Audit of Control Design - Focus on Appropriateness:
Design effectiveness is achieved when controls enable management or employees to prevent or detect transactions or events in a timely manner, aligned with the control objective.
A design deficiency occurs when a control fails to achieve its intended objective.
Design testing involves:
Understanding the existence of controls - Identifying designed and implemented controls.
Assessing the appropriateness of the design - Evaluating the attributes of the controls to determine if they are suitable for their intended purpose.
Controls Relevant to the Audit:
Controls relevant to an audit primarily relate to the entity's objective of preparing financial statements.
Additionally, relevant controls may include:
Controls over the completeness and accuracy of information if the auditor intends to use it in designing and performing further procedures.
Controls over safeguarding assets against unauthorized utilization.
Controls over operations and compliance objectives if they pertain to data the auditor evaluates or uses in applying audit procedures.
Considering Risk Appetite:
To reduce residual risk to an acceptable level, only a subset of control activities that address a specific risk may be necessary.
Selecting the appropriate mix of controls for a process involves evaluating the associated risks.
The primary criterion for a key control is whether it, individually or in combination with other key controls, effectively mitigates one or more key risks to an acceptable level.
Assessing Appropriateness of Design Testing:
Assessing the attributes of internal control design:
Level of control implementation
Frequency of control
Time of error detection
Level of IT involvement
Steps to assess appropriateness:
1. Identify control attributes and how they are set up.
2. Identify attributes for each control.
3. Evaluate if the attributes are appropriate for the controls and their intended purpose.
Example:
- Consider the frequency of a transaction. If a transaction occurs daily, a control that is performed only once a month is not appropriate. The likelihood of detecting an error in a daily transaction is too small with a monthly control. It would be more appropriate to have a control at least once a week or ideally once a day for frequent daily transactions.
Entity level controls
Controls that mitigate risk across the organization. They are most prevalent within the components of the COSO Framework and can be further classified as:
Transaction level controls
Controls that mitigate risks within and around processes, usually by preventing or detecting the occurrence of specific process level risks. They can be further classified as:
Control Design Classified by Time of Error Detection
Preventive Controls:
Designed to prevent incorrect financial information.
Examples:
Automated data validation before recording transactions.
Review and authorization of sales before recording.
Detective Controls:
Designed to detect incorrect financial information after it has occurred.
Investigation and resolution of exception reports.
Reconciliation of subsidiary and general ledger.
Control Design Classified by IT Involvement
Automated Controls:
Performed automatically by an IT system or physical installation.
Edit, matching, and reconciliation routines.
Restricted system access.
IT Dependent Manual Controls:
Manual controls based on system-generated reports and data.
Review of exception reports.
Investigation of reconciliation items.
Comparing totals between reports.
Manual Controls:
Control activities performed by people without relying on computer-produced information.
Written authorization for system changes.
Physical inventory of stock.
Second approval of manual payment voucher.
Relative Reliability and Desirability of Attributes
Automated controls are more reliable than manual controls, especially for known or predictable risks.
Preventive controls are preferable over detective controls because they prevent risks from occurring.
Automated preventive controls are generally preferred as key controls, but including some detective controls is prudent to catch any transactions or events that may have bypassed preventive controls.
In conclusion, effective controls are designed to prevent or detect errors or fraud that could lead to material misstatements in the financial statements.
Audit of Operational Effectiveness of Controls
• Test of control is an audit procedure to evaluate the effectiveness of controls in preventing or detecting and correcting material misstatements at the assertion level. (ISA 330.4b)
• Tests of controls are designed and performed to obtain sufficient appropriate audit evidence when the risk assessment includes reliance on control effectiveness or when substantive procedures alone are insufficient. (ISA 330.8f)
• The nature, timing, and extent of control tests vary based on the required level of evidence and the reliance on controls to mitigate risks.
Nature of tests of controls
Timing of Tests of Controls
Period of intended reliance: Tests of controls should provide evidence that the control has operated effectively across the period the control is being relied upon.
Proximity to reporting date: Tests of controls may be performed for an interim period. Test results for the interim period might be relied upon at the reporting date, although evidence is needed that controls have not changed across the stub period (the period between the end of the interim period and the reporting date). The closer the interim period is to the reporting date, the higher the level of reliance.
