In complex IT environments, much of the transaction information is available only in electronic form without generating a visible audit trail of documents and records. In that case, the company is usually still auditable; however, auditors must assess whether they have the necessary skills to gather evidence that is in electronic form and can assign personnel with adequate IT training and experience. After obtaining an understanding of internal control, the auditor makes a preliminary assessment of control risk as part of the auditors overall assessment of the risk of material misstatement. This assessment is a measure of the auditors expectation that internal controls will prevent material misstatements from occurring or detect and correct them if they have occurred. The starting point for most auditors is the assessment of entity-level controls. By nature, entity-level controls, such as many of the elements contained in the control environment, risk assessment, and monitoring components, have an overarching impact on most major types of transactions in each transaction cycle.
For example, an ineffective board of directors or managements failure to have any process to identify, assess, or manage key risks, has the potential to undermine controls for most of the transaction-related audit objectives. Thus, auditors generally assess entity-level controls before assessing transaction specific controls. Once auditors determine that entity-level controls are designed and placed in operation, they next make a preliminary assessment for each transaction-related audit objective for each major type of transaction in each transaction cycle.
For example, in the sales and collection cycle, the types of transactions usually involve sales, sales returns and allowances, cash receipts, and the provision for and write-off of uncollectible accounts. The auditor also makes the preliminary assessment for controls affecting audit objectives for balance sheet accounts and presentations Many auditors use a control risk matrix to assist in the control risk assessment process at the transaction level. The purpose is to provide a convenient way to organize assessing control risk for each audit objective. the control risk matrix for transaction-related audit objectives, auditors use a similar control risk matrix format to assess control risk for balance-related and presentation and disclosure-related audit objectives.
Identify Audit Objectives
The first step in the assessment is to identify the audit objectives for classes of transactions, account balances, and presentation and dis closure to which the assessment applies. For example, this is done for classes of transactions by applying the specific transaction-related audit objectives introduced earlier, which were stated in general form, to each major type of transaction for the entity. For example, the auditor makes an assessment of the occurrence objective for sales and a separate assessment of the completeness objective.
Identify Existing Controls
Next, the auditor uses the information discussed in the previous section on obtaining and documenting an understanding of internal control to identify the controls that contribute to accomplishing transaction-related audit objectives. One way for the auditor to do this is to identify controls to satisfy each objective. For example, the auditor can use knowledge of the clients system to identify controls that are likely to prevent errors or fraud in the occurrence transaction-related audit objective. The same thing can be done for all other objectives. It is also helpful for the auditor to use the five control activities (separation of duties, proper authorization, Adequate documents and records, physical control over assets and records, and Independent checks on performance) as reminders of controls.
For example: Is there adequate separation of duties and how is it achieved? Are transactions properly authorized? Are pre-numbered documents properly accounted for? Are key master files properly restricted from unauthorized access? The auditor should identify and include only those controls that are expected to have the greatest effect on meeting the transaction-related audit objectives. These are often called key controls. The reason for including only key controls is that they will be sufficient to achieve the transaction-related audit objectives and also provide audit efficiency.
Associate Controls with Related Audit Objectives
Each control satisfies one or more related audit objectives. This can be seen for transaction-relatedaudit objectives. The body of the matrix is used to show how each control contributes To the accomplishment of one or more transaction-related audit objectives. In this , a C was entered in each cell where a control partially or fully satisfied an bjective. A similar control risk matrix would be completed for balance-related and presentation and disclosure-related audit objectives.
For example, the mailing of statements to customers satisfies three objectives in the audit of Hillsburg Hardware, which is indicated by the placement of each C on the row . Identify and Evaluate Control Deficiencies, Significant Deficiencies, and Material Weaknesses Auditors must evaluate whether key controls are absent in the design of internal control over financial reporting as a part of evaluating control risk and the likelihood of financial statement misstatements. Auditing standards define three levels of the absence of internal controls:
1. Control deficiency.
A control deficiency exists if the design or operation of controls does not permit company personnel to prevent or detect mis-statements on a timely basis in the normal course of performing theirassigned functions. A design deficiency exists if a necessary control is missing or not properly designed. An operation deficiency exists if a well-designed control does not operate as designed or if the person performing the control is insufficiently qualified or authorized.
