Test of Control PDF

Test of Control INTRODUCTION This unit is now moving from the planning and risk assessment phase of the audit to the next phase: the response to risk phase. In this phase, the auditor performs audit procedures to respond to the assessed risks of material misstatement. These procedures include tests of controls, which are discussed in this unit, and substantive procedures, which are discussed in the next unit. What are tests of controls? ISA 330 defines a test of controls as ‘an audit procedure designed to evaluate the operating effectiveness of controls in preventing or detecting and correcting, material misstatements at the assertion level’. Tests of controls do not directly measure monetary error in the accounting records. Instead, tests of controls determine whether or not a control activity is being performed as designed. DESIGNING TESTS OF CONTROLS When taking a controls-based audit approach, the auditor is designing tests of controls to obtain evidence about the operating effectiveness of those controls. Testing controls confirms the auditor’s assessment of control risk as has been determined in the overall audit strategy. Methods to test controls include the following: Method Example(s) in the context of tests of controls Reperformance The auditor reperforms the three-way match performed by the accountant. This includes inspecting the same documents the accountant used (purchase invoice, purchase order and goods received note) and reperforming the steps to agree the respective details (date, customer, description, price, quantity). Recalculation The auditor recalculates a value automatically calculated by an IT application control to ensure the IT system is programmed correctly. Inspection The auditor inspects a sample of purchase orders to ensure they are supported by a purchase requisition form that has been approved in accordance with the company’s purchasing policy. Observation The auditor watches the inventory count being performed by the company’s warehouse staff. Enquiry The auditor asks the financial controller whether there have been any changes to the authorisation limits during the year. Note that enquiry alone is not sufficient to test the operating effectiveness of controls − the auditor must perform other procedures in conjunction with enquiry to enhance the reliability of audit evidence. Enquiry performed together with either reperformance or inspection provides greater assurance than enquiry together with observation. This is because observation is only relevant at the point in time at which it occurs. In addition, when a person performing a control activity knows they are being observed, they are less likely to bypass certain activities or ‘cut corners’. Example – Tests of controls Key assertion Risk Process and key Control Test of control account at risk Fictitious Sales Occurrence Control 1: Sale is Control 1: Select a sample sales are and recorded only if the of sales transactions from created Accuracy of details (date, the sales ledger and and revenue. customer, ensure the details (date, recorded. description, price, customer, description, Existence quantity), recorded in price, quantity) agree to Sales are and the following agree: the sales invoice, shipping invoiced at Accuracy, sales invoice, goods document and customer incorrect Valuation & delivery note and the order. amounts Allocation, customer sales order. of accounts Control 2: Select 10 weekly receivable Control 2: If details exception reports and do not agree, an determine if the reports exception report is include evidence of the generated. The review by the financial financial controller controller. Discuss with the reviews the exception financial controller the report weekly and action taken to resolve any investigates the exceptions to determine exceptions. whether the transactions were recorded correctly Customers Sales Accuracy, Control 1: Every Control 1: Select two who buy on Valuation & quarter, the financial customer credit limit credit may Allocation of controller reviews the listing reports and not have accounts customers’ credit determine if the reports the ability receivable limits based on their include evidence of the to pay for payment history and review by the financial their produces a listing of controller. Discuss with the orders all customer credit financial controller the limits process used to review Control 2: Based on credit limits for each the listing, credit customer limits for each customer are set in Control 2: Using a copy of the sales ordering the client’s system, create a system. The system is dummy customer with a configured so that it particular credit limit. does not allow a Create a sales order that customer order to be exceeds the credit limit and processed if the order attempt to place the order. exceeds the Determine that the order is customer’s credit rejected by the system. limit. Create a sales order that does not exceed the credit limit and determine that the sales order is accepted Using data analytics in designing tests of controls Due to changing business models and developments in how entities are using technology in their financial processes, auditors are expected to use technology to facilitate a more effective and efficient audit and to increase audit quality. Many audit firms currently have ongoing projects around transforming their audits through the use of technology. Where applicable, data analytics provide a more effective and efficient way of performing audit procedures than manual testing. Where the controls are automated, the auditor may use data analytics to test these controls, as shown in the following example. Example – Using data analytics to identify duplicate or missing invoices Most accounting software have sequence checks that allocate numbers to individual transactions in sequential order. This is a common type of IT application control over completeness. From the auditor’s perspective: - Missing sales invoices could indicate that revenue