Extent of Tests of Controls – Coherence
Designing and Performing Tests of Controls:
- Obtain more persuasive audit evidence when relying heavily on control effectiveness (ISA 330.9). The level of reliance on controls depends on the assessment of the control environment (Coherence).
- The impact of control testing affects the amount of substantive testing required.
- A strong control environment and effective control activities reduce the need for extensive substantive analysis and vice versa.
Extent of Tests of Controls – Expected Reliance:
- High controls reliance is planned when sufficient appropriate audit evidence shows effective control operation throughout the reliance period, significantly mitigating risk.
- No controls reliance is planned when there is a weak control environment, controls are ineffective, or substantive procedures are more efficient and effective for obtaining audit evidence.
- Partial controls reliance is planned when controls only partially mitigate risk or when the extent of planned testing does not provide a high level of assurance.
- When multiple assertions are involved or controls address only some of the risks, achieving controls reliance over all assertions or risks may not be possible.
Control Exceptions - Identification and Evaluation:
Identification:
Control exceptions do not necessarily indicate an operating deficiency, as some exceptions are anticipated in control design.
Manual preventive controls are prone to human error and may not cover all possible risks.
Controls often have a tolerable exception rate, typically around 1-2%.
Evaluation:
To determine if an identified exception represents an operating deficiency:
Consider the design of the control, control objective, tolerable exception rate, and other controls in place.
Differentiate between isolated exceptions (caused by one-time human errors) and systematic exceptions (indicating ongoing issues).
Assess the extent of exceptions, including the projected exception rate through statistical sampling.
Requirements of Substantive Procedures:
Substantive Procedures:
ISA 330.18 requires the auditor to perform substantive procedures for each material class of transaction, account balance, and disclosure, regardless of assessed risks.
This is because the auditor's risk assessment may not capture all potential risks, and there are limitations to internal controls.
If a significant risk is identified, specific responsive substantive procedures are required (ISA 330.21).
Definition of Substantive Procedure:
A substantive procedure is an audit procedure designed to detect material misstatements at the assertion level.
It includes substantive analytical procedures and tests of details.
Options for Substantive Procedures:
Per ISA 330.A43 the auditor may determine that:
Substantive analytical procedures alone may be sufficient if supported by audit evidence from tests of controls.
Tests of details alone may be appropriate.
The combination of substantive analytical procedures and tests of details is most responsive to assessed risks.
Remember: Substantive procedures are necessary for material areas, and they can be performed through analytical procedures, tests of details, or a combination based on risk assessment.
Substantive Test of Details vs Effective Test of Details:
Substantive Test of Details:
Test of details includes physical examination, inquiry, reperformance, recalculation, and confirmation.
It is a type of substantive test used to gather evidence beyond tests of controls and substantive analytical procedures.
Tests of details are suitable for assertions about account balances, such as existence and valuation, while substantive analytical procedures are more useful for large volumes of predictable transactions.
Effective Test of Details:
An effective test provides sufficient audit evidence.
The auditor selects items for testing based on relevance and reliability of information.
The auditor can choose to examine all items (100% examination), select specific items, or use audit sampling (ISA 500.A52).
Selection of Testing Method:
The choice of testing method depends on factors like the risks of material misstatement and practicality.
Definition, Objective and components of Analytical Procedures
Analytical Procedures per ISA 520.3:
Analytical procedures are evaluations of financial information by analyzing plausible relationships among financial and non-financial data.
They involve investigating fluctuations, inconsistencies, and significant differences from expected values.
Components of Analytical Procedures per ISA 520.4:
Comparing the entity's financial information with:
Comparable information from prior periods.
Anticipated results of the entity, such as budgets or forecasts.
Expectations of the auditor, such as estimates of depreciation.
Similar industry information, such as comparing ratios to industry averages.
4 Step-Approach Overview (substantive analytical procedures)
Step 1 - Building an Expectation
Building Expectations:
The level of assurance obtained from substantive analytical procedures depends on the precision of the expectation developed and the threshold.