2. Significant deficiency.
A significant deficiency exists if one or more control deficiencies exist that is less severe than a material weakness (defined below), but important enough to merit attention by those responsible for oversight of the companys financial reporting. 3. Material weakness. A material weakness exists if a significant deficiency, by itself, or in combination with other significant deficiencies, results in a reason able possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis.
To determine if a significant internal control deficiency or deficiencies are a material weakness, they must be evaluated along two dimensions: likelihood and significance. If there is more than a reasonable possibility (likelihood) that a material misstatement (significance) could result from the significant deficiency or deficiencies, then it is considered a material weakness. A five-step approach can be used to identify deficiencies, significant deficiencies, and Material weaknesses.
1. Identify existing controls. Because deficiencies and material weaknesses are the absence of adequate controls, the auditor must first know which controls exist. The methods for identifying controls have already been discussed. 2. Identify the absence of key controls. Internal control questionnaires, flow charts, and walkthroughs are useful tools to identify where controls are lacking and the likelihood of misstatement is therefore increased. It is also useful to examine the control risk matrix, such as to look for objectives where there are no or only a few controls to prevent or detect misstatements. 3. Consider the possibility of compensating controls. A compensating control is one Elsewhere in the system that offsets the absence of a key control. A common example in a small business is the active involvement of the owner. When a compensating control exists, there is no longer a significant deficiency or material weakness.
4. Decide whether there is a significant deficiency or material weakness. The likelihood of misstatements and their materiality are used to evaluate if there are significant deficiencies or material weaknesses. 5. Determine potential misstatements that could result. This step is intended to identify specific misstatements that are likely to result because of the significant deficiency or material weakness. The importance of a significant deficiency or material weakness is directly related to the likelihood and materiality of potential misstatements. Associate Significant Deficiencies and Material Weaknesses with Related Audit Objectives The same as for controls, each significant deficiency or material weakness can apply to one or more related audit objectives. In the case of Hillsburg, there are two significant deficiencies, and each applies to only one transaction-related objective. The significant deficiencies are shown in the body of the figure by a D in the appropriate objective column.
Assess Control Risk for Each Related Audit Objective
After controls, significant deficiencies, and material weaknesses are identified and associated with transaction-related audit objectives, the auditor can assess control risk for transaction related audit objectives. This is the critical decision in the evaluation of internal control. The auditor uses all of the information discussed previously to make a subjective control risk assessment for each objective. There are different ways to express this assessment. Some auditors use a subjective expression such as high, moderate, or low. Others use numerical probabilities such as 1.0, 0.6, or 0.2. Again, the control risk matrix is a useful tool for making the assessment. This assessment is not the final one. Before making the final assessment at the end of the integrated audit, the auditor will test controls and perform substantive tests.
These Procedures can either support the preliminary assessment or cause the auditor to make changes. In some cases, management can correct deficiencies and material weaknesses before the auditor does significant testing, which may permit a reduction in control risk. After a preliminary assessment of control risk is made for sales and cash receipts, the auditor can complete the three control risk rows of the evidence-planning worksheet . If tests of controls results do not support the preliminary assessment of control risk, the auditor must modify the worksheet later. Alternatively, the auditor can wait until tests of controls are done to complete the three control risk rows of the worksheet. As part of understanding internal control and assessing control risk, the auditor is required to communicate certain matters to those charged with governance. This Information and other recommendations about controls are also often communicated to management.
Communications to Those Charged With Governance
The auditor must communicate significant deficiencies and material weaknesses in writing to those charged with governance as soon as the auditor becomes aware of their existence. The communication is usually addressed to the audit committee and to management. Timely communications may provide management an opportunity to address control deficiencies before managements report on internal control must be issued. In some instances, deficiencies can be corrected sufficiently early such that both management and the auditor can conclude that controls are operating effectively as of the balance sheet date. Regardless, these communications must be made no later than 60 days following the audit report release.
