Boynton SM Ch.11

CHAPTER 1 11 1 AUDIT PROCEDURES

IN RESPONSE TO

ASSESSED RISKS: TESTS

OF CONTROLS

Learning Check 11-1 11-1.. a.

b.

Asse Assess ssin ing g con contr trol ol risk risk is the the pro proces cesss of of eva evalu luat atin ing g the the effe effect ctiv ivene eness ss of an enti entity ty's 's internal controls in preventing or detecting material misstatements in the financial statements. Control risk should be assessed in terms of individual individual financial statement assertions.

11-2. In assessing control risk for an assertion, assertion, the auditor should perform the the folloing five five steps! 1. Consider Consider knoledge knoledge ac"uired ac"uired from procedures procedures to obtain obtain an understand understanding ing about hether controls pertaining to the assertion have been designed and placed in operation by the entity's management. 2. Identify Identify the potential potential misstat misstatements ements that that could occur occur in the entity's entity's assertio assertion. n. #. Identify Identify the necessary necessary controls controls that that ould likely likely prevent prevent or detect the the misstatem misstatements. ents. $. %erform %erform tests tests of controls controls on the necessary necessary controls controls to determi determine ne the effectiven effectiveness ess of their design and operation. &. valua valuate te the evide evidence nce and make make the the assessm assessment ent.. 11-# 11-#.. a.

b.

In iden identi tify fyin ing g bot both h pot potent entia iall mis misst stat atem ement entss and and neces necessa sary ry cont contro rols ls,, the the audi audito torr typically uses either (1) computer softare that analy*es responses to specific "uestions input for computeri*ed internal control "uestionnaires or (2) checklists developed for the same purpose. +ost completeness controls compare information that is obtained obtained hen a transaction is authori*ed, and compare the information ith information that is created hen goods or services are shipped or received, and again ith information hen the transaction transaction is recorded. Completeness controls ill ill also compare information created ith the transaction is recorded ith information associated ith receipt receipt or payment of cash (consideration). or eample, a control over completeness of sales might create a report of all goods that are ordered that have not been shipped, a separate report of all items that have been shipped but not billed, and a third report of all billings that have not been collected.

The world’s largest digital library

Try Scribd FREE for 30 days to access over 125 million titles without ads or interruptions! Start Free Trial Cancel Anytime.











c.

he he occu occurr rren ence ce,, accu accura racy cy cut cutof off, f, and clas classi sifi fica cati tion on ob/e ob/ect ctiv ives es are are nor norma mall lly y controlled by comparing information input for recording a transaction ith information that is entered into the system hen the transaction is authori*ed or hen goods or services services are shipped or received. or eample, sales invoice information ill usually be compared ith information associated ith the sales order (authori*ation) or the bill of lading and packing slip (shipment of goods).

11-$ 11-$.. a.

vid viden ence ce obta obtain ined ed from from proc proced edur ures es to obta obtain in an unde unders rsta tand ndin ing g shou should ld be used used by the auditor to (1) identify types of potential misstatements and (2) consider factors that affect the risk of material misstatements, such as hether controls necessary to prevent or detect the misstatements have been designed and placed in operation. his knoledge should enable the auditor to make an initial assessment of control risk for an assertion. 0uring this process the auditor may obtain some evidence about the effectiveness of the design and operation of internal controls. oever, such evidence rarely is sufficient to allo the auditor to assess control risk at moderate or lo.

b.

vidence obtained from tests of controls pertains to the effectiveness effectiveness of the design andor operation of the control tested and may be used in making a final assessment of control risk for an assertion.

11-&. 11-&.

3hen evaluating evaluating the the significanc significancee of any deficiency deficiency in in internal internal control control the auditor auditor should should consider the likelihood (fre"uency of deviations) and the magnitude of potential misstatements. or eample, hen evaluating a deficiency deficiency in internal internal controls related to revenue recognition, the auditor needs to evaluate the percentage of the time that the control might fail (likelihood or probability) and the dollar amount of misstatement that could happen hen the control fails (magnitude or materiality). materiality). he auditor ill normally classify deficiencies as (1) deficiencies, (2) significant deficiencies, or (#) material eaknesses depending on the likelihood and magnitude of potential misstatements that might result from an internal control eakness.

