
Internal control

A guide for auditors in DTTL member firms


September 2017 (Version 5)

For internal distribution only


Internal control

Table of contents
What is a guide for auditors in DTTL member firms? .... 5
1 Introduction .... 6
2 Understanding internal control .... 7
2.1 Introduction .... 7
2.2 Process flow for understanding internal control .... 7
2.3 Understand the components of internal control and the entity’s flows of transactions .... 8
2.4 Identify relevant control activities .... 19
2.5 Evaluate design and determine implementation .... 31
2.6 Documentation considerations for understanding internal control .... 37
2.7 Appendix A — Reference guide for performing a walkthrough to understand the likely sources of misstatements .... 39
2.8 Appendix B — Illustrative examples .... 41
3 Testing operating effectiveness of controls .... 42
3.1 Introduction .... 42
3.2 Process flow for testing operating effectiveness of controls .... 42
3.3 Determine the need to test operating effectiveness of controls .... 43
3.4 Assess the risk associated with the control .... 47
3.5 Plan the nature, timing, and extent of tests of operating effectiveness of controls .... 50
3.6 Perform tests of operating effectiveness of controls .... 65
3.7 Assess findings and conclude on the operating effectiveness of controls .... 65
3.8 Documentation considerations for testing operating effectiveness of controls .... 70

© 2017 For information, contact Deloitte Touche Tohmatsu Limited Page 2 of 186
Internal control

3.9 Appendix A — Illustrative examples: factors to consider in determining when substantive procedures alone cannot provide sufficient appropriate audit evidence .... 71
3.10 Appendix B — Reference guide for testing operating effectiveness of controls .... 75
3.11 Appendix C — Illustrative examples .... 78
4 Evaluating and communicating control deficiencies .... 79
4.1 Introduction .... 79
4.2 Process flow for evaluating and communicating deficiencies in internal control .... 79
4.3 Accumulate identified control deficiencies .... 83
4.4 Evaluate the significance of each control deficiency, individually and in the aggregate .... 85
4.5 Determine the effect of control deficiencies on the audit of the financial statements .... 94
4.6 Communicate control deficiencies .... 97
4.7 Documenting considerations for evaluating control deficiencies and concluding .... 98
5 Controls with a review element - Management review controls .... 100
5.1 Introduction .... 100
5.2 Management review controls explained .... 101
5.3 Management review controls: Evaluation and testing considerations .... 103
5.4 Management review controls documentation considerations .... 117
6 Information technology considerations .... 121
6.1 Introduction .... 121
6.2 Understand how IT affects the flows of transactions .... 123
6.3 Identify relevant applications, data warehouses, report writers, and other technology elements .... 127
6.4 Identify and assess risks arising from IT .... 139
6.5 Understand, identify, and evaluate relevant general IT controls .... 149
6.6 Conclude on risks arising from IT and determine the audit response .... 155
6.7 Evaluate the severity of each general IT control deficiency identified, individually and in the aggregate .... 159
6.8 Differences .... 159
7 Information used in a control .... 163
7.1 Introduction .... 163
7.2 Process flow for evaluating/testing the accuracy and completeness of information used in a control relevant to the audit .... 164
7.3 Identifying the relevant information used in a control .... 164
7.4 Determine which aspects of the information are relevant to the effectiveness of the control .... 165
7.5 Understand how the relevant information is produced .... 165
7.6 Evaluating the reliability of IUC in evaluating design and determining the implementation of a control .... 170
7.7 Approach to testing the accuracy and completeness of IUC .... 171
7.8 Identify and test the controls that address the accuracy and completeness of IUC .... 171
7.9 Testing the accuracy and completeness of IUC directly .... 178


What is a guide for auditors in DTTL member firms?


Guides may be issued from time to time. Guides may be used by auditors in Deloitte Touche
Tohmatsu Limited (DTTL) member firms as resource material with respect to general audit information
and background to improve their knowledge when performing an audit, supporting an audit or
understanding aspects of auditing. These guides are developed by DTTL Global Audit & Assurance and
are issued to provide information and background on specific audit topics or issues. Guides do not
establish requirements for the performance of an audit in accordance with DTTL’s audit approach.
These guides are designed only to provide auditors with detailed examples, additional background, or
practical assistance in auditing.


1 Introduction
This guide has been developed to assist auditors in enhancing their understanding of the internal
control related requirements in the DTTL Audit Approach Manual (DTTL AAM) and International
Standards on Auditing (ISAs). The chapters of this guide span the entire audit process from
understanding internal control, as part of obtaining an understanding of the entity and its
environment, to concluding and reporting. This guide focuses on issues for which engagement teams
frequently seek guidance on applying the DTTL audit approach. Therefore, it is not intended to provide
comprehensive guidance on all matters related to the auditor’s responsibilities with respect to internal
control in an audit.

The chapters in this guide generally include:


• An overall process flow
• A description of the key activities related to each step within the process flow
• Excerpts of the applicable requirements and guidance
• Guidance on how to address the requirements of the DTTL Audit Approach Manual when planning
and performing the key activities
• Common pitfalls and tips to avoid pitfalls
• Documentation considerations.


2 Understanding internal control

2.1 Introduction
This section provides an overview of the approach to understanding internal control during a financial
statement audit, which is required as part of obtaining an understanding of the entity and its
environment. This involves identifying relevant controls and evaluating the design of the controls
identified and determining whether they have been implemented.

2.2 Process flow for understanding internal control

[Process flow: Understand the components of internal control and the entity’s flows of transactions → Identify relevant control activities → Evaluate design and determine implementation]

The following process flow illustrates the steps undertaken to understand the internal control relevant
to the audit, including evaluating the design and determining the implementation for relevant controls.
The evaluation of design and determination of implementation is applied to each of the relevant
controls identified.

2.2.1 Key activities in the process flow for understanding internal control
Key activities for understanding the components of internal control and the entity’s flows of
transactions:
• Obtain or prepare an appropriate documented description of the process
• Obtain or update our understanding of the components of internal control and the identified
relevant flows of transactions or processes that relate to material classes of transactions, account
balances and disclosures, for example:
- Perform a walkthrough
- Trace transaction types throughout the process, from origination until they are reflected in the
entity’s financial records
- Ask questions related to the process, risks, and controls
- Obtain evidence of the design of relevant controls.

Key activities for identifying relevant controls:


• Identify controls that are relevant to the audit, giving consideration to their nature, approach, and
type.
• Controls that are relevant to the audit are (1) those that are judged necessary to understand in
order to assess the risks of material misstatement, (2) those that address significant risks, (3)
those that are relevant because substantive testing alone would not provide adequate audit
evidence, and (4) those we plan to rely upon when we design further audit procedures.

Key activities for evaluating design and determining implementation:


• Evaluate the design of each relevant control by considering (1) the nature of the risks of material
misstatement to which the control relates, (2) the detailed description of the control, and (3) the
factors to determine whether the control is appropriately designed.
• Determine the implementation of each of the relevant controls, i.e., that the control exists and that
the entity is using it.
• Conclude and document the procedures performed, basis for professional judgments, and
conclusions related to each of the above activities.
• Accumulate any control deficiencies for evaluation and classification as to significance.


2.3 Understand the components of internal control and the entity’s flows of transactions

[Process flow: Understand the components of internal control and the entity’s flows of transactions → Identify relevant control activities → Evaluate design and determine implementation]

We are required to obtain an understanding of internal control relevant to the audit. Relevant controls
may exist within each of the following components of internal control:
• The control environment; (Section 2.3.1)
• The entity’s risk assessment process; (Section 2.3.2)
• The information system, including the related business processes, relevant to financial reporting,
and communication; (Section 2.3.3)
• Control activities; and (Section 2.4)
• Monitoring of controls. (Section 2.3.4)

General information technology controls (GITCs) are discussed in Chapter 6 of this guide.

Our understanding of these components informs our identification and assessment of risks of material
misstatement at the financial statement level and assertion level, regardless of whether or not we plan
to test operating effectiveness of controls to obtain audit evidence. The first three and last
components relate more pervasively to the financial statements as a whole, and if effective, provide a
strong control foundation for the entity.

Our responses to financial statement level risks might include the following, as provided in DTTL AAM
13300.6:

DTTL AAM Literature:
Overall responses to address the assessed risks of material misstatement at the
financial statement level and to increased engagement risk may include:
• Emphasizing to the engagement team the need to maintain professional
skepticism.
• Assigning more experienced staff or those with special skills or using experts.
• Providing more supervision.
• Incorporating additional elements of unpredictability in the selection of further
audit procedures to be performed.
• Making general changes to the nature, timing or extent of audit procedures, for
example: performing substantive procedures at the period end instead of at an
interim date; or modifying the nature of audit procedures to obtain more
persuasive audit evidence.
[DTTL AAM 13300.6]

Understanding the relevant controls in these components includes evaluating their design and
determining whether they have been implemented.

2.3.1 Control environment


The control environment can be described as the attitudes, awareness, and actions of management
and those charged with governance concerning the entity’s internal control and its importance in the
entity. DTTL AAM 12200.41 provides the following requirement for understanding the entity’s control
environment:


DTTL AAM Literature:
The auditor shall obtain an understanding of the control environment. As part of
obtaining this understanding, the auditor shall evaluate whether:
(a) Management, with the oversight of those charged with governance, has created
and maintained a culture of honesty and ethical behavior; and
(b) The strengths in the control environment elements collectively provide an
appropriate foundation for the other components of internal control and whether
those other components are not undermined by deficiencies in the control
environment.
[DTTL AAM 12200.41]

The control environment in and of itself does not prevent, or detect and correct, material
misstatements. It may, however, affect our evaluation of the effectiveness of other controls (e.g., the
monitoring of controls and the operation of specific control activities) and, as a result, our
identification and assessment of the risks of material misstatement at the financial statement level
and the assertion level, and our planned audit procedures to respond to those risks.

The following guidance from DTTL AAM 13300.8 addresses the effect of our understanding of the
control environment on the audit:

DTTL AAM Literature:
The assessment of the risks of material misstatement at the financial statement level,
and thereby the auditor’s overall responses, is affected by the auditor’s understanding
of the control environment. An effective control environment may allow the auditor to
have more confidence in internal control and the reliability of audit evidence generated
internally within the entity and thus, for example, allow the auditor to conduct some
audit procedures at an interim date rather than at the period end. Deficiencies in the
control environment, however, have the opposite effect. The auditor may respond to
an ineffective control environment by:
• Conducting more audit procedures as of the period end rather than at an interim
date.
• Obtaining more extensive audit evidence from substantive procedures.
• Increasing the number of locations to be included in the audit scope.
[DTTL AAM 13300.8]

As noted above, the entity’s control environment is especially important because of its pervasive
impact on the entity’s financial statements and, consequently, may have an impact on our audit,
including our evaluation of design and determination of implementation of relevant controls, our ability
to test operating effectiveness of controls to obtain audit evidence, our scoping of group audits, and
our ability to perform interim testing. The existence of an effective control environment can be a
positive factor when we assess the risks of material misstatement; conversely, an ineffective control
environment may undermine the effectiveness of other controls.
For example, we may conclude that an entity has an ineffective control environment because
management is not committed to accurate financial reporting, including the importance of effective
internal controls. This lack of commitment could negatively affect the effectiveness of a cash
reconciliation control because those performing the control do not possess the appropriate attitude or
awareness of the importance of the control to the entity’s financial reporting objectives. As a result,
we might determine that the reconciliation control is not designed or implemented effectively, which
may affect our planned audit procedures, including our ability to rely on the reconciliation control to
alter the nature, timing, and/or extent of our substantive procedures. Even if we were not planning to
rely on this control, our understanding of the control environment and its effect on the reconciliation
control might lead us to change our planned substantive procedures (e.g., changing the timing of our


tests from interim to year-end, performing more extensive substantive tests of details of the cash
reconciliation).

Our evaluation of the entity’s control environment takes into account the nature, size, and complexity
of the entity. For example, those charged with governance in smaller entities may not include an
independent or outside member, and the role of governance may be undertaken entirely by the
owner-manager or a management committee. Similarly, smaller entities might not have a written
code of conduct but, instead, may have developed a culture that emphasizes the importance of
honesty and ethical behavior through oral communications and management’s example. Although
these controls are less formal and less complex than those in larger entities, they may nevertheless
be effective given the nature, size, and complexity of the entity.

DTTL AAM Literature:
Elements of the control environment that may be relevant when obtaining an
understanding of the control environment include the following:
(a) Communication and enforcement of integrity and ethical values – These are
essential elements that influence the effectiveness of the design, administration
and monitoring of controls.
(b) Commitment to competence – Matters such as management’s consideration of
the competence levels for particular jobs and how those levels translate into
requisite skills and knowledge.
(c) Participation by those charged with governance – Attributes of those charged
with governance such as:
• Their independence from management.
• Their experience and stature.
• The extent of their involvement and the information they receive, and the
scrutiny of activities.
• The appropriateness of their actions, including the degree to which difficult
questions are raised and pursued with management, and their interaction
with internal and external auditors.
(d) Management’s philosophy and operating style – Characteristics such as
management’s:
• Approach to taking and managing business risks.
• Attitudes and actions toward financial reporting.
• Attitudes toward information processing and accounting functions and
personnel.
(e) Organizational structure – The framework within which an entity’s activities for
achieving its objectives are planned, executed, controlled, and reviewed.
(f) Assignment of authority and responsibility – Matters such as how authority and
responsibility for operating activities are assigned and how reporting
relationships and authorization hierarchies are established.
(g) Human resource policies and practices – Policies and practices that relate to, for
example, recruitment, orientation, training, evaluation, counselling, promotion,
compensation, and remedial actions.
[DTTL AAM 12200.43]

We are not required to obtain an understanding of all of these elements for every entity. Accordingly,
we may consider only those elements that are important to our understanding, based on the nature,
size, and complexity of the entity, keeping in mind that the objective of our understanding in DTTL
AAM 12200.41 is to evaluate whether (1) “management, with the oversight of those charged with


governance, has created and maintained a culture of honesty and ethical behavior” and (2) “the
strengths in the control environment elements collectively provide an appropriate foundation for the
other components of internal control and whether those other components are not undermined by
deficiencies in the control environment.”

Entities with a less formal control environment also tend to have little or no documentation of their
processes and controls for the control environment, making our tests of implementation challenging.
For example, management may informally communicate the importance of honesty and ethical
behavior through example and day-to-day involvement in the financial reporting of the entity, and
there may be little written evidence of these activities. In these situations we may be able to
corroborate our inquiries of entity personnel with observations of management’s actions and day-to-
day involvement, as well as our own experiences with management. We cannot base our
understanding of controls on inquiry alone, and, as a result, we corroborate our inquiries with
procedures such as inspection of documents and reports used in the control and/or observation of the
operation of the control.

Documentation of our understanding of the elements of the entity’s control environment that we
consider important and our identification and evaluation of relevant controls is a matter of professional
judgment. Nevertheless, the extent of our understanding of the process and relevant controls needs to
be sufficient to inform our identification and assessment of risks of material misstatement related to
the financial statements and our conclusions that management, along with those charged with
governance, has created and maintained a culture of honesty and ethical behavior and that the control
environment provides an appropriate foundation for the other components of internal control.

2.3.2 The entity’s risk assessment process


The entity’s risk assessment process includes how management:
• Identifies business risks relevant to the preparation and fair presentation of financial statements in
accordance with the applicable financial reporting framework
• Estimates their significance
• Assesses the likelihood of their occurrence
• Decides about actions to address them.

Every entity, regardless of size, has certain objectives it seeks to achieve, and thus faces certain
threats or risks, internal and external, to achieving those objectives. Management’s process for
identifying business risks relevant to financial reporting objectives and the actions taken to address
them, including risks related to financial reporting, is important to our audit because management’s
objectives for its risk assessment process are closely aligned with our objective to identify and assess
risks of material misstatement of the financial statements.
For example, how management identifies and responds to the possibility of unrecorded transactions
might cause us to make overall changes to our audit to obtain more persuasive evidence that material
transactions have been captured and reported.
For example, how management monitors and responds to changes in its regulatory environment
might result in identification of a financial statement level risk that management will not identify and
appropriately respond to changes in the regulatory environment that could have a material effect on
the financial statements. The identification and assessment of this risk might cause us to involve
experts on the engagement team who possess expertise in the relevant regulatory matters.

DTTL AAM Literature:
The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks.
[DTTL AAM 12200.64]

If the entity has established such a process (“entity’s risk assessment process”), the
auditor shall obtain an understanding of it and the results thereof. If the auditor
identifies risks of material misstatement that management failed to identify, the
auditor shall evaluate whether there was an underlying risk of a kind that the auditor
expects would have been identified by the entity’s risk assessment process. If there
is such a risk, the auditor shall obtain an understanding of why that process failed to
identify it and evaluate whether the process is appropriate to its circumstances or
determine if there is a significant deficiency in internal control with regard to the
entity’s risk assessment process. [DTTL AAM 12200.68]

Similar to the control environment, smaller entities often have less formal and less complex risk
assessment processes than larger entities. In smaller entities, management is often able to learn
about risks through direct personal involvement in day-to-day business activities as well as through
interactions with employees and outside parties. In contrast, larger, more complex entities may have
formal risk assessment processes with extensive written policies and procedures that are maintained
and monitored by designated employees. Regardless of the formality of management’s risk
assessment process, our understanding of the risks management has identified and its responses to
those risks is important to our identification of risks of material misstatement of the financial
statements in our audit.

As noted in DTTL AAM 12200.68 above, if we identify risks of material misstatement that management
failed to identify, we would evaluate whether the risks should have been identified by the entity’s risk
assessment process.
For example, in performing our risk assessment procedures, we may find that (1) management
entered into an interest rate swap agreement with its primary lender in the current year and (2)
management’s risk assessment process failed to identify the risk associated with the accounting for
and disclosure of the swap. In this case, we would design appropriate audit procedures in response to
this risk of material misstatement at the relevant account and assertion level. We would also obtain an
understanding of why the entity’s process failed to identify this risk and evaluate whether the process
is appropriate to the entity’s circumstances or determine if a deficiency or significant deficiency in
internal control exists regarding the entity’s risk assessment process.

Many smaller entities may not have a formal risk assessment process or may have an ad hoc process.

DTTL AAM Literature:
If the entity has not established a risk assessment process or has an ad hoc
process, the auditor shall discuss with management whether business risks
relevant to financial reporting objectives have been identified and how they have
been addressed. The auditor shall evaluate whether the absence of a documented
risk assessment process is appropriate in the circumstances or determine whether
it represents a significant deficiency in internal control. [DTTL AAM 12200.69]

Even though a smaller entity has an informal or ad hoc risk assessment process, its process may
nevertheless be appropriate for its nature, size, and complexity because management is able to
identify risks through direct personal involvement in the business.

2.3.3 Information system, including the related business processes, relevant to financial
reporting, and communication
An entity’s information system, including the related business processes, relevant to financial
reporting and communication, supports the identification, capture, and exchange of information in a
form and time frame that enables individuals to carry out their financial reporting responsibilities. An
information system may consist of infrastructure (physical and hardware components), software,
people, procedures, and data. Many information systems make extensive use of information
technology (IT).


An entity’s information system policies and procedures might address:


• How the entity captures transactions, events and conditions that are significant to the financial
statements
• The procedures the entity uses to prepare financial statements and related disclosures
• How the entity communicates financial reporting roles and responsibilities and significant matters
related to financial reporting.

DTTL AAM Literature:
The auditor shall obtain an understanding of the information system, including the
related business processes, relevant to financial reporting, including the following
areas:
(a) The classes of transactions in the entity’s operations that are significant to the
financial statements;
(b) The procedures, within both information technology (IT) and manual systems, by
which those transactions are initiated, recorded, processed, corrected as
necessary, transferred to the general ledger and reported in the financial
statements;
(c) The related accounting records, supporting information and specific accounts in
the financial statements that are used to initiate, record, process and report
transactions; this includes the correction of incorrect information and how
information is transferred to the general ledger. The records may be in either
manual or electronic form;
(d) How the information system captures events and conditions, other than
transactions, that are significant to the financial statements;
(e) The financial reporting process used to prepare the entity’s financial statements,
including significant accounting estimates and disclosures; and
(f) Controls surrounding journal entries, including non-standard journal entries used
to record non-recurring, unusual transactions or adjustments.
This understanding of the information system relevant to financial reporting shall
include relevant aspects of that system relating to information disclosed in the
financial statements that is obtained from within or outside of the general and
subsidiary ledgers.
[DTTL AAM 12200.71]

The auditor shall obtain an understanding of how the entity communicates financial
reporting roles and responsibilities and significant matters relating to financial
reporting, including:
(a) Communications between management and those charged with governance; and
(b) External communications, such as those with regulatory authorities.
[DTTL AAM 12200.85]

Section 2.3.5 and Chapter 6 of this guide address our understanding of the flows of transactions or
processes for material classes of transactions, account balances and disclosures and the role of IT in
the process (DTTL AAM 12200.71(a)-(c) above). This section will address the financial reporting
process in DTTL AAM 12200.71(d)-(f), and the entity’s communication of financial reporting roles and
responsibilities in DTTL AAM 12200.83 above.
The financial reporting process

The financial reporting process, while an undefined term in the professional standards, generally refers
to the process that begins where the underlying flows of transactions at the account balance or

© 2017 For information, contact Deloitte Touche Tohmatsu Limited Page 13 of 186

assertion level culminate (e.g., typically a subsidiary ledger or the general ledger). The financial
reporting process then encompasses all the steps necessary to prepare, review, and approve the
financial statements, including required disclosures, in accordance with the applicable financial
reporting framework.

Our understanding of the entity’s financial reporting process generally includes its policies and
procedures for:
• Establishing, communicating, and maintaining the entity’s accounting policies and procedures
• Initiating, authorizing, recording, and processing of standard and nonstandard journal entries
• Initiating and recording recurring and nonrecurring adjustments to the financial statements that
are not reflected in formal journal entries
• Combining and consolidating the general ledger data
• Preparing the financial statements and disclosures.

Our understanding of the financial reporting process is closely related to our understanding of the
entity’s flows of transactions. To avoid “gaps” in our understanding and audit documentation it is
important that we clearly understand and document how our process narratives for material classes of
transactions, account balances and disclosures relate to the financial reporting process. As part of this
process, we also consider the role of IT.

Our understanding of the entity’s financial reporting process involves the same thought process and
considerations relating to understanding processes and relevant controls as for material classes of
transactions, account balances and disclosures. Our understanding needs to be sufficient to identify
and assess risks of material misstatement, identify and evaluate design and determine implementation
of relevant controls, and determine our further audit procedures to test the entity’s annual financial
statement presentation. The extent of our understanding of the financial reporting process is a matter
of professional judgment. However, the extent of our understanding of the financial reporting process
will generally need to increase as the complexity of the entity’s process increases.
For example, our understanding of a process with numerous sub-ledgers, multiple layers of
consolidation, and complex IT systems would generally need to be more extensive than the process
for a single-component entity that manually prepares its financial statements. Smaller entities with
active management involvement and relatively simple financial reporting processes, such as a single-
location entity that uses “out of the box” purchased accounting and reporting software, may not need
extensive descriptions of accounting procedures or written policies.

In addition, as part of obtaining an understanding of the entity and its environment, we obtain an
understanding of the entity’s selection and application of accounting policies. This understanding is
often obtained as part of our understanding of the entity’s financial reporting process. Below is the
requirement in DTTL AAM 12100.3(c) for our understanding and guidance on applying this
requirement from DTTL AAM 12100.26:

DTTL AAM Literature: The auditor shall evaluate whether the entity’s accounting policies are appropriate
for its business and consistent with the applicable financial reporting framework and
accounting policies used in the relevant industry. [DTTL AAM 12100.3(c)]

An understanding of the entity’s selection and application of accounting policies may
encompass such matters as:
• The methods the entity uses to account for significant and unusual transactions.
• The effect of significant accounting policies in controversial or emerging areas for
which there is a lack of authoritative guidance or consensus.
• Changes in the entity’s accounting policies.


• Financial reporting standards and laws and regulations that are new to the entity
and when and how the entity will adopt such requirements.
[DTTL AAM 12100.26]

As noted above, our understanding of the financial reporting process and the relevant controls in the
process informs our identification and assessment of risks of material misstatement and our further
audit procedures. Relevant controls in the financial reporting process include controls over journal
entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or
adjustments (as required by DTTL AAM 12200.71(f)). See Section 2.4.4 for further discussion of
controls over journal entries.

Relevant controls in the financial reporting process also include controls we judge are necessary to
understand in order to appropriately identify risks and plan further audit procedures (as required by
DTTL AAM 12200.105).
For example, as a result of our understanding of an entity’s financial reporting process and relevant
controls, we might conclude that the entity does not have an appropriate process and controls over
preparation of the statement of cash flows. In this situation, we might plan more extensive procedures
to test and review the statement of cash flows.

Similar to the way in which we obtain an understanding of the processes and relevant controls for
material classes of transactions, account balances and disclosures, performing a walkthrough of the
financial reporting process is likely to be the most effective way to validate our understanding of the
process from end-to-end, and our identification and understanding of relevant controls in the process.
See Section 2.4.3 for further discussion of walkthroughs. In smaller entities, walkthroughs may only
be feasible for the year-end process because the entity does not prepare complete financial
statements in accordance with the applicable financial reporting framework on a monthly or quarterly
basis. In those situations, we might obtain our initial understanding of the process and controls
through inquiries of management and employees involved in the year-end process, and then validate
our understanding when performing audit procedures to test the annual financial statement
presentation.
Communication

As noted in DTTL AAM 12200.85, we are also required to understand how the entity communicates
financial reporting roles and responsibilities and significant matters relating to financial reporting. The
entity’s communication process includes matters such as whether personnel understand how their
roles and responsibilities relate to the work of others in the financial reporting process and how they
would report exceptions to the entity’s financial reporting policies and procedures to an appropriate
higher level within the entity. Open communication channels help to ensure that exceptions are
reported and acted on.

In larger entities, communication is generally a formal process, often consisting of written policies and
financial reporting manuals. In smaller, less complex entities, communication may be less structured
and informal due to fewer levels of responsibility and management’s involvement in daily activities of
the entity and availability to employees.

Our understanding of the communication process is important to our identification of risks of material
misstatement and the design of further audit procedures related to the entity’s information system for
financial reporting.
For example, our understanding of the entity’s communication process and relevant controls may
result in identification of a risk that the financial statements will not be presented in accordance with
generally accepted accounting principles because employees do not understand how and when they
are to communicate exceptions to the entity’s accounting policies and procedures to management. Our
response to this risk might be to assign more experienced personnel to review the annual financial
statement presentation, including the completeness and accuracy of disclosures.


Our evaluation of design and determination of implementation of relevant controls within the entity’s
information system, including its financial reporting process, and communication takes into account
the nature, size, and complexity of the entity, while keeping in mind that the system should be
sufficient to support the identification, capture, and exchange of information in a form and time frame
that enables individuals to carry out their financial reporting responsibilities.

In smaller entities that lack formal policies and procedures, it is usually necessary to corroborate our
inquiries of those in financial reporting roles with other procedures, such as observation of the year-
end close and reporting process.

2.3.4 Monitoring of controls


Monitoring of controls refers to the entity’s process for assessing the effectiveness of internal control
relevant to financial reporting over time, including:
• The sources of the information related to monitoring activities
• The basis upon which management considers the information to be sufficiently reliable for their
purposes
• How management initiates remedial actions regarding deficiencies in controls.

Management’s monitoring of controls includes considering whether they are operating as intended and
that they are modified as appropriate for changes in conditions.

Following are the requirements in DTTL AAM 12200.118, 12200.128, 12200.137 related to our
understanding of the entity’s monitoring of controls:

DTTL AAM Literature: The auditor shall obtain an understanding of the major activities that the entity
uses to monitor internal control relevant to financial reporting, including those
related to those control activities relevant to the audit, and how the entity initiates
remedial actions to deficiencies in its controls. [DTTL AAM 12200.118]

If the entity has an internal audit function, the auditor shall obtain an
understanding of the nature of the internal audit function’s responsibilities, its
organizational status, and the activities performed, or to be performed. [DTTL AAM
12200.128]

The auditor shall obtain an understanding of the sources of the information used in
the entity’s monitoring activities and the basis upon which management considers
the information to be sufficiently reliable for the purpose. [DTTL AAM 12200.137]

Monitoring of controls may comprise ongoing activities performed by management, such as reviews of
bank reconciliations to determine that they are being prepared accurately and on a timely basis.
Alternatively, monitoring of controls may be a separate, targeted evaluation of the effectiveness of the
entity’s controls, such as internal auditors' evaluation of sales personnel’s compliance with the entity’s
policies with respect to terms of sales contracts, or a legal department’s oversight of compliance with
the entity’s ethical or business practice policies.

In smaller, less complex entities, monitoring activities are generally informal and may be built into
management’s ongoing supervision of the entity’s operations. In these instances, management’s close
involvement in operations and financial reporting often will identify significant variances from
expectations and inaccuracies in financial data.

As with other components of internal control, our evaluation of design and determination of
implementation of the entity’s monitoring of controls takes into account the nature, size, and
complexity of the entity. Our evaluation would consider whether the entity’s procedures and controls
for monitoring are appropriately designed to achieve management’s objective of establishing and
maintaining internal control on an ongoing basis.


2.3.5 Understanding the entity’s flows of transactions


2.3.5.1 Requirements of the DTTL AAM
DTTL AAM 12200.71 requires that, as part of the risk assessment process, we obtain an understanding
of the entity’s business processes relevant to financial reporting. An entity’s business processes result
in the transactions that are recorded, processed, and reported by the information system, which are
referred to as “flows of transactions” or “processes” within this guide. These terms, while not formally
defined in the professional standards, generally refer to the procedures or steps related to the
processing of transactions from initiation to reporting in the financial statements.

Understanding the entity’s flows of transactions involves understanding the procedures by which
transactions are initiated, authorized, recorded, processed, and reported in the financial statements.
In other words, we need to understand how the debits and credits flow from origination of the
transaction to posting to the general ledger and ultimately reporting in the entity’s financial
statements in order to effectively identify and assess risks of material misstatement and plan our
further audit procedures for material classes of transactions, account balances and disclosures. This
understanding is fundamental to our identification of the risks of material misstatement in the entity’s
processes.

The following is an excerpt of the requirement from DTTL AAM 12200.71 related to understanding the
entity’s information system, specifically to understanding the flows of transactions relevant to financial
reporting. (See Section 2.3.3 for further discussion of the requirements of DTTL AAM 12200.71.)

DTTL AAM Literature: The auditor shall obtain an understanding of the information system, including the
related business processes, relevant to financial reporting, including the following
areas:
(a) The classes of transactions in the entity’s operations that are significant to the
financial statements;
(b) The procedures, within both information technology (IT) and manual systems,
by which those transactions are initiated, recorded, processed, corrected as
necessary, transferred to the general ledger and reported in the financial
statements;
(c) The related accounting records, supporting information and specific accounts in
the financial statements that are used to initiate, record, process and report
transactions; this includes the correction of incorrect information and how
information is transferred to the general ledger. The records may be in either
manual or electronic form…
Excerpt from: [DTTL AAM 12200.71]

Note that DTTL AAM 12200.71(b) requires that our understanding includes the IT aspects as well as
the manual aspects of the processes. In today’s environment, virtually all entities use IT as part of
their information systems related to financial reporting. As such, our understanding of the entity’s
processes generally includes understanding the role of IT in the initiation, authorization, recording,
processing and reporting of transactions for material classes of transactions, account balances and
disclosures. Chapter 6 of this guide addresses our understanding of IT in an audit.

In addition, our understanding encompasses relevant services performed by service organizations. The
DTTL guide on Shared Service Centers: Component Auditors Using the Work of Shared Service Center
Auditors may provide guidance on determining when services provided by a service organization are
relevant to the audit and the nature and extent of work we would perform in those situations.

2.3.5.2 Impact of our understanding of the flows of transactions on the audit


Even when we are not planning to test operating effectiveness of controls to obtain audit evidence,
understanding the flows of transactions for material classes of transactions, account balances, and
disclosures is an important part of the risk assessment process because it informs our risk


assessments and planned further audit procedures. This understanding may cause us to identify a new
risk of material misstatement, determine that a previously identified risk is no longer relevant, modify
a risk assessment (e.g., change our assessment as to whether or not the risk is a significant risk), or
further tailor a risk to the entity’s specific situation. As a result, we may also determine it is
appropriate to alter the nature, timing, and/or extent of planned further substantive procedures.

To illustrate how our understanding of the entity’s flows of transactions informs our identification and
assessment of risks of material misstatement, consider the following. Assume that in performing risk
assessment procedures to update its understanding of the sales process from the prior year, the
engagement team learned that the entity began shipping goods to original equipment manufacturer
(OEM) customers on consignment. Understanding how the entity captures these terms in its sales
order entry system would be important to the team’s understanding of the entity’s policies and
procedures for recording consignment sales transactions and as a result, the team’s identification and
assessment of risks of material misstatement related to revenue recognition. In this case, the team
determined there was a new risk that the entity could inappropriately record these shipments as sales.
As a result, the engagement team decided to alter its planned further audit procedures to include
confirming the terms of sales transactions directly with OEM customers. Even if the engagement team
did not plan to test operating effectiveness of controls to obtain audit evidence, its understanding of
the process and procedures related to consignment sales to OEM customers would affect its
identification and assessment of risks of material misstatement and planned further substantive
procedures. Without this knowledge, the engagement team may not have appropriately identified and
assessed this risk, in which case it also may not have planned the appropriate substantive procedures.

In summary, our understanding of the flows of transactions is fundamental to our risk assessments
and planned further audit procedures, even when we do not plan to test operating effectiveness of
controls to obtain audit evidence.

2.3.5.3 Extent of our understanding of the flows of transactions


The extent of our understanding of the entity’s flows of transactions in an ISA audit is a matter of
professional judgment. However, our understanding will generally be more extensive when we plan to
test operating effectiveness of controls to obtain audit evidence than when we do not plan to test
operating effectiveness of controls. When we plan to test operating effectiveness of controls to obtain
audit evidence, we need to understand the process in sufficient detail to identify the controls we plan
to rely on to alter the nature, timing, or extent of our substantive procedures. When we do not plan to
test operating effectiveness of controls, our understanding may not need to be as extensive, but it
nevertheless needs to be sufficient to inform our risk assessments and plan further substantive
procedures.
For example, assume an engagement team has obtained an understanding of the entity’s inventory
process and has not assessed the risks of material misstatement related to the inventory cutoff as
significant. If the team were not planning to test operating effectiveness of controls to obtain audit
evidence for this risk, it might plan its substantive procedures for inventory cutoff without obtaining an
understanding of the entity’s controls addressing the risks related to cutoff. In other words, the
engagement team may design its procedures for testing inventory shipments and receipts prior to and
after year-end without understanding the entity’s controls related to inventory cutoff. However, if the
team were planning to test operating effectiveness of controls to obtain audit evidence for this
assertion, it would need to obtain a more detailed understanding of the entity’s procedures and
controls related to how the entity achieves an accurate inventory cutoff. For example, the team might
obtain a deeper understanding of how the entity uses pre-numbered shipping and receiving
documents to control inventory cutoff.

In both scenarios, the engagement team gained an understanding of the flows of transactions related
to inventory. However, as noted above, the engagement team’s understanding of the flows of
transactions might be more extensive when planning to test operating effectiveness of controls to
obtain audit evidence than when not.


2.4 Identify relevant control activities

[Process flow: Understand the components of internal control and the entity’s flows of transactions →
Identify relevant control activities → Evaluate design and determine implementation]

As noted in Section 2.3, as part of our risk assessment process, we are required to understand each of
the five components of internal control: the control environment; the entity’s risk assessment process;
the information system, including the related business processes relevant to financial reporting and
communication; control activities relevant to the audit; and monitoring of controls. This section
addresses the entity’s control activities relevant to the audit.

The following is the requirement in DTTL AAM 12200.105 for obtaining an understanding of control
activities relevant to the audit:

DTTL AAM Literature: The auditor shall obtain an understanding of control activities relevant to the
audit, being those the auditor judges it necessary to understand in order to
assess the risks of material misstatement at the assertion level and design
further audit procedures responsive to assessed risks. An audit does not
require an understanding of all the control activities related to each significant
class of transactions, account balance, and disclosure in the financial
statements or to every assertion relevant to them. [DTTL AAM 12200.105]

Controls vary in the nature, approach, and type of control the entity has implemented to
address a risk of material misstatement. Differences in the nature, approach, and type of a control
result in an individual control being more or less reliable, and affect:
• Procedures performed and timing of testing necessary to support our evaluation of the design of a
control
• Determination of implementation; and
• Our determination of the risk associated with the control (see Section 3.4 for guidance on risk
associated with the control).
We consider the following characteristics when identifying relevant controls:
• Nature: The nature of how the control is performed, i.e., manual or automated
• Approach: The approach management implemented to address the assessed risks, i.e., preventive
or detective
• Type: The type of control activity being performed, i.e., verifications, authorization and approvals,
physical controls and counts, controls over IUC, reconciliations, and controls with a review
element.

See Section 2.4.0 of this guide for additional guidance on nature, approach, and type.

Determining which control activities are relevant to the audit is largely a matter of professional
judgment. Relevant controls may exist within each of the components of an entity’s internal control.
Certain relevant controls are designed to prevent or detect and correct material misstatements and
specifically address the risks of material misstatement. We select the relevant control (or combination
of controls) that is the more reliable in addressing a risk (or risks) of material misstatement, considering
the nature, approach, and type of control. Understanding internal control and identifying relevant controls
assists us in assessing the risks of material misstatement. Risk assessment is not a discrete phase of
the audit, but rather an iterative and nonlinear process that continues throughout the audit
engagement.


Certain types of control activities are always relevant for financial statement audits:
• Controls that address significant risks of material misstatement (see DTTL AAM 13150.52)
• Controls that address risks of material misstatement for which substantive procedures alone would
not provide sufficient appropriate audit evidence (see DTTL AAM 13150.58 and Section 2.4.2 and
Section 3.3.1 of this guide)
• Controls we plan to rely upon to alter the nature, timing, and/or the extent of our substantive
procedures (see DTTL AAM 13300.17(b))
• Controls over journal entries, including nonstandard journal entries used to record nonrecurring,
unusual transactions, or adjustments (see DTTL AAM 12200.71(f) and Section 2.4.4 of this guide)
• Controls we believe are necessary to understand in order to appropriately identify risks of material
misstatement and plan further audit procedures (see DTTL AAM 12200.105 and Section 2.4.1 of
this guide). These controls often display one or both of the following characteristics, which are
important to understand in order to appropriately identify risks of material misstatement:
- Their failure could materially affect the relevant assertion, but might not be detected in a
timely manner by other controls.
- Their operation might prevent other control failures or detect such failures before they have an
opportunity to become material to the organization’s objectives.

Note that when a relevant control is automated, the general IT controls related to that control are also
likely to be relevant to the audit. See Chapter 6 of this guide for additional guidance on this topic.

DTTL AAM Literature: Control activities that are relevant to the audit are:
• Those that are required to be treated as such, being control activities that relate
to significant risks and those that relate to risks for which substantive
procedures alone do not provide sufficient appropriate audit evidence, as
required by paragraphs 52 and 58 of Section 13150, respectively; or
• Those that are considered to be relevant in the judgment of the auditor.
[DTTL AAM 12200.106]
The auditor’s judgment about whether a control activity is relevant to the audit is
influenced by the risk that the auditor has identified that may give rise to a material
misstatement and whether the auditor thinks it is likely to be appropriate to test the
operating effectiveness of the control in determining the extent of substantive
testing. [DTTL AAM 12200.107]
A control may be relevant if we believe it is necessary to understand the control in
order to appropriately plan our substantive procedures. For example, controls over
the preparation and review of reconciliations for material account balances may be
relevant controls for us to understand in order to plan substantive procedures as
part of our further audit procedures to obtain sufficient appropriate audit evidence.
For example, controls relating to accuracy and completeness of information
(including general IT-controls) that we intend to use in performing substantive
procedures may be relevant controls to understand in order to obtain sufficient
appropriate audit evidence through the performance of such substantive procedures.
[DTTL AAM 12200.108]
The auditor’s emphasis may be on identifying and obtaining an understanding of
control activities that address the areas where the auditor considers that risks of
material misstatement are likely to be higher. When multiple control activities each
achieve the same objective, it is unnecessary to obtain an understanding of each of
the control activities related to such objective. [DTTL AAM 12200.109]

As noted above, an audit does not require an understanding of all the control activities related to each
material class of transactions, account balance, and disclosure in the financial statements. Some


controls may be relevant to the audit in one entity while the same control is not relevant to the
audit in another entity, even when both entities operate in the same industry. This may depend on the
classification of the risk of material misstatement, what other controls the entity has implemented to
address the risk, the testing approach being adopted by the engagement team, or a number of other
factors including effectiveness and efficiency considerations.
For example, an entity has implemented only one control to address a risk that the auditors have
assessed as a significant risk. As we are required to understand controls that address significant risks,
this control is therefore determined to be relevant to the audit.
For example, another entity has implemented five controls to address the same risk of material
misstatement (which, on this audit, has been assessed as being a higher risk and not as a significant
risk). The engagement team determined that it was an effective and efficient approach to plan to rely
on controls to reduce the extent of substantive procedures. Applying professional judgement, the
engagement team determined that it was not necessary to understand all five controls as some of
them were redundant and achieved the same objective. As such, only two of the five controls were
identified as being relevant to the audit as they collectively addressed the risk of material
misstatement. During the engagement team’s testing of the operating effectiveness of those two
controls, the engagement team determined that one of the selected controls was not operating as
designed. The engagement team identified a deficiency in this control and reconsidered the other
three controls that were initially determined not to be relevant to the audit. Considering the risk of
material misstatement the engagement team determined that by selecting and testing two of those
remaining three controls, assuming they were effective, the original approach to address this risk
could be maintained. These two additional controls are now relevant to the audit. The engagement
team added the replaced control to the deficiency log for further consideration.

2.4.0 Understanding the characteristics of a control: Nature, Approach, and Type


The nature, approach, and type of control generally fall into the categories listed below.

Nature
• Manual: Controls performed manually, not through information technology.
• Automated: Control activities mostly or wholly performed through information technology (e.g.,
automated control functions programmed into computer software).

Approach
• Preventive: Controls that have the objective of preventing errors or fraud that could result in a
misstatement of the financial statements from occurring.
• Detective: Controls that have the objective of detecting errors or fraud that has already occurred
that could result in a misstatement of the financial statements.

Type
• Verifications: Compare two or more items with each other or compare an item with a policy, and
perform a follow-up action when the two items do not match or the item is not consistent with policy.
• Authorization and Approvals: An authorization affirms that a transaction is valid (i.e., it represents
an actual economic event or is within an entity’s policy). An authorization typically takes the form of
an approval by a higher level of management or a determination that the transaction is valid.
• Physical Controls and Counts: Equipment, inventories, securities, cash, and other assets are secured
physically (e.g., locked or guarded storage areas with physical access restricted to authorized
personnel) and are periodically counted and compared with amounts shown on control records.
• Controls over IUC: Control activities over the processes to populate, update, and maintain the
accuracy, completeness, and validity of IUC so that it is sufficiently reliable for its purpose.
• Reconciliations: Compare two or more data elements and, if differences are identified, action is
taken to bring data into agreement.
• Controls with a Review Element (CREs): Controls with a review element are the controls management
has over the reviews conducted by management or others of estimates and other kinds of financial
information for reasonableness. They require judgment, knowledge, and experience. These reviews
typically involve comparing recorded amounts with expectations of the reviewers based on their
knowledge and experience. The reviewer’s knowledge is, in part, based on history and, in part, may
depend upon examining reports and underlying documents.

The nature, approach, and type of a control lead to the control being more or less reliable. The
identification of a control (or combination of controls) that we determine to be relevant to the audit
should be commensurate with the assessed risk of material misstatement that the control is intended
to address; therefore, the nature, approach, and type of control take into account the reliability
(i.e., precision, or the ability of the control to operate consistently) of the control in addressing the
assessed risk of material misstatement.

The nature, approach, and type of a control, taken in isolation, do not solely dictate the reliability of a
control. This determination requires professional judgment based on the design of the control and the
complexity and subjectivity of the underlying account balance.
For example, a control with a review element can be either more or less reliable when considering
the design of the control and the risk(s) of material misstatement that the control is intending to
address. A control with a review element that involves significant judgment and expertise from the
control performer, or one that aggregates data at a high level, would generally be a less reliable
control. Alternatively, a control with a review element that does not require any specialized knowledge
or judgment which occurs at a transactional level would generally be more reliable.
For example, automated controls are typically more reliable than manual controls, given the nature
of their routine processing. We may therefore consider if it is appropriate to prioritize the identification
of automated controls.
For example, preventive controls are typically more reliable than detective controls, given that they
prevent a fraud or error from occurring whilst a detective control is designed to detect the fraud or
error after it has occurred and then correct it. We therefore consider if it is appropriate to prioritize the
identification of preventive controls.

A control may exhibit traits of more than one category when considering its nature, approach, or type.
When evaluating the nature, approach, and type of a control, we may identify a control that is viewed
by management as a single control with a review element; however, each step within the control could
be viewed as a control in itself.

For example, consider an inventory count control which includes the following steps:
• Physical count of inventory (Physical controls and counts),
• Generation of the inventory listing from the system (Controls over IUC),
• Comparison of the physical inventory count to that recorded in the perpetual inventory system
(Reconciliation),
• Review by management to understand differences between the physical inventory count and the
perpetual inventory system (Control with a review element), and
• Approval of adjusting journal entry, if necessary (authorization and approval).

In this situation we would evaluate and test each step of the control. The evidence required to
evaluate the design, determine implementation, and test the operating effectiveness of the control will
vary for each step of the control depending on its nature, approach, and type.

The nature, approach, and type of a control will generally correlate with the ease or difficulty of
testing the control and the ability to obtain audit evidence. These characteristics will also drive the
documentary evidence maintained by the entity to evidence the operating effectiveness of the control,
as when a control increases in complexity the level of evidence needed to document the control
increases.

2.4.1 Controls we believe are necessary to understand in order to appropriately identify
risks of material misstatement and plan further audit procedures

Applying the requirement in DTTL AAM 12200.105 to understand controls we believe are necessary to
understand in order to appropriately identify risks of material misstatement and plan further audit
procedures requires the exercise of professional judgment, particularly when we plan to test
operating effectiveness of controls to obtain sufficient appropriate audit evidence. A practical way to
determine which control activities we believe are necessary to understand in order to identify and
assess the risks of material misstatement and to design further audit procedures (substantive
procedures and/or tests of controls) may be to consider the following three factors. These factors are
intended to assist in making judgments about which control activities might be considered relevant to
the audit; engagement teams are not expected to document their considerations of each factor.

1. Consider the complexity of the process. Generally, the more complex the process, the more
likely it includes controls that would be important to understand in order to design further audit
procedures.

For example, the revenue process in most entities is complex and controls that ensure that all
shipments are billed, that invoices are based on a valid shipment and at prices and other terms
agreed to with the customer, may be important to (1) our assessment of the risks of material
misstatement related to revenue and accounts receivable and (2) the design of our substantive
procedures for addressing risks relating to revenue and accounts receivable.

For example, consider a scenario wherein the engagement team determines prepaid expenses is
a material account balance, has not identified any significant risks for prepaid expenses, and has
deemed the process for recording and amortizing prepaid expenses as not complex. In this case,
we might determine that the reconciliation of the detail records to the general ledger is the only
relevant control, and an understanding of additional controls in the process is not necessary in
order to plan our further audit procedures.

For example, an entity has implemented several complex automated controls in its purchase
process while another entity has implemented only simple manual controls. The manual process is
simple, so we may conclude that it is not necessary to evaluate design and determine
implementation of the controls to inform our risk assessment or to plan further audit procedures.
In the other entity, the overall process and automated controls are complex, so we may decide to
consider some of the automated controls as relevant to the audit in order to gain a better
understanding of the complex process in order to identify and assess the risks of material
misstatement and plan further audit procedures.

2. Consider the nature of the risks of material misstatement in the process that we have
not assessed as significant risks. Not all risks of material misstatement are equal: some may
have been assessed as higher risk, while others may have been assessed as lower risk. As noted
in DTTL AAM 12200.109, we may consider identifying relevant controls that address the related
risks of material misstatement that are likely to be higher, or closer to the significant risk end of
the spectrum.

For example, the processes related to Property, Plant and Equipment at an entity include
multiple controls addressing the risks of material misstatement related to the addition of fixed
assets. In the prior year’s audit, the risks of material misstatement related to the addition of fixed
assets were assessed as lower due to a small number of additions. In the prior year’s audit, the
engagement team determined that obtaining an understanding of the controls relating to this risk
was not necessary, considering the lower risk assessment. In the current year’s audit, the
engagement team noted that both the number and value of additions has increased significantly,
and they have also assessed the risks of material misstatement related to additions of fixed assets
as higher. While the engagement team does not plan to rely on controls to alter their substantive
procedures, they have determined in the current year’s audit that certain of the controls
addressing the risks of material misstatement related to the addition of fixed assets are relevant
to the audit.

3. Ask “Which controls, if not effectively designed and implemented, might cause us to
alter the nature, timing, and/or extent of our substantive procedures?”

For example, if controls related to safeguarding of inventories were not well designed, we might
change the timing of our inventory observation from interim to year-end. We might also increase
the extent of our test count procedures by selecting more items than the minimum number
required by our sample size tables (DTTL AAM Figure 23002-4.1 and Figure 23002-4.2). Given this
background, the engagement team determined that they needed to identify and understand the
relevant controls related to the risks of material misstatement linked to the existence and
completeness of inventory in order to determine that their planned substantive procedures
adequately address the risks of material misstatement. Even though they did not plan to rely on
those controls, their understanding of them was foundational to planning the nature, timing, and
extent of their substantive procedures.

For example, consider a scenario where we plan to perform substantive analytical procedures to
address the risks of material misstatement related to the accounts payable account. The list of
purchases used within our substantive analytical procedures is information produced by the entity
and will be used as audit evidence. Understanding the controls related to generation of the list of
purchases may influence our judgement on the extent of testing we will perform to obtain audit
evidence about the completeness and accuracy of the list of purchases. While we do not plan to
rely on controls to test the list of purchases, a lack of controls may lead us to perform an
increased level of direct testing to obtain sufficient appropriate audit evidence about the
completeness and accuracy of the list of purchases. In this scenario, we consider the controls to
be relevant to the audit in order to appropriately design our substantive procedures.

2.4.2 Controls that address risks of material misstatement for which substantive
procedures alone would not provide sufficient appropriate audit evidence
In some instances, such as for highly automated processes, we may not be able to design effective
substantive procedures that by themselves would provide sufficient appropriate audit evidence to
address the related risks. In these cases, we would obtain the additional evidence needed from tests
of operating effectiveness of relevant controls that address these risks. Section 3.3.1 of this guide
provides factors to consider in determining when substantive procedures alone cannot provide
sufficient appropriate audit evidence.

The following are the requirements from DTTL AAM 12200.105 and 13300.17 for such situations:

DTTL AAM Literature
In respect of some risks, the auditor may judge that it is not possible or practicable to obtain
sufficient appropriate audit evidence only from substantive procedures. Such risks may relate to the
inaccurate or incomplete recording of routine and significant classes of transactions or account
balances, the characteristics of which often permit highly automated processing with little or no
manual intervention. In such cases, the entity’s controls over such risks are relevant to the audit and
the auditor shall obtain an understanding of them. [DTTL AAM 13150.58]

The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence
as to the operating effectiveness of relevant controls if:
(a) The auditor’s assessment of risks of material misstatement at the assertion level includes an
expectation that the controls are operating effectively (that is, the auditor intends to rely on the
operating effectiveness of controls in determining the nature, timing and extent of substantive
procedures); or
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion
level.
[DTTL AAM 13300.17]

The following is an example of a situation in which substantive procedures alone may not provide
sufficient appropriate audit evidence:

A telecommunications entity generates revenues based on its customers’ use of the entity’s
telecommunications network (e.g., telephone call, text message, data uploaded or downloaded). The
amount of revenue recorded may be dependent on variables such as call duration and/or timing of the
calls or on the amount of data transferred, and those variables are recorded solely by the entity’s IT
system. No documentation of these variables exists outside of the entity’s IT system. In such a case,
the engagement team may determine it is unable to design effective substantive procedures that by
themselves provide sufficient appropriate audit evidence related to the risks of material misstatement
identified. As a result, in addition to the evidence obtained from substantive procedures, the
engagement team would also obtain evidence from tests of operating effectiveness of controls that
address those risks.

2.4.3 Performing walkthroughs

Walkthroughs are not required by the DTTL AAM; however, they are often an efficient means to:
• Obtain or update our understanding of the entity’s flows of transactions (as required by DTTL AAM
12200.71).
• Identify controls that are relevant to the audit and gain an understanding (including evaluate
design and determine implementation) of those controls (as required by DTTL AAM 12200.13).
[Note: Section 2.5, “Evaluate design and determine implementation”, addresses evaluating design
and determining implementation of relevant controls.]

In some instances, when we are planning to test operating effectiveness of controls to obtain audit
evidence, our walkthrough procedures may be used to obtain evidence about the operating
effectiveness of a control.

The term “walkthrough” is used in this guide to refer to (1) the following of a transaction through the
entity’s process and (2) the procedures we might perform to validate the points in the process at
which a material misstatement could occur and identify controls that may be relevant to the audit.

In performing a walkthrough, we generally follow a single transaction from its origination through the
procedures or steps in the process to the transaction’s ultimate recording in the general ledger.
Following the transaction through the procedures or steps in the process helps validate our
understanding of how transactions are initiated, authorized, recorded, processed, and reported in the
financial statements. The procedures or steps addressed in the walkthrough would correspond to
those in our process narratives or our narratives combined with flowcharts.

2.4.3.1 Process vs. a Control

It is important to differentiate between a step in the process and a control. A process describes the
action of taking a transaction or event through an established and usually routine set of procedures or
steps. A control describes an action or activity taken to prevent or detect misstatements within the
process. DTTL AAM 12200.90 provides the following description and examples of control activities:

DTTL AAM Literature
Control activities are the policies and procedures that help ensure that management directives are
carried out. Control activities, whether within IT or manual systems, have various objectives and are
applied at various organizational and functional levels. Examples of specific control activities include
those relating to the following:
• Authorization.
• Performance reviews.
• Information processing.
• Physical controls.
• Segregation of duties.
[DTTL AAM 12200.90]

To perform a walkthrough, we would generally:

• Select a single transaction and trace it through the procedures or steps in the process, and the
relevant control activities, from initiation to recording in the general ledger. The walkthrough
would generally begin with the original source document for a selected transaction (e.g., a
revenue walkthrough might begin with a sales order, rather than the sales invoice).
• Make inquiries of the individuals who perform the procedures or steps in the process.

As a result, for the relevant controls within the process, we would corroborate our inquiries of
individuals who perform the controls with additional procedures, such as inspection of relevant
documents or accounting records used by entity personnel in performing the control and/or
observation of individuals performing the control.

2.4.3.2 Extent of a walkthrough

Just as the extent of our understanding of the entity’s processes in an ISA audit is a matter of
professional judgment, so too is the extent of our walkthroughs. However, as with our understanding
of the entity’s processes, the procedures performed in a walkthrough may be more extensive when we
plan to test operating effectiveness of controls to obtain audit evidence than when we do not.
For example, we may obtain a deeper understanding by following more steps and identify more
relevant controls, when we plan to test operating effectiveness of controls to obtain audit evidence
than when we do not.

Consider the inventory example in Section 2.3.5-3, in which the team obtained a more extensive
understanding of the inventory cutoff process to support its plan to test operating effectiveness of
controls to obtain audit evidence. Specifically, the engagement team obtained a more extensive
understanding of the entity’s procedures and controls related to how the entity achieves an accurate
inventory cutoff in order to identify controls to test. In this scenario, the engagement team’s
walkthrough would also be more extensive because it would include the additional procedures or steps
in the process and the relevant controls related to the plans to rely on the operating effectiveness of
controls for inventory cutoff. These additional steps and relevant controls may not have been
addressed in a walkthrough when not relying on the operating effectiveness of controls if the
engagement team did not consider those controls and the steps related to those controls to be
relevant to the audit.

In both scenarios, whether or not the engagement team planned to rely on controls over inventory
cutoff, the walkthroughs followed the key steps and controls identified in the process narrative.

In a first year audit, we might perform walkthroughs of all of the entity’s processes related to material
classes of transactions, account balances and disclosures. In subsequent years, our walkthroughs may
be less robust, especially for noncomplex processes. However, in those situations, our understanding
of the process still needs to be accurate and complete and reflect any significant changes since the
prior audit, because those changes might result in changes to our identification and assessment of
risks of material misstatement and identification of relevant controls.
For example, when performing a walkthrough in a continuing audit, rather than walk through every
step in the process, we may instead focus inquiries on identifying any significant changes in the
process or on validating that no significant changes have occurred.
For example, we might inquire as to whether there have been any changes to the information and
reports used in the process, changes to IT applications, or changes in the way entity personnel
perform the steps in the process. [Note that inquiries are often used to obtain or update our
understanding of the steps in a process; however, for purposes of evaluating design and determining
implementation of relevant controls in the process, inquiry alone is not appropriate and we would
corroborate our inquiries with other risk assessment procedures, such as inspection and observation.]

Regardless of the approach we take to update our understanding of the process and relevant controls,
we evaluate design and determine implementation of relevant controls in every audit by performing
procedures in addition to inquiry. See Section 2.5 for further discussion on evaluating design and
determining implementation.

2.4.4 Controls over journal entries

Controls over journal entries may be preventive controls, such as:
• Review, and approval of journal entries (including a review of supporting documentation) prior to
posting
• IT system access rights controlling who is authorized, and not authorized, to record and approve
journal entries electronically in the entity’s accounting system.

Some entities, such as those with a limited number of employees, may determine it is not cost
effective to establish preventive controls over journal entries, and instead they establish detective
controls.
In this situation, and in situations in which we determine that the entity’s preventive controls are not
effective, we would determine whether the entity’s detective controls alone are sufficient to address
risks of material misstatement relating to journal entries.

Examples of such detective controls might include the following, listed in order from those that we
would generally expect to be more effective to those we would generally expect to be less effective:
• Review and approval of journal entries (including a review of supporting documentation)
subsequent to posting to the general ledger, but prior to the issuance of the financial statements,
by an individual who does not have the ability to post entries.
• Timely preparation and review of reconciliations or account analyses of the general ledger
balances for material account balances and classes of transactions.
• Oversight of the financial reporting process by members of management, internal auditors, or
others at a level of precision that would detect material misstatements resulting from journal
entries. For example, management may hold monthly meetings where disaggregated financial
information is reviewed at a level of precision that would detect material misstatements resulting
from journal entries (e.g., entries posted to the wrong account, unauthorized entries, entries
recorded in the wrong period).
• Periodic reviews of financial statements at an appropriate level of precision by those charged with
governance. (Note: This control alone would rarely be sufficient to detect material misstatements
resulting from journal entries. However, this control combined with other preventive or detective
controls may be sufficient to detect material misstatements resulting from inappropriate journal
entries.)
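The preventive and detective controls listed above (approval before or after posting, access rights over who may record and approve entries, review by someone who cannot post) can be expressed as checks over a journal-entry log. The following is an added example written for this guide's reader, not code from the DTTL AAM or the guide itself; the user names, the access-rights table, the five journal entries and the finding codes are all constructed. It flags entries that were never approved, were self-approved, were approved by someone without approval rights, were approved by a reviewer who can also post (so the review is not an independent detective control), or carry an effective date outside the period they were posted to.

```python
"""Segregation-of-duties and authorization checks over a journal-entry log.

Added example (not from the DTTL guide): the user names, access-rights
table, journal entries and finding codes below are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed access-rights table: which users the accounting system lets
# record ("post") and approve journal entries.
RIGHTS: Dict[str, Set[str]] = {
    "asmith": {"post"},             # preparer
    "bjones": {"post", "approve"},  # holds both rights: not an independent reviewer
    "cwu": {"approve"},             # independent approver
    "dlee": set(),                  # no journal-entry rights at all
}


@dataclass
class JournalEntry:
    entry_id: str
    period: str            # accounting period the entry was posted to, "YYYY-MM"
    effective_date: date   # date of the underlying economic event
    amount: float
    posted_by: str
    approved_by: Optional[str] = None


@dataclass(frozen=True)
class Finding:
    entry_id: str
    code: str
    detail: str


def check_entry(je: JournalEntry, rights: Dict[str, Set[str]]) -> List[Finding]:
    """Apply the detective checks to one entry and return its exceptions."""
    findings: List[Finding] = []
    poster_rights = rights.get(je.posted_by, set())
    if "post" not in poster_rights:
        findings.append(Finding(je.entry_id, "UNAUTHORIZED_POSTER",
                                f"{je.posted_by} has no posting right"))
    if je.approved_by is None:
        findings.append(Finding(je.entry_id, "NOT_APPROVED", "no approval recorded"))
    else:
        approver_rights = rights.get(je.approved_by, set())
        if je.approved_by == je.posted_by:
            findings.append(Finding(je.entry_id, "SELF_APPROVAL",
                                    f"{je.posted_by} posted and approved the entry"))
        if "approve" not in approver_rights:
            findings.append(Finding(je.entry_id, "UNAUTHORIZED_APPROVER",
                                    f"{je.approved_by} has no approval right"))
        if "post" in approver_rights:
            # A post-posting review is only an independent detective control
            # when the reviewer cannot post entries themselves.
            findings.append(Finding(je.entry_id, "APPROVER_CAN_POST",
                                    f"{je.approved_by} can also post entries"))
    if je.effective_date.strftime("%Y-%m") != je.period:
        findings.append(Finding(je.entry_id, "WRONG_PERIOD",
                                f"effective {je.effective_date.isoformat()} posted to {je.period}"))
    return findings


def run_checks(entries: List[JournalEntry], rights: Dict[str, Set[str]]) -> List[Finding]:
    """Run the checks over a whole log and return every finding."""
    return [f for je in entries for f in check_entry(je, rights)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by code, the shape a reviewer would want in a summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


# Constructed sample log: five entries posted to the September 2017 period.
SAMPLE_ENTRIES = [
    JournalEntry("JE-001", "2017-09", date(2017, 9, 12), 4_800.00, "asmith", "cwu"),
    JournalEntry("JE-002", "2017-09", date(2017, 9, 20), 125_000.00, "asmith", "asmith"),
    JournalEntry("JE-003", "2017-09", date(2017, 10, 3), 9_150.00, "bjones", "cwu"),
    JournalEntry("JE-004", "2017-09", date(2017, 9, 28), 72_300.00, "dlee"),
    JournalEntry("JE-005", "2017-09", date(2017, 9, 30), 15_600.00, "asmith", "bjones"),
]

if __name__ == "__main__":
    results = run_checks(SAMPLE_ENTRIES, RIGHTS)
    for f in results:
        print(f"{f.entry_id}  {f.code:22s} {f.detail}")
    print(summarize(results))
```

Only JE-001 passes every check. The `APPROVER_CAN_POST` code is what distinguishes the first detective control in the list above (review by an individual who cannot post) from a review that merely records an approval.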

If we determine that controls over journal entries are not effectively designed or not implemented or,
when appropriate, not operating effectively, we would consider the impact on our testing of journal
entries in response to the risk of management override of controls as well as the impact on other
aspects of the audit. See Section 2.4a of the DTTL guide on Journal Entry Testing for further
discussion of the effectiveness of internal controls over journal entries.

Note: As part of obtaining an understanding of the entity’s financial reporting process, we
understand the different types of journal entries used by the entity and the relevant controls related
to each type of journal entry. This understanding enables us to determine which populations of
journal entries would be included in the scope of our journal entry testing in response to the risk of
management override of controls.

See Section 2.2a of the DTTL guide on Journal Entry Testing for characteristics of potentially
fraudulent journal entries.

2.4.5 Further considerations

Understanding the entity’s flows of transactions
• Plans to test operating effectiveness of controls to obtain audit evidence versus not. As noted
above, the extent of our understanding of the entity’s flows of transactions is a matter of
professional judgment. Our understanding is typically more extensive if we are planning to test
operating effectiveness of controls to obtain audit evidence than if we are not. However, regardless
of the audit strategy, our understanding of the entity’s flows of transactions needs to be sufficient to
inform our identification and assessment of risks of material misstatement and to plan our further
audit procedures.

Relevant controls
• Plans to test operating effectiveness of controls to obtain audit evidence versus not. When we do
not plan to test operating effectiveness of controls to obtain audit evidence, we identify relevant
controls to inform our identification and assessment of risks of material misstatement and to plan
our further substantive procedures. In contrast, when we plan to test operating effectiveness of
controls to obtain audit evidence, we identify relevant controls to test in order to alter the nature,
timing and extent of further substantive procedures or because substantive procedures alone would
not provide sufficient appropriate audit evidence. As a result, in financial statement audits, we
typically identify more relevant controls when we plan to test operating effectiveness of controls to
obtain audit evidence than when we do not.

2.4.6 Pitfalls, and tips for avoiding pitfalls

Pitfalls
• Insufficient understanding of the flows of transactions for material classes of transactions, account
balances and disclosures to appropriately identify the relevant risks and controls.
• Focusing only on understanding the process, not on the identification of the risks or the relevant
controls.
• Failure to appropriately consider the nature, approach, and type of a control and how the control is
designed to address a risk of material misstatement.
• The process flows are not clear enough to enable a reviewer to understand the flows of transactions
to assess the completeness of the risks identified and how the controls relate to the risks.

Tips for avoiding pitfalls
• Educate management on the importance of maintaining appropriate process descriptions/flowcharts
and what constitutes an appropriate description.
• Obtain the entity’s narratives or flowcharts as a starting point for our understanding of the flows of
transactions and the related risks and controls. Consider annotating the entity’s documentation
(rather than preparing our own) to enhance the description of the process as necessary.
• When obtaining an understanding of the entity’s control(s) in its business process, consider the
nature, approach, and type of the control(s) in determining which control(s) will be more reliable in
addressing a risk of material misstatement and thus relevant to the audit.
• Utilize a flowchart to assist in obtaining our understanding of the flows of transactions, including:
- Significant process steps
- The inputs (information used in the control), control procedures/review activities, and outputs
- Risks of material misstatement with cross-references to our working papers, including new risks
identified
- Relevant controls (both automated and manual) that address the risks of material misstatement,
including new controls identified during the walkthrough.
• Consider expanding the flowchart to include an overview of the IT system to identify the relevant
applications, databases, interfaces, and reports used in the controls (see the DTTL guide A Guide in
Preparing Flowcharts for examples).

Pitfalls
• Inappropriately identifying steps in a process as relevant controls.
• The description of the control is inadequate to demonstrate how the control addresses the risk or
to facilitate the proper planning of our tests of operating effectiveness of controls.
• The description of the control reiterates the process or the control description and leaves it to the
reader to infer why the design is effective.

Tips for avoiding pitfalls
• Educate management on the importance of maintaining appropriately detailed control descriptions
and what constitutes an appropriate description.
• Challenge the description of the controls in our working papers:
- If the entity’s description of a control is not appropriate for our purposes, request that the entity
modify it or, alternatively, create our own description; don’t feel obligated to use the entity’s
description.
- Ask the person performing the control to show you specifically how he or she performs the control
procedure (evaluate design); enhance our documentation of the control description as needed.
- Revise our documentation of a control to remove the information about the process and focus only
on the description of the control.
- In our documentation of the detailed control description for a control, document (1) the inputs
(e.g., data or reports), (2) the control procedures or reviewer activities (i.e., what the person does
to perform the control), and (3) the outputs (i.e., what the output of the control is once the control
procedures are performed).
• Enhance the control description in our working papers to make it explicit how the control addresses
the identified risk.

Pitfalls
• Failure to identify other controls or information that a control uses, including automated controls or
system-generated data or reports.

Tips for avoiding pitfalls
• Evaluate whether the control is dependent upon IT to initiate, record, process, or report
transactions to identify automated components of the control (e.g., ask the process/control owners
what they are relying on either within the system or generated from the system).

Pitfalls
• Only obtaining or updating our understanding of the controls, and not using the understanding to
appropriately identify the risks of material misstatement.
• Insufficient procedures performed in subsequent audits to update our understanding of likely
sources of misstatement and identification of relevant controls, including:
- Limiting our procedures to inquiry or observation to confirm there have been no changes to the
processes
- Relying on our knowledge and experience from prior years’ audits without performing procedures
in the current year to update such knowledge.

Tips for avoiding pitfalls
• Extend our walkthroughs and inquiries to individuals outside of the accounting group (e.g., sales
representatives when performing a walkthrough of the revenue process).
• Consider whether the results of our other audit procedures (e.g., substantive or interim review
procedures) affect our understanding of the likely sources of misstatement and identification of
relevant controls (i.e., whether significant changes have occurred that would affect our
understanding).
• Update our working papers for the risks, controls, and information (data and reports) identified.
• Consider performing tests of operating effectiveness of controls in conjunction with obtaining the
understanding, where feasible. For example:
- Test automated controls, interfaces, or reports during the walkthrough, as generally a sample size
of one is sufficient.
- Test controls that operate infrequently, monthly, or quarterly during obtaining the understanding.

Pitfalls
• The procedures performed to understand are not adequately documented, including:
- The transaction(s) selected as part of performing walkthroughs
- The questions and responses to questions posed to understand the process flows, risks (including
the risk of fraud) and the relevant controls.

Tips for avoiding pitfalls
• As soon as practicable after completion of obtaining the understanding:
- Discuss, as a team, the process and the identified risks and controls and the evaluation of design
and conclusion about operating effectiveness, as applicable
- Update our audit documentation to reflect the transaction(s) selected, responses to questions
posed during the walkthrough, and any new information identified during the walkthrough
- Review and finalize working papers timely (e.g., before the staff are released or move on to other
phases of the engagement).

• Overreliance on higher-level, less • For higher risk areas, consider whether a


precise review controls; particularly for combination of preventive and detective controls is
more complex, significant areas (e.g., necessary or a combination of lower-level and
accounting estimates or infrequent higher-level detective controls and consider
transactions). consultation.
• Failure to identify sufficiently direct • For any significant infrequent transactions identified
and precise controls to address risks in our risk assessment or addressed in other
related to one-time transactions or auditing procedures, consider whether controls
events. have been appropriately identified.

2.5 Evaluate design and determine implementation

[Process flow diagram: Understand the components of internal control and the entity’s flows of transactions → Identify relevant control activities → Evaluate design and determine implementation]

As discussed in Section 2.3, “Understanding the components of internal control and the entity’s flows
of transactions”, DTTL AAM requires that as part of the risk assessment process, we obtain an
understanding of internal control relevant to the audit. Following are the requirements in DTTL AAM
12200.13 and 12200.30 for understanding controls that are relevant to the audit and evaluating the
design and determining implementation of those controls:

DTTL AAM Literature: The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit. [DTTL AAM 12200.13]

When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design of those controls and determine whether they have been implemented, by performing procedures in addition to inquiry of the entity’s personnel. [DTTL AAM 12200.30]

Risk assessment procedures to obtain audit evidence about the design and
implementation of relevant controls may include:
• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial
reporting.

Inquiry alone, however, is not sufficient for such purposes. [DTTL AAM 12200.34]

As noted above, understanding relevant controls involves evaluating the design of the controls and
determining that they have been implemented. Our evaluation of the design and determination of
implementation of relevant controls provides a foundation for our assessment of the risks of material
misstatement and planning our further audit procedures.

2.5.1 Evaluating the design of relevant controls

Evaluating the design of a control involves considering whether the control, individually or in
combination with other controls, is capable of effectively preventing, or detecting and correcting,
material misstatements. The effectiveness of the design of a control depends on the degree to which
the control can mitigate the related risk(s) of material misstatement.

As a result, it is important in evaluating the design of a control to consider the related risk(s) of
material misstatement the control is intended to address.

When evaluating the design of a control, we consider the factors or characteristics of the control that
are most important to its effectiveness. The extent of this evaluation is a matter of professional
judgment and will vary based on the complexity of the control.

The extent of our evaluation of the design of a control may also vary, depending upon whether we
plan to test operating effectiveness of controls to obtain audit evidence or not. Our evaluation of the
design of a control may be more extensive when we plan to test operating effectiveness of controls
because we may need to develop a deeper understanding of the design factors or characteristics of
the control that are important to its effectiveness in order to appropriately design our tests of
operating effectiveness.

2.5.1.1 Factors to consider when determining whether a control is appropriately designed

The DTTL AAM neither includes a list of items to consider nor provides a framework for evaluating
whether a control is effectively designed. Nevertheless, the following factors may be helpful when
considering how to evaluate the effectiveness of the design of many controls. The design factors are
not intended to be a checklist of considerations, nor is it intended that each of these is always
relevant or needs to be considered for each control.
• Appropriateness of the purpose of the control and its correlation to the risk
A procedure that functions to prevent or detect misstatements generally is more precise than a
control that is indirectly related to the risk (e.g., a control that merely identifies and explains
differences may not be designed to identify misstatements if there were no fluctuations).

For example, a budget to actual review control over a large revenue balance comprised of a
number of non-homogeneous types of transactions may be concluded to be indirectly related to
the applicable risk(s) (i.e., the purpose of the control is to only explain differences,
notwithstanding the fact that the control might identify a misstatement if there were a significant
variance). When the account balance subject to the review is stable and predictable (e.g., fixed
overhead costs), then the purpose of a review control may be to determine whether the account
balance is materially accurate and therefore, would be directly related to the applicable risk(s)
(i.e., a misstatement would result in a variance).

It is important that this assessment be applied for each risk that a control addresses.

• Competence and authority of the person(s) performing the control

The experience level of the person performing the control, his or her knowledge of the subject
matter and involvement in activities to maintain and update that knowledge, and his or her
organizational position all affect the effectiveness of a control.

For example, a junior clerk may not have the requisite knowledge of the business or stature
within the organization to perform an effective review control that requires an in-depth
understanding of the business and the ability to raise challenges with superiors and others within
the organization.
• Frequency and consistency with which the control is performed
A control that is performed routinely and consistently is generally more precise than one
performed sporadically.

For example, a control that has clearly defined procedures and is designed to be performed each
quarter would be more precise than a control that has undefined process steps and is performed
infrequently or on an ad-hoc basis.
• Level of aggregation and predictability
A control that is performed at a more detailed level generally is more precise than one performed
at a higher level. The precision of those controls also depends on the predictability (i.e., the more
predictable the expected result, the greater the precision to identify potential material
misstatements).

For example, an analysis of revenue by location or product line is likely to be more precise than
an analysis of total entity revenue.

For example, some controls are designed to detect misstatements by using key performance
indicators or other information to develop expectations about reported amounts (“detective
controls”). The precision of those controls depends on the ability to develop sufficiently precise
expectations to highlight potential material misstatements.

For example, an analysis of fixed costs of a regulated entity is likely to be more precise than an
analysis of variable costs.
• Criteria for investigation and process for follow-up
The threshold for investigating deviations or differences and its relationship to materiality is an
important but subjective determination of a control’s precision. It is equally important that there is
an appropriate process to follow up on any exceptions or unusual items noted from the review,
including tracking open items for timely resolution and determining that responses are appropriate
and supported as necessary.

For example, a control that investigates items that are near our selected materiality has less
precision and a greater risk of failing to prevent or detect misstatements that could be material
than a control that investigates items that are smaller relative to our selected materiality.

We consider the nature, approach, and type of the control as well as the reliability of the control when
evaluating the above design factors. Which design factors are relevant is a matter of professional
judgment. Generally, a less reliable control will require more consideration of the design factors (i.e.,
either the extent of documentation and/or consideration of additional factors) than a more reliable
control.
For example, an automated three-way match control (automated, preventive, reconciliation) would
typically be considered a more reliable control. As such, in documenting our evaluation of its design
we may not need to document any further considerations as to the frequency and consistency with
which the control is performed, as this is already inherently explicit in the design of the control given
its nature, approach, and type.

For example, consider an annual control in which management reviews historical bad debt expense
for the previous twelve months to determine whether adjustments to the allowance for doubtful
accounts are necessary. Typically it would not be necessary to document the frequency and
consistency with which the control is performed, as the design of the control inherently addresses
this factor; however, it may be necessary to evaluate the level of aggregation at which this review is
performed to ensure it is performed at a sufficiently disaggregated level.

For example, a control over the review of quarterly aggregated sales data compared to the prior year
(manual, detective, control with a review element) would typically be considered a less reliable
control, and as such, each design factor would generally be relevant and we would document our
consideration of each.

Although the determination of which design factors are relevant to evaluate is subject to judgment, we
would generally expect the following design factors to always be relevant:
• Appropriateness of the purpose of the control and its correlation to the risk/assertion
• Competence and authority of the person(s) performing the control
• Criteria for investigation and process for follow-up

Management review controls require additional considerations when evaluating design; see Internal
Control Guide Chapter 5: Section 5.3.4, “Evaluating design and determining implementation of a
management review control.”

2.5.2 Determining implementation of a control

When we determine whether a control has been implemented we determine that the control exists and
is being used or operated as it is designed. It is possible for an effectively designed control not to be
effectively implemented for a variety of reasons.
For example, the individuals performing the control may have deviated from its design, or those
individuals may not have an appropriate awareness of the existence of the control procedure and their
responsibility for its performance and/or a sufficient knowledge of how the procedure should be
performed.

Our tests of implementation of a complex control would involve determining that each of the design
factors or characteristics of the control we considered in evaluating its design has been
implemented.

In some cases, it may be beneficial to determine the implementation of a control in conjunction with
performing substantive procedures. For example, in our substantive testing of the reconciliation of the
accounts receivable aging report to the general ledger balance at year end, we might also test the
implementation of the related reconciliation control, such as by examining evidence of timely review of
the reconciliation by the controller.

2.5.3 Considerations in evaluating design and determining implementation of components of internal control

Evaluating and concluding on the design and implementation of controls that do not directly address
risks of material misstatement is often more subjective than concluding on design and implementation
for control activities that address risks of material misstatement at the assertion level, primarily
because of the pervasiveness of the financial statement-level risks such controls are intended to
address. While control activities generally comprise explicit activities designed to address specific risks
of material misstatement for one or more accounts, such controls are designed to address risks at the
financial statement level and to broadly support all of the entity’s control activities. As a result,
concluding on design and implementation of controls that do not directly address risks of material
misstatement involves considering their broader scope and pervasive nature. This evaluation also
takes into account the nature, size, and complexity of the entity. Many smaller, less complex entities
will likely have informal procedures and documentation for these components, yet they may
nevertheless be designed effectively for the entity’s circumstances.

The procedures we perform to evaluate design and determine implementation of controls that do not
directly address risks of material misstatement include inquiries of those involved in the control
components, combined with inspection and observation procedures. Because inquiry alone does not
provide a sufficient basis for our understanding of relevant controls, we corroborate our inquiries with
procedures such as inspection of documents and reports used in the control and/or observation of the
performance of the control. Often in smaller entities, these controls are not formally documented,
which makes performing inspection procedures challenging. In those instances, we would generally
perform observation procedures to corroborate our inquiries.

2.5.4 Procedures for evaluating design and determining implementation of relevant controls
To obtain evidence about the design and implementation of relevant controls, we may inquire of entity
personnel, combined with one or more of the following:
• Observe the performance or application of specific controls.
• Inspect documents and reports.

Inquiry alone is not sufficient for evaluating design and determining implementation. Although
walkthroughs are not required, if we perform walkthroughs, we may design them to include evaluation
of design and determination of implementation of relevant controls. When planning to test the
operating effectiveness of a control, engagement teams will often, for efficiency purposes, test
implementation as part of their operating effectiveness testing, as opposed to performing a separate
test of implementation. When we plan to test the operating effectiveness of a control for the first time,
it is often beneficial to test implementation of the control early in the audit to avoid any need to revise
our planned further audit procedures should we determine the control was not properly implemented.

If, as a result of our procedures to evaluate design and determine implementation of a relevant
control, we determine that a control was not designed effectively or was not properly implemented,
we would first consider whether there are other relevant controls that might address the related
risk(s). If no such controls exist, we would consider whether our understanding of the entity’s flows
of transactions is accurate and complete and whether our risk assessments and planned further audit
procedures are appropriate.

Note: See Section 1.1 of the DTTL guide on Journal Entry Testing for the effect on journal entry testing
in response to the risk of management override of controls when deficiencies in controls over journal
entries are identified.

If we identify an ineffective control when evaluating design and determining implementation of
relevant controls, we would also evaluate whether the deficiency in internal control, individually or in
combination with other deficiencies, is a significant deficiency in internal control, and make the
appropriate communications to management and those charged with governance.

2.5.5 Segregation of duties

DTTL AAM 12200.101 states:

Segregation of duties. Assigning different people the responsibilities of authorizing transactions,
recording transactions, and maintaining custody of assets. Segregation of duties is intended to reduce
the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud
in the normal course of the person’s duties.

In obtaining an understanding of the entity’s internal control, we may find that controls are not
effectively designed because the individuals involved have conflicting duties.
For example, the Accounts Payable Manager reviews and approves voucher packages for payment,
and also has the ability to add vendors to the vendor master file. As a result, she could create a
fictitious vendor and submit and approve inappropriate invoices for payment to that vendor.
For example, a Warehouse Manager has physical access to the inventory contained in the warehouse
and is responsible for approving the adjustments to the perpetual inventory records arising from the
physical inventory counts. As such, he could misappropriate inventory and conceal the
misappropriation by directly or indirectly manipulating the physical inventory adjustments related to
the items stolen.

As a result, in evaluating design and determining implementation of the relevant controls in these
examples (the reconciliation of the detailed records to the general ledger and the approval of physical
inventory adjustments), we would consider whether the individuals involved in the controls have
conflicting duties.
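As an added example (not from the DTTL guide), the following Python script applies the definition above to a constructed entitlement list: each entitlement is classified as an authorizing, recording or custody duty within a process, and any person holding two different duty types in the same process is flagged, reproducing the two conflicts described. The process, entitlement and person names and the duty classification are assumptions made for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over a constructed entitlement list.

Added example; not part of the DTTL guide. It encodes the three duty types
named in DTTL AAM 12200.101 (authorizing transactions, recording transactions,
maintaining custody of assets) and flags any person holding two different duty
types within the same process. Process names, entitlement names, their duty
classification and the people are all constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Duty types from the guide's definition of segregation of duties.
AUTHORIZE = "authorize"
RECORD = "record"
CUSTODY = "custody"

# Constructed classification: entitlement -> (process, duty type).
# Adding a vendor to the vendor master file is treated as a recording duty;
# physical access to the warehouse is treated as custody of assets.
ENTITLEMENTS = {
    "approve_voucher_package": ("accounts_payable", AUTHORIZE),
    "maintain_vendor_master": ("accounts_payable", RECORD),
    "enter_vendor_invoice": ("accounts_payable", RECORD),
    "approve_inventory_adjustment": ("inventory", AUTHORIZE),
    "perform_inventory_count": ("inventory", RECORD),
    "warehouse_physical_access": ("inventory", CUSTODY),
}

# Constructed role assignments: person -> entitlements held. The AP manager and
# warehouse manager mirror the two conflicts described in the guide; the clerk
# holds two recording duties in different processes, which is not a conflict.
ASSIGNMENTS = {
    "ap_manager": {"approve_voucher_package", "maintain_vendor_master"},
    "ap_clerk": {"enter_vendor_invoice", "perform_inventory_count"},
    "warehouse_manager": {"warehouse_physical_access", "approve_inventory_adjustment"},
}


def find_sod_conflicts(assignments, entitlements=ENTITLEMENTS):
    """Return {person: [(process, duty_a, entitlement_a, duty_b, entitlement_b), ...]}.

    Only people with at least one conflict appear in the result. An entitlement
    missing from the classification raises ValueError rather than passing
    silently, because an unclassified entitlement cannot be evaluated.
    """
    conflicts = {}
    for person, held in assignments.items():
        by_process = defaultdict(list)  # process -> [(duty, entitlement)]
        for ent in sorted(held):
            if ent not in entitlements:
                raise ValueError(f"unclassified entitlement {ent!r} held by {person!r}")
            process, duty = entitlements[ent]
            by_process[process].append((duty, ent))
        found = []
        for process in sorted(by_process):
            for (duty_a, ent_a), (duty_b, ent_b) in combinations(by_process[process], 2):
                if duty_a != duty_b:  # two different duty types in one process
                    found.append((process, duty_a, ent_a, duty_b, ent_b))
        if found:
            conflicts[person] = found
    return conflicts


def format_report(conflicts):
    """Render the conflicts as one line per finding, suitable for a working paper."""
    lines = []
    for person in sorted(conflicts):
        for process, duty_a, ent_a, duty_b, ent_b in conflicts[person]:
            lines.append(f"{person}: {process}: {duty_a} via {ent_a} "
                         f"conflicts with {duty_b} via {ent_b}")
    return lines


if __name__ == "__main__":
    for line in format_report(find_sod_conflicts(ASSIGNMENTS)):
        print(line)
```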

2.5.6 Pitfalls, and tips for avoiding pitfalls

Pitfall: Not specifically assessing the correlation of the control to each risk when evaluating the design of a control that addresses multiple risks.
Tips for avoiding this pitfall:
• Specifically address in our documentation how the control addresses each risk the control is mapped to.

Pitfall: Insufficient consideration of the criteria for investigation and process for follow-up.
Tips for avoiding this pitfall:
• Understand the extent to which the reviewer has identified matters for further follow-up or identified misstatements in their review, and the magnitude of such misstatements.
• Reference the relevant auditing standards and guidance utilized within the working papers to demonstrate your understanding of the standards and guidance.

Pitfalls:
• Only considering the person’s education, certification, and tenure when evaluating the competence and authority of the person(s) performing the control.
• Not considering the person’s knowledge of the specific subject matter for the relevant control.
Tips for avoiding these pitfalls:
• Evaluate and document explicitly what knowledge the control performer has to perform the control and how the person obtains and maintains that knowledge.
• Document our observations and interactions with the control performer when evaluating the subject matter expertise.

Pitfall: Not explicitly addressing the consistency of the information used in the control or the control procedure.
Tips for avoiding this pitfall:
• Ask management how they establish expectations of the control performer to enhance consistency in the performance of the control procedures (e.g., written control procedures, standard templates/agendas).

Pitfalls:
• Not considering the level of disaggregation at which the control is performed.
• Not considering the predictability of the account the control is mapped to.
Tips for avoiding these pitfalls:
• Review the same information used by the control performer to assess the sufficiency of the data/information used in the control.
• Evaluate and document the predictability of the account/transaction subject to the control, as applicable.

Pitfall: The evaluation of the design of controls is based on inquiry alone.
Tips for avoiding this pitfall:
• Request the control performer to walk through an instance of the operation of the control and show us documentary evidence.

Pitfalls:
• Insufficient evaluative documentation of why the control is designed effectively in terms of our consideration and documentation of each of the design factors. Examples include the following:
  - Conclusions on the appropriateness of the design to address the related risk lack substance.
  - High-level risk and control descriptions that result in high-level design evaluations, both of which are insufficient to support our design conclusion.
• Restating the process or control description in our evaluation of the effectiveness of the design of the control.
Tips for avoiding these pitfalls:
• Have the same individual(s) obtain the understanding (including evaluating the design and determining implementation), perform the operating effectiveness testing, if applicable, and perform the related substantive procedures for a specific area.
• Involve specialists/experts in our evaluation of the design of the control (e.g., IT, Tax, IFV).
• Perform the design evaluation earlier in the audit process in order to timely identify design deficiencies and assess the impact on our audit plan.
• Prepare documentation that is evaluative in nature (e.g., document what you considered in order to conclude on the design factors).
  - Refer to the detailed control description developed from the understanding obtained to address the design factors (i.e., there is no need to repeat the actual control description).
  - Discuss the design evaluation of the control and related documentation for the more complex or significant areas as a team, or have someone unrelated to the area review the documentation with an objective and skeptical mindset.
  - Focus on and challenge whether the documentation clearly articulates why the design is effective.

Pitfall: Not considering relevant design factors for controls deemed to be less reliable based on the nature, approach, and type.
Tips for avoiding this pitfall:
• Utilize professional judgment when assessing the nature, approach, and type of a control and when determining which design factors are relevant.
• For controls that are deemed less reliable, evaluation of each design factor may generally be necessary.

2.5.7 Deficiency in internal control

If the design, implementation, or operation of a control is not effective (e.g., design, implementation,
or operation is in such a way that it is unable to prevent, or detect and correct, misstatements), then
it is a “deficiency in internal control.”

DTTL AAM Literature: Deficiency in internal control—This exists when:
a) A control is designed, implemented or operated in such a way that it is unable to prevent, or detect
and correct, misstatements in the financial statements on a timely basis; or
b) A control necessary to prevent, or detect and correct, misstatements in the financial statements on
a timely basis is missing.
[DTTL AAM Glossary]

2.6 Documentation considerations for understanding internal control

The purpose of this section is to provide users with documentation considerations.

Considerations include:

1. A description of the procedures performed and results to obtain/update our understanding of
components of internal control and identifying the relevant controls, including:
• The process flows, in such a manner that they are clear enough to enable a reviewer to
understand the flows of transactions to identify controls
• A description of the nature, approach, and type of the controls deemed relevant to the audit
• A description of the controls in a clear manner to demonstrate how the control addresses the
risk(s) of material misstatement
• Description of the other controls upon which the control is dependent or information used in
the control
• The transactions selected for walkthrough, if any
• Nature of the tests performed to test design beyond inquiry (e.g., observation and inspection
of documentation)

Note: Additional consideration points:
• Consider depicting the process flows in a flowchart.
• If the process flow is in a narrative format, consider annotating in the
process description the procedures performed, including the transactions
selected and the questions asked and responses, and cross-reference to
the risks of material misstatement working papers.
Include summary-level descriptions of the controls in our working papers with
a cross-reference to the additional details (e.g., narrative).

2. The factors considered that were important in determining whether the control addresses the risks
of material misstatement.
3. A clear statement about whether the design of the control is effective for each control we
determine is relevant to the audit.
• If our conclusion is that the design of the control is ineffective, consider the effect of our
conclusion on tests of other controls that may depend on the control tested and the design of
our substantive procedures.
4. The basis for our conclusions, including the professional judgments important to the conclusion.

Note: Engagement teams may consider using the following forms for documentation:
• Form 1530 – Understand the Financial Reporting Process (AS/2) or form
12200.T04 – Understand the financial reporting process (EMS);
• Form 1561 – Understand the Control Environment (AS/2) or form
12200.T01 – Understand the entity’s control environment (EMS);
• Form 1562 – Understand the Risk Assessment Process (AS/2) or form
12200.T02 – Understand the entity’s risk assessment process (EMS); and
• Form 1563 – Understand the Monitoring of Controls (AS/2) or form
12200.T03 – Understand the entity’s monitoring of controls
to document their understanding of the components of internal control; and
• Form 1570 – Determine Material Classes of Transactions, Account
Balances, and Disclosures (AS/2) or form 13200.T01 – Identify material
classes of transactions, account balances, and disclosures (EMS) to
document their understanding of the flows of transactions for material
classes of transactions, account balances, and disclosures. Also,
engagement teams may use Form Series 158X, RAAP and MAP for
Material Account Balances, Classes of Transactions, Disclosures, which
provides guidance and examples to assist engagement teams in
identifying risks of material misstatement at the assertion level and
relevant controls that may address the applicable risks of material
misstatement.

2.7 Appendix A — Reference guide for performing a walkthrough to understand the likely
sources of misstatements
This tool may assist engagement teams in supervising and directing their engagement team members
(e.g., providing on-the-job training), and may be used by individual engagement team members as a
reference guide when performing audit procedures. The following is a reference guide for procedures
typically performed during a walkthrough to understand the likely sources of misstatements.

2.7.1 Objectives when performing a walkthrough

Walkthrough

To further understand the likely sources of potential misstatements the auditor should achieve the
following objectives:
• Understand the flow of transactions, including how the transactions are initiated, authorized,
processed, and recorded;
• Verify that the auditor has identified the points within the company’s processes at which a
misstatement — including a misstatement due to fraud — could arise that, individually or in
combination with other misstatements, would be material;
• Identify the controls relevant to the audit that management has implemented; and
• Identify the controls that management has implemented over the prevention or timely detection of
unauthorized acquisition, use, or disposition of the company’s assets that could result in a material
misstatement of the financial statements.
[Internal Control Guide Chapter 2: Section 2.4]

In performing a walkthrough, the auditor follows a transaction from origination through the company’s
processes, including information systems, until it is reflected in the company’s financial records, using
the same documents and information technology that company personnel use. Walkthrough
procedures usually include a combination of inquiry, observation, and inspection of relevant
documentation. [Internal Control Guide Chapter 2: Section 2.4.3]

Evaluation of design

When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate
the design of those controls and determine whether they have been implemented, by performing
procedures in addition to inquiry of the entity’s personnel. [DTTL AAM 12200.30] [Internal Control
Guide Chapter 2: Section 2.5]

Risk assessment procedures to obtain audit evidence about the design and implementation of relevant
controls may include:
• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting.

Inquiry alone, however, is not sufficient for such purposes. [DTTL AAM 12200.34]

2.7.2 Information to obtain for the walkthrough


The entity’s documentation related to the process for which we are performing the walkthrough
(updated for changes from the prior year) includes, as applicable:

© 2017 For information, contact Deloitte Touche Tohmatsu Limited Page 39 of 186
Internal control

• Flowcharts or process narratives
• Detailed control procedure descriptions
• Our documentation related to the process from the prior year

2.7.3 Procedures to perform during a walkthrough


• Follow a transaction from origination through the entity’s process until it is reflected in the entity’s
financial records using the same documents and information technology that entity personnel use
(using and, as necessary, enhancing or clarifying the process descriptions provided by the entity
or those we have developed in the current or prior audits).
• Ask questions of management and other entity personnel related to the process steps and
potential risks of material misstatement, including risks of fraud to identify or update the
following:
- Risks of material misstatement
- Relevant application systems
- Automated and manual controls
- Manual and automated interfaces
- Key databases and reports.
• The following are examples of the nature of the questions that could be asked related to the
process steps (e.g., consider tailoring the questions to the engagement-specific facts and
process):
- Variations in how transactions are processed
- Changes in the process or controls
- Past processing problems or errors
- Reliance on the application system functions and reports
- Identification of the need for corrective actions (e.g., issuing credits or debits)
- The responsibilities of each person involved in the process.
• The existence of or concerns about fraudulent activity, management override, appropriate
segregation of duties, and tone at the top.
• Ask questions of management and other entity personnel related to the relevant controls identified
to obtain and validate the detailed description of such controls.
• The following are types of questions that could be asked specific to the relevant controls
(consider tailoring to engagement-specific facts and controls):
- Does the person understand the objective of the control and how the control is intended to
operate?
- What is the role of each person or application in the performance of the control?
- If a detective control, what are the extent and nature of exceptions or errors the control is
intended to identify?
- What does the person do once an exception or error has been identified?
- Have there been any instances where the control operated in a way contrary to the manner in
which it is intended or expected to operate?
- Does the person performing the control have the necessary competence and authority to do so
effectively?
- Who performs the control in the absence of the person responsible?


- Has the person performing the control ever been asked to override controls? If so, describe
the situation.
• Evaluate whether there is a proper segregation of duties across the process.
• Evaluate the design of each relevant control to validate our understanding of the control by
inquiry, observation, or inspection of documentation (e.g., ask the control owners to demonstrate
to you specifically what they do to perform the control). [Internal Control Guide Chapter 2:
Section 2.5.1]
• Expand the evaluation of design to also obtain evidence of implementation and operating
effectiveness (e.g., reperform the control), where feasible.

2.7.4 Deliverables upon completion of the walkthrough


Upon completion of the walkthrough, we may update our documentation of the following:
1. Updated process narratives
- Updated flowcharts or process narratives
- The walkthrough procedures performed. For example:
- The transaction(s) selected to trace through the process
- The questions asked, with a summary of any responses, including conclusions related to
segregation of duties.
2. Evaluation of design working paper
- Updated detailed control description
- Procedures performed and evidence obtained to evaluate the design of controls.
3. Working papers documenting risks of material misstatement and related information
- Revised risks and control descriptions (summary) as applicable, cross-referenced to/from
narratives and flowcharts.

2.8 Appendix B — Illustrative examples


To come in a future release of this guide.


3 Testing operating effectiveness of controls

3.1 Introduction
This chapter provides an overview of testing the operating effectiveness of relevant controls. When we
test the operating effectiveness of a control, we obtain evidence about whether it is operating as
designed. If the control does not operate effectively (e.g., we are unable to obtain sufficient
appropriate audit evidence that the control is operating as designed), then it is a control deficiency. If
a control is not designed properly, it cannot operate effectively; therefore, there is no need to
determine implementation or test the operating effectiveness of controls that are improperly designed.

DTTL AAM Literature

In designing and performing tests of controls, the auditor shall:
(a) Perform other audit procedures in combination with inquiry to obtain audit
evidence about the operating effectiveness of the controls, including:
(i) How the controls were applied at relevant times during the period
under audit;
(ii) The consistency with which they were applied; and
(iii) By whom or by what means they were applied.
(b) Determine whether the controls to be tested depend upon other controls
(indirect controls), and, if so, whether it is necessary to obtain audit
evidence supporting the effective operation of those indirect controls.
[DTTL AAM 23001.18]

For purposes of the DTTL AAM, the following terms have the meanings
attributed below:
(a) Deficiency in internal control – This exists when:
(i) A control is designed, implemented or operated in such a way that it
is unable to prevent, or detect and correct, misstatements in the
financial statements on a timely basis; or
(ii) A control necessary to prevent, or detect and correct, misstatements
in the financial statements on a timely basis is missing.
(b) Significant deficiency in internal control – A deficiency or combination of
deficiencies in internal control that, in the auditor’s professional
judgment, is of sufficient importance to merit the attention of those
charged with governance.
[DTTL AAM Glossary]

3.2 Process flow for testing operating effectiveness of controls


The following process flow illustrates the steps applicable to testing the operating effectiveness of a
control. It is applied for each relevant control for which we are required, or for which we elect, to test
operating effectiveness. Applying each of these steps requires professional judgment (see the Using
Professional Judgment practice aid for further guidance).


3.2.1 Key activities in the process flow for testing operating effectiveness of controls

[Process flow: Determine the need to test operating effectiveness of controls → Assess the risk associated with the control → Plan the nature, timing, and extent of tests of operating effectiveness → Perform tests of operating effectiveness → Assess findings and conclude on operating effectiveness]

Key activities for determining the need to test operating effectiveness of controls:
• Determine the need to test controls, considering whether:
- We intend to rely on the operating effectiveness of controls in determining the nature, timing,
and extent of substantive procedures; or
- Substantive procedures alone cannot provide sufficient appropriate audit evidence.

Key activities for assessing the risk associated with the control:
• Assess the risk associated with each relevant control using the factors listed below in Section 3.4.

Key activities for planning the nature, timing, and extent of tests of operating effectiveness:
• Plan the nature of our tests, considering the relevant risk and the available evidence.
• Plan the timing of our tests, considering the relevant risk, including the period to be covered.
• Plan the extent of our tests considering the relevant risk and the frequency with which the control
operates.
• Plan dual-purpose tests that explicitly achieve the objectives of both the test of the control and the
substantive procedures.

Key activities for performing tests of operating effectiveness:
• Define the test objective, including a clear understanding of what constitutes a deviation.
• Identify the population to be sampled.
• Select the sample such that all items in the population have a chance of selection.
• Obtain sufficient and appropriate audit evidence, including evidence to address the completeness
and accuracy of any information produced by the entity that we use in testing the control.
• Apply professional skepticism when evaluating the persuasiveness of the evidence obtained.

Key activities for assessing findings and concluding on operating effectiveness:
• Evaluate the nature of any deviations, apply professional skepticism, and conclude on whether
they represent control deficiencies.
• Accumulate any deficiencies for evaluation and classification as to severity and further assessment
of the effect on our risk assessment and audit.

3.3 Determine the need to test operating effectiveness of controls

[Process flow: Determine the need to test operating effectiveness of controls → Assess the risk associated with the control → Plan the nature, timing, and extent of tests of operating effectiveness → Perform tests of operating effectiveness → Assess findings and conclude on operating effectiveness]

We are not required to test controls, except in either of the following situations:


• We plan to rely on the controls to alter the nature or timing, or reduce the extent, of our
substantive procedures to address risks of material misstatement.
• Substantive procedures alone cannot provide sufficient appropriate audit evidence.
For example, consider the approach for addressing the risk of material misstatement relating to
completeness of revenues in an entity that sells software applications solely over the internet, where
customer orders are entered, processed, and recorded electronically, and there is no physical
documentary evidence of the customer order and related sale. In such instances, substantive
procedures alone will likely not provide sufficient appropriate audit evidence about whether we have a
basis to conclude that a risk of material misstatement related to the completeness of revenue has
been addressed; accordingly, we would also need to identify and test the relevant controls addressing
this risk of material misstatement.

Following is the related requirement from DTTL AAM 13300.17:

DTTL AAM Literature

The auditor shall design and perform tests of controls to obtain sufficient
appropriate audit evidence as to the operating effectiveness of relevant
controls if:
(a) The auditor’s assessment of risks of material misstatement at the
assertion level includes an expectation that the controls are operating
effectively (that is, the auditor intends to rely on the operating
effectiveness of controls in determining the nature, timing and extent of
substantive procedures); or
(b) Substantive procedures alone cannot provide sufficient appropriate audit
evidence at the assertion level.
[DTTL AAM 13300.17]

Unless we determine that substantive procedures alone cannot provide sufficient audit evidence,
testing of operating effectiveness of controls is not required. The decision to test controls is generally
based on whether the benefits of altering the nature (e.g., performing a substantive analytical
procedure rather than a test of details), altering the timing (e.g., performing substantive procedures
at interim rather than at year-end), or reducing the extent of our substantive procedures exceed the
effort required to perform tests of operating effectiveness of controls. The benefits and effort of
performing tests of controls will vary in each engagement and for each risk of material misstatement
for which we consider testing operating effectiveness of controls to obtain audit evidence. In making
this decision, we may consider a number of factors, including the following:
• The impact on substantive testing — Will testing controls allow us to increase audit efficiency by
altering the nature or timing, or reducing the extent of substantive procedures?
• The effort required to test the control — Is the control we plan to test an automated control that,
in conjunction with effective relevant general IT controls that we have also tested (see Chapter 6),
will permit us to test only one instance of the operation of the control in order to conclude as to its
effectiveness, or is it a manual control performed many times a day that will necessitate the use of
a larger sample size to enable us to conclude as to its operating effectiveness?
• The need to test other controls — Will testing operating effectiveness of the control also require
testing operating effectiveness of other controls that the control being tested is dependent upon?
• The need to test completeness and accuracy of information produced by the entity that we will be
using in our tests of operating effectiveness, particularly when the information produced by the
entity is not relevant to any of our other audit procedures.
• The ability to use audit evidence from a previous audit about the operating effectiveness of a
relevant control — Can we use evidence from a prior year, or do we expect to be able to use
evidence from tests of the control performed in the current audit to reduce testing in future
audits?


• Management expectations — Has management asked us to test one or more controls as part of
our audit?

Our analysis of whether to test operating effectiveness of controls may have focused only on reducing
the sample size for a substantive test of details; however, testing operating effectiveness of controls
may also allow us to alter the nature of the substantive procedure (e.g., from a test of details to a
more efficient substantive analytical procedure) or allow us to alter the timing of the substantive
procedures (e.g., to efficiently move work out of our busy season by performing substantive testing at
an interim date, together with appropriate rollforward procedures).

3.3.1 Substantive procedures alone cannot provide sufficient appropriate audit evidence
In certain circumstances, substantive procedures alone cannot provide sufficient appropriate audit
evidence, and tests of controls are required as a response to the assessed risk of material
misstatement at the assertion level (see DTTL AAM 13300.17 above). The application of professional
judgment is required in order to determine that this is the case. The existence of certain facts and
circumstances (factors) may lead to the determination that substantive procedures alone cannot
provide sufficient appropriate audit evidence.

Below are factors to consider in determining when substantive procedures alone cannot provide
sufficient appropriate audit evidence as a response to the assessed risk of material misstatement at
the assertion level. The presence of these factors will be informed by the risk assessment procedures
performed as part of our understanding the entity and its environment, including its internal control.

The more prevalent these factors are, the more likely it is that substantive procedures alone cannot
provide sufficient appropriate audit evidence and that tests of controls are also required. When
considering the factors, some may carry more weight, i.e., are more important to the determination
that tests of controls are required. The factors have been divided into two categories:

Primary factors

Those factors that ordinarily have a predominant influence or importance and as a result tend to have
a more persuasive impact when determining that substantive procedures alone cannot provide
sufficient appropriate audit evidence.

Contributing factors

Those factors that impact the ability to obtain sufficient appropriate audit evidence through
substantive procedures alone. Individually, these factors may not result in a determination that
substantive procedures alone cannot provide sufficient appropriate audit evidence, but in combination
with one or more contributing and/or primary factors they may result in such a determination. For
example, the presence of the factor "high volume of transactions processed" by itself may not result in
a determination that substantive procedures alone cannot provide sufficient appropriate audit
evidence; however, where there are high volumes of transactions processed, these transactions are
initiated electronically, and the processing itself requires limited or no manual intervention, it may
result in such a determination.

Primary factors

Factor: Conduct of business using IT
Description: Business is conducted in such a manner that transactions are initiated electronically with
little or no other documentation or audit trail outside of the IT system. Significant information
supporting one or more relevant assertions is electronically initiated, recorded, processed, or
reported. For such assertions, significant audit evidence may be available only in electronic form. In
such cases, the sufficiency and appropriateness of the audit evidence may depend on the
effectiveness of controls over the accuracy and completeness of the processing of the transactions. In
addition, the potential for improper initiation or alteration of information to occur and not be detected
may be greater if information is initiated, recorded, processed, or reported only in electronic form and
appropriate controls are not operating effectively.

Factor: Electronic records only
Description: Only electronic records of transactions or events are produced, exist, and/or are
maintained (through IT).

Factor: Automated recording of transactions
Description: Transactions or events are recorded automatically with little or no manual intervention.

Contributing factors

Factor: High volume of transactions processed
Description: The volume of transactions (e.g., a high volume of transactions may occur in a large
bank or telecommunication entity, making it more difficult to design substantive procedures that, by
themselves, provide sufficient appropriate audit evidence at the assertion level).

Factor: Measurements (including related calculations) which are complex and/or judgmental
Description: Some entities, such as large banks, insurers, telecommunication entities, and other
entities make extensive use of IT to conduct their business or have a high number of accounting
estimates, many of which are judgmental or complex, in their financial reports. For audits of these
entities, it is not likely to be possible or practicable to design effective substantive procedures that,
by themselves, provide sufficient appropriate audit evidence at the assertion level.
For example:
• Some models may be developed by specialists and are highly automated/system driven in order
to execute complex formulae; large volumes of data are used to build and support assumptions. It
may be necessary to rely on controls surrounding inputs, processing, and outputs and when
updates are made to models and data supporting assumptions.
• Where there is complexity and management makes significant judgments, or where the
assumptions used in the calculation cannot be externally verified (e.g., no observable data).

Factor: Use of enterprise resource planning (ERP) systems
Description: ERP systems are a suite of integrated applications that connect business activities. When
implementing ERP systems, entities can also standardize and automate many business processes and
controls within those processes.
The use of ERP systems provides an integrated view of core business processes for operational and
reporting purposes. Transactions processed in ERP systems are often real-time, and the ERP system
facilitates and manages information flow between functions within the business as well as third
parties (stakeholders). Key characteristics include using common databases which are provided by
and shared with the various functions (business and third party). The ERP system can also integrate
and interface with various organizational systems.
Refer to Section 6.3.1 of this guide for additional guidance on application systems (including ERP
systems) and IT infrastructure in the IT environment. Example engagement scenarios for determining
when applications, data warehouses, or report writers are relevant to the audit are provided in
Figure 6.5. Example #3 can be referred to as an example of how the implementation of the same ERP
system (for example SAP) may vary based on business needs (use of automation functionalities of
the ERP system vs. use of the ERP system without automation).

Examples of types of entities where the above factors may be more prevalent include:
• Telecommunications
• Financial services
• Retail
• Online or web-based entities
• Utilities (power and water).

We make the decision to test controls, either because it is a cost-effective strategy or it is necessary
because substantive procedures alone will not provide sufficient audit evidence. As such, we might
rely on controls for some, but not all, significant classes of transactions, account balances, and
disclosures, and further, we may rely on controls related to some, but not all, risks of material
misstatement for a particular class of transactions, account balance, or disclosure.

3.4 Assess the risk associated with the control

[Process flow: Determine the need to test operating effectiveness of controls → Assess the risk associated with the control → Plan the nature, timing, and extent of tests of operating effectiveness → Perform tests of operating effectiveness → Assess findings and conclude on operating effectiveness]

When we have determined to test the operating effectiveness of a control for purposes of the financial
statement audit, we consider the risk of material misstatement as well as the risk associated with the
control (RAWC). The risk associated with the control is the risk that the control might not be effective
and, if not effective, the risk that a significant deficiency in internal control would result.

The assessment of the risk of material misstatement and the risk associated with the control
determines the nature, timing, and extent of our tests of the operating effectiveness of the control.

We assess the risk associated with the control as either “higher” or “not higher” considering the
following factors:
• The nature and materiality of misstatements that the control is intended to prevent or detect;
• Whether there have been changes in the volume or nature of transactions that might adversely
affect control design or operating effectiveness;
• Whether the account balance, class of transactions, or disclosures has a history of errors;
• The effectiveness of entity-level controls, especially controls that monitor other controls;
- Note: The entity-level controls include controls related to the control environment; the company’s
risk assessment process; centralized processing and controls; controls over the period-end
financial reporting process; and controls to monitor other controls.
• The nature of the control and the frequency with which it operates;


• The degree to which the control relies on the effectiveness of other controls (e.g., the control
environment or general IT controls);
• The competence of the personnel who perform the control or monitor its performance and whether
there have been changes in key personnel who perform the control or monitor its performance;
• Whether the control relies on performance by an individual or is automated (i.e., an automated
control would generally be expected to be a lower risk if relevant general IT controls are
effective); and,
• The complexity of the control and the significance of the judgments that must be made in
connection with its operation.

It is important to note that in determining the risk associated with the control, while we consider each
of the above factors, some of the factors are more relevant than others as discussed further in the
table below.

RAWC factor: The nature and materiality of misstatements that the control is intended to prevent or
detect
Example: Controls that operate at a level of precision intended to prevent or detect errors with smaller
dollar values, or errors that are highly apparent (i.e., require limited judgment), have a lower risk
associated with them than controls that address risks related to accounts with large transactions that
occur on a non-routine basis.

RAWC factor: Whether there have been changes in the volume or nature of transactions that might
adversely affect the control’s design or operating effectiveness
Example: A significant increase in sales volume may increase the likelihood of failure of a manual
control that addresses the risks related to the sales account, which in turn likely increases the risk
associated with such a manual control.

RAWC factor: Whether the account balance, class of transactions, or disclosure has a history of errors
Example: Errors in an account are indicators that relevant controls that address the risks of material
misstatement relating to such an account may not be operating effectively, which likely increases the
risk associated with such controls.

RAWC factor: The effectiveness of entity-level controls, especially controls that monitor other controls
Example: When evaluating process-level controls, if an entity effectively monitors the periodic
preparation of account reconciliations throughout the year (i.e., all account reconciliations are
submitted to corporate, who monitors the timely completion), the risk associated with the preparation
and review of each account reconciliation is likely reduced.

RAWC factor: The nature of the control and the frequency with which it operates
Example: We may assess the risk associated with controls that operate routinely as not higher
compared to those that operate only on an ad hoc basis (e.g., controls related to accounting for an
acquisition or a divestiture, when the entity enters into such transactions on an infrequent basis,
likely have a higher risk associated with them than other controls that operate on a more routine
basis).

RAWC factor: The degree to which the control relies on the effectiveness of other controls (e.g., the
control environment or general IT controls)
Example: Automated controls depend upon the effectiveness of general IT controls, and if such
general IT controls are determined to be ineffective, the risk associated with the automated controls
may be higher.

RAWC factor: The competence of the personnel who perform the control or monitor its performance
and whether there have been changes in key personnel who perform the control or monitor its
performance
Example: If a new assistant controller is performing a control for the first time, or if the person
performing the control has not been trained either in how to perform the control or in the subject
matter to which it pertains, the risk associated with the control is likely higher, as there is a greater
likelihood that the control might not be performed appropriately, particularly as the complexity of the
subject matter of the control increases (e.g., financial instruments).

RAWC factor: Whether the control relies on performance by an individual or is automated
Example: Automating a control increases its reliability (i.e., precision and consistency) and thus,
generally, it would likely have a not-higher risk associated with it when general IT controls (e.g.,
program change controls and security access controls) are effective than an equivalent manual control
that is prone to deviation.
A control that comprises a three-way match (i.e., a control whereby invoices are matched to a valid
purchase order and an approved packing slip or receiving note) generally is not complex and requires
minimal judgment in its operation, even if it is performed manually. Alternatively, a control with a
review element related to an asset impairment analysis is more likely to have a higher risk associated
with it, because of the complexity and significant judgments that are likely to be involved in the
operation of the review. Accordingly, the nature, timing, and extent of operating effectiveness tests
for the three-way match and the control with a review will likely be different in order to respond to
the assessed risk that each of these controls might not be effective.

RAWC factor: The complexity of the control and the significance of the judgments that must be made
in connection with its operation
Example: Controls that operate routinely, with little subjectivity, at the transaction level likely have a
not-higher risk associated with them, as contrasted to highly subjective controls with a review that are
complex because of the subject matter they address and the significant judgments involved, including
the possibility of implicit or explicit bias in the reviewer’s judgments in identifying deviations or
differences for investigation and follow-up.

While we consider each of the factors listed above, we only need to conclude overall as to whether the
risk associated with the control is “higher” or “not higher” (i.e., we do not need to make a conclusion
with respect to our consideration of each factor).

3.5 Plan the nature, timing, and extent of tests of operating effectiveness of controls

[Process flow: Determine the need to test operating effectiveness of controls → Assess the risk associated with the control → Plan the nature, timing, and extent of tests of operating effectiveness → Perform tests of operating effectiveness → Assess findings and conclude on operating effectiveness]

When we plan the nature, timing, and extent of tests of operating effectiveness of a relevant control
that addresses one or more risks of material misstatement, we design tests to address the risk of
material misstatement and the risk associated with the control.

As the risk associated with the control increases, we may do one or more of the following:
• Increase the persuasiveness of the nature of the audit evidence we will obtain from our tests
(e.g., utilize a combination of procedure types or perform more persuasive procedures)
• Increase the extent of our testing
• Perform our procedures closer to the period end or balance-sheet date, or obtain more
persuasive evidence of the operation of the control during the rollforward period
• Identify and test other redundant controls
• Perform the procedures ourselves rather than using the work of others.

Illustrated below are ways in which we can vary the nature, timing, and extent of our procedures in
response to the assessed risk of material misstatement and the assessed risk associated with the
control. We exercise professional judgment when determining how to vary the nature, timing, and
extent of our procedures.

To obtain evidence about whether a selected control is effective, the control must be tested directly;
the effectiveness of a control cannot be inferred from the absence of misstatements detected by
substantive procedures. The absence of misstatements detected by substantive procedures, however,
should inform the auditor's risk assessments in determining the testing necessary to conclude on the
operating effectiveness of a control.

Our planning for tests of operating effectiveness begins with the detailed description of the control
procedure (i.e., the details of how the control is performed (e.g., who, what, and when)).

When we evaluate the design of the control, we conclude whether the control, as documented, is
designed effectively. Testing operating effectiveness simply means obtaining evidence, either positive
or negative, to determine whether the control procedure was performed properly (i.e., whether all of
the important steps identified in the detailed control description, in fact, operated as designed or
intended, and for the period of intended reliance).

DTTL AAM Literature: Inquiry alone is not sufficient to test the operating effectiveness of controls.
Accordingly, other audit procedures are performed in combination with inquiry. In this regard, inquiry
combined with inspection or reperformance may provide more assurance than inquiry and observation,
since an observation is pertinent only at the point in time at which it is made. [DTTL AAM 23001.21]

The evidence provided by the auditor’s tests of the operating effectiveness of controls depends upon
the mix of the nature, timing, and extent of the auditor’s procedures. Further, for an individual
control, different combinations of the nature, timing, and extent of testing may provide sufficient
evidence.

The characteristics of the control that we consider when planning and performing tests of operating
effectiveness also include information produced by the entity that we use in our tests of operating
effectiveness of relevant controls. We may obtain information to use in performing our tests of certain
controls, such as reports on system settings (e.g., access, profiles, passwords) or reports used to
define the population of interest (e.g., a list of program changes). We are required to obtain sufficient
audit evidence relating to the accuracy and completeness of such information produced by the entity.
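The completeness and accuracy requirement above is abstract; the following Python example, added here and not part of the DTTL guide or of any DTTL tool, shows one way to obtain that evidence for a system-generated user access report: reconcile the entity's report to rows the auditor extracted directly from the system, and check that the report was run with the parameters the control requires. The report rows, the direct extract and the parameters are constructed sample data, and the field names (user, role, enabled, last_login) are assumptions for the example.

```python
# Added example (not part of the DTTL guide): evidence over the completeness and
# accuracy of information produced by the entity (IPE), here a user access report,
# by reconciling it to data extracted directly by the auditor and by checking the
# parameters the report was run with. All data below is constructed sample data;
# the field names are assumptions for the example.

# Report the entity produced for us (constructed).
ENTITY_REPORT = [
    {"user": "alice", "role": "admin", "enabled": True, "last_login": "2017-09-01"},
    {"user": "bob", "role": "user", "enabled": True, "last_login": "2017-08-15"},
    {"user": "carol", "role": "user", "enabled": False, "last_login": "2017-01-10"},
]

# Rows we extracted ourselves from the system's user table, e.g. by running or
# observing a read-only query (constructed). Note the extra service account.
DIRECT_EXTRACT = ENTITY_REPORT + [
    {"user": "svc_backup", "role": "admin", "enabled": True, "last_login": "2017-09-05"},
]

# Parameters on the report header versus those the control requires (constructed).
REPORT_PARAMETERS = {"as_of": "2017-09-30", "system": "ERP-PROD", "include_disabled": True}
EXPECTED_PARAMETERS = {"as_of": "2017-09-30", "system": "ERP-PROD", "include_disabled": True}


def check_parameters(actual, expected):
    """Accuracy: the report must have been run with the period, system and filters
    the control description calls for. Returns {param: (actual, expected)} for each
    parameter that differs or is missing."""
    return {k: (actual.get(k), v) for k, v in expected.items() if actual.get(k) != v}


def reconcile(report, extract, key="user"):
    """Completeness and accuracy: every record in the direct extract must appear in
    the report with identical attributes, and the report must not contain records
    that are absent from the source."""
    r = {row[key]: row for row in report}
    e = {row[key]: row for row in extract}
    return {
        "missing_from_report": sorted(set(e) - set(r)),   # completeness exceptions
        "not_in_source": sorted(set(r) - set(e)),         # accuracy exceptions
        "attribute_mismatches": sorted(k for k in set(r) & set(e) if r[k] != e[k]),
        "report_count": len(r),
        "source_count": len(e),
    }


def ipe_reliable(report, extract, actual_params, expected_params):
    """Overall conclusion: the report may be used as audit evidence only if its
    parameters are correct and the reconciliation shows no exceptions."""
    param_exceptions = check_parameters(actual_params, expected_params)
    rec = reconcile(report, extract)
    no_exceptions = not (rec["missing_from_report"] or rec["not_in_source"]
                         or rec["attribute_mismatches"])
    return (not param_exceptions) and no_exceptions, param_exceptions, rec


if __name__ == "__main__":
    ok, params, rec = ipe_reliable(ENTITY_REPORT, DIRECT_EXTRACT,
                                   REPORT_PARAMETERS, EXPECTED_PARAMETERS)
    print("report reliable:", ok)
    print("parameter exceptions:", params)
    print("reconciliation:", rec)
```

In the constructed data the entity's report omits a privileged service account, so the report cannot be used to define the population of users until the omission is explained and the report re-run; a row count alone would not have revealed which record was missing, which is why the reconciliation is keyed on the record identifier rather than on totals.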

3.5.1 Nature of procedures


Planning the nature of the operating effectiveness tests that we are going to perform depends on two
considerations:
1. The risk of material misstatement and the risk associated with the control
Our assessment of the risk of material misstatement and risk associated with the control
influences the persuasiveness of the evidence that we need to obtain to support a conclusion that
the control is operating effectively. Certain procedures will, by their nature, provide more
persuasive evidence than other procedures. Inquiry alone will not provide sufficient appropriate
audit evidence to conclude that a control is operating effectively. Depending on our assessment of
the risk of material misstatement and risk associated with the control and the nature of the
control, we therefore perform other audit procedures in combination with inquiry, including
observation, inspection of documentation, or reperformance of the control to obtain sufficient
appropriate audit evidence.
For example, if the risk of material misstatement is determined to be lower and the risk
associated with the control is determined to be not higher we may obtain sufficient evidence from
a combination of inquiry and inspection, and may use the work of others. However if the risk
associated with the control is determined to be higher we obtain more persuasive evidence
through a combination of inquiry, inspection and/or observation, and reperformance procedures.


2. The availability of evidence

DTTL AAM Literature: The nature of the particular control influences the type of procedure required to
obtain audit evidence about whether the control was operating effectively. For example, if operating
effectiveness is evidenced by documentation, the auditor may decide to inspect it to obtain audit
evidence about operating effectiveness. For other controls, however, documentation may not be
available or relevant. For example, documentation of operation may not exist for some factors in the
control environment, such as assignment of authority and responsibility, or for some types of control
activities, such as control activities performed by a computer. In such circumstances, audit evidence
about operating effectiveness may be obtained through inquiry in combination with other audit
procedures such as observation or the use of CAATs. [DTTL AAM 23001.22]

When determining the nature of the procedures we plan to perform, it is important to select
procedures that will provide evidence that the control procedure operated as designed (i.e.,
addresses each of the important steps of the control identified in the detailed control description).
Obtaining evidence for only a portion of the control procedure (e.g., limiting our tests of operating
effectiveness to one step of the procedure, such as evidence of a sign-off) will often be insufficient
evidence that the control operated as designed. Obtaining evidence of one step of the procedure
(e.g., the sign-off) does not, in most cases, provide evidence of other relevant steps of the
control, including who performed the control and how it was performed (e.g., what the person
performing the control considered or the basis for their conclusions in support of his or her sign-off
evidencing the completion of the control).

DTTL AAM Literature: Appropriateness is the measure of the quality of audit evidence; that is, its
relevance and its reliability in providing support for the conclusions on which the auditor's opinion is
based. The reliability of evidence is influenced by its source and by its nature, and is dependent on
the individual circumstances under which it is obtained. [DTTL AAM 00100.9]

The reliability of information to be used as audit evidence, and therefore of the audit evidence itself,
is influenced by its source and its nature, and the circumstances under which it is obtained, including
the controls over its preparation and maintenance where relevant. Therefore, generalizations about
the reliability of various kinds of audit evidence are subject to important exceptions. Even when
information to be used as audit evidence is obtained from sources external to the entity,
circumstances may exist that could affect its reliability. For example, information obtained from an
independent external source may not be reliable if the source is not knowledgeable, or a
management's expert may lack objectivity. While recognizing that exceptions may exist, the following
generalizations about the reliability of audit evidence may be useful:
• The reliability of audit evidence is increased when it is obtained from independent sources outside
the entity.
• The reliability of audit evidence that is generated internally is increased when the related controls,
including those over its preparation and maintenance, imposed by the entity are effective.
• Audit evidence obtained directly by the auditor (for example, observation of the application of a
control) is more reliable than audit evidence obtained indirectly or by inference (for example, inquiry
about the application of a control).
• Audit evidence in documentary form, whether paper, electronic, or other medium, is more reliable
than evidence obtained orally (for example, a contemporaneously written record of a meeting is more
reliable than a subsequent oral representation of the matters discussed).
• Audit evidence provided by original documents is more reliable than audit evidence provided by
photocopies or facsimiles, or documents that have been filmed, digitized or otherwise transformed
into electronic form, the reliability of which may depend on the controls over their preparation and
maintenance.
[DTTL AAM 00100.36]

Because evidence of operating effectiveness may be obtained from various activities (e.g., evaluating
design and determining implementation, using the work of others, and our own operating
effectiveness testing), it is also important to clearly identify the nature of the evidence that we plan to
obtain and the location of that evidence, or our description thereof, in our working papers. We may
request management to retain evidence that a control operated in order to provide more persuasive
evidence (e.g., for a control with a review element, we may request reviewers to retain their notes
from their review and other evidence supporting their follow up procedures and resolution of issues
identified until the completion of our audit).

3.5.2 Timing of tests of controls


The timing of our tests of controls is typically influenced by the following considerations:
1. The period that is to be covered by the tests
When relying on the operating effectiveness of controls to reduce the extent of substantive
testing, we obtain audit evidence of the operating effectiveness of the control for the period of
intended reliance.

DTTL AAM Literature: The auditor shall test controls for the particular time, or throughout the period,
for which the auditor intends to rely on those controls, subject to paragraph 17 and paragraph 47 in
order to provide an appropriate basis for the auditor's intended reliance. [DTTL AAM 23001.45]

Audit evidence pertaining only to a point in time may be sufficient for the auditor's purpose, for
example, when testing controls over the entity's physical inventory counting at the period end. If, on
the other hand, the auditor intends to rely on a control over a period, tests that are capable of
providing audit evidence that the control operated effectively at relevant times during that period are
appropriate. Such tests may include tests of the entity's monitoring of controls. [DTTL AAM 23001.46]

2. The risk of material misstatement and the risk associated with the control
Our assessment of the risk of material misstatement and the risk associated with the control
influences the timing of when we obtain our evidence. As the risk of material misstatement and
the risk associated with the control increases, it may be more likely that we will plan to test
operating effectiveness closer to the balance-sheet date. Alternatively, if we plan to perform our
testing as of an interim date, then our rollforward procedures need to provide more persuasive
evidence as the risk of material misstatement and the risk associated with the control increases.
3. When we choose to perform the tests
Our testing of the operating effectiveness of controls is generally performed after the controls
have operated. However, for some controls, it may be necessary to obtain the evidence about
their effectiveness when the control operates (or soon thereafter), as the evidence we need to
perform the testing and support our conclusions may not be accessible at a later date.


For example, we test controls with a review element as soon as possible after their occurrence
(e.g., in conjunction with our quarterly reviews) as management will be in a better position to
describe what they considered and the basis for their conclusions and provide documentary
evidence (e.g., notes, emails).
The timing of our tests may also be affected by the frequency with which specific controls operate
and specific policies are applied. Some controls operate continuously or many times a day (e.g.,
controls over sales transactions), while others operate only at certain times or at periodic intervals
(e.g., controls over the preparation of monthly or quarterly financial statements and controls over
physical inventory counts) or even only after the balance-sheet date (e.g., controls over the
preparation of certain footnote disclosures). Evidence of the operation of a control that relates to a
period subsequent to the balance-sheet or period-end date cannot be considered evidence of its
operating effectiveness at the balance-sheet or period-end date unless the control is designed to
operate only after the balance-sheet date or period-end.
For example, as controls over the December 31, 20X1, year-end financial close and reporting
process only operate in January 20X2, we may use the evidence of the controls operating in
January 20X2 to conclude on operating effectiveness of such controls as of December 31, 20X1.

Note: Because the annual period-end financial reporting process normally occurs after the balance-
sheet date, those controls usually cannot be tested until after the balance-sheet date.

When we choose to perform testing of the operating effectiveness of controls as of an interim date,
there are typically two alternative approaches we may consider:
1. Apportion the control test over the year (i.e., spread the total number of selections throughout the
year). Under this approach, the operating effectiveness result is determined only upon completion
of the test at year-end. Performing our testing in this manner provides the basis to support our
conclusions as to the effectiveness of the controls throughout the period of intended reliance. As
the testing is apportioned over the entire year, rollforward procedures are not necessary.
For example, for a test of a relevant control using a sample size of 25, we may choose to
perform a portion of the test at interim by selecting 20 items over the first nine months and then
selecting the five remaining items in the fourth quarter. We cannot reach a conclusion on the
operating effectiveness of the control at the interim date (end of the third quarter), as we did not
complete the testing of all 25 items; we can only reach a conclusion on the operating effectiveness
of the control when our testing of all sample selections is complete at year-end. However, as we
selected our sample to cover the entire period, we are not required to perform separate
rollforward procedures.
2. Perform a complete test of the control (i.e., test all selections) at an interim date. This approach
requires us to perform sufficient testing to enable us to reach a preliminary conclusion regarding
the operating effectiveness of the control tested at the interim date. Under this approach,
additional procedures are required to be performed to assess the operating effectiveness of the
control during the rollforward period or as of the balance-sheet date. The earlier in the year the
interim tests are performed, the more persuasive the rollforward procedures will likely need to be,
particularly when the complexity of the control is higher.
For example, for a test of a relevant control using a sample size of 25, we may choose to
perform the entire test at interim by selecting 25 items over the first nine months. Therefore, we
can reach a conclusion on the operating effectiveness of the control at the interim date (end of the
third quarter), as we completed our testing of all 25 items; however, we need to perform separate
rollforward procedures to determine whether the control continues to operate effectively
throughout the period of intended reliance.

Note: Engagement teams are encouraged to consider apportioning the operating effectiveness testing
over the year, as such an approach is likely to be the most efficient and effective way to obtain
evidence throughout the period of intended reliance. Similarly, when we choose to perform a complete
test of the control at an interim date, engagement teams are encouraged to consider performing their
interim tests at a date later in the year to minimize the length of the remaining period.

As noted above, when the second approach is used (i.e., test 100 percent of the selections through or
as of the interim period), rollforward procedures are required. The rollforward period (also referred to
as the “remaining” period) is the period from the date of the interim preliminary conclusion about
operating effectiveness to the balance-sheet date. In this scenario, we would perform audit
procedures on the rollforward period to extend the conclusion from the interim date to the balance-
sheet date.

Following are the requirements and application guidance from DTTL AAM 23001.47-.49 related to
obtaining evidence about operating effectiveness of controls during an interim period:

DTTL AAM Literature: If the auditor obtains audit evidence about the operating effectiveness of controls
during an interim period, the auditor shall
a. obtain audit evidence about significant changes to those controls subsequent to the interim period;
and
b. determine the additional audit evidence to be obtained for the remaining period.
[DTTL AAM 23001.47]

Relevant factors in determining what additional audit evidence to obtain about controls that were
operating during the period remaining after an interim period, include:
• The significance of the assessed risks of material misstatement at the assertion level
• The specific controls that were tested during the interim period, and significant changes to them
since they were tested, including changes in the information system, processes, and personnel
• The degree to which audit evidence about the operating effectiveness of those controls was obtained
• The length of the remaining period
• The extent to which the auditor intends to reduce further substantive procedures based on the
reliance of controls
• The control environment.
[DTTL AAM 23001.48]

Additional audit evidence may be obtained, for example, by extending tests of controls over the
remaining period or testing the entity's monitoring of controls. [DTTL AAM 23001.49]

Rollforward procedures are required for each control for which we perform a complete test as of an
interim date (i.e., the second approach above). As noted in DTTL AAM 23001.47 above, we are
required to obtain audit evidence about significant changes in controls that have occurred during the
remaining period. We are also required to determine what additional audit evidence we need to obtain
for the remaining period. DTTL AAM 23001.48 above provides factors the auditor might consider in
making the determination of what additional evidence is needed.


Determining the additional audit evidence needed for the remaining period is a matter of professional
judgment. In some cases, inquiry of the individuals who perform the control may be sufficient to
conclude that the control operated effectively through the remaining period, such as when the control
is a routine control, we did not identify any deviations in the control in our interim tests of operating
effectiveness and the remaining period is only three months. In other cases, such as when the control
addresses a significant risk or when other factors in DTTL AAM 23001.48 apply, additional audit
evidence may be necessary. In most cases, this additional audit evidence would be obtained through
additional testing of the operating effectiveness of the control during the remaining period, as
indicated in DTTL AAM 23001.49.

If we determine a control is not operating effectively during the remaining period, we would reconsider
our risk assessments and the effect on the nature, timing, and extent of substantive testing.

3.5.3 Extent of procedures

DTTL AAM Literature: When more persuasive audit evidence is needed regarding the effectiveness of a
control, it may be appropriate to increase the extent of testing of the control. [Excerpt from DTTL AAM
23001.28]

We are required to determine a sample size sufficient to reduce sampling risk to an acceptably low
level.

In designing an audit sample to test controls, the auditor is required to consider the purpose of the
audit procedure and the characteristics of the population from which the sample will be drawn. The
auditor’s consideration of the purpose of a test of controls includes a clear understanding of what
constitutes a deviation so that all, and only, those deviations that are relevant to the purpose of the
auditor’s test are included in the evaluation of deviations.

When determining a sufficient sample size for tests of operating effectiveness we consider the
following, in accordance with DTTL AAM Section 23001, Figures 23001.1, 23001.2, and 23001.3:
• The nature of the control
• The frequency of performance of the control
• The risks of material misstatement addressed by the control
• The risk associated with the control
• The planned number of deviations, if any (applicable only for controls that operate many times a day).

First, we would determine the nature (i.e., manual or automated) and the frequency of performance of
the control and use the corresponding rows in the sample size tables. We would then use the sample
size in the column that corresponds with the assessed risk of material misstatement and risk
associated with the control (RAWC).


Figure 23001.1—Suggested sample sizes for inspection of documentation to support our inquiries for
the purpose of testing the operating effectiveness of controls – Lower and higher risks of material
misstatement

Columns give the sample size for each combination of risk of material misstatement (RMM) and risk
associated with the control (RAWC).

Nature of control | Frequency of performance | Lower RMM, RAWC not higher | Lower RMM, RAWC higher | Higher RMM, RAWC not higher | Higher RMM, RAWC higher
Manual | Many times per day | 10 | 15 | 25 | 35
Manual | Daily | 7 | 10 | 15 | 20
Manual | Weekly | 5 | 5 | 5 | 8
Manual | Monthly | 2 | 2 | 2 | 3
Manual | Quarterly | 2 | 2 | 2 | 2
Manual | Annually | 1 | 1 | 1 | 1
Automated controls | Test one instance of each automated control.
Indirect controls (e.g., indirect entity-level controls, general IT controls) | See below.

For those indirect entity-level controls that do not themselves directly address risks of material
misstatement, the higher risk of material misstatement column, along with the appropriate column for
the assessed risk associated with the control (i.e., higher or not higher), is the suggested minimum
sample size for the test of operating effectiveness.

For general IT controls, assess the risk arising from IT as lower, higher, or significant and use the
corresponding sample size from the appropriate risk of material misstatement column in Figure
23001.1 (i.e., lower or higher) or Figure 23001.2 (i.e., significant), along with the appropriate column
for the assessed risk associated with the control (i.e., higher or not higher), as the suggested
minimum sample size for the test of operating effectiveness.

In the event that the indirect control is directly responsive to a significant risk (e.g., management
override of controls), the significant risk of material misstatement column, along with the appropriate
column for the assessed risk associated with the control, in Figure 23001.2 is the suggested minimum
sample size for the test of operating effectiveness.

The table assumes zero deviations.

Figure 23001.2—Suggested sample sizes for inspection of documentation to support our inquiries for
the purpose of testing the operating effectiveness of controls – Significant risks of material
misstatement

Nature of control | Frequency of performance | Significant RMM, RAWC not higher | Significant RMM, RAWC higher
Manual | Many times per day | 45 | 60*
Manual | Daily | 25 | 40*
Manual | Weekly | 8 | 10
Manual | Monthly | 3 | 4
Manual | Quarterly | 2 | 2
Manual | Annually | 1 | 1
Automated controls | Test one instance of each automated control.
Indirect controls (e.g., indirect entity-level controls, general IT controls) | See below.

For those indirect entity-level controls that do not themselves directly address risks of material
misstatement, the higher risk of material misstatement column, along with the appropriate column for
the assessed risk associated with the control (i.e., higher or not higher), in Figure 23001.1 is the
suggested minimum sample size for the test of operating effectiveness.

For general IT controls, assess the risk arising from IT as lower, higher, or significant and use the
corresponding sample size from the appropriate risk of material misstatement column in Figure
23001.1 (i.e., lower or higher) or Figure 23001.2 (i.e., significant), along with the appropriate column
for the assessed risk associated with the control (i.e., higher or not higher), as the suggested
minimum sample size for the test of operating effectiveness.

In the event that the indirect control is directly responsive to a significant risk (e.g., management
override of controls), the significant risk of material misstatement column, along with the appropriate
column for the assessed risk associated with the control, is the suggested minimum sample size for
the test of operating effectiveness.

The table assumes zero deviations.

*In the event that we identify a control that operates many times a day or daily that addresses a
significant risk for which the risk associated with the control is assessed as higher, consider whether this
is the most appropriate control to address the risk.

Figure 23001.3—Suggested sample sizes for inspection of documentation to support our inquiries for
the purpose of testing the operating effectiveness of controls when planning for one deviation in a
control that occurs "Many times per day"

Nature of control | Frequency of performance | Lower RMM, RAWC not higher | Lower RMM, RAWC higher | Higher RMM, RAWC not higher | Higher RMM, RAWC higher | Significant RMM, RAWC not higher | Significant RMM, RAWC higher
Manual | Many times per day | 25 | 35 | 40 | 60 | 70 | 95

The table assumes one deviation in a control that occurs "Many times per day" has been planned for.

When the control is performed less than “Many times per day” it is likely not appropriate to plan for
deviations.
If a sample is designed to allow for no deviations and one is discovered, or is designed for one
deviation and two are discovered, we may not be able to conclude that the control is effective and
reliance on the control may not be appropriate. Expanding a sample that was designed to allow for no
deviations when one is found (or designed for one deviation when two are found) may not be
appropriate, because it is likely that we will continue to discover deviations in the expanded sample.
We may instead choose to identify and test alternative controls that address one or more of the
applicable risks of material misstatement, or to modify our planned substantive procedures related to
such risk(s) of material misstatement.
If the engagement team plans for more than one deviation for a control that occurs “Many times per
day”, we are required to consult with the NPPD or their designee.
In situations where a control addresses multiple risks of material misstatement with varying risk levels
(e.g., lower, higher, or significant), the determination of the appropriate sample size is based on the
greater risk of material misstatement in Figures 23001.1, 23001.2, and 23001.3 above.
For example, if a control addresses both a higher and significant risk of material misstatement, we
use the significant risk of material misstatement column along with our assessed risk associated with
the control (i.e., higher or not higher) when determining the appropriate sample size from Figure
23001.2 above.

The sample size tables represent minimum sample sizes. Using professional judgment we may choose
to increase the extent of our test of controls, including using larger sample sizes than those
recommended in Figures 23001.1, 23001.2, and 23001.3, for example, when we are performing tests
of controls that address one or more significant risks.


When one or more exceptions are identified that clearly indicate that the control is not operating
effectively, it is generally not necessary to complete the test.
Determining the frequency of a control
The sampling tables for testing controls in Figures 23001.1 and 23001.2 above were labeled as if the
control operates only once for each period indicated.
For example, if a relevant control consists of the bank account being reconciled monthly and there is
only one bank account, then, assuming that the risk associated with that control is not higher, the
suggested sample size for testing a control that operates 12 times a year would be 2 (3 if the control
addresses a significant risk of material misstatement), based on the tables.

However, in many circumstances the same control may operate multiple times each period when it is
applied. Accordingly, to determine an appropriate sample size in these circumstances using the
sampling table in Figures 23001.1 and 23001.2 above, we consider the number of times the control is
applied to determine the frequency of performance of the control.
For example, if there are 100 bank accounts that are subject to the same processes and risks and
the same monthly reconciliation control, then there are two potential approaches to sampling:
• Scenario #1: If the sampling unit is defined as each month, then the population is 12 months
and therefore all 100 bank reconciliations are tested for each of the 2 months selected.
• Scenario #2: If the sampling unit is defined as each reconciliation, then the control operates
1,200 times a year, which equates to a "many times a day" control, and thus a sample size of 25
reconciliations may be appropriate when the risk of material misstatement is assessed as higher
and the risk associated with the control is assessed as not higher. We may spread the 25
selections across the intended period of reliance, or we may pick two (or a different number of)
months and apportion the selections accordingly.
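The sample size procedure of this section (frequency determination, the three figures, the greater-risk rule for controls addressing several risks, and the rule that a sample designed for zero or one deviation cannot support reliance once more are found) is written out below as an added Python example. It is illustrative code, not part of the DTTL guide or of any DTTL tool; the numbers are those of Figures 23001.1, 23001.2 and 23001.3 for manual controls, while the thresholds mapping a yearly operation count to a frequency row and the 250 business days are assumptions made for the example.

```python
# Added example (not part of the DTTL guide): the sample size decision procedure of
# section 3.5.3, coded so the rules can be applied consistently. The numbers are
# taken from Figures 23001.1, 23001.2 and 23001.3 (manual controls). The mapping
# of a yearly operation count to a frequency row, and the 250 business days, are
# assumptions made for this example.

RMM_ORDER = {"lower": 0, "higher": 1, "significant": 2}

# Zero planned deviations: frequency -> RMM -> (RAWC not higher, RAWC higher)
ZERO_DEVIATION = {
    "many_per_day": {"lower": (10, 15), "higher": (25, 35), "significant": (45, 60)},
    "daily":        {"lower": (7, 10),  "higher": (15, 20), "significant": (25, 40)},
    "weekly":       {"lower": (5, 5),   "higher": (5, 8),   "significant": (8, 10)},
    "monthly":      {"lower": (2, 2),   "higher": (2, 3),   "significant": (3, 4)},
    "quarterly":    {"lower": (2, 2),   "higher": (2, 2),   "significant": (2, 2)},
    "annually":     {"lower": (1, 1),   "higher": (1, 1),   "significant": (1, 1)},
}
# One planned deviation is only contemplated for "many times per day" (Figure 23001.3).
ONE_DEVIATION = {"lower": (25, 35), "higher": (40, 60), "significant": (70, 95)}


def frequency_from_operations(operations_per_year, business_days=250):
    """Frequency row for a control, counting every time it is applied in the year
    (e.g. 100 bank accounts reconciled monthly = 1200 operations), not the period
    label on the control. Thresholds are an assumption for this example."""
    if operations_per_year > business_days:
        return "many_per_day"
    if operations_per_year > 52:
        return "daily"
    if operations_per_year > 12:
        return "weekly"
    if operations_per_year > 4:
        return "monthly"
    if operations_per_year > 1:
        return "quarterly"
    return "annually"


def sample_size(frequency, risks, rawc_higher, automated=False, planned_deviations=0):
    """Suggested minimum sample size.
    risks: the RMM levels the control addresses; the greatest one governs.
    For an indirect entity-level control pass ["higher"] (or ["significant"] when it
    directly responds to a significant risk); for a general IT control pass the
    assessed risk arising from IT."""
    if automated:
        return 1                       # test one instance of each automated control
    rmm = max(risks, key=RMM_ORDER.__getitem__)
    column = 1 if rawc_higher else 0
    if planned_deviations == 0:
        return ZERO_DEVIATION[frequency][rmm][column]
    if planned_deviations == 1 and frequency == "many_per_day":
        return ONE_DEVIATION[rmm][column]
    raise ValueError("planning for deviations outside Figure 23001.3 requires consultation")


def supports_reliance(planned_deviations, deviations_found):
    """More deviations than the sample was designed for means we cannot conclude the
    control is effective; expanding the sample is not the remedy."""
    return deviations_found <= planned_deviations


if __name__ == "__main__":
    # Scenario #2 above: 100 accounts x 12 monthly reconciliations,
    # higher RMM, RAWC not higher.
    freq = frequency_from_operations(100 * 12)
    print(freq, sample_size(freq, ["higher"], rawc_higher=False))   # many_per_day 25
```

The sizes returned are minimums; the guide leaves it to professional judgment to test more, and the ValueError path corresponds to the consultation the guide requires before planning for more than one deviation or for deviations in a control that operates less than many times a day.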

3.5.4 Using audit evidence obtained in previous audits

DTTL AAM Literature: In determining whether it is appropriate to use audit evidence about the operating
effectiveness of controls obtained in previous audits, and, if so, the length of the time period that may
elapse before retesting a control, the auditor shall consider the following:
(a) The effectiveness of other elements of internal control, including the control environment, the
entity's monitoring of controls, and the entity's risk assessment process;
(b) The risks arising from the characteristics of the control, including whether it is manual or
automated;
(c) The effectiveness of general IT controls;
(d) The effectiveness of the control and its application by the entity, including the nature and extent
of deviations in the application of the control noted in previous audits, and whether there have been
personnel changes that significantly affect the application of the control;
(e) Whether the lack of a change in a particular control poses a risk due to changing circumstances;
and
(f) The risks of material misstatement and the extent of reliance on the control.
[DTTL AAM 23001.8]

These considerations guide engagement teams in determining whether it is appropriate to use audit
evidence from a previous audit about operating effectiveness of specific controls, and, if so, the length
of time before operating effectiveness of the control would be re-tested.

For example, we might decide it is appropriate to use audit evidence from the prior audit’s operating
effectiveness tests of a manual control to approve changes to a standard price list because of the
following:
• The characteristics of the control are not complex.
• Our operating effectiveness testing in the prior audit did not result in any deviations.
• Our risk assessment procedures, including evaluation of design and determination of
implementation of the control, in the current audit indicated there are no changes in
circumstances that would affect the effectiveness of the control.

In this instance, we might determine we would not need to test the operating effectiveness of the
control in the current audit. Note that in this situation, our current year’s evaluation of design and
determination of implementation of this control enabled us to draw our conclusion that it was
appropriate to use audit evidence about the operating effectiveness of the control from the prior audit.

In contrast, we might determine that the operating effectiveness of a more complex control with
multiple characteristics, such as the CFO’s review of the Controller’s and Credit Manager’s
determination of the provision for allowance for doubtful accounts, should be performed each year.

DTTL AAM 23001.11 and 23001.17 below address conditions that are required to be met and
procedures the auditor is required to perform when using audit evidence from a previous audit about
the operating effectiveness of relevant controls.

DTTL AAM Literature: If the auditor plans to use audit evidence from a previous audit about the operating
effectiveness of specific controls, the auditor shall establish the continuing relevance
of that evidence by obtaining audit evidence about whether significant changes in
those controls have occurred subsequent to the previous audit. The auditor shall
obtain this evidence by performing inquiry combined with observation or inspection,
to confirm the understanding of those specific controls, and:
(a) If there have been changes that affect the continuing relevance of the audit
evidence from the previous audit, the auditor shall test the controls in the current
audit.
(b) If there have not been such changes, the auditor shall test the controls at least
once in every third audit, and shall test some controls each audit to avoid the
possibility of testing all the controls on which the auditor intends to rely in a
single audit period with no testing of controls in the subsequent two audit
periods.
[DTTL AAM 23001.11]

If the auditor plans to rely on controls over a risk the auditor has determined to be a
significant risk, the auditor shall test those controls in the current period. [DTTL AAM
23001.17]

As noted in DTTL AAM 23001.11 above, if we determine that use of audit evidence from a previous
audit about operating effectiveness of specific controls is appropriate, we would perform audit
procedures (generally consisting of the current year’s risk assessment procedures, including
evaluation of design and determination of implementation of relevant controls) to determine if
changes have occurred that would affect the relevance of our prior years’ audit evidence in the current
year. Such changes would include a change to the control itself or a change in the entity or its
environment that would require a change to the control.

Not all changes in a control or in the entity or its environment would preclude reliance on prior year’s
evidence.

For example, a change in the employee responsible for a non-complex control to another employee
who possesses the same competency and authority may be considered an insignificant change that
does not preclude relying on prior year’s evidence of operating effectiveness of that control.

In contrast, installation of a new sales order entry and billing system could likely result in significant
changes to manual or IT controls in the revenue process or in new controls altogether. In this case,
using audit evidence from a previous audit about the operating effectiveness of controls related to
revenue generally would not be appropriate.

The procedures we perform to make our determination with respect to the ongoing relevance of
evidence of operating effectiveness obtained in previous audits would generally include a combination
of inquiry, observation, and inspection. Inquiry alone is not sufficient to determine if a change in the
control has occurred. In most cases, we may expect to be able to leverage the procedures performed
as part of the design and determination of implementation evaluation in the current year to determine
whether the control has changed in a way that would affect our ability to use the audit evidence from
the previous audit about its operating effectiveness. If we determine that there have been changes
such that information obtained in prior audits is not relevant in the current audit (e.g., the control
changed significantly in the current period, the control should have changed but did not), we would
not be able to use the audit evidence from a previous audit and would need to either test the control
in the current year, or change the strategy to not rely on the operating effectiveness of controls for
the related risks.

In addition, as noted in DTTL AAM 23001.11 and 23001.17, the following requirements apply when
using audit evidence obtained in previous audits:
• The operating effectiveness of each control on which we plan to rely is required to be tested at
least once every three years.
• The operating effectiveness of some of the controls on which we intend to rely is required to be
tested in each audit (i.e., it is not appropriate to test the operating effectiveness of all controls
upon which we intend to rely in one audit, with no testing of those controls in the next two
audits).
• We cannot use audit evidence obtained in previous audits about the operating effectiveness of
controls that address significant risks. To rely on these controls, we are required to test their
operating effectiveness each year.

3.5.5 Dual-purpose tests

DTTL AAM 13300.21 provides the following description of a dual-purpose test.

DTTL AAM Literature: In addition, the auditor may design a test of controls to be performed concurrently
with a test of details on the same transaction. Although the purpose of a test of
controls is different from the purpose of a test of details, both may be accomplished
concurrently by performing a test of controls and a test of details on the same
transaction, also known as a dual-purpose test. For example, the auditor may design,
and evaluate the results of, a test to examine an invoice to determine whether it has
been approved and to provide substantive audit evidence of a transaction. A dual-
purpose test is designed and evaluated by considering each purpose of the test
separately. [DTTL AAM 13300.21]

Typically, dual-purpose testing means that two tests, with different purposes and objectives, are
planned to be performed concurrently, and there may or may not be some level of “overlap.”
For example, a substantive test of fixed asset additions has the primary purpose of assessing
whether the transaction selected for testing has been properly recorded. The operating effectiveness
test of relevant controls over fixed asset additions has the primary purpose of assessing whether the
control(s) operated as designed, which may include testing procedures or steps such as:
1. Evidence of authorization
2. Review of the proper recording
3. Process for follow-up on exceptions.
Performing the substantive test may also include reperforming the review control (step 2) but would
likely not address control steps 1 or 3.

There are two main objectives when using dual-purpose tests for control purposes:
• Objective #1: The test directly provides evidence that the control procedure operated (i.e., it
addresses the important steps identified in the detailed control description).
• Objective #2: The test is contemplated and documented as a dual-purpose test when the work
was planned and performed, not after the fact, such that the documentation clearly demonstrates
how the combined test addresses the test objectives of both the substantive procedure and tests
of operating effectiveness of controls.

Engagement teams planning to use dual-purpose testing are advised to carefully consider whether a
single test results in obtaining sufficient appropriate audit evidence for both the intended substantive
procedure and the test of operating effectiveness of controls or whether it would be more appropriate
to design and apply separate procedures to the same sample selections that more specifically meet
the applicable objectives of the substantive procedure and the test of operating effectiveness of
controls. The performance of substantive procedures that results in no misstatements being identified
does not provide sufficient evidence of the effectiveness of related controls per se; however, the
identification of misstatements during the performance of substantive procedures is an indication that
the related controls are not effective.

3.5.6 Pitfalls, and tips for avoiding pitfalls

Pitfalls:
• The nature, timing, and extent of our tests of controls are not commensurate with the assessment of
the risk of material misstatement and the risk associated with the control.
• Tests of operating effectiveness do not address all the important steps of the control, particularly
controls with a review element (e.g., tests do not address what was specifically reviewed, identified
for follow-up, and the final resolution).
• Reports (i.e., information produced by the entity) provided by the entity that we use in performing
operating effectiveness tests of controls are not tested for accuracy and completeness.
Tips for avoiding pitfalls:
• Design the tests of operating effectiveness based on the detail control description to address all the
important steps of the control procedure.
• Clearly document the evidence obtained for each of the important steps of the control procedure.
For example:
- If we tested a control by observation, a description of what we observed.
- If we tested a control by reperformance, refer to the control description to reperform the same
steps as the person who performed the control.

Pitfall:
• Testing controls too early in the year, particularly when the risk associated with the control is
higher.
Tip for avoiding pitfall:
• When the risk associated with the control is higher, plan to obtain more persuasive evidence of the
operating effectiveness of the control closer to the balance-sheet date. For example, allocate our
selections closer to the balance-sheet date when we have apportioned our tests.

Pitfalls:
• Failure to test controls with a greater extent when the risk of material misstatement and the risk
associated with the control is higher or significant.
• Defaulting to the minimum sample sizes in all cases.
Tip for avoiding pitfalls:
• Consider increasing the sample size above the minimums, including increasing sample sizes when
our testing strategy includes testing controls in multiple locations as part of a common control
testing strategy.

Pitfalls:
• Testing operating effectiveness of relevant controls through inquiry alone.
• Performing inquiries that are not sufficiently detailed to understand what was specifically considered
by the control performer or the basis for the control performer’s conclusions.
• Inappropriately assuming that no errors identified from our substantive testing is evidence that the
control is operating effectively.
• Using reperformance as a testing approach but not actually reperforming the control procedure
using the same information that the person performing the control used.
Tips for avoiding pitfalls:
• Label procedures using the terms “inquiry,” “observation,” “inspection,” and “reperformance.”
- “Inspection” means inspecting documentary evidence that demonstrates the control
procedures/review activities operated as designed.
- “Reperformance” means reperforming the control as described in the control description (e.g., in
the same manner and using the same inputs as the control owner is supposed to have
used/performed the control).
• Consider whether our other audit procedures (e.g., substantive procedures) indicate that the control
may not be operating effectively. For example:
- When our evaluation of the subject matter for substantive testing purposes is more encompassing
than management’s review of the subject matter as part of the control.
- When we require additional information from management to enable us to reach a conclusion
that management’s review (as part of the performance of the control) did not consider.

Pitfalls:
• Dual-purpose testing is not properly designed and does not provide direct evidence of the operating
effectiveness of the control.
• Sample sizes for dual-purpose testing are insufficient to meet the objectives of both tests.
Tips for avoiding pitfalls:
• Document our dual-purpose tests during planning such that the documentation clearly demonstrates
how the combined test addresses both the substantive test and internal control test objectives.
• When using a single sample size, use the larger sample size for both.

3.6 Perform tests of operating effectiveness of controls

[Process flow: Determining the need to test operating effectiveness of control -> Assess the risk
associated with the control -> Plan the nature, timing, and extent of tests of operating effectiveness
-> Perform tests of operating effectiveness (this section) -> Assess findings and conclude on
operating effectiveness]

Considerations when performing tests of operating effectiveness of controls include:
1. Clearly defining the test objective, including establishing a clear understanding of what constitutes
a deviation.
2. Defining the sampling unit.
3. Identifying the population to be sampled.
4. Selecting the sample such that all items in the population have a chance of selection.
5. Obtaining sufficient and appropriate audit evidence.
6. Applying professional skepticism when evaluating the persuasiveness of the evidence obtained,
including what constitutes a deviation or exception (see further discussion in Section 3.7).
7. Considering the complexity of the control when assigning engagement team members to perform
testing.
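To make the sampling-unit choice and the selection step concrete, here is an added Python example (written for this edition, not part of the guide or of any DTTL tool) that builds the 100-account, 12-month reconciliation population from the bank reconciliation scenarios in Section 3.5 above, checks the population's completeness before sampling from it, and produces the selections those scenarios describe: every reconciliation in two randomly chosen months (Scenario #1), a simple random sample of 25 reconciliations across the whole period (Scenario #2), and the same 25 apportioned across two months. The account identifiers, the seeded random source, and all function names are constructed assumptions.

```python
import random
from collections import Counter

# Constructed population: 100 bank accounts, each reconciled monthly, all subject
# to the same process, the same risks, and the same reconciliation control.
ACCOUNTS = 100
MONTHS = 12


def build_population(accounts=ACCOUNTS, months=MONTHS):
    """Every reconciliation that occurred in the period: one (account, month) item."""
    return [(f"ACC-{a:03d}", m)
            for m in range(1, months + 1)
            for a in range(1, accounts + 1)]


def population_is_complete(population, accounts, months):
    """Completeness and accuracy check on the population before sampling: the item
    count reconciles to accounts x months and no (account, month) pair is duplicated."""
    expected = accounts * months
    return len(population) == expected and len(set(population)) == expected


def make_rng(seed):
    """A documented, reproducible random source so the selection can be re-performed
    and so every item in the population has the same chance of being picked."""
    return random.Random(seed)


def sample_by_month(population, months_to_select, rng):
    """Scenario #1: sampling unit = month. Choose months at random, then test every
    reconciliation that falls in the chosen months (100 per month here)."""
    months = sorted({m for _, m in population})
    chosen = set(rng.sample(months, months_to_select))
    return [item for item in population if item[1] in chosen]


def sample_by_reconciliation(population, sample_size, rng):
    """Scenario #2: sampling unit = individual reconciliation. Simple random sample
    spread across the whole period of intended reliance."""
    return rng.sample(population, sample_size)


def sample_apportioned(population, sample_size, months_to_select, rng):
    """Scenario #2 variant: the same sample size, apportioned as evenly as possible
    across a few randomly chosen months (any remainder goes to the earlier months)."""
    months = sorted({m for _, m in population})
    chosen = sorted(rng.sample(months, months_to_select))
    quota, remainder = divmod(sample_size, months_to_select)
    selection = []
    for i, month in enumerate(chosen):
        in_month = [item for item in population if item[1] == month]
        selection.extend(rng.sample(in_month, quota + (1 if i < remainder else 0)))
    return selection


def per_month_counts(sample):
    """Selections per month, for documenting how the sample was apportioned."""
    return dict(Counter(m for _, m in sample))


if __name__ == "__main__":
    pop = build_population()
    assert population_is_complete(pop, ACCOUNTS, MONTHS)
    rng = make_rng(20170901)  # constructed seed; record it in the working papers
    print("Scenario #1:", len(sample_by_month(pop, 2, rng)), "reconciliations")
    print("Scenario #2:", len(sample_by_reconciliation(pop, 25, rng)), "reconciliations")
    print("Apportioned:", per_month_counts(sample_apportioned(pop, 25, 2, rng)))
```

The seed is what makes the selection procedure documentable and reperformable, which is the point of the tip in Section 3.6.1 about recording how the sample was selected; the completeness check runs before any selection because a sample drawn from an incomplete population cannot support a conclusion about the whole period.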

3.6.1 Pitfalls, and tips for avoiding pitfalls

Pitfalls Tips for avoiding pitfalls

Pitfalls:
• Improperly defining the population of interest.
• Not testing the completeness and accuracy of the population to be sampled.
• Inappropriately biasing our sample such that not every item in the population has a chance of being
selected.
• Lack of appropriate professional skepticism when inconsistent or contradictory evidence is identified.
Tips for avoiding pitfalls:
• Document the population to be sampled when planning the nature, timing, and extent of our tests of
operating effectiveness.
• Document our procedures for selecting the sample (e.g., use of random sampling or ACL).
• Consider an apprenticeship approach by teaming more experienced engagement team members with
less experienced engagement team members for testing controls addressing risks that have been
assessed as higher risk.
• Consider and document our assessment of contradictory evidence and its impact on our conclusions.

3.7 Assess findings and conclude on the operating effectiveness of controls

[Process flow: Determining the need to test operating effectiveness of control -> Assess the risk
associated with the control -> Plan the nature, timing, and extent of tests of operating effectiveness
-> Perform tests of operating effectiveness -> Assess findings and conclude on operating
effectiveness (this section)]

Considerations when assessing findings and concluding on the operating effectiveness of controls
include:
1. Determining whether a deviation is identified
2. Determining the nature and cause of the deviation
3. Evaluating whether the deviation is a control deficiency.

When we identify a deviation (or exception), we consider the circumstances and reasons for the
deviation and evaluate the effect of the deviation to determine whether:
• The tests of controls that have been performed successfully provide an appropriate basis for
reliance on the controls (e.g., the deviation is not a control deficiency)
• Additional evidence needs to be obtained to develop a better estimate of the projected deviation
rate and assess whether the deviation is a deficiency (e.g., we may consider increasing our
sample sizes)
• The deviation is a control deficiency and whether the potential risks of material misstatement need
to be addressed by other controls
• The deviation is a control deficiency and whether, absent other relevant controls, the potential
risks of material misstatement need to be addressed using substantive procedures (e.g., the
control is not effective and thus control reliance is not appropriate).

DTTL AAM Literature: If deviations from controls upon which the auditor intends to rely are detected, the
auditor shall make specific inquiries to understand these matters and their potential
consequences, and shall determine whether:
(a) The tests of controls that have been performed provide an appropriate basis for
reliance on the controls;
(b) Additional tests of controls are necessary; or
(c) The potential risks of misstatement need to be addressed using substantive
procedures.
[DTTL AAM 23001.54]

The auditor shall investigate the nature and cause of any deviations or
misstatements identified, and evaluate their possible effect on the purpose of the
audit procedure and on other areas of the audit. [DTTL AAM 23005.26]

The following decision tree depicts the thought process of determining whether a control deficiency
exists as a series of steps, each of which is discussed further.

Decision tree — Determine whether a control deficiency exists

A.1 Determine whether a deviation exists.
A.2 Determine the nature and cause of the deviation(s).
A.3 Evaluate whether the deviation is a control deficiency.
Does a deficiency exist?
• No: The control is operating effectively. No further action.
• Yes: See Chapter 4, Evaluating and communicating control deficiencies.

3.7.1 Determining whether a deviation exists (Box A.1 on decision tree)

In designing an audit sample to test controls, we define the objective of the audit procedure (i.e., the
test objective) and the characteristics of the population from which the sample will be drawn. Our
determination of the objective of a test of a control includes a clear understanding of what constitutes
a deviation so that all, and only, those deviations that are relevant to the purpose of our test are
included in the evaluation of deviations.

Generally, any failure in the operation of a control from (1) established policy and procedure, (2) a
regulatory requirement or (3) the expectation of the operation based on peer or industry comparison
is likely a deviation (which is then further evaluated as described below). Examples of instances in
which a failure in the operation of a control may not be a deviation may include the following
circumstances:
• When the control operates effectively in addressing the risk, even though the control does not
operate completely in accordance with the prescribed procedure (e.g., an authorization form was
not properly completed and signed off, but there is other evidence that clearly reflects the
transaction was authorized).
• When the departure from policy or procedure is authorized by the appropriate level of
management based on particular circumstances (e.g., in an employee’s absence, the normal
control process was not followed; however, management is aware of this and has compensated for
it).
• If a document is selected that has been validly cancelled prior to operation of the control (i.e., the
document does not constitute a deviation), it may be excluded from the sample and an
appropriately chosen replacement may be examined. However, if the deviation relates to a
document that cannot be located, we make every possible effort to locate it or to ascertain, using
suitable alternative procedures, that the control in this specific instance was operating properly. If
evidence supporting operation of the control for the selected sampling unit is not available,
another sampling unit cannot be substituted for the missing unit and it is generally necessary to
treat this item as a deviation from the prescribed control.

3.7.2 Determining the nature and cause of the deviation (Box A.2 on decision tree)

When investigating the nature and cause of a deviation, it may be helpful to consider the following:
• Is the nature of the deviation limited to certain types of transactions (e.g., infrequent exceptions
as opposed to the norm)? Consider the nature and volume of the exceptions that may be subject
to other deviations.
• Has a change in roles or responsibilities of the person performing or monitoring the control
contributed to the deviation? Consider the significance and breadth of the role and responsibility of
the new person and the likelihood that other deviations in other controls operated by the new
person could exist.
• Has a lack of competency of the person performing the control contributed to the deviation?
Consider the significance and breadth of the role and responsibility of the person for which other
deviations could exist.
• Was management aware of the circumstances causing the deviation? A deviation that
management is not aware of and not monitoring may result in an increased likelihood that other
deviations will occur.
• Have changes in volume of activity or transactions (e.g., significant seasonal fluctuations)
contributed to the deviation? A deviation during a limited period of heavy volume may not be
indicative of what might more typically occur during normal volume periods.

3.7.3 Evaluate whether the deviation is a control deficiency (Box A.3 on decision tree)

The concept of effectiveness of the operation of controls recognizes that some deviations in the way
controls are applied by the entity may occur. Deviations from prescribed controls may be caused by
factors such as changes in key personnel, significant seasonal fluctuations in volume of transactions,
and human error. Accordingly, DTTL AAM 23001 acknowledges that a control could still be concluded
to be effective, even when some level of deviation may exist.

DTTL AAM Literature: The concept of effectiveness of the operation of controls recognizes that some
deviations in the way controls are applied by the entity may occur. Deviations from
prescribed controls may be caused by such factors as changes in key personnel,
significant seasonal fluctuations in volume of transactions and human error. The
detected rate of deviation, in particular in comparison with the expected rate, may
indicate that the control cannot be relied on to reduce risk at the assertion level to
that assessed by the auditor. [DTTL AAM 23001.55]

The following considerations are relevant when considering the level of “acceptable” deviations (i.e.,
such that a control deficiency does not exist):
• Risk of material misstatement and risk associated with the control: The higher the risks, the more
reliable the control needs to be.
• Extent of reliance on the control: When a risk of material misstatement is addressed solely by one
control, the control generally needs to be more reliable, particularly when the risk being addressed
is a significant risk.
• Testing approach: When we test the operating effectiveness of a control by sampling, our sample
sizes (see DTTL AAM Figures 23001.1, 23001.2, and 23001.3) are based on an acceptable
tolerable deviation rate; therefore, when we discover more deviations than we had planned for,
the test objective is generally not met. At this point we cannot conclude the control is effective
and therefore, the existence of deviations beyond what we planned for would generally represent
a control deficiency, absent performing additional testing. If a sample is designed to allow for no
deviations and one is discovered, or is designed for one deviation and two are discovered, we may
not be able to conclude that the control is effective and reliance on the control may not be
appropriate. We may choose to identify and test alternative controls that address one or more
applicable risks of material misstatement or to modify our planned substantive procedures related
to such risk(s) of material misstatement. Expansion of a sample that was initially designed to
allow for no (one) deviation but in which one (two) deviation(s) is (are) found may not be
appropriate because it is likely that we will continue to discover deviations in the expanded
sample.
For example, if a test of a control that operates many times a day is designed to not allow for
any deviations and the actual number of deviations is one or more, the test objective is generally
not met. We then conclude that the control is not effective and determine whether alternative
controls exist and, if so, evaluate the design, determine implementation, and test operating
effectiveness of the alternative control.
If we are able to test the entire population, we use our professional judgment to determine
whether the actual deviation rate is indicative of a control deficiency based on the complexity of
the control (e.g., an actual deviation rate up to five percent may be concluded to be acceptable).
For example, we assessed the appropriateness of access privileges for all 300 system users and
noted three exceptions. We evaluated the exceptions qualitatively and noted no significant
concerns as the three users' inappropriate access was limited to one application. As it is not
expected that the control would operate without deviation, and as the actual rate of deviation in
the entire population is quantified or known (3 out of 300, or 1%), we may conclude that the
deviation rate is acceptable and not indicative of a control deficiency.
• Nature of the control: Relevant points when considering the nature of the control include:
- The relative importance of the deviations to the overall performance of the control (i.e., the
deviation is related to only one of many steps tested when assessing the related control).
For example, controls with a review element typically have multiple steps that need to be
tested; therefore, our testing of such controls may result in deviations related to certain steps
and not others. Determining whether such controls are nevertheless effective, even if some
level of deviation has been identified, requires significant professional judgment.
- Whether misstatements have actually occurred.
- Whether the deviation has a potential effect on the effectiveness of other controls.
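As an added illustration (example code written for this edition, not DTTL material), the following Python encodes the two evaluation paths described under "Testing approach" above: a sampling-based test judged against the number of deviations its sample size was designed to allow, and a full-population test, here the 300-user access privilege review with three exceptions, judged on the actual deviation rate against the text's illustrative five percent ceiling, together with a qualitative look at whether the exceptions cluster in one application. The user records, the application names, and the five percent default are constructed assumptions for the example; the acceptable rate itself remains a matter of professional judgment.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SampleTestResult:
    """Outcome of a sampling-based test of operating effectiveness."""
    deviations_allowed: int   # deviations the sample size was designed to tolerate
    deviations_found: int

    @property
    def objective_met(self):
        # A sample designed for no deviations that finds one, or designed for one
        # deviation that finds two, does not meet the test objective; expanding the
        # sample is generally not the answer (see the text above).
        return self.deviations_found <= self.deviations_allowed


def evaluate_sample_test(deviations_allowed, deviations_found):
    """Compare deviations found with the number the sample design allowed for."""
    return SampleTestResult(deviations_allowed, deviations_found)


def evaluate_full_population(population_size, deviations_found, acceptable_rate=0.05):
    """When the entire population was tested the actual deviation rate is known.
    Returns (rate, acceptable). The 5% default is the illustrative figure from the
    text and is an assumption; the judgment still depends on the control's complexity."""
    rate = deviations_found / population_size
    return rate, rate <= acceptable_rate


def build_access_review(users=300):
    """Constructed access-review population (hypothetical data): 300 system users,
    one application entitlement each; three users (3, 6 and 9) hold access the
    review judged inappropriate, all in the same application, APP-01."""
    records = []
    for i in range(1, users + 1):
        app = "APP-01" if i % 3 == 0 else "APP-02"
        appropriate = not (app == "APP-01" and i in (3, 6, 9))
        records.append({"user": f"U{i:04d}", "application": app,
                        "appropriate": appropriate})
    return records


def access_exceptions(records):
    """Every user whose access the review judged inappropriate."""
    return [r for r in records if not r["appropriate"]]


def exceptions_by_application(records):
    """Qualitative view: are the exceptions concentrated in a single application?"""
    return dict(Counter(r["application"] for r in access_exceptions(records)))


if __name__ == "__main__":
    # Sampling path: a many-times-a-day control whose sample allowed no deviations.
    print("Sample, 0 allowed, 1 found:", evaluate_sample_test(0, 1).objective_met)
    # Full-population path: the 300-user access privilege review.
    review = build_access_review()
    rate, acceptable = evaluate_full_population(len(review), len(access_exceptions(review)))
    print(f"Access review: {rate:.1%} deviation rate, acceptable={acceptable}")
    print("Exceptions by application:", exceptions_by_application(review))
```

The sampling path returns a plain met / not met because the tolerable deviation rate was fixed when the sample size was chosen; only the full-population path produces a rate, and even there the code reports the rate and the distribution of exceptions rather than deciding for the auditor.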

Based on the above considerations, deviations are evaluated and concluded upon to be either:
1. Only a deviation and not a control deficiency: In this case, no further consideration is necessary
(this is expected to be rare, particularly when we are using a sampling approach) or
2. A control deficiency: In this case, the control deficiency is further evaluated to assess its
significance and implications on our audit (i.e., our risk assessment and plans to rely on the
operating effectiveness of controls in determining the nature, timing, and extent of substantive
procedures). See Chapter 4 of this guide.

3.7.4 Pitfalls and tips for avoiding pitfalls

Pitfall:
• Deviations are improperly concluded to be isolated exceptions.
Tip for avoiding pitfall:
• Highlight any exceptions and discuss with engagement management to evaluate whether the
deviation represents a control deficiency.

3.8 Documentation considerations for testing operating effectiveness of controls


The purpose of this section is to provide users with documentation considerations which include:
1. Our consideration of the relevant factors in Sections 3.4-3.7 for each control selected for testing
and our conclusions on the assessment of the risk associated with the control.
2. A description of the planned procedures that clearly describes the nature, timing, and extent of
testing for each control, including information produced by the entity that we use in our testing.

Note: Consider addressing the nature, timing, and extent, including rollforward
considerations, in the risk of material misstatement or other working papers.

3. Identification of dual-purpose tests that clearly addresses the objectives of both substantive
procedures and test of controls.
4. A description of the procedures performed, including whether they were inquiry, observation,
examination of documents, reperformance, or some combination thereof.
5. A description of the evidence obtained, including descriptions of any controls with a review
element observed or reperformed.
6. Where applicable, the design of the sample and the method of selection.
7. The specific items selected for testing (e.g., the date/period that our test selections relate to).
8. A statement that there were no exceptions or a clear description of any deviations noted.
9. A clear statement about whether the control is effective.
10. If our conclusion is that the control is ineffective, consideration of the effect of our conclusion on
tests of other controls that may depend on the control tested and the design of our substantive
procedures.
11. The basis for the conclusion reached.

3.9 Appendix A — Illustrative examples: factors to consider in determining when
substantive procedures alone cannot provide sufficient appropriate audit evidence

Section 3.3.1 of this guide provides factors to consider in determining when substantive procedures
alone cannot provide sufficient appropriate audit evidence. The illustrative examples demonstrate
how identifying and considering the factors may assist you in applying professional judgement in
determining when substantive procedures alone cannot provide sufficient appropriate audit evidence in
order to respond to a risk of material misstatement at the assertion level. In the illustrative examples,
a determination that substantive procedures can provide sufficient appropriate audit evidence is
unlikely.

Industry: Online revenue

Primary factors:
• Conduct of business using IT
• Electronic records only
• Automated recording of transactions

Contributing factors:
• High volume of transactions processed

Business type: Online booking agencies
Transactional understanding: The agencies have a completely paperless environment in respect of how purchases are conducted and recorded. Booking agencies generally work with an agent model whereby the service provider pays the agent a percentage of the total reservation value.
Examples:
• Booking.com
• Airbnb
• Expedia

Business type: Internet revenue: advertising based services
Transactional understanding: A platform is used as a medium for advertising, e.g., social media, websites or search engines. Users are brought to a central area and continuously exposed to advertisements. The platform charges a fee for providing the central area or advertising space. Platforms use user profiles and search histories to tailor the advertising that the user is exposed to, and also use other websites to advertise supplementary products, e.g., the user goes to a yoga site, on which ads for merchandise appear.
Example billing structures:
• Click based advertising: Customers pay a fee on the basis of the number of clicks that have been made in a time period.
• Display advertising: The firms display their banner ads, or ads of any other shape, of a specific size that cover some space of a webpage.
• Affiliate model: The website uses information about a specific group of individuals and provides content and services to attract and retain the patronage of the group.
Examples:
• Google
• Facebook
• Twitter
• Linked-In
• Uber (website)
• TripAdvisor

Business type: Web based or app based services
Transactional understanding: The service is accessed via a website or application (app) and the client is charged for use of the service based on a predefined fee structure. Payment is made through the website, web based platform or application. The initiation and payment of the service is web based or app based.
Examples:
• Uber

Business type: Online reservation and review services
Transactional understanding: Selling of online tools and services, for example, restaurant reservations and reviews. These services can include, for example, tools that are sold to restaurants to manage reservations or provide an online reservation service (using their own sites and/or through partner sites). The reservations are free for consumers but restaurants pay a fee for reservations that go through the online platform (website or apps).
Examples:
• Opentable

Industry: Telecommunications

Primary factors:
• Conduct of business using IT
• Electronic records only
• Automated recording of transactions

Contributing factors:
• High volume of transactions processed

Business processes/accounts:
• Revenue; and
• Related trade receivables

Transactional understanding: Revenue transactions are incurred based on the transmission of signs, signals, messages, writings, images and sounds or intelligence of any nature by wire, radio, optical or other electromagnetic systems. A revenue transaction involves the use of technology and takes place when there is an exchange of information between communication participants. The calculation of billings is based on ratings tables which are embedded within the technology. The different technologies interface and, for financial reporting purposes, transactions are therefore initiated electronically based on the data created by the use of the different technologies (i.e., there is limited or no manual intervention from the initiation of the single transaction through to the period end aggregation for billing). Vast quantities of data support the transactions and are created and maintained electronically because of their nature and economic viability. There is no business use for converting the data to any other format.

Examples:
• Vodafone
• Deutsche Telekom
• AT&T
• Verizon Communications

Industry: Financial services

Primary factors:
• Conduct of business using IT
• Electronic records only
• Automated recording of transactions

Contributing factors:
• High volume of transactions processed
• Measurements (including related calculations) which are complex and/or judgmental

Business processes/accounts:
• Loans and advances
• Allowance for loan losses
• Interest expense
• Interest income
• Deposits
• SWIFT transactions
• Relationship with jurisdictional Central Bank (regulating reserves)

Transactional understanding: Various systems may support the operations and reporting of the financial services provider, resulting in high reliance on IT systems.
SWIFT: The SWIFT system (Interbank Financial Telecommunications) is a vast messaging network used by banks and other financial institutions to securely transmit information and instructions (such as money transfer instructions) through a standardized system of codes. SWIFT connections enable access to a variety of applications, which include real-time instruction matching for treasury and forex transactions, banking market infrastructure for processing payment instructions between the banks, and securities market infrastructure for processing clearing and settlement instructions for payments, securities, forex, and derivatives transactions.
Loans and deposits (considered in combination with related interest): Balances are determined using payments and receipts that take place in various forms (cash, EFT, etc.). Balances are determined and maintained using the IT system (electronically).
Allowance for loan losses: Determination of expected credit losses on loans (or similar instruments) using multiple data sets that are voluminous (account details, product terms and conditions, other credit information such as history of payments, etc.).
Interest income and interest expense: Various products exist, combined with various accounts and balances and a high number of customers; the interest is likely determined by the system and automatically recorded with no manual intervention.

Examples:
• HSBC
• JP Morgan Chase

Industry: Retail (online sale of goods)

Primary factors:
• Conduct of business using IT
• Electronic records only
• Automated recording of transactions

Contributing factors:
• High volume of transactions processed

Business processes/accounts:
• Revenue

Transactional understanding: Providing a platform for buyers and sellers to meet, i.e., buying and selling goods and services online. Independent platforms generally charge a listing fee which is a percentage of the sales price. Other sellers may include any store with its own online site, which charges a fee or delivery fee.

Examples:
• eBay
• Store chains with their own online store platform

3.10 Appendix B — Reference guide for testing operating effectiveness of controls

This tool may assist engagement teams in supervising and directing their engagement team members
(e.g., providing on-the-job training), and may be used by individual engagement team members as a
reference guide when performing audit procedures. The following is a reference guide for procedures
typically performed for testing operating effectiveness of relevant controls.

3.10.1 Objectives when testing the operating effectiveness of a control

Risk associated with the control
• For each relevant control, the evidence necessary to persuade the auditor that the control is
operating effectively depends upon the risk associated with the control. The risk associated with a
control consists of the risk that the control might not be effective and, if not effective, the risk that
a significant deficiency in internal control would result. As the risk associated with the control
being tested increases, the evidence that the auditor should obtain also increases.
• Factors that affect the risk associated with a control include those that are described in Section 3.4
of this guide and the following:
- The nature, timing, and extent of procedures performed in previous audits,
- The results of the previous years' testing of the control, and
- Whether there have been changes in the control or the process in which it operates since the
previous audit.
After taking into account the risk factors identified above, the additional information available
in subsequent years' audits might permit the auditor to assess the risk as lower than in the
initial year. This, in turn, might permit the auditor to reduce testing in subsequent years.

Testing operating effectiveness of a control
• The auditor should test the operating effectiveness of a control by determining whether the
control is operating as designed and whether the person performing the control possesses the
necessary authority and competence to perform the control effectively.


• Procedures the auditor performs to test operating effectiveness include a mix of inquiry of
appropriate personnel, observation of the company’s operations, inspection of relevant
documentation, and reperformance of the control.

Nature of tests of controls
• The evidence provided by the auditor’s tests of the effectiveness of controls depends upon the mix of the nature, timing, and extent of the auditor’s procedures.
• Some types of tests, by their nature, produce greater evidence of the operating effectiveness of controls than other tests. The following tests that the auditor might perform are presented in order of the evidence that they ordinarily would produce, from least to most: inquiry, observation, inspection of relevant documentation, and reperformance of a control.
• Note: Inquiry alone does not provide sufficient evidence to support a conclusion about the operating effectiveness of a control. [Internal Control Guide Chapter 3: Section 3.5.1]
• The nature of the tests of operating effectiveness that will provide appropriate evidence depends,
to a large degree, on the nature of the control to be tested, including whether the operation of
the control results in documentary evidence of its operation. Documentary evidence of the
operation of some controls, such as management’s philosophy and operating style, might not
exist. [Internal Control Guide Chapter 3: Section 3.5.1]

Timing of tests of controls
• The timing of tests of controls relates to when the evidence about the operating effectiveness of
the controls is obtained and the period of time to which it applies. The auditor must obtain
evidence that the controls selected for testing are designed effectively and operated effectively
during the entire period of reliance. [Internal Control Guide Chapter 3: Section 3.5.2]
• Prior to the period end, the entity might implement changes to their controls to make them more
effective or efficient or to address control deficiencies. In that case, we may consider how such
changes affect our reliance on specific controls and the period of time in which the control was
operating effectively. [Internal Control Guide Chapter 3: Section 3.5.2]

Extent of tests of controls
• When more persuasive audit evidence is needed regarding the effectiveness of a control, it may be appropriate to increase the extent of testing of the control. [Internal Control Guide Chapter 3: Section 3.5.3]
• For matters that could affect the necessary extent of testing of a control, see Section 3.5.3. [Internal Control Guide Chapter 3: Section 3.5.3]

When the auditor identifies deviations from the company’s controls, he or she should determine the
effect of the deviations on his or her assessment of the control being tested and the evidence to be
obtained, as well as on the operating effectiveness of the control. [Internal Control Guide Chapter 3:
Section 3.6]

3.10.2 Information to obtain/utilize when testing the operating effectiveness of a control

• Risk of material misstatement working papers
• Detailed control description
• Prior year’s operating effectiveness testing

Note: If the entity’s documentation of operating effectiveness is lacking, consider the implications on
the effectiveness of their monitoring of controls.

3.10.3 Procedures to test the operating effectiveness of a control

1. Assess the risk associated with the control (RAWC):
• Consider all of the factors listed in Section 3.4 and Section 3.10.1 to conclude whether the RAWC is “higher” or “not higher”.
2. Plan the test of operating effectiveness:
• Design the test of operating effectiveness to address the important steps of the control procedure as described in the detailed control description.
• Nature of audit procedures performed, including the manner in which we obtain audit evidence. See Internal Control Guide Chapter 3: Section 3.5.1.
- Determine whether to perform observation, inspection of documentation, and/or reperformance in addition to inquiry (i.e., audit procedures for obtaining audit evidence).
- For controls where the RAWC is higher, obtain more persuasive evidence (e.g., reperform the control procedures exactly as the control owner performs the procedures).
• Timing of our tests. See Internal Control Guide Chapter 3: Section 3.5.2.
- Determine whether to:
i. Perform a complete test at an interim date (i.e., perform the full sample size and reach a conclusion) and perform rollforward procedures through the balance-sheet date, or
ii. Apportion selections throughout the year.
iii. For controls where the RAWC is higher, it is likely to be more appropriate to obtain evidence closer to the balance-sheet date.
• Extent of our tests. See Internal Control Guide Chapter 3: Section 3.5.3.
- Determine the frequency of operation of the control.
- Based on the assessment of the risk of material misstatement and the RAWC, determine the sample size using DTTL AAM Figures 23001.1, 23001.2, and 23001.3. The sample sizes in DTTL AAM Figures 23001.1, 23001.2, and 23001.3 are minimums; consider increasing the sample size.
3. Perform tests of operating effectiveness (See Internal Control Guide Chapter 3: Section 3.6):
• Define the test objective, including a clear understanding of what constitutes a deviation.
• Identify the population to be sampled.
• Select the sample such that all items in the population have a chance of selection.
• Obtain sufficient and appropriate audit evidence.
• Apply professional skepticism when evaluating the persuasiveness of the evidence obtained.
• Evaluate the nature and cause of any deviations identified.
• Conclude on the results of the tests of operating effectiveness.

3.10.4 Deliverables upon completion of the tests of operating effectiveness

1. Risk of material misstatement working papers:
• A description of the planned procedures that clearly describes the nature, timing, and extent
of testing for each control or a reference to where the test of operating effectiveness is
documented.
2. Documentation of the test of operating effectiveness for each relevant control:
• A description of the evidence obtained.
• The period covered by the testing.
• The basis for the sample size, including the frequency of the control (i.e., the number of times
it operates).
• The procedures performed and the evidence of operating effectiveness obtained for each
selection.


• A statement that there were no exceptions and therefore the control is effective or a clear
description of any deviations noted and evaluation of whether the deviation is a control
deficiency.

3.11 Appendix C — Illustrative examples

To come in a future release of this guide.

4 Evaluating and communicating control deficiencies

4.1 Introduction
This chapter addresses the accumulation of identified control deficiencies and our evaluation of the
significance of the accumulated control deficiencies (both individually and in the aggregate). This
chapter also addresses our responsibility to communicate control deficiencies to management and
those charged with governance.

DTTL AAM Literature: For purposes of the DTTL AAM, the following terms have the meanings attributed below:
Deficiency in internal control – This exists when:
(i) A control is designed, implemented or operated in such a way that it is
unable to prevent, or detect and correct, misstatements in the financial
statements on a timely basis; or
(ii) A control necessary to prevent, or detect and correct, misstatements in
the financial statements on a timely basis is missing.
Significant deficiency in internal control – A deficiency or combination of
deficiencies in internal control that, in the auditor’s professional judgment, is of
sufficient importance to merit the attention of those charged with governance.
[DTTL AAM Glossary]

4.2 Process flow for evaluating and communicating deficiencies in internal control

[Process flow: Accumulate identified control deficiencies → Evaluate the significance of each control deficiency, individually and in the aggregate → Determine the effect of control deficiencies on the audit of the financial statements → Communicate control deficiencies]

This process flow illustrates the steps undertaken to accumulate and evaluate the significance of the control deficiencies to determine whether a significant deficiency in internal control exists, to determine the effect of control deficiencies on the audit of the financial statements, and to communicate control deficiencies. Each of these steps requires professional judgment and we may use the Using Professional Judgment practice aid to support our judgments.


4.2.1 Chapter quick summary

Accumulate identified control deficiencies

Key activity: Understand the entity’s process to identify and accumulate control deficiencies (Section 4.3)
Considerations:
• Understand the major activities that the entity uses to monitor internal control and how the entity initiates remedial actions.
• Understanding control deficiencies identified through this process provides valuable insights that may inform risk assessment and the design of responses.
Examples / additional guidance: Insights provided may include:
• Whether control deficiencies indicate possible risks of material misstatement
• Whether the plan to rely on controls remains appropriate. For example, a control deficiency may have been identified during the financial reporting period and remediated. Therefore reliance may still be possible, however not for the entire financial reporting period.

Key activity: Accumulate control deficiencies identified by us, and bring such deficiencies to the entity’s attention for management’s consideration and evaluation (Section 4.3)
Considerations:
• Accumulate all unremediated control deficiencies identified by us, the entity and regulators.
• Discuss control deficiencies identified by us with the entity on a timely basis.
Examples / additional guidance: Deficiencies that relate to relevant controls may impact other areas of the audit, as noted in the example above. Unremediated deficiencies in controls that are relevant to the audit may or may not be known to management. All unremediated deficiencies in controls that are relevant to financial reporting are to be accumulated.

Key activity: Gather/confirm the relevant facts for each control deficiency necessary for our quantitative and qualitative evaluation of its significance (Section 4.3)
Considerations:
• Obtain a full understanding of the facts and circumstances related to the nature and cause of the control deficiency that informs our judgement as to the significance of the control deficiency.
Examples / additional guidance: Consideration of both qualitative (e.g., the nature of the control that failed, whether the deficiency is in design or operating effectiveness, etc.) and quantitative (e.g., the size of the ABCOTD, etc.) perspectives. It is also important to consider whether the deficiency relates to an indicator of a significant deficiency in internal control.

Key activity: Document considerations and conclusions (Section 4.7)


Evaluate the significance of each control deficiency, individually and in the aggregate

Key activity: For each control deficiency, consider whether the deficiency relates to indicators of a significant deficiency in internal control (Section 4.4)
Examples / additional guidance: Identification of instance(s) of management fraud, whether or not material, that was not prevented by the entity’s internal control; misstatements detected by the auditor’s procedures that were not prevented, or detected and corrected, by the entity’s internal control, etc.

Key activity: For each control deficiency, consider the likelihood and potential magnitude of one or more misstatements as a result of the control deficiency (Section 4.4)
Examples / additional guidance: The section provides criteria to evaluate the significance of a control deficiency(ies):
• The likelihood (possibility) of one or more misstatements occurring (Section 4.4.1):
- The nature of the ABCOTD, and relevant assertions and the assessment of the risk of material misstatement.
- The susceptibility to loss or fraud of the related asset or liability.
- The subjectivity, complexity, or extent of judgment required to determine the amount involved.
- The importance of the controls to the financial reporting process.
- The interaction of the control with other controls.
- The interaction of control deficiencies.
- The possible future consequences of the control deficiency.
• The potential magnitude of the misstatement(s) resulting from the control deficiency(ies) (i.e., material or immaterial) (Section 4.4.2):
- The financial statement amounts or total of transactions exposed to the control deficiency.
- The volume of activity in the account balance or class of transactions exposed to the control deficiency that has occurred in the current period or that is expected in future periods.
• The existence of compensating controls that might mitigate the significance of the control deficiency (Section 4.4.3).

Key activity: For each control deficiency, consider whether compensating controls exist that might mitigate the significance of the control deficiency (and if so, obtain sufficient evidence of the effectiveness of such controls) (Section 4.4.3)
Examples / additional guidance: A compensating control is one that does not by itself fully respond to a risk of material misstatement, but nevertheless reduces the likelihood of a material misstatement (i.e., the magnitude of the misstatement). An alternative control is one that, by itself, fully responds to a risk of material misstatement, and if effective (in design and operation), can be relied on to respond to the risk of material misstatement. The deficient control replaced by the alternative control is, however, still a control deficiency and should be communicated accordingly.

Key activity: Conclude on the significance of each control deficiency (Section 4.4)

Key activity: Conclude on the significance of deficiencies in the aggregate (Section 4.4)
• Control deficiencies that directly relate to a risk of material misstatement: aggregate by material ABCOTD and relevant assertion, e.g., the revenue ABCOTD and the completeness of revenue (and not the completeness assertion across multiple ABCOTDs or all assertions related to revenue).
• Control deficiencies that indirectly relate to a risk of material misstatement: aggregate by internal control component.

Key activity: Document considerations and conclusions (Section 4.7)


Determine the effect of control deficiencies on the audit of the financial statements

Key activity: Identify the material ABCOTDs and related risks of material misstatement affected by the control deficiency (Section 4.5)

Key activity: For those deficiencies in direct controls, we consider the effect of the identified control deficiencies on each risk of material misstatement affected by the control deficiency (Section 4.5.1)
Generally, a deficiency in a relevant control precludes a control reliance strategy for the related risk of material misstatement unless the risk of material misstatement is addressed by other controls.

Key activity: For those deficiencies in indirect controls, we consider the effect of the identified control deficiencies on the effectiveness of the relevant direct controls (Section 4.5.2)

Key activity: Reconsider our plan to rely on the operating effectiveness of controls in determining the nature, timing, and extent of substantive procedures related to the risks of material misstatement addressed by the deficient control. If applicable (i.e., where there are other relevant controls that are dependent on the deficient control), consider whether it is necessary to reassess our assessment of the risk associated with other controls affected by the control deficiency (Section 4.5)
We consider control deficiencies identified during the period (both those identified by us and by the entity) that may affect:
• Our risk assessment (e.g., a better understanding of the entity’s process(es) and controls, identification of new risks of material misstatement, or an increase in our assessment of risks of material misstatement as a result of the identified control deficiencies).
• Our plan to take a control reliance strategy (and, if not, the impact on the nature, timing, and extent of our substantive tests).
• Our assessment of the risk associated with other controls affected by the control deficiency (e.g., assess whether more persuasive evidence is necessary to conclude that the other controls were not affected by the control deficiency and that such controls continue to be effective).

Key activity: Document considerations and conclusions (Section 4.7)

Communicate control deficiencies

Key activity: Communicate significant deficiencies in internal control to those charged with governance (Section 4.6)
Communication to those charged with governance should be in writing. The auditor shall include in the written communication of significant deficiencies in internal control:
• A description of the deficiencies and their potential effects.
• Sufficient information to enable those charged with governance and management to understand the context of the communication. In particular:
o The purpose of the audit was for the auditor to express an opinion on the financial statements.
o The audit included consideration of internal control relevant to the preparation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control.
o The matters being reported are limited to those deficiencies that the auditor has identified during the audit and that the auditor has concluded are of sufficient importance to merit being reported to those charged with governance.

Key activity: Communicate significant deficiencies in internal control and other deficiencies to management in writing (to the extent not already communicated to them by others) (Section 4.6)
Other deficiencies are communicated to management when, in the auditor’s professional judgment, they are of sufficient importance to merit management’s attention.

Key activity: Document considerations and conclusions (Section 4.7)

4.3 Accumulate identified control deficiencies

[Process flow: Accumulate identified control deficiencies → Evaluate the significance of each control deficiency, individually and in the aggregate → Determine the effect of control deficiencies on the audit of the financial statements → Communicate control deficiencies]

Understand the entity’s process to identify and accumulate control deficiencies

As part of our risk assessment procedures, we are required to obtain an understanding of the major
activities that the entity uses to monitor internal control relevant to financial reporting, including those
related to those control activities relevant to the audit, and how the entity initiates remedial actions to
deficiencies in its controls.

DTTL AAM Literature: The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control relevant to financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates remedial actions to deficiencies in its controls. [DTTL AAM 12200.118]

It is also important to discuss any control deficiencies that we have identified with the entity on a
timely basis to enable the entity to (1) perform appropriate research to confirm the facts and consider
the root cause (e.g., whether the control deficiency was caused in part by a deficiency in another
control), (2) include the deficiency in the entity’s process for accumulation, (3) evaluate the
significance of the control deficiency, and (4) remediate the control deficiency, as appropriate. It may
also be necessary to understand to whom control deficiencies and the resulting remediation are
communicated and whether this is appropriate given the significance of the remediated control
deficiency.

Obtaining an understanding of control deficiencies identified and remediated provides valuable insights, such as:
• Whether control deficiencies indicate possible risks of material misstatement
• Whether the plan to rely on controls remains appropriate. For example, a control deficiency may have been identified during the financial reporting period and remediated. Therefore reliance may still be possible, however not for the entire financial reporting period. See Section 3.5.2 Timing of tests of controls of this guide.

Accumulate control deficiencies identified, and bring such deficiencies to the entity’s attention for management’s consideration and evaluation.

We accumulate all control deficiencies identified during the audit. Similar to capturing proposed
adjustments in an audit, when we identify a control deficiency, it is important that we timely capture
the control deficiency in our working papers.

Control deficiencies may be identified in a number of different ways or from a variety of different
sources, including:
• By the entity: Through its monitoring activities, such as (1) internal audit or similar functions, (2)
periodic self-assessments, or (3) other ongoing monitoring activities. Accordingly, we should read
all reports issued during the year by internal audit (or similar functions) that address relevant
controls and evaluate any control deficiencies identified in those reports. In addition, it may be
useful to obtain and consider other documentation that the entity maintains in order to execute on
their responsibility to monitor internal control relevant to financial reporting and remediate control
deficiencies.
• By regulators: Via discussion or issuance of their reports to the entity.
• By us:
- From our evaluation of design and determination of implementation of relevant controls and
other risk assessment procedures, such as obtaining an understanding of the entity and its
environment
- From our tests of operating effectiveness of relevant controls
- From our other audit procedures — We consider evidence (including contradictory evidence)
from our other audit procedures (e.g., results of our substantive procedures).

The identification of a misstatement is an indicator that one or more controls may have been
ineffective. If this misstatement is concluded to be a material misstatement, this is a strong indicator
of the existence of a significant deficiency in internal control; therefore, in understanding the nature
and cause of the misstatement we have identified, we also consider the control-related implications.
Gather/confirm the relevant facts for each control deficiency necessary for our quantitative
and qualitative evaluation of its significance.

Obtaining a full understanding of the facts and circumstances related to the nature and cause of a
control deficiency is important to forming our judgment as to its significance, which includes
consideration of both qualitative and quantitative perspectives. The following represents information
that we typically gather when a control deficiency is identified:
• A description of the control deficiency, including when it was identified, who identified it, and the
location/business unit where it was identified
• The nature of the control that failed (e.g., manual or automated)
• Where a control reliance approach is planned, the frequency of deviations in the operating
effectiveness of the control (e.g., the number of deviations found relative to the number of
selections and the total number of instances of the control within the relevant population)
• Whether the deficiency is a deficiency in design or operating effectiveness
• Whether the deficiency was caused in part by a deficiency in another control
• The risk of material misstatement and the relevant assertion
• Whether the related risk of material misstatement that the control is intended to address is a
significant risk, including a fraud risk
• For general IT control deficiencies, the general IT control area and the related IT risk and
technology elements affected
• Whether the deficiency relates to an indicator of a significant deficiency in internal control (see
Section 4.4 and DTTL AAM 23001.66).
• The size of the ABCOTD, or total of transactions that is subject to the deficient control or the
volume of activity in the account balance or class of transactions exposed to the control deficiency,
as applicable
• Whether the control deficiency relates to an actual misstatement; if so, the actual amount of the
misstatement.

4.4 Evaluate the significance of each control deficiency, individually and in the aggregate

Process flow: Accumulate identified control deficiencies → Evaluate the significance of each control
deficiency, individually and in the aggregate → Determine the effect of control deficiencies on the
audit of the financial statements → Communicate control deficiencies

We are required to evaluate the significance of each control deficiency, on the basis of audit work
performed, individually and then in the aggregate, to classify it as a deficiency or significant deficiency
in internal control.

DTTL AAM Literature
If the auditor has identified one or more deficiencies in internal control, the auditor shall determine,
on the basis of the audit work performed, whether, individually or in combination, they constitute
significant deficiencies. [DTTL AAM 23001.64]

The significance of a deficiency or a combination of deficiencies in internal control depends not only
on whether a misstatement has actually occurred, but also on the likelihood that a misstatement could
occur and the potential magnitude of the misstatement. Significant deficiencies may therefore exist
even though the auditor has not identified misstatements during the audit. [DTTL AAM 23001.65]

Note Although we are not required to formally evaluate and classify the significance of
control deficiencies that are identified and remediated during the period covered by
our audit, we do need to consider how such control deficiencies affect our ability to
rely on the operating effectiveness of controls to determine the nature, timing and
extent of substantive procedures (i.e., take a control reliance approach).

Consider whether the deficiency relates to indicators of a significant deficiency

DTTL AAM Literature
Indicators of significant deficiencies in internal control include, for example:
• Evidence of ineffective aspects of the control environment, such as:
- Indications that significant transactions in which management is financially
interested are not being appropriately scrutinized by those charged with
governance.
- Identification of management fraud, whether or not material, that was not
prevented by the entity’s internal control.
- Management’s failure to implement appropriate remedial action on
significant deficiencies previously communicated.
• Absence of a risk assessment process within the entity where such a process
would ordinarily be expected to have been established.
• Evidence of an ineffective entity risk assessment process, such as management’s
failure to identify a risk of material misstatement that the auditor would expect
the entity’s risk assessment process to have identified.
• Evidence of an ineffective response to identified significant risks (for example,
absence of controls over such a risk).
• Misstatements detected by the auditor’s procedures that were not prevented, or detected and
corrected, by the entity’s internal control.
• Restatement of previously issued financial statements to reflect the correction of
a material misstatement due to error or fraud.
• Evidence of management’s inability to oversee the preparation of the financial
statements.
[DTTL AAM 23001.67]

Controls may be designed to operate individually or in combination to effectively
prevent, or detect and correct, misstatements (paragraph 31 of Section 12200). For
example, controls over accounts receivable may consist of both automated and
manual controls designed to operate together to prevent, or detect and correct,
misstatements in the account balance. A deficiency in internal control on its own may
not be sufficiently important to constitute a significant deficiency. However, a
combination of deficiencies affecting the same account balance or disclosure, relevant
assertion, or component of internal control may increase the risks of misstatement to
such an extent as to give rise to a significant deficiency. [DTTL AAM 23001.68]

Consider the likelihood and potential magnitude of one or more misstatements as a result
of the control deficiency

When applying professional judgement in evaluating the significance of a deficiency or deficiencies,
the following matters may be useful as part of that consideration:

DTTL AAM Literature
Examples of matters that the auditor may consider in determining whether a deficiency or
combination of deficiencies in internal control constitutes a significant deficiency include:
• The likelihood of the deficiencies leading to material misstatements in the
financial statements in the future.
• The susceptibility to loss or fraud of the related asset or liability.
• The subjectivity and complexity of determining estimated amounts, such as fair
value accounting estimates.
• The financial statement amounts exposed to the deficiencies.
• The volume of activity that has occurred or could occur in the account balance or
class of transactions exposed to the deficiency or deficiencies.
• The importance of the controls to the financial reporting process; for example:
- General monitoring controls (such as oversight of management).
- Controls over the prevention and detection of fraud.
- Controls over the selection and application of significant accounting policies.
- Controls over significant transactions with related parties.
- Controls over significant transactions outside the entity’s normal course of
business.
- Controls over the period-end financial reporting process (such as controls
over non-recurring journal entries).
• The cause and frequency of the exceptions detected as a result of the deficiencies in the
controls.
• The interaction of the deficiency with other deficiencies in internal control.
[DTTL AAM 23001.66]

The application of the considerations above requires the exercise of professional judgement. Below are
criteria that may be used to evaluate the significance of deficiencies.

The criteria to evaluate the significance of each deficiency, individually and in the aggregate, consist of
three elements that are not viewed discretely, but rather in combination:
• The likelihood (possibility) of one or more misstatements occurring
• The potential magnitude of the misstatement(s) resulting from the deficiency or deficiencies (i.e.,
material or immaterial)
• The existence of compensating or alternative controls that might mitigate the significance of the
deficiency in internal control.

We consider the likelihood and the magnitude in combination, not separately (e.g., we do not need to
quantify the probability of occurrence as a specific percentage or as a range; rather we determine
whether the deficiency or deficiencies represent a reasonable or remote likelihood of a material
misstatement). This relationship is depicted in Figure 4.1.
Figure 4.1

The criteria for evaluating the significance of a deficiency or deficiencies, set out above, assist in
classifying the deficiency as significant, which requires specific documentation and communication
(refer to Sections 4.6 and 4.7 of this guide); they also provide guidance in determining the effect
on the financial statements.

Note In evaluating the magnitude of the potential misstatement, the maximum amount by
which an account balance or total of transactions can be overstated is generally the
recorded amount, while understatements could be larger. Also, in many cases, the
probability of a small misstatement will be greater than the probability of a large
misstatement.

4.4.1: The likelihood (possibility) of one or more misstatements occurring


Matters that may affect the likelihood (i.e., reasonable or remote likelihood) that a control deficiency,
or a combination of control deficiencies, will result in a misstatement of an ABCOTD include (but are
not limited to) the following:
The nature of the financial statement ABCOTD, and relevant assertions involved and the
related assessment of risk of material misstatement.

The nature of the financial statement ABCOTD (e.g., whether significant subjectivity or complexity is
inherent in the ABCOTD) is a factor that affects the assessment of risks of material misstatement. A
higher risk of material misstatement related to the ABCOTD and assertion to which the deficient
control relates generally increases the likelihood that a misstatement will occur (and in some instances
the magnitude of such a misstatement could be material).

For example, there may be a greater likelihood of a misstatement (and that such a misstatement
could be material), occurring in connection with a complex ABCOTD, such as deferred revenue related
to software revenue recognition, than in an ABCOTD arising from routinely processed transactions,
such as payroll.
The susceptibility to loss or fraud of the related asset or liability

The likelihood of a misstatement generally increases with the susceptibility of the related asset or
liability to loss or fraud.

For example, the likelihood of a misstatement due to theft of small inventory items of high monetary
value (e.g., jewelry) is likely to be greater than the likelihood of a misstatement arising from
theft of larger items (e.g., rolls of paper) that are less susceptible to theft.
The subjectivity, complexity, or extent of judgment required to determine the amount
involved

The likelihood of a misstatement generally increases as the subjectivity, complexity, or extent of
judgment required to determine the amount involved increases.

For example, the likelihood of a misstatement related to the determination of the proper accounting
for a complex derivative or financial instrument is typically higher than the likelihood of a
misstatement occurring in an account resulting from routinely processed transactions (e.g., recording
fixed asset additions).
The importance of the controls to the financial reporting process

Specific considerations may include whether the control deficiency relates to:
• General monitoring controls (e.g., oversight of management)
• Controls over the prevention and detection of fraud
• Controls over the selection and application of significant accounting policies
• Controls over identification of related-party relationships and transactions with related parties
• Controls over significant unusual transactions outside the entity’s normal course of business
• Controls over the period-end financial reporting process (e.g., controls over non-recurring journal
entries).

The interaction or relationship of the control with other controls, including whether they
are interdependent or alternate

Redundancy generally reduces the likelihood of misstatements, because if one control fails, the
alternate (redundant or back-up) control would still prevent or detect the misstatement. Accordingly,
there is a greater likelihood of a misstatement when a control is found to be deficient and it is the only
control implemented to address a risk of material misstatement or when there are other controls that
are dependent upon the deficient control, which undermines the effectiveness of such other controls.

For example, the potential for unauthorized payments is reduced when both a preventive control
(e.g., a three-way match) and a detective control (e.g., review of checks and supporting
documentation before release) exist, such that if there is a deficiency in one of the controls, the
existence of the other control reduces the likelihood of a misstatement. However, if only the
preventive or the detective control existed and was determined to be deficient, then the likelihood of a
misstatement would generally be higher.
The interaction of the control deficiencies

The existence of deficiencies in two or more controls that affect the same ABCOTD and the relevant
assertion generally increases the likelihood of a misstatement in the ABCOTD.

For example, deficiencies in more than one control related to the accuracy of the billing process may
increase the likelihood of a misstatement in the related revenue account (see Section 4.4.5 for further
discussion).
The possible future consequences of the control deficiency

Consider the likelihood of the control deficiency leading to material misstatements in the financial
statements in the future.

DTTL AAM Literature
The significance of a deficiency or a combination of deficiencies in internal control depends not
only on whether a misstatement has actually occurred, but also on the likelihood that a
misstatement could occur and the potential magnitude of the misstatement. Significant deficiencies
may therefore exist even though the auditor has not identified misstatements during the audit.
[DTTL AAM 23001.65]

The considerations made to assess the potential magnitude of a misstatement for future periods are
similar to the considerations for the period the control deficiency existed. We determine whether there
is a reasonable likelihood that a material misstatement could occur in the future by considering the
following:
• The expected future financial statement amounts or total of transactions exposed to the control
deficiency
• The magnitude of such amounts or transactions that are reasonably likely to occur in future
periods as a result of the control deficiency
• Whether the potential misstatement would be material to the financial statements
- Based on the volume of activity in the account balance or class of transactions exposed to the
control deficiency that is expected in future periods, what is the magnitude of a potential
misstatement that is reasonably likely to occur in the future, considering factors such as:
  - What are management’s expectations of the volume of activity in the account balances or
  class of transactions (e.g., an expectation of the volume of activity based on budgeted or
  projected activity)?
  - Will the amount of the actual misstatement increase or decrease in future periods (e.g., the
  potential misstatement related to the improper capitalization of a depreciable asset decreases
  over time as the asset is depreciated (assuming no other new errors occur) as opposed to a
  misstatement that is increasing over time which could grow to become material in the future)?

For example, a significant but immaterial misstatement occurred in the accounting for debt issuance
costs associated with a significant debt offering in the current period which was identified by the
engagement team. The entity has a history of issuing significant debt to finance operations and has
budgeted for another significant offering next year to take advantage of favourable interest rates.
Since management’s controls did not detect or prevent the misstatement in the recent debt issuance,
there is a reasonable likelihood that the misstatement could occur in the future, which could result in a
future material misstatement.

4.4.2: The potential magnitude of the misstatement(s) resulting from the control deficiency
or control deficiencies (i.e., material or immaterial)
Matters that may affect the magnitude of the misstatement that might result from a deficiency or
deficiencies in controls, include (but are not limited to) the following:
• The financial statement amounts (or total of transactions) exposed to the deficiency
• The volume of activity that has occurred or could occur in the ABCOTD exposed to the control
deficiency or control deficiencies.
The financial statement amounts (or total of transactions) exposed to the control deficiency

The larger the ABCOTD subject to the control deficiency, the greater the potential magnitude of a
misstatement may be. Accordingly, it is important to identify the ABCOTDs that are subject to the
control deficiency to assess the potential magnitude of a misstatement.

For example, a deficiency related to controls over internet sales may not affect the effectiveness of
controls over onsite store sales, thereby limiting the assessment of the magnitude of misstatement
that might occur as a result of the control deficiency within internet sales. Conversely, a deficiency in
a control related to accounting for a complex hedging transaction may also affect the accounting for
other complex transactions related to other accounts, which in turn may increase the potential
magnitude of misstatement that might occur as a result of the control deficiency.
The volume of activity that has occurred or could occur in the ABCOTD exposed to the
control deficiency or control deficiencies

The larger the volume of transactions exposed to the control deficiency (regardless of the size of the
recorded account balance), the greater the potential magnitude of a misstatement may be.
Accordingly, it is important to consider the volume of activity exposed to the control deficiency to
assess the potential magnitude of a misstatement that might result from the control deficiency.

For example, a cash account may have a relatively small balance at any point in time, but may have
a very high volume of transactions flowing through it; therefore, in evaluating a control deficiency
related to the cash account, the magnitude of a misstatement may need to consider the volume of
activity exposed to the control deficiency. Similarly, the fair value of a "mark-to-market" asset or
liability may have a small recorded value at a particular point in time, but the fair value at other or
future points in time could be much greater, thereby increasing the magnitude of misstatement that
might result from a deficiency in the controls related to that account.

4.4.3: The existence of compensating and alternative controls that might mitigate the
significance of the control deficiency
Compensating control

A compensating control is one that does not by itself fully respond to a risk of material misstatement,
but nevertheless reduces the likelihood of a material misstatement (i.e., the likelihood or the
magnitude of the misstatement); for example, the existence of the compensating control moves the
evaluation of the potential misstatement to quadrant 3 or 4 of Figure 4.1. A compensating control does
not therefore "take the place" of the deficient control, but may result in limiting the significance of the
control deficiency (e.g., may result in the control deficiency being classified as only a deficiency in
internal control instead of a significant deficiency in internal control).

For example, deficiencies are identified in the controls related to the processing of accounts payable
for payment; however, the supporting documentation for all amounts above $X is reviewed prior to
release of payment. In this case, the review of items above $X is a compensating control that may
result in a remote likelihood of a material misstatement occurring and not being detected (because $X
is set at a sufficiently low level for this purpose); however, it would not prevent or detect
misstatements in payments that are less than $X. Therefore, when evaluating the significance of the
control deficiencies we have identified, and taking into account the compensating control we have
identified (and have tested to confirm its effectiveness), we may conclude that even though the
magnitude of a potential misstatement is not material (i.e., immaterial), there is a reasonable
likelihood of an immaterial misstatement occurring and not being detected. Accordingly, the existence
of the compensating control may limit the deficiencies in the payable processing controls to less than a
significant deficiency in internal control.

Alternative control

An alternative control is one that, by itself, fully responds to a risk of material misstatement (i.e., the
risk of material misstatement is addressed by the alternative control). For example, where a control
reliance approach is planned and the alternative control is operating effectively, it may be concluded
that there is a remote likelihood of an immaterial or material misstatement (demonstrated in
quadrant 1 or quadrant 3 of Figure 4.1). When there is an effective alternative control that responds
to the same risk of material misstatement as the deficient control, the deficient control is typically
classified as only a deficiency in internal control. In the future, the alternative control may be
identified as the relevant control in place of the deficient control.

For example, deficiencies are identified in the controls related to the processing of accounts payable
for payment; however, the supporting documentation for all disbursements is reviewed by the
payables supervisor prior to release of payment (the review of the support for the disbursements prior
to release of the payment is the alternative control in this situation). Because this alternative control
operates with respect to each transaction, its precision is such that the likelihood of misstatement may
be considered remote.

If we are planning to rely on the effectiveness of alternate or compensating controls in evaluating the
significance of deficiencies in other controls, we evaluate the design and determine the
implementation, and where control reliance was planned test the operating effectiveness of such
controls. Compensating controls identified by management are often management review controls;
thus, the precision of these controls is important to assess carefully (see Chapter 5).

Note The auditor should evaluate the effect of compensating controls when assessing a
control deficiency, individually and in the aggregate. To have a mitigating effect, the
controls should operate at a level of precision that would prevent or detect and correct
misstatements in the financial statements on a timely basis.

4.4.4: Special considerations


Auditor judgment is imperative in assessing a control deficiency. When any of the circumstances below
are present, we evaluate the circumstances, with professional skepticism, to determine the
assessment of the identified control deficiency, either individually or in the aggregate, and the impact
on the audit.
Identification of fraud, whether or not material, on the part of senior management

Since fraud involves incentive or pressure to commit fraud, a perceived opportunity to do so or some
rationalization of the act, an instance of fraud is unlikely to be an isolated occurrence. The implications
of identified fraud depend on the circumstances. For example, an otherwise insignificant fraud may be
significant if it involves senior management. In such circumstances, the reliability of evidence
previously obtained may be called into question, since there may be doubts about the completeness
and truthfulness of representations made and about the genuineness of accounting records and
documentation. There may also be a possibility of collusion involving employees, management or third
parties. [Adapted from DTTL AAM 29600.44 and .46]
Restatement of previously issued financial statements to reflect the correction of a material
misstatement

The restatement of previously issued financial statements to reflect a correction of a material
misstatement is generally indicative of a significant deficiency in internal control, as the entity’s
internal control did not prevent or detect a material misstatement that actually occurred. However,
when an entity restates its previously issued financial statements to reflect a correction of a
misstatement that did not have a material effect on any of the presented financial statements, we
nonetheless evaluate the control deficiency to determine if the misstatement could have been
material.

Note A restatement to reflect the correction of a material misstatement does not include
restatements to reflect a change in accounting principle or a voluntary change from
one generally accepted accounting principle to another generally accepted accounting
principle.

Identification by us of a material misstatement of financial statements in the current period
in circumstances that indicate that the misstatement would not have been detected by the
entity’s internal controls

Similar to the restatement scenario previously discussed, an auditor-identified adjustment(s) that is
material is indicative of a significant deficiency in internal control, as the entity’s internal control did
not prevent or detect a material misstatement that actually occurred. However, unlike the restatement
scenario, which is a situation identified "after the fact," in the case of an auditor-identified adjustment,
we often perform our audit procedures concurrently with the operation of certain of the entity’s
controls. It is therefore possible that certain of the entity’s controls may not have yet operated, but if
they were to have operated, the misstatement would have been identified through their operation.
Professional skepticism is warranted in this circumstance as it is often difficult to obtain persuasive
evidence that management’s controls that had not yet operated would have prevented or detected the
material misstatement.
Ineffective oversight of the entity’s external financial reporting and internal control over
financial reporting by the entity’s audit committee

Ineffective oversight by the audit committee of the entity’s financial reporting and internal control over
financial reporting is indicative of a deficiency in internal control, given the nature of the oversight and
governance responsibilities of the audit committee.

Pitfalls
• Failure to accumulate all control deficiencies identified and documented in our working papers or
identified by the entity.
• Failure to adequately understand the nature and cause of the control deficiency to enable a proper
evaluation of its significance.
• Identifying the actual misstatement as the control deficiency rather than identifying the deficient
control that failed to prevent or detect the misstatement in the first place, thereby incorrectly
assuming that simply correcting the misstatement eliminates or remediates the control deficiency.

Tips for avoiding pitfalls
• Develop a process for accumulating and tracking control deficiencies identified by us or the entity
throughout the audit. For example:
- Designate a team member to accumulate all control deficiencies reported by other team members
for evaluation
- Hold regular status meetings with the entity to communicate control deficiencies identified by us
and the entity.
• Obtain an understanding of the causal factors that contributed to the misstatement and/or control
deficiency.
• The identification of a misstatement is an indicator that one or more controls may have been
ineffective to prevent or detect the misstatement. The control deficiency is not the misstatement
itself; rather, the deficiency is the control that is either (1) missing or not sufficiently detailed or
precise enough to prevent or detect the misstatement (i.e., a design deficiency) or (2) effectively
designed, but failed to operate as intended (i.e., an operating effectiveness deficiency).

4.4.5 Aggregating control deficiencies


Once the significance of each individual control deficiency has been evaluated, we then aggregate the
control deficiencies to consider their significance in combination, as follows:
• For control deficiencies that directly relate to a risk of material misstatement, we aggregate by
material ABCOTD and relevant assertion (e.g., the revenue ABCOTD and the completeness of
revenue, and not the completeness assertion across multiple ABCOTDs or all assertions related to
revenue)
• For control deficiencies that indirectly relate to a risk of material misstatement, we aggregate by
internal control component.

Note For general IT control deficiencies that indirectly relate to a risk of material
misstatement, see Section 6.7, "evaluate the significance of each general IT control
deficiency identified, individually and in the aggregate," for further information regarding
the consideration of the significance of general IT control deficiencies in the aggregate.

4.4.5.1 Controls that directly respond to risks of material misstatement — aggregate by
material ABCOTD and relevant assertion

We aggregate and evaluate deficiencies in controls that directly respond to a risk of material
misstatement by relevant assertion for each material ABCOTD. A combination of control deficiencies
affecting the same assertion or material ABCOTD may increase the possibility of material
misstatement to such an extent as to give rise to a higher classification for the control deficiencies on
a collective basis (e.g., a significant deficiency in internal control, even though the significance of the
control deficiencies individually may have been assessed as less significant).

For example, if we had two control deficiencies related to completeness and three control deficiencies
related to occurrence for revenue, we would first aggregate by each assertion and then consider the
overall impact of all five control deficiencies in terms of the possibility of a material misstatement to
revenue occurring and not being prevented or detected.

The elements and factors we consider when evaluating the control deficiencies individually are the
same as those we consider when evaluating control deficiencies in the aggregate — we simply
reassess and conclude for each aggregated group of control deficiencies.

4.4.5.2 Controls that indirectly respond to a risk(s) of material misstatement

Aggregate by component of internal control

We consider the control deficiencies relevant to each internal control component and conclude on the
component. The factors we considered when evaluating the control deficiencies individually are the
same as those we consider when evaluating deficiencies in the aggregate — we simply reassess and
conclude.

In addition, a significant deficiency in internal control in one component cannot be mitigated to an
acceptable level by the presence and functioning of another component.

Operating together in an integrated manner

We also consider whether the components operate together in an integrated manner or collectively
reduce, to an acceptable level, the risk of not achieving an objective. We consider the control
deficiencies and conclusions for each internal control component and across internal control
components. However, even when each component is concluded to be effective on its own merit, we
also consider whether there are themes in the control deficiencies across the components that may
indicate that internal control overall is deficient and that the control deficiencies should be
reassessed. Additionally, we consider whether there is a greater impact on the audit. The factors we
considered when evaluating the control deficiencies individually are the same as those we consider
when evaluating control deficiencies in the aggregate.

Finally, given the significant judgments inherent in evaluating the significance of control
deficiencies, we document our considerations and the evidence, both positive and negative, that we
obtained to support our conclusions.

4.5 Determine the effect of control deficiencies on the audit of the financial statements

[Figure: process flow – Accumulate identified control deficiencies → Evaluate the significance of each
control deficiency, individually and in the aggregate → Determine the effect of control deficiencies on
the audit of the financial statements → Communicate control deficiencies]

We consider control deficiencies identified during the period (both those identified by us and the
entity), regardless of whether the control deficiency was remediated during the year, which may
affect:
• Our risk assessment and whether the identification of a control deficiency and our understanding
of the factors that caused the control deficiency may provide us with a better understanding of the
entity’s process(es) and controls, which, in turn, may cause us to identify new risks of
misstatement or risks of material misstatement or increase our assessed inherent risk for the risks
of material misstatement affected by the control deficiency (i.e., whether such risks that were
higher are now significant or such risks that were lower are now higher).
• Our plan to rely on the operating effectiveness of controls in determining the nature, timing, and
extent of substantive procedures (i.e., take a control reliance approach) and, if not, the impact on
the nature, timing, and extent of our substantive procedures. Our consideration of whether we can
take a control reliance approach when we have identified one or more control deficiencies
depends, in part, on the nature and significance of the control deficiencies.
• Our assessment of the risk associated with other controls affected by the control deficiency (e.g.,
assess whether more persuasive evidence is necessary to conclude that the other controls were
not affected by the control deficiency and that such controls continue to be effective).

Note: When a deficiency in general IT controls results in an unaddressed IT risk, additional
considerations are relevant. See Section 6.6, "Conclude on risks arising from IT and determine the
audit response," for further information, including the effect of general IT control deficiencies on
the audit of the financial statements.

4.5.1 Deficiencies in direct controls

For those deficiencies in direct controls (controls that directly address a risk of material
misstatement), we consider the effect of the identified control deficiencies on each risk of material
misstatement affected by the control deficiency (i.e., we do not determine the effect of the control
deficiencies at an overall process or ABCOTD level). Generally, a deficiency in a relevant control
precludes a control reliance approach (i.e., precludes us from relying on the operating effectiveness of
controls in determining the nature, timing and extent of substantive procedures) for the related risk of
material misstatement unless the risk of material misstatement is addressed by other controls. While
this is determined by professional judgment, the following may be useful to inform our assessment of
the effect of the control deficiency on our control reliance approach:
• When a control deficiency has been classified as only a deficiency in internal control, a control
reliance approach may still be appropriate if the risk of material misstatement has otherwise been
addressed by the alternative control or sufficiently limited in magnitude by a compensating
control. (Note that careful consideration of the precision of the compensating control is required
when determining if this is appropriate.)
• Typically, we expect that when a significant deficiency in internal control exists or existed, we will
not determine the nature, timing and extent of substantive procedures with the expectation that
controls are operating effectively; that is, we will not take a control reliance approach in responding
to the related risk of material misstatement. An exception is when the risk of material misstatement
has been addressed by an alternative control or sufficiently limited in magnitude by a compensating
control, but we classified the control deficiency as a significant deficiency in internal control because
we judged it important enough to warrant the attention of those charged with governance.
For example, a deficient process level control for an account balance may be compensated by a
detective control that limits the potential misstatement related to the deficient process level
control to an immaterial amount. Upon careful consideration, the compensating control has been
judged to be sufficiently precise to address the risk of material misstatement sufficiently to take a
control reliance approach in addressing the related risk of material misstatement. However, given
the entity’s (and our) expectation that the deficient process level control should operate more
reliably and due to the significance of the account, the deficiency in internal control was elevated to a
significant deficiency in internal control and communicated to those charged with governance.

4.5.2 Deficiencies in indirect controls

For those deficiencies in indirect controls, we consider the effect of the identified control deficiencies
on the effectiveness of the relevant direct controls. While this is determined by professional judgment,
the following may be useful to inform our assessment of the effect of the control deficiency on our
control reliance approach:
• When a control deficiency is classified as only a deficiency in internal control, consider whether it
is appropriate to conclude that there is no need to reassess our control reliance approach or to
increase the risk associated with direct controls that may be impacted by the deficiencies in the
indirect controls.
• When a significant deficiency in internal control exists or existed, we reconsider our audit plan,
including our risk assessment, our planned tests of controls (including reassessing the risk
associated with controls that may be impacted by the significant deficiency in internal control) and
our planned substantive procedures (including the appropriateness of a control reliance approach)
for the risks of material misstatement that may be indirectly affected by the significant deficiency
in internal control. Whether a control reliance approach is appropriate depends on the nature of
the significant deficiency in internal control and its relationship to the direct controls we are relying on.
For example, we identify a significant deficiency in control(s) related to the organization's
commitment to attract, develop, and retain competent individuals in alignment with objectives.
Even though this is an indirect control, we consider which ABCOTDs are more likely to be affected by
the significant deficiency in internal control (e.g., infrequent transactions or complex accounting such
as revenue recognition in the software industry) and consider whether to increase the risk
associated with the direct controls that may have been affected by the significant deficiency in
internal control and whether it is still appropriate to apply a control reliance approach.

Note: When a deficiency in a general IT control is not directly related to a risk of material
misstatement but instead addresses an IT risk, additional considerations are relevant.
See Section 6.7, "Evaluate the significance of each general IT control deficiency
identified, individually and in the aggregate," for information regarding the effect of
general IT control deficiencies on our financial statement audit.

4.5.3 The effect on the audit when a control deficiency exists and substantive procedures
alone cannot provide sufficient appropriate audit evidence
The decision tree below provides guidance when a deficiency exists and substantive procedures alone
cannot provide sufficient appropriate audit evidence and tests of controls are required as a response to
the assessed risk of material misstatement at the assertion level (note that in order to provide a
complete thought process in the decision tree, the consideration of the effect of deviations has been
included – refer to Chapter 3 of this guide for specific guidance on deviations):

Decision tree – The effect on the audit when a control deficiency exists and substantive
procedures alone cannot provide sufficient appropriate audit evidence

Starting point: a test of controls is required because substantive procedures alone cannot provide
sufficient appropriate audit evidence.

Step 1 – Has a deviation been identified?
NO: No further action. See Section 3.6.1.
YES: Go to Step 2.

Step 2 – Is the deviation a control deficiency?
NO: No further action. See Section 3.6.3.
YES: Communicate to management control deficiencies that are of sufficient importance, and go to
Step 3.

Step 3 – Do alternative control(s) exist?
When we conclude that relevant control(s) that we had planned to rely upon are not designed or
operating effectively (i.e., control deficiencies have been identified), consider whether alternative
control(s) exist that could address the risk of material misstatement.
YES: Evaluate the design and test the operating effectiveness of the alternative control(s). Determine
and conclude whether the risk(s) of material misstatement is addressed by the alternative control(s).
NO*: Consider the impact on the audit engagement, including:
• The impact on our audit report - qualification or disclaimer of opinion. (Refer to DTTL AAM
30500-2 Modifications to the auditor's opinion for requirements and guidance related to when the
auditor is unable to obtain sufficient appropriate audit evidence to conclude that the financial
statements as a whole are free from material misstatement.)
• Communication and reporting responsibilities to management and those charged with governance.

* This situation occurs only when substantive procedures alone cannot provide sufficient appropriate
audit evidence and there are no other relevant controls that are responsive to the RoMM(s) that are
operating effectively. It is not expected that this will be a common occurrence.

4.6 Communicate control deficiencies

[Figure: process flow – Accumulate identified control deficiencies → Evaluate the significance of each
control deficiency, individually and in the aggregate → Determine the effect of control deficiencies on
the audit of the financial statements → Communicate control deficiencies]

The significance of a control deficiency triggers different professional responsibilities with respect to
communicating control deficiencies to management and those charged with governance. The level of
detail at which to communicate significant deficiencies in internal control is a matter of professional
judgment. See DTTL AAM 30600-2, Communicating deficiencies in internal control to those charged
with governance and management, for further information on requirements and guidance specific to
the communication of matters related to deficiencies in internal control.

DTTL AAM Literature
The auditor shall communicate in writing significant deficiencies in internal control
identified during the audit to those charged with governance on a timely basis. [DTTL
AAM 30600-2.5]

The auditor shall also communicate to management at an appropriate level of
responsibility on a timely basis:
(a) In writing, significant deficiencies in internal control that the auditor has
communicated or intends to communicate to those charged with governance,
unless it would be inappropriate to communicate directly to management in the
circumstances; and
(b) Other deficiencies in internal control identified during the audit that have not
been communicated to management by other parties and that, in the auditor's
professional judgment, are of sufficient importance to merit management's
attention.
[DTTL AAM 30600-2.14]

The auditor shall include in the written communication of significant deficiencies in
internal control:
(a) A description of the deficiencies and an explanation of their potential effects;
and
(b) Sufficient information to enable those charged with governance and
management to understand the context of the communication. In particular, the
auditor shall explain that:
(i) The purpose of the audit was for the auditor to express an opinion on the
financial statements;
(ii) The audit included consideration of internal control relevant to the
preparation of the financial statements in order to design audit procedures
that are appropriate in the circumstances, but not for the purpose of
expressing an opinion on the effectiveness of internal control; and
(iii) The matters being reported are limited to those deficiencies that the auditor
has identified during the audit and that the auditor has concluded are of
sufficient importance to merit being reported to those charged with
governance.
[DTTL AAM 30600-2.23]

4.7 Documenting considerations for evaluating control deficiencies and concluding

The purpose of this section is to provide users with documentation considerations:

Considerations include:
1. Summary of all relevant control deficiencies and the relevant facts, including:
- Control deficiencies identified by the engagement team
- Control deficiencies identified by the entity
- Control deficiencies identified by the engagement team and the entity that have been
remediated
- Significant deficiencies in internal control identified in prior years that have not been
remediated
- Control deficiencies related to actual misstatements, including those identified when
performing substantive procedures
- Whether other controls (including indirect controls) contributed to the control deficiency
2. Our consideration and basis for conclusions regarding the evaluation of the significance of each
control deficiency
3. Our consideration and basis for conclusions regarding the evaluation of the significance of control
deficiencies in the aggregate by:
- Direct controls: ABCOTD and assertion
- Indirect controls: component of internal control
4. Basis for conclusions resulting from our reconsideration of the effect on the financial statement
audit approach of control deficiencies identified during the year, including those remediated during
the year
- Direct controls: risk(s) of material misstatement
- Indirect controls: considerations of the effect of the identified control deficiencies on the
effectiveness of the relevant direct controls.
5. Subsequent event procedures performed and conclusions
6. Written communications to management and those charged with governance of control
deficiencies identified
7. Written representation letter.


5 Controls with a review element - Management review controls

5.1 Introduction
This chapter is designed to assist the auditor in understanding the nature of controls with a review
element, and more specifically complex management review controls, as part of our risk assessment
procedures and, where applicable, in designing further audit procedures to test those controls with an
appropriate level of challenge.

Controls with a review element operate for different purposes and at different levels in an entity. They
can operate at the transactional level, i.e., reviews of account reconciliations or account analyses, or
operate at a higher-level, such as reviews of financial information of a component or subsidiary by
senior management. Controls with a review element also vary in complexity based on the subjectivity
and complexity of the underlying transaction, such as the review of a significant accounting estimate
or the accounting for an infrequent transaction or event. In addition, the position of the control
performer (i.e., management or others) may also impact how we refer to the control with a review
element.

Management review controls are a type of control with a review element (refer to Section 2.4 of this
guide for the categories in which types of controls generally fall). Management review controls are
controls with a review element that are performed by management and require more judgement,
knowledge, and experience in their performance and often relate to the more difficult and subjective
areas of an audit and are frequently intended to address multiple risks of material misstatement.
Figure 5.1 – Controls with a review element and management review controls

For example, a control with a review element in which management reviews the key assumptions
supporting the discounted cash flow analysis used to support the company goodwill impairment
assessment is a complex control with a review element that is a management review control.
For example, a control with a review element in which the accounting clerk reviews the calculation of
bonus provision for personnel is a less complex control with a review element performed by others.
The bonus provision calculation is simple, it is one month’s salary and the personnel qualify if they are
employed by the entity at a specified date. The entity does not experience high personnel turnover.
While this is still a control with a review element, because it is performed by others and is not
complex, it would not require as extensive documentation and consideration.

While this chapter focuses on the more complex management review controls, many of the concepts
covered herein would also apply to other types of controls with a review element and therefore may
be considered, as necessary.

For management review controls, we may therefore spend an increased amount of effort evaluating
the role of relevant management review controls during risk assessment (including obtaining a better
understanding of the description of the control and what the reviewer specifically does and considers
when performing their review) and when evaluating the design and determining implementation, and,
as necessary, testing their operating effectiveness.

These types of controls may not be sufficiently direct and precise on their own to address risks of
material misstatement, so appropriate evaluation needs to be done in order for us to be able to assess
the precision of these controls. Our assessment may lead us to conclude that the management review
control on its own is not sufficiently precise and is thus dependent on one or more other process level
controls or other management review controls to appropriately address a particular risk of material
misstatement.
For example, often the only controls identified to mitigate the significant risk of management
override of control are management review controls. However, often the control is not sufficiently
direct and precise. Therefore, insufficient audit evidence may be obtained and the significant risk may
not be addressed.

Bearing in mind the above considerations, it may still be efficient and effective to identify
management review controls as relevant because they may address multiple risks of material
misstatement.

5.2 Management review controls explained

5.2.1 What are management review controls?
Management review controls are typically detective controls that may be performed by one or more
persons individually or as a group (e.g., in a meeting environment).

As such controls operate for different purposes and at different levels within an organization, the
precision at which they operate may vary. Accordingly, while in some cases a management review
control may be sufficiently precise to address a risk of material misstatement alone, these controls
(for example review of an estimate) may often depend on other controls or information, including
information produced by the entity that the reviewer uses in performing their review (this is referred
to as information used in a control or “IUC”, refer to Chapter 7). We may need to apply a higher
degree of professional skepticism when applying this principle and it is important that we are aware of
and consider relevant facts around other controls that are important to the effectiveness of the
management review control.

We may need to challenge our understanding and conclusion if we determine that a management
review control alone addresses a significant risk of material misstatement. There may be multiple
lower-level controls (both preventive and detective) that support the management review control in
addressing the significant risk of material misstatement. A key consideration is whether the
management review control is designed to operate at a level of precision to address the applicable
risk(s) of material misstatement identified.

Well controlled entities have layers of controls that range from lower-level review controls that operate
at, or close to, the transactional level (which are more precise) to higher-level controls (which are less
precise). Higher-level management review controls may include reviews by financial reporting
management, senior management, and various committees such as the audit committee.

This section considers management review control activities that operate more broadly than at the
transaction processing level (there will likely be an element of detailed review by the control performer

© 2017 For information, contact Deloitte Touche Tohmatsu Limited Page 101 of 186
Internal control

in other process control types such as authorization and approval, reconciliation, verification, and
controls over standing data) and that typically take place at higher levels in the organization. These
broader control activities are usually business performance or analytical reviews involving comparison
of different sets of operational or financial data. The relationships are analyzed and investigated, and
corrective actions are taken when not in line with policy or expectations.

The scope of these business performance reviews is greater than for a transactional control and
typically addresses a number of risks.
An example of a higher-level management review control may be the review of the financial
statements before issue.
An example of a management review control that operates closer to the transaction processing level
may be a review of an accounting estimate.
An example of a detailed review that is performed by the control performer as part of another
process control type may be in an authorization control where the authorizer reviews the detail of an
individual employee expense claim for validity and accuracy including agreeing to appropriate
supporting evidence of expenditure. (Note this type of control is outside the scope of this chapter).
Smaller entities

Management review controls are often used in smaller entities to mitigate a lack of segregation of
duties. In many smaller entities, there may be little or no formal documentation of the design and
implementation of management review controls. We may therefore need to consider management
review controls in the context of our understanding of the control environment of the entity and our
wider understanding of the entity and its operations and think differently about how we may obtain
appropriate audit evidence. A smaller accounting function where duties are not highly segregated or
where the description of management review controls is less formalized does not in itself indicate a
deficiency in their controls. There is often evidence that the reviews took place as designed (e.g.,
emails, management’s informal notes from a meeting, journal entries, other actions taken in response
to the meetings or reviews) and the management review control could be concluded to be designed,
implemented, and operating effectively.

5.2.2 Types of management review controls

The approach to auditing management review controls described in this chapter applies to all of the
types of management review controls below; however, we need to consider explicitly the nature of the
risk(s) of material misstatement the management review control is designed to address. The most
fundamental consideration is the purpose of the management review control, i.e., how does the
review control directly address the identified risk(s) of material misstatement? A management review
control that is intended to prevent or detect misstatements is more precise than a control that is
merely intended to identify and explain differences from prior periods or budgeted amounts. See
Section 5.3.4 below.

Figure 5.2.2 – Management review control types

Relates to the review of a transaction, account balance, or event:
• Review of estimates
• Review of the accounting for infrequent transactions or events
• Review of variances or fluctuation analysis (1)
• Review of transactional activity processed through the entity's IT systems (1)

Relates to the review of aggregated financial information to determine whether there is a material
misstatement (e.g., a direct and precise entity-level control):
• Review of the financial information of a component or subsidiary
• Higher-level management review controls

(1) Review of variances or fluctuation analysis and review of transactional activity could also be included in
the review of aggregated financial information category depending on the level of aggregation.

5.2.3 Factors to consider when planning our approach for management review controls
The risks of material misstatement and assertions that management review controls are designed to
address can be complex and subjective (e.g., management estimates and significant or unusual
transactions). Similarly, management review controls themselves are often designed such that the
review activities involve a high degree of complexity, judgement, and subjectivity.

To appropriately evaluate the design, determine implementation, and, where relevant, plan our tests
of operating effectiveness, we obtain a detailed description of the management review control. Ideally,
management will have already prepared a detailed description of the management review control,
which establishes their expectations of how the review is performed, which we may use as our starting
point.

If the entity does not have an appropriately detailed description of the management review control,
we may need to obtain and document our own detailed description by inquiring of the persons
involved, who should be able to describe a predictable, sufficiently precise control. If management’s
description or explanation is inadequate, this may be an indicator of a deficiency in their controls.

We typically gain our understanding of management review controls when we understand the likely
sources of misstatement (e.g., through performing our walkthroughs). It can also be useful to further
our understanding and risk assessment by using process flow diagrams to document the risks and
relevant controls of a business process including the management review controls.

The key consideration for management review controls is whether they are sufficiently direct and
precise enough to address the related risk(s) of material misstatement.

5.3 Management review controls: Evaluation and testing considerations

5.3.1 Overview
A suggested approach to the audit of management review controls is to break up the evaluation and
testing of management review controls into three steps. These steps are not necessarily different than
those applied when testing any other control, but it is important that we apply the right level of detail
and diligence on each of these steps. Due to the complexity and importance of many of these controls,
the amount of time that we spend on each of these steps is often more significant than when testing a
more simple process level control. Management review controls can be challenging to audit, regardless
of whether we are evaluating their design, determining their implementation, or testing their operating
effectiveness. When these may be the only controls that mitigate a risk of material misstatement,
particularly a significant risk, it is important to assess the design with an appropriate level of
skepticism and obtain more persuasive evidence when testing operating effectiveness due to the
subjectivity and extent of judgment involved with these controls. We may also consider involving more
senior members of the engagement team in our work on management review controls.

5.3.2 Three step approach

Step 1: Obtain a detailed understanding of the management review control
Step 2: Evaluate the design and determine the implementation of the management review control
Step 3: If applicable, test and conclude on operating effectiveness of the management review control

The following sections describe the above three step approach for management review controls:
• Section 5.3.3 – Understanding management review controls
• Section 5.3.4 – Evaluating design and determining implementation of management review controls
• Section 5.3.5 – Testing operating effectiveness of management review controls
Section 5.3.3 describes the key points to consider in relation to the three components of management
review controls (inputs, reviewer activities, and outputs).

5.3.3 Understanding management review controls [see also Internal Control Guide Chapter 2]
We need to obtain a detailed understanding of the management review controls considered relevant to
the audit:
• During our work on understanding the entity’s business processes and identifying relevant
controls, we may identify relevant management review controls.
• For each relevant management review control, identify and understand the three components
(inputs, reviewer activities, and outputs)
• Consider applicable information used in the control (which may be the inputs (see below))
• Understand how direct and precise the management review control is
• Consider how the management review control interacts with other controls to address the risk of
material misstatement
• Consider whether our documentation of the control description is sufficiently detailed
• Where we are using process flow diagrams, include management review controls.

Pitfalls and tips for avoiding pitfalls

Pitfall: In completing our planning work and understanding of relevant controls, we do not illustrate to
management the type of documentation that we will require to evidence the review.
Tip:
• Request reviewers to retain documentary evidence, such as notes, emails, and draft versions of
documents.
• Where applicable, attempt to coordinate with the reviewer, such that we can update our
understanding or complete walkthroughs while the control is being performed.

Pitfall: The timing of our audit procedures, including planned work to evaluate design, determine
implementation, and test operating effectiveness of management review controls, does not
appropriately consider when during the period the relevant management review controls take place.
Tip: Communicate with management at an early stage in the audit process, including at the end of the
prior year audit, to effectively plan the timing of our evaluation of design, determination of
implementation and tests of operating effectiveness of management review controls, including
consideration of the timing of any interim visits or specific visits to test management review controls
that take place throughout the period.

© 2017 For information, contact Deloitte Touche Tohmatsu Limited Page 104 of 186

Pitfall: In identifying relevant controls we do not identify a management review control that is
relevant.
Tip: Challenge our understanding and confirm our conclusions are appropriate where we have
determined that a management review control is not relevant to the audit.

Pitfall: Not recognizing that management’s control procedures (e.g., control description) are
insufficient to clearly describe what is expected of the control performer. Information that is often
insufficient or missing from control descriptions includes:
• Types and sources of information that are used by the reviewer and how the reviewer ensures that
the information is complete and accurate before performing the control.
• What the reviewer is expected to do or consider in performing the review.
• How the information is used in the execution of the control.
• The threshold or criteria to identify items for follow up.
• The expected outputs of the control (including the final conclusions).
Tip: Discuss with management the importance of clearly established expectations in descriptions of
management review controls.

Pitfall: Failure to demonstrate an appropriate understanding of the information used in the
management review control and how it was generated.
Tip: Request that management enhance the description of the control, specifically focusing on the
inputs (including the information used in the management review control), the activities the reviewer
performs, and the outputs. This accomplishes the following:
• Helps management establish what is expected of the control performer.
• Provides us with a better starting point for our evaluation and testing of the control (i.e., enhances
the quality and efficiency of our auditing procedures by providing us better information with which
to understand and test controls).

Pitfall: Failure to obtain a sufficiently detailed or appropriate understanding/description of the
management review control; examples include a control description that:
• Reiterates the process, but does not describe the control.
• Is overly redundant or confusing (e.g., the same information is repeated multiple times, but may
be worded differently).
• Mixes the factual control description with our evaluation and conclusions on the design of the
control, which causes confusion as to whether the control description is also an evaluation of
design effectiveness.
Tip: When describing the management review control, use procedural statements and verbs (e.g.,
review, challenge, check, confirm, verify, reconcile, compare). Use the structured data fields in EMS to
document control description and control procedure. Separately perform and document our evaluation
of the design to avoid mixing the facts and our evaluation of the facts.

5.3.3.1 Three components of a management review control

Due to the further challenges and complexities associated with auditing management review controls,
we obtain an understanding of how the control is performed, including the three components (inputs,
reviewer activities, and outputs).

INPUTS – Inputs used by the reviewer in performing the control.
For example: System report or other documents or information (such as Excel spreadsheets or third
party reports). This is likely to be the information used in a control that the control is relying on.

REVIEWER ACTIVITIES – The specific activities the reviewer is performing.
For example: Consider the steps performed by the reviewer with respect to such inputs (e.g., items
reconciled, compared, recalculated, or evaluated) and the extent of challenge.

OUTPUTS – Identify the outputs of the control; by testing the outputs, we obtain evidence of the
review.
For example: Documentation that we obtain in order to determine whether the review took place in
accordance with the design of the control, including follow up by the reviewer of questions raised (see
further detail below).


5.3.3.2 Consider key points specific to management review controls – INPUTS

Step 1. Identify the information used by a control
Audit considerations: In discussions and walkthroughs, ask questions and understand how the control
is working so that we can assess the information that might be important to the operation of the
control. Without a full understanding, we could miss an element and if that happens, our testing may
not be sufficient.

Step 2. Determine which aspects of the information are relevant to the effectiveness of the control
Audit considerations: In other words, while there may be a significant amount of information being
used in a control, perhaps some of it is not relevant for the purposes of the risk it is addressing or the
assertions it is covering and what we need to understand and test for our audit.

Step 3. Understand how the relevant information is produced. Consider:
• The source data
• The report logic (extraction and calculations)
• User entered parameters
Audit considerations: This requires us to understand how the information is used in the control and to
evaluate its reliability as we would with any other piece of information used in a control. The extent
and scope of our testing of information produced by the entity differs depending on whether we are
testing the operating effectiveness of the management review control or not. For further information
on testing of information produced by the entity, see the DTTL Information produced by the entity
practice aid.

Step: Test the accuracy and completeness of the information produced by the entity, where relevant.
For information used in a control, it is unlikely that the control performer can validate the accuracy
and completeness of the information contained in a report simply by reviewing the report. It is
important that we evaluate that the information used in a control is sufficiently reliable early in our
testing, because if it is not, then the management review control cannot be effective.
Audit considerations:
Where we are just evaluating the design and determining the implementation of the management
review control: In evaluating the design of a control that is dependent on information used in a
control, we also evaluate whether the information used in a control is sufficiently appropriate and
detailed for its intended purpose. The nature and depth of this evaluation is a matter of professional
judgment, based on considerations such as 1) the nature of the information produced by the entity,
2) the extent to which the control is dependent on the information used in a control, and 3) history of
any errors with the information used in a control. It is not ordinarily necessary to perform procedures
to obtain audit evidence about the accuracy and completeness of the information used in a control
when we are not testing the operating effectiveness of the control that is dependent upon the
information produced by the entity.
Where we are testing the operating effectiveness of the management review control: When the
review is dependent upon the accuracy and completeness of the information used in a control, we
obtain evidence about the accuracy and completeness of the information used in a control by either:
1) Testing the operating effectiveness of controls that address the accuracy and completeness of the
information used in a control; or
2) Directly testing the information used in a control.
The term information produced by the entity may also be referred to as information used in a control.

Pitfalls and tips for avoiding pitfalls

Pitfall: Our documentation is unstructured and generic such that it doesn’t specifically document the
unique attributes of a management review control.
Tip: Documentation of the description of the management review control is structured to document
inputs, reviewer activities, and outputs. Documentation includes considerations around accountability
of the reviewer, the required level of precision, and the specific actions undertaken by the reviewer in
performing the review.

Pitfall: Failing to identify the information used in management review controls, and not testing or
documenting the information used in a control properly (i.e., we only evaluate if sufficiently
appropriate for evaluation of design and determination of implementation purposes) when performing
operating effectiveness testing.
Tip: Refer to Chapter 7 of this guide to assist with designing procedures to test the information used
in a management review control. We need to understand exactly what information the reviewer is
using, as often they may only use a particular piece of data from a report, and our procedures to test
the information used in a control should be focused on that information.

5.3.3.3 Consider key points specific to management review controls – REVIEWER ACTIVITIES

When evaluating and testing management review controls, we may understand, evaluate, test, and
document how the inputs are used in the reviewer activities.
The following are the key points we may understand and document:


• How the inputs (e.g., the meeting materials such as reports, analyses, assumptions) are used in
the performance of the steps of the review, including, where applicable, controls over the
preparation of such inputs
• The specific steps performed by the reviewer
• Whether all the important characteristics (or steps) of the control occurred
• Whether the scope and precision of the review activities are in sufficient detail to demonstrate the
substance of the control and the process that took place as a basis for the conclusions reached
(e.g., is it a cursory, quick review, or does the reviewer agree items against the general ledger, or
challenge against appropriate accounting guidance?)
• Consistency of performance including assessment of any changes in reviewer during the period
• The considerations and judgments that are applied by the reviewer when performing the control
(e.g., qualitative factors evaluated)
• Significant results and the basis (or criteria for investigation) for selecting matters that warrant
further attention (consider whether thresholds used are appropriate in relation to the risk the
management review control is addressing)
• The steps involved in investigating and resolving those matters
• The activities performed by the reviewer, if any, to determine whether the information used in a
control is accurate and complete (e.g., reconciling to the source of the data, reviewing the
parameters input into a query tool, or reviewing the formulas in an Excel spreadsheet)
• Whether any bias appears to exist in the discussion or results
• How we corroborated the above information.

Because management review controls often involve many steps and different sources of information,
we consider working closely with management to gain an understanding of each step that is being
performed and how it is being performed. One common issue we find is that the steps performed are
not sufficiently described and documented on the entity’s side, so if we are not challenging this in our
procedures, we may evaluate, test and conclude on a management review control without identifying
potential control deficiencies that exist.

Attribute testing (where we are just listing all the attributes of the control and ticking that they have
performed that control step) is unlikely to provide adequate evidence of operating effectiveness. For a
complex management review control, there is an expectation that the engagement team would
document a detailed description of the management review control so that we can determine whether
the procedures to evaluate design and test operating effectiveness include consideration of the
precision of the review control and are sufficient to be able to conclude on the design and operating
effectiveness of the control. An appropriately detailed analysis and testing would thus need to be
undertaken for each sample that we test.

Pitfalls and tips for avoiding pitfalls

Pitfall: Insufficient understanding and documentation of reviewer activities.
Tip: Understand and document, in detail, what the reviewer specifically does and considers when
performing the review to reach their conclusions.

5.3.3.4 Consider key points specific to management review controls – OUTPUTS

Example outputs of a management review control that we may need to obtain from management
include, but are not limited to, the following:
• Documentation of the breadth and depth of the questions from the review, issues raised, evidence
of questions being resolved, and ultimately if there were any errors identified (along with
corroborative inquiry with others involved in the preparation of input materials or performance of
control activities)
• Reports
• Journal entries
• Detailed meeting minutes (when review control occurs in a meeting) and evidence of follow up of
issues
• Email correspondence
• Notes, challenges, and signatures evidencing procedures performed
• Final memos documenting the outcome of the review (e.g., goodwill impairment memo)

By obtaining the documented output from the review we obtain evidence to assist our evaluation of
design and determination of whether the management review control has been implemented, or, as
applicable, our testing of operating effectiveness of the management review control.

5.3.4 Evaluating design and determining implementation of management review controls [see also
Internal Control Guide Chapter 2: Section 2.5]

When considering our evaluation of design and determination of implementation of management
review controls, the following design factors are generally most relevant:
• Appropriateness of the control considering the nature and significance of the risk
• Competence and authority of the person(s) performing the control
• Level of aggregation and predictability
• Criteria for investigation (i.e., threshold) and process for follow-up

While each of these factors is important to the design of effective management review controls, the
most fundamental factor is the purpose of the management review control; i.e., how does the
management review control directly address the identified risk(s) of material misstatement? When
evaluating the design of a management review control, it is important that we assess whether it
operates at a level of precision that can prevent or detect a material misstatement.
For example, a review of a budget to actual analysis may identify an error if there was an unusual
fluctuation but would not identify misstatements if there were no fluctuations, and thus the purpose of
the control is typically not to directly address a risk of material misstatement.

In addition, for significant judgments, we consider how effectively the management review control
recognizes and responds to bias, which could be unintentional (e.g., the impact of motivations or
pressures that impact a person’s objectivity) or intentional (e.g., through management override). This
bias is often overcome in a management review control by involving multiple people who, having
different motivations, bring and actively express their different perspectives to reach a less biased
outcome.
For example, the determination of whether the goodwill of a significant component is impaired
requires the use of subjective assumptions to prepare the forecast. Accordingly, there likely exists bias
by the preparer in the preparation of the forecast and by a reviewer when reviewing the
appropriateness of the forecast and underlying assumptions. To recognize and compensate for bias,
the review of the forecast might include:
• Component management who is responsible for achieving the forecast,
• The budget and planning group which is responsible for challenging the appropriateness of the
forecast,
• The financial reporting group who is responsible for the fair presentation of the financial
statements,
• Senior management who is responsible for ensuring that the forecast aligns with the current
business strategies, and


• The audit committee, all of which, if effective, likely culminates in a forecast that reflects less bias.
For example, the determination of the allowance for doubtful accounts receivable may require
subjective assumptions based on the accounts receivable clerk’s knowledge of individual customers
and payment history. The financial controller may review the allowance calculation on a monthly basis.
To reduce bias in this area, the entity may require reviews by more senior members of management,
such as the CFO, to determine whether the conclusions are consistent with the entity’s current and
expected business environment.

The documentation of our considerations for each of the design evaluation factors needs to be clear
and compelling, to support a conclusion that the control is effectively designed to operate at an
appropriate level of precision.

Obtaining evidence that only supports that a review was performed by management is generally not
sufficient, and we will need to obtain additional evidence, for example, what the reviewer challenged,
the level of rigor to which the control was performed, and whether the reviewer considered all of the
relevant accounting guidance. Consider evaluating the design and determining the implementation of
each important step in the management review control.
Criteria for investigation/thresholds

When considering the design factors, consider the criteria for investigation/thresholds used by
management in their review controls. Criteria for investigation/thresholds often form a critical part of
these types of controls, so we need to consider when performing our design assessment that such
criteria for investigation/thresholds are appropriate for the risk(s) of material misstatement that they
are addressing. Where a criterion for investigation/threshold is not applied in the management review
control, challenge management about the risk(s) that they believe the control is designed to mitigate
and why they are satisfied that the management review control is direct and precise enough to
address that risk appropriately.

It may be necessary for us to determine the level of misstatement that is likely to be identified by the
person performing the review. In making this determination, we may consider, among other factors,
the level of disaggregation of the data subject to the review, our understanding of the design of the
control, the range of variances the reviewer has historically identified with regard to the operation of
this control, and the criteria for investigation/thresholds that management has established for the
operation of other controls (e.g., the limits used in various exception reports or criteria for
investigation/thresholds established in other similar review controls) as indicators of the level of
misstatement that management believes is relevant.

To assess whether a criterion for investigation/threshold is sufficiently precise, we consider whether it
is applied to each transaction, a portion of the population (e.g., an account, a department, a
component, or amounts above a certain criterion for investigation/threshold) or to the overall balance.
We may consider our guidance in AAM 23002-2 for determining an appropriate criterion for
investigation/threshold when we are performing a substantive analytical procedure and use that as a
“benchmark” for evaluating the appropriateness of the entity’s criteria for investigation/threshold. As
the level of risk increases, we may also adjust how we use the determination of threshold levels table
in AAM 23002-2 to reflect this.

As we consider if the criteria for investigation/threshold is precise enough to identify a material
misstatement, we may consider the criteria for investigation/threshold amount as it relates to
performance materiality or materiality. We would normally expect management’s criteria for
investigation/threshold to be more precise than we would use in our determination of materiality for
the audit. We may also consider the clearly trivial threshold and determine that the criteria for
investigation/threshold is precise enough because the criteria for investigation/threshold is set such
that it would investigate amounts that are less than the clearly trivial threshold.
Remember: Assessment and documentation of each design factor is not mandatory for ISA audits –
however, these factors may be helpful when considering how to evaluate the effectiveness of the
design of many controls.


The extent of documentation to support our evaluation of the design of a control is a matter of
professional judgment. More complex controls (e.g., management review controls or direct and
precise entity-level controls) are generally more subjective and may operate at an aggregated level;
therefore, most or all of the above factors may be relevant and may require more extensive
documentation to support our evaluation of such controls. Partners and staff need to use judgement
when considering an appropriate level of documentation for the audit file. Consideration will need to
be given to the relative importance of the control to the particular entity and our audit testing
strategy. If we are testing operating effectiveness of a control the documentation of our understanding
and consideration of design factors will need to be more detailed, in order to support our testing
strategy, particularly if the testing is in response to a significant risk of material misstatement.

Pitfalls and tips for avoiding pitfalls

Pitfall: Audit documentation does not demonstrate how the engagement team evaluated and tested
the process for follow up and resolving issues identified by the management review control.
Tip: Enhance our assessment and documentation of our evaluation of the design of management
review controls by considering the design factors that are generally most relevant to management
review controls.

Pitfall: Management review control evaluation and testing does not properly evaluate the precision of
the control.
Tip: An important part of our assessment may include consideration of the criteria for investigation or
thresholds used by management and whether they are direct and precise enough.

Pitfall: We fail to assess whether the reviewer has enough knowledge and experience to make
informed judgments when performing the management review.
Tip: Enhance our evaluation and documentation of this design factor where this is particularly
important to the design of the management review control. We may document the individual’s
professional qualifications as well as those related to the role and the situation.

Pitfall: Not employing an objective and skeptical mind-set, considering both positive and negative
factors when obtaining sufficient appropriate audit evidence about the design and operation of the
management review control.
Tip: Discuss as a team to challenge each other’s thinking and specifically consider whether there is
contradictory evidence from our other audit procedures. We may consider for example:
• Whether management has appropriately involved third party experts and whether those experts’
qualifications are appropriate
• Whether the reviewer is inexperienced or lacks appropriate training in respect of the nature of the
review
• Whether in the past, the reviewer has demonstrated objectivity and appropriately challenged
conclusions
• Whether there is a lack of established protocols for identifying and communicating required
adjustments or areas to be followed up
• Whether based on the criteria for investigation or threshold, the reviewer seldom questions
anything or identifies errors
• Whether the reviewer does not perform sufficient due diligence on matters identified for further
investigation and therefore does not resolve the matter appropriately
• Whether the reviewer is not involved in the detail of the day to day operation related to the type
of transaction
• Whether there is a history of identified misstatements in that area
• Whether the review procedures performed are not applied consistently
• Whether the review depends on IT systems where management does not perform any checks on
the integrity of the IT systems.

Pitfall: Insufficient evaluative language regarding why the management review control is designed
effectively.
Tip: Focus on documenting a thorough, evaluative assessment in the context of the specific
management review control. Eliminate “generic” commentary that makes it difficult to understand the
basis for our conclusion.

Pitfall: Placing undue emphasis on testing management review controls and other detective controls
without considering whether the controls selected for testing, individually, or in combination,
adequately addressed the assessed risks of material misstatement of the material class of transaction,
account balance, or disclosure, including financial information for components in a group audit.
Tip: Include the purpose of the review control and its correlation to the risk/assertion as a
fundamental design factor in our evaluation of all management review controls.

Pitfall: Overreliance on higher-level management review controls (that do not sufficiently address the
related risk(s) of material misstatement) for significant risks.
Tip: Documentation of our understanding and our consideration of relevant design factors may be
more detailed for significant risks and will include (as noted above) our evaluation of whether the
management review control is in itself precise enough to address the risk(s) of material misstatement,
or whether it is dependent on other controls.

Pitfall: Failure to identify controls that a management review control is dependent upon (e.g., the
management review control could also be dependent on another control which may typically be the
control over the information used in the management review control, or the management review
control may be well designed apart from not being precise enough on its own, and thus being
dependent on one or more other process level controls).
Tip: Include cross reference of our evaluation and testing of other controls that work in combination
with the management review control to our evaluation and testing of the management review control.
Document in our evaluation of the purpose of the control design factor that this management review
control is dependent on another control.

Pitfall: Failure to consider bias in our evaluation of management review controls.
Tip: For management review controls over significant judgments, explicitly address how the risk of
bias is mitigated by the control, including whether the review process is dominated by a single
individual or view point.

5.3.5 Testing operating effectiveness of management review controls [see also Internal Control Guide
Chapter 3]
When testing the operating effectiveness of a management review control, it is important to select
procedures that will provide evidence that the control operated as designed throughout the period of
intended reliance.

A robust control description detailing how the control is expected to be performed can be leveraged to
help outline our testing of operating effectiveness. Consider designing procedures to test the operating
effectiveness of each important step in the management review control.

Obtaining evidence for only a portion of the control procedure will often be insufficient evidence that
the control operated as designed and will fail to provide evidence of other relevant steps of the control
(e.g., who performed the control and how it was performed, what the person performing the control
considered or the basis for conclusions in support of his or her sign-off). Consider judgements made
during the execution of the selected control, documented in the control description, and design
procedures to test operating effectiveness. It is critical that we obtain sufficiently persuasive evidence
of operating effectiveness due to the subjectivity and extent of judgement involved with management
review controls.

Pitfalls and tips for avoiding pitfalls

Pitfall: Not obtaining sufficient persuasive evidence of the operating effectiveness of the management
review controls, including what the reviewer looked at and what he or she considered in operating the
control, including support for the final conclusion.
Tip: Consider the nature of our operating effectiveness procedures. Reperform the management
review control using the same information considered by the reviewer (or observation of the
management review being performed when performed in a meeting).

Pitfall: We obtain evidence of the design of the management review control, not that it actually
operated in practice.
Tip: Document for each instance selected the specific evidence of the operation, rather than how the
control is “supposed to work”:
• The judgments made by the individual(s) performing the control and the factors evaluated by the
individual
• The basis for matters warranting further attention from management
• The steps taken and evidence obtained by management to make informed decisions on those
matters
• The misstatements identified or conclusions reached by management based on the procedures
that were performed.

Pitfall: Not documenting what we observed, including steps taken, judgments made and matters
warranting further attention.
Tip: Consider the nature of our operating effectiveness procedures. Whichever type of procedure we
use in combination with inquiry, we include detailed and complete documentation of the work
performed.

Pitfall: Inspecting signoffs only rather than inspecting documentation that demonstrates steps taken.
Tip: Consider the nature of our operating effectiveness procedures. Include in our testing and
documentation all important steps we have identified in the management review control. Assess
whether the reports and documentation inspected contain the information necessary to perform the
control and whether the control owner took any action to verify the information was complete and
accurate.

Pitfall: Limiting inquiries to the person performing the control or not inquiring or corroborating with
other relevant personnel, such as the person who resolves the matters identified by the reviewer.
Also not considering the implications for our assessment of the management review control when the
reviewer has changed during the period.
Tip: Our inquiry procedures involve asking probing questions about the key aspects of the control.
Consider enhancing the evidence obtained through our inquiry procedures by corroboration with other
individuals involved in the review control. Remember that inquiry alone is not sufficient and the
nature of our procedures to test operating effectiveness includes inquiry plus one or more of
observation, inspection or reperformance.

5.3.6 Situations where the management review control takes place in a meeting
Management review controls may occur in meetings, and observation of, or attendance at, a meeting may not be possible, making it more difficult to obtain evidence of whether such management review controls have been performed. Therefore, we may consider alternative procedures to obtain evidence, for example, obtaining:
• Meeting preparation materials
• Invitations sent to attendees
• Inquiries of individuals who attended the meeting
• Correspondence about issues discussed
• Documentation of follow-up actions.

Obtaining minutes or presentation material alone may not be sufficient, because the substance and completeness of the discussions and thought processes that led to the conclusions reached in the meeting, which we need in order to evaluate whether the control is performed properly, may not be captured in them. Inquiries of the individuals performing the control are also performed to enhance our understanding of what management did when performing such controls. Evidence from our inquiries is strengthened if we corroborate our inquiry with another individual who attended the meeting. It is important that we obtain evidence, and document, that follow-up actions resulting from the meeting took place.

Where a relevant management review control occurs in a meeting, we may try to attend the meeting
and observe the control in action. We may determine that our attendance at the meeting is required
due to the importance of the review control taking place and the evidence we could obtain from
attending. In determining whether we need to attend the meeting we may consider:
• The size and complexity of the business
• The nature of the meeting
• The purpose of the management review control taking place in the meeting (e.g., we may typically
choose to attend meetings to discuss management reviews of key contract performance in the
construction industry)
• The significance of the associated risk (e.g., we may want to attend a meeting where a
management review control that is designed to address a significant risk of material
misstatement, involving considerable judgement, is performed)
• The availability of alternative forms of audit evidence (including the quality and completeness of
documentation arising from the meeting).

Pitfalls / Tips for avoiding pitfalls

Pitfall: When we determined we needed to attend a meeting, not documenting sufficiently what we observed, including the steps taken, judgments made, and matters warranting further attention.
Tip: When we are observing a management review control, structure our documentation to capture the three components of the management review control: inputs, reviewer activities, and outputs.

Pitfall: When we determined we needed to attend a meeting, not observing the meeting and not obtaining sufficiently persuasive evidence of what occurred in the meeting (e.g., interviewing attendees and requesting attendees to retain their drafts and notes).
Tip: Plan and request to attend meetings in which management review controls will occur, early in the audit process. If attendance is not possible, design further procedures to obtain sufficient evidence of what will occur in the meeting.

Pitfall: Only obtaining evidence of what was discussed in the meeting without considering the resulting actions.
Tip: Check that follow-up by management is evidenced through inspection of e-mails, minutes, etc. and that there is clear evidence that the issue is resolved. Inquiry of the persons performing the control, in addition to obtaining support for findings and follow-up, will increase the reliability of audit evidence to support conclusions reached in a meeting.

Pitfall: Inspection of documentation alone is usually not sufficient to obtain evidence about the substance and completeness of the discussions and thought processes that led to the conclusions reached in a meeting.
Tip: Consider carefully the nature of our operating effectiveness procedures where we cannot observe the management review control. Inquiry plus inspection increases the persuasiveness of the audit evidence.


5.3.7 Evaluating deficiencies in management review controls [see also Internal Control
Guide Chapter 4]
The general considerations when evaluating deficiencies in controls are detailed in Chapter 4 of this
guide. Due to the complex nature of many management review controls (e.g., possibly having multiple
steps and frequently intended to address multiple risks of material misstatement), determining
whether deviations exist in certain steps or whether there are deficiencies in the control requires
professional judgement.

We need to consider whether any control deficiencies noted have an impact on other controls or risks
of material misstatement, or whether a compensating control may exist. Thus concluding on operating
effectiveness of management review controls can be difficult. As noted elsewhere in this chapter, we
may involve senior members of the engagement team in the planning and review of our work on
management review controls and also in the evaluation of any control deficiencies identified. We may
also consider consultation, such as with Internal Controls champions or National Office.

5.4 Management review controls documentation considerations


5.4.1 More complex and subjective management review control example – Design
The following has been included to show considerations related to the level of documentation that may
be necessary to appropriately document a more complex and subjective management review control
that requires more significant levels of management judgement and addresses multiple risks. As the
complexity decreases the level of documentation may also decrease.

This is not intended to show illustrations of actual audit file documentation, nor does it contain the full
detail that would be expected in actual audit file documentation.

The column on the left shows insufficient evidence or incomplete descriptions, and the column on the
right shows an improved example or how our documentation may include more persuasive evidence.

The management review control demonstrated in this example relates to the review of a goodwill
impairment analysis.

Control ID C_01

Original control description:
The CFO reviews the impairment analysis for appropriateness. Monthly, the controller prepares an undiscounted cash flow analysis, which is then reviewed and approved by the CFO. The CFO reviews the various schedules and signs off on the control package monthly.

Observations on the original control description:
- Insufficient control description (doesn’t describe what the CFO does) as well as an unnecessary process description.
- Inconsistent references to the inputs (e.g., impairment analysis, undiscounted cash flow analysis, schedules, control package).
- Lack of cross-references to where we have appropriately addressed the controls over the information used in the review.

Improved control description (abbreviated for this example):
Inputs:
- The Step 0 Goodwill Impairment Assessment Memo prepared by the Controller which includes the Undiscounted Cash Flow Analysis (UCFA) and supporting schedules (describe details).
Reviewer Activities:
- The CFO reviews the Goodwill Impairment Assessment Memo and the UCFA and supporting schedules monthly for appropriateness, including:
  - Discussing and considering the current and forecasted business environment with the CEO, the COO, and the VP of Operations (describe details).
  - Reviewing each of the assumptions and support within the UCFA with a particular focus on the weighting assigned to each outcome (describe details).
  - Discussing and challenging assumptions or weights that may have a significant impact on the conclusion [describe details].
Outputs:
- Questions sent to the controller to be addressed and resolved to the satisfaction of the CFO.
- The final Goodwill Impairment Assessment Memo and the UCFA and supporting schedules with the CFO sign off.

Documentation of evaluation of design including key design factors:

Key design factor: Appropriateness of the purpose of the control and its correlation to the risk/assertion
Insufficient evidence: The management review control is a “high level analysis” (e.g., an analysis of the change in account balances from month to month or year to year). The CFO’s review only focuses on the items with variances. The review is high level and only checks for reasonableness (i.e., similar to providing negative assurance). The review does not consider all accounts or information necessary to appropriately detect a misstatement.
Observations on the insufficient evidence: Limiting the description of a management review control to a high-level analysis without considering the detail of each risk of material misstatement description and whether the control is appropriate to address the identified risks of material misstatement.
More persuasive evidence: The management review control:
- Addresses all relevant accounts or information
- Considers multiple data sources (e.g., current and forecasted business environment, assumptions, and support within the UCFA) such that it is likely that a misstatement would be detected.
- Is performed at a sufficiently detailed level to detect errors that in the aggregate could be significant

Key design factor: Competence and authority of the person(s) performing the control
Insufficient evidence: Our evaluation of the competence of the reviewer addresses the reviewer’s:
• Education
• Certification
• Tenure
Observations on the insufficient evidence: Assuming that the competence of the reviewer is “implied” due to his/her education, background, position or experience with the entity.
More persuasive evidence: In addition to considering the reviewer’s education, certification, and tenure, our assessment of the competence of the reviewer also addresses the reviewer’s role and knowledge specific to the subject matter, including the activities he or she is involved in to maintain and update that knowledge to be able to develop an independent expectation (similar to our substantive analytical procedures), which would then allow him or her to be able to identify an error in the financial information being reviewed. We consider and document our observations based on our prior interactions with the reviewer with respect to the subject matter.

Key design factor: Criteria for investigation (i.e., threshold) and process for follow-up
Insufficient evidence: The review threshold:
- Is the greater of $x or y% of the financial line item, which results in a threshold that is not sufficiently precise, or
- Is not stated at all (i.e., the threshold for investigating items/differences is not defined and thus lacks sufficient basis to conclude on the precision).
Observations on the insufficient evidence: Failing to evaluate whether an established criteria for investigation exists, or failing to evaluate whether the criteria for investigation is sufficiently precise.
More persuasive evidence: The reviewer applies explicit thresholds that are sufficiently precise for the intended purpose. We consider the depth and thoroughness of the review, including the nature and extent of the questions raised by the reviewer and whether any resulted in identifying a misstatement.

5.4.2 More complex and subjective management review control example – Implementation
and operating effectiveness
Combined implementation and operating effectiveness

Documentation of evidence obtained and inspected (review control performed by an individual)
Insufficient evidence: We examined the memo that was the subject of the review and noted the controller’s sign-off as evidence of his review. We selected 2 months and noted that the Memos were properly reviewed; therefore we concluded that the control activity operated effectively. We inspected an email that evidenced that the CFO identified and asked questions about a small error in one of the UCFA’s that were the subject of the review.
Observations on the insufficient evidence: Evidence of what the reviewer actually did or considered in the review is lacking. Testing a sample to determine if the Memos were reviewed properly is not reperforming the control activity. A single (or limited) example of a question raised or an error identified in a review, while helpful, may not by itself provide sufficient evidence that the review was appropriately detailed in order to be concluded as being effective.
More persuasive evidence (abbreviated for this example):
- We obtained two instances of the Impairment Assessment Memo and the UCFA and supporting schedules that were subjected to the CFO’s review and assessed the appropriateness of the information used in the review (see w/p XXXXX where we have tested the controls that address the accuracy and completeness of the reports and data that feed into the Impairment Assessment Memo and the UCFA and supporting schedules), noting [summarize details].
- We inquired of the CFO the steps taken, factors considered, the judgments made, the basis for matters warranting further attention, the misstatements identified, and conclusions reached, noting [summarize details].
- We inspected the CFO’s notations and written comments included on the Impairment Assessment Memo and the UCFA and supporting schedules that were reviewed and which supported the representations regarding the scope and depth of the review, particularly the span and nature of the questions raised, noting [summarize details].
- We re-performed the control procedure by independently executing the same reviewer activities described in the control description and compared our results to those of the CFO, noting [summarize details].
- We obtained and inspected the evidence of follow-up and resolution of the action items.
- We considered whether evidence of bias appears to exist in the discussions or results, noting the following [summarize details].


6 Information technology considerations

6.1 Introduction
6.1.1 Purpose of this chapter
This chapter provides an overview of the unique considerations related to identifying, understanding,
and, where appropriate, testing relevant information technology (IT) controls.

The key activities addressed within this chapter are driven by requirements in the International
Standards on Auditing (ISAs) to understand:
• How IT affects the relevant flows of transactions (see discussion on identifying the relevant flows
of transactions in Chapter 2, Section 2.3); and
• The specific risks to an entity’s financial statements arising from IT (that relate to risks of material
misstatement from an audit perspective) and how the entity has responded to these risks through
implementation of IT controls.

An entity’s reliance for internal control and financial reporting purposes on data, automated controls,
or system-generated reports that reside in or are generated by an application system, data
warehouse, and report writer may result in the determination that the application system, data
warehouse, or report writer and the related IT infrastructure are relevant to our audit because the
entity’s reliance on them introduces risk arising from IT into its processes. For purposes of our audit,
we consider these risks arising from IT, identify relevant general IT controls, evaluate design and
determine implementation (and test the operating effectiveness when relying on controls in
determining the nature, timing, and extent of substantive procedures) of relevant general IT controls
the entity has implemented to respond to such risks.

Our procedures related to risks arising from IT and controls are performed in the context of the
relevant flows of transactions related to material classes of transactions, account balances and
disclosures (i.e., material ABCOTDs). In other words, we are not required to obtain an understanding
of all the entity’s IT systems; instead, we focus on those aspects of the entity’s IT environment that
may pose risks to the entity’s financial statements. Even when we do not plan to rely on the operating
effectiveness of controls in determining the nature, timing, and extent of substantive procedures, our
understanding of the role of IT in the entity’s processes is important to our identification and
assessment of risks of material misstatement and to planning further substantive procedures.

DTTL AAM 12200.71 describes our responsibilities for understanding the entity’s information system,
including the procedures within IT systems by which transactions are initiated, authorized, recorded,
processed, corrected as necessary, transferred to the general ledger, and reported in the financial
statements:

DTTL AAM Literature: The auditor shall obtain an understanding of the information system, including the
related business processes, relevant to financial reporting, including the following areas:
• The classes of transactions in the entity’s operations that are significant to the
financial statements;
• The procedures within both information technology (IT) and manual systems,
by which those transactions are initiated, recorded, processed, corrected as
necessary, transferred to the general ledger and reported in the financial
statements;
• The related accounting records, supporting information and specific accounts
in the financial statements that are used to initiate, record, process and report
transactions; this includes the correction of incorrect information and how
information is transferred to the general ledger. The records may be in either
manual or electronic form;
• How the information system captures events and conditions, other than
transactions, that are significant to the financial statements;
• The financial reporting process used to prepare the entity’s financial
statements, including significant accounting estimates and disclosures; and
• Controls surrounding journal entries, including non-standard journal entries
used to record non-recurring, unusual transactions or adjustments.
This understanding of the information system relevant to financial reporting shall
include relevant aspects of that system relating to information disclosed in the
financial statements that is obtained from within or outside of the general and
subsidiary ledgers. [DTTL AAM 12200.71]

6.1.2 Discussion with an IT specialist


DTTL AAM 13400.10, Involvement of an information technology specialist, requires that the audit
engagement partner and the IT specialist discuss, at a minimum every three years (and more
frequently if there are significant changes in IT systems, reliance on automated controls, and/or on
system-generated information), the extent of involvement of the IT specialist in the audit. The goal of
this discussion is for the engagement team and the IT specialist to determine whether to involve IT
specialists in the audit (and if so, the extent of such involvement), irrespective of whether we are
planning to rely on the operating effectiveness of controls in determining the nature, timing, and
extent of substantive procedures.

For complex IT environments when systems are typically identified that are relevant to our audit and
IT specialists are to be involved in the audit, their involvement extends to identifying relevant risks
arising from IT and relevant general IT controls that address such risks, including evaluating their
design and determining implementation. In less complex IT environments when no systems are
identified that are relevant to the audit, there are no relevant risks arising from IT and, therefore, no
relevant IT controls. In such cases, IT specialist involvement is typically limited to the required
discussion which should be appropriately documented. Our goal is to have the right level of IT
specialist involvement commensurate with the nature of the IT environment and related processes and
systems. If engagement teams, including the audit engagement partner and the IT specialist, are
uncertain about the relevance of IT to the audit and the commensurate level of IT specialist
involvement necessary, a consultation may be appropriate to assist in determining the appropriate
course of action.

Note: Refer to the Discussion of the involvement of an IT specialist template on the IT
Resources landing page on TL. The template provides two illustrative example
memos that may be used to document the results of the discussion between the
engagement partner and IT specialist. The first is for situations where IT specialists
are involved in the audit and the second is for situations where no IT specialist
involvement is planned.

6.1.3 Process flow for IT activities


The process flow below depicts the IT activities explained in this chapter with references to the
supporting details in the sections below. The chart is intended to represent the practical work flow
with which the IT activities are completed. Each of these steps requires professional judgment.
Accordingly, we may use the Using Professional Judgment framework to support our judgments.


Figure 6.1 (process flow for IT activities; the flowchart is not reproduced, its steps are listed in flow order)

• Start
• Understand how IT affects the flows of transactions (6.2)
• Identify relevant applications, data warehouses, report writers, and other technology elements (6.3)
• Decision: Relevant applications, data warehouses, or report writers? If No, End; if Yes, continue
• Identify and assess risks arising from IT (6.4)
• Identify, understand, and evaluate relevant GITCs (6.5)
• Decision: GITC deficiencies? If Yes, evaluate the severity of GITC deficiencies (6.7); if No, continue
• Conclude on risks arising from IT and determine the audit response (6.6)
• End

6.2 Understand how IT affects the flows of transactions


6.2.1 Understanding flows of transactions
Our understanding of how IT affects the flows of transactions (business processes) begins with the
relevant flows of transactions related to material classes of transactions, account balances, and
disclosures (see Chapter 3), which are depicted in the red box in Figure 6.2 below. Therefore, this
chapter assumes that the overall audit planning and risk assessment procedures, including our
procedures to identify and assess risks of material misstatement for material classes of transactions,
account balances, and disclosures, have already been performed, or are being performed concurrently
with the activities and procedures described in this chapter.

We begin with a high-level understanding of the flows of transactions, which includes:


• The procedures by which transactions are initiated, authorized, recorded, processed, and
corrected.
• How transactional data is transferred to the general ledger and reported in the financial
statements, including automated and manual interfaces.

The diagram in Figure 6.2 that follows is adapted from Figure 4 in COBIT IT Control Objectives for
Sarbanes-Oxley, 2nd Edition. While the diagram was prepared to support audits of internal control
over financial reporting, the concepts herein are relevant for financial statement audits as well. This
diagram depicts a typical IT environment, including the relationship between the material classes of
transactions, account balances, and disclosures, the related application systems (including data
warehouses and report writers), the IT infrastructure supporting those systems2 and the relevant
general IT controls, modified to align with our terminology. Notably, the diagram illustrates that our
identification of the relevant aspects of the IT environment follows our identification of the material
classes of transactions, account balances, and disclosures and the related relevant flows of
transactions, further emphasizing that the relevant aspects of the IT environment are identified based
on the effect they may have on the entity’s internal control over financial reporting, and ultimately on
the financial statements. Figure 6.2 will be used throughout this chapter to highlight each aspect of
the IT environment as it is discussed.

2 The application systems and the IT infrastructure (database, operating system, and network) are technology elements that are collectively referred to as an IT environment (see further discussion of IT environment in Section 6.3.2). The IT environment may also include interfaces, middleware, and data warehouses, which are not depicted in the diagram but are discussed in detail later in this chapter.

Figure 6.2 (the diagram is not reproduced; its boxes are listed from top to bottom)

• Material Classes of Transactions, Account Balances, and Disclosures: Balance Sheet, Income Statement, Cash Flow, Notes, Other Disclosures.
• Relevant Flows of Transactions (Processes): Flow of Transactions A, Flow of Transactions B, Flow of Transactions C.
• IT Environment:
  - Relevant Application Systems, Data Warehouses, and Report Writers: Application A, Application B, Data Warehouse A.
  - IT Infrastructure: Database, Operating System, Network.
• General IT Control Areas (supporting the IT environment): Data center and network operations; Access security; System change control.
• Identifying Relevant Application Systems, Data Warehouses, and Report Writers (side note): Data; Automated controls; System generated reports; Substantive procedures alone cannot provide sufficient appropriate audit evidence.

In conjunction with gaining our understanding of the relevant flows of transactions (processes) for
material classes of transactions, account balances, and disclosures, we also understand the role of IT
in those processes, including where relevant financial data resides and how it is being processed to
determine (1) which applications, data warehouses and report writers are relevant to our audit and
(2) the IT infrastructure that supports those application systems, data warehouses, and report writers
and is therefore also relevant to our audit.

Multiple systems and layers of supporting IT infrastructure (databases, operating systems and
networks) may be involved in the process from initiation to recording in the general ledger and
ultimately to reporting in the financial statements, and therefore, any or all of these systems and IT
infrastructure may be relevant to our audit. Whether applications, data warehouses, or report writers
are relevant for our audit is the key driver as to whether risks arising from IT and general IT controls
are relevant for our audit. See Section 6.3 below for further details with respect to possible scenarios
when determining whether there are relevant applications. Figure 6.3 below depicts how the
applications and related general IT controls relate to material classes of transactions, account
balances, and disclosures.
Figure 6.3 (the diagram is not reproduced; its boxes are listed from left to right)

Material classes of transactions, account balances, and disclosures → Relevant applications? → Relevant infrastructure (database, operating system, network) → Risks arising from IT → Relevant GITCs.
The diagram labels each link as either a Direct Relationship or an Indirect Relationship.


6.2.2 Understanding the IT environment


The IT environment may be defined as the policies and procedures that an entity implements and the
application systems, data warehouses, report writers, and IT infrastructure, which may also include
interfaces or middleware the entity uses to support business operations and achieve business
strategies.

Building on the understanding of the flows of transactions from Section 6.2.1 above, we obtain a high-
level understanding of the IT environment, which includes:
• The application systems and supporting IT infrastructure that comprise the IT environment and
play a role in financial reporting. The objective at this point in the process is to identify the
application systems and supporting IT infrastructure that may be relevant to our audit.
• The people and processes involved in maintaining the IT environment.
For example, an understanding of the IT department, including the size and complexity of the
support teams (e.g., security and change management support).
• Significant changes (e.g., system upgrade and/or new system implementation) within the IT
environment.

The application systems, data warehouses, report writers, and IT infrastructure (databases, operating
systems, and networks) are technology elements that are collectively referred to as an IT
environment. These technology elements may be defined as follows:
• Application system: Designed to allow a user to store/retrieve data in a logical and meaningful
manner and apply predefined business rules to that data.
For example, SAP, PeopleSoft, JD Edwards, Oracle, Hyperion.
• Data warehouse: A system used for reporting and data analysis. Data warehouses are central
repositories of integrated data from one or more disparate sources.
For example, EDW (“Enterprise Data Warehouse”), Business Warehouse (BW), and Business
Intelligence (BI).
• Report writer: A system used to extract data from one or more locations (e.g., an application
system or data warehouse) and present it in a specified format.
For example, Cognos, Crystal Reports, Business Objects (BO).
• Database: Stores the data used by the applications.
For example, Oracle, Sybase, DB2, SQL.
• Operating system: Responsible for managing communications (input/output) between hardware,
application systems, and other software. User authentication for certain application systems may
be dependent on operating system security.
For example, Windows, UNIX, LINUX, MVS, z/OS, OS390, OS/400.
• Network: Used to transmit data and to share information, resources, and services. The network
also typically establishes a layer of logical security (enabled through the operating system) for
certain computing resources within the organization.
For example, Cisco, NetGear, CheckPoint, Windows Active Directory.

These technology elements are depicted in the red box in Figure 6.4. The database, operating system,
and network technology elements work together to support the entity’s application systems and are
collectively referred to as the IT infrastructure.


Figure 6.4 (the diagram is not reproduced; it is the same diagram as Figure 6.2, with the IT Environment box highlighted)

• Material Classes of Transactions, Account Balances, and Disclosures: Balance Sheet, Income Statement, Cash Flow, Notes, Other Disclosures.
• Relevant Flows of Transactions (Processes): Flow of Transactions A, Flow of Transactions B, Flow of Transactions C.
• IT Environment (highlighted):
  - Relevant Application Systems, Data Warehouses, and Report Writers: Application A, Application B, Data Warehouse A.
  - IT Infrastructure: Database, Operating System, Network.
• General IT Control Areas (supporting the IT environment): Data center and network operations; Access security; System change control.
• Identifying Relevant Application Systems, Data Warehouses, and Report Writers (side note): Data; Automated controls; System generated reports; Substantive procedures alone cannot provide sufficient appropriate audit evidence.

6.3 Identify relevant applications, data warehouses, report writers, and other technology
elements
6.3.1 Identify relevant applications, data warehouses, and report writers
This section includes further details of each of the technology elements and the relevant factors to
consider in determining which elements, if any, are relevant to our audit.

Note If we determine there are no application systems, data warehouses, or report
writers that are relevant for our audit, no other technology elements will be relevant
to the audit, since the other technology elements (i.e., the IT infrastructure) underlie and
support the application systems, data warehouses, and report writers.

Application systems

Application systems may be defined as automated user systems and manual procedures that process
information. From a financial statement audit perspective, the application systems that are typically
relevant are those that play a role in initiating, authorizing, processing, recording or reporting financial
data, which may range from complex Enterprise Resource Planning (ERP) systems (e.g., SAP,
PeopleSoft, JD Edwards, Oracle), to custom software (developed internally by the entity or developed
for the entity by a third party), to commercial off-the-shelf (COTS) software requiring little or no
customization (e.g., QuickBooks).

ERP systems are customizable and therefore their implementation may vary based on business
needs (for example, custom-developed ERP systems, off-the-shelf ERP systems with or without
customization, and cloud-based ERP systems). Considerations that may be relevant when considering
the entity’s ERP system include, but are not limited to:
• The number and type of ERP functionalities and/or modules management has implemented:
- The extent to which management relies on automation provided through the ERP system.
- The extent to which management relies on system-generated reports in their controls.
- The ERP application functionality used. Complexity increases when, for example, the ERP system
is implemented to initiate transactions automatically or when a variety of complex calculations
underlie automated entries.
• How the ERP applications and modules interface (automated vs. manual).
• The IT infrastructure supporting the ERP system (database, operating system, and network).
• The extent to which management relies on the ERP system to process and maintain data.

Data warehouses and report writers

An entity’s IT environment may also include one or more data warehouses and associated report
writers. A data warehouse contains data to facilitate the querying and analysis of data for reporting
purposes. Entities may use data warehouses to improve the quality and efficiency of their reporting
and analysis capabilities. Since data warehouses are separate from the entity’s transactional
application system(s), complex queries and analyses can be performed more efficiently and without
using the resources of the entity’s application system, whose primary job is typically to record
transactions in real-time.

Data from various transactional application systems is typically transferred to a data warehouse
database through system interfaces. End users may access the data in the data warehouse via report
writers. Report writers include analytical applications (e.g., Cognos) and/or query tools (e.g., Business
Objects). The method to access the data is dependent upon the technologies implemented by the
entity and how it is using them.

Understanding how IT affects the entity’s flow of transactions includes understanding the role of data
warehouses and report writers and what information is stored or accessed through these technologies.

Figure 6.8 below depicts where a data warehouse may be located in an IT environment.

Identifying application systems, data warehouses, and report writers relevant to the audit

The determination as to whether application systems, data warehouses, and report writers (and
therefore general IT controls) are relevant to our audit is based on the following factors (as noted in
DTTL AAM 12200.98):
• Data
• Automated controls
• System-generated reports – Information produced by the entity
• Substantive procedures alone cannot provide sufficient appropriate audit evidence

These considerations are further explored below providing additional information as to circumstances
and examples to determine when they may be relevant to our audit.

Data

Data: The entity relies on an application system or data warehouse to process or maintain data
(e.g., transactions or other relevant data) related to (i) material classes of transactions,
account balances, and disclosures or (ii) reports used in the operation of a relevant control.
[Excerpt from DTTL AAM 12200.98]

We may determine that an application system, data warehouse, and/or report writer are relevant to
the audit when management relies on an application system or data warehouse to process or maintain
data (e.g., transactions or other relevant data) related to (i) material classes of transactions, account
balances, and disclosures or (ii) reports used in the operation of a relevant control. The more complex
and voluminous the transactions and/or other data, the more likely their integrity and reliability will
depend on the effectiveness of general IT controls, as it is less likely that sufficiently precise controls
that are not dependent on the data or the system (e.g., input/output controls or review controls) will
be in place to address the risks of material misstatement for the material account balances, classes of
transactions, and disclosures.

An entity’s reliance on data that by its nature, and due to its complexity and volume, depends on
general IT controls for integrity and reliability results in our determination that the systems in which
this data resides and the related IT infrastructure are relevant to our audit (i.e., because an entity’s
use of such systems introduces risks arising from IT that affect the integrity and reliability of the
data). See further discussion of risks arising from IT resulting from an entity’s reliance on data in
Section 6.4.
For example, an entity uses a billing system that:
• Performs functions: processes orders, generates invoices for billing, tracks client receivables
balances, and calculates revenue and receivables entries for posting to the general ledger system.
• Processes and houses data: entity-specific details (e.g., billing rates by service, billing information,
and terms) that are manually entered into the billing system based on a signed sales order;
information on services provided that is either manually entered into the billing system or obtained
through interfaces with other entity systems; and receivables and collection information.

Due to the volume of data supporting the entries posted to the general ledger system and the
complexity involved because of the multiple inputs being considered, it is not practical for the entity to
design precise controls that are independent of the billing system (e.g., input/output controls) to validate
the revenue and receivables entries generated by the billing system and recorded in the general
ledger system. As a result, the entity likely relies on automated controls within the billing system and
the related infrastructure, which may be relevant to our audit. If so, the billing system and related IT
infrastructure introduce risks arising from IT that affect the integrity and reliability of the data and, as
such, the system and related IT infrastructure are relevant to our audit. In this case, the relevant
controls over the data are automated controls; thus, general IT controls would be relevant to the audit.
For example, a manufacturer uses several application systems to record sales transactions, as
follows:
• Executed sales orders, approximately 200 per month, are entered into the order entry system from
a hard copy received from the salesperson. Management has an input/output control where the
sales orders processed are reconciled back to the hard copy originally entered into the system.
• Once a new sales order is entered into the order entry system, it interfaces with the billing/revenue
management system, which in turn interfaces with the general ledger system.
• Revenue recognition is based on information in the billing/revenue management system, including
certain information that originated in the order entry system, which is also detailed on the sales
order received directly from the customer.
• The company is not relying on any automated controls within the order entry system.

In this case, it may be appropriate to conclude that the order entry system and related IT
infrastructure are not relevant to our audit, as the volume and complexity of the sales order and
related revenue transactions are low and management has a precise input/output control verifying the
accuracy and completeness of the sales orders processed. In other words, the risk arising from IT
related to the integrity and accuracy of the data in the order entry system and the general IT controls
in place to address these risks are not relevant to our audit as management is not relying upon the
general IT controls, rather they are relying upon the input/output control. As such, there is no need
for the auditor to understand the general IT controls in this scenario in order to plan substantive
procedures.

Automated controls

Automated controls: The entity relies upon the application system to perform certain automated
functions that we determine are relevant to the audit, such as:
• Automated input, processing, and output controls: This includes the automation of controls
related to financial reporting (e.g., a three-way match of the purchase order, shipping
document, and invoice prior to payment; the automated approval of payment following an
approved delegation of authority; or the automation of the interface between two systems).
• Automated calculations: This includes the automation of financial calculations underlying
amounts that support or are related to classes of transactions, account balances, or
disclosures in the financial statements (e.g., the extension of sales price times quantity to
generate sales invoices; the calculation of outstanding balance on a loan portfolio; or the
calculation of depreciation expense).
• Automated application access: This includes the automation of access to financial reporting
transactions, including logical segregation of duties (e.g., access restrictions to updates to
inventory quantities or the systematic segregation of duties between front-office and back-
office transactions for derivatives processing).
[Excerpt from DTTL AAM 12200.98]

We may determine that an entity’s application system, data warehouse, and/or report writer is
relevant to our audit because management relies upon the application system to perform certain
automated functions that we determine are relevant to the audit. This functionality may include
automated input, processing, and output controls, automated calculations, and automated application
access, for which we use the term “automated controls.”
For example, automated controls within the system that the entity’s users may rely on include:
• Depreciation rules that have been automatically set to calculate depreciation expense.
• Cash discounts that are automatically calculated and applied using standard programmed
algorithms and established terms of sale.
• Key functions in an inventory module that are appropriately configured to maintain data integrity,
such that inventory is relieved on a First-In-First-Out flow assumption basis only when goods are
shipped with approved customer orders.
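To make concrete what an "automated input, processing, and output control" looks like as configured logic, the following Python sketch is an added illustration and not code from this guide or from any ERP vendor. It models the three-way match of purchase order, goods receipt and invoice and the delegation-of-authority rule cited in the excerpt above. The document fields, the 2% price tolerance and the 10,000 automatic-approval limit are constructed values; in a real application such parameters live in system configuration, which is why their integrity depends on access security and system change control (the general IT control areas this guide describes).

```python
"""Constructed three-way match and payment-approval control (illustrative only)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class GoodsReceipt:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    po_number: str
    vendor: str
    quantity_billed: int
    unit_price: Decimal


# Assumed control parameters. In an ERP these are configuration records;
# unauthorized changes to them (raising the tolerance, lifting the limit)
# are exactly what access security and change control are meant to prevent.
PRICE_TOLERANCE = Decimal("0.02")       # 2% unit-price variance allowed
AUTO_APPROVAL_LIMIT = Decimal("10000")  # delegation-of-authority limit


def three_way_match(po, receipt, invoice):
    """Compare the three documents; return a list of exceptions (empty = match passed)."""
    exceptions = []
    if not (po.po_number == receipt.po_number == invoice.po_number):
        exceptions.append("PO number mismatch across documents")
    if po.vendor != invoice.vendor:
        exceptions.append("invoice vendor differs from PO vendor")
    if invoice.quantity_billed > receipt.quantity_received:
        exceptions.append("billed quantity exceeds quantity received")
    if invoice.quantity_billed > po.quantity:
        exceptions.append("billed quantity exceeds ordered quantity")
    if po.unit_price == 0:
        exceptions.append("PO unit price is zero")
    else:
        variance = abs(invoice.unit_price - po.unit_price) / po.unit_price
        if variance > PRICE_TOLERANCE:
            exceptions.append(f"unit price variance {variance * 100:.2f}% exceeds tolerance")
    return exceptions


def payment_decision(po, receipt, invoice):
    """Run the match, then apply the approval rule; returns (status, exceptions)."""
    exceptions = three_way_match(po, receipt, invoice)
    if exceptions:
        return "BLOCKED", exceptions            # payment cannot be released
    amount = invoice.quantity_billed * invoice.unit_price
    if amount <= AUTO_APPROVAL_LIMIT:
        return "AUTO_APPROVED", []              # within delegated authority
    return "MANUAL_APPROVAL_REQUIRED", []       # routed to an approver


if __name__ == "__main__":
    # Constructed sample documents
    po = PurchaseOrder("PO-1001", "Acme Supplies", 100, Decimal("50.00"))
    gr = GoodsReceipt("PO-1001", 100)
    for inv in (
        Invoice("PO-1001", "Acme Supplies", 100, Decimal("50.50")),   # within tolerance
        Invoice("PO-1001", "Acme Supplies", 120, Decimal("50.00")),   # over-billed quantity
        Invoice("PO-1001", "Acme Supplies", 100, Decimal("60.00")),   # price out of tolerance
    ):
        print(payment_decision(po, gr, inv))
```

When an auditor evaluates such a control, the questions are whether the match rules and limits are configured as management describes, who can change them, and whether exceptions actually block payment rather than merely being logged; the `three_way_match` exceptions list is the evidence trail that a test of operating effectiveness would inspect.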

System-generated reports — Information produced by the entity

System-generated reports: There are two types of information produced by the entity –
Information used as audit evidence and information used in a control
• Information produced by the entity – Information used as audit evidence: With this type of
information produced by the entity, general IT controls would only be relevant if we were
testing ‘controls over the preparation and maintenance’ of the information. If we are ‘directly’
testing the information we use as audit evidence, in tandem with our substantive procedures,
then general IT controls would not be relevant.
• Information produced by the entity – Information used in a control: The entity relies upon an
application system, data warehouse query, or report writer to generate a report that is used in
the operation of relevant controls. The automation of the report logic (which we view as akin
to an automated control) includes the extraction criteria and algorithms, such as may be found
in an accounts receivable aging report, an exception report of goods shipped but not invoiced,
or monthly financial statements. In this case, general IT controls relevancy depends on
whether we are taking a ‘direct’-testing approach over the information produced by the entity
– information used in a control or a ‘controls’-testing approach over the information used in a
control.
[Excerpt from DTTL AAM 12200.98]

Information produced by the entity – Information used as audit evidence: We may determine that an
entity’s system is relevant to our audit when we plan to evaluate the accuracy and completeness of
information produced by the entity used as audit evidence (e.g., information produced by the entity
used to perform tests of operating effectiveness of controls or in substantive procedures) through an
evaluation of controls (e.g., we do not plan to test the information produced by the entity directly).
For example, consider a system-generated “rent roll” report listing tenant information, such as monthly
rent amount and lease term, that is used as an independent population from which to make selections for
testing revenue at a real estate entity. Management relies upon the system to generate the report
accurately and completely, and we decide to evaluate controls over this report that we will use as audit evidence.

Information produced by the entity – Information used in a control: We may determine that an
entity’s application system, data warehouse, or report writer is relevant to our audit if management
relies upon an application, data warehouse query, or report writer to generate a report that is used in
the operation of relevant controls. General IT controls would be relevant in these situations if we are
evaluating the operating effectiveness of controls over the preparation and maintenance of
information used in a control.
For example, consider a system-generated accounts receivable aging report from SAP that the entity uses
to determine the allowance for doubtful accounts, where management relies upon the system to generate
the report accurately and completely. In this case, if we intend to rely on the operating effectiveness
of controls in determining the nature, timing, and extent of substantive procedures and we plan to
take a controls testing approach over the information used in a control, the general IT controls would
be relevant.

Substantive procedures alone cannot provide sufficient appropriate audit evidence

Substantive procedures alone cannot provide sufficient appropriate audit evidence: We have
judged that it is not possible or practicable for us to obtain sufficient appropriate audit evidence to
address certain risks of material misstatement by performing only substantive procedures and the
relevant controls that we have identified over such risks are automated controls or manual
controls that rely on general IT controls (see Section 13300).
[Excerpt from DTTL AAM 12200.98]

Section 3.3.1 of this guide provides factors to consider in determining when substantive procedures
alone cannot provide sufficient appropriate audit evidence.
For example, an entity conducts its business using its application system to initiate orders for the
purchase and delivery of goods based on predetermined rules of what to order and in what quantities
and to pay the related accounts payable based on system-generated decisions initiated upon the
confirmed receipt of goods and terms of payment. No other documentation of orders placed or goods
received is produced or maintained, other than through the application system. In this example, the
automated three-way match of the order, the goods receiver and the invoice is a relevant automated
control; therefore, the application system is relevant to our audit.
For example, an entity provides services to customers via electronic media (e.g., an internet service
provider or a telecommunications company) and uses its application system to create a log of the
services provided to its customers, to initiate and process its billings for the services, and to
automatically record such amounts in the general ledger. In this example, the automated logging of
services rendered, the automated calculation and billing for such services, and the automated
generation of the journal entry to record the billing transaction are automated controls; therefore, the
application system is relevant to our audit.
Example engagement scenarios for determining when applications, data warehouses, or
report writers (and their general IT controls) are relevant to the audit

The following examples in Figure 6.5 demonstrate the application of the four application relevancy factors
described above to example engagement scenarios. Further, the use of the term “application
functionality” below is intended to include data, automated controls, and system-generated reports
relevant for financial reporting.
Figure 6.5

Scenario 1: Worldwide real estate auction company in Tulsa, OK. Provides live, at-the-property auctions.
Uses Solomon for its general ledger and Microsoft Dynamics CRM for revenue, commission expense,
commission accrual, and receivables.

Applications, data warehouses, or report writers and their general IT controls are not relevant:
• Standalone applications; all journal entries (including interfaces between applications) are manually
entered into Solomon.
• The volume of data (transactions) is not significant.
• The application’s functionality is not complex.
• Each auction transaction is supported by original hard copy documentation.
Basis for conclusion: General IT controls are not relevant as:
• The volume of data is not significant and therefore management is not relying upon general IT
controls to process or maintain the data.
• Management does not rely on automated controls or other automated functionality.
• Although management uses system-generated reports in their controls, they do not rely on these
reports. Instead they reconcile the reports back to the hard copy documentation and verify the
calculations in the reports.
• We will directly test information used as audit evidence.

Applications, data warehouses, or report writers and their general IT controls are relevant:
• Applications are interfaced.
• The volume of data (transactions) is significant.
• The application’s functionality is complex as (1) the application automatically initiates transactions,
(2) there are multi-factor transactions, and (3) there are a variety of complex calculations underlying
automated entries.
• Each auction transaction is supported by original hard copy documentation.
Basis for conclusion: General IT controls are relevant as:
• Management relies on an application system to process or maintain data as the volume of data is
significant.
• Management relies upon the application system to perform certain automated controls that are
relevant to the audit.

Scenario 2: Insurance company.

Applications, data warehouses, or report writers and their general IT controls are not relevant:
• Operates in a small, niche market.
• Provides property and casualty insurance to nuclear power plants.
• Uses Peachtree for its accounting software.
• All journal entries are manually entered into Peachtree using data from external sources.
• The volume of data is not significant.
• The application’s functionality is not complex.
• All policy and claim files are manually maintained.
Basis for conclusion: General IT controls are not relevant as:
• The volume of data is not significant and therefore management is not relying upon general IT
controls to process or maintain the data.
• Management does not rely on automated controls or other automated functionality.
• Although management uses system-generated reports in their controls, they do not rely on these
reports. Instead they reconcile the reports back to the external sources and verify the calculations in
the reports.
• We will directly test information used as audit evidence.

Applications, data warehouses, or report writers and their general IT controls are relevant:
• Provides multiple types of insurance to consumers and businesses.
• Uses legacy applications for claims processing and SAP for other financial applications.
• Applications are interfaced.
• The volume of data is significant.
• The application’s functionality is complex as (1) the application automatically initiates transactions,
(2) claims are automatically edited, and (3) there are a variety of complex calculations underlying
automated entries.
Basis for conclusion: General IT controls are relevant as:
• Management relies on an application system to process or maintain data as the volume of data is
significant.
• Management relies upon the application system to perform certain automated functions that are
relevant to the audit.

Scenario 3: Gold is a supplier of advanced technology products for the scientific research and aerospace
industries. Uses an ERP system for inventory, revenue/receivables, and general ledger.

Applications, data warehouses, or report writers and their general IT controls are not relevant:
• The volume of transactions for inventory (due to just-in-time inventory targets) is not significant and
the customer base is small (e.g., 100 customers).
• The application does not automatically initiate transactions.
Basis for conclusion: General IT controls are not relevant as:
• The volume of data is not significant and therefore management is not relying upon general IT
controls to process or maintain the data.
• Management does not rely on automated controls or other automated functionality.
• Although management uses system-generated reports in their controls, they do not rely on these
reports. Instead they reconcile the reports back to the external sources and verify the calculations in
the reports.
• We will directly test information used as audit evidence.

Applications, data warehouses, or report writers and their general IT controls are relevant:
• The volume of transactions is high for inventory as the company supplies 200 different types of parts
and there are a significant number of customers (e.g., 1,000).
• The functionality is complex as the application automatically initiates transactions in the inventory and
revenue/receivable cycles. There are multiple different products supplied. Revenue recognition criteria
are enforced by the ERP system. Invoices are generated automatically.
Basis for conclusion: General IT controls are relevant as:
• Management relies on an application system to process or maintain data as the volume of data is
significant.
• Management relies upon the application system to perform certain automated functions that are
relevant to the audit.

Conclusion options regarding application systems, data warehouses, and report writers
relevancy to the audit

The relevance of general IT controls in a financial statement audit determines whether we need to
understand applications, data warehouses, and report writers and their general IT controls for
purposes of our risk assessment and planning further audit procedures (i.e., evaluating design and
determining implementation) and/or whether we plan to rely on the operating effectiveness of controls in
determining the nature, timing, and extent of substantive procedures. We consider whether
applications, data warehouses, and report writers are relevant to the audit by material account
balance (e.g., material ABCOTDs), not at the entity level. However, in the case where the entity uses
an ERP system, such as SAP or Oracle, many account balances would typically be supported by the
ERP system. Our conclusions related to applications, data warehouses, and report writers and the
related general IT controls in a financial statement audit fall into one of the following three options:
• Applications, data warehouses, and report writers and therefore general IT controls are
determined to not be relevant and no further procedures are necessary.
• Applications, data warehouses, and report writers and therefore general IT controls are relevant,
but we do not intend to rely upon the operating effectiveness of controls in determining the
nature, timing, and extent of substantive procedures (i.e., understanding them is considered
necessary for purposes of our risk assessments and planning further audit procedures). See
Section 6.5.2 below for additional specific considerations when we are evaluating design and
determining implementation of relevant general IT controls.
• Applications, data warehouses, and report writers and, therefore, general IT controls are relevant
and we intend to rely upon the operating effectiveness of controls in determining the nature,
timing, and extent of substantive procedures. This is applicable when we:
- Determine that substantive procedures alone do not provide sufficient appropriate audit
evidence (see DTTL AAM 13150.58-62), or
- Opt to plan to rely on the operating effectiveness of controls in determining the nature, timing,
and extent of substantive procedures and determine that there are application systems (and
therefore general IT controls that address risks arising from IT) that are relevant to the audit.
In these circumstances, we are required to test the operating effectiveness (in addition to
evaluating the design) of the general IT controls that address the identified risks arising from IT.

Figure 6.6 below indicates how we consider the four application, data warehouse, and report writer
relevancy factors described above (i.e., data, automated controls, system-generated reports –
information produced by the entity, and substantive procedures alone) in the context of the three
options above (i.e., not relevant; relevant for an audit where we are evaluating design and
determining implementation only; relevant for an audit where we are testing operating effectiveness).
Figure 6.6

Column headings used for each consideration below:
[1] General IT controls are likely not relevant when:
[2] General IT controls are likely relevant when (evaluating design and determining implementation only):
[3] General IT controls are likely relevant when (evaluating design and testing operating effectiveness):

Consideration: Data
[1] Management does not rely on an application system or data warehouse to process or maintain data.
[2] Management relies on an application system or data warehouse to process or maintain data.
[3] Management relies on an application system or data warehouse to process or maintain data.

Consideration: Automated controls
[1] Management does not rely upon the application system to perform certain automated functions.
[2] Management relies upon the application system to perform certain automated functions that we
determine are relevant to the audit.
[3] Management relies upon the application system to perform certain automated functions that we
determine are relevant to the audit.

Consideration: System-generated reports, information produced by the entity — Information used as
audit evidence
[1] We plan to directly evaluate the information produced by the entity – information used as audit
evidence.
[2] N/A, as we typically would plan to directly evaluate the information produced by the entity –
information used as audit evidence.
[3] We plan to evaluate the accuracy and completeness of the information produced by the entity –
information used as audit evidence through a test of controls.

Consideration: System-generated reports, information produced by the entity — Information used in a
control
[1] Management does not rely on system-generated reports in their controls.
[2] Management relies upon an application, data warehouse query, or report writer to generate a report
that is used in the operation of relevant controls.
Note: In evaluating design and determining implementation of a relevant control we are not relying
on, we typically directly evaluate whether information used in the control is sufficiently reliable for
our purposes; hence this is not typically a driver for an application being relevant.
[3] Management relies upon an application, data warehouse query, or report writer to generate a report
that is used in the operation of relevant controls.
Note: In an integrated audit, we test controls over the information used in a control. In an ISA
financial statement audit (nonintegrated), we can directly evaluate the information produced by the
entity or evaluate controls over the information.

Consideration: Substantive procedures alone cannot provide sufficient appropriate audit evidence
[1] N/A
[2] N/A
[3] It is not possible or practicable for us to obtain sufficient appropriate audit evidence to address
certain risks of material misstatement by performing only substantive procedures, and the relevant
controls that we have identified over such risks are automated controls and/or manual controls that
rely on general IT controls.

6.3.2 Identify other technology elements

IT infrastructure

Each application system, data warehouse, and report writer used by an entity is supported by IT
infrastructure that usually consists of databases, operating systems, and networks. These three
technology elements are depicted in the red box in Figure 6.7 below. As is also depicted in Figure 6.7,
the same technology elements may support multiple systems.

Note As noted above, if there are no applications, data warehouses, or report writers identified
that are relevant to the audit, there is no need to consider the IT infrastructure as the IT
infrastructure underlies and supports the application.

Figure 6.7 (diagram; only the text recoverable from the figure is reproduced here)

Material Classes of Transactions, Account Balances, and Disclosures: Balance Sheet; Income Statement; Cash Flow; Other Notes Disclosures
Relevant Flows of Transactions (Processes): Flow of Transactions A; Flow of Transactions B; Flow of Transactions C
IT Environment:
• Relevant Application Systems, Data Warehouses, and Report Writers: Application A; Application B; Data Warehouse A
• IT Infrastructure (the red box): Database; Operating System; Network
General IT Control Areas: Data center and network operations; Access security; System change control
Identifying Relevant Application Systems, Data Warehouses, and Report Writers: Data; Automated controls; System-generated reports; Substantive procedures alone cannot provide sufficient appropriate audit evidence

Identifying relevant elements of IT infrastructure


Based on the identified relevant application systems, data warehouses, and report writers, we then
identify the relevant elements of the IT infrastructure, as these elements support these systems and
are therefore typically only relevant to the extent that the systems they support are relevant. In
today’s highly integrated, complex, and real-time processing environments, when we are testing the
operating effectiveness of general IT controls to rely on the operating effectiveness of controls in
determining the nature, timing, and extent of substantive procedures, it is typical for each of the
technology elements comprising the IT infrastructure to be relevant to our audit.
For example, we may determine that the entity’s SAP application runs on a Unix server (operating
system) and uses an Oracle database. User authentication is dependent upon Windows Active
Directory (operating system) and the entity is using Cisco network management software. In this
example, the Unix and Windows Active Directory operating systems, Oracle database, and Cisco
network management software are the technology elements supporting the SAP application system,
and all of these technology elements are relevant to our audit.

For each relevant application system, data warehouse, and report writer, we consider the relevance of
all three elements of the IT infrastructure (database, operating system, and network) and document
our consideration of and conclusion on the relevance of each.

For example, in an AS 400 environment, there is no separate database, and therefore, the database
element would not be considered relevant, as the database risks are addressed through the
application or operating system layers.
For example, a small entity runs a standalone manufacturing system, which does not communicate
with other applications and has no networking capability to access the Internet or other remote
locations. In this case, the network element would not be relevant to our audit.
Interfaces and middleware

Our end-to-end understanding of the relevant flows of transactions includes understanding the
interfaces between various systems, including both automated and manual interfaces. Automated
interfaces allow for the electronic transfer of transactions and data between systems. Depending on
how an entity’s systems are designed and configured, automated interfaces may or may not require
manual intervention.
For example, when an invoice is generated by the billing system, an entry may be automatically
posted to the general ledger system with no manual intervention required. Alternatively, entity
personnel may be required to enter a command to tell the billing system to post the transaction to the
general ledger system, but once the command is given, the transaction is transferred electronically.

Middleware, which is a type of automated interface, is a specific type of software that connects two
otherwise separate applications. It is a unique type of interface between two applications in that it is a
separate product that serves as the “glue,” and allows for transference of data between the two
applications.
For example, a mortgage banking entity may have multiple third parties originating loans in different
application systems. Each of these application systems would interface its loans through a common
middleware, which would reformat the diverse loan data formats into a common field layout prior to
interacting with the loan servicing application.

Figure 6.8 depicts where interfaces and middleware may be located in an IT environment.
Figure 6.8 (diagram): IT Environment — Relevant Technology Elements. Relevant Application Systems
A, B, and C are connected to one another by Interface/Middleware components, and interfaces also
connect the applications to a Data Warehouse.

Note Process flow diagrams may be particularly useful to document our understanding of
the flow of transactions and data between systems, including any interfaces or
middleware involved in the process. See A Guide in Preparing Flowcharts and DTTL
AAM 12200.102 for the requirement, when auditing a public interest entity, to
document our understanding of the applicable flows of transactions using process
flow diagrams to supplement narratives or other documentation related to classes of
transactions, account balances, or disclosures for which we have identified a
significant risk and revenue classes of transactions identified as material to the
financial statements.

Identifying relevant interfaces and middleware

We may determine that an interface or middleware is relevant to our audit if we determine the data
transferred via the interface or middleware is relevant to our audit. Regardless of whether an interface
is automated or manual, an understanding of the “path” by which transactions and other data travel
through the entity’s systems before ultimately being reported in the entity’s financial statements
allows us to identify where risks to the financial data may exist.
For example, an entity generates revenue by providing services to customers. Customers are billed a
standard rate (based on contracts) per service provided. Services provided are tracked by the Service
Counts system. The entity uses a separate Billing system to generate invoices, which are calculated
based on contract rates stored in the Billing system and “counts” of services provided that are
automatically fed into the Billing system from the Service Counts system. The Billing system also
tracks client receivables balances and generates revenue and receivables entries that are
automatically transferred to the General Ledger system for posting. In this example, there are
automated interfaces between the Service Counts system and the Billing system and between the
Billing system and the General Ledger system. Figure 6.9 depicts this process.
Figure 6.9 (diagram): the Service Counts System feeds the Billing System through an automated
interface, and the Billing System feeds the General Ledger System through a second automated
interface.

Service organizations

Our understanding of the flows of transactions includes an understanding of the entity’s use of service
organizations to perform processes relevant to financial reporting (e.g., payroll processing, processing
of insurance or medical claims) and, from an IT perspective, the systems that are being used by the
service organizations to perform those processes. In addition to outsourcing certain business
processes to a service organization, an entity may also outsource administration of one or more of its
systems to a service organization or use a service organization to “host” its systems.

6.4 Identify and assess risks arising from IT


6.4.1 Introduction
Risks arising from IT (RAITs) may be defined as risks that result from the entity’s use of, or reliance
on, application systems and the related IT infrastructure, related to financial reporting. Similar to the
process we use to identify risks of material misstatement for material classes of transactions, account
balances and disclosures, we identify and assess risks arising from IT, so that we may plan our further
audit procedures. The following are requirements and guidance in DTTL AAM 12200.113 and
12200.142 related to risks arising from IT:

DTTL AAM In understanding the entity’s control activities, the auditor shall obtain an
Literature understanding of how the entity has responded to risks arising from IT. [DTTL AAM
12200.113]

IT also poses specific risks to an entity’s internal control, including, for example:
• Reliance on systems or programs that are inaccurately processing data,
processing inaccurate data, or both.
• Unauthorized access to data that may result in destruction of data or improper
changes to data, including the recording of unauthorized or nonexistent
transactions or inaccurate recording of transactions. Particular risks may arise
when multiple users access a common database.
• The possibility of IT personnel gaining access privileges beyond those
necessary to perform their assigned duties thereby breaking down segregation
of duties.
• Unauthorized changes to data in master files.
• Unauthorized changes to systems or programs.
• Failure to make necessary changes to systems or programs.
• Inappropriate manual intervention.
• Potential loss of data or inability to access data as required.
[DTTL AAM 12200.142]

Similar to our identification and assessment of risks of material misstatement for material classes of
transactions, account balances, and disclosures, our process of identifying and assessing risks arising
from IT is not a discrete phase of the audit, but rather is an iterative and non-linear process that
continues throughout the audit engagement as we are obtaining our understanding of the entity’s
flows of transactions, identifying and assessing risks of material misstatement, and planning and
performing further audit procedures. This process is depicted in Figure 6.10.
Figure 6.10 (diagram): an iterative cycle with IT Risk Assessment at its centre, linking three
activities: Understand the Entity's Flows of Transactions; Identify and Assess Risks of Material
Misstatement; Plan and Perform Further Audit Procedures.

When identifying risks arising from IT relevant for the audit, we consider the relevant IT environment
at the entity. It is important to identify and consider risks arising from IT as they relate to each
relevant technology element (databases, operating systems, and networks). Furthermore, risks may
result from interactions among technology elements. Such risks may vary depending on a variety of
factors, including the complexity of the IT environment and the specific technology being used.

The risks arising from IT related to systems used by service organizations to perform business
processes relevant to financial reporting and systems administered or hosted by service organizations
on behalf of the user entity are similar to the risks arising from IT that exist within the user entity’s
own IT environment.

RAIT risk assessment typically occurs in two phases:


• High-level RAIT risk assessment—We perform a high-level RAIT risk assessment as we are
obtaining our overall understanding of how IT affects the entity’s flow of transactions, including
obtaining a high-level understanding of the IT environment (see Section 6.3.1). This is completed
as part of the identification and assessment of risks of material misstatement.
• Detailed RAIT risk assessment—We perform a more detailed assessment of the risks arising from
IT once we know which applications, data warehouses, and report writers, and their infrastructure
are relevant for the audit (see Section 6.3.2). We use the understanding obtained in the high-level
RAIT risk assessment to complete a more detailed assessment of the RAITs for each system, which
allows us to plan our further audit procedures to address these RAITs, which ultimately help
address the risks of material misstatement. There are three elements to the detailed RAIT risk
assessment process, which are described in the following sections.
1 – Identify and assess RAITs—Identify and assess RAITs for the application, data warehouse,
or report writer and its related infrastructure based on relevancy to financial reporting and the
technology platform (see Sections 6.4.2 and 6.4.3).
2 – Understand and identify relevant GITCs to address RAITs—Where relevant, identify
GITCs commensurate with the assessed RAIT (lower, higher, or significant) associated with a
system supporting an ABCoTD/assertion (see Section 6.5.1).
3 – Assess the risk associated with GITCs (RAWC)—Determine the nature, timing, and
extent of GITC testing based on both the RAIT and the RAWC (not higher or higher) (see
Section 6.5.3).

Note: We identify RAITs and GITCs to address them on all audits. We risk assess the RAIT and the
RAWC to vary the nature, timing, and extent of GITC testing only when we are testing the operating
effectiveness of controls.

6.4.2 Identify RAITs


When identifying RAITs, we consider the applications, data warehouses, and report writers relevant to
financial reporting at the entity and their related infrastructure. It is important to identify and consider
RAITs as they relate to each relevant technology element (e.g., application, database, operating
system, and network). Furthermore, as the technology elements interact with each other, they may
introduce unique risks to be considered. Such risks may vary depending on a variety of factors,
including the complexity of the IT environment and the specific technology being used. We utilize
FORM 1860S — IT RISK AND GENERAL IT CONTROLS GUIDE to assist in identifying relevant RAITs.

Examples to illustrate the RAITs that may relate to each technology element are provided below.
Application systems

RAITs related to application systems typically result from the entity’s reliance on data (whose integrity
and accuracy depends on GITCs), automated controls that reside in the application, or system-
generated reports that are generated by the application system or created using information from the
application system.
For example, if the entity relies on data related to material ABCoTDs and disclosures (i.e.,
transactions or other data that are initiated, authorized, recorded, processed, or reported through the
application system) and that by their nature and given their volume and complexity, require GITCs to
address their integrity and reliability, a relevant RAIT may be that users have access privileges beyond
those necessary to perform their assigned duties, giving rise to the risk that inappropriate
modifications may be made to financial data, which in turn may result in invalid, incomplete, or
incorrect data being reported in the entity’s financial statements.
For example, if an entity relies on its application system to perform a "three-way match" (automated
control) whereby invoices are generated only upon matching the purchase order and shipping
documents based on established tolerances, a relevant RAIT may be that inappropriate changes are
made to the application system resulting in the three-way match control not functioning correctly
(e.g., due to ineffective access controls, an unauthorized user might change the parameters of the
three-way match such that invoices may be generated even when variances between the purchase
order and shipping documents exceed established tolerances).
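The automated three-way match just described, as an added example that is not code from the guide or from any entity's system: a simplified match against configurable tolerances, together with a check of the live tolerance parameters against an approved baseline, which is the kind of evidence an auditor looks for when the RAIT is that the match parameters were changed inappropriately. All document numbers, tolerances, and records are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    quantity: int
    unit_price: float


@dataclass(frozen=True)
class ShippingDocument:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    po_number: str
    quantity: int
    unit_price: float


# Constructed baseline: the tolerances management approved (2% on quantity, 1% on price).
APPROVED_TOLERANCES = {"quantity_pct": 0.02, "price_pct": 0.01}


def three_way_match(po, shipping, invoice, tolerances):
    """Automated control: release the invoice only if its PO number agrees with the
    purchase order and shipping document, its quantity is within tolerance of both
    the ordered and the received quantity, and its unit price is within tolerance
    of the PO price. Returns (approved, reasons); reasons lists every variance that
    exceeded tolerance so a rejected invoice can be routed for manual review."""
    if not (po.po_number == shipping.po_number == invoice.po_number):
        return False, ["PO number mismatch across documents"]
    qty_tol = tolerances["quantity_pct"]
    price_tol = tolerances["price_pct"]
    reasons = []
    if abs(invoice.quantity - po.quantity) > qty_tol * po.quantity:
        reasons.append("invoice quantity outside tolerance of ordered quantity")
    if abs(invoice.quantity - shipping.quantity_received) > qty_tol * shipping.quantity_received:
        reasons.append("invoice quantity outside tolerance of received quantity")
    if abs(invoice.unit_price - po.unit_price) > price_tol * po.unit_price:
        reasons.append("invoice unit price outside tolerance of PO price")
    return not reasons, reasons


def loosened_tolerances(current, approved=APPROVED_TOLERANCES):
    """Parameter check: return the tolerance keys whose live value is larger than
    the approved baseline. Anything returned here means the match is weaker than
    management approved, and the change should be traced to an authorized change
    ticket or, failing that, to a breakdown in access control over the parameters."""
    return sorted(key for key, value in current.items() if value > approved.get(key, 0.0))


if __name__ == "__main__":
    po = PurchaseOrder("PO-1001", quantity=100, unit_price=10.00)
    shipped = ShippingDocument("PO-1001", quantity_received=100)
    invoice = Invoice("PO-1001", quantity=104, unit_price=10.00)  # 4% over-billed
    # Under the approved tolerances the invoice is held back.
    print(three_way_match(po, shipped, invoice, APPROVED_TOLERANCES))
    # Constructed: the live quantity tolerance has been raised to 10%, so the same invoice passes.
    live = {"quantity_pct": 0.10, "price_pct": 0.01}
    print(three_way_match(po, shipped, invoice, live))
    # The baseline comparison surfaces the loosened parameter.
    print(loosened_tolerances(live))
```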
For example, if the entity uses an accounts receivable aging report (system-generated reports)
generated from the application system to determine the allowance for doubtful accounts, one relevant
RAIT related to the source data may be that systems are not adequately configured or updated to
restrict system access to properly authorized and appropriate users, which may result in inappropriate
modifications being made to the source data included in the accounts receivable aging report and
ultimately may affect the appropriateness of the allowance for doubtful accounts. A RAIT related to
the report logic component of the accounts receivable aging report may be that inappropriate changes
are made to the report logic within the application system, which may affect the accuracy and
completeness of the accounts receivable aging report (e.g., certain data may be inappropriately
excluded from the report, or data may not be properly categorized in the report).
RAITs related to application systems are typically addressed through the entity’s GITCs (see Section
6.5).
Data warehouses and report writers

RAITs related to data warehouses and report writers typically result from the entity’s reliance on data
housed within the data warehouse or reports generated from the report writer. Our identification of
the relevant RAITs related to the entity’s reliance on such reports depends on our understanding of
the elements of the system-generated report and where each element resides (i.e., in which system):
(1) the source of the relevant data (source data) within the system-generated report and (2) where
the report logic resides.

This section includes further details of each of the technology elements and the relevant factors to
consider in determining which elements, if any, are relevant to our audit.

Note Typically there are not any RAITs related to user-input parameters, as the risk
related to parameters is typically that the parameters are not input correctly by the
user (e.g., the user may input the wrong date range when running a report), which
is not a RAIT (see the Information Produced by the Entity Guide for additional
information on testing parameters).

For example, management has a monthly control whereby the credit manager reviews an exception
report listing new and deleted customers, shipping address changes, etc. The source data includes
information from the customer master file. Although this source data originated in the entity’s
application system, it is subsequently transferred to a data warehouse, and it is from this data
warehouse and associated report writer that the exception report is generated. Therefore, in this case,
the report logic that identifies the exceptions also resides in the report writer. See below for potential
RAITs in this example.

Potential RAITs related to source data:


• Users have access privileges in the application system beyond those necessary to perform their
assigned duties, which may result in inappropriate modifications to the data in the application
system (in which case it would also be incorrect in the data warehouse).

• Inappropriate changes were made to the interface between the application system and the data
warehouse, which may result in the data being transferred incorrectly or incompletely from the
application system to the data warehouse.
• Users have access privileges in the data warehouse beyond those necessary to perform their
assigned duties, which may result in inappropriate modifications to the data in the data
warehouse.
• As data warehouses are primarily used for reporting purposes, user access to data warehouses is
often limited to read-only access. In this case, users would have the ability to run reports from the
data warehouse, but they would not be able to modify data housed within the data warehouse. If
we obtain audit evidence that all user access to a data warehouse is read-only, there would be no
risk of users inappropriately modifying data within the data warehouse, and therefore we may not
need to test certain controls over the data warehouse, such as the controls over adding,
modifying, and removing user access.

Potential RAIT related to report logic:


• When we consider the report logic, we may consider the risk that the report logic in the report
writer used to analyze data within the data warehouse to identify the exceptions that should be
included on the exception report was inappropriately changed, resulting in inaccurate or
incomplete reporting from the data warehouse.
• In addition, our testing of controls over report writers considers if access to modify the report logic
is restricted to key personnel and report changes follow the company’s change control process.
IT infrastructure

RAITs related to the IT infrastructure typically relate to the effect that issues within each of the
elements of the IT infrastructure may have on the application systems, data warehouses, and report
writers they support, including any data or automated controls residing in those systems or system-
generated reports created using information from those systems.
For example, inappropriate direct database access may allow for an unauthorized user to update or
alter previously posted transactions, bypass application-level access controls, or introduce errors that
affect the reliability of data.
For example, ineffective operating system access controls may allow for an unauthorized user to
modify program executable files, which may affect the reliability of automated controls (e.g.,
calculations) and data in reports.
For example, incorrect changes to network configurations may disrupt data transfers between
systems and affect the accuracy and completeness of financial transactions.
RAITs related to IT infrastructure are typically addressed through the entity’s GITCs (see Section 6.5).
Interfaces and middleware

RAITs related to interfaces typically include the risk that data is transferred incorrectly or incompletely
between systems. The entity may address these risks through interface controls, which may be
controls related to risks of material misstatement (e.g., reconciliations between data outputs from one
system and inputs into the subsequent system) or GITCs (e.g., automated interface controls, such as
job scheduling and the monitoring of job completion).

In addition to the risk related to the incorrect or incomplete transfer of data between systems that
exists for most interfaces, there may be additional risks associated with middleware given that
middleware typically performs additional functions beyond a simple transfer of data from one system
to the next. The specific RAITs and controls related to a particular piece of middleware depend on the
functions being performed by the middleware.
For example, a mortgage banking entity may have multiple third parties originating loans in different
application systems. Each of these application systems would interface its loans through a common
middleware, which would reformat the diverse loan data formats into a common field layout prior to
interfacing with the loan servicing application. In this case, there may be a RAIT that inappropriate
changes were made to the middleware, which may result in errors occurring in the reformatting
process performed by the middleware. Controls to address this risk may exist in the middleware (e.g.,
automated balancing controls, such as header/trailer records that have a hash total that is compared
to the sum of the detail records as transactions are passed across the middleware), or there may be
reconciliation controls between the applications originating the loans and the loan servicing
application.
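The header/trailer balancing control described above, as an added example that is not code from the guide or from any entity's middleware: two constructed originator layouts are reformatted into a common layout, and the receiving side reconciles the trailer's record count and hash total with the detail records it actually received, so a record dropped or an amount altered in transit is flagged. Record layouts, batch identifiers, and amounts are constructed.

```python
from decimal import Decimal


class BalancingError(Exception):
    """Raised when a batch fails the record-count or hash-total check."""


# --- Middleware side: reformat diverse originator layouts into one common layout ---
def normalize_originator_a(line):
    """Originator A (constructed layout): 'loan_id,amount' with a decimal point."""
    loan_id, amount = line.split(",")
    return loan_id.strip(), Decimal(amount.strip())


def normalize_originator_b(line):
    """Originator B (constructed layout): 'amount_in_cents;loan_id'."""
    cents, loan_id = line.split(";")
    return loan_id.strip(), (Decimal(cents.strip()) / 100).quantize(Decimal("0.01"))


def build_batch(batch_id, details):
    """Emit the common layout: H|batch_id, one D|loan_id|amount per record, and a
    trailer T|record_count|hash_total computed from the details being sent."""
    amounts = [Decimal(str(amt)) for _, amt in details]
    lines = [f"H|{batch_id}"]
    lines += [f"D|{loan_id}|{amt}" for (loan_id, _), amt in zip(details, amounts)]
    lines.append(f"T|{len(details)}|{sum(amounts, Decimal('0'))}")
    return "\n".join(lines)


# --- Receiving side: the automated balancing control ---
def parse_batch(text):
    """Return (batch_id, [(loan_id, Decimal amount), ...]); raise BalancingError
    if the trailer's record count or hash total disagrees with the detail records."""
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) < 2 or not lines[0].startswith("H|") or not lines[-1].startswith("T|"):
        raise BalancingError("missing header or trailer record")
    batch_id = lines[0].split("|", 1)[1]
    details = []
    for line in lines[1:-1]:
        tag, loan_id, amount = line.split("|")
        if tag != "D":
            raise BalancingError(f"unexpected record type {tag!r}")
        details.append((loan_id, Decimal(amount)))
    _, count, hash_total = lines[-1].split("|")
    if int(count) != len(details):
        raise BalancingError(f"record count {count} != {len(details)} detail records")
    actual = sum((amt for _, amt in details), Decimal("0"))
    if Decimal(hash_total) != actual:
        raise BalancingError(f"hash total {hash_total} != sum of details {actual}")
    return batch_id, details


def check_batch(text):
    """Convenience wrapper: None when the batch balances, otherwise the exception text."""
    try:
        parse_batch(text)
    except BalancingError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed originator feeds in two different layouts.
    from_a = ["L-1001, 100.00", "L-1002, 250.50"]
    from_b = ["7525;L-2001"]
    common = [normalize_originator_a(l) for l in from_a] + [normalize_originator_b(l) for l in from_b]
    batch = build_batch("B20170901", common)
    print(check_batch(batch))  # balanced batch: None
    # A detail record lost in transit: the trailer count no longer agrees.
    lost = "\n".join(l for l in batch.splitlines() if not l.startswith("D|L-1002"))
    print(check_batch(lost))
    # An amount altered in transit: the count agrees but the hash total does not.
    altered = batch.replace("D|L-2001|75.25", "D|L-2001|57.25")
    print(check_batch(altered))
```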

Service organizations

The RAITs related to systems used by service organizations to perform business processes relevant to
financial reporting and systems administered or hosted by service organizations on behalf of the user
entity are similar to the RAITs that exist within the user entity’s own IT environment.
For example, if the service organization is using an application system to process payroll transactions
for the user entity, the RAITs that may be relevant to our audit include the RAITs related to the
application system and the related IT infrastructure, which would be similar to the RAITs related to
those technology elements described earlier in this section.

6.4.3 Assess RAITs


For the purposes of assessing RAITs, we determine whether each RAIT is classified as lower, higher,
or significant. Significant risks are those risks that require special audit consideration.
For example, the entity experienced a new large scale system implementation in the current year
and there were various accounting process issues and known control failures occurring as a result of
the system implementation. Due to the significance and effect on multiple ABCoTDs, the RAIT is
considered to be significant.

Note that there may be situations where the application and related infrastructure, its GITCs, or
individual RAITs are not relevant for purposes of our audit. Our RAIT risk assessment plays an
important role in designing further audit procedures that are responsive to the identified RAITs. The
determination that a RAIT is lower or higher or significant affects the persuasiveness of the audit
evidence that we plan to obtain from our tests of controls.
Figure 6.11 – RAIT risk assessment overview

RAIT risk considerations drive assessment of the RAIT as lower, higher or significant. Figure 6.12
demonstrates the lower and higher spectrum of significance in order to provide perspective on how to
apply the RAIT risk considerations when assessing the RAIT. Conclusions on RAIT risk classification are
based on professional judgment. Note that there may be other factors that could affect the RAIT risk
assessment, such as considerations unique to the entity or the industry the entity operates in.

Figure 6.12 – RAIT considerations

RAIT consideration / May indicate a lower RAIT / May indicate a higher RAIT

Relevancy to financial reporting considerations

Pervasiveness to the business and financial reporting
  Lower: Stand-alone system affecting small number of related ABCoTDs
  Higher: ERP system that affects multiple ABCoTDs

Source data
  Lower: Low volume of data or simple data
  Higher: Large volume of data or complex data

Automated controls
  Lower: Small number or simple relevant automated controls
  Higher: Large number or complex relevant automated controls

Automated report logic
  Lower: Simple relevant automated report logic in information produced by the entity (IPE) or
  information used in a control (IUC)
  Higher: Complex relevant automated report logic in IPE or IUC

Highly automated, paperless processing
  Lower: Not a relevant factor
  Higher: Is a relevant factor

Data inputs and interfaces
  Lower: Small number of data inputs or simple interfaces
  Higher: Large number of data inputs or complex interfaces

History of error in financial reporting related automation
  Lower: No history of error in automated calculations or automated controls
  Higher: History of error in calculations or automated controls

Technology platform considerations

Technology platform or architecture
  Lower: Mature and stable mainframe, small or simple client server, software as a service cloud
  Higher: Complex mainframe, large or complex client server, web-facing, infrastructure as a
  service cloud

End user access
  Lower: Small number with ‘update’ access to financial reporting
  Higher: Larger number with ‘update’ access to financial reporting

Type of application
  Lower: Purchased application with little or no customization
  Higher: Custom developed application

Number and nature of changes
  Lower: Mature or small number or simple changes, traditional systems development life cycle
  Higher: New or large number or complex changes, agile development

Data conversion (if applicable)
  Lower: Minor version upgrade, limited data being converted
  Higher: Major version upgrade, new release, platform change

Usage of systematic jobs
  Lower: Limited number or simple jobs that affect financial data
  Higher: High number or critical jobs that affect financial data

Complexity of security
  Lower: Simple, role-based security
  Higher: Complex security model

Third party hosting / sourcing
  Lower: Competent, mature, proven provider
  Higher: New or start-up provider, lack of skills

*Considerations for Significant RAITs are not included in Figure 6.12.

RAIT risk conclusions would typically be documented at the system level in the list of applications,
data warehouses and report writers that are relevant for the audit. Figure 6.13 contains examples of
the documentation to support the risk assessment rationale. Documentation is to be supported by
sufficient appropriate audit evidence as risk assessment procedures are audit procedures. IT
specialists carefully consider the results from design and operating effectiveness testing as they inform
our RAIT risk assessment. For example, if we originally concluded a system’s RAIT risk assessment
was lower due to a small volume of simple changes, but later, due to the introduction of new business
requirements, we observe a large volume of complex changes during operating effectiveness testing,
we would need to reconsider our original RAIT risk assessment and the related effect on our audit.

Note that only key RAIT considerations driving the RAIT risk assessment are documented in the
rationale for RAIT risk assessment. It is not expected that each RAIT risk consideration in the table
above would be documented.
Figure 6.13 – Documentation examples of RAIT risk assessment

System: ATAM
Description: Advanced Treasury Management (ATAM) is a Treasury Management System for trading,
treasury, loan administration, securitization, cash management, regulatory standards compliance, and
accounting applications.
RAIT risk assessment: Lower
Rationale for RAIT risk assessment:
Relevancy to financial reporting considerations:
• This is a stand-alone system affecting a small number of related account balances (cash and
  debt). There are no relevant automated controls.
• There is relevant data, however it is not complex and represents a low volume of data.
• There are various reports generated from the system that are considered to be IUC, however this
  includes a relatively low number of reports that lack complexity.
• There are a small number of users (approximately 100) with update access to the system as
  evidenced in access listings.
Technology platform considerations:
• It is a purchased application with little customization, which does not change frequently, as
  evidenced by the small volume of changes.
• The entity does not have access to the source code, as evidenced by installation of only
  executable program files, so updates to the system involve the installation of vendor patches.
• The infrastructure hosting is outsourced to a reputable third party.
• The system has been used by the entity for several years and operates under a mature, stable
  control environment, and experienced leadership and staff.

System: CODMAR
Description: Complete Goods Order Data Management & Reporting System (CODMAR) tracks an order
from the point of order coming in, the process of building machine in assembly line, shipping of the
completed machine, and creation of invoices.
RAIT risk assessment: Higher
Rationale for RAIT risk assessment:
Relevancy to financial reporting considerations:
• CODMAR is a custom developed application. There is dependency on several automated controls,
  system generated reports, and related data.
Technology platform considerations:
• Although the system is mature, we observed there is a high number of changes made throughout
  the year, as evidenced by change ticket volume.

System: FAS
Description: FAS (Fixed Assets System) is a purchased application used to track assets for property
and calculate depreciation.
RAIT risk assessment: Lower
Rationale for RAIT risk assessment:
Relevancy to financial reporting considerations:
• This is a stand-alone system that is specific to fixed assets.
• There is only one relevant automated control (depreciation calculation).
• There is relevant data, however it is not complex and represents a low volume of data.
• There are various financial reporting reports generated from the system and considered to be IUC,
  however this includes a relatively low number of reports that lack complexity.
Technology platform considerations:
• There are a small number of users with update access to the system, as evidenced in access
  listings.
• It is a purchased application with little customization, which does not change frequently, as
  evidenced by a low volume of change tickets.
• The entity does not have access to the source code, as evidenced by installation of only
  executable program files, so updates to the system involve the installation of vendor patches.
• The system has been used by the entity for several years and operates under a mature, stable
  control environment, and experienced leadership and staff.

System: SAP ECC
Description: SAP ECC Landscape (ERP system with several modules)
RAIT risk assessment: Higher
Rationale for RAIT risk assessment:
Relevancy to financial reporting considerations:
• The SAP system is an ERP that includes several modules.
• Due to the pervasive use of the system, there are a large number of users with access.
• There is a large volume of data initiated and maintained within SAP.
• There are a large number of reports generated from SAP that are considered to be IUC.
Technology platform considerations:
• The security model associated with SAP is complex.

The RAIT risk considerations described in Figure 6.12 are initially evaluated at the system level
(application, data warehouse, or report writer and its related infrastructure). In many cases, the
system-level risk classification of lower, higher, or significant will be cascaded down to all of the
identified risks arising from IT. However, given this is a principles based framework with flexibility for
judgement based on the specific facts and circumstances, it is possible that there is a different RAIT
risk classification when considering a specific RAIT.
For example, a system has been classified as higher as part of the risk assessment based on
consideration of various factors described in Figure 6.12. The IT specialist further considered the
system when assessing the RAIT related to network (The network does not adequately prevent
unauthorized users from gaining inappropriate access to information systems.) and determined that
the entity’s system is not web facing, as they do not conduct business with external parties through a
public network. They considered how this lowers the potential exposure associated with users outside
of the entity’s internal Local Area Network (LAN) gaining inappropriate access to the system and
determined the RAIT associated with network is lower risk and proceeded to identify and test a control
related to user authentication for the LAN, which uses Active Directory.

Additionally, it is possible that the RAIT risk classification will be different for the application as
opposed to the infrastructure, when considering in context of the related risk.
For example, operating system security is being tested for mainframe Z/OS, which supports multiple
applications that are classified as higher and lower risk. A lower risk classification was determined to
be appropriate for the operating system layer RAITs. This was mainly because the mainframe has been
used by the entity for several years, does not change frequently, has a mature security model, and
operates under a mature, stable control environment with experienced leadership and staff.

Similarly, for common controls that encompass multiple technologies that have different risk
classifications, professional judgment is applied (with consideration of factors in Figure 6.12) to
determine the appropriate risk classification.

For example, change management is being tested as a common control that encompasses
multiple technologies. The risk classification for each of the technologies varies, as some
are considered lower and some are higher. The IT specialist determined that a higher risk
classification is appropriate. This was mainly due to the high number of changes in the
testing population.

6.5 Understand, identify, and evaluate relevant general IT controls
The process for identifying relevant controls, evaluating design and determining implementation,
testing operating effectiveness, and performing rollforward procedures is essentially the same for
general IT controls and for controls that directly address risks of material misstatement. However, this
section provides an overview of certain unique considerations related to these processes as they relate
to general IT controls.
Figure 6.14

[Figure 6.14: Diagram linking the material classes of transactions, account balances, and disclosures (balance sheet, income statement, cash flow, notes, other disclosures) to the relevant flows of transactions (processes) (Flow of Transactions A, B, and C), and those to the IT environment. The IT environment shows the relevant application systems, data warehouses, and report writers (Application A, Application B, Data Warehouse A) sitting on the IT infrastructure (database, operating system, network). General IT control areas listed alongside: data center and network operations; access security; system change control. Criteria for identifying relevant application systems, data warehouses, and report writers: data; automated controls; system generated reports; substantive procedures alone cannot provide sufficient appropriate audit evidence.]
6.5.1 Understand and identify general IT controls


General IT controls are the policies and procedures that serve to support the effective functioning of
applications, including the effective operation of automated controls embedded in the applications, the
integrity of reports generated from the applications, and the security of data housed within the
applications. They are organized into the following areas:
• Data center and network operations – General IT controls related to data center and network
operations include controls to provide for the integrity of information as it is processed, stored, or
communicated by the relevant aspects of the IT infrastructure.
For example, physical controls over the system prevent inappropriate override of logical access
controls at the application, database and operating system layers.
• Access security – General IT controls related to access security include logical access controls to
prevent or detect unauthorized use of, and changes to, data, systems, or programs, including the
establishment of system-based segregation of duties.
For example, an effective security administration function supports the continued effective
functioning of application controls that restrict access.
For example, effective access controls support the reliability of source data used in automated
reports, such as the sales data used to create a report of invoices in excess of an established
threshold.
• System change control – General IT controls related to system change control include controls
within the following categories:
- Program change: Controls to provide assurance that changes to the application systems and
database management systems are implemented in a controlled manner.
- System software acquisition, change, and maintenance: Controls to provide assurance that
network and communication software, systems software, and hardware are effectively
acquired, changed, and maintained.
- Application system acquisition, development, and maintenance: Controls to provide assurance
that application systems and database management systems are effectively acquired,
developed, implemented, and maintained. System change controls address implementation
and integration of programs or systems within the IT environment to verify the integrity of
processing, performance, and controls over the computerized application systems that it
supports.
For example, effective program change controls support the continued effective operation of
automated application controls, such as a three-way match.
For example, effective program change controls support the continued effective operation of
the programs responsible for creating certain automated reports from the entity’s application
systems, such as an accounts receivable aging report.

As depicted in Figure 6.15 below, general IT controls may be structured such that there are similar
controls in place for some of the general IT controls across the technology elements. This may allow
for efficiency in testing by applying a common control testing strategy.
For example, the entity may have implemented an entity wide change management process,
which is used to control changes at the application system, database, operating system, and
network layers. In this case, we may be able to test this control as a common control across all 4
IT elements.
For example, the entity may use Active Directory to facilitate single sign-on for all applications.
In this case, we may test Active Directory authentication once to address the authentication
control for all relevant applications.
Figure 6.15

[Figure 6.15: Matrix of general IT control areas (access security; system change control; data center and network operations) against technology elements (application, database, operating system, network), showing that a control in one area may be common to several technology elements.]
The following is the guidance in DTTL AAM 12200.113 and 12200.96.

DTTL AAM Literature
In understanding the entity’s control activities, the auditor shall obtain an understanding of how the
entity has responded to risks arising from IT. [DTTL AAM 12200.113]

General IT controls are policies and procedures that relate to many applications and support the
effective functioning of application controls. They apply to mainframe, miniframe, and end-user
environments. General IT controls that maintain the integrity of information and security of data
commonly include controls over the following:
• Data center and network operations.
• System software acquisition, change and maintenance.
• Program change.
• Access security.
• Application system acquisition, development and maintenance.
They are generally implemented to deal with the risks referred to in paragraph 142 above.
[DTTL AAM 12200.96]

Note
Within EMS under the ‘Risk Strategy View’ and the subcategory ‘Risk Arising from IT’, illustrative
examples of common risks arising from IT and general IT controls to address such risks are available.

The IT specialist identifies relevant general IT controls commensurate with the assessed RAIT
associated with a system supporting an ABCoTD/assertion, considering the individual RAIT risk
considerations (See Section 6.4.3). IT specialists are expected to follow the guidance in the Form
1860 practice aid and the technology specific frameworks when identifying controls to test and for
specific testing steps. As shown in Figure 6.11, we would typically expect more GITCs and more
persuasive evidence for higher RAIT systems and less for lower RAIT systems.

IT specialists evidence procedures and conclusions related to RAIT risk assessment and the controls
identified for testing in the IT working papers.
For example, based on consideration of the risk factors in Figure 6.12, the system RAIT risk
classification for a relevant fixed assets application was concluded to be lower. The following RAIT
related to change management was identified: “Inappropriate changes are made to application systems
or programs that contain relevant automated controls and/or report logic.” The system is a
commercial off-the-shelf (COTS) application, as evidenced by only executable code being installed. As
the entity does not have source code installed, no custom program changes are made by the entity. The
software vendor makes program changes as part of their software package available to customers via
system patches or upgrades. The engagement team inspected system generated reports used in
management’s controls and confirmed the entity uses standard reports that are delivered with the
software package. The depreciation calculation was identified as a relevant automated control, which
is embedded within the code delivered with the software package. There were no related
configurations associated with the automated control; hence, configuration changes are not applicable.
The IT specialist identified and tested the following control related to the evaluation and installation of
vendor updates: “Application changes are appropriately tested and approved before being moved into
the production environment.” Since the entity does not have source code to make changes, the IT
specialist determined that access to implement changes and its segregation from development is not a
relevant control.
For example, based on consideration of the risk factors in Figure 6.12, the RAIT risk classification for
the entity’s ERP system (which includes the general ledger) is higher. In addition, the entity has a
separate stand-alone revenue system that is also classified as higher. The following RAIT was
identified related to backups: “Financial data cannot be recovered or accessed in a timely manner when
there is a loss of data.” All of the entity’s systems are backed up and replicated to a secondary data
center on a daily basis. The stand-alone revenue system transfers detailed records to the ERP system
on a daily basis. This was evidenced through testing of the control related to the sub-ledger to general
ledger reconciliation. Considering the revenue system transfers financial information to the ERP
system, there is a low probability that the entity would be unable to recover or access financial data
from this system. The IT specialist identified and tested the following control related to backup
configuration and replication for the ERP system: “Financial data is configured to be backed up on a
regular basis according to an established schedule and frequency.” The IT specialist concluded they
did not need to test the backup configuration for the stand-alone revenue system as the revenue data
is being transferred to the ERP system on a daily basis and therefore the backup processing
relevant to addressing the RAIT occurs in the ERP system.

Once GITCs are selected for testing, the IT specialist follows the sample size guidance for lower,
higher, or significant RAIT, following the same sample size tables as for risks of material
misstatement.

6.5.2 Evaluate design and determine implementation of relevant general IT controls


In the context of general IT controls, in addition to the factors described in Section 2.5 above, our
evaluation of design and determination of implementation of general IT controls may include factors
such as:
• Whether any specialized IT knowledge, training, experience, or IT certifications would be required
to perform the control.
For example, SAP security controls are complex and require significant knowledge and
experience in the SAP Basis administration area. There are many access paths available in SAP
and without appropriate competency in SAP the controls may not be designed, implemented or
operated properly. As part of our design evaluation, we need to evaluate the competency of the
control operator in light of the technology being controlled.
• The consistency of the entity’s controls with industry standards.
For example, a common general IT control related to access security is the use of unique user
IDs and passwords to access application systems, including system-enforced password
requirements, such as minimum password length and complexity. An entity may have a policy
establishing its password requirements, but we may determine that these requirements are not
consistent with industry standards for “strong passwords” (i.e., passwords structured to be of a
particular length, complexity, and unpredictability to reduce the likelihood that the passwords can
be guessed or “cracked” by an attacker).
For example, the entity may require passwords but they may not have a requirement that
passwords be changed periodically (e.g., every 90 days).

Based on the procedures we perform to evaluate design and determine implementation of general IT
controls, we assess and, using our professional judgment, determine whether the design of the
relevant general IT controls addresses the related risk arising from IT. Design evaluation and
implementation determination procedures are performed during the planning stage of our audit as the
results of these procedures are an input into our risk assessment and substantive procedures.
Typically, we would complete the procedures to evaluate design and determine implementation in
tandem with a “walkthrough” of these controls.

If we are performing a recurring audit and the prior year control deficiencies have not been
remediated, the engagement team does not need to complete procedures to evaluate design and
determine implementation for those specific controls that remain deficient. The team evaluates these
control deficiencies following the guidance below in Section 6.6 and Section 6.7.
Considerations when evaluating design and determining implementation only

When applications, data warehouse, or report writers and their general IT controls are relevant but we
do not intend to rely upon them in determining the nature, timing, and extent of substantive
procedures, we are required to identify and understand those general IT controls considered necessary
to assess risks and plan further audit procedures. General IT controls in this scenario may include:
• Controls that address significant risks (although typically general IT controls do not directly
address a significant risk in its entirety).
• Any other general IT controls related to relevant applications that we believe are necessary to
understand in order to appropriately address risks arising from IT and plan further audit
procedures. When we are not relying on general IT controls, we would generally identify fewer
relevant general IT controls than if we were relying on general IT controls.

Considering the risks arising from IT in DTTL AAM 12200.142 (and listed in Section 6.4 above), the
general IT control areas that are more likely to be relevant when not planning to rely on the operating
effectiveness of controls in determining the nature, timing, and extent of substantive procedures are
(1) authentication (e.g., password) controls, (2) user access review controls, and (3) change
management controls at the application and database layers, but may include other general IT control
areas depending on the IT environment and our professional judgment.
For example, if we are not relying on general IT controls (i.e., evaluating design and determining
implementation only), the authentication, user access, and change controls at the application and
database layers may be relevant but not at the operating system and network layers because (1) the
entity’s IT department is not sophisticated and therefore IT personnel do not typically make changes
at the operating system and network layers and (2) operating system and network changes are
limited to application of patches or regular upgrades from vendors. In this case, risks arising from IT
at the operating system and network layers are generally not likely to be relevant.

When determining implementation of a general IT control, audit evidence about the implementation of
the general IT control may include inquiring of entity personnel, plus one or more of the following:
observing the application of specific controls, inspecting documents and reports, or tracing
transactions through the information system relevant to financial reporting. Performing a
walkthrough of the process and control is an effective approach to achieving this audit objective.

6.5.3 Plan the nature, timing, and extent of tests of operating effectiveness of general IT
controls
This section addresses specific considerations for planning our tests of the operating effectiveness of
general IT controls.
Assess the risk associated with general IT controls

Refer to Chapter 3 for guidance on assessing risk associated with the control for all controls. The
following content supplements the guidance in Chapter 3 with examples specific to GITCs.
Risk associated with control is higher
• If there is a history of control deficiencies related to new user access not being appropriately
approved by management, we may determine there is a higher risk that the controls over
management approval of user-access privileges for new and modified user access are not
effective.
• If there have been changes to the entity’s IT environment that could adversely affect the design
and operating effectiveness of the GITCs, we may assess the risk associated with the affected
GITCs as higher.
For example, if the entity converted data into a new database as part of a system upgrade,
multiple material ABCoTDs may be affected. In addition, the process to convert data typically
requires manual intervention (e.g., to map the data). If the data conversion was not performed
appropriately, the data being relied upon for material ABCoTDs may not be accurate and
complete. These factors may lead us to conclude that the risk associated with the system change
controls (including data conversion controls) is higher.
• When assessing the risk associated with system change controls (e.g., approval and testing of
system changes), we consider if controls over access to implement changes into production (e.g.,
access to make changes to systems and promote these changes to the production environment is
segregated) are operating effectively. If the related access controls are not operating effectively,
we may determine there is a higher risk associated with the system change controls.
Risk associated with control is not higher
• There is generally not a higher risk associated with GITCs that have an automated component
when the other related GITCs are operating effectively.
For example, system password parameters, which are GITCs with an automated component, are
configurable settings that are not changed on a frequent basis. If other related GITCs, such as
those related to appropriately restricting access to modify the system password parameters, are
operating effectively, we may conclude that the risk associated with the system password
parameter control is not higher.
• If the entity has implemented an effective monitoring control whereby user access privileges are
reviewed by business owners on a quarterly basis, we may determine that the risk associated with
the lower-level controls monitored by this control (e.g., approval of the extent of user access
privileges for new employees, approval of modifications to user access privileges for existing
employees, and timely deactivation of user accounts for terminated employees) is not higher.
• When assessing risk associated with system change controls, we may consider if controls over
access to implement changes into production are operating effectively. If the access controls are
operating effectively and there are no other relevant factors (e.g., significant changes to the
entity’s IT environment, such as implementation of a new ERP system), we may determine that
the risk associated with the system change controls is not higher.
Sample selection

When we are selecting samples to test general IT controls, we typically follow the same sampling
guidance as for business control testing. However, we may consider the need to balance our selections
such that each item in the population has a chance of selection with the need to apply judgment to
include in our selection for testing certain items that are particularly significant to the entity’s IT
environment and the audit.
For example, to test the entity’s controls over changes to its application system, we may obtain a
system-generated listing of all changes made during the period, and make a selection of changes from
the list based on our sample size guidance. However, based on our walkthroughs of transactions
through the application systems and other inquiries with entity personnel and our knowledge of the
entity’s IT environment, we may be aware that the entity performed a significant system upgrade to
its application system during the audit period, and this upgrade was not one of the changes we
selected for testing. Due to the significance of such a change to the entity’s IT environment, we may
use our judgment to determine that it would be appropriate to purposefully select such a change for
testing.
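The selection approach just described (a random draw from the system-generated change listing, plus judgmental inclusion of a significant change that the draw missed), as an added Python example; it is not part of this guide and not a DTTL tool. The change listing, the ticket identifiers, the sample size and the `is_significant` criterion are constructed assumptions, and the guide's own sample size tables are not reproduced.

```python
"""Added example (not from this guide): selecting system changes for testing.

Every ticket in the system-generated change listing has a chance of random
selection; changes judged significant to the IT environment (here, a full
application upgrade) are added purposefully if the random draw missed them.
The listing, sample size and significance criterion are constructed assumptions;
the guide's sample size tables are not reproduced here."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    description: str
    change_type: str  # constructed categories: "patch", "configuration", "upgrade"


# Constructed change listing for the audit period (sample data, not from any entity).
CHANGE_LISTING: Tuple[ChangeTicket, ...] = (
    ChangeTicket("CHG-1001", "Apply vendor patch 4.2.1", "patch"),
    ChangeTicket("CHG-1002", "Update tax rate table", "configuration"),
    ChangeTicket("CHG-1003", "Add new GL account range", "configuration"),
    ChangeTicket("CHG-1004", "Apply vendor patch 4.2.2", "patch"),
    ChangeTicket("CHG-1005", "Change invoice numbering format", "configuration"),
    ChangeTicket("CHG-1006", "Apply vendor patch 4.2.3", "patch"),
    ChangeTicket("CHG-1007", "Upgrade application from 4.2 to 5.0", "upgrade"),
    ChangeTicket("CHG-1008", "Enable new report variant", "configuration"),
)


def is_significant(ticket: ChangeTicket) -> bool:
    """Judgmental criterion (assumed): a full application upgrade is significant
    enough that we want it in the sample regardless of the random draw."""
    return ticket.change_type == "upgrade"


def select_sample(listing: Sequence[ChangeTicket], sample_size: int,
                  seed: Optional[int] = None) -> Tuple[List[ChangeTicket], List[ChangeTicket]]:
    """Return (sample, purposeful): sample is the random draw plus any significant
    tickets the draw missed; purposeful lists exactly those judgmental additions."""
    if not 0 < sample_size <= len(listing):
        raise ValueError("sample size must be between 1 and the population size")
    rng = random.Random(seed)  # seeded only so the draw can be reproduced in the working papers
    random_part = rng.sample(listing, sample_size)
    drawn = {t.ticket_id for t in random_part}
    purposeful = [t for t in listing if is_significant(t) and t.ticket_id not in drawn]
    return list(random_part) + purposeful, purposeful


def selection_record(sample: Sequence[ChangeTicket],
                     purposeful: Sequence[ChangeTicket]) -> Dict[str, str]:
    """Working-paper record of the basis for each selection (random or judgmental)."""
    added = {t.ticket_id for t in purposeful}
    return {t.ticket_id: ("judgmental" if t.ticket_id in added else "random") for t in sample}


if __name__ == "__main__":
    sample, purposeful = select_sample(CHANGE_LISTING, sample_size=3, seed=2017)
    for ticket_id, basis in selection_record(sample, purposeful).items():
        print(ticket_id, basis)
```

The record returned by `selection_record` is what the working paper needs: it shows that every item in the listing had a chance of selection and identifies which items were added by judgment, so the judgmental additions are not mistaken for part of the random sample when evaluating deviations.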
Identifying the population to test — (Information produced by the entity)

We test information produced by the entity that we use to perform our tests of general IT controls by
either directly testing the accuracy and completeness of the information produced by the entity or
testing controls over the preparation and maintenance of the information produced by the entity. The
most common information produced by the entity that is relevant to our testing of general IT controls
is information produced by the entity we use to establish the population for our testing of user access
(access security) and system change controls.
Completing mitigating procedures when control deficiencies are identified

In certain circumstances, when we identify a deficiency in general IT controls that we are relying on,
our next step may be to perform “mitigating procedures” to determine whether the unaddressed risk
arising from IT was exploited.
For example, if users have unauthorized access to the system but we obtain evidence that those
specific users did not actually log on to the system during the period of unauthorized access, the
potential exposure of the control deficiency is mitigated and therefore we may conclude that the risk
arising from IT related to the general IT control deficiency is mitigated. Therefore, our plan to rely on
the operating effectiveness of controls in determining the nature, timing, and extent of substantive
procedures remains appropriate, despite the identified general IT control deficiency.
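The mitigating procedure described above (checking whether each user with inappropriate access actually exercised it during the exposure window), as an added Python example that is not part of this guide. Section 6.6.1 below gives the same procedure for terminated employees' last-login details and for developers who can both make and move program changes, and the two cases in the code follow those examples. User IDs, dates, action names and the log extracts are constructed assumptions. The check refuses to conclude when the log extract does not cover the full exposure window, which reflects the requirement that mitigating procedures address the full audit period.

```python
"""Added example (not from this guide): mitigating procedures for an access-related
general IT control deficiency. Given the full population of exceptions and a
system log extract, determine for each exception whether the inappropriate
access was actually exercised during the exposure window.

All identifiers, dates and log entries below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class AccessException:
    """One item from the full population of exceptions (not a sample)."""
    user_id: str
    exposure_start: date  # first day the access was inappropriate
    exposure_end: date    # last day of the audit period


@dataclass(frozen=True)
class ActivityEvent:
    """One line of a system log (login audit trail, transport log, ...)."""
    user_id: str
    occurred_at: datetime
    action: str


@dataclass(frozen=True)
class LogExtract:
    """A log extract provided by management: information produced by the entity,
    so the period it covers is recorded and checked before relying on it."""
    covers_from: date
    covers_to: date
    events: Tuple[ActivityEvent, ...]


AUDIT_PERIOD_START = date(2017, 1, 1)
AUDIT_PERIOD_END = date(2017, 12, 31)

# Case 1 (constructed): terminated employees still holding revenue application access.
TERMINATED_USERS = (
    AccessException("jdoe", date(2017, 3, 15), AUDIT_PERIOD_END),
    AccessException("asmith", date(2017, 6, 1), AUDIT_PERIOD_END),
)
REVENUE_APP_LOGIN_LOG = LogExtract(
    AUDIT_PERIOD_START, AUDIT_PERIOD_END,
    (
        ActivityEvent("jdoe", datetime(2017, 3, 10, 8, 5), "login"),      # before termination
        ActivityEvent("asmith", datetime(2017, 6, 20, 17, 42), "login"),  # after termination
        ActivityEvent("bjones", datetime(2017, 7, 1, 9, 0), "login"),     # not an exception
    ),
)

# Case 2 (constructed): developers who can both make and move changes.
DEVELOPERS_WITH_MOVE_ACCESS = (
    AccessException("dev01", AUDIT_PERIOD_START, AUDIT_PERIOD_END),
    AccessException("dev02", AUDIT_PERIOD_START, AUDIT_PERIOD_END),
)
TRANSPORT_LOG = LogExtract(
    AUDIT_PERIOD_START, AUDIT_PERIOD_END,
    (
        ActivityEvent("dev01", datetime(2017, 5, 2, 10, 0), "transport_create"),      # creating is expected
        ActivityEvent("basis01", datetime(2017, 5, 2, 11, 30), "transport_release"),  # moved by a separate person
    ),
)


def log_covers(exceptions: Iterable[AccessException], log: LogExtract) -> bool:
    """True only if the extract spans every exception's full exposure window."""
    return all(log.covers_from <= x.exposure_start and log.covers_to >= x.exposure_end
               for x in exceptions)


def exercising_events(x: AccessException, log: LogExtract,
                      actions: Set[str]) -> List[ActivityEvent]:
    """Events in which this user performed an action of interest inside the window."""
    return [e for e in log.events
            if e.user_id == x.user_id and e.action in actions
            and x.exposure_start <= e.occurred_at.date() <= x.exposure_end]


def evaluate(exceptions: Iterable[AccessException], log: LogExtract,
             actions: Set[str]) -> Dict[str, List[ActivityEvent]]:
    """Map every exception in the population to the events that exercised it.
    Refuses to conclude on an extract that does not cover the full window."""
    population = tuple(exceptions)
    if not log_covers(population, log):
        raise ValueError("log extract does not cover the full exposure window")
    return {x.user_id: exercising_events(x, log, actions) for x in population}


def exploited_users(results: Dict[str, List[ActivityEvent]]) -> List[str]:
    """Users whose inappropriate access was actually used; empty means mitigated."""
    return [user for user, hits in results.items() if hits]


if __name__ == "__main__":
    for label, population, log, actions in (
        ("terminated users / revenue app logins", TERMINATED_USERS, REVENUE_APP_LOGIN_LOG, {"login"}),
        ("developers / transport releases", DEVELOPERS_WITH_MOVE_ACCESS, TRANSPORT_LOG, {"transport_release"}),
    ):
        hits = exploited_users(evaluate(population, log, actions))
        print(f"{label}: {'exploited by ' + ', '.join(hits) if hits else 'not exploited (mitigated)'}")
```

Two points the code cannot settle on its own and that the auditor still has to evidence: that the population of exceptions is complete (it is tested in full, not sampled), and that the log extract itself could not have been altered by the users in question, which is the reason the developer example in Section 6.6.1 separately confirms the two users had no access to modify the transport logs.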

When we conclude that relevant general IT controls that we had not planned to rely upon are not
properly designed or implemented, we typically do not complete mitigating procedures, unless
specifically discussed and agreed with the audit engagement partner.

6.5.4 Perform rollforward procedures


See Section 3.4 above for considerations when we rollforward our conclusions on the operating
effectiveness of controls we have tested as of an interim date. These same considerations apply to
rollforward procedures for general IT controls we have tested as of an interim date.

If evaluating design and determining implementation only, we generally do not need to perform
rollforward procedures unless there was a significant change after our original design evaluation and
implementation determination procedures.

6.6 Conclude on risks arising from IT and determine the audit response
Due to the complexity and pervasiveness of general IT controls and their impact on the entity’s
financial reporting process as well as on our audit, this section provides supplemental guidance to
Section 2.5 and Section 3.6.

6.6.1 Concluding on risks arising from IT and determining the audit response when general
IT controls we planned to rely upon are deficient (e.g., audits where we are evaluating
design and testing operating effectiveness of controls)
When we conclude that relevant general IT controls that we had planned to rely upon are not designed
or operating effectively, we have three options for maintaining the plan to rely on the operating
effectiveness of controls in determining the nature, timing, and extent of substantive procedures. Any
one of these three options described below may be completed.
• Complete mitigating procedures;
With respect to completing mitigating procedures, we consider whether there are any procedures
that may be performed to obtain sufficient evidence that the risk arising from IT was not
exploited. These procedures can be performed by management or us. If performed by
management, we perform procedures to determine whether the mitigating procedures performed
by management provided sufficient evidence that the risk arising from IT was not exploited. When
such procedures can be performed and sufficient, persuasive evidence is obtained that the risk
arising from IT was not exploited, we may be able to conclude that the risk arising from IT is
mitigated for the financial statement audit. In such case, no modifications may be necessary to
the financial statement audit approach (e.g., a plan to rely on the operating effectiveness of
controls in determining the nature, timing, and extent of substantive procedures may be
appropriate because the risk arising from IT has been mitigated). When considering the
appropriateness of the mitigating procedures performed in response to the risk arising from IT, we
also consider whether information used to perform the mitigating procedures (e.g., information
produced by the entity) could have been compromised by the deficient general IT control. In addition,
the mitigating procedures are completed to address the full audit period.
The extent of mitigating procedures depends on the population of interest (e.g., the specific users
identified with inappropriate access or the specific program changes that were implemented that
were not subject to the appropriate change controls). Generally, we perform mitigating procedures
for each exception (e.g., each user with inappropriate access in the population, not the sample) to
determine whether the risk arising from IT was exploited. However, when the population of
interest (i.e., number of users, changes, items) becomes too large from a practical standpoint to
test all, consultation is encouraged.
When it is determined that an exploitation did occur, we determine the appropriate audit
response, including whether fraud was involved.
For example, if users have unauthorized access to the system (but not the system logs) and we
perform procedures to obtain sufficient and appropriate evidence that those specific users did not
actually log onto the system during the period of unauthorized access, the potential exposure of
the control deficiency is mitigated, and we may conclude that the risk arising from IT related to
the general IT control deficiency is addressed for the financial statement audit.
For example, the user access review control failed to identify ten users with inappropriate access
to post manual journal entries in the general ledger. The engagement team was able to use the
Journal Entry Testing Tool (an analytic tool used to test manual journal entries) to do a 100% test
of all manual journal entries to determine whether any of these ten users posted manual journal
entries. Given none of them actually posted manual journal entries, we may conclude that the risk
arising from IT related to the general IT control deficiency is addressed for the financial statement
audit.
For example, in a test of the preventative control to remove user access for terminated
employees wherein 100% of terminated employees were tested, fifteen terminated employees
were found with access to the company’s revenue application. The engagement team was
provided with evidence from management of the last login details for the accounts owned by the
terminated employees and the users did not log into the revenue application after their
termination dates. After performing appropriate procedures on management’s mitigating
procedures, we may conclude that the risk arising from IT related to the general IT control
deficiency is addressed for the financial statement audit.
For example, in a 100% test of the segregation of duties to make and move program and
configuration changes in SAP, we noted two IT developers who could both make and move
changes. This created a segregation of duties risk as program and configuration changes should be
reviewed and approved by a separate person prior to being moved to production. We
communicated the control deficiency to management and, to respond to this risk arising from IT,
management inspected the transport records within the system, noting that no program or
configuration changes were moved into production by these two users. Management further
obtained evidence that these two users did not have access to modify the transport logs. After
performing appropriate procedures on management’s mitigating procedures, we may conclude the
risk arising from IT related to this change management segregation of duties deficiency is
addressed for the financial statement audit.
OR
• Identify and test the operating effectiveness of alternate general IT controls;
We may consider whether there are any alternate general IT controls that address the risk arising
from IT affected by the general IT control deficiency. When such controls are identified, we
evaluate their design and test operating effectiveness. If we conclude the controls are designed
and operating effectively, we may conclude the risk arising from IT is addressed by the alternate
control and preserve our plan to rely on the operating effectiveness of controls in determining the
nature, timing, and extent of substantive procedures for the financial statement audit.
For example, if we find a general IT control deficiency in the end user access provisioning
control, but we find the company has an alternate control where end user access is reviewed each
quarter, if we test the end user access review control and we find it is operating effectively, we
conclude the risk arising from IT is addressed by this alternate control and we continue with our
plan to rely on the operating effectiveness of controls in determining the nature, timing, and
extent of substantive procedures as originally planned.
For example, a deficiency was noted in Unix operating system access control, which allowed
direct update access to configuration settings. We identified an alternate control where, on a
quarterly basis, IT management monitors the Unix security configuration settings using Tripwire
and corrects any configuration settings which are not set properly. This control would detect
inappropriate updates to the configuration settings allowed by the access deficiency and, if
inappropriate updates were noted, includes an evaluation of potential exploitation of the
inappropriate settings during the quarter. We tested the alternate general IT control and noted it
was operating effectively to address the same risk arising from IT. We concluded that the risk
arising from IT related to the Unix general IT control deficiency is addressed for the financial
statement audit by this alternate control.
For example, in testing access to modify the data dictionary in SAP ECC, five users were noted
with access that was not commensurate with their job responsibilities. In order to use the access,
the SAP client would need to be open. We identified and tested the general IT controls related to
management logging, approving and monitoring the opening and closing of the SAP client, and
determined these controls were operating effectively. As these controls were effective alternate
controls to address the risk arising from IT related to the data dictionary access, we concluded the
risk arising from IT is addressed for the financial statement audit.
For example, a control deficiency was noted as offsite third party developers were identified with
administrator access. These accounts could be used to deploy changes to production for the
revenue application. We identified and tested a control over remote access, where management
provided third party access on a time limited basis, only after reconciling requests to authorized
change records, and monitored the remote sessions. As this control was operating effectively, we
concluded the risk arising from IT related to the administrative access is addressed for the
financial statement audit.
OR
• Identify and test the operating effectiveness of direct and precise business controls.
These are controls that directly address risks of material misstatement. The paragraphs below
explain concepts to consider as we evaluate whether these controls address the risk arising from
IT.
We may consider whether there are direct controls to address the risk arising from IT of the
affected applications or systems. When these controls are not IT dependent (i.e., they do not rely
on the IT systems or reports) and they are at an appropriate level of precision, they may also
address a risk arising from IT. However, in highly automated environments, larger IT dependent
entities, or ERP environments, controls are often IT dependent (e.g., they depend on the system
functionality, the integrity of the data flowing through the system, or reports originating from the
system). In these circumstances, such controls typically are IT dependent and thus are likely
either affected by the risk arising from IT or not sufficiently precise to address an unaddressed risk
arising from IT related to the system functionality, the integrity of the data flowing through the
system, or the accuracy and completeness of reports coming from the system.
Circumstances in which a direct control is more likely to be appropriate or effective in addressing a
risk arising from IT include situations in which:
• The affected system data is reconciled to external sources (e.g., bank statements)
• The affected system data is reconciled to internal sources which are not affected by the control
deficiency (e.g., a separate system or data source)
• The output from the affected system (e.g., the data) is being reviewed or checked at the
transactional level (i.e., lower level detective controls, not “higher level” management review
controls).
Typically, a general IT control deficiency affects more than one class of transactions, account
balance, or disclosure and risk of material misstatement; accordingly, we make our evaluation of
the sufficiency of direct controls for each class of transaction, account balance, or disclosure and
risk of material misstatement supported by the application(s) that is affected by the unaddressed
risk arising from IT.
For example, assume an unaddressed risk arising from IT has been identified in the entity’s
general ledger system. If the sales account in the general ledger system is reconciled to its source
(i.e., the sales system, which is not affected by the control deficiency), then the reconciliation
control may be sufficiently precise to address the risk arising from IT.
For example, the user access review control failed to identify ten users with inappropriate access
to post manual journal entries in the general ledger. The engagement team tested the direct and
precise business mitigating control wherein management prepares and reviews a monthly
reconciliation of the general ledger to the subledgers and found it to be operating effectively.
Given the reconciliation control would detect inappropriate manual journal entries and the
individuals preparing and reviewing the reconciliations are not part of the ten users with
inappropriate access, we concluded the risk arising from IT is addressed by the account
reconciliation control.
For example, testing of the point of sale application for a retail entity identified a general IT
control deficiency wherein cashiers were inadvertently granted administrator access at retail
locations that was not necessary based upon their job responsibilities. Note that this access did
not allow the cashiers access to update sales pricing. The risk arising from IT was related to the
cash, receivables and revenue account balances. The team tested the daily sales business controls
which reconciled cash and credit card slips to both the bank statements and the general ledger,
and concluded the control was operating effectively and was direct and precise enough to identify
inappropriate cash or credit transactions if they were made by a cashier. We concluded the risk
arising from IT is addressed for the financial statement audit by this direct and precise business
control.
For example, testing of general IT controls over an automated interface between the core
banking system and the general ledger identified a design deficiency as management did not have
a control procedure to monitor the batch jobs and resolve data transfer errors. The engagement
team identified a direct and precise business mitigating control, a daily reconciliation conducted by
the finance team between the core banking system and the general ledger, to address the risk
arising from IT, which was tested and found to be operating effectively. As the reconciliation would
identify any discrepancies in data between the banking system and the general ledger, we
concluded the risk arising from IT is addressed for the financial statement audit by this direct and
precise business control.

Ultimately we consider whether, as a result of the procedures performed under one of the options
selected above, the risk arising from IT has been addressed. If so, we would be able to maintain our
plan to rely on the operating effectiveness of controls in determining the nature, timing, and extent of
substantive procedures.

If the risk arising from IT is not addressed, we typically consider the following actions (refer to Section
2.3 for specific examples):
• Reconsider our risk assessment
For example, as a result of our further understanding of the process and identification of
deficient relevant controls, we may identify additional risks of material misstatement or reassess
existing risks of material misstatement as significant risks.
For example, when there are significant concerns over system access controls, we may
reconsider whether one or more risks of material misstatement represent a significant risk of
fraud. In this evaluation, we may consider the potential for the override of controls, such as
through segregation of duties issues in application access.
• Modify the nature, timing, and/or extent of our substantive procedures
For example, perform tests of details as opposed to substantive analytical procedures, or use a
reduced threshold for substantive analytical procedures.
For example, perform our testing at year-end as opposed to an interim date.
For example, increase the substantive procedure sample sizes to those of non-control reliance.
For example, increase the extent of our direct tests of information produced by the entity. Note
that we could use analytic tools to independently recreate key reports from source data and
reconcile these to management’s reports.

Regardless of the results of our additional procedures performed to maintain the plan to rely on the
operating effectiveness of controls in determining the nature, timing, and extent of substantive
procedures, we would nevertheless evaluate the severity of the deficient general IT control. See
Section 6.7.

6.6.2 Concluding on risks arising from IT and determining the audit response when general
IT controls we had not planned to rely upon are deficient (e.g., audits where we are
evaluating design and determining implementation only of controls)
When we conclude that relevant general IT controls that we had not planned to rely upon are not
properly designed or implemented, we:
• Typically do not complete mitigating procedures, unless specifically discussed and agreed with the
audit engagement partner
• Evaluate the severity of the general IT control deficiency (see Section 6.7)
• Reconsider our risk assessments and consider the need to modify the nature, timing, and/or
extent of our substantive procedures

6.7 Evaluate the severity of each general IT control deficiency identified, individually and in
the aggregate
Due to the complexity and pervasiveness of general IT controls and their impact on the entity’s
financial reporting process and therefore on our communications to management and those charged
with governance, the guidance in this section is an IT supplement to Chapter 4.

6.7.1 Evaluating the severity of each general IT control deficiency identified individually
When we conclude that relevant general IT controls are deficient, in addition to the considerations in
Chapter 4 (where we evaluate whether control deficiencies constitute significant deficiencies in internal
control), we also consider the following in making a professional judgement as to the classification of
the control deficiency individually:
• Classify the general IT control deficiency as a ‘deficiency’ if there are alternate general IT controls
or direct and precise business controls that address the risk arising from IT; OR
• Consider higher level compensating controls that would prevent or detect a significant deficiency
in internal control.

6.7.2 Evaluating the severity of general IT control deficiencies in aggregate
To evaluate general IT control deficiencies in aggregate, in addition to the considerations in Section
4.3 (where we accumulate identified control deficiencies), we also consider the following factors in
making a professional judgement as to the classification of the control deficiencies in aggregate:
• Consider whether there are related control deficiencies or “themes” by type or nature of control
deficiency (e.g., access, segregation of duties, or change management).
• Considering all deficiencies in general IT controls, consider whether there are pervasive issues that
are indicative of a significant deficiency in the entity’s general IT controls.
• When we believe management is not devoting sufficient attention or resources to remediating
more severe or pervasive deficiencies or significant deficiencies in internal control in prior years,
we consider whether there may be deficiencies in other internal control components (e.g., the
control environment).
For example, an entity has multiple control deficiencies in user access that were individually
classified as deficiencies in internal control. However, because of the common theme of these
deficiencies in internal control (in this instance all related to user access), we may conclude that,
in aggregate, they are significant enough to warrant the attention of those charged with
governance (i.e., a significant deficiency in internal control).

6.8 Differences
The table below summarizes the differences in general IT control procedures for the following types of
audits, when we have concluded there are applications, data warehouses, or report writers which are
relevant for our audit:
• ISA financial statement audits in which we are not relying on general IT controls — Audits in which
we are evaluating the design and determining implementation of controls to assess risks and plan
further audit procedures.
• ISA financial statement audits in which we plan to rely on general IT controls — Audits in which
we are evaluating the design and testing the operating effectiveness of controls to support a plan
to rely on the operating effectiveness of controls in determining the nature, timing, and extent of
substantive procedures.
• PCAOB integrated audits — Audits in which we are evaluating design and testing the operating
effectiveness of controls to rely on the operating effectiveness of controls in determining the
nature, timing, and extent of substantive procedures and to issue an opinion on the entity’s ICFR.

Note that if we obtain our understanding in Section 6.3 above and conclude there are no applications,
data warehouses, or report writers that are relevant for our audit, then IT is not relevant and no
further IT procedures are needed.

Differences in general IT control procedures by type of audit. Column key used in each row below:
[A] ISA financial statement audits not relying on general IT controls; [B] ISA financial statement
audits relying on general IT controls; [C] PCAOB integrated audits.

Identifying relevant applications
• [A], [B], [C]: Same approach.

Assessing risks arising from IT (RAITs)
• [A]: N/A.
• [B], [C]: Same approach.

Identifying relevant general IT controls to address risks arising from IT
• [A]: The following control activities are typically* considered relevant at the application and
database layers, including:
- Authentication controls
- User access review (or alternatively provisioning and deprovisioning controls)
- Change management.
*These controls may vary based on the IT environment and our professional judgment.
• [B], [C]: Consider controls in EMS under ‘Risk Strategy View’ and subcategory ‘Risk Arising from
IT’ at the application, database, operating system, and network layers, as appropriate.

Evaluating design of relevant general IT controls
• [A]: Extent of evaluation is sufficient to identify and evaluate risk and plan substantive
procedures.
• [B]: Our evaluation of the design of a control may be more extensive when we plan to rely on the
control than when we do not plan to rely on the control because we may need a more detailed
understanding of the control in order to design our tests of operating effectiveness.
• [C]: Evaluation may be more extensive in a PCAOB audit than in ISA financial statement audits due
to PCAOB guidance related to the extent of consideration necessary for the design factors of certain
controls.

Evaluating system generated reports, information produced by the entity – Information used in a
control
• [A]: Information produced by the entity – Information used in a control: We may exercise judgment
in determining the extent of our evaluation of whether the information used in a control is
sufficiently reliable for its purpose.
• [B]: Directly test or test controls over source data, report logic, and parameters for information
used in a control we are relying upon.
• [C]: Test controls over source data, report logic, and parameters for information used in a
control.

Assessing risk associated with the control
• [A]: Not required.
• [B]: Required.
• [C]: Required.

Evaluating information produced by the entity used as audit evidence in the general IT control
operating effectiveness control testing
• [A]: N/A.
• [B], [C]: Test the accuracy and completeness of the information produced by the entity used as
audit evidence in the general IT control testing (through direct test or test of controls over the
information produced by the entity).

Determining implementation
• [A], [B], [C]: Determine the implementation of the general IT control by reviewing evidence of the
control operating once (e.g., full population and random selection not needed).

Evaluating operating effectiveness of general IT controls
• [A]: N/A.
• [B]: May be able to use prior year audit evidence if certain conditions are met (see DTTL AAM
23001.11). Select sample following sample size tables based on RAIT and risk associated with the
control.
• [C]: Operating effectiveness testing each year. Select sample following sample size tables based
on RAIT and risk associated with the control.

Apportion or rollforward testing
• [A]: Generally not needed unless a significant system change after original design and
implementation procedures.
• [B], [C]: Apportion testing or rollforward procedures completed to extend interim conclusions to
year-end.

Response to a control deficiency
• [A]: Generally no mitigating procedures completed, unless specifically discussed and agreed with
the audit engagement partner. Use professional judgement to consider adjustments to our audit
approach and consult where necessary.
• [B], [C]: Consider mitigating procedures where possible, after discussion with the audit
engagement partner, to preserve a plan to rely on the operating effectiveness of controls in
determining the nature, timing, and extent of substantive procedures for the financial statement
audit. Use professional judgement to consider adjustments to our audit approach and consult when
necessary.

Control deficiency classification
• [A]: May choose to consider compensating controls in evaluating the severity of the control
deficiency, after discussion with the audit engagement partner. If so, evaluate design and determine
implementation of the compensating controls.
• [B]: Evaluate the effect of compensating controls when determining if a control deficiency or
combination of control deficiencies is a significant deficiency in internal control.
• [C]: Required to evaluate the effect of compensating controls when determining if a control
deficiency or combination of control deficiencies is a material weakness.

7 Information used in a control

7.1 Introduction
Information produced by the entity that is relevant to our audit and used as audit evidence generally
falls into one of three categories as depicted in Figure 7.1:
Figure 7.1 Information produced by the entity and information used in a control

Information produced by the entity that the entity uses when performing relevant controls is referred
to as information used in a control or “IUC”.

Information produced by the entity that we use as audit evidence when performing (1) risk
assessment procedures, (2) tests of operating effectiveness of relevant controls (where the
information is not also used by the entity in its control), or (3) substantive procedures is referred
to as information produced by the entity or “IPE” and is outside the scope of this chapter.

This chapter provides guidance with respect to our responsibilities to evaluate whether IUC is
sufficiently reliable for our purposes.

When a relevant control uses information (e.g., data or a report) produced by the entity in the
operation of a control, the effectiveness of the control depends on the accuracy and completeness of
the information. Since it is unlikely that the control performer can validate the accuracy and
completeness of the information contained in a report simply by reviewing the report, it is important
that we evaluate whether the information produced by the entity is sufficiently reliable early in our
testing, because if it is not, then the relevant control will not be effective.

Information used by the entity in the performance of a control might also be obtained from third party
sources. While not the focus of this chapter, we would also need to consider whether this information
is sufficiently reliable as part of our audit procedures.

7.2 Process flow for evaluating/testing the accuracy and completeness of information used
in a control relevant to the audit
This process flow summarizes the steps for evaluating the reliability of information used in a control
relevant to the audit. Each of these steps requires professional judgment and is expanded upon
further within this guide.

1. Identify the information used by a control (section 7.3)

2. Determine which aspects of the information are relevant to the effectiveness of the control
(section 7.4)

3. Understand how the relevant information is produced (section 7.5)

Consider:
• The source data
• The report logic
• User entered parameters

4. Evaluate whether the IUC is sufficiently reliable / Test the accuracy and completeness of
the IUC

Where we are evaluating the design and implementation of the control (section 7.6):
We evaluate whether the IUC is sufficiently reliable for our purposes.

Where we are testing the operating effectiveness of the control (sections 7.7 to 7.9):
We obtain audit evidence about the accuracy and completeness of IUC by either:
1. Testing the operating effectiveness of controls that address the accuracy and
completeness of IUC,
2. Directly testing the IUC, or
3. A combination of these approaches

7.3 Identifying the relevant information used in a control
For each relevant control, we identify the information used in the operation of the control based on our
understanding of the control, including our evaluation of design which may include inquiry and
observation of the control performer showing us what they do (including the information used in the
control) and inspection of documentary evidence (including the information used in the control).

The purpose of most management review controls is to review information (which we refer to as
“inputs” – see Section 5.2 for further discussion) to identify potential misstatements. Therefore,
virtually all management review controls use information in the operation of the control.

7.4 Determine which aspects of the information are relevant to the effectiveness of the
control
Typically, when information is used in a control in the form of a “report”, the information in the report
is relevant to the performance of the control.
For example, the data presented in a typical A/R aging report is relevant to the review of the
adequacy of the allowance for doubtful accounts.

However, in some cases, a report may contain information, not all of which is necessarily relevant to
the operation of a control for our financial statement audit purposes or of equal importance even when
it is relevant. Accordingly, when applicable, we consider and identify which reports, or which data
within a report, represent the information that is important to the effectiveness of the control that
uses the report. When this determination represents a significant judgment, we document our thought
process and basis for the conclusions.
For example, a management review control uses a spreadsheet that contains ten columns of data,
only two of which are directly relevant to the purpose of the review (the other data is for a different
purpose and not necessary for the operation of the control).
For example, the “monthly reporting package” prepared by components is reviewed at the group
level to identify potential misstatements. However, other data in the package (e.g., data related to
insignificant accounts or operational data) is not relevant and therefore does not need to be further
considered.

7.5 Understand how the relevant information is produced
Before we can apply our professional judgement to evaluate whether the IUC is sufficiently reliable for
our purposes (in the case where we are only evaluating design and determining implementation), or
design appropriate procedures to test the accuracy and completeness of the IUC (in the case where
we are testing operating effectiveness), it is important to first obtain an appropriately detailed
understanding of the IUC, and the process from initiation of the data to the generation of the reports.
We begin with a thorough understanding of what the IUC is, and how the IUC is generated.

Note: When the IUC is more complex, we may consider using IUC diagrams to assist us
in identifying and understanding the source data, report logic, and user-entered
parameters (if applicable) and designing our audit approach for testing the IUC.

IUC typically consists of three elements: (1) source data, (2) report logic, and (3) parameters. These
three elements are further described as follows:

Element: Source Data
Description: The information from which the IUC is created. This may include data maintained in
the IT system (e.g., within an application system or database) or external to the
system (e.g., data maintained in an Excel spreadsheet or manually maintained),
which may or may not be subject to general IT controls.
For example, for a report of all sales greater than $10,000, the source data
is the database of all sales transactions.

Element: Report Logic
Description: Automated report logic, which we view as akin to an automated control, is the
computer code, algorithms, or formulas for transforming, extracting or loading the
relevant source data and creating the report. Report logic may include standardized
report programs, user-operated tools (e.g., query tools and report writers) or Excel
spreadsheets, which may or may not be subject to the general IT controls.
For example, for the A/R aging report, the report logic is typically a
program in the A/R application that contains the code and algorithms for
extracting the data from the A/R subledger detail (source data), allocating it
to the various aging categories, and calculating the sub-totals and totals of
the report.

Element: Report Parameters
Description: Report parameters allow the user to look at only the information that is of interest
to them. Common uses of report parameters include defining the report structure,
specifying or filtering data used in a report, or connecting related reports (data or
output) together. Depending on the report structure, report parameters may be
created manually by the user (user-entered parameters) or they may be pre-set
(there is significant flexibility in the configuration of parameters, depending on the
application system), and they may or may not be subject to the general IT controls.
For example, for a monthly report of slow moving inventory by warehouse
location, the user enters the month and location code parameters to
generate the reports.

Our objective when we perform procedures on IUC is to evaluate whether these three elements, when
applicable, produce IUC that is sufficiently accurate and complete. As IUC is generated in many
different forms and through many different methods, our evaluation strategy may vary depending on
the nature of the IUC (e.g., a standard pre-coded report versus a custom ad-hoc report) and how it is
created (e.g., the degree of automation which typically increases reliability when subject to effective
general IT controls).
For example, Entity A and Entity B both use the same ERP system; however, Entity A uses an A/R
aging report from the system to determine its allowance for doubtful accounts, and Entity B takes the
same A/R aging report, downloads it into Excel, and then manually manipulates the report. The
downloading and manipulation of Entity B’s report likely introduces additional possibilities that the IUC
may be inaccurate or incomplete compared to the A/R aging report used by Entity A and therefore, it
would likely be necessary to perform additional procedures on Entity B’s report to determine its
accuracy and completeness as compared to Entity A’s report.
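The three elements above, worked as an added example that is not from this guide: the auditor re-performs the report logic of a simple A/R aging report from the subledger source data and the as-of parameter, then reconciles the result cell by cell to management's report, which is the direct test of the IUC referred to in step 4 of Section 7.2. The bucket scheme, the open invoices and the management report are all constructed assumptions.

```python
"""Recreate an A/R aging report from source data and reconcile it to management's
report. Added example, not from the guide: the bucket scheme, the open-invoice
source data and management's report below are all constructed."""
from datetime import date
from typing import Dict, List, Tuple

# Aging buckets as (name, upper bound in days past due, inclusive). Constructed scheme;
# on an engagement the buckets come from the definition of the entity's own report.
BUCKETS: List[Tuple[str, int]] = [("current", 0), ("1-30", 30), ("31-60", 60), ("61-90", 90)]
OVER_90 = "over 90"
BUCKET_NAMES = [name for name, _ in BUCKETS] + [OVER_90]

# User-entered parameter of the report: the as-of date. Agree it to period end before relying
# on the report; an aging run at the wrong date is accurate logic applied to the wrong period.
AS_OF = date(2017, 9, 30)

# Constructed source data: open items in the A/R subledger (invoice, customer, due date, amount).
OPEN_INVOICES = [
    {"invoice": "INV-1001", "customer": "C-A", "due": date(2017, 9, 30), "amount": 1200.00},
    {"invoice": "INV-1002", "customer": "C-A", "due": date(2017, 9, 5), "amount": 800.00},
    {"invoice": "INV-1003", "customer": "C-B", "due": date(2017, 8, 15), "amount": 2500.00},
    {"invoice": "INV-1004", "customer": "C-B", "due": date(2017, 7, 10), "amount": 400.00},
    {"invoice": "INV-1005", "customer": "C-C", "due": date(2017, 5, 1), "amount": 3100.00},
    {"invoice": "INV-1006", "customer": "C-C", "due": date(2017, 10, 15), "amount": 900.00},
]

# Constructed management report (customer -> bucket -> amount). INV-1004 is 82 days past due
# but is shown in "31-60" rather than "61-90": a report-logic error that a totals-only
# tie-out would not detect, because the grand total is unchanged.
MANAGEMENT_REPORT = {
    "C-A": {"current": 1200.00, "1-30": 800.00, "31-60": 0.0, "61-90": 0.0, "over 90": 0.0},
    "C-B": {"current": 0.0, "1-30": 0.0, "31-60": 2900.00, "61-90": 0.0, "over 90": 0.0},
    "C-C": {"current": 900.00, "1-30": 0.0, "31-60": 0.0, "61-90": 0.0, "over 90": 3100.00},
}


def bucket_for(days_past_due: int) -> str:
    """Map days past due to an aging bucket; invoices not yet due count as current."""
    for name, upper in BUCKETS:
        if days_past_due <= upper:
            return name
    return OVER_90


def recreate_aging(invoices, as_of: date) -> Dict[str, Dict[str, float]]:
    """Report logic re-performed by the auditor: age every open invoice against the
    as-of parameter and subtotal by customer and bucket."""
    report: Dict[str, Dict[str, float]] = {}
    for inv in invoices:
        bucket = bucket_for((as_of - inv["due"]).days)
        row = report.setdefault(inv["customer"], {name: 0.0 for name in BUCKET_NAMES})
        row[bucket] = round(row[bucket] + inv["amount"], 2)
    return report


def grand_total(report: Dict[str, Dict[str, float]]) -> float:
    """Total of all cells; used to show that totals alone are not a sufficient test."""
    return round(sum(sum(row.values()) for row in report.values()), 2)


def reconcile(ours, theirs, tolerance: float = 0.005) -> List[Tuple[str, str, float, float]]:
    """Cell-by-cell comparison of the recreated report to management's report.
    Returns (customer, bucket, recreated amount, management amount) per difference."""
    diffs = []
    for customer in sorted(set(ours) | set(theirs)):
        for bucket in BUCKET_NAMES:
            a = ours.get(customer, {}).get(bucket, 0.0)
            m = theirs.get(customer, {}).get(bucket, 0.0)
            if abs(a - m) > tolerance:
                diffs.append((customer, bucket, a, m))
    return diffs


if __name__ == "__main__":
    recreated = recreate_aging(OPEN_INVOICES, AS_OF)
    print("grand totals agree:", grand_total(recreated) == grand_total(MANAGEMENT_REPORT))
    for customer, bucket, a, m in reconcile(recreated, MANAGEMENT_REPORT):
        print(f"difference: {customer} {bucket}: recreated {a:.2f} vs management {m:.2f}")
```

In the constructed data the grand totals agree while two cells differ, which is why the comparison is made at the level of detail the control actually relies on (here, customer and bucket) rather than at the total.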

Accordingly, for relevant information used in a control, it is important that we obtain an understanding
of how the information is generated (i.e., from initiation of the data to the generation of the report) as
part of our overall understanding of the process flows for the relevant process. In situations where the
entity makes pervasive use of IT systems and programs to generate information (e.g., reports), we
may consider teaming with our IT specialists to obtain an appropriate understanding of both the IT
aspects and the non-IT aspects of generating information.

Specific considerations when understanding how a report is generated include the following:
• Where does the source data originate?
- Is it transactional data captured by the entity’s accounting IT systems (e.g., sub-ledgers or
general ledgers)? If so, what is the underlying flow of transactions?
- Is it data from other sources?

© 2017 For information, contact Deloitte Touche Tohmatsu Limited Page 166 of 186
Internal control

- Information from processes or systems which were not initially considered to be relevant to
the audit (and which may or may not be subject to the entity’s general IT controls).
For example, shipping data included in a report used by a relevant control is generated by a
standalone warehouse shipping system that was initially determined not to be relevant to the
audit. Because the shipping data is relevant to the control that addresses the risks associated
with the shipping cost accrual, we conclude that the application is relevant (and therefore
consider the controls over the data and the generation of the report, which may include the
entity’s general IT controls).
- Information generated from applications hosted by a service organization.
For example, data is processed by a service organization and reports are produced from the
service organization’s application systems and are used in the operation of the controls of the
user organization (therefore we consider the controls over the data and generation of the
report which are typically controls, including general IT controls, at the service organization).
See DTTL AAM 22850 – Service Organizations.
- Information obtained from external sources (e.g., information available in the public domain or
information obtained from specialists or service providers, such as investment security pricing
services).
For example, to prepare a monthly revenue report for hotel revenues by region, the revenue
accountant obtains an industry report with occupancy rates and average revenues per room
by region that is manually loaded into an Excel spreadsheet by the preparer of the report to
compare against the entity’s actual data extracted from their IT systems (therefore we
consider management’s controls which address their evaluation of the reliability of the data for
its intended use and that the data was properly input into the monthly revenue report).
- Into which application system is the data initially input? Is there any further processing of the
data by this system after its initial input? To which application systems or data warehouses does
the data flow after its initial input, up to the point of extraction? Are these application
systems/data warehouses subject to general IT controls?
Data may initially be entered and processed into one application system, but subsequently
transferred to another application system for further processing.
For example, data related to capital projects may initially be recorded within the accounts
payable application when invoices are received, then subsequently transferred to a projects
application where budgets/actuals can be analyzed, and then ultimately to the fixed asset
application when the project is completed and the asset is ready for use at which point it will
be subject to amortization.
• Was the report generated using report writing or query software? Is the report writer/query
software, and the query scripts subject to the entity’s general IT controls?
Data warehouses are often used to enable end-users to access and filter data using report writer
or query tools on an as-needed basis, which typically upload the extracted data into an Excel
template for further refinement or formatting. An important determination is whether the data
warehouse and related queries are subject to the entity’s general IT controls. There are typically
two scenarios:
1. Standard queries that are subject to general IT controls (i.e., the user can run the query, but
cannot alter it).
2. User-generated queries which are not subject to general IT controls. While the report writer or
query software itself may be subject to the entity’s general IT controls, the query “scripts” (or
equivalent), which represent the specific “instructions” of what the user wants the tool to
extract, are maintained by the user and are therefore not subject to the entity’s general IT
controls.
For example, the entity has a data warehouse and a query tool, referred to as “SAS code,”
which is used to extract data from the warehouse. The data extracted from the warehouse is
then used to develop a significant estimate for financial reporting purposes and also used in a
control. The end-user is responsible for maintaining the SAS code scripts to achieve its
intended purpose (i.e., extract the appropriate information), including revising it as needed.
Each month, the end-user initiates the running of the SAS code from his/her computer. As the
SAS code can be manipulated or changed by the end-user, the reports generated by the SAS
code are not subject to the entity’s general IT controls.
For example, the entity uses a report writer to create their internal financial reporting
package and monthly analyses. The report writer tool interfaces with the underlying general
ledger which is subject to the entity’s general IT controls. However, the actual “scripts” used
to generate the reports are the responsibility of the financial reporting department, including
revising the scripts for new accounts and cost centers in the general ledger; therefore, the
scripts and the report are not subject to the entity’s general IT controls.
• Are there interfaces between where the data was initially input, and where the data is extracted
from? Are the interfaces automated or manual?
In the case where data transfers from one application to another (or to a data warehouse), the
transfers may be performed automatically by the system, or may require manual intervention by a
user via a download/upload process.
• Does the user enter parameters within the application system when the IUC is generated? If so
what are the parameters?
In some instances, the parameters are automatically generated by the IT systems, and therefore
the user is not required to input any parameters. More typically with today’s ERP systems, to
initiate the report, the user needs to enter basic parameters such as the “as-of date” of the report
or the location code(s) desired.
• Is the report downloaded from an IT system into end user applications such as Excel
spreadsheets? If so, is the data further manipulated/refined/formatted in creating the final report?
If so, how so?

Based on our understanding of the above considerations, we will be able to conclude whether the
report is system-generated, or non-system generated:
• System generated – The source data (i.e., data within application systems and/or data
warehouses) and report logic (i.e., application systems, report writers and query scripts) are
subject to the entity’s general IT controls (access and program change controls).
• Non-system generated – The source data and/or report logic are not subject to the entity’s
general IT controls. Said differently, the report is generated with manual intervention which may
include the collection or input of data, or utilizing a user-configured report writer or query script or
utilizing an end-user application such as Excel which are not subject to the entity’s general IT
controls.

The importance of distinguishing between these two types of reports is highlighted in the guidance on
testing controls over IUC in Section 7.8 below.

Figures 7.2 and 7.3 depict example flows of information from initiation of the data to the generation of
the report, including the source data and report logic (including user-entered parameters).

Figure 7.2
Typical system-generated report
Note: The red circle signifies what is within the IT environment and therefore subject to general IT
controls.

Figure 7.3
Typical non-system-generated report
Note: Often the data warehouse and/or the queries are subject to GITCs.

Pitfalls and tips for avoiding them

Pitfall: Failure to identify information used by a relevant control.
Tips:
• When understanding a relevant control, focus on identifying and documenting the inputs used in
  the operation of the control (e.g., use the formal report name).
• Identify reports generated by the entity’s service organizations that are used in the operation of
  relevant controls.

Pitfall: Failure to obtain a sufficient understanding of the source data, report logic, and parameters
of the IUC, particularly system-generated reports (e.g., how the report is developed, which system the
report comes from, or how the data is extracted).
Tips:
• To understand how information is generated, consider starting with the report and “work
  backwards” to identify (1) the database(s) that the data is extracted from, (2) the relevant data
  fields in the database, (3) relevant interfaces between applications, and (4) where the data
  originates (e.g., the relevant transaction flows).
• Include the steps to generate the relevant information used in a relevant control in the process
  flow diagram or narrative to specifically depict or describe how the data flows and how the report
  is generated.
• Team with IT specialists to obtain an understanding of both the IT aspects and the non-IT aspects
  of generating the information.
• Inquire of the entity’s IT function and the end-user as to who is responsible for the integrity of
  data and maintaining the report logic (e.g., Excel formulas or query scripts).

Pitfall: Not identifying which elements (e.g., source data, report logic, user-entered parameters) are
not subject to the entity’s general IT controls (e.g., access or program change controls).
Tips:
• Team with IT specialists to help identify which elements are subject to the entity’s general IT
  controls, and which elements are not.

7.6 Evaluating the reliability of IUC in evaluating design and determining the
implementation of a control
When we do not plan to rely on the operating effectiveness of the entity’s controls to reduce
substantive testing, we are nevertheless required to obtain an understanding of controls relevant to
the audit as part of our planning and risk assessment procedures.

Obtaining an understanding of a control involves evaluating its design and determining whether it has
been implemented, including if the IUC that the control is dependent upon is sufficiently reliable.

The nature and depth of this evaluation is a matter of professional judgment, based on considerations
such as:
• The extent to which the control is dependent on the IUC.
• The history of any errors in the IUC.
• The nature of the IUC, including:
- The significance of the judgments made by individuals preparing the IUC.
- The complexity of the IUC.
- The degree to which the IUC is automated as opposed to being prepared manually.
For example, consider a control related to the recording of accruals at month-end. Ten days after
month-end, the accounts payable manager runs a query report (from a standard report tool in a
packaged software program) of all invoices, by department, which have been entered into the
accounts payable sub-ledger subsequent to month-end. This report is distributed to the various
department managers who review the report and indicate which items for their department are to be
accrued at month-end. The accounting manager prepares the journal entry for month-end accruals,
accompanied by the query reports reviewed and initialed by the department managers, and submits
them to the controller for review and approval.

In evaluating the design of this control in this example, we might consider:


• The extent to which the control is dependent on the IUC – This control is highly dependent on the
use of IUC (i.e., the control would not be effective if the query report was inaccurate or
incomplete; thus, consideration of the IUC is relevant to the assessment of design of the control).
• The nature of the IUC –
- Developing the query report does not involve the accounts payable manager’s judgment as
the report parameters are predetermined (10 days after month-end), and the same
parameters are used each time the report is prepared. Further, the parameters used appear
appropriate for purposes of this control.
- The query report is not complex.
- The query report has both manual and automated aspects; it is generated using a standard
reporting tool in a pre-packaged software program with manual input of the parameters by the
accounts payable manager.

Based on these considerations, we may have a sufficient understanding of how the query report is
prepared and used in the control to conclude that the IUC is sufficiently reliable for purposes of
evaluating the design of the control. In other words, we were able to evaluate the design of the
control without testing the completeness and accuracy of the IUC. Our documentation of evaluation of
the design of this control and the related IUC would need to be sufficient to support our conclusion.

To test the implementation of this control, we may inspect the query report; identify the parameters
used; and observe how entity-personnel use the report to perform the control.

If consideration of the factors above indicates that the IUC may not be sufficiently reliable (e.g., the
information is produced with a complex customized software program or is highly dependent on the
judgment by the individual who prepares the information), it may be necessary to further evaluate
whether the information is sufficiently reliable for our purposes, including testing the accuracy and
completeness of the information as part of our evaluation of design and implementation.

7.7 Approach to testing the accuracy and completeness of IUC


The accuracy and completeness of the information produced by the entity can be tested by:
1. Testing the operating effectiveness of controls that address the accuracy and completeness of the
information produced by the entity;
2. Directly testing the information produced by the entity; or
3. A combination of these approaches.

7.8 Identify and test the controls that address the accuracy and completeness of IUC
When testing controls that address the accuracy and completeness of IUC, we need to identify and
test the controls over the 1) source data, 2) report logic, and 3) parameters.

The specific controls over each of these elements that we determine to be relevant to our audit will
depend on whether the report is system-generated or non-system generated.

7.8.1 System-generated
For a system-generated report, in which the source data and report logic are subject to effective
general IT controls (i.e., access and program change controls), we would typically identify and test the
following controls:
Source Data
• Controls over the initiation and processing of the data prior to being input into an application
system.
• Controls over the input of the data into the application system, as well as controls over any further
processing of the data.
• Controls over the interfaces between one application system to another application system, or to a
data warehouse (if the data in the report originates from a different system that generated the
report).
• General IT controls that (1) prevent unauthorized access to the source data and (2) make certain
that any changes to the applications related to the source data are tested prior to being placed
into production.

Report Logic
• The automated extraction function.
• All automated calculations (including all variations of calculations).
• General IT controls that (1) prevent unauthorized access to the report logic (e.g., the programs
and algorithms that produce the report) and (2) that make certain that any changes to the
applications related to the report logic are tested prior to being placed into production.

We typically test the controls over the generation of the report (and user-entered parameters) for the
same instances that we select to test the relevant control that uses the information (e.g., the report).
For system-generated reports, similar to testing an automated control, it may be appropriate to limit
our testing to one instance of each significant calculation or variation in the report logic, when the
relevant general IT controls are concluded to be effective.

Testing controls over the automated extraction function may be performed by:
1. Reperforming the automated data extraction by performing one or more of the following:
a. Validating it included important elements/variations (e.g., user listing included both employees
and contractors)
b. Selecting a sample of items from the source and agreeing to the report and selecting a sample
of items from the report and agreeing back to the source
c. Reconciling report totals to source data totals.
2. Inspecting the specific programming or query language used to extract the relevant source data
and generate the report. This may include user specified criteria for reports generated from a
report writer or data warehouse (e.g., parameters define the logic).
3. Using a CAAT (e.g., ACL or Excel) to reperform the extraction and calculations/algorithms

When we determine that a report is a standard report from packaged software and it has not been
modified since received from the vendor, it may not be necessary to test the report logic of the report.
It is important to obtain evidence from the system to validate that the report is standard and has not
been changed and to retain such evidence in the audit file.

Standard reports generated by “commercial off the shelf”, packaged software for which the entity does
not have access to the source code have the lowest risk for modification because the entity cannot
change the reports, and thus program change controls and testing the automation of the report logic
are generally not applicable. Since this applies only to the report logic element, we would still need to
consider the controls over report configuration settings, source data, and parameters.

The entity also may have standard reports which come pre-packaged with applications such as SAP,
but the entity has access to the source code. If we have obtained audit evidence that the reports have
never been changed since installation and we have retained such evidence in the audit file, then there
is no need to test the report logic.

Parameters
• Controls that management has implemented to check that the parameters used are appropriate.

For example, consider a monthly control in which the Controller reviews and challenges the
appropriateness of the allowance for doubtful accounts, which is based in part on the A/R aging
report (the “report”) as an important data point in the review of the allowance. The report can be run
on demand by the Credit & Collections staff, and no user-entered parameters are required. The report
logic program and the database (A/R sub-ledger) from which the report is extracted are subject to
effective general IT controls (e.g., access and program change controls).
Figure 7.4
Identify controls for a typical system-generated report

What controls are relevant to the source data?

The controls over the source data would include the following:
• Controls over the initiation, authorization, processing, and recording of the sales/invoices, cash
receipts, and credit memos into the database (i.e., A/R sub-ledger) from which the data to
compile the report is extracted.
• The general IT controls that (a) prevent unauthorized access to the A/R sub-ledger and (b) that
check that any authorized changes to the application system were subjected to appropriate
program change procedures.

What controls are relevant to the report logic and how would we test them?

• Automation of the extraction function
- Reconcile the total of the A/R aging report to the A/R sub-ledger (completeness).
- Select one invoice from the A/R aging report and agree it to the A/R sub-ledger (accuracy).
- Recalculate the sub-total for one customer.
• Automation of each relevant calculation (including variations)
- Verify that the program has appropriately aged items by selecting one invoice for each
transaction type (i.e., invoices, unapplied cash receipts, credit memos) AND for each aging
category and manually recalculate to verify the transaction has been appropriately aged.
• The general IT controls (a) that prevent unauthorized access to the application system, and the
A/R aging program that generates the report and (b) that check that any authorized changes to
the applications and report logic were subjected to appropriate program change procedures.
- As the accounts receivable application supports significant account balances, the application
and related general IT controls may already be concluded to be relevant to our audit.

What controls are relevant to the parameters?

In this case, no parameters are required to be entered when running the report. Therefore there are
no relevant controls. However, if parameters had been required to be entered, we would need to
inquire with management as to what they do to verify the parameters entered, and then test the
identified control accordingly or directly test that the appropriate parameters were entered.
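The following Python is an added worked example, not part of this guide or of any entity’s system: it reperforms, as a CAAT, the report-logic tests listed above for the A/R aging report in Figure 7.4 (and the reperformance options in Section 7.8.1). It reconciles the report total to the sub-ledger, traces items from report to source and from source to report, and independently recomputes the aging category for one item of each transaction type and each aging bucket. The sub-ledger rows, report rows, bucket boundaries and as-of date are constructed sample data and assumed conventions; the constructed report deliberately shows one credit memo in the wrong bucket.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Assumed as-of date and aging buckets for the constructed report.
AS_OF = date(2017, 9, 30)
BUCKETS = ((0, 30, "0-30"), (31, 60, "31-60"), (61, 90, "61-90"), (91, None, "Over 90"))


@dataclass(frozen=True)
class LedgerItem:
    """One open item in the A/R sub-ledger (constructed source data)."""
    customer: str
    doc_id: str
    doc_type: str        # "invoice", "unapplied_cash" or "credit_memo"
    doc_date: date
    amount: Decimal      # invoices positive; cash receipts and credit memos negative


# Constructed A/R sub-ledger extract: the source data the report is compiled from.
SUBLEDGER = [
    LedgerItem("Acme", "INV-1001", "invoice", date(2017, 9, 15), Decimal("1200.00")),
    LedgerItem("Acme", "INV-0987", "invoice", date(2017, 8, 10), Decimal("800.00")),
    LedgerItem("Acme", "CM-0051", "credit_memo", date(2017, 8, 20), Decimal("-150.00")),
    LedgerItem("Beta", "INV-0955", "invoice", date(2017, 7, 5), Decimal("500.00")),
    LedgerItem("Beta", "INV-0900", "invoice", date(2017, 6, 1), Decimal("300.00")),
    LedgerItem("Beta", "CSH-0210", "unapplied_cash", date(2017, 9, 28), Decimal("-200.00")),
]

# Constructed A/R aging report as produced by the system: (customer, doc_id, bucket, amount).
# CM-0051 is deliberately placed in the wrong bucket to illustrate a report-logic defect.
REPORT_ROWS = [
    ("Acme", "INV-1001", "0-30", Decimal("1200.00")),
    ("Acme", "INV-0987", "31-60", Decimal("800.00")),
    ("Acme", "CM-0051", "0-30", Decimal("-150.00")),
    ("Beta", "INV-0955", "61-90", Decimal("500.00")),
    ("Beta", "INV-0900", "Over 90", Decimal("300.00")),
    ("Beta", "CSH-0210", "0-30", Decimal("-200.00")),
]


def age_bucket(doc_date, as_of=AS_OF):
    """Independently compute the aging bucket an item should fall into."""
    days = (as_of - doc_date).days
    for low, high, label in BUCKETS:
        if days >= low and (high is None or days <= high):
            return label
    raise ValueError(f"item dated after the as-of date: {doc_date}")


def reconcile_totals(subledger, report_rows):
    """Completeness check: sub-ledger total, report total and the difference."""
    ledger_total = sum((item.amount for item in subledger), Decimal("0.00"))
    report_total = sum((row[3] for row in report_rows), Decimal("0.00"))
    return ledger_total, report_total, report_total - ledger_total


def trace_report_to_source(report_rows, subledger):
    """Accuracy check: every report line exists in the sub-ledger with the same amount."""
    by_id = {item.doc_id: item for item in subledger}
    return sorted(doc_id for _, doc_id, _, amount in report_rows
                  if doc_id not in by_id or by_id[doc_id].amount != amount)


def trace_source_to_report(subledger, report_rows):
    """Completeness check: every open sub-ledger item appears on the report."""
    reported = {doc_id for _, doc_id, _, _ in report_rows}
    return sorted(item.doc_id for item in subledger if item.doc_id not in reported)


def recompute_aging(subledger, report_rows):
    """Recalculate each item's bucket; return (doc_id, reported, expected) for mismatches."""
    by_id = {item.doc_id: item for item in subledger}
    exceptions = []
    for _, doc_id, reported_bucket, _ in report_rows:
        item = by_id.get(doc_id)
        if item is None:
            continue  # already flagged by trace_report_to_source
        expected = age_bucket(item.doc_date)
        if reported_bucket != expected:
            exceptions.append((doc_id, reported_bucket, expected))
    return exceptions


def variations_covered(subledger):
    """Transaction types and aging buckets present, so each variation is covered by the selection."""
    types = {item.doc_type for item in subledger}
    buckets = {age_bucket(item.doc_date) for item in subledger}
    return types, buckets


if __name__ == "__main__":
    print("totals (ledger, report, difference):", reconcile_totals(SUBLEDGER, REPORT_ROWS))
    print("report-to-source exceptions:", trace_report_to_source(REPORT_ROWS, SUBLEDGER))
    print("source-to-report exceptions:", trace_source_to_report(SUBLEDGER, REPORT_ROWS))
    print("aging exceptions:", recompute_aging(SUBLEDGER, REPORT_ROWS))
    print("variations covered:", variations_covered(SUBLEDGER))
```

On the constructed data the totals reconcile and both traces pass, yet the aging recalculation flags CM-0051: a report whose total agrees to the sub-ledger can still apply the wrong logic to one transaction type, which is why the guide asks for one item of each transaction type and each aging category rather than a total alone. The reperformance is evidence for the instance tested; extending that conclusion across the period still depends on effective general IT controls over the report program.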

7.8.2 Non-system generated


A non-system generated report is one in which the source data and/or the report logic are not subject
to the entity’s general IT controls (i.e., access and program change controls). These reports are often
created on an ad-hoc basis, with business users having the ability to create and modify such reports.

Therefore, the relevant controls over the accuracy and completeness of the report would include
controls that management implements to check that the report was produced as intended (e.g.,
controls which “prove” the extraction of data, such as reconciling the report to the data from which it
was derived, comparing individual data from the report to the source data and vice versa, and controls
which check the formulas or macros).

It is important to note that the control that management implements to address the accuracy and
completeness of the report may itself rely on other controls over the information. For example, if the
source data within a non-system generated report was extracted from an IT system that is subject to
effective general IT controls, management is unlikely to check the source data of the report by
agreeing it to the original source document (e.g., an invoice). Instead, they will likely agree the data
within the report to the database in the underlying IT system from which it was extracted. In doing so,
they rely on all the controls over the source data (including relevant general IT controls) up to the
point at which the data is extracted and ceases to be subject to general IT controls.

Since every non-system generated report is different, it is very important to fully understand how the
report is generated such that all relevant controls are identified and tested. For a non-system
generated report in which the underlying data was extracted from an IT system, we would typically
identify and test the following controls:

Source Data
• Controls over the initiation and processing of the data prior to being input into an application
system.
• Controls over the input of the data into the application system, as well as controls over any further
processing of the data.
• Controls over the interfaces between one application system to another application system, or to a
data warehouse (if the data on the report originates from a different system that generated the
report).
• General IT controls that (1) prevent unauthorized access to the source data and (2) make certain
that any changes to the applications related to the source data are tested prior to being placed
into production.
• Manual controls that management implements to check that the source data within the non-
system generated report is accurate and complete (e.g., reconciliation of the source data back to
the database from which it was extracted).
Report Logic
• Manual controls that management has implemented to check that the report was produced as
intended (e.g., controls which “prove” the appropriate extraction of data, and controls which check
the formulas or macros).
Parameters
• Manual controls that management has implemented to check that the parameters used are
appropriate.

We typically test the controls over the generation of the report (and user-entered parameters) for the
same instances that we select to test the relevant control that uses the information (e.g., the report).
For example, consider a control in which the Controller and Executive Vice President – Credit review
the analysis for the loan loss reserves and challenge the appropriateness of the reserve based on the
data and trend lines depicted in the report.

The entity processes significant volumes of loan related data, including payment history, through its
application systems which is uploaded into a data warehouse for read-only access via an automated
interface (the application systems are subject to general IT controls). Quarterly, the Staff Accountant
prepares the report, which includes various data points and trend lines of the portfolios based on
internally available data by running a number of pre-configured queries. The pre-configured queries
are used to filter and extract certain data from the data warehouse, which is populated into a report
template. The queries are maintained and run by the Staff Accountant. The Staff Accountant also
directly inputs certain external data and trends and performs some formatting of the data to generate
the final report. Therefore, the generation of the report is subject to manual intervention and is not
subject to general IT controls.

The Credit Manager checks the generation of the report, prepared by the Staff Accountant, prior to
forwarding the report to the Controller and Executive Vice President – Credit.

Figure 7.5
Identify controls for a typical non-system generated report

What controls are relevant to the source data?

The controls over the source data would include the following controls:
• Controls over the initiation, authorization, processing, and recording of the transaction flows into
the loan sub-ledger from which data used to compile the report is extracted.
• General IT controls that (a) prevent unauthorized access to the application system, and loan sub-
ledger and (b) that check that any authorized changes to the applications were subjected to
appropriate program change procedures.
• Controls over the automated interface from the loan sub-ledger to the data warehouse
• Access controls over the data warehouse (i.e., confirm that the user has read only access)
• Manual controls that management has implemented to check the input of external data (i.e.,
agreeing back to the third-party source).

What controls are relevant to the report logic?


• General IT controls that (a) prevent unauthorized access to the application system, and the query
tool and (b) that check that any authorized changes to the applications were subjected to
appropriate program change procedures.
• Manual controls that management has implemented over the query scripts, including the following
which we may consider reperforming:
- Reconciling the output of the queries to the source data
- Verifying that the query generated the data appropriately
- Checking that the final report was properly formatted.

What controls are relevant to the parameters?

Parameters were not required during the generation of the report. However, if parameters had been
required at some point in the process of generating the report (or as part of management’s control in
addressing its accuracy and completeness), we would need to inquire with management as to what
they did to verify the parameters, and then test the identified control accordingly.
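The following Python is an added illustration, not from this guide and not any entity’s or vendor’s tooling. It shows one way to evidence two of the points above: that user-maintained query scripts (the report logic of a non-system generated report such as the one in Figure 7.5, or a standard report claimed to be unmodified as in Section 7.8.1) are unchanged since the version that was tested, and that the parameters they were run with are the ones the period requires. A digest of each approved script’s logic is recorded as a baseline, and the scripts actually run this quarter are compared to it; parameters are separated from the logic so that a legitimately changed as-of date is not mistaken for, and cannot mask, a logic change. The scripts, the `-- PARAM name=value` comment convention, the file names and the expected parameter values are constructed assumptions.

```python
import hashlib
import re

# Assumed convention: user-entered parameters are declared in the script as "-- PARAM name=value"
# comment lines, so they can be separated from the query logic and checked on their own.
PARAM_LINE = re.compile(r"^--\s*PARAM\s+(\w+)\s*=\s*(\S+)[ \t]*$", re.MULTILINE)

# Constructed end-user query scripts as approved when the report logic was last tested.
APPROVED_SCRIPTS = {
    "loan_trends.sql": (
        "-- PARAM as_of=2017-06-30\n"
        "SELECT portfolio, SUM(balance) AS balance, SUM(days_past_due > 90) AS npl_count\n"
        "FROM dw.loan_snapshot WHERE snapshot_date = :as_of\n"
        "GROUP BY portfolio;\n"
    ),
    "payment_history.sql": (
        "-- PARAM as_of=2017-06-30\n"
        "-- PARAM lookback_months=24\n"
        "SELECT loan_id, paid_on, amount FROM dw.payments\n"
        "WHERE paid_on > ADD_MONTHS(:as_of, -:lookback_months);\n"
    ),
}

# Constructed scripts actually run this quarter: loan_trends.sql only carries a new as-of date;
# payment_history.sql has an altered filter and a stale as-of date; adhoc_fix.sql is new.
CURRENT_SCRIPTS = {
    "loan_trends.sql": APPROVED_SCRIPTS["loan_trends.sql"].replace("2017-06-30", "2017-09-30"),
    "payment_history.sql": (
        "-- PARAM as_of=2017-06-30\n"
        "-- PARAM lookback_months=24\n"
        "SELECT loan_id, paid_on, amount FROM dw.payments\n"
        "WHERE paid_on > ADD_MONTHS(:as_of, -:lookback_months) AND amount > 0;\n"
    ),
    "adhoc_fix.sql": "SELECT * FROM dw.payments WHERE loan_id = 'L-123';\n",
}

# Parameters the current quarter's report should have been run with (assumed values).
EXPECTED_PARAMS = {"as_of": "2017-09-30", "lookback_months": "24"}


def split_script(text):
    """Return (parameters, logic): the declared parameters and the script with those lines removed."""
    params = dict(PARAM_LINE.findall(text))
    logic = PARAM_LINE.sub("", text)
    return params, logic


def logic_digest(text):
    """SHA-256 of the query logic only; parameter lines are excluded before hashing."""
    _, logic = split_script(text)
    return hashlib.sha256(logic.encode("utf-8")).hexdigest()


def baseline(scripts):
    """Digest every approved script. Retain the result where the script owner cannot alter it."""
    return {name: logic_digest(text) for name, text in scripts.items()}


def compare_to_baseline(approved, current):
    """Scripts whose logic changed since approval, scripts outside the baseline, and missing scripts."""
    old, new = baseline(approved), baseline(current)
    return {
        "changed": sorted(n for n in old if n in new and new[n] != old[n]),
        "added": sorted(n for n in new if n not in old),
        "removed": sorted(n for n in old if n not in new),
    }


def check_parameters(scripts, expected):
    """(script, parameter, actual, expected) for each declared parameter that differs from expected."""
    exceptions = []
    for name, text in scripts.items():
        params, _ = split_script(text)
        for key, want in expected.items():
            if key in params and params[key] != want:
                exceptions.append((name, key, params[key], want))
    return exceptions


if __name__ == "__main__":
    print("logic versus baseline:", compare_to_baseline(APPROVED_SCRIPTS, CURRENT_SCRIPTS))
    print("parameter exceptions:", check_parameters(CURRENT_SCRIPTS, EXPECTED_PARAMS))
```

Two caveats matter in practice. The baseline must be held where the end-user who maintains the scripts cannot write to it (for example, retained in the audit file or in a repository under change control); a baseline the user can update proves only that the script matches whatever was last saved. And a matching digest shows only that the logic is unchanged since the tested version, not that the tested version was correct, so the baseline version still needs the reperformance testing described earlier, and the digest says nothing about the data in the warehouse the script reads.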

7.8.3 Consider the implications of control deficiencies


When we identify a deficiency in the design of a control that addresses the accuracy and completeness
of information used in a control, or an exception in testing its operating effectiveness that we conclude
is a deficiency in operating effectiveness, we evaluate the severity of the deficiency and its
implications for our approach and plan for the audit of the financial statements, as we would for any
other deficiency in a relevant control. Such a deficiency does not automatically mean that the control
which depends on this information would also be concluded to be not operating effectively. The
following considerations apply specifically to deficiencies in controls that address the accuracy and
completeness of information used in a control:
• Deficiencies in the design or operating effectiveness of general IT controls that support the
reliability of system-generated reports, or of the source data that is processed and housed within
the IT systems, are considered in the same way as any other general IT control deficiency.
For example, we consider whether the control deficiencies resulted in an error in the system-
generated report(s) or in the reliability of the source data used in reports (either system
generated or non-system generated).
• A deficiency in a control that addresses the accuracy and completeness of information typically
results in a conclusion that the control that uses the information is also ineffective. Absent
appropriate redundant or compensating controls, the severity of the control deficiency is evaluated
the same as any other deficiency in a control that directly addresses a risk of material
misstatement.
For example, a management review control uses an Excel report and we test the management
review control and conclude that it is designed and operating effectively; however, the controls
over the generation of the Excel report are found to be deficient. Although the management
review control was tested and concluded to be effective, as it relies on the accuracy and
completeness of the Excel report, we conclude that the management review control is therefore
not effective. Accordingly, we need to consider whether other controls exist to address the risk(s)
of material misstatement to which the management review control was related. The deficient
controls over the accuracy and completeness of the Excel report are evaluated for severity similar
to any other control deficiency (i.e., we consider whether the control deficiency could have
resulted in errors in the Excel report, such that there is a reasonable possibility that a material
misstatement could occur [regardless of whether an actual misstatement did occur]).
• We consider the effect of any control deficiencies on the nature, timing, and extent of our
substantive procedures, including whether it is still appropriate to assess control risk as less than
maximum (i.e., take a control-reliance approach) for the affected area.
For example, we might choose to amend our testing strategy and directly test each instance of the
report generated to determine whether any errors exist.

Pitfalls and tips for avoiding pitfalls

Pitfall: Failure to adequately document the evaluation of design and implementation, and where
applicable, operating effectiveness of the controls that address the relevant information used in a
control.
Tip: Document our evaluation of the design and implementation, and where applicable, our test of
operating effectiveness, either:
• Together with the control that uses the information, or
• As a "stand-alone control," with our testing documented separately.

© 2017 For information, contact Deloitte Touche Tohmatsu Limited Page 177 of 186
Internal control

Pitfall: Inappropriately concluding that the review of the information by the control performer is
sufficiently precise to address the accuracy and completeness of the information, particularly
system-generated reports and non-system generated reports that utilize report writers or queries or
Excel workbooks with complex formulas or macros.
Tip: Ask the user of the report whether they are relying on the accuracy and completeness of the
report. If they are not relying on the report, ask what they do to ensure that the report is accurate
and complete (both in the aggregate and at the line item level in the report) and carefully evaluate
and document whether their activities support a conclusion that the control addresses the accuracy
and completeness of the information.

Pitfall: Not considering the frequency with which manual controls over non-system generated
reports operate (i.e., every time the relevant control that uses the report operates), and testing only
one sample.
Tip: Test the controls over the generation of a non-system generated report each time we test the
control that uses the report.

Pitfall: Failure to perform rollforward procedures for controls that address the accuracy and
completeness of relevant information used in a control tested at an interim date.
Tip: Plan to perform rollforward procedures for the controls that address accuracy and completeness
of relevant information used in a control, together with the rollforward testing of the related control.

Pitfall: Not properly considering the implications of deficiencies in controls that address the
accuracy and completeness of the report (including deficiencies in general IT controls) on:
• The control that uses the information
• The nature, extent, and timing of our substantive and other auditing procedures.
Tip: Evaluate the impact of any errors in the report or deficiencies in the controls that address the
accuracy and completeness of the report, considering the impact to our overall audit approach.


7.9 Testing the accuracy and completeness of IUC directly


When directly testing IUC, our test approach considers each of the three elements: (1) source data,
(2) report logic, and (3) user-entered parameters, as applicable.

The nature of direct tests over IUC is highly dependent on the nature of the IUC. Examples of such
tests for each of the three elements include:
Source data:
• Select a sample of items from the report and agree to relevant information in the system (if
audited) or back to the appropriate source documentation as appropriate (accuracy).
• Make a sample selection from the source documentation (or from a system if audited) and agree
to relevant information on the report (completeness).
• Reconcile report totals to source data totals, as applicable.
Report logic:
• Foot and cross-foot the report and verify the report logic on a sample basis (including formulas for
extracting the relevant source data, creating the report, and executing computations within the
report, as applicable).

• Independently recreate the report and related algorithms (e.g., using ACL or by involving
exploratory data analysis specialists).
User-entered parameters:
• Directly test the appropriateness of user-entered parameters or thresholds used to generate the
report (e.g., by observing entity personnel input the user-entered parameters, by reviewing the
user-entered parameters depicted on the report, or by comparing the IUC to relevant information
in the system). Some user-entered parameters are, by their nature, entered each time a report is
generated.

We will discuss the considerations related to determining the nature and extent of direct testing
procedures in Section 7.9.2 below.

7.9.1 Considerations when planning our direct testing procedures


In order to determine whether “directly” testing IUC is the most effective and efficient testing method,
we consider the following with respect to whether and to what extent our tests of controls or
substantive procedures already address the accuracy or completeness of the IUC:

1. Consider if the IUC is the starting point of our substantive procedures, and therefore,
whether our substantive procedures also address the accuracy and completeness of the
three elements of the IUC.

Specifically, our substantive procedures may:


- Address both the accuracy and completeness of the IUC, in which case no additional
procedures are required to test the accuracy and completeness of the IUC. Often, when IUC
represents the details of a general ledger account or details from a sub-ledger that agree or
reconcile to the general ledger, our substantive procedures, including agreeing the detail to
the general ledger, address the accuracy and completeness of the IUC.
- Address the accuracy, but not the completeness, of the IUC or the completeness, but not
accuracy, of the IUC.
- Address the accuracy and completeness of some, but not all, of the attributes of the IUC that
are important to the objectives of the control or substantive procedure in which the IUC will be
used.
- Address neither the accuracy nor the completeness of the IUC.

To determine whether our substantive procedures have sufficiently addressed the accuracy and/or
completeness of the IUC, we may consider the following questions:
- What is the nature of the IUC?
- What is the objective of the relevant control in which this IUC will be used?
- What is the objective of the substantive procedures in which this IUC will be used?
- How will this IUC be used in the substantive procedure?
Note: when evaluating the sufficiency of our substantive procedures, we consider each instance of the
IUC we need to test. See Section 7.9.2 for further guidance.
Consider the following examples that illustrate the consideration of these questions for the purpose of
determining whether our substantive procedures have (1) addressed both the accuracy and
completeness of the IUC, (2) addressed either the accuracy or the completeness of the IUC, (3)
addressed the accuracy and completeness of the IUC, but not certain attributes of the IUC that are
important to the objectives of the control or substantive procedure in which the IUC will be used, or
(4) addressed neither the accuracy nor the completeness of the IUC.
Example 1: Substantive procedures address both the accuracy and completeness of the IUC —
Schedule of current year additions to property, plant, and equipment (PP&E)

• What is the nature of the IUC?
The IUC is a system-generated report showing all PP&E additions during the fiscal year by asset
class.
• What is the objective of the relevant control in which this IUC will be used?
The schedule is used by the Controller in their review of asset additions in order to identify capital
assets recorded that do not exist, or inappropriate capitalization of repairs and maintenance
expenses.
• What is the objective of the substantive procedures in which this IUC will be used?
The objective of the substantive procedures in which the IUC will be used is to address risks of
material misstatement related to the existence assertion relevant to current year additions to
PP&E.
• How will this IUC be used in the substantive procedure?
The engagement team will agree the total additions by asset class to the PP&E roll-forward
schedule, and then agree the PP&E rollforward schedule to the general ledger.
The engagement team will then make selections from the schedule of additions and trace each
selection to supporting evidence, such as vendor invoices.
In this example, the engagement team’s test of details of additions addresses the accuracy of the IUC.
Further, agreeing the IUC to the general ledger addresses the completeness of the IUC, considering
the objective of the relevant control in which it will be used. In other words, because the objective
of the relevant control in which the IUC will be used is to test the existence of PP&E additions
recorded in the general ledger during the year, agreeing the IUC to the general ledger provides
sufficient evidence that the IUC includes all PP&E additions recorded during the year; the IUC is
therefore complete for purposes of this relevant control.
Example 2: Substantive procedures address the accuracy but not the completeness of the IUC —
Subsequent cash disbursements report
• What is the nature of the IUC?
The subsequent cash disbursements report is a system-generated report of cash disbursements
from the check registers for each of the entity’s operating cash accounts made in the 30 days after
year-end.
• What is the objective of the relevant control in which this IUC will be used?
The entity’s accounts payable department runs this report in order to determine that all liabilities
at year-end have been included in accounts payable at year-end.
• What is the objective of the substantive procedures in which this IUC will be used?
The objective of the substantive procedure in which the IUC will be used is to address the risks of
material misstatement linked to the completeness assertion for the year-end accounts payable
balance.
• How will this IUC be used in the substantive procedure?
The engagement team will make selections from the IUC and for each selection examine
supporting evidence, such as evidence of disbursement, vendor invoices, and receiving reports,
and trace those that represent a liability at year-end to the year-end accounts payable detail.
In this example, the engagement team’s tests of details to address the completeness of year-end
accounts payable would address the accuracy of the IUC. However, the engagement team’s
substantive procedures would not address the completeness of the IUC considering the objective
of the relevant control. As a result, additional procedures would be necessary to address the
completeness of the IUC.
Example 3: Substantive procedures address the accuracy and completeness of some, but not all, of
the attributes of the IUC that are important to the objectives of the relevant control in which the IUC
will be used — A/R aging detail

• What is the nature of the IUC?
The A/R aging report is a standard monthly report from the entity’s ERP system that lists all
customer balances at year-end and the aging of those balances into current, 30-60 days, 60-90
days, and over 90 days categories.
• What is the objective of the relevant control in which this IUC will be used?
The report is used by the Controller in reviewing the estimate of the A/R allowance at month-end.
• What is the objective of the substantive procedures in which this IUC will be used?
The objective of the substantive procedures in which the IUC will be used is to:
1) Address the risks of material misstatement related to the existence and accuracy assertions
for the accounts receivable balance
2) Address the risks of material misstatement related to the valuation assertion for the allowance
for doubtful accounts at year-end.
• How will this IUC be used in the substantive procedure?
1) The engagement team will reconcile the A/R aging report to the general ledger, and will select
a sample of customer balances and confirm the selected balances with customers
2) The engagement team will use the aging categories in the A/R aging report to develop
expectations for the general allowance for doubtful accounts.
In this example, the engagement team’s tests of details (specifically, its confirmation procedures)
to address the risk of material misstatement that the accounts receivable balance at year-end is
not accurately recorded or does not relate to a valid receivable would address the accuracy of the
total accounts receivable amounts in the accounts receivable aging report. In addition, agreeing or
testing the reconciliation of the total accounts receivable balance in the accounts receivable aging
report to the general ledger at year-end would address the completeness of this IUC considering
the objective of the relevant control. However, these procedures would not address the accuracy
of the aging of individual customer balances, which is an attribute critical to the objective of the
relevant control. As a result, the engagement team would need to design procedures to test the
accuracy of the aging categories in the accounts receivable aging report.
Example 4: Substantive procedures have addressed neither the accuracy nor the completeness of the
IUC — Schedule of square footage under rent
• What is the nature of the IUC?
The Schedule of Square Footage under Rent is a manually-generated report produced quarterly by
personnel in the entity’s Real Estate Department and is used in managing the entity’s real estate
costs. It lists all properties leased by the company and the square footage for each lease.
• What is the objective of the relevant control in which this IUC will be used?
The Controller uses the report in their review of the budget for annual rent expense.
• What is the objective of the substantive procedures in which this IUC will be used?
The objective of the substantive procedures in which this schedule will be used is to conclude on
the accuracy, occurrence, completeness, and cut-off assertions for annual rent expense.
• How will this IUC be used in the substantive procedure?
The square footage in this schedule is one of the variables that will be used in developing the
engagement team’s expectations of annual rent expense.
The engagement team’s substantive analytical procedures to test rent expense would not address
the accuracy and completeness of the square footage amounts in this schedule. As a result,
additional procedures to test both the accuracy and completeness of the IUC would be needed.

2. Consider if the IUC is extracted from data related to classes of transactions, account
balances, or disclosures that is already being tested as part of our audit — either by
testing the relevant controls or through substantive procedures. If so, we may need to
only plan additional testing of the remaining IUC elements (i.e., the report logic and, if
applicable, the user-entered parameters).

For example, we test the relevant controls over sales, billing, and cash receipts, including the
relevant general IT controls (which address unauthorized access to, and changes in, the A/R
sub-ledger data), for control reliance purposes, and our substantive procedures validate that the
transaction data in the A/R sub-ledger is accurate and complete. Accordingly, when testing the A/R
aging report, which is derived from the A/R sub-ledger detail, we do not need to trace selections
back to source documents, as we have already determined through our tests of relevant controls
that the A/R sub-ledger detail is accurate and complete.
However, even when we may have tested the controls related to the underlying source data or
substantively tested the source data, we may still need to perform procedures to address the
appropriateness of the report logic and user-entered parameters used in producing the IUC. In
some cases, we may be able to use the same items tested (or a subset thereof) for our control
tests or substantive procedures to perform procedures specifically directed at the accuracy and
completeness of the process to extract the relevant data into the report.
For example, although we have already determined through our tests of relevant controls that
the A/R sub-ledger detail is complete and accurate, we still need to perform procedures to address
the appropriateness of the report logic. Therefore, to validate that the data in the A/R aging report
was properly extracted, we may reconcile the A/R aging report to the A/R sub-ledger in the
aggregate and then trace into the A/R aging report the relevant information for the items (or
subset thereof) that were selected for A/R confirmations.

Pitfall Not specifically considering whether the accuracy and completeness of IUC is
addressed as part of our already-planned audit procedures (e.g., substantive
procedures or tests of controls), resulting in duplicate or unnecessary
procedures being performed.

3. Consider if the IUC consists of source data that may be tested for accuracy and
completeness in conjunction with our other tests of controls or substantive procedures
for the relevant flows of transactions.

For example, when performing substantive tests of sales transactions, we may also test that the
product codes/SKUs were properly coded and input into the system in order to validate that the
data at the sales-by-product-code/SKU level is accurate and complete.
Similarly, when performing tests of controls, we may also assess whether the identified controls
specifically address the recording and reporting of revenue and expenses by location.

Pitfall Inappropriately relying on our substantive procedures or tests of controls which did
not address all of the relevant aspects of the source data used in the IUC (e.g., the
location of an expense or coding of sales by SKU).

7.9.2 Considerations when determining the nature and extent of procedures to directly test
IUC
In determining the nature and extent of direct testing procedures, we need to consider (1) the
number of instances of the IUC to test and (2) the nature and extent of procedures we will perform
for each instance.

1. The number of instances to test

Each time we rely on the accuracy and completeness of information (e.g., a report) in concluding
whether a control that uses the information is effective is an "instance." We therefore test each
instance of the IUC that we rely on in reaching that conclusion (unless the IUC is system-generated
and subject to effective general IT controls, see below); that is, each individual report used in each
sample of the relevant control we have selected is an "instance" that needs to be tested.
For example, to validate that all orders shipped are invoiced, and all orders invoiced have shipped,
the Warehouse Director reconciles the Daily Open Invoice Report to the daily Orders Shipped Log and
verifies that all shipments listed in the Orders Shipped Log were also listed in the Daily Open Invoice
Report for the same day. Given the frequency of this control is daily, we have calculated a sample size
of 15, and have decided to directly test the IUC. Since we need to test each report for each sample
selected, we will test 15 Open Invoice Reports, and 15 Orders Shipped Logs for a total of 30 instances
of IUC.

When the IUC is system-generated and the related general IT controls have been tested and found to
be operating effectively, the approach to determining the number of instances to test the IUC
elements that are subject to general IT controls (e.g., typically the report logic) is similar to the
approach for determining the sample size to test an automated control (i.e., testing the report logic
for one instance of the report may be sufficient because the general IT controls prevent unauthorized
changes to the report logic). However, this approach would typically not apply to user-entered
parameters that are input manually or the integrity and reliability of the source data before it enters
the IT system and becomes subject to the general IT controls.
For example, consider a monthly control that uses an instance of a particular system-generated
report. We determined that the access and program change controls over the report logic and source
data are effective. In this case, we may test all three elements of the IUC for the May sample, but we
do not need to retest the report logic for the November sample since it is subject to effective general
IT controls. However, we do consider what additional procedures are necessary with respect to the
source data (e.g., which may be addressed by testing the relevant controls over the processing and
maintenance of the source data or by directly testing the source data) and the user-entered
parameters.

When general IT controls are not effective, we consider the implications of the ineffective general IT
controls on our approach to control and substantive procedures (e.g., the source data the entity relies
on related to transactions or other data that are initiated, authorized, recorded, processed, or reported
through the system) and any reports produced by the IT systems affected by the ineffective general
IT controls and adjust our planned procedures accordingly.

Pitfalls Incorrectly assuming that each of the three elements of the IUC is addressed by the
entity’s general IT controls.

Inappropriately reducing the number of instances of IUC to test when general IT controls
are ineffective.

2. The nature and extent of procedures for each instance of IUC

The nature and extent of procedures to directly test the accuracy and completeness of IUC vary based
on (1) the classification of the associated risk of material misstatement as significant, higher or lower;
(2) how the IUC is used in the relevant control (i.e., how important is the IUC to the effectiveness of
the control); (3) the nature of the IUC; and (4) the likelihood the IUC (or of specific attributes of the
IUC that are important to the objective of the relevant control in which the IUC will be used) could be
inaccurate or incomplete.

As discussed above, we obtain an understanding of the nature of the IUC in order to determine
whether our substantive procedures by themselves sufficiently address the accuracy and/or
completeness of the IUC. That understanding also informs our consideration of the likelihood the IUC
is inaccurate or incomplete, which enables us to determine the nature and extent of our direct testing
procedures.

There is no definitive list of factors that affect the likelihood that IUC is inaccurate or incomplete.
However, the following table provides some example factors that might indicate that IUC has a higher
or lower likelihood of being inaccurate and/or incomplete:

Lower likelihood:
• Relatively simple
• Routinely prepared
• No history of errors
• Used by the entity in managing its operations
• System-generated
• Preparation involves little or no management judgment

Higher likelihood:
• Highly complex
• Prepared ad hoc
• A history of errors detected by the entity or us
• Prepared solely for purposes of our audit
• Manually prepared
• Preparation involves significant management judgment

With respect to our extent of testing, while we are not required to use a statistically based approach
to determine the appropriate sample size for directly testing IUC, we may consider the sample size
tables in DTTL AAM Figure 23001.1 or DTTL AAM Figure 23002-4.1 as a starting point to provide a
frame of reference that may assist us in judgmentally determining an appropriate sample size of items
on a report/IUC to test. Therefore, for the purposes of performing procedures to address the accuracy
and completeness of IUC, the sample sizes in the tables are not required minimums or maximums;
rather, they are simply data points for consideration. In applying this guidance, it might be
determined that the sample for direct testing be limited to the lower of the sample size determined
from each of the two sample size tables referred to above.

When considering the sample size tables in DTTL AAM Figure 23001.1, the column considering the
frequency of the performance of the control may be considered in terms of the population of the
report being subjected to direct testing. For example, the population of a report that has 200-300 line
items is equivalent to a control that operates daily and thus, the indicated sample size may be used as
a data point for determining the sample size for testing the report.

Pitfalls For each instance of IUC selected for testing, defaulting to a very small sample size (e.g.,
a “test of one”) is typically not sufficient.

Inappropriately allocating the sample size across instances of IUC that are required to be
tested (e.g., spreading a sample of 25 items across the two instances of IUC that are
required to be tested).

Inappropriately allocating the sample size between (1) procedures performed to address
accuracy and (2) procedures performed to address completeness of the IUC.

7.9.3 Testing the accuracy and completeness of IUC using a combination approach
We may determine that the most effective approach to testing the accuracy and completeness of IUC
is through a combination of both tests of controls and direct testing.

For example, management uses an accounts receivable aging report when evaluating the adequacy of
the bad debt reserve. It is a standard system-generated report, which is subject to general IT controls
that were tested and concluded to be effective. The user-entered parameters are reviewed by the user
of the report for appropriateness.

Combined testing approach 1: Test controls over the accuracy and completeness of source data and
directly test report logic and user-entered parameters

Test controls over accuracy and completeness of source data:

Test the relevant controls over the accuracy and completeness related to recording of sales, credit
memos, and cash receipts that explicitly address all the relevant data such as the customer, amounts
and transaction date.

Directly test report logic and user-entered parameters:

Reconcile the accounts receivable aging report totals to the accounts receivable sub-ledger and foot
and cross-foot the totals. Select a sample covering each important calculation and any significant
variation (e.g., one item of each transaction type, such as cash receipts, invoices, and credits, from
each aging bucket) and determine that each item is properly aged in the accounts receivable aging
report.

Test the appropriate input of user-entered parameters or thresholds.

Combined testing approach 2: Directly test the accuracy and completeness of source data and test
controls over the report logic and user-entered parameters

Directly test accuracy and completeness of source data: Reconcile the accounts receivable aging
report totals to the accounts receivable sub-ledger and foot and cross-foot the totals. Select a sample
of X items from the accounts receivable confirmation selections (which were selected from the
accounts receivable sub-ledger) and trace them into the accounts receivable aging report. Test the
accuracy and completeness of a sample of other transactions (e.g., unapplied cash receipts and
credits, if material).

Test controls over the report logic and user-entered parameters:

Reperform the automated report logic by:

• Reconciling the accounts receivable aging report to the accounts receivable sub-ledger to
verify that it agrees in total (completeness of the data extraction)
• Selecting one line item from the accounts receivable aging report and agreeing the details back
to the data in the accounts receivable sub-ledger (accuracy of the data extraction)
• Verifying the mathematical accuracy of each important calculation, covering any significant
variations (e.g., one item of each transaction type, such as cash receipts, invoices, and credits,
from each aging bucket), to determine that each item is properly aged in the report.

Reperform the review performed by the user of the user-entered parameters.
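The direct tests listed in Section 7.9 (source data, report logic and user-entered parameters), the
aging-accuracy gap described in Example 3 and the two combined approaches above can be reperformed
with a short script once the sub-ledger extract and the entity's report are available as data. The
following Python script is an added example; it is not from this guide or from any DTTL tool. The
sub-ledger records, the entity's aging report (which reconciles and foots but places one 61-day-old
invoice in the 30-60 bucket), the confirmation selections and the bucket boundaries (current is 0 to 30
days past invoice date, and so on) are constructed assumptions.

```python
# Added example (not from this guide): reperforming the direct tests of the three IUC
# elements over one instance of an A/R aging report. The sub-ledger records, the
# entity's report, the confirmation selections and the bucket boundaries are assumptions.
from datetime import date
from decimal import Decimal

AS_OF = date(2017, 12, 31)  # period end; the as-of parameter on the report should equal this

# Assumed bucket definition in days since invoice date (name, low, high); the
# entity's own definition would be used in practice.
BUCKETS = (("current", 0, 30), ("30-60", 31, 60), ("60-90", 61, 90), ("over 90", 91, None))

# Constructed source data: open items in the A/R sub-ledger at the as-of date.
SUBLEDGER = [
    {"id": "INV-1001", "customer": "C01", "invoice_date": date(2017, 12, 20), "amount": Decimal("1000.00")},
    {"id": "INV-1002", "customer": "C02", "invoice_date": date(2017, 11, 15), "amount": Decimal("2500.00")},
    {"id": "INV-1003", "customer": "C03", "invoice_date": date(2017, 10, 31), "amount": Decimal("800.00")},
    {"id": "INV-1004", "customer": "C01", "invoice_date": date(2017, 9, 1), "amount": Decimal("1200.00")},
    {"id": "INV-1005", "customer": "C04", "invoice_date": date(2017, 12, 1), "amount": Decimal("450.00")},
]

# Constructed IUC: the entity's aging report. Every sub-ledger item is extracted and
# the buckets foot, but INV-1003 (61 days old) has been placed in the 30-60 bucket.
ENTITY_REPORT = {
    "as_of": date(2017, 12, 31),  # user-entered parameter printed on the report
    "lines": [
        {"id": "INV-1001", "customer": "C01", "amount": Decimal("1000.00"), "bucket": "current"},
        {"id": "INV-1002", "customer": "C02", "amount": Decimal("2500.00"), "bucket": "30-60"},
        {"id": "INV-1003", "customer": "C03", "amount": Decimal("800.00"), "bucket": "30-60"},
        {"id": "INV-1004", "customer": "C01", "amount": Decimal("1200.00"), "bucket": "over 90"},
        {"id": "INV-1005", "customer": "C04", "amount": Decimal("450.00"), "bucket": "current"},
    ],
    "totals": {"current": Decimal("1450.00"), "30-60": Decimal("3300.00"),
               "60-90": Decimal("0.00"), "over 90": Decimal("1200.00")},
}

# Items already selected for A/R confirmation, reused for the item-level traces.
CONFIRMATION_SELECTIONS = {"INV-1002", "INV-1004"}

def age_bucket(days_outstanding):
    """Recompute the bucket for an item that is `days_outstanding` days past its invoice date."""
    for name, low, high in BUCKETS:
        if days_outstanding >= low and (high is None or days_outstanding <= high):
            return name
    raise ValueError(f"no bucket for {days_outstanding} days (invoice dated after the as-of date?)")

def reconcile_totals(report, subledger):
    """Completeness of the extraction: report lines less sub-ledger, in aggregate (zero = agrees)."""
    return sum(l["amount"] for l in report["lines"]) - sum(r["amount"] for r in subledger)

def foot_report(report):
    """Foot the report: printed bucket total less the sum of the lines shown in that bucket."""
    computed = {name: Decimal("0") for name, _, _ in BUCKETS}
    for line in report["lines"]:
        computed[line["bucket"]] += line["amount"]
    return {name: report["totals"][name] - computed[name] for name in computed}

def trace_report_to_subledger(report, subledger, sample_ids):
    """Accuracy: each sampled report line must agree to its sub-ledger record (customer and amount)."""
    by_id = {r["id"]: r for r in subledger}
    exceptions = []
    for line in report["lines"]:
        if line["id"] in sample_ids:
            src = by_id.get(line["id"])
            if src is None or src["amount"] != line["amount"] or src["customer"] != line["customer"]:
                exceptions.append(line["id"])
    return exceptions

def trace_subledger_to_report(subledger, report, sample_ids):
    """Completeness at item level: each sampled sub-ledger item must appear on the report."""
    on_report = {l["id"] for l in report["lines"]}
    return [r["id"] for r in subledger if r["id"] in sample_ids and r["id"] not in on_report]

def check_report_logic(report, subledger):
    """Report logic: recompute every line's bucket; returns (id, reported, expected) for mis-aged items."""
    by_id = {r["id"]: r for r in subledger}
    exceptions = []
    for line in report["lines"]:
        src = by_id.get(line["id"])
        if src is None:
            continue  # a line with no source record is reported by the accuracy trace instead
        expected = age_bucket((report["as_of"] - src["invoice_date"]).days)
        if expected != line["bucket"]:
            exceptions.append((line["id"], line["bucket"], expected))
    return exceptions

def run_direct_tests(report, subledger, expected_as_of, sample_ids):
    """Run the direct tests over one instance of the IUC and return the findings."""
    return {
        "as_of_parameter_ok": report["as_of"] == expected_as_of,  # user-entered parameter
        "total_difference": reconcile_totals(report, subledger),
        "footing_differences": foot_report(report),
        "accuracy_exceptions": trace_report_to_subledger(report, subledger, sample_ids),
        "completeness_exceptions": trace_subledger_to_report(subledger, report, sample_ids),
        "aging_exceptions": check_report_logic(report, subledger),
    }

if __name__ == "__main__":
    for name, result in run_direct_tests(ENTITY_REPORT, SUBLEDGER, AS_OF, CONFIRMATION_SELECTIONS).items():
        print(f"{name}: {result}")
```

For the constructed data the aggregate reconciliation, the footing and both item-level traces pass;
only the recomputation of the aging logic surfaces INV-1003. That is the point of Example 3:
reconciling the report to the sub-ledger and confirming balances address the extraction and the
amounts, not the aging categories. The script covers one instance of the IUC; under Section 7.9.2 it
is rerun for each instance, except that report logic subject to effective general IT controls need only
be reperformed once.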

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms,
and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”)
does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.
This publication is for internal distribution and use only among personnel of Deloitte Touche Tohmatsu Limited, its member firms, and their related
entities (collectively, the “Deloitte Network”). None of the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who
relies on this publication.
© 2017. For information, contact Deloitte Touche Tohmatsu Limited.