In addition to these matters, auditors often identify less significant internal control-related issues, as well as opportunities for the client to make operational improvements. These should also be communicated to the client. The form of communication is often a separate letter for that purpose, called a management letter. Although management letters are not required by auditing standards, auditors generally prepare them as a value-added service of the audit.
Test of controls
Weve examined how auditors link controls, significant deficiencies, and material Weaknesses in internal control to related audit objectives to assess control risk for each objective. Now well address how auditors test those controls that are used to support a control risk assessment. For example, each key control that the auditor intends to rely on to support a control risk of medium or low must be supported by sufficient tests of controls. We will deal with tests of controls for both audits of internal control for financial reporting and audits of financial statements. Assessing control risk requires the auditor to consider both the design and operation of controls to evaluate whether they will likely be effective in meeting related audit objectives. During the understanding phase, the auditor will have already gathered some evidence in support of both the design of the controls and their implementation by using procedures to obtain an understanding .
In most cases, the auditor will not have gathered enough evidence to reduce assessed control risk to a sufficiently low level. The auditor must therefore obtain additional evidence about the operating effectiveness of controls throughout all, or at least most, of the period under audit. The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls. If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same assessed control risk as the preliminary assessment.
If, however, the tests of controls indicate that the controls did not operate effectively, the assessed control risk must be reconsidered. For example, the tests may indicate that the application of a control was curtailed midway through the year or that the person applying it made frequent misstatements. In such situations, the auditor uses a higher assessed control risk, unless compensating controls for the same related audit objectives are identified and found to be effective. Of course, the auditor must also consider the impact of those controls that are not operating effectively on the auditors Report on internal control.
Procedures for Tests of Controls
The auditor is likely to use four types of procedures to support the operating effectiveness of internal controls. Managements testing of internal control will likely include the same types of procedures. The four types of procedures are as follows: 1. Make inquiries of appropriate client personnel. Although inquiry is not a highly reliable source of evidence about the effective operation of controls, it is still appropriate. For example, to determine that unauthorized personnel are denied access to computer files, the auditor may make inquiries of the person who controls the computer library and of the person who controls online access security password assignments.
2. Examine documents, records, and reports. Many controls leave a clear trail of documentary evidence that can be used to test controls. Suppose, for example, that when a customer order is received, it is used to create a customer sales order, which is approved for credit. Then the customer order is attached to the sales order as authorization for further processing. The auditor can test the control by examining the documents to make sure that they are complete and properly matched and that required signatures or initials are present. 3. Observe control-related activities. Some controls do not leave an evidence trail, which means that it is not possible to examine evidence that the control was executed at a later date. For example, separation of duties relies on specific persons performing specific tasks, and there is typically no documentation of the separate performance. For controls that leave no documentary evidence, the auditor generally observes them being applied at various points during the year.
4. Reperform client procedures. There are also control-related activities for which there are related documents and records, but their content is insufficient for the auditors purpose of assessing whether controls are operating effectively. For example, assume that prices on sales invoices are obtained from the master price list, but no indication of the control is documented on the sales invoices. In these cases, it is common for the auditor to reperform the control activity to see whether the proper results were obtained. For this example, the auditor can re perform the procedure by tracing the sales prices to the authorized price list in effect at the date of the transaction. If no misstatements are found, the auditor can conclude that the procedure .
Extent of Procedures
The extent to which tests of controls are applied depends on the preliminary assessed control risk. If the auditor wants a lower assessed control risk, more extensive tests of controls are applied, both in terms of the number of controls tested and the extent of the tests for each control. For example, if the auditor wants to use a low assessed control risk, a larger sample size for documentation, observation, and re performance procedures should be applied. The extent of testing also depends on the frequency of the operation of the controls, and whether it is manual or automated.
Reliance on Evidence from the Prior Years Audit
When auditors plan to use evidence about the operating effectiveness of internal control obtained in prior audits, auditing standards require tests of the controls effectiveness at least every third year. If auditors determine that a key control has been changed since it was last tested, they should test it in the current year. When there are a number of controls tested in prior audits that have not been changed, auditing standards require auditors to test some of those controls each year to ensure there is a rotation of controls testing throughout the three year period.
Testing of Controls Related to Significant Risks
Significant risks are those risks that the auditor believes require special audit consideration. When the auditors risk assessment procedures identify significant risks, the auditor is required to test the operating effectiveness of controls that mitigate these risks in the current year audit, if the auditor plans to rely on those controls to support a control risk assessment below 100%. The greater the risk, the more audit evidence the auditor should obtain that controls are operating effectively.
Testing Less Than the Entire Audit Period
Recall that managements report on internal control deals with the effectiveness of internal controls as of the end of the fiscal year. PCAOB Standard 5 requires the auditor to perform tests of controls that are adequate to determine whether controls are operating effectively at year-end. The timing of the auditors tests of controls will therefore depend on the nature of the controls and when the company uses them. For controls that are applied throughout the accounting period, it is usually practical to test them at an interim date. The auditor will then determine later if changes in controls occurred in the period not tested and decide the implication of any change. Controls dealing with financial statement preparation occur only quarterly or at year-end and must therefore also be tested at quarter and year-end.
Relationship between Tests of Controls and Procedures to Obtaining Understanding There is a significant overlap between tests of controls and procedures to obtain an understanding. Both include inquiry, documentation, and observation. There are two primary differences in the application of these common procedures. 1. In obtaining an understanding of internal control, the procedures to obtain an understanding are applied to all controls identified during that phase. Tests of controls, on the other hand, are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding. 2. Procedures to obtain an understanding are performed only on one or a few transactions or, in the case of observations, at a single point in time. Tests of controls are performed on larger samples of transactions (perhaps 20 to 100), and often, observations are made at more than one point in time.
For key controls, tests of controls other than re performance are essentially an Extension of procedures to obtain an understanding. Therefore, assuming the auditors plan to obtain a low assessed control risk from the beginning of the integrated audit, they will likely combine both types of procedures and perform them simultaneously. One option is to perform the audit procedures separately, where minimum procedures to obtain an understanding of design and operation are performed, followed by additional tests of controls. An alternative is to combine both columns and do them simultaneously. The same amount of evidence is accumulated in the second approach, but more efficiently. The determination of the appropriate sample size for tests of controls is an important audit decisions.
Detection risk and the design of substantive tests
Weve focused on how auditors assess control risk for each related audit objective and support control risk assessments with tests of controls. The completion of these activities is sufficient for the audit of internal control over financial reporting, even though the report will not be finalized until the auditor completes the audit of financial statements. The auditor uses the control risk assessment and results of tests of controls to determine planned detection risk and related substantive tests for the audit of financial statements. The auditor does this by linking the control risk assessments to the balance related audit objectives for the accounts affected by the major transaction types and to the four presentations and disclosure audit objectives. The appropriate level of detection risk for each balance-related audit objective is then decided using the audit risk model. The relationship of transaction-related audit objectives to balance-related audit objectives and the selection and design of audit procedures for substantive tests of financial statement.
Types of test
In developing an overall audit plan, auditors use five types of tests to determine whether financial statements are fairly stated. Auditors use risk assessment procedures to assess the risk of material misstatement, represented by the combination of inherent risk and control risk. The other four types of tests represent further audit procedures performed in response to the risks identified. Each audit procedure falls into one, and sometimes more than one, of these five categories. Figure 13-1 shows the relationship of the four types of further audit procedures to the audit risk model. As Figure 13-1 illustrates, tests of controls are performed to support a reduced assessment of control risk, while auditors use analytical procedures and tests of details of balances to satisfy planned detection risk. Substantive tests of transactions affect both control risk and planned detection risk, because they test the effectiveness of internal controls and the dollar amounts of transactions.