11-4 11-4.. a.

b.

hre hreee str strat ategi egies es that that the the aud audit itor or might might use use hen hen test testin ing g a syst system em of inte intern rnal al controls that use information technology include! 1. Assessing Assessing control control risk risk based on user user control controls. s. 2. %lanning %lanning for a lo control control risk risk assessm assessment ent based based on application application control controls. s. #. %lanning %lanning for a high high control control risk risk assessm assessment ent based based on general general control controlss and manual follo-up. he auditor might assess control risk as lo based on to of the three above strategies, assuming that the evidence shos that the co ntrols are effectively designed and placed in operation. irst the the auditor can assess control risk as lo based on user controls, such as effective performance revies by management.











c.

11-6 11-6.. a.

b.

11-8. 11-8.

he he audi audito torr can can asse assess ss contr control ol ris risk k as high high bas based ed on on evid evidenc encee obta obtain ined ed abou aboutt both both computer controls and manual follo-up follo-up procedures. he auditor may be able to to develop implications about the effective operation of application co ntrols based on inspection of eception reports and in"uiries of those ho follo-up on eception reports. oever, the auditor must perform direct tests tests of application controls in order to assess control risk belo a high level. he he adva advant ntage agess of of usi using ng compu compute terr ass assis iste ted d audi auditt tech techni ni"ue "ue in perf perfor ormi ming ng test testss of of controls include! A significant part of the entity7s system of internal controls is imbedded in • computer programs. here are significant gaps in the visible audit trail. • here are large volumes of records to be tested. • he ma/or disadvantages of using computer-assisted audit techni"ues are the special knoledge and skills re"uired, and the possible disruption of the client7s I operations operations hile the the auditor uses I e"uipment, programs and files. he auditor must also test the effectiveness of manual follo-up procedures in order to determine ho effectively the computer controls are at preventing or detecting and correcting misstatements in assertions.

he advanta advantages ges of of parall parallel el simula simulation tion include include the the folloi folloing! ng! 9ecause real data are used, the auditor can verify the transactions by tracing them to • source documents and approvals. he si*e of the sample can be greatly epanded at relatively little additional cost. • he auditor can independently run the test. • he disadvantages include the fact that the auditor may need special training to understand the client7s program and develop a program that simulates the client7s program. he auditor must also take care to determine that the data selected for simulations are representative of actual client transactions.

11-: 11-:.. a.

;nde ;nderr the the tes testt dat dataa appr approa oach ch,, dum dummy tra trans nsac acti tion on are are pre prepa pare red d by the the aud audit itor or and and processed under auditor control by the client7s computer program. his is often performed during a time hen the auditor can take full control over the client7s computer operations. In an integrated integrated tests facility approach the auditor does not control computer operations and dummy transactions are processed simultaneously ith real transactions. his usually re"uires the creation of a small subsystem (a mini-company) mini-company) ithin the regular I system. It may be accomplished by creating dummy master files or append ing dummy master records to eisting client files. est est data, specially coded to correspond to the











be created to tag transactions for subse"uent testing, or an audit log (fre"uently called a systems control audit revie file or 5CA<) might be used to record transactions that meet particular audit aud it criteria. 11-1=. In comparison to the methodology for assessing control risk under the the primarily substantive approach, the methodology under un der the loer assessed level of control risk approach involves obtaining and documenting a more etensive understanding of relevant policies and procedures for all five components of internal control. he component control activities often may be skipped in some cases hen the primarily substantive approach is used. In addition, under un der the loer assessed level of control risk approach, additional or planned tests of controls must be performed in order to obtain the evidence needed to support the planned assessed level of control risk of moderate or lo. 11-11. 11-11. 3hen the auditor evaluates the effectiveness of a control the auditor should assess assess (1) ho the control as applied, (2) the consistency ith hich it as applied during the period, and (#) by hom it as applied. 11-12. Types of evidence to evaluate the effectiveness of internal control In"uiries of appropriate entity personnel

Factors that affect the reliability of the evidence. •

•

Inspection of documents, reports, or electronic files, indicating performance of the control.

