After obtaining and documenting the auditors understanding of the
accounting and internal control systems, the auditor should make a preliminary assessment of control risk, at the assertion level, for each maternal account balance or class transactions. The auditors preliminary assessment of control risk may be at a high level (100%) or less than high level. When the auditors knowledge of the entitys internal control indicates that internal controls related to a particular assertion are not effective, the auditor may simply assess control risk at a high level. Hence, no tests of controls need to be performed and the auditor will rely primarily on substantive tests. On the other hand, if the auditor believes that controls appear to be reliable, the auditor should determine whether it is efficient to obtain the evidence to justify an assessment of control risk at a lower level. If the auditor concludes that it is more efficient to rely on the entitys internal control systems, the auditor would plan to assess control risk at less than high level. For this purpose, the auditor should
Identify specific internal control policies or procedures that are likely
to prevent or detect and correct material misstatement relevant to financial statement assertions, and Perform test of control to determine the effectiveness of such policies or procedures. Performing test of controls Irrespective of how effective internal control procedures may appear to be in preventing material misstatements from occurring in the financial statements, before the auditor can rely on them to reduce substantive tests, the auditor must test these controls to obtain evidence that they are working effectively as the preliminary assessment suggests. Test of controls are performed to obtain evidence about the effectiveness of the
Design of the accounting and internal control systems, or
Operation of the internal controls throughout the period. It is important to note that the auditor will only tests the operating effectiveness of controls that are likely to detect or prevent material misstatement. That is, the auditor will only test those controls that he or she plans to rely upon. According to PSA, the auditor should obtain audit evidence through tests of control to support any assessment of control risk at less than high level. The lower the assessment of control risk, the more support the auditor should obtain that the internal control is suitably designed and operating effectively. Thus, the greater the reliance the auditor plans to place on internal control, the more extensive the tests of those controls that need to be performed.
Nature of tests of control
Test of control generally consist of one (or a combination) of the following evidence gathering techniques- (1) inquiry, (2) observation, (3) inspection, and (4) reperformance. Inquiry consist of searching for the appropriate information about the effectiveness of internal control from knowledgeable persons inside or outside the entity. Observation refers to looking at the process being performed by others. For example the auditor may observe the payroll payoff procedures or the performance of internal control procedures that leave no evidence of performance. Inspection involves the examination of documents and records to provide evidence of reliability depending on their nature and source and the effectiveness of internal control over their processing. Reperformance involves repeating the activity performed by the client to determine whether proper results were obtained. For example, the auditor may reperform the procedure by tracing the sales prices to the authorized price list in effect at the date of the transaction. If no errors are found, the auditor can conclude that the procedure is operating as intended. For certain controls such as segregation of duties, documentary evidence (audit trail) may not exist. In this case, the auditor will have to test the effectiveness of the control procedure by making inquiry of appropriate client personnel and observing the application of the control procedures. There is a significant overlap between the procedures used to obtain understanding and test of controls. Notice that inquiry of client personnel, observation of procedures and inspection of documents are also used when obtaining understanding about the entitys internal control system. In fact, many of the procedures used to understand the design of internal control may provide evidence about the reliability of the clients accounting and internal control systems. Consequently, obtaining understanding of the entitys internal control system and assessing control risks are often done simultaneously. Timing of tests controls Auditors usually perform tests of control during interim visit in advance of period end. However, auditors cannot rely on the results of such tests without considering the need to obtain further evidence relating to the remainder of the period. The evidence may be obtained by performing test of control for the remaining period. This evidence may be obtained by performing test of control for the remaining period or by reviewing whether there are changes affecting the entitys internal control system. In determining whether or not to test the remaining period, the following factors must be considered.
The result of the interim test.
The length of the remaining period. Whether changes have occurred in the accounting and internal control systems during the remaining period.
Extent of test control
The auditor cannot possibly examine all transactions related to certain control procedures. In an audit, the auditor should determine the size of the sample sufficient to support the assessed level of control risk.
Using the result of test control
Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as intended. The conclusion as a result of the evaluation is called the assessed level of control risk. The auditor uses the assessed level of control risk (together with the assessed level of inherent risk) to determine the acceptable level of detection risk. For example, if the combined assessed level of inherent and control risk is high, detection risk need to be low to reduce audit risk to an acceptably low level. In this regard, the auditor may considering modifying. The nature of substantive test from less effective to more effective procedures. The timing of substantive tests by performing them at year-end rather than at interim. The extent of substantive tests from smaller to larger sample size. Operating effectiveness vs. implementation Testing the operating effectiveness of controls is different from obtaining audit evidence that controls have been implemented. When obtaining audit evidence of implementation by performing risk assessment procedures, the auditor determines that the relevant controls exist and that the entity is using them. When performing tests of the operating effectiveness of controls, the auditor obtains audit evidence that controls operate effectively. This includes obtaining audit evidence about how controls were applied at relevant times during the period under audit, the consistency with which they were applied, and by whom or by what means they were applied. Documenting the assessed level of control risk After evaluating the results of tests of control and assessing the control risk, the auditor should document his assessment of control risk. If the control risk is assessed at a high level, the auditor should document his conclusion that control risk is at a high level. If control risk is assessed at less than high level, the auditor should document his conclusion that control risk is less than high and the basis for that assessment. This basis is actually the result of test of control. Hence, the auditor cannot assess control risk at less than high level without performing tests of control. Communication of Internal Control Weaknesses As a result of the auditors consideration of the accounting and internal control systems, the auditor may become aware of weakness in the systems. In this regard, the auditor is required to report to the appropriate level of management material weaknesses in the design or operation of the accounting and internal control systems, which have come to the auditors attention. This communication would ordinarily be in writing and should be done at the earliest opportunity so that the appropriate corrective actions may be taken as soon as possible. Oral communications could also be made provided these are adequately documented in the audit working papers. It is to be emphasized that auditors are not required to search for and/or identify internal control weaknesses. The auditors must, however, communicate internal control weaknesses to the client when they come to their attention during the course of the audit. These internal control weaknesses together with other matters of concern are documented in a formal management letter.