CHAPTER 11

AUDIT PROCEDURES IN RESPONSE TO

ASSESSED RISKS: TESTS OF CONTROLS
Learning Check
11-1. a.

b.

Assessing control risk is the process of evaluating the effectiveness of an entity's

internal controls in preventing or detecting material misstatements in the financial
statements.
Control risk should be assessed in terms of individual financial statement
assertions.

11-2. In assessing control risk for an assertion, the auditor should perform the following five
steps:
1. Consider knowledge acquired from procedures to obtain an understanding about
whether controls pertaining to the assertion have been designed and placed in
operation by the entity's management.
2. Identify the potential misstatements that could occur in the entity's assertion.
3. Identify the necessary controls that would likely prevent or detect the misstatements.
4. Perform tests of controls on the necessary controls to determine the effectiveness of
their design and operation.
5. Evaluate the evidence and make the assessment.
11-3. a.

b.

In identifying both potential misstatements and necessary controls, the auditor

typically uses either (1) computer software that analyzes responses to specific
questions input for computerized internal control questionnaires or (2) checklists
developed for the same purpose.
Most completeness controls compare information that is obtained when a
transaction is authorized, and compare the information with information that is
created when goods or services are shipped or received, and again with
information when the transaction is recorded. Completeness controls will also
compare information created with the transaction is recorded with information
associated with receipt or payment of cash (consideration). For example, a
control over completeness of sales might create a report of all goods that are
ordered that have not been shipped, a separate report of all items that have been
shipped but not billed, and a third report of all billings that have not been
collected.

c.

The occurrence, accuracy cutoff, and classification objectives are normally

controlled by comparing information input for recording a transaction with
information that is entered into the system when the transaction is authorized or
when goods or services are shipped or received. For example, sales invoice
information will usually be compared with information associated with the sales
order (authorization) or the bill of lading and packing slip (shipment of goods).

11-4. a.

Evidence obtained from procedures to obtain an understanding should be used by

the auditor to (1) identify types of potential misstatements and (2) consider factors
that affect the risk of material misstatements, such as whether controls necessary
to prevent or detect the misstatements have been designed and placed in
operation. This knowledge should enable the auditor to make an initial assessment
of control risk for an assertion. During this process the auditor may obtain some
evidence about the effectiveness of the design and operation of internal controls.
However, such evidence rarely is sufficient to allow the auditor to assess control
risk at moderate or low.

b.

Evidence obtained from tests of controls pertains to the effectiveness of the design
and/or operation of the control tested and may be used in making a final
assessment of control risk for an assertion.

11-5. When evaluating the significance of any deficiency in internal control the auditor should
consider the likelihood (frequency of deviations) and the magnitude of potential
misstatements. For example, when evaluating a deficiency in internal controls related to
revenue recognition, the auditor needs to evaluate the percentage of the time that the
control might fail (likelihood or probability) and the dollar amount of misstatement that
could happen when the control fails (magnitude or materiality). The auditor will
normally classify deficiencies as (1) deficiencies, (2) significant deficiencies, or (3)
material weaknesses depending on the likelihood and magnitude of potential
misstatements that might result from an internal control weakness.
11-6. a.

b.

Three strategies that the auditor might use when testing a system of internal
controls that use information technology include:
1. Assessing control risk based on user controls.
2. Planning for a low control risk assessment based on application controls.
3. Planning for a high control risk assessment based on general controls and
manual follow-up.
The auditor might assess control risk as low based on two of the three above
strategies, assuming that the evidence shows that the controls are effectively
designed and placed in operation. First the auditor can assess control risk as low
based on user controls, such as effective performance reviews by management.
Second, the auditor can assess control risk as low based on effective computer
application controls. This strategic also involved effective manual follow-up of
exceptions noted by application controls.

c.

The auditor can assess control risk as high based on evidence obtained about both
computer controls and manual follow-up procedures. The auditor may be able to
develop implications about the effective operation of application controls based
on inspection of exception reports and inquiries of those who follow-up on
exception reports. However, the auditor must perform direct tests of application
controls in order to assess control risk below a high level.

11-7. a.

The advantages of using computer assisted audit technique in performing tests of

controls include:
A significant part of the entitys system of internal controls is imbedded in
computer programs.
There are significant gaps in the visible audit trail.
There are large volumes of records to be tested.

b.

The major disadvantages of using computer-assisted audit techniques are the

special knowledge and skills required, and the possible disruption of the clients
IT operations while the auditor uses IT equipment, programs and files. The
auditor must also test the effectiveness of manual follow-up procedures in order to
determine how effectively the computer controls are at preventing or detecting
and correcting misstatements in assertions.

11-8. The advantages of parallel simulation include the following:

Because real data are used, the auditor can verify the transactions by tracing them to
source documents and approvals.
The size of the sample can be greatly expanded at relatively little additional cost.
The auditor can independently run the test.
The disadvantages include the fact that the auditor may need special training to
understand the clients program and develop a program that simulates the clients
program. The auditor must also take care to determine that the data selected for
simulations are representative of actual client transactions.
11-9. a.