•

•

?bservation of the application of the control

•

•

•

In"uiry is most effective for determining an employee7s understanding of computer controls or of his or her duties, the individual7s performance performance of those duties, and the fre"uency, fre"uency, causes, and disposition of deviation. he results of in"uiry is a form of representation by management or employees and should be corroborated by other evidence Inspection of documents may leave documentary evidence of the audit trail, such as notations on eception reports, signatures or validation stamps that indicate hether a control as performed. >ot all controls leave leave a documentary audit trail. trail. urther, in some systems, documents may be retained only for a short period of time. ?bservation also is effective for determining ho an employee uses computer output and ho an employee performs his or her duties. duties. ?bservation may be affected by the fact that an employee may perform procedures differently hen the auditor is present. ?bservation applies only to the time at hich it is performed.











hen it as performed.

11-1 11-1#. #. a. a.

b.

he he timi timing ng of of tes tests ts of contr control olss rela relate tess to hen hen it it as as obta obtain ined ed and and the the por porti tion on of of the audit period to hich it applies. or eample, performing CAA CAAs, such as the use of test data, applies only to the point in time hen the test as performed. 3hen the auditor obtains evidential matter about the design or operation of controls during an interim period, he or she should determine hat additional evidential matter should be obtained for the remaining period. %rofessional standards suggest that the auditor should consider the folloing factors hen determining the evidence that needs to be obtained during the remaining period. he significance of the assertion involved he specific controls that ere evaluated during the interim period he degree to hich the effective design and operation of those controls ere evaluated he results of the tests of controls used to make that evaluation he length of the remaining period he evidential matter about design or operation o peration that may result from the substantive test performed in the remaining period. he auditor should also obtain evidential matter about the nature and etent of any significant changes in internal control, including its policies, procedures, and personnel that occur subse"uent to the interim period.   

  

c.

he he audi audito torr of of a priv privat atee comp compan any y may may con consi side derr evi evide denc ncee abou aboutt the the eff effec ecti tive ve design or operation of internal controls obtained during prior audits in assessing control risk in the current current audit. %rofessional standards state state that hen evaluating the use of evidence obtained in prior audits the auditor should consider! he significance of the assertion involved. he specific controls that ere evaluated during the prior audits. he degree to hich the effective design and operation of those controls ere evaluated he results of the tests of controls used to make those evaluations he evidential matter about design or operation o peration that may result from substantive tests performed in the current audit.   

 

he auditor should also consider that the longer the time elapsed since the performance of tests of controls, the less assurance it may may provide. inally, the auditor needs to evaluate evidence in the current period about hether changes have occurred in internal control, including its policies, procedures, and personnel, subse"uent to the prior audits, as ell as the nature and etent of any such changes.











matter about the effectiveness of design and operation to be obtained in the current period. Students should note that standards are different for auditors of public companies. If the auditor is issuing an opinion on the effectiveness of internal controls over financial reporting, evidence supporting that opinion must be obtained from the current audit period.

11-1$. a.

b.

In general, the loer the planned assessed level of control risk, the greater the etent of tests of controls. hree factors bear on the auditor7s decisions about test of controls! controls! (1) the nature of the control, (2) the fre"uency of operation of the control, and (#) the importance of the control. 3ith respect to the nature of the control the auditor should sub/ect manual controls to more etensive testing than automated controls. A single test of each condition of a programmed control may be sufficient to obtain a high level of assurance that the control operated effectively if general controls are a lso operating effectively. effectively. oever, manual controls usually re"uire more etensive testing. In general, as the level of compleity and the level of /udgment /udgment in the application of a control increase, the etent of the auditor7s testing should also increase. If the level of competency competency of the person performing the control control decreases, the etent of testing should also increase. 3ith respect to the fre"uency of operation of the control the more fre"uent the operation of a manual control, con trol, the more operations of the control the a uditor should test. Controls that operate daily daily should be tested more etensively etensively than controls that operate monthly (account reconciliations), or "uarterly ("uarter end revies). 3ith respect to the importance of the control, controls that are more important should be tested more etensively. etensively. 5ome controls such as the the control environment or computer general controls have a pervasive impact on other controls should be sub/ected to more etensive e tensive tests than controls that are less important to the audit strategy.

11-1&. It might be appropriate to use a computer audit specialist to evaluate computer general controls and application controls. It might also be appropriate to bring in a health care industry epert to evaluate the risk of incorrect +edicare billing, or a banking industry epert to evaluate 0IC regulatory compliance.