is understated. - The assertion at risk is completeness of revenue. To test this IT application control over the completeness of revenue, the auditor may do the following: - Obtain a list of all sales transactions from the sales ledger for the period under audit. - Use the ‘sort’ function to arrange the list in ascending order by invoice number. - Create a formula in Excel that subtracts each invoice number from the preceding invoice number. A subtraction result equal to 1 indicates there are no duplicate or missing invoice numbers. The same test can be performed manually by inspecting the hard copy register of sales invoices to determine whether invoices numbers are in an unbroken sequence however this will take significantly more time in comparison to the above testing approach. Selecting how many items to test - Sampling Depending on the frequency of the control and its other attributes, the auditor may use different methods to select how many instances of a control’s performance to test. The three main methods for selecting which items to test are as follows: - Testing 100% of items – this approach can be used, for example, when the control operates only once a year (e.g. board approval of senior management’s pay rises). - Testing specific items – this approach is not commonly used in testing controls. - Audit sampling – sampling is commonly used in testing controls. Sampling is the application of audit procedures to less than 100% of items within a population so that all sampling units have a chance of selection. The applicable Standard for audit sampling is ISA 530. Relationship Between Sampling And Audit Risk Model Detection risk arises because of two reasons i.e. sampling risk and non-sampling risk. Therefore in order to reduce detection risk it is necessary to understand and reduce both. Sampling Risk The risk that the auditor’s conclusion based on a sample may be different from the conclusion if the entire population were subjected to the same audit procedure. Sampling risk can lead to two types of erroneous conclusions: Risk of Over Reliance/Incorrect Acceptance (Affecting Audit Effectiveness Leading to Incorrect Opinion) a. Controls are more effective than they actually are in case of TOC. b. Material misstatement does not exist when in fact it does in case of substantive procedures. Risk of Under Reliance/Incorrect Rejection (Affecting Audit Efficiency Leading to Increased Work) a. Controls are less effective than they actually are in case of TOC. b. Material misstatement exists when in fact it does not in case of substantive procedure. Sampling risk can be reduced by increasing sample size and stratification. Non-Sampling Risk The risk that the auditor reaches an erroneous conclusion for any reason not related to sampling risk. Examples of non-sampling risk include use of inappropriate audit procedures. Non-sampling risk can be reduced by proper planning, supervision and review. Audit sampling in testing controls Sampling is typically used to test recurring manual controls over routine, high-volume transactions. The sample needs to be selected without bias so that all items in the population have a chance of selection. In practice, audit software is often used to select a sample. When the auditor uses sampling in tests of controls, they are concerned with the rate of deviation from an internal control. Typically, a deviation would be defined as any instance where the control did not achieve its objective to either prevent, or detect and correct, a misstatement. Understanding what a deviation is and establishing an expectation of the rate of deviation allows the auditor to design the sample and set the sample size. The rate of deviation that the auditor would find acceptable to be able to conclude that the control was operating effectively is known as the tolerable deviation rate (TDR). In practice, auditors will usually plan for an expected rate of deviation of zero. Example – Setting a tolerable deviation rate (TDR) The auditor sets a TDR of 5% in testing that payments were appropriately authorised. An actual deviation rate of 6% means that the control is not operating effectively as the actual deviation rate exceeded the tolerable deviation rate. The auditor defines a deviation as being any one of the following events: - The payment was not authorised. - The payment was not appropriately authorised − for example, company policy requires two authorisations, but only one was provided. - The payment was authorised for a certain amount, while a different amount was paid. Factors influencing sample size ISA 530 requires the size of the sample to be sufficient to reduce sampling risk to an acceptably low level. Sampling risk is the risk that the auditor’s conclusions based on a sample may be different if the entire population were selected for testing. In general, the number of items to be tested increases in the following circumstances: - As the risk of material misstatement increases. - As the auditor’s degree of reliance on the operating effectiveness of the controls increases – the greater the evidence required, the greater the extent of the auditor’s tests of controls. ISA 530 contains a list of the factors that directly influence sample size when performing tests of controls. The table below discusses some of these factors: Effect on Factors Sample Effect on Sample Size for Substantive procedure Size An increase in the Increase The greater the reliance the auditor places on the extent to which the operating effectiveness of controls, the greater the auditor’s risk extent of the auditor’s tests of controls and, therefore, assessment takes into the sample size account relevant An increased sample size provides more evidence by controls lowering the sampling risk, as the auditor is using a larger subset of the population to draw a conclusion about that population. An increase in the Increase The higher the expected rate of deviation in the expected rate of population, the larger the sample size