Under the test data approach, dummy transaction are prepared by the auditor and
processed under auditor control by the clients computer program. This is often
performed during a time when the auditor can take full control over the clients
computer operations. In an integrated tests facility approach the auditor does not
control computer operations and dummy transactions are processed
simultaneously with real transactions. This usually requires the creation of a small
subsystem (a mini-company) within the regular IT system. It may be
accomplished by creating dummy master files or appending dummy master
records to existing client files. Test data, specially coded to correspond to the
dummy master files, are introduced into the system together with actual
transactions.
b.

A common way to test programmed controls in an on-line, real-time system is to

create some form of continuous monitoring. For example, an audit module might

be created to tag transactions for subsequent testing, or an audit log (frequently

called a systems control audit review file or SCARF) might be used to record
transactions that meet particular audit criteria.
11-10. In comparison to the methodology for assessing control risk under the primarily
substantive approach, the methodology under the lower assessed level of control risk
approach involves obtaining and documenting a more extensive understanding of relevant
policies and procedures for all five components of internal control. The component
control activities often may be skipped in some cases when the primarily substantive
approach is used. In addition, under the lower assessed level of control risk approach,
additional or planned tests of controls must be performed in order to obtain the evidence
needed to support the planned assessed level of control risk of moderate or low.
11-11. When the auditor evaluates the effectiveness of a control the auditor should assess (1)
how the control was applied, (2) the consistency with which it was applied during the
period, and (3) by whom it was applied.
11-12.
Types of evidence to
evaluate the effectiveness
of internal control
Inquiries of appropriate entity
personnel

Factors that affect the

reliability of the evidence.

Inspection of documents,
reports, or electronic files,
indicating performance of the
control.

Observation of the application

of the control

Reperformance of the
application of the control by
the auditor, including CAATS

Inquiry is most effective for determining an employees

understanding of computer controls or of his or her duties,
the individuals performance of those duties, and the
frequency, causes, and disposition of deviation.
The results of inquiry is a form of representation by
management or employees and should be corroborated by
other evidence
Inspection of documents may leave documentary evidence
of the audit trail, such as notations on exception reports,
signatures or validation stamps that indicate whether a
control was performed.
Not all controls leave a documentary audit trail. Further,
in some systems, documents may be retained only for a
short period of time.
Observation also is effective for determining how an
employee uses computer output and how an employee
performs his or her duties.
Observation may be affected by the fact that an employee
may perform procedures differently when the auditor is
present.
Observation applies only to the time at which it is
performed.
Reperforming a control, particularly using CAATs,
provides evidence about the effective functioning of the
control at that point in time.
CAATs only provides evidence about the point in time at

when it was performed.

11-13. a.

The timing of tests of controls relates to when it was obtained and the portion of
the audit period to which it applies. For example, performing CAATs, such as the
use of test data, applies only to the point in time when the test was performed.

b.

When the auditor obtains evidential matter about the design or operation of
controls during an interim period, he or she should determine what additional
evidential matter should be obtained for the remaining period. Professional
standards suggest that the auditor should consider the following factors when
determining the evidence that needs to be obtained during the remaining period.
The significance of the assertion involved
The specific controls that were evaluated during the interim period
The degree to which the effective design and operation of those controls were
evaluated
The results of the tests of controls used to make that evaluation
The length of the remaining period
The evidential matter about design or operation that may result from the
substantive test performed in the remaining period.
The auditor should also obtain evidential matter about the nature and extent of
any significant changes in internal control, including its policies, procedures, and
personnel that occur subsequent to the interim period.

c.

The auditor of a private company may consider evidence about the effective
design or operation of internal controls obtained during prior audits in assessing
control risk in the current audit. Professional standards state that when evaluating
the use of evidence obtained in prior audits the auditor should consider:
The significance of the assertion involved.
The specific controls that were evaluated during the prior audits.
The degree to which the effective design and operation of those controls were
evaluated
The results of the tests of controls used to make those evaluations
The evidential matter about design or operation that may result from
substantive tests performed in the current audit.
The auditor should also consider that the longer the time elapsed since the
performance of tests of controls, the less assurance it may provide. Finally, the
auditor needs to evaluate evidence in the current period about whether changes
have occurred in internal control, including its policies, procedures, and
personnel, subsequent to the prior audits, as well as the nature and extent of any
such changes.
Evidence obtained in the prior period is not a substitute for evidence obtained in
the current period. After considering the factors that affect evidence obtained in
the prior period and evidence obtained about changes in the current period, the
evidence may support either increasing or decreasing the additional evidential

matter about the effectiveness of design and operation to be obtained in the

current period.
Students should note that standards are different for auditors of public
companies. If the auditor is issuing an opinion on the effectiveness of
internal controls over financial reporting, evidence supporting that opinion
must be obtained from the current audit period.
11-14. a.
b.