11-14. 0ual-purpose tests occur hen the auditor simultaneously performs performs tests of controls and substantive tests of details of transactions to detect monetary errors on the same transactions. 11-1 11-16. 6. a. a.

or an acc accoun ountt affe affect cted ed by a singl singlee tran transa sact ctio ion n clas class, s, the the con contr trol ol ris risk k asse assess ssme ment nt for a particular account balance assertion is the same as the control risk assessment for the same transaction class assertion. hus, control risk for the eistence or occurrence assertion for the sales account balance is the same as the control risk assessment for the eistence or occurrence assertion for the sales transactions class. he actual control risk assessment is then compared ith the planned control risk assessment for the assertion. assertion. If the actual assessment is not greater than the planned assessment for the assertion, the planned level of substantive tests is supported.

b.

or an account affected by more than one transaction class (a balance sheet account), the combined control risk assessment is based on the control risk assessment for the transaction class assertions that increase the account balance and the transaction class assertions assertions that decrease the account balance. balance. hus, control risk for the eistence of accounts receivable is based on the combined control risk assessments for the occurrence of sales and the completeness of cash receipts transactions and the completeness of sales returns and alloance.

11-18. 3hen the control risk assessments for the relevant transaction class assertions differ, the auditor may (1) /udgmentally eigh the significance of each assessment in arriving at a combined assessment or (2) use the most conservative (highest) of the relevant assessments. he assessment for each related transaction class assertion must be considered because a misstatement in any of the relevant transaction class assertions could produce a misstatement in the account balance assertion. 11-1 11-1:. :. a. a.

he he re"u re"uir irem emen ents ts for for doc docum umen enti ting ng the the ass asses esse sed d leve levell of cont contro roll ris risk k are! are! (1) (1) control risk at maimum - only this conclusion needs to be documented@ (2) control risk belo the maimum - the basis for the assessment must also be documented.











deficiency is more than inconse"uential.B he magnitude of misstatement associated ith a material eakness is material.B

Comprehensive Questions 11-21. 11-21. (stimate (stimated d time  #= minutes) minutes) a.

An audi audito torr may may asse assess ss cont contro roll ris risk k at at the the mai maimu mum m leve levell for for some some or all all assertions because the auditor believes internal controls are unlikely to pertain to an assertion, are unlikely to be effective, or b ecause evaluating their effectiveness ould be inefficient.

b.

o support support assessing control risk at less than than the maimum level, an auditor must determine hether internal controls are suitably designed to preven t or detect material misstatements in specific financial statement assertions and obtain evidence through tests of controls that the policies and procedures are operating effectively.

c.

3hen 3hen see seeki king ng a furt further her redu reduct ctio ion n in the the plann planned ed ass asses esse sed d leve levell of contr control ol risk risk,, the the auditor should consider the likelihood that evidence can be obtained in a costefficient manner to support a loer assessment.

d.

he he audit auditor or's 's und under erst stan andi ding ng of of the the inte intern rnal al con contr trol olss shoul should d be doc docum umen ente ted d in the the form of completed "uestionnaires, flocharts, andor narrative memoranda. he auditor's decisions regarding the type of evidence, the source of evidence, the timeliness of evidence, the eistence of other evidential matter, and audit staffing should be documented in an audit program and related orking papers. 3hen the auditor's assessment of control risk is at the maimum level, only that conclusion needs to be documented. 3hen the assessment is that control risk is belo the maimum, the basis for the assessment must also be documented.











11.2#. 11.2#. (stimate (stimated d ime ime  2& minutes) minutes) rimarily substantive Item approach a. ?btaining and documenting the understanding

Lo!er assessed level of control risk approach

Dess etensive, focusing on four of the five components (control procedures may not be relevant) he auditor ill usually consider the evidence about operating effectiveness hile obtained hile understanding internal controls.

+ore etensive ith coverage of all five components

c. +aking an initial assessment of control risk

%erformed based on evidence obtained hile understanding internal controls.

d. %erforming additional or planned tests of controls e. +aking a final assessment of control risk f. 0ocumenting the control risk assessment

>ot usually performed performed under this strategy

he initial assessment based on evidence obtained hile understanding internal controls ill probably ill not support support a lo control risk assessment. Additional evidence is needed to support loer assessed level of control risk

b. %erforming concurrent tests of controls

0esigning substantive tests

he auditor ill usually consider the evidence about operating effectiveness hile obtained hile understanding internal controls.

5ame as initial assessment under this strategy.