needs to be. deviation of the population to be tested Factors relevant to the auditor’s consideration of the expected rate of deviation include: - The auditor’s understanding of the business - Changes in personnel or internal control - The results of audit procedures applied in previous periods, and of other audit procedures An increase in the Increase The larger the sample size, the greater the level of desired level of assurance the auditor receives that results of the assurance that the sample are, in fact, indicative of the population. This actual deviation rate in means that if the auditor desires an increased level of the population is not assurance, the sample size will need to be increased. more than the TDR. An increase in the TDR Decrease Assuming there is no change to the auditor’s expected rate of deviation in the population where the auditor is willing to tolerate a higher rate of deviation, less evidence is required from the sample in order to reach a conclusion By contrast, the lower the TDR, the larger the sample size needs to be. Performing tests of controls Once the audit procedure has been designed, the auditor obtains the required documentation from the client (e.g. copies of contracts for payroll controls testing over the new hires process) and then performs testing on each item selected. In the following circumstances, it may not be possible to perform testing on the item: If the audit procedure is not applicable to the selected item, then the auditor needs to perform the procedure on a replacement item. An example of this is when a customer order that has been cancelled is selected by the auditor when testing for evidence of approval of customer orders. If the auditor is satisfied that the customer order actually has been cancelled and therefore is not a deviation, an appropriate replacement item will be chosen and tested. If the auditor is not able to perform the audit procedure on the selected item (e.g. documentation has been lost), then a suitable alternative procedure may need to be performed on the selected item. Otherwise, this item would be treated as a deviation from the prescribed control. Evaluating the results of controls testing For each control tested, the auditor will need to determine whether the results support the initial assessment of control risk by concluding that either: the control is operating effectively, or the control is not operating effectively. No deviation(s) found Where there is no deviation or control breakdown found during controls testing, the auditor can conclude that the control is operating effectively. Therefore, the planned audit approach would continue as originally planned. Deviation(s) found A deviation may result in two ways: - The control is not operating as designed over the selected item. - The auditor is unable to perform either the audit procedure on the selected item (or a replacement item) or an alternative suitable procedure on the selected item. Assessing the impact of a control deviation requires the auditor to use professional judgment. The detection of a control deviation or breakdown does not automatically result in the control being ineffective. Where a control deviation or breakdown is found during controls testing, the auditor needs to consider the following courses of action: Action Explanation Investigate the The auditor will need to carefully consider the nature and cause of each nature and deviation. For example, is there an indication of management override of cause of the controls or possible fraud? Or was the problem simply a result of the person deviation responsible being on vacation? ISA 330 recognises that deviations in controls can occur as a result of a variety of factors, such as changes in key personnel, significant seasonal fluctuations in the volume of transactions, and human error. All these factors are important when determining whether the deviation is an anomaly and whether the control is operating effectively or not. Determine ISA 530 operates on the presumption that it is very rare for a deviation from whether the a prescribed control in audit sampling to be considered an anomaly. To deviation is an conclude that the deviation is an anomaly, the auditor must perform anomaly. additional procedures to obtain a high degree of certainty that the item sampled is not representative of the population. Where the auditor concludes that the deviation is an anomaly, they may conclude that the item sampled is not representative of the population and exclude its result from their overall assessment of the effectiveness of the control. The auditor would then need to select and test another item from the population as a replacement for the anomaly in order to complete the test of the control. Compare the When using audit sampling, the auditor would need to compare the ADR to actual deviation the TDR. rate (ADR) to the If the ADR < TDR, the auditor … TDR. can conclude that the control is operating effectively If the ADR > TDR, the auditor … needs to consider whether to: - increase the sample size for the test of control (in the expectation that further tests will result in ADR < TDR), or - conclude that the control is not operating effectively. Determine any If the auditor concludes that the control is not operating effectively, the other impact of planned audit approach would need to change from that originally planned. the control Therefore, the assessment of control risk would increase and more deviation or substantive procedures would need to be performed over the assertion breakdown on tested. the audit. * Sampling typically used. However, note that the auditor may test 100% of the population. ** Depending on the nature and cause of the deviation for a sampled item, there may be a potential impact on the audit work e.g. a deviation as a result of a system error may require extending the sample size and/or revising the planned reliance on the system.

Test of Control PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue