testing throughout the three-year period.

The five components of internal control all involve

the creation of many documents and records. By examining completed documents, records, and computer files, the auditor can evaluate whether information described in flowcharts, narratives, and questionnaires has been implemented.

When auditors observe client personnel carrying out their normal accounting and control activities, including

their preparation of documents and records, it further improves the auditors' understanding and knowledge that controls have been implemented.

The auditor should identify and include only

those controls that are expected to have the greatest effect on meeting the transaction-related audit objectives. These are often called key controls. The reason for including only key controls is that they will be sufficient to achieve the transaction-related audit objectives and also provide audit efficiency.

When obtaining an understanding of and testing the service center's controls, the auditor should

use the same criteria that were used in evaluating a client's internal controls. The depth of the auditor's understanding depends on the complexity of the system and the extent to which the control is relied upon to reduce control risk. The depth of understanding also depends on the extent to which key controls over transaction-related audit objectives reside at the service center for audits of internal control for public companies. If the auditor concludes that active involvement at the service center is the only way to conduct the audit, it may be necessary to obtain an understanding of internal controls at the service center and test controls using test data and other tests of controls.

The use of questionnaires and flowcharts together is

useful for understanding the client's internal control design and identifying internal controls and deficiencies. Flowcharts provide an overview of the system, while questionnaires offer useful checklists to remind the auditor of many different types of internal controls that should exist.

A five-step approach can be used to identify deficiencies, significant deficiencies, and material weaknesses:

1. Identify existing controls. Because deficiencies and material weaknesses are the absence of adequate controls, the auditor must first know which controls exist. The methods for identifying controls have already been discussed.
2. Identify the absence of key controls. Internal control questionnaires, flowcharts, and walkthroughs are useful tools to identify where controls are lacking and the likelihood of misstatement is therefore increased. It is also useful to examine the control risk matrix, such as the one in Figure 12-3, to look for objectives where there are no or only a few controls to prevent or detect misstatements.
3. Consider the possibility of compensating controls. A compensating control is one elsewhere in the system that offsets the absence of a key control. A common example in a small business is the active involvement of the owner. When a compensating control exists, there is no longer a significant deficiency or material weakness.
4. Decide whether there is a significant deficiency or material weakness. The likelihood of misstatements and their potential materiality are used to evaluate if there are significant deficiencies or material weaknesses.
5. Determine potential misstatements that could result. This step is intended to identify specific misstatements that are likely to result because of the significant deficiency or material weakness. The importance of a significant deficiency or material weakness is directly related to the likelihood and materiality of potential misstatements.

There is a significant overlap between tests of controls and procedures to obtain an understanding. Both include inquiry, inspection, and observation. There are two primary differences in the application of these common procedures.

1. In obtaining an understanding of internal control, the procedures to obtain an understanding are applied to all controls identified during that phase. Tests of controls, on the other hand, are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding.
2. Procedures to obtain an understanding are performed only on one or a few transactions or, in the case of observations, at a single point in time. Tests of controls are performed on larger samples of transactions (perhaps 20 to 100), and often, observations are made at more than one point in time.

For key controls, tests of controls other than reperformance are essentially an extension of procedures to obtain an understanding. Therefore, assuming the auditors plan to obtain a low assessed control risk from the beginning of the audit, they will likely combine both types of procedures and perform them simultaneously. One option is to perform the audit procedures separately, as shown in Table 12-1, where minimum procedures to obtain an understanding of design and operation are performed, followed by additional tests of controls. An alternative is to combine both columns and do them simultaneously. The same amount of evidence is accumulated in the second approach, but more efficiently.