Risk Assessment Procedures
TThe second standard of fieldwork requires the auditor to obtain an understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement in the clients financial statements. Risk assessment procedures are performed to assess the risk of material misstatement in the financial statements. The auditor performs tests of controls, substantive tests of transactions, analytical procedures, and tests of details of balances in response to the auditors assessment of the risk of material misstatements.
The combination of these our types of further audit procedures provides the basis for the auditors opinion, as illustrated by Figure 13-1. A major part of the auditors risk assessment procedures are done to obtain an Understanding of internal control. Procedures to obtain an understanding of internal control were studied and focus on both the design and implementation of internal control and are used to assess control risk for each transaction-related audit objectively Tests of Controls
EThe auditors understanding of internal control is used to assess control risk for each transaction-related audit objective. Examples are assessing the accuracy objective for sales transactions as low and the occurrence objective as moderate. When control policies and procedures are believed to be effectively designed, the auditor assesses control risk at a level that reflects the relative effectiveness of those controls. To obtain sufficient appropriate evidence to support that assessment, the auditor performs tests of controls.S Tests of controls, either manual or automated, may include the following types of evidence. (Note that the first three procedures are the same as those used to obtain an understanding of internal control.) ¢ Make inquiries of appropriate client personnel
¢ Examine documents, records, and reports
¢ Observe control-related activities
¢ Reperform client procedures
Auditors perform a system walkthrough as part of procedures to obtain an under standing to help them determine whether controls are in place. The walkthrough is normally applied to one or a few transactions and follows that transaction through the entire process. For example, the auditor may select one sales transaction for a system walk through of the credit approval process, then follow the credit approval process from initiation of the sales transaction through the granting of credit. Tests of controls are also used to determine whether these controls are effective and usually involve testing a sample of transactions. As a test of the operating effectiveness of the credit approval process, for example, the auditor might examine a sample of 50 sales transactions from throughout the year to determine whether credit was granted before the shipment of goods.
Procedures to obtain an understanding of internal control generally do not provide sufficient appropriate evidence that a control is operating effectively. An exception may apply for automated controls because of their consistent performance. The auditors procedures to determine whether the automated control has been implemented may also serve as the test of that control, if the auditor determines there is minimal risk that the automated control has been changed since the understanding was obtained. Then, no additional tests of controls would be required. The amount of additional evidence required for tests of controls depends on two things: 1. The extent of evidence obtained in gaining the understanding of internal control
2. The planned reduction in control risk
Figure 13-2 (p. 406) shows the role of tests of controls in the audit of the sales and collection cycle relative to other tests performed to provide sufficient appropriate evidence for the auditors opinion. Note the un shaded circles with the words Audited by TOC. For simplicity, we make two assumptions: Only sales and cash receipts trans actions and three general ledger balances make up the sales and collection cycle and the beginning balances in cash and accounts receivable were audited in the previous year and are considered correct. If auditors verify that sales and cash receipts transactions are correctly recorded in the accounting records and posted to the general ledger, they can conclude that the ending balances in accounts receivable and sales are correct.
(Cash disbursements transactions will OF have to be audited before the auditor can reach a conclusion about the ending balance in the cash account.) One way the auditor can verify recording of transactions is to perform tests of controls. If controls are in place over sales and cash receipts transactions, the auditor can perform tests of controls to determine whether the six transaction-related audit objectives are being met for that cycle. Substantive tests of transactions, which we will examine in the next section, also affect audit assurance for sales and cash receipts transactions.
Substantive Tests of TransactionsSTS
Substantive tests are procedures designed to test for dollar misstatements (often called monetary misstatements) that directly affect the correctness of financial statement balances. Auditors rely on three types of substantive tests: substantive tests of transactions, substantive analytical procedures, and tests of details of balances. Substantive tests of transactions are used to determine whether all six transactions related audit objectives have been satisfied for each class of transactions. Two of those objectives for sales transactions are recorded sales transactions exist (occurrence objective) and existing sales transactions are recorded (completeness objective for the six transaction-related audit objectives.