In general, the lower the planned assessed level of control risk, the greater the
extent of tests of controls.
Three factors bear on the auditors decisions about test of controls: (1) the nature
of the control, (2) the frequency of operation of the control, and (3) the
importance of the control.
With respect to the nature of the control the auditor should subject manual
controls to more extensive testing than automated controls. A single test of each
condition of a programmed control may be sufficient to obtain a high level of
assurance that the control operated effectively if general controls are also
operating effectively. However, manual controls usually require more extensive
testing. In general, as the level of complexity and the level of judgment in the
application of a control increase, the extent of the auditors testing should also
increase. If the level of competency of the person performing the control
decreases, the extent of testing should also increase.
With respect to the frequency of operation of the control the more frequent the
operation of a manual control, the more operations of the control the auditor
should test. Controls that operate daily should be tested more extensively than
controls that operate monthly (account reconciliations), or quarterly (quarter end
reviews).
With respect to the importance of the control, controls that are more important
should be tested more extensively. Some controls such as the control
environment or computer general controls have a pervasive impact on other
controls should be subjected to more extensive tests than controls that are less
important to the audit strategy.

11-15. It might be appropriate to use a computer audit specialist to evaluate computer general
controls and application controls. It might also be appropriate to bring in a health care
industry expert to evaluate the risk of incorrect Medicare billing, or a banking industry
expert to evaluate FDIC regulatory compliance.
Entry level staff usually have sufficient qualifications to evaluate internal controls over
routine transactions, such as sales, purchases, or payroll.

11-16. Dual-purpose tests occur when the auditor simultaneously performs tests of controls and
substantive tests of details of transactions to detect monetary errors on the same
transactions.
11-17. a.

For an account affected by a single transaction class, the control risk assessment
for a particular account balance assertion is the same as the control risk
assessment for the same transaction class assertion. Thus, control risk for the
existence or occurrence assertion for the sales account balance is the same as the
control risk assessment for the existence or occurrence assertion for the sales
transactions class. The actual control risk assessment is then compared with the
planned control risk assessment for the assertion. If the actual assessment is not
greater than the planned assessment for the assertion, the planned level of
substantive tests is supported.

b.

For an account affected by more than one transaction class (a balance sheet
account), the combined control risk assessment is based on the control risk
assessment for the transaction class assertions that increase the account balance
and the transaction class assertions that decrease the account balance. Thus,
control risk for the existence of accounts receivable is based on the combined
control risk assessments for the occurrence of sales and the completeness of cash
receipts transactions and the completeness of sales returns and allowance.

11-18. When the control risk assessments for the relevant transaction class assertions differ, the
auditor may (1) judgmentally weigh the significance of each assessment in arriving at a
combined assessment or (2) use the most conservative (highest) of the relevant
assessments. The assessment for each related transaction class assertion must be
considered because a misstatement in any of the relevant transaction class assertions
could produce a misstatement in the account balance assertion.
11-19. a.

b.
11-20. a.

b.

The requirements for documenting the assessed level of control risk are: (1)
control risk at maximum - only this conclusion needs to be documented; (2)
control risk below the maximum - the basis for the assessment must also be
documented.
In practice, documentation of the assessed level of control risk often takes the
form of narrative memoranda organized by financial statement assertions.
The auditor is required to identify and report to the audit committee, or other
entity personnel with equivalent authority and responsibility, certain conditions
that relate to an entity's system of internal control observed during an audit. In
particular, the auditor should report significant deficiencies or material
weaknesses in internal control.
Both significant deficiencies and material weaknesses have more than a remote
likelihood of occurrence. They differ in the magnitude of misstatement that might
result for the deficiency. The magnitude of misstatement in a significant

deficiency is more than inconsequential. The magnitude of misstatement

associated with a material weakness is material.

Comprehensive Questions
11-21. (Estimated time 30 minutes)
a.

An auditor may assess control risk at the maximum level for some or all
assertions because the auditor believes internal controls are unlikely to pertain to
an assertion, are unlikely to be effective, or because evaluating their effectiveness
would be inefficient.

b.

To support assessing control risk at less than the maximum level, an auditor must
determine whether internal controls are suitably designed to prevent or detect
material misstatements in specific financial statement assertions and obtain
evidence through tests of controls that the policies and procedures are operating
effectively.

c.

When seeking a further reduction in the planned assessed level of control risk, the
auditor should consider the likelihood that evidence can be obtained in a costefficient manner to support a lower assessment.

d.

The auditor's understanding of the internal controls should be documented in the

form of completed questionnaires, flowcharts, and/or narrative memoranda. The
auditor's decisions regarding the type of evidence, the source of evidence, the
timeliness of evidence, the existence of other evidential matter, and audit staffing
should be documented in an audit program and related working papers. When the
auditor's assessment of control risk is at the maximum level, only that conclusion
needs to be documented. When the assessment is that control risk is below the
maximum, the basis for the assessment must also be documented.

11-22. If the auditor wants to assess control risk at a low level, the auditor needs to put the
following combination of tests of controls together to have compelling evidence that the
programmed control functioned effectively throughout the period.

The auditor needs evidence to support the conclusion that computer general
controls are effective.

The auditor needs evidence from CAATs to conclude that the programmed control
is effectively matching sales invoices with underlying shipping information.

The auditor needs evidence that items that appear on exception reports are
followed-up upon and corrected on a timely basis.

11.23. (Estimated Time 25 minutes)

Primarily substantive
Item
approach
a. Obtaining and
documenting
the understanding

Lower assessed level of

control risk approach

Less extensive, focusing on

four of the five components
(control procedures may not be
relevant)
The auditor will usually
consider the evidence about
operating effectiveness while
obtained while understanding
internal controls.

More extensive with coverage of all

five components

c. Making an initial
assessment
of control risk

Performed based on evidence

obtained while understanding
internal controls.

d. Performing
additional or
planned tests of
controls
e. Making a final
assessment of
control risk
f. Documenting the
control risk
assessment

Not usually performed under

this strategy

The initial assessment based on

evidence obtained while
understanding internal controls will
probably will not support a low
control risk assessment.
Additional evidence is needed to
support lower assessed level of
control risk

b. Performing
concurrent tests of
controls

Designing substantive
tests

Same as initial assessment

under this strategy.

Done after completing

additional or planned tests of controls

If control risk is at the

maximum, only this conclusion
needs to be documented. If
below the maximum, the basis
for the conclusion must also be
documented.
Tests must be designed for a
high level of substantive tests
and low level of detection risk.

If below the maximum, both the

conclusion and the basis for the
conclusion must be documented.

11.24. (Estimated time: 35 minutes)

Category of
General Controls
Possible Misstatement
1. Organization and
operation
2. Access
3. Hardware and
systems software
4. Data and
procedural
5. Data and

The auditor will usually consider the

evidence about operating
effectiveness while obtained while
understanding internal controls.

Computer operators may modify

programs to bypass program
controls.
Unauthorized users may gain access
to computer equipment.
Unauthorized changes in systems
software may result in processing
errors.
Continuity of operations may be
disrupted by a disaster.
Errors may be made in inputting,

Tests should be designed for a low

level of substantive tests and a
moderate or high level of detection
risk.

Possible Test of Controls

Observe segregation of duties
within IT.
Inspect segregation of duties
within IT.
Examine evidence of approval and
documentation of changes.
Examine contingency plan.
Observe operation of data control

Category of
General Controls

Possible Misstatement

Possible Test of Controls

procedural
6. Organization and
operation
7. Systems
development and
documentation

processing, or outputting or data.

IT personnel may initiate and
process unauthorized transactions.
Unauthorized program changes may
result in unanticipated processing
errors.

8. Access

Data files and programs may be

processed or altered by
unauthorized users.

group.
Observe segregation of duties
between user departments and IT.
Examine evidence of
independent check of proper
authorization, testing, and
documentation.
Use of a library, librarian, and logs
to restrict access and
monitor usage.

9. Hardware and
systems software
10. Systems
Development and
documentation
11. Organization and
operation
12. Data and
procedural

Equipment malfunctions may result

in processing errors.
Systems designs may not meet the
needs of user departments or
auditors.
IT personnel may process
unauthorized transactions.
Data files and programs may be
lost.

11-25 (Estimated Time: 30 minutes)

a. Potential
b. Computer or
Misstatements
manual
control
1.

Bank balance per books

may not agree with
balance per bank

Manual

2.

Checks may not be

recorded.

Computer and
manual follow-up.

3.

Vendor may be paid

twice from supporting
documentation.
Unused checks may be
stolen.
An issued check may not
be accounted for.

Manual.

Classification errors may

be made in journalizing.
Check amounts may be
altered.

Manual

4.
5.

6.
7.

Manual.
Computer

Computer or
check protection
machine.

Examine hardware and systems

software specifications.
Examine evidence for approval
of new systems.
Observe segregation of duties
between user departments and IT.
Examine storage facilities.

c. Possible test of controls

Inspect bank reconciliations and test
accuracy on a sample basis. Note who
prepared the reconciliation and when the
reconciliation was prepared.
Test computer control generating the daily
check summary with CAATs. Inspect daily
check summaries and determine
effectiveness of manual follow-up.
Inspect supporting documents for evidence
of cancellation.
Observe physical controls over unused
checks.
Test computer program listing gaps in check
sequence and inspect manual follow-up
procedures to determine that gaps in
sequence are adequately explained and there
are no duplicate check numbers.
Inquire of supervisor about classifications
and inspect evidence of supervisory review.
Observe use of check protection device;
inspect checks for imprinted amounts.

8.
9.

a. Potential
Misstatements

b. Computer or
manual
control

c. Possible test of controls

Posting errors could be

made.
An issued check may not
be journalized.

Manual

Observe segregation of duties.

Computer and
manual follow-up.

Test computer control generating the daily

check summary with CAATs. Compare
daily check summaries and check register
entries and determine effectiveness of
manual follow-up.

11-26. (Estimated Time 35 minutes)

a. Potential
Misstatements
1

Sales may be made to

customers who cannot
pay.

b. Computer or
manual
control
Both manual and
computer

Goods might be shipped

to unauthorized
customers
Sales may not be
recorded
Revenue may be
recognized before goods
are shipped.
Sales may be recorded in
wrong amounts
Sales may be recorded in
the wrong accounting
period.
Sales may be billed to
the wrong customer

Manual

Various errors may

occur in the process of
recording sales

Manual

The company can

systematically recognize
revenue in the wrong
accounting period.
The company may under
or over provide for
doubtful accounts.