0one after completing additional or planned tests of controls

If control risk is at the maimum, only this conclusion needs to be documented. If belo the maimum, maimum, the basis for the conclusion must also be documented. ests must be designed for a high level of substantive tests and lo level of detection risk.

If belo the maimum, both the conclusion and the basis for the conclusion must be documented.

ests ests should be designed for a lo level of substantive tests and a moderate or high level of detection risk.











Category of "eneral Controls procedural 4. ?rgani*ation and operation 6. 5ystems development and documentation 8. Access

ossible #isstatement

ossible Test of Controls

processing, or outputting outputting or data. group. I personnel may initiate and ?bserve segregation of duties process unauthori*ed transactions. transactions. beteen user departments departments and I. ;nauthori*ed program changes may amine evidence of result in unanticipated processing independent check of proper errors. authori*ation, authori*ation, testing, and documentation. 0ata files and programs may be ;se of a library, librarian, and logs processed or altered by to restrict access and unauthori*ed users. monitor usage.

:. ardare and systems softare 1=. 5ystems 0evelopment and documentation 11. ?rgani*ation and operation 12. 0ata and procedural

"uipment malfunctions may result in processing errors. 5ystems designs may not meet the needs of user departments or auditors. I personnel may process unauthori*ed transactions. 0ata files and programs may be lost.

11-2& (stimated ime! ime! #= minutes) a. otential b. Computer or #isstatements manual control 1.

9ank 9ank balan alance ce per book bookss may not agree ith balance per bank

+anual

2.

Checks may not be recorded.

Computer and manual follo-up.

amine hardare and systems softare specifications. specifications. amine evidence for approval of ne systems. ?bserve segregation of duties beteen user departments departments and I. amine storage facilities.

c. ossible test of controls

Inspect bank reconciliations and test accuracy on a sample basis. basis. >ote ho prepared the reconciliation reconciliation and hen the reconciliation as prepared. est est computer control generating the daily check summary ith CAAs. CAAs. Inspect daily check summaries and determine effectiveness of manual follo-up.











8. :.

a. otential #isstatements

b. Computer or manual control


%ost %ostiing erro rrors coul could d be be made. An issued sued chec check k may may not not be /ournali*ed.

+anual

?bserve segregation of duties.

Computer and manual follo-up.

est est computer control generating the daily check summary ith CAAs. CAAs. Compare daily check summaries and check register entries and determine effectiveness of manual follo-up.

11-24. (stimated ime ime  #& minutes) a. otential #isstatements

1

2

# $

& 4

6

5ales may be made to customers ho cannot pay.

Foods mi might be be sh shipped to unauthori*ed customers 5ales may not be recorded
b. Computer or manual control 9oth manual and computer

+anual

Computer Computer

Computer Computer

Computer


est est manual controls over credit checking credit history ith in"uiry, in"uiry, observation, and inspection of documents. 5ubmit test data for a sale that eceeds the customer7s credit limit. ?bserve segregation of duties

5ubmit te test da data h here sh shipments e eceed recorded sales. 5ubmit test data for recorded sales that are not supported by shipments. 5ubmit test data for sales invoices that do not match underlying "uantities or prices. 5ubmit test data to record sales invoices in a period other than hen hen goods are shipped. 5ubmit te test data to to record sales invoices for













11-26 (stimate ime! - #= minutes) a. Control Function b. Control rocedure 1. In Input

?nline edit checks..

2. ?utput

#. %rocessing

$. %rocessing &. ?u ? utput

4. In Input 6. %r % rocessing

;se of eternal and internal file labels. ;se of report distribution control sheets. or ;se of passords to limit access to data and report riting capabilities. ;se of error logs@ return to user department for correction. ;se of control totals.

c. ossible Test of Controls est edit routine ith CAAs and observe responses to on-line edit messages. amine evidence of reconciliations performed. est limit and reasonableness tests ith CAAs and observe and inspect evidence of manual folloup procedures. ?bserve use of eternal file labels. Inspect distribution control sheets. or ?bserve control over passords and test effectiveness in limiting access to data files. Inspect logs and evidence of user correction of data. amine evidence of control total











