Phase III is relevant for integrated audits and for financial statement audits where the auditor wants to rely on controls as part of the evidence about the reasonableness of account balances and disclosures (in other words, a controls reliance audit). In an integrated audit, the auditor needs to opine on internal control effectiveness—including operating effectiveness—as of the client’s year end. However, if the auditor wants to rely on controls as part of the audit evi- dence about account balances for the financial statement audit, the auditor needs to know whether controls were operating effectively throughout the year. To determine whether controls are operating effectively—at either year- end (for the internal control opinion) or throughout the year (for the financial statement opinion)—the auditor tests controls that are important to the con- clusion about whether the organization’s controls adequately address the risk of material misstatement. There is no need to test every control related to a relevant assertion; the auditor tests only those controls that are most important in reducing the risk.
In Phase II, the auditor performs procedures to assess the design effec- tiveness and implementation of controls. In Phase III, the auditor tests the operating effectiveness of controls, which is different from what was done in Phase II. However, as noted in the Auditing in Practice feature, “Risk Assessment Procedures and Tests of Operating Effectiveness of Controls,”
the risk assessment procedures might provide some evidence on the operat- ing effectiveness of controls. The auditor tests the operating effectiveness of controls, determining whether the control is operating as designed and whether the person performing the control has the necessary authority and competence to perform the control effectively. In designing and performing tests of controls, the auditor should obtain more persuasive audit evidence as the reliance the auditor places on the effectiveness of a control increases.
A U D I T I N G I N P R A C T I C E
Risk Assessment Procedures and Tests of Operating Effectivness of Controls
Although risk assessment procedures performed dur- ing Phase II may not have been specifically designed as tests of controls, they may still provide audit evidence about the operating effectiveness of the controls. In such cases, these procedures might serve as appropri- ate tests of controls. For example, the auditor’s risk assessment procedures may include the following:
● Inquiring about management’s use of budgets
● Inspecting documentation of management’s comparison of monthly budgeted and actual expenses
● Inspecting reports pertaining to the investigation of variances between budgeted and actual amounts These audit procedures provide knowledge about the design of the entity’s budgeting policies and whether they have been implemented. However, these proce- dures also may provide audit evidence about the effec- tiveness of the operation of budgeting policies in preventing, or detecting and correcting, material mis- statements in the classification of expenses. To the extent possible, the auditor should look for ways such as this to improve audit efficiency.
LO10 Identify audit activities in Phase III of the audit opinion formulation process.
The Audit Opinion Formulation Process 175
Selecting Controls to Test
The auditor selects controls that are important to the conclusion about whether the organization’s controls adequately address the assessed risk of material misstatement for relevant assertions. The auditor selects both entity-wide and transaction controls for testing. The selection of control activities to be tested will depend, in part, on the results of testing the selected entity-wide controls. Effective entity-wide controls may reduce the number of control activities selected for testing. Overall, risks associated with significant accounts, disclosures, and their relevant assertions should lead to the identification of important controls that need to be tested.
In determining which controls to select for testing, the auditor should explicitly link controls and assertions. Exhibit 5.9 links the assertions of existence, completeness, and valuation to possible controls that the auditor may test.
Performing Tests of Controls
To obtain evidence about whether a control is operating effectively, the auditor directly tests the control in operation. The following tests of controls are pre- sented in the order of their rigor, from least to most rigorous: inquiry, observa- tion, inspection of relevant documentation, and reperformance of a control.
Also note that inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a control. The type of audit procedure used varies with the process, the materiality of the account balance, and the control. For example, computerized edit controls built into a computer applica- tion could be tested by submitting test transactions. For manual controls, such as authorizations, the auditor might select a number of transactions to deter- mine if there is documented evidence that proper authorization has taken place.
For the reconciliation of shipments with recorded sales, the auditor could select a number of daily sales and review documentation to determine whether the reconciliations were performed appropriately. Or if a more rigorous test was needed because of the materiality of the account related to the reconciliation, the auditor may choose to reperform the reconciliation.