Manual

3
4
5
6
7

10

Computer
Computer
Computer
Computer
Computer

Manual

c. Possible test of controls

Test manual controls over credit checking
credit history with inquiry, observation, and
inspection of documents.
Submit test data for a sale that exceeds the
customers credit limit.
Observe segregation of duties
Submit test data where shipments exceed
recorded sales.
Submit test data for recorded sales that are
not supported by shipments.
Submit test data for sales invoices that do
not match underlying quantities or prices.
Submit test data to record sales invoices in a
period other than when goods are shipped.
Submit test data to record sales invoices for
customers other than the customer to whom
goods were shipped.
Review notes made by management on
weekly sales reports and determine the
extent of management follow-up of errors
noted.
Review the minutes of a disclosure
committee and make inquires of disclosure
committee members as to their review of
revenue recognition policies.
Reperform controls over the process of
estimating the provision for doubtful
accounts.

11-27 (Estimate Time: - 30 minutes)

a. Control Function
b. Control Procedure
1. Input

Online edit checks..

2. Output

Reconciliation of totals by data

control group and user
departments.
Use of limit and reasonableness
checks.

3. Processing

4. Processing
5. Output

6. Input
7. Processing

Use of external and internal file

labels.
Use of report distribution control
sheets.
or
Use of passwords to limit access
to data and report writing
capabilities.
Use of error logs; return to user
department for correction.
Use of control totals.

8 Input

Use of password to limit access to

user by departments.

9. Input

Follow-up by data control group.

c. Possible Test of Controls

Test edit routine with CAATs and
observe responses to on-line edit
messages.
Examine evidence of
reconciliations performed.
Test limit and reasonableness tests
with CAATs and observe and
inspect evidence of manual followup procedures.
Observe use of external file labels.
Inspect distribution control sheets.
or
Observe control over passwords
and test effectiveness in limiting
access to data files.
Inspect logs and evidence of user
correction of data.
Examine evidence of control total
reconciliations.
Observe control over passwords
and test effectiveness in limiting
access to data files.
Inspect evidence of follow-up by
data control group

11-28 (Estimated Time 20 minutes)

1.
2.
3.
4.
5.
6.
7.
8.

Control
Computer generates prenumbered control over requisitions and purchase orders
and checks numerical sequence.
Computer compares account distribution on the voucher with account
distribution on purchase requisition or purchase order.
Computer checks batch totals and run-to-run totals to ensure that all
transactions are processed.
Computer match of voucher information regarding vendor, type of good,
quantity of goods, and dollar amount against authorized purchase order and
receiving report.
Computer checks for a valid purchase order in order to initiate receiving report.
Computer verification of employee authorization code to enter requisition or
purchase order.
Computer performs limit test on requisitions and purchase orders. Necessary
approvals tied to limit test.
Computer checks the mathematical accuracy of the voucher and supporting
documents.

Assertion
Completeness
Presentation and disclosure
Completeness
Valuation and allocation
Existence and occurrence
Existence and occurrence
Valuation and allocation
Valuation and allocation

9. Computer compares vendor on purchase order to master vendor file.

10. Computer checks for goods ordered and not received within a reasonable
period of time.
11. Computer checks for goods received but not recorded as a liability within a
reasonable period of time. In the case of services, the computer check for
services ordered but not recorded as a liability within a reasonable period of
time.
12. Computer compares accounting period in which the voucher is recorded with
the accounting period received.
13. Computer checks the mathematical accuracy of the voucher and supporting
documents.
14. Computer compares sum of subsidiary ledger accounts with general ledger
control account.

Existence and occurrence

Completeness
Completeness

Existence and occurrence or

Completeness
Valuation and allocation
Valuation and allocation

11-29. (Estimated Time 30 minutes)

a.
Auditing "around" the computer generally refers to examinations of transactions
in which a representative sample of transactions is traced from the original source
documents, perhaps through existing intermediate records in hard copy, to output
reports or records, or from reports back to source documents. Little or no attempt
is made to audit the computer program or procedures employed by the computer
to process the data. This audit approach is based on the premise that the method of
processing data is irrelevant as long as the results can be traced back to the input
of data and the input can be validated. If the sample of transactions has been
handled correctly, then the system outputs can be considered to be correct within a
satisfactory degree of confidence.
The auditor might also audit around the computer when testing manual controls
over computer output. If such controls are effective, the auditor can test these
controls directly rather than testing computer application controls.
b.

c.

The CPA would decide to audit "through" the computer instead of "around" the
computer (1) when the computer applications become complex, or (2) when
transaction trails become partly obscured and external evidence is not available.
Auditing "around" the computer would be inappropriate and inefficient in the
examination of transactions when the major portion of the system of internal
control is embodied in the IT system. Auditing "around" the computer will also be
ineffective if the sample of transactions selected for auditing does not cover
unusual transactions that require special treatment.
1.

