Tip:
Highlight text to annotate it
X
0:00:08.000,0:00:16.000
In this video, we will continue our discussion of
what how an auditor jusitifies their reliance on
internal controls by testing them.
0:00:16.000,0:00:27.000
The methods we can use to test controls vary.
Inquiry of client personnel is one possible way to
test a control,
0:00:27.000,0:00:31.033
but it’s generally not a very strong source of
audit evidence.
0:00:31.033,0:00:38.033
Inspecting documents and records along the
audit trail for evidence of performance of the
internal control procedure...
0:00:38.033,0:00:41.000
is a much stronger source of evidence.
0:00:41.000,0:00:47.066
Keep in mind that with a test of control, we are
looking for evidence that the control procedure
has been performed.
0:00:47.066,0:00:50.033
We are not trying to substantiate a balance or
an amount per se.
0:00:50.033,0:00:58.066
So if the key control is that a payables clerk
matches a receiving report, a purchase order
and a purchase invoice...
0:00:58.066,0:01:07.000
prior to preparing the payment, then we would
be looking at a sample of these documents
looking for h evidence of the three way match.
0:01:07.000,0:01:11.066
A third way to test controls is to observe the
control activity be performed.
0:01:11.066,0:01:18.033
If a control is undocumented and there is no
evidence, this may be the only way we can test
it.
0:01:18.033,0:01:24.033
However, it harder to verify that the control
operated throughout the period using this
method.
0:01:24.033,0:01:31.000
Test data is a way of testing computer controls
by feeding dummy data into the computer
system,
0:01:31.000,0:01:37.066
and ensuring that it processes the data
according to the controls documentation
gathered.
0:01:37.066,0:01:42.000
And lastly, we can reperform the client’s control
procedures.
0:01:42.000,0:01:50.000
In our earlier example of the three way match,
we may look for evidence such as a stamp on
the invoice indicating that the clerk...
0:01:50.000,0:01:55.000
performed the three way match was done;
however, using the reperformance method,
0:01:55.000,0:01:58.066
we can reperform the three way match
ourselves.
0:01:58.066,0:02:04.000
The extent of tests of the client's internal
controls depends on the our assessment of
control risk.
0:02:04.000,0:02:07.000
The lower this assessment, the greater the
reliance,
0:02:07.000,0:02:13.033
and the greater the amount of testing and
evidence required to support that reliance.
0:02:13.033,0:02:14.000
Make sense?
0:02:14.000,0:02:18.066
The results of our control testing are fed back
into our risk assessment.
0:02:18.066,0:02:26.000
If the tests support our initial assessment we
continue executing the audit plan as scripted.
0:02:26.000,0:02:33.066
However, if the tests do not support the control
risk assessment, then we will need to circle
back and reformulate our audit approach.
0:02:33.066,0:02:37.000
When this happens, there is often a deficiency
in the internal controls noted.
0:02:37.000,0:02:41.033
Our first step might be to consider whether a
compensating control exists.
0:02:41.033,0:02:47.066
A compensating control is another control that
exists elsewhere in the process that offsets the
weakness.
0:02:47.066,0:02:52.000
If there is not compensating control and we
legitimately have a control gap,
0:02:52.000,0:02:56.033
we will document the weakness on a separate
working paper.
0:02:56.033,0:03:03.000
This working paper will discuss the potential
misstatement that can arise, and any effects on
collection of substantive evidence.
0:03:03.000,0:03:07.000
This is often referred to as a control matrix
working paper.
0:03:07.000,0:03:16.000
Significant internal control deficiencies are
communicated in an internal control letter to the
audit committee or its equivalent in the company
0:03:16.000,0:03:20.066
Management letters are a similar
communication;
0:03:20.066,0:03:27.066
however, the control deficiencies identified and
discussed are less significant,
0:03:27.066,0:03:31.000
and would be communicated to management to
point out areas for improvement.
0:03:31.000,0:03:38.066
The common way of communicating deficiencies
is to identify the deficiency, talk about the
implication,
0:03:38.066,0:03:40.000
and then propose a recommendation to close
the gap.
0:03:40.000,0:03:43.000
So there you have it.
0:03:43.000,0:03:45.033
What you need to do before you can rely on
internal controls.
0:03:45.033,0:03:49.066
Now a couple of finishing points before we close
off this lesson.
0:03:49.066,0:03:55.033
First, sometimes we will purposely assess
control risk at maximum for efficiency purposes.
0:03:55.033,0:04:05.000
For example, if a balance or a transaction cycle
can be more easily audited using a substantive
procedure than testing controls,
0:04:05.000,0:04:08.033
then we can limit our work on internal controls to
gaining an understanding.
0:04:08.033,0:04:11.000
We then immediately move into the substantive
procedures.
0:04:11.000,0:04:22.033
And finally, let’s put a bow around this whole
group of lessons by reviewing the overall
approaches to an audit,
0:04:22.033,0:04:26.066
of which there are two- a combined or a
substantive approach.
0:04:26.066,0:04:32.066
Under both approaches we need to obrtain an
understanding the control environment and
0:04:32.066,0:04:38.066
system of internal controls to enable us to make
our assessment of control risk.
0:04:38.066,0:04:42.033
This is done on an overall basis and also on a
transactional cycle basis.
0:04:42.033,0:04:47.066
Under a combined approach, we believe there
are efficiencies to be gained by relying on the
strength
0:04:47.066,0:04:51.000
of the client’s system of internal controls.
0:04:51.000,0:04:55.000
If this is our approach, we must test the controls
to support our reliance.
0:04:55.000,0:05:01.066
The results of our tests of control may or may
not impact the rest of the audit depending on the
results of our findings.
0:05:01.066,0:05:12.033
Then we move on to do substantive audit
procedures, which would hope would be
generally less because of our reliance on control
0:05:12.033,0:05:17.033
Under the substantive approach, we assess
control risk as maximum.
0:05:17.033,0:05:20.066
This takes us right into the substantive audit
procedures,
0:05:20.066,0:05:25.033
which will generally be greater than had we done
more work on the internal controls.
0:05:25.033,0:05:31.066
It has taken a while to get to this point in the
course where you begin to see how all the
pieces of the audit fit together.
0:05:31.066,0:05:35.033
This won’t be the last time we review the
different audit approaches,
0:05:35.033,0:05:39.066
so if your understanding is still a bit fuzzy, hang
in there and remember…
0:05:39.066
Don’t stop until you get to the top and when you
get to the top, don’t stop.