Saturday, April 6, 2019

Control risk Essay Example for Free

The auditor obtains an understanding of the design and implementation of internal control to make a preliminary assessment of control risk as part of the auditor's overall assessment of the risk of material misstatements. The auditor uses this preliminary assessment of control risk to plan the audit for each material class of transactions. However, in some instances the auditor may learn that the control deficiencies are significant such that the client's financial statements may not be auditable. So, before making a preliminary assessment of control risk for each material class of transactions, the auditor must first decide whether the entity is auditable. Two primary factors determine auditability: the integrity of management and the adequacy of accounting records. If management lacks integrity, most auditors will not accept the engagement. The accounting records are an important source of audit evidence for most audit objectives. If the accounting records are deficient, necessary audit evidence may not be available. For example, if the client has not kept duplicate sales invoices and vendors' invoices, it is usually impractical to do an audit.
In complex IT environments, much of the transaction information is available only in electronic form without generating a visible audit trail of documents and records. In that case, the company is usually still auditable; however, auditors must assess whether they have the necessary skills to gather evidence that is in electronic form and can assign personnel with appropriate IT training and experience. After obtaining an understanding of internal control, the auditor makes a preliminary assessment of control risk as part of the auditor's overall assessment of the risk of material misstatement.
This assessment is a measure of the auditor's expectation that internal controls will prevent material misstatements from occurring or detect and correct them if they have occurred. The starting point for most auditors is the assessment of entity-level controls. By nature, entity-level controls, such as many of the elements contained in the control environment, risk assessment, and monitoring components, have an overarching impact on most major types of transactions in each transaction cycle.
For example, an ineffective board of directors or management's failure to have any process to identify, assess, or manage key risks has the potential to neutralize controls for most of the transaction-related audit objectives. Thus, auditors generally assess entity-level controls before assessing transaction-specific controls. Once auditors determine that entity-level controls are designed and placed in operation, they next make a preliminary assessment for each transaction-related audit objective for each major type of transaction in each transaction cycle.
For example, in the sales and collection cycle, the types of transactions usually involve sales, sales returns and allowances, cash receipts, and the provision for and write-off of uncollectible accounts. The auditor also makes the preliminary assessment for controls affecting audit objectives for balance sheet accounts and presentations. Many auditors use a control risk matrix to assist in the control risk assessment process at the transaction level. The purpose is to provide a convenient way to organize assessing control risk for each audit objective. Beyond the control risk matrix for transaction-related audit objectives, auditors use a similar control risk matrix format to assess control risk for balance-related and presentation and disclosure-related audit objectives.

Identify Audit Objectives

The first step in the assessment is to identify the audit objectives for classes of transactions, account balances, and presentation and disclosure to which the assessment applies. For example, this is done for classes of transactions by applying the specific transaction-related audit objectives introduced earlier, which were stated in general form, to each major type of transaction for the entity. For example, the auditor makes an assessment of the occurrence objective for sales and a separate assessment of the completeness objective.

Identify Existing Controls

Next, the auditor uses the information discussed in the previous section on obtaining and documenting an understanding of internal control to identify the controls that contribute to accomplishing transaction-related audit objectives. One way for the auditor to do this is to identify controls to satisfy each objective. For example, the auditor can use knowledge of the client's system to identify controls that are likely to prevent errors or fraud in the occurrence transaction-related audit objective. The same thing can be done for all other objectives. It is also helpful for the auditor to use the five control activities (separation of duties, proper authorization, adequate documents and records, physical control over assets and records, and independent checks on performance) as reminders of controls.
For example: Is there adequate separation of duties and how is it achieved? Are transactions properly authorized? Are prenumbered documents properly accounted for? Are key master files properly restricted from unauthorized access? The auditor should identify and include only those controls that are expected to have the greatest effect on meeting the transaction-related audit objectives. These are often called key controls.
The reason for including only key controls is that they will be sufficient to achieve the transaction-related audit objectives and also provide audit efficiency.

Associate Controls with Related Audit Objectives

Each control satisfies one or more related audit objectives. This can be seen for transaction-related audit objectives. The body of the matrix is used to show how each control contributes to the accomplishment of one or more transaction-related audit objectives. In this matrix, a C was entered in each cell where a control partially or fully satisfied an objective. A similar control risk matrix would be completed for balance-related and presentation and disclosure-related audit objectives.
For example, the mailing of statements to customers satisfies three objectives in the audit of Hillsburg Hardware, which is indicated by the placement of each C on the row.

Identify and Evaluate Control Deficiencies, Significant Deficiencies, and Material Weaknesses

Auditors must evaluate whether key controls are absent in the design of internal control over financial reporting as a part of evaluating control risk and the likelihood of financial statement misstatements. Auditing standards define three levels of the absence of internal controls: 1. Control deficiency. A control deficiency exists if the design or operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis in the normal course of performing their assigned functions. A design deficiency exists if a necessary control is missing or not properly designed. An operation deficiency exists if a well-designed control does not operate as designed or if the person performing the control is insufficiently qualified or authorized. 2.
Significant deficiency. A significant deficiency exists if one or more control deficiencies exist that is less severe than a material weakness (defined below), but important enough to merit attention by those responsible for oversight of the company's financial reporting. 3. Material weakness. A material weakness exists if a significant deficiency, by itself, or in combination with other significant deficiencies, results in a reasonable possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis.
To determine if a significant internal control deficiency or deficiencies are a material weakness, they must be evaluated along both dimensions: likelihood and significance. If there is more than a reasonable possibility (likelihood) that a material misstatement (significance) could result from the significant deficiency or deficiencies, then it is considered a material weakness. A five-step approach can be used to identify deficiencies, significant deficiencies, and material weaknesses.
1. Identify existing controls. Because deficiencies and material weaknesses are the absence of adequate controls, the auditor must first know which controls exist. The methods for identifying controls have already been discussed. 2. Identify the absence of key controls. Internal control questionnaires, flowcharts, and walkthroughs are useful tools to identify where controls are lacking and the likelihood of misstatement is therefore increased. It is also useful to examine the control risk matrix, such as to look for objectives where there are no or only a few controls to prevent or detect misstatements. 3. Consider the possibility of compensating controls. A compensating control is one elsewhere in the system that offsets the absence of a key control. A common example in a small business is the active involvement of the owner.
When a compensating control exists, there is no longer a significant deficiency or material weakness. 4. Decide whether there is a significant deficiency or material weakness. The likelihood of misstatements and their materiality are used to evaluate if there are significant deficiencies or material weaknesses. 5. Determine potential misstatements that could result. This step is intended to identify specific misstatements that are likely to result because of the significant deficiency or material weakness. The importance of a significant deficiency or material weakness is directly related to the likelihood and materiality of potential misstatements.

Associate Significant Deficiencies and Material Weaknesses with Related Audit Objectives

The same as for controls, each significant deficiency or material weakness can apply to one or more related audit objectives. In the case of Hillsburg, there are two significant deficiencies, and each applies to only one transaction-related objective. The significant deficiencies are shown in the body of the figure by a D in the appropriate objective column.

Assess Control Risk for Each Related Audit Objective

After controls, significant deficiencies, and material weaknesses are identified and associated with transaction-related audit objectives, the auditor can assess control risk for transaction-related audit objectives. This is the critical decision in the evaluation of internal control. The auditor uses all of the information discussed previously to make a subjective control risk assessment for each objective. There are different ways to express this assessment. Some auditors use a subjective expression such as high, moderate, or low. Others use numerical probabilities such as 1.0, 0.6, or 0.2. Again, the control risk matrix is a useful tool for making the assessment. This assessment is not the final one.
Before making the final assessment at the end of the integrated audit, the auditor will test controls and perform substantive tests. These procedures can either support the preliminary assessment or cause the auditor to make changes. In some cases, management can correct deficiencies and material weaknesses before the auditor does significant testing, which may permit a reduction in control risk. After a preliminary assessment of control risk is made for sales and cash receipts, the auditor can complete the three control risk rows of the evidence-planning worksheet. If tests of controls results do not support the preliminary assessment of control risk, the auditor must modify the worksheet later. Alternatively, the auditor can wait until tests of controls are done to complete the three control risk rows of the worksheet. As part of understanding internal control and assessing control risk, the auditor is required to communicate certain matters to those charged with governance. This information and other recommendations about controls are also often communicated to management.

Communications to Those Charged With Governance

The auditor must communicate significant deficiencies and material weaknesses in writing to those charged with governance as soon as the auditor becomes aware of their existence. The communication is usually addressed to the audit committee and to management. Timely communications may provide management an opportunity to address control deficiencies before management's report on internal control must be issued. In some instances, deficiencies can be corrected sufficiently early such that both management and the auditor can conclude that controls are operating effectively as of the balance sheet date.
Regardless, these communications must be made no later than 60 days following the audit report release.

Management Letters

In addition to these matters, auditors often identify less significant internal control-related issues, as well as opportunities for the client to make operational improvements. These should also be communicated to the client. The form of communication is often a separate letter for that purpose, called a management letter. Although management letters are not required by auditing standards, auditors generally provide them as a value-added service of the audit.

Test of controls

We've examined how auditors link controls, significant deficiencies, and material weaknesses in internal control to related audit objectives to assess control risk for each objective. Now we'll address how auditors test those controls that are used to support a control risk assessment. For example, each key control that the auditor intends to rely on to support a control risk of medium or low must be supported by sufficient tests of controls. We will deal with tests of controls for both audits of internal control for financial reporting and audits of financial statements. Assessing control risk requires the auditor to consider both the design and operation of controls to evaluate whether they will likely be effective in meeting related audit objectives. During the understanding phase, the auditor will have already gathered some evidence in support of both the design of the controls and their implementation by using procedures to obtain an understanding.
In most cases, the auditor will not have gathered enough evidence to reduce assessed control risk to a sufficiently low level. The auditor must therefore obtain additional evidence about the operating effectiveness of controls throughout all, or at least most, of the period under audit. The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.
If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same assessed control risk as the preliminary assessment. If, however, the tests of controls indicate that the controls did not operate effectively, the assessed control risk must be reconsidered. For example, the tests may indicate that the application of a control was curtailed midway through the year or that the person applying it made frequent misstatements. In such situations, the auditor uses a higher assessed control risk, unless compensating controls for the same related audit objectives are identified and found to be effective. Of course, the auditor must also consider the impact of those controls that are not operating effectively on the auditor's report on internal control.

Procedures for Tests of Controls

The auditor is likely to use four types of procedures to support the operating effectiveness of internal controls. Management's test of internal control will likely include the same types of procedures. The four types of procedures are as follows: 1. Make inquiries of appropriate client personnel. Although inquiry is not a highly reliable source of evidence about the effective operation of controls, it is still appropriate. For example, to determine that unauthorized personnel are denied access to computer files, the auditor may make inquiries of the person who controls the computer library and of the person who controls online access security password assignments.
2. Examine documents, records, and reports. Many controls leave a clear trail of documentary evidence that can be used to test controls. Suppose, for example, that when a customer order is received, it is used to create a customer sales order, which is approved for credit. Then the customer order is attached to the sales order as authorization for further processing.
The auditor can test the control by examining the documents to make sure that they are complete and properly matched and that required signatures or initials are present. 3. Observe control-related activities. Some controls do not leave an evidence trail, which means that it is not possible to examine evidence that the control was executed at a later date. For example, separation of duties relies on specific persons performing specific tasks, and there is typically no documentation of the separate performance. For controls that leave no documentary evidence, the auditor generally observes them being applied at various points during the year.
4. Reperform client procedures. There are also control-related activities for which there are related documents and records, but their content is insufficient for the auditor's purpose of assessing whether controls are operating effectively. For example, assume that prices on sales invoices are obtained from the master price list, but no indication of the control is documented on the sales invoices. In these cases, it is common for the auditor to reperform the control activity to see whether the proper results were obtained. For this example, the auditor can reperform the procedure by comparing the sales prices to the authorized price list in effect at the date of the transaction. If no misstatements are found, the auditor can conclude that the procedure .

Extent of Procedures

The extent to which tests of controls are applied depends on the preliminary assessed control risk. If the auditor wants a lower assessed control risk, more extensive tests of controls are applied, both in terms of the number of controls tested and the extent of the tests for each control. For example, if the auditor wants to use a low assessed control risk, a larger sample size for documentation, observation, and reperformance procedures should be applied.
The extent of testing also depends on the frequency of the operation of the controls, and whether it is manual or automated.

Reliance on Evidence from the Prior Year's Audit

When auditors plan to use evidence about the operating effectiveness of internal control obtained in prior audits, auditing standards require tests of the controls' effectiveness at least every third year. If auditors determine that a key control has been changed since it was last tested, they should test it in the current year. When there are a number of controls tested in prior audits that have not been changed, auditing standards require auditors to test some of those controls each year to ensure there is a rotation of controls testing throughout the three-year period.

Testing of Controls Related to Significant Risks

Significant risks are those risks that the auditor believes require special audit consideration. When the auditor's risk assessment procedures identify significant risks, the auditor is required to test the operating effectiveness of controls that mitigate these risks in the current year audit, if the auditor plans to rely on those controls to support a control risk assessment below 100%. The greater the risk, the more audit evidence the auditor should obtain that controls are operating effectively.

Testing Less Than the Entire Audit Period

Recall that management's report on internal control deals with the effectiveness of internal controls as of the end of the fiscal year. PCAOB Standard 5 requires the auditor to perform tests of controls that are adequate to determine whether controls are operating effectively at year-end. The timing of the auditor's tests of controls will therefore depend on the nature of the controls and when the company uses them. For controls that are applied throughout the accounting period, it is usually practical to test them at an interim date.
The auditor will then determine later if changes in controls occurred in the period not tested and decide the implication of any change. Controls dealing with financial statement preparation occur only quarterly or at year-end and must therefore also be tested at quarter and year-end.

Relationship between Tests of Controls and Procedures to Obtain an Understanding

There is a significant overlap between tests of controls and procedures to obtain an understanding. Both include inquiry, documentation, and observation. There are two primary differences in the application of these common procedures. 1. In obtaining an understanding of internal control, the procedures to obtain an understanding are applied to all controls identified during that phase. Tests of controls, on the other hand, are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding. 2. Procedures to obtain an understanding are performed only on one or a few transactions or, in the case of observations, at a single point in time. Tests of controls are performed on larger samples of transactions (perhaps 20 to 100), and often, observations are made at more than one point in time.
For key controls, tests of controls other than reperformance are essentially an extension of procedures to obtain an understanding. Therefore, assuming the auditors plan to obtain a low assessed control risk from the beginning of the integrated audit, they will likely combine both types of procedures and perform them simultaneously. One option is to perform the audit procedures separately, where minimal procedures to obtain an understanding of design and operation are performed, followed by additional tests of controls. An alternative is to combine both columns and do them simultaneously. The same amount of evidence is accumulated in the second approach, but more efficiently.
The determination of the appropriate sample size for tests of controls is an important audit decision.

Detection risk and the design of substantive tests

We've focused on how auditors assess control risk for each related audit objective and support control risk assessments with tests of controls. The completion of these activities is sufficient for the audit of internal control over financial reporting, even though the report will not be finalized until the auditor completes the audit of financial statements. The auditor uses the control risk assessment and results of tests of controls to determine planned detection risk and related substantive tests for the audit of financial statements. The auditor does this by linking the control risk assessments to the balance-related audit objectives for the accounts affected by the major transaction types and to the four presentations and disclosure audit objectives. The appropriate level of detection risk for each balance-related audit objective is then decided using the audit risk model. The relationship of transaction-related audit objectives to balance-related audit objectives and the selection and design of audit procedures for substantive tests of financial statement.

Types of test

In developing an overall audit plan, auditors use five types of tests to determine whether financial statements are fairly stated. Auditors use risk assessment procedures to assess the risk of material misstatement, represented by the combination of inherent risk and control risk. The other four types of tests represent further audit procedures performed in response to the risks identified. Each audit procedure falls into one, and sometimes more than one, of these five categories. Figure 13-1 shows the relationship of the four types of further audit procedures to the audit risk model.
As Figure 13-1 illustrates, tests of controls are performed to support a reduced assessment of control risk, while auditors use analytical procedures and tests of details of balances to satisfy planned detection risk. Substantive tests of transactions affect both control risk and planned detection risk, because they test the effectiveness of internal controls and the dollar amounts of transactions.

Risk Assessment Procedures

The second standard of fieldwork requires the auditor to obtain an understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement in the client's financial statements. Risk assessment procedures are performed to assess the risk of material misstatement in the financial statements. The auditor performs tests of controls, substantive tests of transactions, analytical procedures, and tests of details of balances in response to the auditor's assessment of the risk of material misstatements.
The combination of these four types of further audit procedures provides the basis for the auditor's opinion, as illustrated by Figure 13-1. A major part of the auditor's risk assessment procedures are done to obtain an understanding of internal control. Procedures to obtain an understanding of internal control were studied and focus on both the design and implementation of internal control and are used to assess control risk for each transaction-related audit objective.

Tests of Controls

The auditor's understanding of internal control is used to assess control risk for each transaction-related audit objective. Examples are assessing the accuracy objective for sales transactions as low and the occurrence objective as moderate. When control policies and procedures are believed to be effectively designed, the auditor assesses control risk at a level that reflects the relative effectiveness of those controls.
To obtain sufficient appropriate evidence to support that assessment, the auditor performs tests of controls. Tests of controls, either manual or automated, may include the following types of evidence. (Note that the first three procedures are the same as those used to obtain an understanding of internal control.)
Make inquiries of appropriate client personnel
Examine documents, records, and reports
Observe control-related activities
Reperform client procedures
Auditors perform a system walkthrough as part of procedures to obtain an understanding to help them determine whether controls are in place. The walkthrough is normally applied to one or a few transactions and follows that transaction through the entire process. For example, the auditor may select one sales transaction for a system walkthrough of the credit approval process, then follow the credit approval process from initiation of the sales transaction through the granting of credit. Tests of controls are also used to determine whether these controls are effective and usually involve testing a sample of transactions. As a test of the operating effectiveness of the credit approval process, for example, the auditor might examine a sample of 50 sales transactions from throughout the year to determine whether credit was granted before the shipment of goods.
Procedures to obtain an understanding of internal control generally do not provide sufficient appropriate evidence that a control is operating effectively. An exception may apply for automated controls because of their consistent performance. The auditor's procedures to determine whether the automated control has been implemented may also serve as the test of that control, if the auditor determines there is minimal risk that the automated control has been changed since the understanding was obtained. Then, no additional tests of controls would be required. The amount of additional evidence required for tests of controls depends on two things: 1.
The extent of evidence obtained in gaining the understanding of internal control 2. The planned reduction in control risk
Figure 13-2 (p. 406) shows the role of tests of controls in the audit of the sales and collection cycle relative to other tests performed to provide sufficient appropriate evidence for the auditor's opinion. Note the unshaded circles with the words Audited by TOC. For simplicity, we make two assumptions: only sales and cash receipts transactions and three general ledger balances make up the sales and collection cycle, and the beginning balances in cash and accounts receivable were audited in the previous year and are considered correct. If auditors verify that sales and cash receipts transactions are correctly recorded in the accounting records and posted to the general ledger, they can conclude that the ending balances in accounts receivable and sales are correct. (Cash disbursements transactions will have to be audited before the auditor can reach a conclusion about the ending balance in the cash account.) One way the auditor can verify recording of transactions is to perform tests of controls. If controls are in place over sales and cash receipts transactions, the auditor can perform tests of controls to determine whether the six transaction-related audit objectives are being met for that cycle. Substantive tests of transactions, which we will examine in the next section, also affect audit assurance for sales and cash receipts transactions.

Substantive Tests of Transactions

Substantive tests are procedures designed to test for dollar misstatements (often called monetary misstatements) that directly affect the correctness of financial statement balances. Auditors rely on three types of substantive tests: substantive tests of transactions, substantive analytical procedures, and tests of details of balances.
Substantive tests of transactions are used to determine whether all six transaction-related audit objectives have been satisfied for each class of transactions. Two of those objectives for sales transactions are recorded sales transactions exist (occurrence objective) and existing sales transactions are recorded (completeness objective) for the six transaction-related audit objectives.
When auditors are confident that all transactions were correctly recorded in the journals and correctly posted, considering all six transaction-related audit objectives, they can be confident that general ledger totals are correct. Figure 13-2 illustrates the role of substantive tests of transactions in the audit of the sales and collection cycle by lightly shaded circles with the words Audited by STOT. Observe that both tests of controls and substantive tests of transactions are performed for transactions in the cycle, not on the ending account balances. The auditor verifies the recording and summarizing of sales and cash receipts transactions by performing substantive tests of transactions. Figure 13-2 shows one set of tests for sales and another for cash receipts.

Analytical Procedures

Analytical procedures involve comparisons of recorded amounts to expectations developed by the auditor. Auditing standards require that they be done during planning and completing the audit. Although not required, analytical procedures may also be performed to audit an account balance. The two most important purposes of analytical procedures in the audit of account balances are to: 1. Indicate possible misstatements in the financial statements 2. Provide substantive evidence
Analytical procedures done during planning typically differ from those done in the testing phase. Even if, for example, auditors calculate the gross margin during planning, they probably do it using interim data. Later, during the tests of the ending balances, they will recalculate the ratio using full-year data.
If auditors believe that analytical procedures indicate a reasonable possibility of misstatement, they may perform additional analytical procedures or decide to modify tests of details of balances. When the auditor develops expectations using analytical procedures and concludes that the client's ending balances in certain accounts appear reasonable, certain tests of details of balances may be eliminated or sample sizes reduced.

Auditing standards state that analytical procedures are a type of substantive test (referred to as substantive analytical procedures) when they are performed to provide evidence about an account balance. The extent to which auditors may be willing to rely on substantive analytical procedures in support of an account balance depends on several factors, including the precision of the expectation developed by the auditor, materiality, and the risk of material misstatement. Figure 13-2 illustrates the role of substantive analytical procedures in the audit of the sales and collection cycle by the dark shaded circles with the words "Audited by AP." Observe that the auditor performs substantive analytical procedures on sales and cash receipts transactions, as well as on the ending balances of the accounts in the cycle.

Tests of Details of Balances

Tests of details of balances focus on the ending general ledger balances for both balance sheet and income statement accounts. The primary emphasis in most tests of details of balances is on the balance sheet. Examples include confirmation of customer balances for accounts receivable, physical examination of inventory, and examination of vendors' statements for accounts payable. Tests of ending balances are essential because the evidence is usually obtained from a source independent of the client, which is considered highly reliable.
Much as for transactions, the auditor's tests of details of balances must satisfy all balance-related audit objectives for each significant balance sheet account.

Figure 13-2 illustrates the role of tests of details of balances by the circles with half dark and half light shading and the words "Audited by TDB." Auditors perform detailed tests of the ending balances for sales and accounts receivable, including procedures such as confirmation of accounts receivable balances and sales cutoff tests. The extent of these tests depends on the results of tests of controls, substantive tests of transactions, and substantive analytical procedures for these accounts. Tests of details of balances help establish the monetary correctness of the accounts they relate to and therefore are substantive tests. For example, confirmations test for monetary misstatements in accounts receivable and are therefore substantive tests. Similarly, counts of inventory and cash on hand are also substantive tests.

Select the Appropriate Types of Audit Tests

Typically, auditors use all five types of tests when performing an audit of the financial statements, but certain types may be emphasized, depending on the circumstances. Recall that risk assessment procedures are required in all audits to assess the risk of material misstatement, while the other four types of tests are performed in response to the risks identified to provide the basis for the auditor's opinion. Note also that only risk assessment procedures, especially procedures to obtain an understanding of controls, and tests of controls are performed in an audit of internal control over financial reporting. Several factors influence the auditor's choice of the types of tests to select, including the availability of the eight types of evidence, the relative costs of each type of test, the effectiveness of internal controls, and inherent risks. Only the first two are discussed further because the last two were discussed in earlier chapters.
Availability of Types of Evidence for Further Audit Procedures

Each of the four types of further audit procedures involves only certain types of evidence (confirmation, documentation, and so forth). More types of evidence, six in total, are used for tests of details of balances than for any other type of test. Only tests of details of balances involve physical examination and confirmation. Inquiries of the client are made for every type of test. Documentation is used in every type of test except analytical procedures. Reperformance is used in every type of test except analytical procedures. Auditors may reperform a control as part of a transaction walkthrough or to test a control that is not supported by sufficient documentary evidence. Recalculation is used to verify the mathematical accuracy of transactions when performing substantive tests of transactions and of account balances when performing tests of details of balances.

Relative Costs

When auditors must decide which type of test to select for obtaining sufficient appropriate evidence, the cost of the evidence is an important consideration. The types of tests are listed below in order of increasing cost:
1. Analytical procedures
2. Risk assessment procedures, including procedures to obtain an understanding of internal control
3. Tests of controls
4. Substantive tests of transactions
5. Tests of details of balances

Analytical procedures are the least costly because of the relative ease of making calculations and comparisons. Often, considerable information about potential misstatements can be obtained by simply analyzing two or three numbers. Risk assessment procedures, including procedures to obtain an understanding of internal control, are not as costly as other audit tests because auditors can easily make inquiries and observations and perform planning analytical procedures.
Also, examining such things as documents summarizing the client's business operations and processes and its management and governance structure is relatively cheaper than other audit tests. Because tests of controls also involve inquiry, observation, and inspection, their relative costs are also low compared to substantive tests.

However, tests of controls are more costly than the auditor's risk assessment procedures because a greater extent of testing is required to obtain evidence that a control is operating effectively, especially when those tests of controls involve reperformance. Often, auditors can perform a large number of tests of controls quickly using audit software. Such software can test controls in clients' computerized accounting systems, such as computerized accounts receivable systems that automatically authorize sales to existing customers by comparing the proposed sales amount and existing accounts receivable balance with the customer's credit limit. Substantive tests of transactions cost more than tests of controls that do not include reperformance because the former often require recalculations and tracings.

In a computerized environment, however, the auditor can often perform substantive tests of transactions quickly for a large sample of transactions. Tests of details of balances almost always cost considerably more than any of the other types of procedures because of the cost of procedures such as sending confirmations and counting inventories. Because of the high cost of tests of details of balances, auditors usually try to plan the audit to minimize their use. Naturally, the cost of each type of evidence varies in different situations.
For example, the cost of an auditor's test-counting inventory (a substantive test of the details of the inventory balance) often depends on the type and dollar value of the inventory, its location, and the number of different items.

Relationship between Tests of Controls and Substantive Tests

To better understand tests of controls and substantive tests, let's examine how they differ. An exception in a test of control only indicates the likelihood of misstatements affecting the dollar value of the financial statements, whereas an exception in a substantive test of transactions or a test of details of balances is a financial statement misstatement. Exceptions in tests of controls are called control test deviations. There are three levels of control deficiencies: deficiencies, significant deficiencies, and material weaknesses. Auditors are most likely to believe material dollar misstatements exist in the financial statements when control test deviations are considered to be significant deficiencies or material weaknesses. Auditors should then perform substantive tests of transactions or tests of details of balances to determine whether material dollar misstatements have actually occurred.

Assume that the client's controls require an independent clerk to verify the quantity, price, and extension of each sales invoice, after which the clerk must initial the duplicate invoice to indicate performance. A test of control audit procedure is to inspect a sample of duplicate sales invoices for the initials of the person who verified the information. If a significant number of documents lack initials, the auditor should consider implications for the audit of internal control over financial reporting and follow up with substantive tests for the financial statement audit.
This can be done by extending tests of duplicate sales invoices to include verifying prices, extensions, and footings (substantive tests of transactions) or by increasing the sample size for the confirmation of accounts receivable (substantive test of details of balances).

Even though the control is not operating effectively, the invoices may still be correct, especially if the person originally preparing

On the other hand, if no documents or only a few of them are missing initials, the control will be considered effective and the auditor can therefore reduce substantive tests of transactions and tests of details of balances. However, some reperformance and recalculation substantive tests are still necessary to provide the auditor assurance that the clerk did not initial documents without actually performing the control procedure or perform it carelessly. Because of the need to complete some reperformance and recalculation tests, many auditors perform them as a part of the original tests of controls. Others wait until they know the results of the tests of controls and then determine the total sample size needed.

Relationship between Analytical Procedures and Substantive Tests

Like tests of controls, analytical procedures only indicate the likelihood of misstatements affecting the dollar value of the financial statements. Unusual fluctuations in the relationships of an account to other accounts, or to nonfinancial information, may indicate an increased likelihood that material misstatements exist without necessarily providing direct evidence of a material misstatement. When analytical procedures identify unusual fluctuations, auditors should perform substantive tests of transactions or tests of details of balances to determine whether dollar misstatements have actually occurred.

If the auditor performs substantive analytical procedures and believes that the likelihood of material misstatement is low, other substantive tests can be reduced.
For accounts with small balances and only minimal potential for material misstatements, such as many supplies and prepaid expense accounts, auditors often limit their tests to substantive analytical procedures if they conclude the accounts are reasonably stated.

Trade-Off between Tests of Controls and Substantive Tests

There is a trade-off between tests of controls and substantive tests. During planning, auditors decide whether to assess control risk below the maximum. When they do, they must then perform tests of controls to determine whether the assessed level of control risk is supported. (They must always perform tests of controls in an audit of internal control over financial reporting.) If tests of controls support the control risk assessment, planned detection risk in the audit risk model is increased, and planned substantive tests can therefore be reduced. Figure 13-3 shows the relationship between substantive tests and control risk assessment (including tests of controls) at differing levels of internal control effectiveness.

Impact of Information Technology on Audit Testing

Auditing standards provide guidance for auditors of entities that transmit, process, maintain, or access significant information electronically. Examples of electronic evidence include records of electronic fund transfers and purchase orders transmitted through electronic data interchange (EDI). Evidence of the performance of automated controls, such as the computer's comparison of proposed sales orders to customer credit limits, may also exist only in electronic form. The standards recognize that when a significant amount of audit evidence exists in electronic form, it may not be practical or possible to reduce detection risk to an acceptable level by performing only substantive tests.
For example, the potential for improper initiation or alteration of information may be greater if information is maintained only in electronic form.

In these circumstances, the auditor should perform tests of controls to gather evidence in support of an assessed level of control risk below maximum for the affected financial statement assertions. Although some substantive tests are still required, the auditor can significantly reduce substantive tests if the results of tests of controls support the effectiveness of controls. In the audit of a larger public company, computer-performed controls (these are called automated controls) must be tested if the auditor considers them to be key controls for reducing the likelihood of material misstatements in the financial statements. Because of the inherent consistency of IT processing, however, the auditor may be able to reduce the extent of testing of an automated control.

For example, a software-based control is almost certain to function consistently unless the program is changed. Once auditors determine an automated control is functioning properly, they can focus subsequent tests on assessing whether any changes have occurred that will limit the effectiveness of the control. Such tests might include determining whether any changes have occurred to the program and whether these changes were properly authorized and tested prior to implementation. This approach leads to significant audit efficiencies when the auditor determines that automated controls tested in the prior year's audit have not been changed and continue to be subject to effective general controls.

To test automated controls or data, the auditor may need to use computer-assisted audit techniques or use reports produced by IT to test the operating effectiveness of IT general controls, such as program change controls and access controls. In many cases, testing of automated controls may be performed by IT audit specialists.
When auditors test manual controls that rely on IT-generated reports, they must consider both the effectiveness of management's review and automated controls over the accuracy of information in the report.
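The sketch below is an added example, not part of the original essay. It shows how a computer-assisted audit technique could reperform the automated credit-limit control described above and then check whether the program behind it has changed since it was last tested. All order data, program text, and change-log fields are constructed, and treating a sale that lands exactly on the limit as approved is an assumption.

```python
import hashlib

# Constructed sample data: customer credit limits from the master file.
CREDIT_LIMITS = {"C001": 10_000, "C002": 5_000, "C003": 2_500}
# (order id, customer, proposed sale, A/R balance before sale, system decision)
ORDERS = [
    ("SO-1", "C001", 4_000, 5_000, "approved"),
    ("SO-2", "C002", 1_500, 4_000, "rejected"),
    ("SO-3", "C003", 2_000, 1_000, "approved"),  # over the limit, yet approved
    ("SO-4", "C001", 1_000, 9_000, "approved"),  # exactly at the limit (assumed OK)
    ("SO-5", "C999", 500, 0, "approved"),        # customer not on the master file
]

def reperform_credit_check(orders, limits):
    """Recompute the control's decision per order; return control test deviations."""
    deviations = []
    for order_id, customer, amount, balance, decision in orders:
        limit = limits.get(customer)
        if limit is None:
            expected = "rejected"  # control authorizes sales to existing customers only
        else:
            expected = "approved" if amount + balance <= limit else "rejected"
        if decision != expected:
            deviations.append((order_id, decision, expected))
    return deviations

def deviation_rate(orders, limits):
    """Share of tested orders where the system decision differs from reperformance."""
    return len(reperform_credit_check(orders, limits)) / len(orders)

def assess_program_change(baseline_hash, current_program, change_log):
    """Compare the program to the version tested last year and to the change log."""
    current = hashlib.sha256(current_program).hexdigest()
    if current == baseline_hash:
        return "unchanged"            # prior-year test of the control still applies
    for change in change_log:
        if change["resulting_hash"] == current:
            ok = change["authorized"] and change["tested"]
            return "changed-authorized" if ok else "changed-exception"
    return "changed-unlogged"         # program differs and no change record explains it

# Constructed program versions and change log (hypothetical field names).
PRIOR_PROGRAM = b"approve if sale + balance <= limit"
CURRENT_PROGRAM = b"approve if sale <= limit"
BASELINE_HASH = hashlib.sha256(PRIOR_PROGRAM).hexdigest()
CHANGE_LOG = [{"id": "CHG-1", "authorized": True, "tested": False,
               "resulting_hash": hashlib.sha256(CURRENT_PROGRAM).hexdigest()}]

if __name__ == "__main__":
    print(reperform_credit_check(ORDERS, CREDIT_LIMITS))
    print(deviation_rate(ORDERS, CREDIT_LIMITS))
    print(assess_program_change(BASELINE_HASH, CURRENT_PROGRAM, CHANGE_LOG))
```

A result other than "unchanged" means the prior year's test of the control cannot be carried forward without retesting.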