Test data usually represent a full range of simulated transactions, some of

which may be erroneous, to test the effectiveness of the programmed
controls in identifying misstatements and to ascertain how transactions
would be handled (accepted or rejected). The auditor also wants to
determine, if accepted, the effect they would have on the accumulated
accounting data and, if rejected, the output that is generated for manual
follow-up.

2.

d.

The auditor may use test data to gain a better understanding of what the
data processing system does, and to check its conformity to desired
objectives. Test data may be used to test the accuracy of programming by
comparing computer results with results predetermined manually. Test
data may also be used to determine whether or not errors can occur
without observation and thus test the application's ability to detect
noncompliance with prescribed procedures and methods. Assurance is
provided by the fact that if one transaction of a given type passes a test,
then all transactions containing the identical test characteristics will-if the
appropriate control features are functioning--pass the same test.
Accordingly, the volume of test transactions of a given type is not
important. However, the auditor does need to test computer general
controls to gain assurance that the program operates consistently over
time.

In addition to actually observing the processing of data by the client, the auditor
can be satisfied that the computer programs presented are actually being used by
the client to process its accounting data by requesting the program on a surprise
basis from the IT librarian and using it to process a test data.

The CPA may also request on a surprise basis that the program be left in the computer at the
completion of processing so that he or she may use the program to process test data. This
procedure may reveal computer operator intervention, as well as assuring that a current version
of the program is being tested. This is an especially important consideration in newly organized
computer systems undergoing many program changes. To gain further assurance about this
matter, the CPA should inquire into the client's procedures and controls for making program
changes and erasing superseded programs, and should examine logs showing programs used
when available.
11-30. (Estimated Time 30 minutes)
a.

The internal controls pertaining to input of information that should be in effect

because an on-line / real-time computer processing system is employed should
include:
A self-checking digit or some other redundant check should be used with
every account number to prevent an entry to a wrong account.
A daily record of all transaction inputs from each input terminal should be
produced as a by-product of the computer processing so as to provide this
supplemental record.
IT personnel should not initiate inputs to the computer (except for testing
purposes) so that a proper segregation of duties is maintained. Any testing
should be done after regular processing is completed and should be recorded
in the computer log.
The internal audit staff should not initiate input because they would be
checking their own work.


b.

Computer file security should be provided to assure that entries are not made
to the accounts except during normal processing periods.

The internal controls which should be in effect pertaining to matters other than
information input are as follows:
Account balances should be backed-up or printed at regular intervals to
provide for record reconstruction and testing.
Limit tests should be included in the computer program to permit ready
identification of obvious exceptions, e.g., a withdrawal from an account
should not exceed the balance on deposit in the account.
The internal audit staff should have the responsibility for testing accounts and
transactions and checking error listings. Adjustments to the accounts proposed
by the internal audit staff should first be approved by a responsible official
and then be recorded in the normal manner so as to provide proper segregation
of work.
Account balance printouts and transaction records necessary to reconstruct the
accounts should be maintained in a separate location from the computer file
storage as a precaution against simultaneous destruction.
There should be provision for continued operation to avoid a time loss in case
of computer failure, e.g., each terminal should have mechanical registers in
addition to the computer's electronic registers.
Security should be provided at each terminal to assure that certain operations
could be initiated only by authorized personnel.
Back-up / auxiliary power source to allow orderly shutdown in the event of a
loss of electrical power.

11-31. (Estimated time - 20 minutes)

To determine detection risk for an account balance assertion, the auditor should determine a
combined control risk assessment for the assertion by considering the control risk assessments
for relevant assertions pertaining to the transaction classes that affect (increase or decrease) the
account balance. The appropriate relationships are shown in the following tabulation.

Account
Cash
Accounts
receivable
Accounts
payable
Sales

(1)

Transaction Class That

Increases
Decreases
Account
Account
Cash receipts
Cash
disbursements
Credit sales
Cash receipts &
Sales Adjustments
Purchases
Cash
disbursements and
Purchase Returns
Credit Sales

Account Balance Control Risk Assessment

Existence or
Completeness
Valuation or
occurrence
Allocation
Low (1)
Moderate (5)
Low (9)
Moderate (2)

Low (6)

Moderate (10)

Low (3)

Low (7)

Low (11)

Low (4)

Low (8)

Low (12)

This is the most conservative of the control risk assessments for occurrence of cash receipts
(low) and the completeness of cash disbursements (low).

(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(10)
(11)
(12)

This is the most conservative of the control risk assessments for occurrence of credit sales
(low), the completeness of cash receipts (moderate), and the completeness of sales returns
and allowances (moderate).
This is the most conservative of the control risk assessments for occurrence of purchases
(low), the completeness of cash disbursements (low), and the completeness of purchase
returns (moderate).
This is just the control risk assessment for the occurrence of credit sales (low).
This is the most conservative of the control risk assessments for the completeness of cash
receipts (moderate), and the occurrence of cash disbursements (low).
This is the most conservative of the control risk assessments for the completeness of credit
sales (low), the occurrence of cash receipts (low) and the occurrence of sales returns and
allowance (low).
This is the most conservative of the control risk assessments for the completeness of
purchases (low), the occurrence of cash disbursements (low) and the occurrence of purchase
returns (low).
This is just the control risk assessment for the completeness of credit sales (low).
This is the most conservative combination of the valuation or allocation assertions for cash
receipts (low) and cash disbursements (low).
This is the most conservative combination of the valuation or allocation assertions for credit
sales (low), cash receipts (low), and sales returns (moderate).
This is the most conservative combination of the valuation or allocation assertions for
purchases (low), cash disbursements (low), and purchases returns (low).
This is just the control risk assessment for the valuation of credit sales (low).