When auditors are confident that all transactions were correctly recorded in the journals and correctly posted, considering all six transaction-related audit objectives, they can be confident that general ledger totals are correct. Figure 13-2 illustrates the role of substantive tests of transactions in the audit of the sales and collection cycle by lightly shaded circles with the words Audited by STOT. Observe that both tests of controls and substantive tests of transactions are performed for transactions in the cycle, not on the ending account balances. The auditor verifies the recording and summarizing of sales and cash receipts transactions by performing substantive tests of transactions. Figure 13-2 shows one set of tests for sales and another for cash receipts.
analytical procedures involve comparisons of recorded amounts to expectations developed by the auditor. Auditing standards require that they be done during planning and completing the audit. Although not required, analytical procedures may also be performed to audit an account balance. The two most important purposes of analytical procedures in the audit of account balances are to: 1. Indicate possible misstatements in the financial statements
2. Provide substantive evidence
Analytical procedures done during planning typically differ from those done in the testing phase. Even if, for example, auditors calculate the gross margin during planning, they probably do it using interim data. Later, during the tests of the ending balances, they will recalculate the ratio using full-year data. If auditors believe that analytical procedures indicate a reasonable possibility of misstatement, they may perform additional analytical procedures or decide to modify tests of details of balances. When the auditor develops expectations using analytical procedures and concludes that the clients ending balances in certain accounts appear reasonable, certain tests of details of balances may be eliminated or sample sizes reduced.
Auditing standards state that analytical procedures are a type of substantive test (referred to as substantive analytical procedures), when they are performed to provide evidence about an account balance. The Extent to which auditors may be willing to rely on substantive analytical procedures in support of an account balance depends on several factors, including the precision of the expectation developed by the auditor, materiality, and the risk of material misstatement. Figure 13-2 illustrates the role of substantive analytical procedures in the audit of the sales and collection cycle by the dark shaded circles with the words Audited by AP. Observe that the auditor performs substantive analytical procedures on sales and Cash receipts transactions, as well as on the ending balances of the accounts in the cycle.
Tests of Details of Balances
Tests of details of balances focus on the ending general ledger balances for both balance sheet and income statement accounts. The primary emphasis in most tests of details of balances is on the balance sheet. Examples include confirmation of customer balances for accounts receivable, physical examination of inventory, and examination of vendors statements for accounts payable. Tests of ending balances are essential because the evidence is usually obtained from a source independent of the client, which is considered highly reliable. Much like for transactions, the auditors tests of details of balances must satisfy all balance-related audit objectives for each significant balance sheet account.
Figure 13-2 illustrates the role of tests of details of balances by the circles with half dark and half light shading and the words Audited by TDB. Auditors perform detailed tests of the ending balances for sales and accounts receivable, including procedures such as confirmation of account receivable balances and sales cutoff tests. The extent of these tests depends on the results of tests of controls, substantive tests of transactions, and substantive analytical procedures for these accounts. Tests of details of balances help establish the monetary correctness of the accounts they relate to and therefore are substantive tests. For example, confirmations test for monetary misstatements in accounts receivable and are therefore substantive tests. Similarly, counts of inventory and cash on hand are also substantive tests.
OSelect the appropriate types of audit tests
Typically, auditors use all five types of tests when performing an audit of the financial statements, but certain types may be emphasized, depending on the circumstances. Recall that risk assessment procedures are required in all audits to assess the risk of material misstatement while the other four types of tests are performed in response to the risks identified to provide the basis for the auditors opinion. Note also that only risk assessment procedures, especially procedures to obtain an understanding of controls, and tests of controls are performed in an audit of internal control over financial reporting. Several factors influence the auditors choice of the types of tests to select, including the availability of the eight types of evidence, the relative costs of each type of test, the effectiveness of internal controls, and inherent risks. Only the first two are discussed further because the last two were discussed in earlier chapters. Availability of Types of Evidence for Further Audit Procedures OEach of the four types of further audit procedures involves only certain types of evidence (confirmation, documentation, and so forth. ¢ More types of evidence, six in total, are used for tests of details of balances than for any other type of test.