:. Computer co compares ve vendor on on pu purchase or order to to ma master ve vendor fi file. 1=. Computer checks checks for goods goods ordered and and not received received ithin a reasonable period of time. time. 11. Computer checks checks for goods received received but not recorded recorded as a liability liability ithin a reasonable period of time. time. In the case of services, services, the computer check for services ordered but not recorded as a liability ithin a reasonable period of time. 12. Computer compares compares accounting accounting period in hich the voucher is is recorded ith the accounting period received. 1#. Computer checks checks the mathematical mathematical accuracy of the voucher and supporting documents. 1$. Computer compares compares sum of subsidiary subsidiary ledger accounts accounts ith general ledger ledger control account.

istence an and oc occurrence nce Completeness Completeness

istence and occurrence or Completeness Ealuation and allocation Ealuation and allocation

11-2:. (stimated ime ime  #= minutes) a. Audit Auditin ing g Garo Garoun undG dG the the com comput puter er gen gener eral ally ly ref refer erss to eam eamin inat atio ions ns of of trans transact actio ions ns in hich a representative sample of transactions is traced from the original source documents, perhaps through eisting intermediate records in hard copy, to output reports or records, or from reports back to source do cuments. Dittle or no attempt is made to audit the computer program or procedures employed by the computer to process the data. his audit approach is based on the premise that the method of processing data is irrelevant as long as the results can be traced back to the input of data and the input can be validated. If the sample of transactions has been handled correctly, then the system outputs can be considered to be correct ithin a











2.

d.

he auditor may use test data to gain a better understanding of hat the data processing system does, and to check its conformity to desired ob/ectives. est data may be used to test the accuracy of programming by comparing computer results ith results predetermined manually. est est data may also be used to determine hether or not errors can occur ithout observation and thus test the application's ability to detect noncompliance ith prescribed procedures and methods. Assurance is provided by the fact that if one transaction of a given type passes a test, then all transactions containing the identical test characteristics ill-if the appropriate control features are functioning--pass the same test. Accordingly, the volume of test transactions of a given type is not important. oever, the auditor auditor does need to test computer computer general controls to gain assurance that the program operates consistently over time.

In addi additi tion on to to actu actual ally ly obs obser ervi ving ng the the pro proces cessi sing ng of of data data by by the the clie client nt,, the the audi audito torr can be satisfied that the computer programs presented are actually being used by the client to process its accounting data by re"uesting the program on a surprise basis from the I librarian librarian and using it to process a test data.

he C%A may also re"uest on a surprise basis that the program be left in the computer at the completion of processing so that he or she may use the program to process test data. his procedure may reveal computer operator intervention, as ell as assuring that a current version











•

b.

Computer file security should be provided to assure that entries are not made to the accounts ecept during d uring normal processing periods.

he internal controls hich should be in effect pertaining to matters matters other than information input are as follos! Account balances should be backed-up or printed at regular intervals to • provide for record reconstruction and testing. Dimit tests should be included in the computer co mputer program to permit ready • identification of obvious eceptions, e.g., a ithdraal from an account should not eceed the balance on deposit in the account. he internal audit staff should have the responsibility for testing accounts and • transactions and checking error listings. Ad/ustments Ad/ustments to the accounts acc ounts proposed by the internal audit staff should first first be approved by a responsible official and then be recorded in the normal manner so as to provide proper segregation of ork. Account balance printouts and transaction records necessary to reconstruct the • accounts should be maintained in a separate location from the computer file storage as a precaution against simultaneous destruction. here should be provision for continued operation to avoid a time loss in case • of computer failure, e.g., each terminal should have mechanical registers in addition to the computer's electronic registers. 5ecurity should be provided at each terminal to assure that certain operations •











(2)

(#)

($) (&) (4)

(6)

(8) (:) (1=) (11) (11) (12)