Cases
11-32. (Estimated Time - 50 minutes)
a.

Controller

DP Manager

Data Entry

System Analysis

Programming; Operations

b.
1.

2.

Weakness
Organization and operation
The EDP manager reports to a significant
user department.
There is improper segregation of
functions between programming and
computer operations.
There is no data control group.
Systems development and
documentation controls
Program documentation is inadequate.
An operator's manual is not provided.
Operators can change programs.
User department is not involved in the
design or approval of new systems.
Undocumented "patch" changes are
made in programs by a programmer.

3.

4.

4.

Hardware controls and systems software

controls
There is no mention of the existence of
these controls.
Access Controls
EDP department is located above an
explosive chemical department.
Information on program and data tape
files is stored in machine room.
Too many people are permitted in the
machine room.
Operators have unlimited access to data,
files, etc.

5.

Data and procedural controls

Operators are not properly supervised
and their work is not reviewed.
Operators can make changes in operating

Recommended Improvement
EDP manager should report to president or
some other nonuser officer.
Programming and computer operations
should be separated.
A data control group should be established.

All programs should be fully documented.

An operator's manual should be provided to
facilitate the running of computer programs.
Only programmers should be able to change
programs.
User department representatives should be
included in system design, and system
specifications should be reviewed and
approved by user department.
All program changes should be documented
and approved by the EDP manager or a
designated supervisor.

Essential hardware controls such as dual

read, parity check, echo check, and read after
write should be installed.
EDP should have separate facilities with
special protection against theft, vandalism,
and possible disasters.
Such information should be stored in a
locked and fireproof library with restricted
access.
Only authorized operators and supervisory
personnel should be allowed into the
machine room, which should be locked at all
times.
Operators should only have restricted access
to tape files, programs, and operating
instructions.
Console sheets should be reviewed and a log
of machine activity should be maintained.
Changes in operating procedures should be

b.

Weakness
procedures when they encounter
difficulties.
No back-up equipment is provided.
There is no definite retention plan.
There is no provision for a data control
group to monitor EDP activity.

6.

Input Controls
There apparently are no controls over
input data.
No mention is made of controls over
conversion of input data into machinereadable form.
No provision seems to be made for
resubmission of incorrect data.

7.

Processing Controls
Tapes are not adequately labeled.
No provision appears to be made for
control totals and limit and
reasonableness tests.

8.

Output Controls
There is no control
over the distribution
of output.
A report distribution sheet is not
maintained.

Recommended Improvement
approved by a supervisor or the EDP
manager.
Back-up equipment should be provided at
another location and the capability of such
equipment should be tested periodically.
A definite plan, such as the grandfatherfather-son, should be implemented.
A data control group should be established.

A data control group should control input

data through review of data and control
totals.
There should be computer editing and
verification.
Error logs should be kept and there should be
prompt follow-up of incorrect data.
File identification labels should be used on
all files.
Provision should be made for these controls.

The data control group should review and

control the distribution of output to users.
Some type of a report distribution sheet
should be kept.

11-33. See separate file with answers to the comprehensive case related to the audit of Mt. Hood
Furniture that is included with this chapter.

Professional Simulation
Research
Situation

Internal
Control
Deficiencies

Communication

With respect to understand computer controls AU 319.43 reads as follows:

.43 The auditor should obtain an understanding of how IT affects control activities that are
relevant to planning the audit. Some entities and auditors may view the IT control activities in
terms of application controls and general controls. Application controls apply to the processing
of individual applications. Accordingly, application controls relate to the use of IT to initiate,
record, process, and report transactions or other financial data. These controls help ensure that
transactions occurred, are authorized, and are completely and accurately recorded and processed.
Examples include edit checks of input data, numerical sequence checks, and manual follow-up of
exception reports.
The most extensive discussion of computer general control relates to designing tests of controls.
AU 310.74, .77-.79 reads as follows:
.74
General controls relate to many applications and support the effective functioning of
application controls by helping to ensure the continued proper operation of information systems.
The auditor should consider the need to identify not only application controls directly related to
one or more assertions, but also relevant general controls.
.77
In designing tests of automated controls, the auditor should consider the need to obtain
evidence supporting the effective operation of controls directly related to the assertions as well as
other indirect controls on which these controls depend. For example, the auditor may identify a
user review of an exception report of credit sales over a customers authorized credit limit as a
direct control related to an assertion. In such cases, the auditor should consider the effectiveness
of the user review of the report and also the controls related to the accuracy of the information in
the report (for example, the general controls).
.78
Because of the inherent consistency of IT processing, the auditor may be able to reduce
the extent of testing of an automated control. For example, a programmed application control
should function consistently unless the program (including the tables, files, or other permanent
data used by the program) is changed. Once the auditor determines that an automated control is
functioning as intended (which could be done at the time the control is initially implemented or
at some other date), the auditor should consider performing tests to determine that the control
continues to function effectively. Such tests might include determining that changes to the

