Step 1 in assessing internal control involves
Evaluating and documenting the DESIGN of the client's internal control system (obtaining an understanding of the system)
- Review prior year's work papers
- Inquiry of the client's management and staff personnel
- Observe client activities and operations
- Inspect the client's procedural manuals and system manuals (invoices, bills of lading), and records (accounting)
- Perform a "walk through": tracing transactions from the beginning will help us determine if we have a good understanding.
What are the 4 ways to test for controls?
- Inquiry of client
- Inspection of documents, reports, electronic files for compliance
- Re-performance of control by the auditor.
If controls appear to be effective, then you will
- Test controls to verify they are effective
- Assess control risk at the same level less than 100%, if the results of your tests of controls are favorable
- Plan to perform limited substantive tests
Control risk is assessed at the maximum level whenever you believe:
- (1) there are no controls related to the I/C objective being evaluated, or
- (2) controls are unlikely to be effective, or
- (3) the cost of testing controls would exceed the benefits. Allows you to cut back on the extent of your substantive tests
When testing controls in an IT environment, there may or may not be visible documentary evidence that control procedures have been performed. If visible evidence exists (e.g., source documents, computer-generated
then you can test controls using the same four procedures you listed above.
When testing controls in an IT environment, there may or may not be visible documentary evidence that control procedures have been performed. However, if visible evidence does not exist (as is often the case with controls performed by a computer), you would not be able to test controls by inspecting documents or by observing the controls being performed, and inquiry alone would not be sufficient. You must...
In these circumstances, you may test controls by using computer-assisted audit techniques (CAATs) to re-perform the control. CAATs stands for computer-assisted audit techniques.
There are several CAATs for testing controls, including:
- Parallel simulation
- Test data
- Integrated test facility
- Embedded audit module
Parallel Simulation
Taking the client's transactions and processing them in the client's system as well as the auditor's system. Compare the output of the client's system with the output of the auditor's system.
Test Data
The auditor prepares fictitious transactions, some with intentional errors, to see if the client's system catches them. The auditor examines the actual output to verify transactions.
Integrated Test Facility
A fictitious entity is created by the auditor and inserted in the client's audit system. Transactions are related to the fictitious entity and processed in the client's system throughout the accounting period; dummy results are compared with the expected results.
Embedded Audit Module
The auditor writes a section of a software program and embeds it in the client's application software. The purpose is to monitor and gather information about unusual transactions processed by the client's accounting system.
Step 4: revise risk assessments, if necessary
If your tests of controls indicate that the controls have been operating during the period under audit, then you would assess control risk at _______ or _______
Moderate or Low
If tests of controls reveal the controls have not been operating satisfactorily, then your final assessment of control risk would be _______ or _______
High or 100%
If target detection risk increases, your control risk must...
Decrease; this means the assurance needed from substantive tests increases.
What are 4 limitations of internal control?
- Human errors or mistakes can cause internal control to break down
- Controls can be circumvented by collusion between two employees
- Management has the ability to override controls
- The relative costs and benefits of controls must be consi