In selecting approaches to test control, there are several concepts that are important to consider. These concepts relate to testing various types of con- trols, including computerized controls, manual controls, controls over adjust- ing entries, and controls over accounting estimates. Exhibit 5.10 provides examples of important concepts and indicates possible tests of controls.
E X H I B I T 5.9 Linking Financial Statement Assertions and Selecting
Controls to Test
Financial Statement Assertion Examples of Controls That Might Be Selected for Testing
Existence/Occurrence ● Shipments recorded are reconciled with shipping documents daily.
● Items cannot be recorded without underlying source documents and approvals.
Completeness ● Prenumbered shipping documents are used and reconciled with shipments recorded daily.
● A list of cash receipts is developed when cash is collected and is reconciled with cash deposits and the debit to cash daily.
Valuation/Allocation ● Preauthorized sales prices are entered into the computer pricing table by authorized individuals.
● Sales prices can be overridden only on the authorization of key management personnel. A record of overrides is documented and independently reviewed by management, internal audit, or other parties performing control analysis.
E X H I B I T 5.10 Types of Controls and Examples of Concepts Affecting Control Testing
Types of Controls Concepts Affecting Control Testing and Possible Tests of Controls Computerized
Controls
Concept:Determine whether there have been changes to important computer applications during the year.
● Determine if there are changes in the computer program. If there are, test the integrity of the controls after the changes (inspection of relevant documentation and reperformance of control).
● Consider submitting test transactions through the system to determine that it is working properly (reperformance of control).
● Take a random sample of transactions and determine that (a) key controls are operating and (b) processing is complete (reperformance of control).
● Review exception reports to determine that (a) proper exceptions are being noted and that (b) exceptions go to authorized personnel and there is adequate follow-up for proper pro- cessing (inspection of relevant documentation).
Manual Controls Authorizations
Reconciliations
Reviews for unusual transactions
Concept:There should be documented evidence that a control is working. The auditor should take a sample of transactions to determine that there is evidence of the control’s operation.
● Take a sample of transactions and examine evidence supporting that the controls are working. For example, review a document or a computer printout indicating proper approval (inspection of relevant documentation).
● Take a sample of reconciliations to determine that (a) they were performed by an autho- rized person and that (b) they were performed properly (inspection of relevant documenta- tion, re-performance of control).
● Review documentation of selected transactions to determine whether they were properly autho- rized and recorded in the correct time period (inspection of relevant documentation).
● Take a sample of reports that management uses to identify unusual transactions. Review to determine (a) that they are used regularly and that (b) unusual items are identified and investigated further (inspection of relevant documentation).
Controls over Adjusting Entries
Concept:There should be documented evidence that there are controls over normal journal entries (such as depreciation) and that they are applied on a regular basis. All other adjusting entries should include documentation that spells out (a) the reason and support for the adjust- ment and (b) the authorization of the adjustment.
● Take a sample of adjusting entries and review to determine that (a) there is supporting docu- mentation for the entry, (b) the entry is appropriate, (c) the entry is made to the correct accounts, and (d) the entry was properly authorized (inspection of relevant documentation).
● Give special attention to significant entries made near year end (inquiry of management, inspection of relevant documentation).
Controls over Accounting Estimates
Concept:There should be documented evidence regarding the estimate. Further, the auditor should determine that controls are sufficient to ensure that (a) the estimate is made based on accurate data, (b) the process of making the estimate is performed consistently, and (c) the model is updated for changing economic or business conditions. For example, estimates of a health care liability should be updated for changes in the trend of health care costs and required employee deductibles and co-pays.
● Review the process, noting that:
● All entries are properly authorized (inspection of relevant documentation).
● There are controls to ensure that estimates are updated for current market or economic conditions (inquiry of management and inspection of relevant documentation).
● There is evidence that data used to make the estimates come from reliable sources (inquiry of management and inspection of relevant documentation).
