boynton sm ch.11


Upload: eza-r

Post on 10-Sep-2015


Auditing Boynton 8th Solution

Chapter 11: Audit Procedures in Response to Assessed Risks: Tests of Controls

Learning Check

11-1. a. Assessing control risk is the process of evaluating the effectiveness of an entity's internal controls in preventing or detecting material misstatements in the financial statements.

b. Control risk should be assessed in terms of individual financial statement assertions.

11-2. In assessing control risk for an assertion, the auditor should perform the following five steps:

1. Consider knowledge acquired from procedures to obtain an understanding about whether controls pertaining to the assertion have been designed and placed in operation by the entity's management.

2. Identify the potential misstatements that could occur in the entity's assertion.

3. Identify the necessary controls that would likely prevent or detect the misstatements.

4. Perform tests of controls on the necessary controls to determine the effectiveness of their design and operation.

5. Evaluate the evidence and make the assessment.

11-3. a. In identifying both potential misstatements and necessary controls, the auditor typically uses either (1) computer software that analyzes responses to specific questions input for computerized internal control questionnaires or (2) checklists developed for the same purpose.

b. Most completeness controls compare information obtained when a transaction is authorized with information created when goods or services are shipped or received, and again with information created when the transaction is recorded. Completeness controls will also compare information created when the transaction is recorded with information associated with receipt or payment of cash (consideration). For example, a control over completeness of sales might create a report of all goods that are ordered that have not been shipped, a separate report of all items that have been shipped but not billed, and a third report of all billings that have not been collected.

c. The occurrence, accuracy, cutoff, and classification objectives are normally controlled by comparing information input for recording a transaction with information that is entered into the system when the transaction is authorized or when goods or services are shipped or received. For example, sales invoice information will usually be compared with information associated with the sales order (authorization) or the bill of lading and packing slip (shipment of goods).

11-4. a. Evidence obtained from procedures to obtain an understanding should be used by the auditor to (1) identify types of potential misstatements and (2) consider factors that affect the risk of material misstatements, such as whether controls necessary to prevent or detect the misstatements have been designed and placed in operation. This knowledge should enable the auditor to make an initial assessment of control risk for an assertion. During this process the auditor may obtain some evidence about the effectiveness of the design and operation of internal controls. However, such evidence rarely is sufficient to allow the auditor to assess control risk at moderate or low.

b. Evidence obtained from tests of controls pertains to the effectiveness of the design and/or operation of the control tested and may be used in making a final assessment of control risk for an assertion.

11-5. When evaluating the significance of any deficiency in internal control, the auditor should consider the likelihood (frequency of deviations) and the magnitude of potential misstatements. For example, when evaluating a deficiency in internal controls related to revenue recognition, the auditor needs to evaluate the percentage of the time that the control might fail (likelihood or probability) and the dollar amount of misstatement that could happen when the control fails (magnitude or materiality). The auditor will normally classify deficiencies as (1) deficiencies, (2) significant deficiencies, or (3) material weaknesses depending on the likelihood and magnitude of potential misstatements that might result from an internal control weakness.

11-6. a. Three strategies that the auditor might use when testing a system of internal controls that uses information technology include:

1. Assessing control risk based on user controls.

2. Planning for a low control risk assessment based on application controls.

3. Planning for a high control risk assessment based on general controls and manual follow-up.

b. The auditor might assess control risk as low based on two of the three above strategies, assuming that the evidence shows that the controls are effectively designed and placed in operation. First, the auditor can assess control risk as low based on user controls, such as effective performance reviews by management. Second, the auditor can assess control risk as low based on effective computer application controls. This strategy also involves effective manual follow-up of exceptions noted by application controls.

c. The auditor can assess control risk as high based on evidence obtained about both computer controls and manual follow-up procedures. The auditor may be able to develop implications about the effective operation of application controls based on inspection of exception reports and inquiries of those who follow up on exception reports. However, the auditor must perform direct tests of application controls in order to assess control risk below a high level.

11-7. a. The advantages of using computer-assisted audit techniques in performing tests of controls include:

A significant part of the entity's system of internal controls is embedded in computer programs.

There are significant gaps in the visible audit trail.

There are large volumes of records to be tested.

b. The major disadvantages of using computer-assisted audit techniques are the special knowledge and skills required, and the possible disruption of the client's IT operations while the auditor uses IT equipment, programs and files. The auditor must also test the effectiveness of manual follow-up procedures in order to determine how effective the computer controls are at preventing or detecting and correcting misstatements in assertions.

11-8. The advantages of parallel simulation include the following:

Because real data are used, the auditor can verify the transactions by tracing them to source documents and approvals.

The size of the sample can be greatly expanded at relatively little additional cost.

The auditor can independently run the test.

The disadvantages include the fact that the auditor may need special training to understand the client's program and develop a program that simulates the client's program. The auditor must also take care to determine that the data selected for simulations are representative of actual client transactions.
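A parallel simulation in miniature, added here as an illustration and not taken from the text or from any client system: the auditor's own program reprocesses real shipping data and the result is compared with the invoices the client system produced. The record layouts, field names and sample values are assumptions constructed for the example.

```python
from decimal import Decimal

# Constructed sample data standing in for real client files.
SHIPMENTS = [
    {"ship_id": "S-1001", "customer": "C-01", "item": "WIDGET", "qty": 10},
    {"ship_id": "S-1002", "customer": "C-02", "item": "GADGET", "qty": 3},
    {"ship_id": "S-1003", "customer": "C-03", "item": "WIDGET", "qty": 5},
    {"ship_id": "S-1004", "customer": "C-01", "item": "GADGET", "qty": 2},
]
PRICE_LIST = {"WIDGET": Decimal("12.50"), "GADGET": Decimal("40.00")}

# Constructed output of the client's billing program for the same period.
CLIENT_INVOICES = [
    {"invoice": "I-501", "ship_id": "S-1001", "customer": "C-01",
     "amount": Decimal("125.00")},
    {"invoice": "I-502", "ship_id": "S-1002", "customer": "C-02",
     "amount": Decimal("130.00")},
    {"invoice": "I-503", "ship_id": "S-1004", "customer": "C-01",
     "amount": Decimal("80.00")},
    {"invoice": "I-504", "ship_id": "S-1999", "customer": "C-04",
     "amount": Decimal("60.00")},
]


def simulate_billing(shipments, price_list):
    """Auditor's independent reprocessing: the invoice each shipment should yield."""
    return {
        s["ship_id"]: {
            "customer": s["customer"],
            "amount": s["qty"] * price_list[s["item"]],
        }
        for s in shipments
    }


def find_exceptions(expected, client_invoices):
    """Compare client output with the simulation and list every difference."""
    exceptions = []
    billed = set()
    for inv in client_invoices:
        exp = expected.get(inv["ship_id"])
        if exp is None:
            exceptions.append((inv["invoice"], "billed without shipment"))
            continue
        billed.add(inv["ship_id"])
        if inv["customer"] != exp["customer"]:
            exceptions.append((inv["invoice"], "billed to a different customer"))
        if inv["amount"] != exp["amount"]:
            exceptions.append((inv["invoice"], "amount differs from recomputed amount"))
    # Shipments the client program never billed (completeness).
    for ship_id in sorted(set(expected) - billed):
        exceptions.append((ship_id, "shipped but not billed"))
    return exceptions


if __name__ == "__main__":
    for ref, reason in find_exceptions(
        simulate_billing(SHIPMENTS, PRICE_LIST), CLIENT_INVOICES
    ):
        print(ref, "-", reason)
```

Each exception is then traced to source documents and approvals, which is possible because the inputs are real transactions.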

11-9. a. Under the test data approach, dummy transactions are prepared by the auditor and processed under auditor control by the client's computer program. This is often performed during a time when the auditor can take full control over the client's computer operations. In an integrated test facility approach the auditor does not control computer operations and dummy transactions are processed simultaneously with real transactions. This usually requires the creation of a small subsystem (a mini-company) within the regular IT system. It may be accomplished by creating dummy master files or appending dummy master records to existing client files. Test data, specially coded to correspond to the dummy master files, are introduced into the system together with actual transactions.

b. A common way to test programmed controls in an on-line, real-time system is to create some form of continuous monitoring. For example, an audit module might be created to tag transactions for subsequent testing, or an audit log (frequently called a systems control audit review file or SCARF) might be used to record transactions that meet particular audit criteria.

11-10. In comparison to the methodology for assessing control risk under the primarily substantive approach, the methodology under the lower assessed level of control risk approach involves obtaining and documenting a more extensive understanding of relevant policies and procedures for all five components of internal control. The component control activities often may be skipped in some cases when the primarily substantive approach is used. In addition, under the lower assessed level of control risk approach, additional or planned tests of controls must be performed in order to obtain the evidence needed to support the planned assessed level of control risk of moderate or low.

11-11. When the auditor evaluates the effectiveness of a control the auditor should assess (1) how the control was applied, (2) the consistency with which it was applied during the period, and (3) by whom it was applied.

11-12. Types of evidence to evaluate the effectiveness of internal control, and factors that affect the reliability of the evidence:

Type of evidence: Inquiries of appropriate entity personnel
Factors that affect the reliability of the evidence:
Inquiry is most effective for determining an employee's understanding of computer controls or of his or her duties, the individual's performance of those duties, and the frequency, causes, and disposition of deviations.
The results of inquiry are a form of representation by management or employees and should be corroborated by other evidence.

Type of evidence: Inspection of documents, reports, or electronic files, indicating performance of the control
Factors that affect the reliability of the evidence:
Inspection of documents may leave documentary evidence of the audit trail, such as notations on exception reports, signatures or validation stamps that indicate whether a control was performed.
Not all controls leave a documentary audit trail. Further, in some systems, documents may be retained only for a short period of time.

Type of evidence: Observation of the application of the control
Factors that affect the reliability of the evidence:
Observation also is effective for determining how an employee uses computer output and how an employee performs his or her duties.
Observation may be affected by the fact that an employee may perform procedures differently when the auditor is present.
Observation applies only to the time at which it is performed.

Type of evidence: Reperformance of the application of the control by the auditor, including CAATs
Factors that affect the reliability of the evidence:
Reperforming a control, particularly using CAATs, provides evidence about the effective functioning of the control at that point in time.
CAATs provide evidence only about the point in time at which they were performed.

11-13. a. The timing of tests of controls relates to when the evidence was obtained and the portion of the audit period to which it applies. For example, performing CAATs, such as the use of test data, applies only to the point in time when the test was performed.

b. When the auditor obtains evidential matter about the design or operation of controls during an interim period, he or she should determine what additional evidential matter should be obtained for the remaining period. Professional standards suggest that the auditor should consider the following factors when determining the evidence that needs to be obtained during the remaining period.

The significance of the assertion involved

The specific controls that were evaluated during the interim period

The degree to which the effective design and operation of those controls were evaluated

The results of the tests of controls used to make that evaluation

The length of the remaining period

The evidential matter about design or operation that may result from the substantive test performed in the remaining period.

The auditor should also obtain evidential matter about the nature and extent of any significant changes in internal control, including its policies, procedures, and personnel that occur subsequent to the interim period.

c. The auditor of a private company may consider evidence about the effective design or operation of internal controls obtained during prior audits in assessing control risk in the current audit. Professional standards state that when evaluating the use of evidence obtained in prior audits the auditor should consider:

The significance of the assertion involved.

The specific controls that were evaluated during the prior audits.

The degree to which the effective design and operation of those controls were evaluated

The results of the tests of controls used to make those evaluations

The evidential matter about design or operation that may result from substantive tests performed in the current audit.

The auditor should also consider that the longer the time elapsed since the performance of tests of controls, the less assurance it may provide. Finally, the auditor needs to evaluate evidence in the current period about whether changes have occurred in internal control, including its policies, procedures, and personnel, subsequent to the prior audits, as well as the nature and extent of any such changes.

Evidence obtained in the prior period is not a substitute for evidence obtained in the current period. After considering the factors that affect evidence obtained in the prior period and evidence obtained about changes in the current period, the evidence may support either increasing or decreasing the additional evidential matter about the effectiveness of design and operation to be obtained in the current period.

Students should note that standards are different for auditors of public companies. If the auditor is issuing an opinion on the effectiveness of internal controls over financial reporting, evidence supporting that opinion must be obtained from the current audit period.

11-14. a. In general, the lower the planned assessed level of control risk, the greater the extent of tests of controls.

b. Three factors bear on the auditor's decisions about tests of controls: (1) the nature of the control, (2) the frequency of operation of the control, and (3) the importance of the control.

With respect to the nature of the control, the auditor should subject manual controls to more extensive testing than automated controls. A single test of each condition of a programmed control may be sufficient to obtain a high level of assurance that the control operated effectively if general controls are also operating effectively. However, manual controls usually require more extensive testing. In general, as the level of complexity and the level of judgment in the application of a control increase, the extent of the auditor's testing should also increase. If the level of competency of the person performing the control decreases, the extent of testing should also increase.

With respect to the frequency of operation of the control, the more frequent the operation of a manual control, the more operations of the control the auditor should test. Controls that operate daily should be tested more extensively than controls that operate monthly (account reconciliations), or quarterly (quarter end reviews).

With respect to the importance of the control, controls that are more important should be tested more extensively. Some controls, such as the control environment or computer general controls, have a pervasive impact on other controls and should be subjected to more extensive tests than controls that are less important to the audit strategy.

11-15. It might be appropriate to use a computer audit specialist to evaluate computer general controls and application controls. It might also be appropriate to bring in a health care industry expert to evaluate the risk of incorrect Medicare billing, or a banking industry expert to evaluate FDIC regulatory compliance.

Entry level staff usually have sufficient qualifications to evaluate internal controls over routine transactions, such as sales, purchases, or payroll.

11-16. Dual-purpose tests occur when the auditor simultaneously performs tests of controls and substantive tests of details of transactions to detect monetary errors on the same transactions.

11-17. a. For an account affected by a single transaction class, the control risk assessment for a particular account balance assertion is the same as the control risk assessment for the same transaction class assertion. Thus, control risk for the existence or occurrence assertion for the sales account balance is the same as the control risk assessment for the existence or occurrence assertion for the sales transactions class. The actual control risk assessment is then compared with the planned control risk assessment for the assertion. If the actual assessment is not greater than the planned assessment for the assertion, the planned level of substantive tests is supported.

b. For an account affected by more than one transaction class (a balance sheet account), the combined control risk assessment is based on the control risk assessment for the transaction class assertions that increase the account balance and the transaction class assertions that decrease the account balance. Thus, control risk for the existence of accounts receivable is based on the combined control risk assessments for the occurrence of sales and the completeness of cash receipts transactions and the completeness of sales returns and allowances.

11-18. When the control risk assessments for the relevant transaction class assertions differ, the auditor may (1) judgmentally weigh the significance of each assessment in arriving at a combined assessment or (2) use the most conservative (highest) of the relevant assessments. The assessment for each related transaction class assertion must be considered because a misstatement in any of the relevant transaction class assertions could produce a misstatement in the account balance assertion.

11-19. a. The requirements for documenting the assessed level of control risk are: (1) control risk at maximum - only this conclusion needs to be documented; (2) control risk below the maximum - the basis for the assessment must also be documented.

b. In practice, documentation of the assessed level of control risk often takes the form of narrative memoranda organized by financial statement assertions.

11-20. a. The auditor is required to identify and report to the audit committee, or other entity personnel with equivalent authority and responsibility, certain conditions that relate to an entity's system of internal control observed during an audit. In particular, the auditor should report significant deficiencies or material weaknesses in internal control.

b. Both significant deficiencies and material weaknesses have more than a remote likelihood of occurrence. They differ in the magnitude of misstatement that might result from the deficiency. The magnitude of misstatement in a significant deficiency is more than inconsequential. The magnitude of misstatement associated with a material weakness is material.

Comprehensive Questions

11-21. (Estimated time 30 minutes)

a. An auditor may assess control risk at the maximum level for some or all assertions because the auditor believes internal controls are unlikely to pertain to an assertion, are unlikely to be effective, or because evaluating their effectiveness would be inefficient.

b. To support assessing control risk at less than the maximum level, an auditor must determine whether internal controls are suitably designed to prevent or detect material misstatements in specific financial statement assertions and obtain evidence through tests of controls that the policies and procedures are operating effectively.

c. When seeking a further reduction in the planned assessed level of control risk, the auditor should consider the likelihood that evidence can be obtained in a cost-efficient manner to support a lower assessment.

d. The auditor's understanding of the internal controls should be documented in the form of completed questionnaires, flowcharts, and/or narrative memoranda. The auditor's decisions regarding the type of evidence, the source of evidence, the timeliness of evidence, the existence of other evidential matter, and audit staffing should be documented in an audit program and related working papers. When the auditor's assessment of control risk is at the maximum level, only that conclusion needs to be documented. When the assessment is that control risk is below the maximum, the basis for the assessment must also be documented.

11-22. If the auditor wants to assess control risk at a low level, the auditor needs to put the following combination of tests of controls together to have compelling evidence that the programmed control functioned effectively throughout the period.

The auditor needs evidence to support the conclusion that computer general controls are effective.

The auditor needs evidence from CAATs to conclude that the programmed control is effectively matching sales invoices with underlying shipping information.

The auditor needs evidence that items that appear on exception reports are followed up and corrected on a timely basis.

11-23. (Estimated Time 25 minutes)

a. Obtaining and documenting the understanding
Primarily substantive approach: Less extensive, focusing on four of the five components (control procedures may not be relevant).
Lower assessed level of control risk approach: More extensive with coverage of all five components.

b. Performing concurrent tests of controls
Primarily substantive approach: The auditor will usually consider the evidence about operating effectiveness obtained while understanding internal controls.
Lower assessed level of control risk approach: The auditor will usually consider the evidence about operating effectiveness obtained while understanding internal controls.

c. Making an initial assessment of control risk
Primarily substantive approach: Performed based on evidence obtained while understanding internal controls.
Lower assessed level of control risk approach: The initial assessment based on evidence obtained while understanding internal controls will probably not support a low control risk assessment.

d. Performing additional or planned tests of controls
Primarily substantive approach: Not usually performed under this strategy.
Lower assessed level of control risk approach: Additional evidence is needed to support lower assessed level of control risk.

e. Making a final assessment of control risk
Primarily substantive approach: Same as initial assessment under this strategy.
Lower assessed level of control risk approach: Done after completing additional or planned tests of controls.

f. Documenting the control risk assessment
Primarily substantive approach: If control risk is at the maximum, only this conclusion needs to be documented. If below the maximum, the basis for the conclusion must also be documented.
Lower assessed level of control risk approach: If below the maximum, both the conclusion and the basis for the conclusion must be documented.

Designing substantive tests
Primarily substantive approach: Tests must be designed for a high level of substantive tests and low level of detection risk.
Lower assessed level of control risk approach: Tests should be designed for a low level of substantive tests and a moderate or high level of detection risk.

11-24. (Estimated time: 35 minutes)

Category of general controls, possible misstatement, and possible test of controls:

1. Organization and operation
Possible misstatement: Computer operators may modify programs to bypass program controls.
Possible test of controls: Observe segregation of duties within IT.

2. Access
Possible misstatement: Unauthorized users may gain access to computer equipment.
Possible test of controls: Inspect segregation of duties within IT.

3. Hardware and systems software
Possible misstatement: Unauthorized changes in systems software may result in processing errors.
Possible test of controls: Examine evidence of approval and documentation of changes.

4. Data and procedural
Possible misstatement: Continuity of operations may be disrupted by a disaster.
Possible test of controls: Examine contingency plan.

5. Data and procedural
Possible misstatement: Errors may be made in inputting, processing, or outputting of data.
Possible test of controls: Observe operation of data control group.

6. Organization and operation
Possible misstatement: IT personnel may initiate and process unauthorized transactions.
Possible test of controls: Observe segregation of duties between user departments and IT.

7. Systems development and documentation
Possible misstatement: Unauthorized program changes may result in unanticipated processing errors.
Possible test of controls: Examine evidence of independent check of proper authorization, testing, and documentation.

8. Access
Possible misstatement: Data files and programs may be processed or altered by unauthorized users.
Possible test of controls: Use of a library, librarian, and logs to restrict access and monitor usage.

9. Hardware and systems software
Possible misstatement: Equipment malfunctions may result in processing errors.
Possible test of controls: Examine hardware and systems software specifications.

10. Systems development and documentation
Possible misstatement: Systems designs may not meet the needs of user departments or auditors.
Possible test of controls: Examine evidence for approval of new systems.

11. Organization and operation
Possible misstatement: IT personnel may process unauthorized transactions.
Possible test of controls: Observe segregation of duties between user departments and IT.

12. Data and procedural
Possible misstatement: Data files and programs may be lost.
Possible test of controls: Examine storage facilities.

11-25. (Estimated Time: 30 minutes)

For each item: a. potential misstatement, b. computer or manual control, c. possible test of controls.

1. a. Bank balance per books may not agree with balance per bank.
b. Manual.
c. Inspect bank reconciliations and test accuracy on a sample basis. Note who prepared the reconciliation and when the reconciliation was prepared.

2. a. Checks may not be recorded.
b. Computer and manual follow-up.
c. Test computer control generating the daily check summary with CAATs. Inspect daily check summaries and determine effectiveness of manual follow-up.

3. a. Vendor may be paid twice from supporting documentation.
b. Manual.
c. Inspect supporting documents for evidence of cancellation.

4. a. Unused checks may be stolen.
b. Manual.
c. Observe physical controls over unused checks.

5. a. An issued check may not be accounted for.
b. Computer.
c. Test computer program listing gaps in check sequence and inspect manual follow-up procedures to determine that gaps in sequence are adequately explained and there are no duplicate check numbers.

6. a. Classification errors may be made in journalizing.
b. Manual.
c. Inquire of supervisor about classifications and inspect evidence of supervisory review.

7. a. Check amounts may be altered.
b. Computer or check protection machine.
c. Observe use of check protection device; inspect checks for imprinted amounts.

8. a. Posting errors could be made.
b. Manual.
c. Observe segregation of duties.

9. a. An issued check may not be journalized.
b. Computer and manual follow-up.
c. Test computer control generating the daily check summary with CAATs. Compare daily check summaries and check register entries and determine effectiveness of manual follow-up.

11-26. (Estimated Time 35 minutes)

For each item: a. potential misstatement, b. computer or manual control, c. possible test of controls.

1. a. Sales may be made to customers who cannot pay.
b. Both manual and computer.
c. Test manual controls over checking credit history with inquiry, observation, and inspection of documents. Submit test data for a sale that exceeds the customer's credit limit.

2. a. Goods might be shipped to unauthorized customers.
b. Manual.
c. Observe segregation of duties.

3. a. Sales may not be recorded.
b. Computer.
c. Submit test data where shipments exceed recorded sales.

4. a. Revenue may be recognized before goods are shipped.
b. Computer.
c. Submit test data for recorded sales that are not supported by shipments.

5. a. Sales may be recorded in wrong amounts.
b. Computer.
c. Submit test data for sales invoices that do not match underlying quantities or prices.

6. a. Sales may be recorded in the wrong accounting period.
b. Computer.
c. Submit test data to record sales invoices in a period other than when goods are shipped.

7. a. Sales may be billed to the wrong customer.
b. Computer.
c. Submit test data to record sales invoices for customers other than the customer to whom goods were shipped.

8. a. Various errors may occur in the process of recording sales.
b. Manual.
c. Review notes made by management on weekly sales reports and determine the extent of management follow-up of errors noted.

9. a. The company can systematically recognize revenue in the wrong accounting period.
b. Manual.
c. Review the minutes of a disclosure committee and make inquiries of disclosure committee members as to their review of revenue recognition policies.

10. a. The company may under or over provide for doubtful accounts.
b. Manual.
c. Reperform controls over the process of estimating the provision for doubtful accounts.
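The test data approach applied to several of the computer controls listed above, as an added example that is not part of the original solutions: a deck of dummy transactions, one per condition, each with a predetermined result, is run through the program under test and any difference is reported as a deviation. The function client_sales_edit is a hypothetical stand-in for the client's billing program with one seeded weakness (no cutoff check); the master records, field names and values are constructed.

```python
from datetime import date

# Dummy master records created for the test, not real customers or shipments.
CUSTOMERS = {"TEST-01": {"credit_limit": 1000}, "TEST-02": {"credit_limit": 1000}}
SHIPMENTS = {
    "TS-1": {"customer": "TEST-01", "qty": 5, "price": 20,
             "shipped": date(2015, 12, 30)},
    "TS-2": {"customer": "TEST-01", "qty": 100, "price": 20,
             "shipped": date(2015, 12, 30)},
}


def client_sales_edit(txn):
    """Hypothetical stand-in for the client's program. In an engagement the
    deck is processed by the client's real program under auditor control.
    Seeded weakness: the invoice period is never compared with the ship date."""
    ship = SHIPMENTS.get(txn["ship_id"])
    if ship is None:
        return "REJECT: no supporting shipment"
    if txn["customer"] not in CUSTOMERS or ship["customer"] != txn["customer"]:
        return "REJECT: customer does not match shipment"
    if txn["qty"] != ship["qty"] or txn["price"] != ship["price"]:
        return "REJECT: quantity or price does not match shipment"
    if txn["qty"] * txn["price"] > CUSTOMERS[txn["customer"]]["credit_limit"]:
        return "REJECT: exceeds credit limit"
    return "ACCEPT"


def make_txn(**overrides):
    """A valid dummy sale; each test case changes exactly one condition."""
    base = {"customer": "TEST-01", "ship_id": "TS-1", "qty": 5, "price": 20,
            "invoice_date": date(2015, 12, 30)}
    base.update(overrides)
    return base


# (condition tested, dummy transaction, result predetermined by the auditor)
TEST_DECK = [
    ("valid sale", make_txn(), "ACCEPT"),
    ("exceeds credit limit", make_txn(ship_id="TS-2", qty=100), "REJECT"),
    ("no supporting shipment", make_txn(ship_id="TS-404"), "REJECT"),
    ("quantity differs from shipment", make_txn(qty=6), "REJECT"),
    ("price differs from shipment", make_txn(price=25), "REJECT"),
    ("wrong accounting period",
     make_txn(invoice_date=date(2016, 1, 4)), "REJECT"),
    ("billed to wrong customer", make_txn(customer="TEST-02"), "REJECT"),
]


def run_deck(program, deck):
    """Return (condition, expected, actual) for every case that deviates."""
    deviations = []
    for condition, txn, expected in deck:
        actual = program(txn).split(":")[0]
        if actual != expected:
            deviations.append((condition, expected, actual))
    return deviations


if __name__ == "__main__":
    for condition, expected, actual in run_deck(client_sales_edit, TEST_DECK):
        print(f"DEVIATION {condition}: expected {expected}, got {actual}")
```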

11-27. (Estimated Time: 30 minutes)

For each item: a. control function, b. control procedure, c. possible test of controls.

1. a. Input.
b. Online edit checks.
c. Test edit routine with CAATs and observe responses to on-line edit messages.

2. a. Output.
b. Reconciliation of totals by data control group and user departments.
c. Examine evidence of reconciliations performed.

3. a. Processing.
b. Use of limit and reasonableness checks.
c. Test limit and reasonableness tests with CAATs and observe and inspect evidence of manual follow-up procedures.

4. a. Processing.
b. Use of external and internal file labels.
c. Observe use of external file labels.

5. a. Output.
b. Use of report distribution control sheets, or use of passwords to limit access to data and report writing capabilities.
c. Inspect distribution control sheets, or observe control over passwords and test effectiveness in limiting access to data files.

6. a. Input.
b. Use of error logs; return to user department for correction.
c. Inspect logs and evidence of user correction of data.

7. a. Processing.
b. Use of control totals.
c. Examine evidence of control total reconciliations.

8. a. Input.
b. Use of password to limit access to user by departments.
c. Observe control over passwords and test effectiveness in limiting access to data files.

9. a. Input.
b. Follow-up by data control group.
c. Inspect evidence of follow-up by data control group.

11-28 (Estimated Time 20 minutes)

| Control | Assertion |
|---|---|
| 1. Computer generates prenumbered control over requisitions and purchase orders and checks numerical sequence. | Completeness |
| 2. Computer compares account distribution on the voucher with account distribution on purchase requisition or purchase order. | Presentation and disclosure |
| 3. Computer checks batch totals and run-to-run totals to ensure that all transactions are processed. | Completeness |
| 4. Computer match of voucher information regarding vendor, type of good, quantity of goods, and dollar amount against authorized purchase order and receiving report. | Valuation and allocation |
| 5. Computer checks for a valid purchase order in order to initiate receiving report. | Existence and occurrence |
| 6. Computer verification of employee authorization code to enter requisition or purchase order. | Existence and occurrence |
| 7. Computer performs limit test on requisitions and purchase orders. Necessary approvals tied to limit test. | Valuation and allocation |
| 8. Computer checks the mathematical accuracy of the voucher and supporting documents. | Valuation and allocation |
| 9. Computer compares vendor on purchase order to master vendor file. | Existence and occurrence |
| 10. Computer checks for goods ordered and not received within a reasonable period of time. | Completeness |
| 11. Computer checks for goods received but not recorded as a liability within a reasonable period of time. In the case of services, the computer checks for services ordered but not recorded as a liability within a reasonable period of time. | Completeness |
| 12. Computer compares accounting period in which the voucher is recorded with the accounting period received. | Existence and occurrence or Completeness |
| 13. Computer checks the mathematical accuracy of the voucher and supporting documents. | Valuation and allocation |
| 14. Computer compares sum of subsidiary ledger accounts with general ledger control account. | Valuation and allocation |
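As an added illustration (not part of the original solution), the sketch below re-performs controls 1, 4, 10 and 11 from the 11-28 list over extracted purchase-cycle records, the way an auditor might with a computer-assisted audit technique. All records, field names, the period-end date and the 30-day "reasonable period" are constructed assumptions.

```python
from datetime import date

# Constructed sample extracts (not from the text): purchase orders, receiving
# reports and vouchers as they might be pulled from the client's files.
PURCHASE_ORDERS = [
    {"po": 1001, "vendor": "V01", "qty": 10, "ordered": date(2024, 11, 4)},
    {"po": 1002, "vendor": "V02", "qty": 5, "ordered": date(2024, 11, 6)},
    {"po": 1004, "vendor": "V01", "qty": 8, "ordered": date(2024, 12, 20)},
    {"po": 1005, "vendor": "V03", "qty": 3, "ordered": date(2024, 11, 12)},
]
RECEIVING_REPORTS = [
    {"rr": 501, "po": 1001, "qty": 10, "received": date(2024, 11, 15)},
    {"rr": 502, "po": 1002, "qty": 5, "received": date(2024, 11, 20)},
    {"rr": 503, "po": 1004, "qty": 6, "received": date(2024, 12, 28)},
]
VOUCHERS = [
    {"voucher": 9001, "po": 1001, "rr": 501, "vendor": "V01", "qty": 10},
    {"voucher": 9002, "po": 1004, "rr": 503, "vendor": "V01", "qty": 8},
]
AS_OF = date(2024, 12, 31)   # constructed period-end date
MAX_DAYS = 30                # assumed meaning of "a reasonable period of time"


def sequence_gaps(numbers):
    """Control 1: numbers missing from a prenumbered document sequence."""
    present = set(numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def ordered_not_received(pos, rrs, as_of=AS_OF, max_days=MAX_DAYS):
    """Control 10: purchase orders older than max_days with no receiving report."""
    received = {r["po"] for r in rrs}
    return [p["po"] for p in pos
            if p["po"] not in received and (as_of - p["ordered"]).days > max_days]


def received_not_vouchered(rrs, vouchers, as_of=AS_OF, max_days=MAX_DAYS):
    """Control 11: receiving reports older than max_days with no voucher,
    i.e. goods received but no liability recorded."""
    vouchered = {v["rr"] for v in vouchers}
    return [r["rr"] for r in rrs
            if r["rr"] not in vouchered and (as_of - r["received"]).days > max_days]


def three_way_match(vouchers, pos, rrs):
    """Control 4: each voucher must agree with a purchase order and a receiving report."""
    po_by_no = {p["po"]: p for p in pos}
    rr_by_no = {r["rr"]: r for r in rrs}
    exceptions = []
    for v in vouchers:
        po, rr = po_by_no.get(v["po"]), rr_by_no.get(v["rr"])
        if po is None or rr is None:
            exceptions.append((v["voucher"], "missing purchase order or receiving report"))
        elif v["vendor"] != po["vendor"]:
            exceptions.append((v["voucher"], "vendor differs from purchase order"))
        elif v["qty"] != rr["qty"]:
            exceptions.append((v["voucher"], "quantity billed differs from quantity received"))
    return exceptions


def exception_report():
    """Collect every exception a data control group would need to follow up."""
    return {
        "missing_po_numbers": sequence_gaps([p["po"] for p in PURCHASE_ORDERS]),
        "ordered_not_received": ordered_not_received(PURCHASE_ORDERS, RECEIVING_REPORTS),
        "received_not_vouchered": received_not_vouchered(RECEIVING_REPORTS, VOUCHERS),
        "match_exceptions": three_way_match(VOUCHERS, PURCHASE_ORDERS, RECEIVING_REPORTS),
    }


if __name__ == "__main__":
    for name, items in exception_report().items():
        print(name, items)
```

An empty list for a check is evidence the programmed control would have had nothing to report; a non-empty list is the exception listing whose follow-up the auditor then inspects.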

11-29. (Estimated Time 30 minutes)

a. Auditing "around" the computer generally refers to examinations of transactions in which a representative sample of transactions is traced from the original source documents, perhaps through existing intermediate records in hard copy, to output reports or records, or from reports back to source documents. Little or no attempt is made to audit the computer program or procedures employed by the computer to process the data. This audit approach is based on the premise that the method of processing data is irrelevant as long as the results can be traced back to the input of data and the input can be validated. If the sample of transactions has been handled correctly, then the system outputs can be considered to be correct within a satisfactory degree of confidence.

The auditor might also audit around the computer when testing manual controls over computer output. If such controls are effective, the auditor can test these controls directly rather than testing computer application controls.

b. The CPA would decide to audit "through" the computer instead of "around" the computer (1) when the computer applications become complex, or (2) when transaction trails become partly obscured and external evidence is not available. Auditing "around" the computer would be inappropriate and inefficient in the examination of transactions when the major portion of the system of internal control is embodied in the IT system. Auditing "around" the computer will also be ineffective if the sample of transactions selected for auditing does not cover unusual transactions that require special treatment.

c. 1. Test data usually represent a full range of simulated transactions, some of which may be erroneous, to test the effectiveness of the programmed controls in identifying misstatements and to ascertain how transactions would be handled (accepted or rejected). The auditor also wants to determine, if accepted, the effect they would have on the accumulated accounting data and, if rejected, the output that is generated for manual follow-up.

2. The auditor may use test data to gain a better understanding of what the data processing system does, and to check its conformity to desired objectives. Test data may be used to test the accuracy of programming by comparing computer results with results predetermined manually. Test data may also be used to determine whether or not errors can occur without observation and thus test the application's ability to detect noncompliance with prescribed procedures and methods. Assurance is provided by the fact that if one transaction of a given type passes a test, then all transactions containing the identical test characteristics will, if the appropriate control features are functioning, pass the same test. Accordingly, the volume of test transactions of a given type is not important. However, the auditor does need to test computer general controls to gain assurance that the program operates consistently over time.

d. In addition to actually observing the processing of data by the client, the auditor can be satisfied that the computer programs presented are actually being used by the client to process its accounting data by requesting the program on a surprise basis from the IT librarian and using it to process test data.

The CPA may also request on a surprise basis that the program be left in the computer at the completion of processing so that he or she may use the program to process test data. This procedure may reveal computer operator intervention, as well as assuring that a current version of the program is being tested. This is an especially important consideration in newly organized computer systems undergoing many program changes. To gain further assurance about this matter, the CPA should inquire into the client's procedures and controls for making program changes and erasing superseded programs, and should examine logs showing programs used when available.

11-30. (Estimated Time 30 minutes)

a. The internal controls pertaining to input of information that should be in effect because an on-line / real-time computer processing system is employed should include:

A self-checking digit or some other redundant check should be used with every account number to prevent an entry to a wrong account.

A daily record of all transaction inputs from each input terminal should be produced as a by-product of the computer processing so as to provide this supplemental record.

IT personnel should not initiate inputs to the computer (except for testing purposes) so that a proper segregation of duties is maintained. Any testing should be done after regular processing is completed and should be recorded in the computer log.

The internal audit staff should not initiate input because they would be checking their own work.

Computer file security should be provided to assure that entries are not made to the accounts except during normal processing periods.

b. The internal controls which should be in effect pertaining to matters other than information input are as follows:

Account balances should be backed-up or printed at regular intervals to provide for record reconstruction and testing.

Limit tests should be included in the computer program to permit ready identification of obvious exceptions, e.g., a withdrawal from an account should not exceed the balance on deposit in the account.

The internal audit staff should have the responsibility for testing accounts and transactions and checking error listings. Adjustments to the accounts proposed by the internal audit staff should first be approved by a responsible official and then be recorded in the normal manner so as to provide proper segregation of work.

Account balance printouts and transaction records necessary to reconstruct the accounts should be maintained in a separate location from the computer file storage as a precaution against simultaneous destruction.

There should be provision for continued operation to avoid a time loss in case of computer failure, e.g., each terminal should have mechanical registers in addition to the computer's electronic registers.

Security should be provided at each terminal to assure that certain operations could be initiated only by authorized personnel.

A back-up / auxiliary power source should be available to allow orderly shutdown in the event of a loss of electrical power.

11-31. (Estimated Time - 20 minutes)
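The following added example (not part of the original solution) programs several of the controls listed in 11-30, namely a self-checking digit, terminal security, a limit test and a record of every input, and then exercises them with auditor test data as described in 11-29 c. The Luhn mod-10 scheme, account numbers, terminal IDs, amounts and the choice to run against a copy of the master file are all assumptions constructed for illustration.

```python
import copy

# Constructed master file and terminal table (assumptions, not from the text).
ACCOUNTS = {"12345674": 500, "40001232": 75}   # account number -> balance
TERMINAL_RIGHTS = {"T01": {"deposit", "withdrawal"}, "T02": {"deposit"}}


def check_digit_ok(account):
    """Self-checking digit: Luhn mod-10 over the whole account number."""
    if not (account.isascii() and account.isdigit()) or len(account) < 2:
        return False
    total = 0
    for position, char in enumerate(reversed(account)):
        digit = int(char)
        if position % 2 == 1:          # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def process(txn, accounts, journal):
    """Apply the programmed controls and journal every input, accepted or not."""
    terminal, kind, account, amount = txn
    if kind not in TERMINAL_RIGHTS.get(terminal, set()):
        result = "rejected: terminal not authorized"
    elif not check_digit_ok(account):
        result = "rejected: check digit"
    elif account not in accounts:
        result = "rejected: unknown account"
    elif amount <= 0:
        result = "rejected: invalid amount"
    elif kind == "withdrawal" and amount > accounts[account]:
        result = "rejected: limit test"   # withdrawal may not exceed the balance
    else:
        accounts[account] += amount if kind == "deposit" else -amount
        result = "accepted"
    journal.append((terminal, kind, account, amount, result))
    return result


# Auditor's test data: one transaction per condition, each paired with the
# result predetermined manually before the run.
TEST_DECK = [
    (("T01", "deposit", "12345674", 100), "accepted"),
    (("T01", "withdrawal", "40001232", 50), "accepted"),
    (("T01", "withdrawal", "40001232", 50), "rejected: limit test"),   # balance is now 25
    (("T01", "deposit", "12345764", 100), "rejected: check digit"),    # transposed digits
    (("T02", "withdrawal", "12345674", 10), "rejected: terminal not authorized"),
    (("T01", "deposit", "00000000", 10), "rejected: unknown account"),
]
EXPECTED_BALANCES = {"12345674": 600, "40001232": 25}   # predetermined manually


def run_test_deck(deck=TEST_DECK):
    """Run the deck against a copy of the master file and list any results
    that differ from the auditor's predetermined expectations."""
    accounts = copy.deepcopy(ACCOUNTS)
    journal = []
    discrepancies = []
    for txn, expected in deck:
        actual = process(txn, accounts, journal)
        if actual != expected:
            discrepancies.append((txn, expected, actual))
    return discrepancies, accounts, journal


if __name__ == "__main__":
    discrepancies, balances, journal = run_test_deck()
    print("discrepancies:", discrepancies)
    print("balances agree:", balances == EXPECTED_BALANCES)
    print("inputs journaled:", len(journal))
```

The deck carries one transaction per condition because, as 11-29 c.2 notes, the volume of test transactions of a given type is not important.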

To determine detection risk for an account balance assertion, the auditor should determine a combined control risk assessment for the assertion by considering the control risk assessments for relevant assertions pertaining to the transaction classes that affect (increase or decrease) the account balance. The appropriate relationships are shown in the following tabulation.

| Account | Transaction Class That Increases Account | Transaction Class That Decreases Account | Account Balance Control Risk Assessment: Existence or occurrence | Account Balance Control Risk Assessment: Completeness | Account Balance Control Risk Assessment: Valuation or Allocation |
|---|---|---|---|---|---|
| Cash | Cash receipts | Cash disbursements | Low (1) | Moderate (5) | Low (9) |
| Accounts receivable | Credit sales | Cash receipts & Sales Adjustments | Moderate (2) | Low (6) | Moderate (10) |
| Accounts payable | Purchases | Cash disbursements and Purchase Returns | Low (3) | Low (7) | Low (11) |
| Sales | Credit Sales | | Low (4) | Low (8) | Low (12) |

(1) This is the most conservative of the control risk assessments for occurrence of cash receipts (low) and the completeness of cash disbursements (low).

(2) This is the most conservative of the control risk assessments for occurrence of credit sales (low), the completeness of cash receipts (moderate), and the completeness of sales returns and allowances (moderate).

(3) This is the most conservative of the control risk assessments for occurrence of purchases (low), the completeness of cash disbursements (low), and the completeness of purchase returns (moderate).

(4) This is just the control risk assessment for the occurrence of credit sales (low).

(5) This is the most conservative of the control risk assessments for the completeness of cash receipts (moderate), and the occurrence of cash disbursements (low).

(6) This is the most conservative of the control risk assessments for the completeness of credit sales (low), the occurrence of cash receipts (low) and the occurrence of sales returns and allowance (low).

(7) This is the most conservative of the control risk assessments for the completeness of purchases (low), the occurrence of cash disbursements (low) and the occurrence of purchase returns (low).

(8) This is just the control risk assessment for the completeness of credit sales (low).

(9) This is the most conservative combination of the valuation or allocation assertions for cash receipts (low) and cash disbursements (low).

(10) This is the most conservative combination of the valuation or allocation assertions for credit sales (low), cash receipts (low), and sales returns (moderate).

(11) This is the most conservative combination of the valuation or allocation assertions for purchases (low), cash disbursements (low), and purchases returns (low).

(12) This is just the control risk assessment for the valuation of credit sales (low).

Cases

11-32. (Estimated Time - 50 minutes)

| Category | a. Weakness | b. Recommended Improvement |
|---|---|---|
| 1. Organization and operation | The EDP manager reports to a significant user department. | EDP manager should report to president or some other nonuser officer. |
| | There is improper segregation of functions between programming and computer operations. | Programming and computer operations should be separated. |
| | There is no data control group. | A data control group should be established. |
| 2. Systems development and documentation controls | Program documentation is inadequate. | All programs should be fully documented. |
| | An operator's manual is not provided. | An operator's manual should be provided to facilitate the running of computer programs. |
| | Operators can change programs. | Only programmers should be able to change programs. |
| | User department is not involved in the design or approval of new systems. | User department representatives should be included in system design, and system specifications should be reviewed and approved by user department. |
| | Undocumented "patch" changes are made in programs by a programmer. | All program changes should be documented and approved by the EDP manager or a designated supervisor. |
| 3. Hardware controls and systems software controls | There is no mention of the existence of these controls. | Essential hardware controls such as dual read, parity check, echo check, and read after write should be installed. |
| 4. Access Controls | EDP department is located above an explosive chemical department. | EDP should have separate facilities with special protection against theft, vandalism, and possible disasters. |
| | Information on program and data tape files is stored in machine room. | Such information should be stored in a locked and fireproof library with restricted access. |
| | Too many people are permitted in the machine room. | Only authorized operators and supervisory personnel should be allowed into the machine room, which should be locked at all times. |
| | Operators have unlimited access to data, files, etc. | Operators should only have restricted access to tape files, programs, and operating instructions. |
| 5. Data and procedural controls | Operators are not properly supervised and their work is not reviewed. | Console sheets should be reviewed and a log of machine activity should be maintained. |
| | Operators can make changes in operating procedures when they encounter difficulties. | Changes in operating procedures should be approved by a supervisor or the EDP manager. |
| | No back-up equipment is provided. | Back-up equipment should be provided at another location and the capability of such equipment should be tested periodically. |
| | There is no definite retention plan. | A definite plan, such as the grandfather-father-son, should be implemented. |
| | There is no provision for a data control group to monitor EDP activity. | A data control group should be established. |
| 6. Input Controls | There apparently are no controls over input data. | A data control group should control input data through review of data and control totals. |
| | No mention is made of controls over conversion of input data into machine-readable form. | There should be computer editing and verification. |
| | No provision seems to be made for resubmission of incorrect data. | Error logs should be kept and there should be prompt follow-up of incorrect data. |
| 7. Processing Controls | Tapes are not adequately labeled. | File identification labels should be used on all files. |
| | No provision appears to be made for control totals and limit and reasonableness tests. | Provision should be made for these controls. |
| 8. Output Controls | There is no control over the distribution of output. | The data control group should review and control the distribution of output to users. |
| | A report distribution sheet is not maintained. | Some type of a report distribution sheet should be kept. |

11-33. See separate file with answers to the comprehensive case related to the audit of Mt. Hood Furniture that is included with this chapter.

Professional Simulation

Research

With respect to understanding computer controls, AU 319.43 reads as follows:

.43 The auditor should obtain an understanding of how IT affects control activities that are relevant to planning the audit. Some entities and auditors may view the IT control activities in terms of application controls and general controls. Application controls apply to the processing of individual applications. Accordingly, application controls relate to the use of IT to initiate, record, process, and report transactions or other financial data. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed. Examples include edit checks of input data, numerical sequence checks, and manual follow-up of exception reports.

The most extensive discussion of computer general controls relates to designing tests of controls. AU 310.74, .77-.79 read as follows:

.74 General controls relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. The auditor should consider the need to identify not only application controls directly related to one or more assertions, but also relevant general controls.

.77 In designing tests of automated controls, the auditor should consider the need to obtain evidence supporting the effective operation of controls directly related to the assertions as well as other indirect controls on which these controls depend. For example, the auditor may identify a user review of an exception report of credit sales over a customer's authorized credit limit as a direct control related to an assertion. In such cases, the auditor should consider the effectiveness of the user review of the report and also the controls related to the accuracy of the information in the report (for example, the general controls).

.78 Because of the inherent consistency of IT processing, the auditor may be able to reduce the extent of testing of an automated control. For example, a programmed application control should function consistently unless the program (including the tables, files, or other permanent data used by the program) is changed. Once the auditor determines that an automated control is functioning as intended (which could be done at the time the control is initially implemented or at some other date), the auditor should consider performing tests to determine that the control continues to function effectively. Such tests might include determining that changes to the program are not made without being subject to the appropriate program change controls, that the authorized version of the program is used for processing transactions, and that other relevant general controls are effective. Such tests also might include determining that changes to the programs have not been made, as may be the case when the entity uses packaged software applications without modifying or maintaining them.

.79 To test automated controls, the auditor may need to use techniques that are different from those used to test manual controls. For example, computer-assisted audit techniques may be used to test automated controls or data related to assertions. Also, the auditor may use other automated tools or reports produced by IT to test the operating effectiveness of general controls, such as program change controls, access controls, and system software controls. The auditor should consider whether specialized skills are needed to design and perform such tests of controls.

Internal Control Deficiencies

What is the auditor's responsibility for identifying significant deficiencies in internal control as part of a financial statement audit? Compare and contrast the likelihood that the auditor will identify significant deficiencies in audit areas where the auditor follows a lower assessed level of control risk approach vs. audit areas where you follow a primarily substantive approach.

[Author's Note: This question requires that students not only read the professional standards but apply them to a particular setting. The professional standards do not specifically address various audit strategies. In this question the student must interpret and apply his or her understanding of the professional standards to two differing audit strategies.]

AU 325.04 states that the auditor's objective in an audit of financial statements is to form an opinion on the entity's financial statements taken as a whole. The auditor is not obligated to search for reportable conditions. However, the auditor may become aware of possible reportable conditions through consideration of the components of internal control, application of audit procedures to balances and transactions, or otherwise during the course of the audit. The auditor's awareness of reportable conditions varies with each audit and is influenced by the nature, timing, and extent of audit procedures and numerous other factors, such as an entity's size, its complexity, and the nature and diversity of its business activities.

If the auditor is planning a lower assessed level of control risk approach, the auditor will probably obtain a more in-depth understanding of control activities and will perform tests of the operating effectiveness of various control activities. As a result, more information may come to the auditor's attention about the significant deficiencies in the operating effectiveness of various aspects of the system of internal control.

If the auditor is planning a primarily substantive approach, the auditor may not study the system of internal control in the same depth, particularly with respect to control activities. However, the auditor still needs a sufficient understanding of the design of the system to plan the audit. This will usually include some level of system walk through. This process will often identify deficiencies in the design of the system of internal control. Further, the auditor's substantive tests may reveal misstatements in the accounting records. These tests may also lead the auditor to discover significant deficiencies in the system of internal control.

However, under these two audit approaches, the nature, timing and extent of the audit procedures differ. As a result, the likelihood of significant deficiencies coming to the auditor's attention may also differ, particularly when the auditor has not tested the operating effectiveness of the system of internal control (e.g., when following a primarily substantive approach).

Communication

Date

George Alpha

Alpha Corporation

Address

Dear Mr. Alpha,

In planning and performing our audit of the financial statements of the Alpha Corporation for the year ended December 31, 20XX, we considered its internal control in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on the internal control. However, we noted certain matters involving the internal control and its operation that we consider to be reportable conditions under standards established by the American Institute of Certified Public Accountants. Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the internal control that, in our judgment, could adversely affect the organization's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements.

Expenditures and Accounts Payable

Issue

As part of a strong system of internal control there should be appropriate systems to ensure that all goods ordered are received, and that liabilities are recorded in the correct accounting period for all goods received. This ensures that all appropriate liabilities are recorded.

Findings

When performing a system walk through we did not find controls to ensure that all goods ordered are received, or that goods received are recorded as accounts payable in the proper period.

Recommendation

We suggest that the company establish internal controls to ensure that liabilities are recorded for all goods received. For example, you can have the following controls programmed into the new automated system for expenditures.

A report should be generated on a regular basis of all purchase orders that have not yet been matched with a receiving report. Someone who will use the goods ordered should regularly follow up on the items that appear on this report to determine why ordered goods are not received.

A report should be generated on a regular basis of all receiving reports that have not yet been matched with a voucher. Someone in the accounts payable area should follow up on items that appear on this report to ensure that all payables are recorded on a timely basis.

This report is intended solely for the information and the use of the owners, management, and others within Alpha Corporation and is not intended to be and should not be used by anyone other than these specified parties.

Sincerely,

Signature

[Organization chart with boxes labeled: DP Manager; Controller; Programming; Operations; System Analysis; Data Entry]