¢ Only tests of details of balances involve physical examination and confirmation. ¢ Inquiries of the client are made for every type of test. ¢ Documentation is used in every type of test except analytical procedures. ¢ Re performance is used in every type of test except analytical procedures. Auditors may re perform a control as part of a transaction walkthrough or to test a control that is not supported by sufficient documentary evidence. ¢ Recalculation is used to verify the mathematical accuracy of transactions when per forming substantive test of transactions and account balances when per forming tests of details of balances.
When auditors must decide which type of test to select for obtaining sufficient appropriate evidence, the cost of the evidence is an important consideration. The types of tests are listed below in order of increasing cost:
¢ Analytical procedures
¢ Risk assessment procedures, including procedures to obtain an understanding of internal control
¢ Tests of controls
¢ Substantive tests of transactions
¢ Tests of details of balances
Analytical procedures are the least costly because of the relative ease of making calculations and comparisons. Often, considerable information about potential misstatements can be obtained by simply comparing two or three numbers. Risk assessment procedures, including procedures to obtain an understanding of internal control, are not as costly as other audit tests because auditors can easily make inquiries and observations and perform planning analytical procedures. Also, examining such things as documents summarizing the clients business operations and processes and management and governance structure are relatively cheaper than other audit tests. Because tests of controls also involve inquiry, observation, and inspection, their relative costs are also low compared to substantive tests.
However, tests of controls are more costly relative to the auditors risk assessment procedures due to a greater extent of testing required to obtain evidence that a control is operating effectively, especially when those tests of controls involve re performance. Often, auditors can perform a large number of tests of controls quickly using audit software. Such software can test controls in clients computerized accounting systems, such as in computerized accounts receivable systems that automatically authorize sales to existing customers by comparing the proposed sales amount and existing accounts receivable balance with the customers credit limit. Substantive tests of transactions cost more than tests of controls that do not include re performance because the former often require recalculations and tracings.
In a computerized environment, however, the auditor can often perform substantive tests of transactions quickly for a large sample of transactions. Tests of details of balances almost always cost considerably more than any of the Other types of procedures because of the cost of procedures such as sending confirmations and counting inventories. Because of the high cost of tests of details of balances, auditors usually try to plan the audit to minimize their use. Naturally, the cost of each type of evidence varies in different situations. For example, the cost of an auditors test-counting inventory (a substantive test of the details of the inventory balance) often depends on the type and dollar value of the Inventory, its location, and the number of different items.
Relationship between Tests of Controls and Substantive Tests To better understand tests of controls and substantive tests, lets examine how they differ. An exception in a test of control only indicates the likelihood of misstatements affecting the dollar value of the financial statements, whereas an exception in a substantive test of transactions or a test of details of balances is a financial statement misstatement. Exceptions in tests of controls are called control test deviations. From the three levels of control deficiencies: deficiencies, significant deficiencies, and material weaknesses. Auditors are most likely to believe material dollar misstatements exist in the financial statements when control test deviations are considered to be significant deficiencies or material weaknesses. Auditors should then perform substantive tests of transactions or tests of details of balances to determine whether material dollar misstatements have actually occurred.
Assume that the clients controls require an independent clerk to verify the quantity, price, and extension of each sales invoice, after which the clerk must initial the duplicate invoice to indicate performance. A test of control audit procedure is to inspect a sample of duplicate sales invoices for the initials of the person who verified the information. If a significant number of documents lack initials, the auditor should consider implications for the audit of internal control over financial reporting and follow up with substantive tests for the financial statement audit. This can be done by extending tests of duplicate sales invoices to include verifying prices, extensions, and footings (substantive tests of transactions) or by increasing the sample size for the confirmation of accounts receivable (substantive test of details of balances).
Even though the control is not operating effectively, the invoices may still be correct, especially if the person originally preparing On the other hand, if no documents or only a few of them are missing initials, the control will be considered effective and the auditor can therefore reduce substantive tests of transactions and tests of details of balances. However, some re performance and recalculation substantive tests are still necessary to provide the auditor assurance that the clerk did not initial documents without actually performing the control procedure or performed it carelessly. Because of the need to complete some re performance and recalculation tests, many auditors perform them as a part of the original tests of controls. Others wait until they know the results of the tests of controls and then determine the total sample size needed.
Relationship between Analytical Procedures and Substantive Tests Like tests of controls, analytical procedures only indicate the likelihood of misstatements affecting the dollar value of the financial statements. Unusual fluctuations in the relationships of an account to other accounts, or to nonfinancial information, may indicate an increased likelihood that material misstatements exist without necessarily providing direct evidence of a material misstatement. When analytical procedures identify unusual fluctuations, auditors should perform substantive tests of transactions or tests of details of balances to determine whether dollar misstatements have actually occurred.
If the auditor performs substantive analytical procedures and believes that the likelihood of material misstatement is low, other substantive tests can be reduced. For accounts with small balances and only minimal potential for material misstatements, such as many supplies and prepaid expense accounts, auditors often limit their tests to substantive analytical procedures if they conclude the accounts are reasonably stated.
Trade-Off between Tests of Controls and Substantive Tests
There is a trade-off between tests of controls and substantive tests. During planning, auditors decide whether to assess control risk below the maximum. When they do, they must then perform tests of controls to determine whether the assessed level of control risk is supported. (They must always perform test of controls in an audit of internal control over financial reporting.) If tests of controls support the control risk assessment, planned detection risk in the audit risk model is increased, and planned substantive tests can therefore be reduced. Figure 13-3 shows the relationship between substantive tests and control risk assessment (including tests of controls) at differing levels of internal control effectiveness
Impact of information technology on audit testing
Auditing standards provide guidance for auditors of entities that transmit process, maintain, or access significant information electronically. Examples of electronic evidence include records of electronic fund transfers and purchase orders transmitted through electronic data interchange (EDI). Evidence of the performance of automated controls, such as the computers comparison of proposed sales orders to customer credit limits, may also only be in electronic form. The standards recognize that when a significant amount of audit evidence exists in electronic form, it may not be practical or possible to reduce detection risk to an acceptable level by performing only substantive tests. For example, the potential for improper initiation or alteration of information may be greater if information is maintained only in electronic form.
In these circumstances, the auditor should perform tests of controls to gather evidence in support of an assessed level of control risk below maximum for the affected financial statement assertions. Although some substantive tests are still required, the auditor can significantly reduce substantive tests if the results of tests of controls support the effectiveness of controls. In the audit of a larger public company, computer-performed controls (these are called automated controls) must be tested if the auditor considers them to be key controls for reducing the likelihood of material misstatements in the financial statements. Because of the inherent consistency of IT processing, however, the auditor may be able to reduce the extent of testing of an automated control.
For example, software based control is almost certain to function consistently unless the program is changed. Once auditors determine an automated control is functioning properly, they can focus subsequent tests on assessing whether any changes have occurred that will limit the effectiveness of the control. Such tests might include determining whether any changes have occurred to the program and whether these changes were properly authorized and tested prior to implementation. This approach leads to significant audit efficiencies when the auditor determines that automated controls tested in the prior years audit have not been changed and continue to be subject to effective general controls.
To test automated controls or data, the auditor may need to use computer-assisted audit techniques or use reports produced by IT to test the operating effectiveness of IT general controls, such as program change controls and access controls. In many cases, testing of automated controls may be performed by IT audit specialists. When auditors test manual controls that rely on IT-generated reports, they must consider both the Effectiveness of managements review and automated controls over the accuracy of Information in the report.