The Audit Opinion Formulation Process 177
Example of Approaches to Testing Controls As an example of alter- native testing approaches, consider an important control in virtually every organization. That control is that the organization requires a credit review and specific approval for all customers that are granted credit, and the amount of credit for any one company is limited by customer policy which is based on financial health of the customer, past collection experience, and current credit rating of the customer. There are three approaches that an auditor might consider in testing the control:
1. Take a sample of customer orders and trace the customer orders
through the system to determine whether (a) there was proper review of credit and (b) credit authorization or denial was proper.
2. Take a sample of recorded items (accounts receivable) and trace back to the credit approval process to determine that it was performed
appropriately.
3. Use a computer audit program to read all accounts receivable and develop a print-out of all account balances that exceed their credit authorization.
Clearly, there are different costs and advantages associated with each of these three methods. The third method is dependent on proper input of the credit limits into the computer system. If there are no exceptions, the auditor could infer that the control is working even though the auditor did not directly test the con- trol. This approach is cost-effective, but it requires an inference about the control and covers only the operation of the controls related to the current account bal- ances. The first method is the most effective because it not only requires that the auditor look at documentary evidence, but that the auditor determine that the control did work effectively—it led to the correct conclusion, to either deny or provide credit. This method requires documentation of all credit applications and purchase orders and is based on audit sampling (not an examination of all transactions), whereas the third method was a 100% evaluation of each item cur- rently recorded. The second method (sample from recorded items) can provide evidence on whether there was proper credit approval for all items that are pres- ently recorded. However, it does not provide evidence as to whether other items should have been approved for credit, but had not been approved.
All three methods provide relevant evidence to the controls related to credit approval. Which one is the most appropriate? Auditors have to make decisions like this on every engagement. It seems trite to say “it depends,”
but the right choice does depend on the risk associated with the engagement, the auditor’s experience with the credit level set by the organization (in other words, the credit approval level seems appropriate), the auditor’s assessment of the control environment, the auditor’s assessment of the quality of con- trols surrounding the computer applications, and the overall cost of the audit procedure. If other controls are good and risk is low, the auditor will most likely use the third approach because (a) it is the least costly and (b) it tests 100% of the recorded population. The auditor might reason further that the major risk is overstatement of accounts receivable through bad credit. The auditor is not very concerned about customers who were turned down for credit; on the other hand, management, in its assessment, might prefer to test the control by sampling from all customer orders because they do not want valid customers to be turned down for credit.
While the auditor has various options when testing controls, an important point is that the auditor has to perform tests of controls if the auditor plans to rely on those controls for the financial statement audit.
Further, the auditor has to consider the results of tests of controls when designing substantive procedures. These points are highlighted in the Auditing in Practice feature, “The Need for Performing and Considering the Results of Tests of Controls.”
Testing the Operating Effectiveness of the Control Environment, Risk Assessment, Information and Communication, and Moni- toring Components Auditors are often most comfortable testing control activities. However, research continues to show that fraud and other misstate- ments in financial statements are often caused by control deficiencies in other control components—especially deficiencies in the control environment. Similar to management’s testing described in Chapter 3, the auditor tests the relevant principles of the components of control environment, risk assessment, informa- tion and communication and monitoring. For example, the auditor can test com- mitment to integrity and ethical values (Committee of Sponsoring Organizations, COSO, Principle 1) through first-hand knowledge of the client’s attitude toward
“pushing the accounting boundaries.”As part of testing the risk assessment com- ponent, the auditor might test COSO Principle 6 (“The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.”); this can be done by reviewing documentation of the organization’s objectives. In testing the information and communication com- ponent, the auditor might inquire of personnel and review relevant documenta- tion indicating how the organization internally communicates information, including objectives and responsibilities for internal control (COSO Principle 14). An important principle of the monitoring component is that the organization communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action (COSO Principle 17). Reviewing appro- priate documentation and inquiring of appropriate personnel could provide audit evidence on the extent to which this principle is operating effectively.