program are not made without being subject to the appropriate program change controls, that the
authorized version of the program is used for processing transactions, and that other relevant
general controls are effective. Such tests also might include determining that changes to the
programs have not been made, as may be the case when the entity uses packaged software
applications without modifying or maintaining them.
.79
To test automated controls, the auditor may need to use techniques that are different from
those used to test manual controls. For example, computer-assisted audit techniques may be used
to test automated controls or data related to assertions. Also, the auditor may use other automated
tools or reports produced by IT to test the operating effectiveness of general controls, such as
program change controls, access controls, and system software controls. The auditor should
consider whether specialized skills are needed to design and perform such tests of controls.
Internal
Control
Deficiencies
Situation

Research

Communication

What is the auditors responsibility for identifying significant deficiencies in internal control as
part of a financial statement audit? Compare and contrast the likelihood that the auditor will
identify significant deficiencies in audit areas where the auditor follows a lower assessed level of
control risk approach vs. audit areas where you follow a primarily substantive approach.
[Authors Note: This question requires that students not only read the professional standards but
apply them to a particular setting. The professional standards to not specifically address various
audit strategies. In this question the student must interpret and apply his or her understanding of
the professional standards to two differing audit strategies.]
AU 325.04 states that the auditor's objective in an audit of financial statements is to form an
opinion on the entity's financial statements taken as a whole. The auditor is not obligated to
search for reportable conditions. However, the auditor may become aware of possible reportable
conditions through consideration of the components of internal control, application of audit
procedures to balances and transactions, or otherwise during the course of the audit. The auditor's
awareness of reportable conditions varies with each audit and is influenced by the nature, timing,
and extent of audit procedures and numerous other factors, such as an entity's size, its
complexity, and the nature and diversity of its business activities.
If the auditor is planning a lower assessed level of control risk approach the auditor will probably
obtain a more in depth understanding of control activities and the auditor will perform tests of
the operating effectiveness of various control activities. As a result, more information may come
to the auditors attention about the significant deficiencies in the operating effectiveness of
various aspects of the system of internal control.
If the auditor is planning a primarily substantive approach, the auditor may not study the system
of internal control in the same depth, particularly with respect to control activities. However, the

auditor still needs a sufficient understanding of the design of the system to plan the audit. This
will usually include some level of system walk through. This process will often identify
deficiencies in the design of the system of internal control. Further, the auditors substantive
tests may reveal misstatements in the accounting records. These tests may also lead the audit to
discover significant deficiencies in the system of internal control.
However, under these two audit approaches, the nature, timing and extent of the audit procedures
differ. As a result, the likelihood of significant deficiencies coming to the auditors attention may
also differ particularly when the auditor has not tested the operating effectiveness of the system
of internal control (e.g., when following a primarily substantive approach).

Communication
Situation

Research

Internal
Control
Deficiencies

Date
George Alpha
Alpha Corporation
Address
Dear Mr. Alpha,
In planning and performing our audit of the financial statements of the Alpha Corporation for the
year ended December 31, 20XX, we considered its internal control in order to determine our
auditing procedures for the purpose of expressing our opinion on the financial statements and not
to provide assurance on the internal control. However, we noted certain matters involving the
internal control and its operation that we consider to be reportable conditions under standards
established by the American Institute of Certified Public Accountants. Reportable conditions
involve matters coming to our attention relating to significant deficiencies in the design or
operation of the internal control that, in our judgment, could adversely affect the organization's
ability to initiate, record, process, and report financial data consistent with the assertions of
management in the financial statements.
Expenditures and Accounts Payable
Issue
As part of a strong system of internal control there should be appropriate systems to ensure that
all goods ordered are received, and that liabilities are recorded in the correct accounting period
for all goods received. This ensures that all appropriate liabilities are recorded.
Findings

When performing a system walk through we did not find controls to ensure that all goods
ordered are received, or that goods received are recorded as accounts payable in the proper
period.
Recommendation
We suggest that the company establish internal controls to ensure that liabilities are recorded for
all goods received. For example, you can have the following controls programmed into the new
automated system for expenditures.

A report should be generated on a regular basis of all purchase orders that have not yet
been matched with a receiving report. Someone who will use the goods ordered should
regularly follow-up on these items that appear on these reports to determine why ordered
goods are not received.

A reports should be generated on a regular basis of all receiving reports that have not yet
been matched with a voucher. Someone in the accounts payable area should follow-up
on items that appear on this report to ensure that all payables are recorded on a timely
basis.
This report is intended solely for the information and the use of the owners, management, and
others within Alpha Corporation and is not intended to be and should not be used by anyone
other than these specified parties.
Sincerely,
Signature