Published by Ashley Cobb. Modified over 9 years ago.
1
MODERN AUDITING 7th Edition Developed by: Gregory K. Lowry, MBA, CPA Saint Paul’s College John Wiley & Sons, Inc. William C. Boynton California Polytechnic State University at San Luis Obispo Raymond N. Johnson Portland State University Walter G. Kell University of Michigan
2
CHAPTER 10 ASSESSING CONTROL RISK/ TESTS OF CONTROLS
- Assessing Control Risk
- Assessing Control Risk in an Information Technology Environment
- Effects of Preliminary Audit Strategies
- Designing Tests of Controls
- Additional Considerations
3
Assessing Control Risk Assessing Control Risk is the process of evaluating the effectiveness of an entity’s internal control in preventing or detecting material misstatements in the financial statements (AU 319.47). The purpose of assessing control risk is to assist the auditor in making a judgment about the risk of material misstatement in financial statement assertions. Assessing control risk involves evaluating the effectiveness of: 1. the design and 2. the operation of controls.
4
Assessing Control Risk In making an assessment of control risk for an assertion, it is necessary for the auditor to: 1. Consider knowledge acquired from procedures to obtain an understanding about whether controls pertaining to the assertion have been designed and placed in operation by the entity’s management. 2. Identify potential misstatements that could occur in the entity’s assertion. 3. Identify the necessary controls that would likely prevent or detect and correct the misstatements. 4. Perform tests of controls on the necessary controls to determine the effectiveness of their design and operation. 5. Evaluate the evidence and make the assessment.
5
Potential Misstatements, Necessary Controls, and Tests of Controls — Cash Disbursement Transactions Figure 10-1
8
Identify Necessary Controls An auditor may identify necessary controls that could likely prevent or detect and correct specific potential misstatements by using computer software that processes internal control questionnaire responses or by manually using checklists. When the volume of cash disbursements is light and timely detection of misstatements is not as essential, periodic independent bank reconciliations may adequately compensate for the lack of a daily independent check. In such a circumstance, the bank reconciliation might be referred to as a compensating control.
9
Identify Necessary Controls The auditor must assimilate information about the wide variety of possible controls related to any internal control component in considering the risk of potential misstatements in a particular assertion. This concept may be represented graphically as follows:
[Diagram: Relevant Internal Control Components (control environment, risk assessment, information and communication, control activities, monitoring) feed the Assessment of Control Risk for each assertion.]
10
Overview of Computer Controls Figure 10-2
11
Strategies for Performing Tests of Controls The following 3 strategies related to assessing control risk are discussed below: 1. Assessing control risk based on user controls. 2. Planning for a low control risk assessment based on application controls. 3. Planning for a high control risk assessment based on general controls and manual follow-up.
12
Computer-Assisted Audit Techniques Computer-assisted audit techniques (CAATs) involve using the computer to directly test application controls; this approach is also known as auditing through the computer. The auditor may find that using the computer in tests of controls is advantageous when: 1. A significant part of the internal controls is embedded in a computer program. 2. There are significant gaps in the visible audit trail. 3. There are large volumes of records to be tested.
13
Important CAATs used to test the operation of specific programmed application controls include: 1. parallel simulation, 2. test data, 3. integrated test facility, and 4. continuous monitoring of on-line real-time systems.
14
Reconstruction of Data Files Figure 10-3
15
Control Risk Assessment Considerations for IT General Controls Figure 10-4
18
Control Risk Consideration for Computer Application Controls Figure 10-5
20
Methodologies for Meeting the Second Standard of Field Work Figure 10-6
21
Designing Tests of Controls Tests of controls that are designed to evaluate the operating effectiveness of a control are concerned with: 1. how the control was applied, 2. the consistency with which it was applied during the period, and 3. by whom it was applied. AU 319.53 states that tests to obtain this evidence normally include: 1. Inquiries of appropriate entity personnel 2. Inspection of documents, reports, or electronic files, indicating performance of the control 3. Observation of the application of the control 4. Reperformance of the application of the control by the auditor
22
Designing Tests of Controls AU 319.64 recognizes that the evaluation of evidential matter is a matter of auditing judgment and that it varies substantially in the assurance it provides to the auditor as he or she develops an assessed level of control risk. The following factors bear on the degree of assurance provided by tests of controls: 1. The type of evidential matter 2. Its source 3. Its timeliness 4. The existence of other evidential matter related to the conclusion
23
Using Internal Auditors in Tests of Controls Whenever a client has an internal audit function, the auditor may: 1. coordinate his or her audit work with the internal auditors, and/or 2. use internal auditors to provide direct assistance in the audit.
24
Dual-Purpose Tests It is permissible under GAAS to perform substantive tests of details of transactions to detect monetary errors in the accounts during interim work. When this occurs, the auditor may simultaneously perform tests of controls on the same transactions. This type of testing is referred to as dual-purpose testing.
25
Additional Considerations The process of assessing control risk for account balance assertions is straightforward for accounts that are affected by a single transaction class. This is the case for most income statement accounts. In these cases, the auditor’s control risk assessment for each account balance assertion is the same as the control risk assessment for the same transaction class assertion.
26
Additional Considerations Many balance sheet accounts are significantly affected by more than one transaction class. In these cases, assessing control risk for an account balance assertion requires consideration of the relevant control risk assessments for each transaction class that significantly affects the balance. For an account affected by more than one transaction class, the control risk assessment for a particular account balance assertion is based on the control risk assessment for the same assertion pertaining to each transaction class that affects the account balance, with one major exception. The control risk assessments for existence or occurrence and completeness assertions for a transaction class that decreases an account balance relate to the opposite assertion affected.
27
Combining Account Balance Assertions for the Cash Balance Figure 10-8
28
Summary of Relationships between Account Balance Assertions and Transaction Class Assertions Figure 10-9
29
Documenting the Assessed Level of Control Risk The auditor’s working papers should include documentation of the control risk assessment. The requirements are as follows: 1. Control risk is assessed at the maximum: Only this conclusion needs to be documented. 2. Control risk is assessed at below the maximum: The basis for assessment must be documented.
30
Communicating Internal Control Matters The auditor is required to identify and report to the audit committee, or other entity personnel with equivalent authority and responsibility, certain conditions that relate to an entity’s internal control observed during an audit of the financial statements. AU 325, Communication of Internal Control Related Matters Noted in an Audit (SAS 60 and SAS 78), defines a reportable condition as: “…matters coming to the auditor’s attention that, in his judgment, should be communicated to the audit committee because they represent significant deficiencies in the design or operation of internal control, which could adversely affect the organization’s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.”
31
Applications of Components to Small and Midsize Entities A reportable condition may be of such a magnitude as to constitute a material weakness in internal control. AU 325.15 defines a material weakness as: “…a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.”
32
Service Organizations (Appendix 10A) A service organization is an entity that provides services for other entities, referred to as user organizations (the audit client, whose auditor is referred to as the user auditor). A service organization’s services are part of an entity’s information system if they affect: 1. How the entity’s transactions are initiated. 2. The accounting records, supporting information, and specific accounts in the financial statements involved in the processing and reporting of the entity’s transactions. 3. The accounting process involved from the initiation of the transactions to their inclusion in the financial statements, including electronic means. 4. The financial reporting process used to prepare the entity’s financial statements.
33
CHAPTER 10 ASSESSING CONTROL RISK/ TESTS OF CONTROLS
34
Copyright 2001 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.