his is the most conservative of the control risk assessments for occurrence of credit sales (lo), the completeness of cash receipts (moderate), and the completeness of sales returns and alloances (moderate). his is the most conservative of the control risk assessments for occurrence of purchases (lo), the completeness of cash disbursements (lo), and the completeness of purchase returns (moderate). his is /ust the control risk assessment for the occurrence of credit sales (lo). his is the most conservative of the control risk assessments for the completeness of cash receipts (moderate), and the occurrence of cash disbursements (lo). his is the most conservative of the control risk assessments for the completeness of credit sales (lo), the occurrence of cash receipts (lo) and the occurrence of sales returns and alloance (lo). his is the most conservative of the control risk assessments for the completeness of purchases (lo), the occurrence of cash disbursements (lo) and the occurrence of purchase returns (lo). his his is /ust /ust the the contro controll risk risk asse assessm ssment ent for for the the compl complete eteness ness of cred credit it sale saless (lo) (lo).. his his is the the most most cons conserv ervati ative ve combin combinati ation on of the the valua valuatio tion n or alloc allocati ation on asser assertio tions ns for for cash cash receipts (lo) and cash disbursements (lo). his is is the most conservativ conservativee combination combination of of the valuation valuation or allocation allocation asser assertions tions for credit credit sales (lo), cash receipts (lo), and sales returns (moderate). his is the the most most conserv conservative ative combination combination of the the valuati valuation on or allocation allocation assertions assertions for purchases (lo), cash disbursements (lo), and purchases returns returns (lo). his is /ust the control control risk assessment for the valuation of credit sales (lo).













b. 1.

2.

+eakness ?rgani*ation an and op operation he 0% manager reports to a significant user department. here is improper segregation of functions beteen programming and computer operations. here is is no no da data co control gr group.

5ystems de development an and documentation controls %rogra %rogram m docu docume menta ntatio tion n is is inad inade"u e"uate ate.. An ope opera rato tor' r'ss manu manual al is is not not prov provid ided ed.. ?perators can ch change pr programs.

&ecommended Improvement 0% manager should report to president or some other nonuser officer.

%rogramming and computer operations should be separated. A data co control gr group sh should be be es established.

All progra programs ms should should be fully fully docume documente nted. d. An ope opera rato tor' r'ss manu manual al sho shoul uld d be prov provid ided ed to to facilitate the running of computer programs. ?nly pr programm ammers ers sh should be be ab able to to ch change











b.

+eakness procedures hen they encounter encounter difficulties. >o back-up e"uipment e"uipment is provided.

her heree is no defi defin nite ite rete retent ntio ion n plan plan.. here is no provision for a data control group to monitor 0% activity. 4.

Input Controls here apparently are no controls over input data.

&ecommended Improvement approved by a supervisor or the 0% manager. 9ack-up e"uipment should should be provided at another location and the capability of such e"uipment should be tested periodically. A defi defini nite te plan plan,, suc such h as the the gran grandf dfat athe herrfather-son, should be implemented. A data control group should be established.

A data control group should control input data through revie of data and control totals.











rofessional rofessional Simulation &esearch Situation

Internal Control 'eficiencies

Communication

3ith 3ith respect to understand computer controls A; #1:.$# reads as follos! .$# he auditor should obtain an understanding understanding of ho I affects control activities activities that are relevant to planning the audit. 5ome entities and auditors may vie the I control activities in











program are not made ithout being sub/ect to the appropriate program change controls, that the authori*ed version of the program is used for processing transactions, and that other relevant general controls are effective. 5uch tests also might include determining that changes to the programs have not been made, as may be the case hen the entity uses packaged softare applications ithout modifying or maintaining them. .6: o test test automa automated ted cont control rols, s, the the audito auditorr may need to to use techni techni"ues "ues that that are are differ different ent from from those used to test manual controls. or eample, computer-assisted audit techni"ues may be used to test automated controls or data related to assertions. Also, Also, the auditor may use other automated au tomated tools or reports produced by I to test the operating e ffectiveness of general controls, such as program change controls, access controls, and system softare controls. he he auditor should consider hether speciali*ed skills are needed to design and perform such tests of controls.











auditor still needs a sufficient sufficient understanding of the design of the system to plan the audit. his ill usually include some level of system alk through. his process ill often identify identify deficiencies in the design of the system of internal control. urther, the auditor7s auditor7s substantive tests may reveal misstatements in the the accounting records. hese tests may also lead the audit to discover significant deficiencies in the system of internal control. oever, under these to audit approaches, the nature, timing and etent of the audit procedures differ. differ. As a result, the likelihood likelihood of significant deficiencies coming to the auditor7s attention attention may also differ  particularly hen the auditor has not tested the operating effectiveness of the system of internal control (e.g., hen folloing a primarily substantive approach).

Communication













3hen performing a system alk through e did not find controls to ensure that all goods ordered are received, or that goods received are recorded as accounts payable in the proper period.

Boynton SM Ch.11

Recommend Documents