Considering the Results of Tests of Controls
The auditor considers the results of the tests of controls before finalizing deci- sions about substantive procedures. For the financial statement audit, there are two potential outcomes, with associated alternative courses of action:
1. If control deficiencies are identified, assess those deficiencies to determine whether the preliminary control risk assessment should be modified
A U D I T I N G I N P R A C T I C E
The Need for Performing and Considering the Results of Tests of Controls
The PCAOB performs periodic inspections of audit firms that conduct audits of public companies. Fol- lowing are excerpts from various firms’inspection reports, indicating that either the appropriate tests of controls had not been performed or the implications of the tests of controls were not reflected in the substantive procedures performed. A quality audit would require that such procedures be performed.
“The Firm failed to perform sufficient procedures to test the design and operating effectiveness of two important review controls on which it relied in evaluating internal controls over a number of significant accounts, including revenue, accounts receivable, inventory, and certain accruals.”
“Further, for some Level 3 financial instru- ments, the Firm concluded that it did not need to change the nature, timing, and extent of its procedures, notwithstanding certain issues that came to the Firm’s attention regarding controls related to the valuation of these instruments.”
“The Firm failed to sufficiently test controls over the issuer’s revenue recognition for certain revenue arrangements, as the Firm focused its testing on verifying that the control activity had occurred without evaluating its effectiveness, including its level of precision. Further, in cer- tain instances, the Firm performed procedures related to the issuer’s transaction processes but failed to test controls over those processes.”
The Audit Opinion Formulation Process 179
(should control risk be increased from low to high?), and document the implications for substantive procedures (should the nature, timing, and extent of substantive procedures be modified?).
2. If no control deficiencies are identified, assess whether the preliminary control risk assessment is still appropriate, determine the extent that controls can provide evidence on the accuracy of account balances, and determine planned substantive audit procedures. The level of substantive testing in this situation will be less than what is required in circum- stances where deficiencies in internal control were identified.
The results of the tests of controls will allow the auditor to determine how much assurance about the reliability of account balances can be obtained from the effective operation of controls. Using the previous analogy of accumulat- ing a box of evidence, the auditor needs to determine if evidence from tests of operating effectiveness of controls can be used to partially fill the evidence box. Organizations with strong internal controls should require less substan- tive testing of account balances since more assurance is being obtained from internal controls. Within any audit, that level of assurance will vary across accounts, disclosures, and assertions. Even if the auditor can fill a box with a lot of evidence from tests of controls, for most accounts the auditor also needs to add some evidence from substantive procedures to the box.
Additional Considerations for an Integrated Audit In an integrated audit, results of the tests of controls also have important implications for the auditor’s opinion on internal control over financial reporting. The auditor evaluates the severity of each identified control deficiency to determine whether the deficiencies, individually or in combination, are material weak- nesses. If any control deficiencies are severe enough to be considered mate- rial weaknesses, the auditor’s report on internal control should describe the material weaknesses and include an opinion indicating that internal control over financial reporting is not effective.
Summary of Audit Decisions Prior to Determining Substantive Procedures
The activities in Phases II and III of the audit opinion formulation process are important to determining the substantive procedures that need to be per- formed as a basis for the audit opinion on the financial statements.
Exhibit 5.11 provides a summary overview of important audit activi- ties and decisions leading up to the performance of substantive proce- dures. The process begins with the identification of significant account balances and disclosures and their relevant assertions. For most organiza- tions, the significant accounts and disclosures are obvious and include accounts such as revenue, cost of goods sold, inventory, receivables, and accounts payable. As part of identifying significant accounts and disclo- sures and their relevant assertions, the auditor identifies the types of risk that could cause a material misstatement to occur. The auditor should understand the controls that the client has implemented to address those risks of potential material misstatement. If the auditor plans to rely on those controls, the auditor should test their operating effectiveness. The results of these tests will influence the planned substantive procedures.
As an example, assume the auditor determines that a mid-sized public company has risk of material misstatement because the controller is not competent in addressing complex accounting issues. As a matter of policy, the company decided to mitigate the risks by (a) not engaging in complex business transactions and by (b) minimizing the percentage of management compensation that is directly attributed to reported profit. The auditor