You are on page 1of 45

University of New South Wales Department of Accounting Auditing and Assurance Services 2013

LECTURE 6 Internal Controls III Tests of Controls

Lecture Summary
This lecture covers the techniques that auditors use to test controls We will cover
General control testing requirements in ASA 330 Specific control tests in for manual controls. Links between tests of controls and assertions Differences in errors between manual and computer systems Specific control tests for computerised controls.
2

The Audit Process


An Audit consists of 3 basic steps:
Planning
Assessment of business risk Assessment of the internal control environment

Evidence Gathering and Evaluation


Tests of controls Substantive tests

Formation of the Audit Opinion


3

Evidence Gathering and Evaluation


The framework for evidence gathering and evaluation is covered in the following standard
ASA 330 The Auditors Responses to Assessed Risks

The Objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement through designing and implementing appropriate responses to these risks.
(ASA 330.3)
4

Tests of Controls
Tests of controls means an audit procedure designed to evaluate the operating effectiveness of controls in preventing or detecting and correcting material misstatements at the assertion level.
ASA 330.4(b)

Requirement for Tests of Controls


The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls if;
(a) The auditors assessment of the risk of material misstatement, at the assertion level, includes an expectation that controls are operating effectively ... (b) Substantive audit procedure alone cannot provide sufficient appropriate audit evidence ...
ASA 330.8
6

Extent of Testing
In designing and performing tests of controls, the auditor shall obtain more pervasive audit evidence the greater the reliance the auditor places on the effectiveness of a control.
ASA 330.9

Nature of Tests
In designing and performing tests of controls, the auditor shall:
(a) Perform other audit procedures in combination with enquiry to obtain audit evidence about the operating effectiveness of controls, including:
(i) How the controls were applied at relevant times during the period under audit; (ii) The consistency with which they were applied; and (iii) By whom and by what means they were applied. ASA 330.10
8

Basic Tests of Controls


Inquiry
Verbal
May not get truthful answers

Policies and procedures manuals


Reflects what should happen, not what does happen.

Observation Inspection of records Reperformance of procedures


9

Testing Authorisation Controls


Authorisation is usually evidenced by a signature.
Check policies and procedures manuals or enquire to determine who has the authority over a particular procedure. Obtain a specimen signature Take a sample of documents and check that they are all signed by the appropriate authority.

10

Testing Review Controls


Determine who performs the review
From enquiry or policies and procedures manuals, determine who does the review and how frequently. Observe the review
If it is practical (i.e. not frequent)

Reviews are often indicated by a signature.


Look for signature on sample of documents.
11

Testing Reconciliation Controls


Reconciliations (almost) always result in the preparation of a reconciliation document.
View the document.
Check signature of the person who performed it.

Reperform the reconciliation Check that any adjusting entries have been made in the relevant journal.

12

Testing Stocktaking Controls


Stocktaking is usually only performed once or twice a year.
Stocktake should be observed
At a sample of locations.

Stocktake worksheets should be reviewed


Signatures should be checked

Check that any adjusting entries have been made in the relevant journal.
13

Testing Physical Controls


Physical controls involve
Safes, locked storage rooms etc. Locks, keys, swipe cards and access codes CCTV and other monitoring devices Alarm systems Guards and use of (external) security services

Physical inspection and testing should be used.


14

Testing Segregation of Duties


Segregation of duties can be tested by.
Reviewing organisation charts and lists of responsibilities to see who performs which task. Inquiry of personnel to determine who actually performs particular tasks.

Segregation of duties is often not explicitly stated so the auditor will need to analyse tasks to see if they should be segregated.
15

Tests of Controls Example


XYZ requires the warehouse manager to conduct these procedures when inventory is received:
Count and compare the count to the order quantity and note any discrepancies, Check and note any damage, Immediately transfer to the locked warehouse. Sign the companys copy of the order form, indicating that the above procedures have been carried out, Attach the signed order form to the goods received note and send it to the accounts department.
16

Tests of Controls Example


To test these controls
Check the policy manual to see if they are required Enquire of the manager and other staff to see if they are carried out in practice Observe the receipt of inventory to see if the control procedures are carried out Examine the orders to see if a goods received note is attached and if the order is signed Observe whether the warehouse is kept locked

These tests must be done throughout the year.


17

Tests of Controls Examples


How would you test the following controls?
All customer credit limit increases must be authorised by the credit manager. All cash is banked on a daily basis. A fixed asset stocktake is performed on an annual basis and the results are reconciled with the fixed assets register, to ensure that all missing/extra items and write downs are accounted for.
18

Tests of Controls Examples


How would you test the following controls?
All customer credit limit increases must be authorised by the credit manager. How would you test the following controls? Look for credit managers signature on documents that authorise increases in credit limits. All cash is banked on a daily basis Look for daily deposits in the bank statement.

19

Tests of Controls Example


A fixed asset stocktake is performed on an annual basis and the results are reconciled with the fixed assets register, to ensure that all missing/extra items and write downs are accounted for Either observe the stocktake or view the reconciliation documents.

