BA 427

1
BA 427 Assurance and Attestation Services

• Lecture 21
• Tests of Controls

2
Lecture 21 Tests of Controls

• Managements assertions
• Existence or occurrence.
• Completeness.
• Rights and obligations.
• Valuation or allocation.
• Presentation and disclosure.

3
Lecture 21 Tests of Controls

• Audit risk
• Inherent Risk
• Control Risk
• Detection Risk

4
Lecture 21 Tests of Controls

• Audit risk
• Inherent Risk
• The susceptibility of an assertion to a material
  misstatement assuming no related controls exist.
• Control Risk
• Detection Risk

5
Lecture 21 Tests of Controls

• Audit risk
• Inherent Risk
• Control Risk
• The risk that a material misstatement that could
  occur in an assertion will not be prevented or
  detected on a timely basis by the entitys
  internal control system.
• Detection Risk

6
Lecture 21 Tests of Controls

• Audit risk
• Inherent Risk
• Control Risk
• Detection Risk
• The risk that the external auditor will not
  detect a material misstatement that exists in an
  assertion.
• Can be broken down into TD x AP
• TD the risk for tests of details
• AP the risk for analytical procedures and other
  procedures

7
Lecture 21 Tests of Controls
The audit risk model AR Audit Risk AR IR
x CR x DR The auditor establishes AR as an
overall goal, assesses IR, and then plans the
audit to achieve levels of CR and DR that results
in the targeted AR.
8
Lecture 21 Tests of Controls

• Control risk An evaluation of the effectiveness
  of internal controls in preventing or detecting
  material misstatements.
• Control risk is stated in terms of the financial
  statement assertions
• Existence or occurrence.
• Completeness.
• Rights and obligations.
• Valuation or allocation.
• Presentation and disclosure.

9
Lecture 21 Tests of Controls

• Reasons to set control risk at 100 (primarily
  pertains to nonpublic companies)
• Controls are unlikely to pertain to an assertion.
• Controls are unlikely to be effective.
• Evaluating effectiveness would be inefficient.

10
Lecture 21 Tests of Controls

• Procedures necessary to set control risk below
  100
• Identify specific controls relevant to specific
  assertions.
• Some controls have pervasive effects, whereas
  other controls affect only a specific assertion.
• Test controls.
• Reach a conclusion on the assessed level of
  control risk.

11
Lecture 21 Tests of Controls

• Test controls
• There are procedures to evaluate the
  effectiveness of a controls design, which are
  concerned with whether the control is suitably
  designed to prevent or detect material
  misstatements.
• There are procedures to evaluate the operating
  effectiveness of controls.
• In some cases, the same procedure can serve
  either or both purposes.

12
Lecture 21 Tests of Controls

• Test controls
• In general, sample sizes will be larger when
  testing the operating effectiveness of controls
  than when obtaining evidence about the design of
  controls.
• Also, tests of the operating effectiveness of
  controls need to cover an adequate time period.
  Tests of the design of controls can be drawn from
  a single point in time.

13
Lecture 21 Tests of Controls

• Test controls
• The following procedures can be used to evaluate
  the design of controls
• Inquiry of entity personnel
• Inspection of documents and reports
• Observation of the application of the control
• Narratives
• Internal control questionnaires
• Flowcharts

14
Lecture 21 Tests of Controls

• Test controls
• The following procedures can be used to test the
  operating effectiveness of controls
• Inquiry of entity personnel
• Inspection of documents and reports
• Observation of the application of the control
• Reperformance by the auditor

15
Lecture 21 Tests of Controls

• Inquiry of entity personnel
• This procedure is legitimate, although it
  provides relatively weak evidence that the
  control is operating as described.

16
Lecture 21 Tests of Controls

• Inspection of documents and reports
• This procedure provides strong evidence that the
  control is operating.
• Requires that the control leaves an audit trail.

17
Lecture 21 Tests of Controls

• Observation of the application of the control
• Particularly helpful if there is an identified
  control that does not leave an audit trail.
• Example segregation of duties.

18
Lecture 21 Tests of Controls

• Reperformance by the auditor
• Particularly helpful if there is an identified
  control that does not leave an audit trail.
• Example Trace sales prices to an authorized
  price list.

19
Lecture 21 Tests of Controls

• Walkthroughs
• The auditor
• selects one or a few documents for the initiation
  of a transaction type.
• traces the documents through the entire
  accounting process.
• makes inquiries and observes current activities
  at each stage of the processing of the
  transaction.
• examines completed documentation for the
  transactions.

20
Lecture 21 Tests of Controls

• Walkthroughs
• PCAOB Auditing Standard No. 2 requires
  walkthroughs for each major class of transactions.

21
Lecture 21 Tests of Controls

• Sarbanes-Oxley Section 404
• There is an obvious and close connection between
  tests of controls in support of the auditors
  assessment of control risk in the Audit Risk
  Model, and tests of controls in connection with
  the auditors reporting requirements under
  Section 404.

22
Nonpublic Company Public Company
Sufficient to audit financial statements
Sufficient to audit internal control over
financial reporting
Obtain an understanding of internal control
design and operation
23
Nonpublic Company Public Company
Sufficient to audit financial statements
Sufficient to audit internal control over
financial reporting
Obtain an understanding of internal control
design and operation
Decide on control risk for each transaction type
Low, medium or high
Select low
24
Nonpublic Company Public Company
Sufficient to audit financial statements
Sufficient to audit internal control over
financial reporting
Obtain an understanding of internal control
design and operation
Decide on control risk for each transaction type
Low, medium or high
Select low
Extensive tests for all objectives
Extent of testing depends on cost-benefit analysis
Plan and perform tests of controls and evaluate
results
25
Nonpublic Company Public Company
Extensive tests for all objectives
Extent of testing depends on cost-benefit analysis
Plan and perform tests of controls and evaluate
results
Revise assessed control risk, if necessary
26
Nonpublic Company Public Company
Extensive tests for all objectives
Extent of testing depends on cost-benefit analysis
Plan and perform tests of controls and evaluate
results
Revise assessed control risk, if necessary
Plan detection risk and perform substantive tests
in accordance with the A.R.M.
Likely to be less substantive testing
Likely to be more substantive testing, depending
on control risk
27
Nonpublic Company Public Company
Must issue a report on internal control over
financial reporting and issue a written
communication to the audit committee describing
significant deficiencies and material weaknesses.
Must communicate, preferably in writing, to the
audit committee or its equivalent, describing
significant deficiencies and material weaknesses.
Issue internal control report or letter