The precision of an expectation is affected by four factors (ISA 520.A12):
1. Reliability of source data: More reliable data provides greater assurance.
2. Disaggregation: Different levels of detail affect precision (e.g., monthly vs. annual data).
3. Predictability of the account: Income statement accounts are more predictable than balance sheet accounts.
4. Type of analytical procedure: Different approaches impact precision (e.g., trend analysis vs. reasonableness testing).
Reliability of Data is influenced by (ISA 520.12):
- Source: Independent sources outside the entity are more reliable.
- Comparability: Broad industry data may need supplementation for meaningful comparison.
- Nature and relevance: Consider whether budgets are expectations or goals.
- Controls: Evaluate controls over the preparation, review, and maintenance of information.
Disaggregation:
- Vertical: Partitioning information based on specific characteristics (cost center, location, customers, products).
- Horizontal: Comparing multiple periods (monthly, quarterly, annual) over 3 to 5 years.
Predictability:
- Balance Sheet: Less consistency expected for point-in-time comparisons.
- Profit and Loss: Greater consistency expected for period-to-period comparisons.
- Items subject to management discretion are less predictable.
Step 1 - Building an Expectation - Procedures to build expectations
Procedures:
- Trend analysis: Comparing changes over time for fairly predictable accounts.
- Ratio analysis: Assessing relationships between financial data over time.
- Reasonableness testing: Developing a model to form expectations based on financial and non-financial data.
- Regression analysis: Using statistical models to quantify expectations.
- Scanning analytics: Identifying anomalous items through the analysis of detailed reports and performing further procedures.
Step 2 - Threshold:
- Threshold: Accepted difference from expectation without investigation (Established by the auditor).
- Influenced by: Materiality and desired level of assurance.
- Higher risk = Lower threshold for investigation.
Step 3 - Difference
Calculating the difference may have two possible outcomes…
• Possibility 1: Actual figure is within the threshold
• Possibility 2: Actual figure is outside the threshold
Step 4 - Explanation
No further explanation necessary!
Further explanation of the difference between expectation and the actual figure necessary
Procedures and Methods of Tests of Details
Test of details involves taking a sample:
- Large populations require sampling
- If feasible, test all items (e.g., for a small sample size)
- Determine appropriate sample and sample size
- Execute procedures on the sample
- Consider sampling method before applying procedures
Targeted Testing
Targeted Testing in Tests of Details:
Objective: Identify material monetary misstatements
Preferred method
Focus on specific part or entire account
Select items based on monetary value or higher risk
Do not project results to untested items in population
Targeted Testing – Requirements
Targeted Testing Requirements:
Auditor selects specific items from the population
Considerations: auditor's understanding of the entity, assessed risks, characteristics of the population
Specific items selected may include:
High value or key items
All items over a certain amount
Items to obtain specific information
Accept-Reject Testing key characteristics
Accept-Reject Testing Objective
Gather evidence to either accept or reject a characteristic (not a monetary misstatement)
Accept Test Objective if:
- Fewer exceptions than initially determined tolerance level
Reject Test Objective if:
- Exceptions exceed the initially determined tolerance level
- If rejected, the source of the exceptions needs to be identified, reported to the client and then additional work performed to achieve the audit objective
Key characteristics of Audit Sampling
Audit Sampling Objective:
Provide a reasonable basis to draw conclusions about the population (ISA 530.4)
Two Approaches:
Statistical sampling
Non-statistical sampling
Advantage of Statistical Sampling:
Statistically derived sample size and evaluation of sampling risk
Disadvantage of Statistical Sampling:
Use of formal techniques required for sample size determination and result evaluation
Remember: Judgment is crucial in both approaches, and sample size does not determine the choice between statistical and non-statistical methods. (ISA 530.A9)
Distinguish Methods of Target Testing and Accept-Reject Testing
Target Testing and Accept-Reject Testing:
Statistical sampling is suitable for large populations, allowing projection of results to the entire population.
However, alternative methods like Targeted Testing and Accept-Reject Testing are preferred to reduce sample size.
Targeted Testing focuses on specific financial information, such as the largest amounts or items exceeding a threshold.
Accept-Reject Testing is used for non-financial information, setting an acceptance level to determine sample size.
If these methods are not applicable, non-statistical sampling is considered.
All methods aim to minimize sample size compared to statistical sampling, reducing the workload while still providing adequate testing.