Wk 7 Ch 8: Types of control

• The collective assessment of the client’s control environment, risk assessment process, information system, control activities and monitoring of controls
• Control activities: (SPAID)

Separation of Duties

Physical Controls

Authorization

Independent Checks

Documents and Records

Designed to reduce the risk of misstatement due to error or fraud and to ensure that processes are operating effectively.

Controls can include any procedure used and relied upon by client to prevent errors occurring, or to detect and correct errors that occur

1.To prevent or detect misstatements in the financial report, or

2.To support the automated parts of the business in the functioning of the controls in place

CONTROLS ARE CLASSIFIED AS:

1.Manual controls

2.Automated (or application) controls  Automated or IT control

3.IT general controls (ITGCs)

4.IT-dependent manual controls

Purely manual controls do not rely on IT for operation e.g. locked cage for inventory

Could rely on IT information from others  e.g. reconcile stock count to computer generated consignment stock statements

Automated controls generally rely on client’s IT

IT general controls (ITGCs)

–Support functioning of automated controls

–Provide basis for relying on electronic evidence in audit

–

• –Types of ITGCS:
• Program change controls
• Logical access controls
• Other ITGCs, e.g. data back-up

Application controls apply to processing of individual transactions, support segregation of duties

–edit checks, validations, calculations, interfaces, authorisations

Are the audit procedures performed to test the operating effectiveness of controls in preventing or detecting and correcting material misstatements at the assertion level.

PREVENT CONTROLS can be applied to each transaction during normal processing to avoid errors occurring

Commonly automated, e.g. reject duplicate transaction

• Occurrence
• Sales are recorded for products not shipped
• Sales are recorded for nonexistent customer (record customer details first)
• Sales are recorded twice (reference sequentially)

• Completeness
• Sales are not recorded for products shipped

• Accuracy
• Sales invoice is recorded using the wrong selling price (have prices automated. no manual component)
• Sales invoice is recorded using the wrong quantity (get someone to double check)

• Cutoff
• Sales are not recorded until the next reporting period
• Sales are recorded in the period before the product is shipped (make sure invoices have dates)

• Classification
• Sales of product are recorded as a non-trade sales (someone manually checks)

DETECT CONTROLS are necessary to identify and correct errors that do enter the records.

• –Usually not applied to transaction during normal flow of processing, but applied outside normal flow to partially or fully processed transactions
• For example, cheques for payment prepared, and held by system until approved for payment, then processed

• –Wide variation in detect controls from client to client, depending on complexity, preferences
• Can be informal and formal

- Cash collections are recorded twice (have unique cheque number so cannot be entered twice)

- Cash collections are recorded for payments not received

• Completeness
• - Cash collections are not recorded
• - Cash collections are stolen

• Accuracy
• - Cash collections are recorded at the wrong amount (problem with foreign currencies)

• Cutoff
• - Cash collections are not recorded until the next reporting period
• - Cash collections are recorded in the period before they were received (look at dates)

• Classification
• - Cash collections on receivables are recorded as other cash collection

• Existence
• Accounts receivables includes nonexistent customer balances

• –Rights/Obligations
• Accounts receivables are sold to third party financing company

• –Completeness
• Accounts receivables omits customer balances

• –Valuation
• Accounts receivables has sales recorded in wrong customers account
• Accounts receivables has cash collections recorded in wrong customers accounts
• Customers cannot pay their outstanding balance
• Accounts receivables includes customer sales recorded twice
• Accounts receivables includes customer balances where cash collections were not recorded
• Accounts receivables includes balances where cash collections were recorded twice
• Accounts receivables omits customer sale that was not recorded

Completely and accurately capture all relevant data

Identify all potentially significant errors

Are performed on a consistent and regular basis

Include follow-up and correction on timely basis of any misstatements or issues detected

Management level analysis and follow-up of reviews: actual vs budgets, prior periods, competitors, industry; anomalies in performance indicators

Reconciliations with follow-up of reconciling, unusual items, to resolution and correction (e.g. bank reconciliation, subsidiary ledger to control account)

Review and follow-up of exception reports (automatically generated reports of transactions outside pre-determined parameters)


–Usually can obtain evidence of detect controls’ operation and effectiveness

ENQUIRY: Auditor questions employee performing control, management about review of control

• OBSERVATION: Auditor observes actual control being performed
• Employee might be more diligent when observed

• INSPECTION OF PHYSICAL EVIDENCE: Trace from reconciliation to accounting records or other documents
• Examine reconciling items to determine whether reconciliation detects error and action to deal with errors

RE-PERFORMANCE: Auditor re-performs control (e.g. prepares reconciliation)

Select controls that will provide most efficient and effective audit evidence

Increase efficiency by only testing controls that are critical to audit opinion – those that address the WCGWs most effectively with least amount of testing

More efficient to test controls that address multiple WCGWs

Testing must provide enough evidence to be able to reasonably conclude that control is effective

• Extent of testing based on statistical sampling (see chapter 6) or professional judgement
• Consider:

–How often is control performed? More often = more testing

–Degree of reliance on control, more = more testing

–Persuasive of evidence from testing, more = less testing

–Need to be satisfied that control operated as intended throughout period, interim testing might be required

–Existence of combination of controls that could provide increased assurance, less reliance on single control = less testing

–Relative importance of WCGW, and assurance required is based on consideration of several issues


Also consider other factors that relate to the likelihood that a control operated as intended, including

–Competence of person performing control

–Quality of control environment,

–Chance of control override

–Internal auditing work

–Effect on operation of control throughout period

–Changes in accounting system

–Unexplained changes in related account balances

–Auditor’s prior experience with client

Attribute sampling allows conclusion about population in terms of frequency of  control being performed

Carry forward benefit of certain application controls testing into future audit periods

–

–Computer will continue to perform procedure in same way until application program is changed

–

• –Verify that there are no changes to program, no need to repeat audit procedures. More likely when
• Specific program can be identified
• Application is stable
• Reliable record of program changes available

Usually at interim date, especially if controls relied upon to reduce substantive procedures

–Preferable to test entity-level controls and ITGCs early in audit because results impact other tests


–Update interim results and evaluation at year-end

Identify relevant changes in environment and controls

• Do results of control testing confirm preliminary evaluation of controls and control risk based on internal control documentation?
• If so, do not modify planned substantive procedures

If not,

–Are compensating controls available? Test

–Revise audit risk assessment for related account and the planned audit strategy

• Results of enquiries and observations - could reveal alternative controls now being relied upon and need to be tested
• Evidence provided by other tests – substantive tests can provide evidence about continued functioning of controls

• For example, examining invoice for evidence of payables balance could provide evidence of controls over purchases and payables
• Changes in overall control environment – change in key personnel could make additional control tests necessary

• Results of control testing documented in working papers
• Test performed
• Purpose of test of controls
• Actual controls selected for testing
• Results of testing- exceptions found

• Document in sufficient detail to allow another auditor to perform same test
• Extent of documentation depends on complexity of client’s operations, systems and controls
• Review impact of testing controls on rest of audit

• Human error
• Collusion
• Management override
• Cost/benefit analysis

There is often a trade-off between the cost and the effectiveness of internal controls.



The concept of reasonable assurance recognizes that the cost of an entity’s internal control should not exceed the benefits that are expected to be derived