The auditor is likely to use four types of procedures to support the operating effectiveness of internal controls. Management's testing of internal control will likely include the same types of procedures. The four types of procedures are as follows:

1. Make inquiries of appropriate client personnel. Although inquiry is not a highly reliable source of evidence about the effective operation of controls, it is still appropriate. For example, to determine that unauthorized personnel are denied access to computer files, the auditor may make inquiries of the person who controls the computer library and of the person who controls online-access security-password assignments.
2. Examine documents, records, and reports. Many controls leave a clear trail of documentary evidence (both electronic and paper) that can be used to test controls. Suppose, for example, that when a customer order is received, it is used to create a customer sales order, which is approved for credit. (See the first and second key controls in Figure 12-3 on page 373.) Then the customer order is attached to the sales order as authorization for further processing. The auditor can test the control by examining the documents to make sure that they are complete and properly matched and that required signatures or initials are present.
3. Observe control-related activities. Some controls do not leave an evidence trail, which means that it is not possible at a later date to examine evidence that the control was executed. For example, separation of duties relies on specific persons performing specific tasks, and there is typically no documentation of the separate performance. (See the third key control in Figure 12-3.) For controls that leave no documentary evidence, the auditor generally observes them being applied at various points during the year.
4. Reperform client procedures. There are also control-related activities for which there are related documents and records, but their content is insufficient for the auditor's purpose of assessing whether controls are operating effectively. For example, assume that prices on sales invoices are obtained from the master price list, but no indication of the control is documented on the sales invoices. (See the seventh key control in Figure 12-3.) In these cases, it is common for the auditor to reperform the control activity to see whether the proper results were obtained. For this example, the auditor can reperform the procedure by tracing the sales prices to the authorized price list in effect at the date of the transaction. If no misstatements are found, the auditor can conclude that the procedure is operating as intended.

The most important differences in evaluating, reporting, and testing internal control for nonpublic companies and smaller public companies that are not subject to Section 404(b) audits of internal control.

1. Reporting requirements. In audits of nonpublic companies and non-accelerated filers, there is no requirement for an audit of internal control over financial reporting. The auditor, therefore, focuses on internal control only to the extent needed to assess the risks of material misstatements and do a quality audit of financial statements. The AICPA Auditing Standards Board recently moved the guidance from the attestation standards to auditing standards that applies when nonpublic entities engage the auditor to conduct an examination of the design and operating effectiveness of internal controls over financial reporting that is integrated with the audit of the financial statements. The approach for an integrated audit of a nonpublic company under the attestation standards is consistent with the approach to an integrated audit of a public company under PCAOB auditing standards.
2. Extent of required internal controls. A company's size has a significant effect on the nature of internal control and the specific controls that are implemented. Obviously, it is more difficult to establish adequate separation of duties in a small company. It is also unreasonable to expect a small firm to have internal auditors. However, if the various components of internal control are examined, it becomes apparent that most are applicable to both large and small companies. Even though it may not be common to formalize policies in manuals, it is certainly possible for a small company to have (1) competent, trustworthy personnel with clear lines of authority; (2) proper procedures for authorization, execution, and recording of transactions; (3) adequate documents, records, and reports; (4) physical controls over assets and records; and, (5) to a limited degree, independent checks on performance.
3. Extent of understanding needed. Auditing standards require that the auditor obtain a sufficient understanding of internal control to assess the risk of material misstatement at the overall financial statement level and at the relevant assertion level. These risks are assessed in order to design effective audit procedures. In practice, the procedures to gain an understanding of internal control vary considerably from client to client. For smaller companies, if the auditor determines that controls are not designed or implemented properly, or not operating effectively, the auditor assesses control risk at maximum and designs and performs detailed substantive procedures. For larger nonpublic clients, the understanding of controls can be the same as that for public companies.
4. Assessing control risk. The most important difference in a nonpublic company in assessing control risk is the assessment of control risk at maximum for any or all control-related objectives when internal controls for the objective or objectives are nonexistent or ineffective. Because of the expectation that public companies should have effective internal controls for all significant transactions and accounts, there is an initial presumption that control risk is low in the audit of public company financial statements. Thus, it is unlikely that a public company auditor will make a preliminary assessment of control risk at maximum.
5. Extent of tests of controls needed. The auditor will not perform tests of controls when the auditor assesses control risk at maximum, either because of inadequate controls, or because the audit can be completed more efficiently by not relying on and testing controls. When control risk is assessed below the maximum, the auditor designs and performs a combination of tests of controls and substantive procedures to obtain reasonable assurance that the financial statements are fairly stated.

When using the test data approach, auditors have three main considerations:

1. Test data should include all relevant conditions that the auditor wants tested. Auditors should design test data to test all key computer-based controls and include realistic data that are likely to be a part of the client's normal processing, including both valid and invalid transactions. For example, assume the client's payroll application contains a limit check that disallows a payroll transaction that exceeds 80 hours per week. To test this control, the auditor can prepare payroll transactions with 79, 80, and 81 hours for each sampled week and process them through the client's system in a manner. If the limit check control is operating effectively, the client's system should reject the transaction for 81 hours, and the client's error listing should report the 81-hour transaction error.
2. Application programs tested by auditors' test data must be the same as those the client used throughout the year. One approach is to run the test data on a surprise basis, possibly at random times throughout the year, even though doing so is costly and time consuming. Another method is to rely on the client's general controls in the librarian and systems development functions to ensure that the program tested is the one used in normal processing.
3. Test data must be eliminated from the client's records. If auditors process test data while the client is processing its own transactions, auditors must eliminate the test data in the client's master files after the tests are completed to prevent master files and transaction files from being permanently contaminated by the auditor's testing. Auditors can do this by developing and processing data that reverses the effect of the test data.

Because of the complexities of many clients' application software programs, auditors who use the test data approach often obtain assistance from a computer audit specialist. Many larger CPA firms have staff dedicated to assisting in testing client automated application controls.

Attestation standards provide guidance to auditors who issue reports on the internal control of service organizations (service auditors), while auditing standards provide guidance to auditors of user organizations (user auditors) that rely on the service auditor's report. Service auditors may issue two types of reports:

Report on management's description of a service organization's system and the suitability of the design of controls (referred to as a Type 1 report)
Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls (referred to as a Type 2 report)

The auditor will issue an unqualified opinion on internal control over financial reporting when two conditions exist:

There are no identified material weaknesses as of the end of the fiscal year.
There have been no restrictions on the scope of the auditor's work.

When one or more material weaknesses exist, the auditor must express an

adverse opinion on the effectiveness of internal control. The most common cause of an adverse opinion in the auditor's report on internal control is when management identified a material weakness in its report.

As organizations expand their use of IT, internal controls are often embedded in applications that are available only electronically. When traditional source documents such as invoices, purchase orders, billing records, and accounting records such as sales journals, inventory listings, and accounts receivable subsidiary records exist only electronically, auditors must

change their approach to auditing. This approach is often called auditing through the computer. Auditors use three approaches to test the effectiveness of automated controls when auditing through the computer: test data approach, parallel simulation, and embedded audit module approach.

In addition to these matters, auditors often identify less significant internal control-related issues, as well as opportunities for the client to make operational improvements. These should also be

communicated to the client. The form of communication is often a separate letter for that purpose, called a management letter. Although management letters are not required by auditing standards, auditors generally prepare them as a value-added service of the audit.

After a preliminary assessment of control risk is made for sales and cash receipts, the auditor can

complete the three control-risk rows of the evidence-planning worksheet that was introduced in Chapter 9 on page 282. If tests of controls results do not support the preliminary assessment of control risk, the auditor must modify the worksheet later. Alternatively, the auditor can wait until tests of controls are done to complete the three control-risk rows of the worksheet.

Assessing control risk requires the auditor to

consider the design, implementation, and operation of controls to evaluate whether they will likely be effective in meeting related audit objectives. During the understanding phase, the auditor will have already gathered some evidence in support of both the design of the controls and their implementation by using procedures to obtain an understanding. In most cases, the auditor will not have gathered enough evidence to reduce assessed control risk to a sufficiently low level. The auditor must therefore obtain additional evidence about the operating effectiveness of controls throughout all, or at least most, of the period under audit. The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.

The embedded audit module approach allows auditors to

continuously audit transactions by identifying actual transactions processed by the client, as compared to test data and parallel simulation approaches, which only allow intermittent testing. Internal audit may also find this technique useful. Although auditors may use one or any combination of testing approaches, they typically use:
Test data to do tests of controls and substantive tests of transactions
Parallel simulation for substantive testing, such as recalculating transaction amounts and footing master file subsidiary records of account balances
Embedded audit modules to identify unusual transactions for substantive testing

The auditor obtains an understanding of the

design and implementation of internal control to make a preliminary assessment of control risk as part of the auditor's overall assessment of the risk of material misstatements. As described in Chapter 9, the auditor uses this preliminary assessment of control risk to plan the audit for each material class of transactions. However, in some instances the auditor may learn that the control deficiencies are significant such that the client's financial statements may not be auditable. For example, if management lacks integrity or the accounting records are deficient, most auditors will not accept the engagement.

An internal control flowchart is a

diagram of the client's documents and their sequential flow in the organization. An adequate flowchart includes the same four characteristics identified for narratives. Well-prepared flowcharts are advantageous primarily because they provide a concise overview of the client's system, including separation of duties, which helps auditors identify controls and deficiencies in the client's system. Flowcharts have two advantages over narratives: typically they are easier to read and easier to update. It is unusual to use both a narrative and a flowchart to describe the same system because both present the same information.

In recent years, it has become increasingly common for service centers to

engage a CPA firm to obtain an understanding and test internal controls of the service center (often referred to as "service organization controls" or "SOC") and issue a SOC report for use by all customers and their independent auditors. The purpose of this independent assessment is to provide service center customers reasonable assurance about the adequacy of the service center's general and application controls and to eliminate the need for redundant audits by customers' auditors. If the service center has many customers and each requires an understanding of the service center's internal control by its own independent auditor, the inconvenience and cost to the service center can be substantial.

In addition to understanding the design of the internal controls, the auditor must also

evaluate whether the designed controls are implemented. In practice, the understanding of the design and the implementation are often done simultaneously. Following are common methods.

Once auditors determine that entity-level controls, including

general controls, are designed and placed in operation, they next make a preliminary assessment for each transaction-related audit objective for each major type of transaction in each transaction cycle. For example, in the sales and collection cycle, the types of transactions usually involve sales, sales returns and allowances, cash receipts, and the provision for and write-off of uncollectible accounts. The auditor also makes the preliminary assessment for controls affecting audit objectives for balance sheet accounts and presentations and disclosures in each cycle.

Auditors commonly do parallel simulation testing using

generalized audit software (GAS), which consists of programs designed specifically for auditing purposes. Commercially available audit software, such as ACL and IDEA, can be easily operated on auditors' desktop or laptop computers. Auditors obtain copies of machine-readable client databases or master files and use the generalized audit software to do a variety of tests of the client's electronic data. Instead of GAS, some auditors use spreadsheet software to do simple parallel simulation tests. Others develop their own customized audit software.

Most audits of a company are done annually by the same CPA firm. After the first year's audit, the auditor begins with a

great deal of information from prior years about the client's internal control. It is especially useful to determine whether controls that were not previously operating effectively have been improved.

The body of the matrix is used to show

how each control contributes to the accomplishment of one or more transaction-related audit objectives. In this illustration, a C was entered in each cell where a control partially or fully satisfied an objective. A similar control risk matrix would be completed for balance-related and presentation and disclosure-related audit objectives.

The first step in the assessment is to

identify the audit objectives for classes of transactions, account balances, and presentation and disclosure to which the assessment applies. For example, this is done for classes of transactions by applying the specific transaction-related audit objectives introduced earlier, which were stated in general form, to each major type of transaction for the entity. For example, the auditor makes an assessment of the occurrence objective for sales and a separate assessment of the completeness objective.

Next, the auditor uses the information discussed in the previous section on obtaining and documenting an understanding of internal control to

identify the controls that contribute to accomplishing transaction-related audit objectives. One way for the auditor to do this is to identify controls to satisfy each objective. The same thing can be done for all other objectives. It is also helpful for the auditor to use the five control activities (separation of duties, proper authorization, adequate documents and records, physical control over assets and records, and independent checks on performance) as reminders of controls. For example: Is there adequate separation of duties and how is it achieved? Are transactions properly authorized? Are prenumbered documents properly accounted for? Are key master files properly restricted from unauthorized access? Is an independent verification of processes performed?

When using the embedded audit module approach, auditors

insert an audit module into the client's application system to identify specific types of transactions. For example, auditors might use an embedded module to identify all purchases exceeding $25,000 for follow-up with more detailed examination for the occurrence and accuracy transaction-related audit objectives. In some cases, auditors later copy the identified transactions to a separate data file and then process those transactions using parallel simulation to duplicate the function done by the client's system. The auditor then compares the client's output with the auditor's output. Discrepancies are printed on an exception report for auditor follow-up.

Generalized audit software provides three advantages:

it is relatively easy to train audit staff in its use, even if they have had little audit-related IT training; the software can be applied to a wide variety of clients with minimal customization; and it has the ability to do audit tests much faster and in more detail than using traditional manual procedures.

Common uses of generalized audit software:
1. Generalized audit software is used to test automated controls. An auditor obtains copies of a client's customer credit limit master file and a customer order file, and then instructs the auditor's computer to list transactions that exceed the customer's authorized credit limit. The auditor then compares the audit output to the client's list of customer orders that were rejected for exceeding authorized credit limits.
2. Generalized audit software is used to verify the client's account balances. An auditor can use the software to sum the master file of customer accounts receivable to determine whether the total agrees with the general ledger balance.

Auditors must evaluate whether

key controls are absent in the design of internal control over financial reporting as a part of evaluating control risk and the likelihood of financial statement misstatements. Auditing standards define three levels of the absence of internal controls:
1. Control deficiency. A control deficiency exists if the design and implementation or operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis in the normal course of performing their assigned functions. A design deficiency exists if a necessary control is missing, is not properly designed, or is not properly implemented. An operation deficiency exists if a well-designed control does not operate as designed or if the person performing the control is insufficiently qualified or authorized.
2. Significant deficiency. A significant deficiency exists if one or more control deficiencies exist that are less severe than a material weakness (defined next), but are important enough to merit attention by those responsible for oversight of the company's financial reporting.
3. Material weakness. A material weakness exists if a significant deficiency, by itself or in combination with other significant deficiencies, results in a reasonable possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis. To determine if a significant internal control deficiency or deficiencies are a material weakness, they must be evaluated along two dimensions: likelihood and significance.

The impact of general controls and application controls on audits is likely to vary depending on the

level of complexity in the IT environment. Even in a less complex IT environment, the auditor is still responsible for obtaining an understanding of general and application computer controls because such knowledge is useful in identifying risks that may affect the financial statements. However, the extent of testing will depend on the assessment of control risk, as discussed earlier. In this section, we discuss auditing in a more complex IT environment and the opportunities and challenges this provides for auditors.

Auditing standards require auditors to obtain and document their understanding of internal control for every audit. This understanding is necessary for both the audit of internal controls over financial reporting and the audit of financial statements. Management's documentation is a

major source of information in gaining this understanding.

After obtaining an understanding of internal control, the auditor

makes a preliminary assessment of control risk as part of the auditor's overall assessment of the risk of material misstatement. This assessment is a measure of the auditor's expectation that internal controls will prevent material misstatements from occurring or detect and correct them if they have occurred.

In a walkthrough, the auditor selects one or a few documents of a transaction type and traces them from initiation through the entire accounting process. At each stage of processing, the auditor

makes inquiries, observes activities, and examines completed documents and records. Walkthroughs conveniently combine observation, inspection, and inquiry to assure that the controls designed by management have been implemented.

Auditors commonly use three types of documents to obtain and document their understanding of the design of internal control:

narratives, flowcharts, and internal control questionnaires

Many auditors use a control risk matrix

to assist in the control risk assessment process at the transaction level. The purpose is to provide a convenient way to organize assessing control risk for each audit objective.

The scope of the auditor's report on internal control is limited to

obtaining reasonable assurance that material weaknesses in internal control are identified. Thus, the audit is not designed to detect deficiencies in internal control that individually, or in the aggregate, are less severe than a material weakness. The distinction between deficiencies, significant deficiencies, and material weaknesses was discussed earlier.

Auditors often use auditor-controlled software to do the same operations that the client's software does, using the same data files. The purpose is to determine the effectiveness of automated controls and to obtain evidence about electronic account balances. This testing approach is called

parallel simulation testing. Whether testing controls or ending balances, the auditor compares the output from the auditor's software to output from the client's system to test the effectiveness of the client's software and to determine if the client's balance is correct. A variety of software is available to assist auditors.

Recall that management's report on internal control deals with the effectiveness of internal controls as of the end of the fiscal year. PCAOB auditing standards require the auditor to

perform tests of controls that are adequate to determine whether controls are operating effectively at year-end. The timing of the auditor's tests of controls will therefore depend on the nature of the controls and when the company uses them. For controls that are applied throughout the accounting period, it is usually practical to test them at an interim date. The auditor will then determine later if changes in controls occurred in the period not tested and decide the implication of any change. Controls dealing with financial statement preparation occur only quarterly or at year-end and must therefore also be tested at quarter-end and year-end.

The auditor uses the control risk assessment and results of tests of controls to determine

planned detection risk and related substantive tests for the audit of financial statements. The auditor does this by linking the control risk assessments to the balance-related audit objectives for the accounts affected by the major transaction types and to the four presentation and disclosure audit objectives. The appropriate level of detection risk for each balance-related audit objective is then decided using the audit risk model.

Based on the auditor's assessment and testing of internal control, the auditor is required to

prepare an audit report on internal control over financial reporting for accelerated filer public companies subject to Section 404(b) reporting requirements. The auditor may issue separate or combined audit reports on the financial statements and on internal control over financial reporting.

As part of the auditor's risk assessment procedures, the auditor uses

procedures to obtain an understanding, which involve gathering evidence about the design of internal controls and whether they have been implemented, and then using that information as a basis for assessing control risk and for the integrated audit. The auditor generally uses four of the eight types of evidence described in Chapter 7 to obtain an understanding of the design and implementation of controls: inspection, inquiry of entity personnel, observation of employees performing control processes, and reperformance by tracing one or a few transactions through the accounting system from start to finish.

In the test data approach, auditors

process their own test data using the client's computer system and application program to determine whether the automated controls correctly process the test data. Auditors design the test data to include transactions that the client's system should either accept or reject. After the test data are processed on the client's system, auditors compare the actual output to the expected output to assess the effectiveness of the application program's automated controls.

Because the audit of the financial statements and the audit of internal control over financial reporting are integrated, the auditor must consider the

results of audit procedures performed to issue the audit report on the financial statements when issuing the audit report on internal control. For example, assume the auditor identifies a material misstatement in the financial statements that was not initially identified by the company's internal controls. The following four responses to this finding are likely:
1. Because there is a material error in the financial statements, the auditor should consider whether the misstatement indicates the existence of a material weakness. Determining if the misstatement is in fact a material weakness or a significant deficiency involves judgment and depends on the nature and size of the misstatement.
2. The auditor can issue an unqualified opinion on the financial statements if the client adjusts the statements to correct the misstatement prior to issuance.
3. Management is likely to change its report on internal control to assert that the controls are not operating effectively.
4. The auditor must issue an adverse opinion on internal control over financial reporting if the deficiency is considered a material weakness. If the material weakness has not been included in management's assessment, the report should note that a material weakness has been identified but not included in management's assessment.

The extent of testing also depends on

the frequency of the operation of the controls, and whether it is manual or automated. For example, some financial reporting controls only operate at the end of the fiscal year, or quarterly, as opposed to operating on a daily basis. The auditor will test year-end controls, but will also test a sample of controls that operate quarterly or monthly. For manual controls, the auditor will select a sample of transactions and test whether the control is operating effectively. As an example, if the client manually compares a purchase order, receiving report, and vendor's invoice before approving payment to a vendor, an auditor may select a sample of recorded purchases throughout the year and verify the documents were properly matched and approved for payment. Because manual controls are performed by people, they are always subject to random error or manipulation. For automated controls, as long as the computer is programmed accurately and that program remains unchanged, automated controls will consistently perform as programmed until the software application is changed. Using the purchases example, the matching of the purchase order, receiving report, and vendor's invoice can be automated and the computer can generate a list of exceptions, rather than an employee manually comparing. As a result, when there are effective general controls and an automated application control, the auditor may be able to justify testing only one transaction and may not need to select a sample of transactions to verify. Therefore, the extent of testing will vary. The auditor will use one of several approaches to determine whether the design and implementation of automated controls are appropriate and that they are operating effectively. These approaches are discussed further later in the chapter when we discuss controls in more complex IT environments.

The extent to which tests of controls are applied depends on

the preliminary assessed control risk. If the auditor wants a lower assessed control risk, more extensive tests of controls are applied, both in terms of the number of controls tested and the extent of the tests for each control. For example, if the auditor wants to use a low assessed control risk, a larger sample size for inspection, observation, and reperformance procedures should be applied.

If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same assessed control risk as

the preliminary assessment. If, however, the tests of controls indicate that the controls did not operate effectively, the assessed control risk must be reconsidered. For example, the tests may indicate that the application of a control was curtailed midway through the year or that the person applying it made frequent misstatements. In such situations, the auditor uses a higher assessed control risk, unless compensating controls for the same related audit objectives are identified and found to be effective. For integrated audits, the auditor must also consider the impact of those controls that are not operating effectively on the auditor's report on internal control.

When clients use a service center for processing transactions, such as a payroll service provider or a broker for processing investment transactions, the auditor faces a difficulty

when obtaining an understanding of the client's internal controls for these transaction areas. Many of the controls reside at the service center, and the auditor cannot assume that the controls are adequate simply because it is an independent enterprise. Auditing standards require the auditor to consider the need to obtain an understanding and test the service center's controls if the service center application involves processing significant financial data. For example, many of the controls for payroll transaction-related audit objectives reside within the software program maintained and supported by the payroll services company, not the audit client.

The auditor must communicate significant deficiencies and material weaknesses in

writing to those charged with governance as soon as the auditor becomes aware of their existence. The communication is usually addressed to the audit committee and to management. Timely communications may provide management an opportunity to address control deficiencies before management's report on internal control must be issued. In some instances, deficiencies can be corrected sufficiently early such that both management and the auditor can conclude that controls are operating effectively as of the balance sheet date. Regardless, these communications must be made no later than 60 days following the audit report release.

A narrative is a

written description of a client's internal controls. A proper narrative of an accounting system and related controls describes four things:
1. The origin of every document and record in the system. For example, the description should state where customer orders come from and how sales invoices are generated.
2. All processing that takes place. For example, if sales amounts are determined by a computer program that multiplies quantities shipped by standard prices contained in price master files, that process should be described.
3. The disposition of every document and record in the system. The filing or electronic archiving of documents, sending them to customers, or destroying them should be described.
4. An indication of the controls relevant to the assessment of control risk. These typically include separation of duties (such as separating recording cash from handling cash), authorizations and approvals (such as credit approvals), and internal verification (such as comparison of unit selling prices to sales contracts).

A Type 1 report helps auditors obtain an understanding of internal control to plan the audit. However, auditors also require evidence about the operating effectiveness of controls to assess control risk, especially when auditing internal control over financial reporting for public companies.

This evidence can:
• Be based on the service auditor's Type 2 report, which includes tests of the operating effectiveness of controls
• Come from tests of the user organization's controls over the activities of the service organization
• Be created when the user auditor does appropriate tests at the service organization
If the user auditor decides to rely on the service auditor's report, appropriate inquiries should be made about the service auditor's reputation. Auditing standards state that the user auditor should not make reference to the report of the service auditor in the opinion on the user organization's financial statements.