20

Internal Controls and Audit Assertions


Auditors are interested in internal controls because they can reduce potential errors in the financial statements. If a particular control works, it makes it more likely that a given assertion will be correct. This means that less substantive testing needs to be carried out for that assertion. As noted previously, tests of controls are performed to determine if the control is operating effectively. i.e:
The control must exist, The control must be effective, The control must be effective during all relevant time periods.
21

Internal Controls and Audit Assertions Example


If the warehouse is always locked (an internal control) it is less likely that the inventory will be stolen. This can be tested by periodically checking the warehouse door. If the control works there will need to be less substantive testing directed at existence of inventory.
22

Internal Controls and Audit Assertions Example


If sales invoices are prenumbered then there is less chance of sales invoices going missing. This control can be tested by sequence testing. If the control works the will need to be less substantive testing directed at completeness of sales
23

Internal Controls and Audit Assertions Example


If all entries to the payroll journal are initiated by a timesheet that is signed by the employees supervisor then there is less chance that entries will be made for work that was not done. This can be tested by checking that there is a signed timesheet for each entry in the journal. If this control works, there is less need to test occurrence of wages expense.
24

Internal Controls and Audit Assertions Example


How would you test the following controls? Which audit assertions are affected by the following internal controls?

Account
Interest Expense Inventory

Internal Control
Before interest expense is calculated, the clerk confirms the interest rate with the bank. Stock is periodically reviewed for evidence of obsolescence and obsolete stock is written down The sales order number is entered next to each debit in the receivables sub-ledger
25

Accounts Receivable

Tests of Controls in IT Systems


Control testing in IT systems differs from that in manual systems for two reasons.
The nature of errors differs between manual and computerised systems. There are specific class of general and application controls that only occur in IT systems and that require specific types of tests of controls.
26

Errors in Manual and Computer Systems


The pattern of errors is different in manual and computer systems. The reason for this is that controls are (usually) much stronger in computer systems. This means that
There are far fewer errors. There are patterns in the errors. Errors are less common in routine transactions.
27

Fewer Errors
The most common sources of errors, in manual account systems, are idiosyncratic errors in:
Input, such as entering the wrong amount/details and, Processing, such as poor arithmetic, failure to post from journal to ledger.

The controls, discussed in the previous lecture, go a long way to eliminating these,
if they are well designed and if they work.

Thus, there are fewer errors in computer systems.


28

Patterns in Errors
Computers are consistent. They are either always right or always wrong. Thus, errors come in groups.
All transactions from a particular state might be processed incorrectly.

These patterns are caused by specific control weaknesses.


29

Routine Transactions
Some transactions are processed all the time; sales, purchases, payroll, cash. They follow a few standard patterns.
Cash sales, credit sales, sales returns. Salaries, wages, terminations.

Because of this, they generally have good controls. Errors in these transactions can be very rare, in well designed systems.
30

Non Routine Transactions


Businesses record many uncommon transactions,
Fixed asset purchases and sales, capital raisings, loans and leases, impairments.

As these are uncommon and have no standard structure, they will often have less good controls. Errors are more common here.
31

Testing Strategy
For routine transactions
Errors are rare unless controls are poor
A greater focus on control testing. Substantive testing is limited except where control weaknesses are found.

For non routine transactions


Errors can be more common as controls are limited
Less control testing and more substantive testing
32

Control Testing
The same categories of tests are used as in manual systems
Observation Inquiry Inspection Re-performance

However there are some specific tests for computer controls.


33

Test Data
This is a very simple approach for testing input controls. It involves
Inputting data that should be rejected and seeing if it is. Inputting data that should be accepted and seeing if it is.
34

Test Data - Example


A payroll input screen should only accept fortnightly pays between $1500 and $3000. To test if it works.
Enter $1,499 it should be rejected. Enter $1,500 it should be accepted. Enter $3,000 it should be accepted. Enter $3,001 it should be rejected.
35

Test Data - Limitations


There are several problems with the test data approach.
It can only be done periodically The client knows it is being done so they can ensure that the control works at that time. A large number of transactions may be needed to test the controls in a complex system. It is inconvenient for the client and so they are loath to allow it.
36

Integrated Test Facility


An integrated test facility involves:
Adding a fake entity (such as a fake customer record) to the clients system. Adding fake transactions (such as fake sales) to the regular set of transactions. The fake transactions relate to the fake entity. The results can then be tested to see if these transactions have been processed correctly.
37

Advantages and Disadvantages


It allows control testing to occur throughout the year. The transaction processors dont know the transactions are fake so they cant alter their behaviour The auditor must be careful that the fake transactions dont result in real consequences. Clients dont like having fake entities and transactions in their system.
38

Reprocessing Client Data


Several techniques
Controlled processing Controlled reprocessing Parallel processing

These three techniques are ways of reprocessing the clients data to see if the same result is obtained. If not, there must be something wrong with the clients system.
39

Program Code Review


Every computerised control must be implemented by either
Lines of code in the computer program Settings in the program interface

The most direct way to test these is to examine the code or settings. This can be done by hand or it can be automated.
40

Advanced Techniques
One of the major limitations of computerised accounting systems is lack of an audit trail.
No source documents No record of changes to data No record of how items were processed

Several advanced techniques have been developed to overcome these limitations.


41

SCARF
SCARF (System control audit review file) is a module in the accounting computer system
It is added where errors are most likely to occur It keeps a record of transactions that meet certain criteria, determined by the auditor. The auditor can then use his or her own software to test these transactions

42

Snapshots
Transactions are electronically tagged Randomly Criteria set by auditor When the transaction passes certain points in the program, the time and transaction data are logged. This information can be analysed by the auditor to see how the program processes the transaction.

43

Audit Hooks
Audit hooks are exit points in programs that allow the auditor to insert additional program code
Often supplied by the software manufacturer

Code allows auditor to carry out additional tests without affecting the transaction flow.
Calculation of control totals Flagging unusual transactions
44

Summary
If controls work, the auditor can rely on them to reduce error and perform fewer substantive tests. Before a control can be relied upon the auditor must perform tests of controls.
More reliance requires more tests

Tests of controls determine if a control


Exists Is effective Is continually effective
45

You might also like