Chapter 9 – Control Assessment and Testing
Management vs. Auditor Responsibility
Management – responsible for its control environment, accounting system, and for establishing and
maintaining a system of internal control procedures.
Auditor – responsible for EVALUATING existing I/C and assessing the RMM related to them.
o Public accountants may help design ONLY for non-audit clients
Internal Controls (IC)
Internal controls help management:
Maintain operational effectiveness and efficiency
Minimize risks of asset loss
Enhance reliability of financial statements
Monitor compliance with laws and regulations
Note: Management must balance cost of controls and the benefit of RMM reduction.
At some point, Costs > Benefits because it is NOT possible to reduce risks to 0.
o Therefore, control systems generally do NOT provide ABSOLUTE assurance that objectives of
internal control are satisfied
Organizations that tend to be complex are going to need sophisticated controls in order to function
Mgmt needs to decide what level of risk is ACCEPTABLE.
General Type of Control Problems
1. Invalid transactions are recorded.
o Fictitious sales are recorded & charged to nonexistent customers.
o Matches to VALIDITY a.k.a. EXISTENCE
2. Valid transactions are omitted.
o Shipments to customers never get recorded.
o Matches to COMPLETENESS
3. Unauthorized transactions are executed.
o A customer’s order is not approved for credit, yet the goods are shipped, billed and charged to
the customer w/o requiring advance payment.
o Matches to AUTHORIZATION
4. Transaction amounts are inaccurate.
o A customer is billed and the sale is recorded in the wrong amt because the quantity shipped
and the quantity billed are not the same, and the unit price is for a different produce.
o Matches to ACCURACY.
5. Transactions are classified incorrectly.
o Sales to sub company are recorded as sales to outsiders instead of intercompany sales.
o Matches to CLASSIFICATION.
6. Transaction accounting is incomplete.
Keval Shah Chapter 9 – AFM 451 1 o Sales are posted in total to the A/R control account, but some are NOT posted to the individual
customer account records.
o Matches to ACCOUNTING.
7. Transactions are recorded in incorrect period.
o Shipments made in Jan are backdated and recorded as sales and charges to customers in
December (previous year) or vice versa
o Matches to PROPER PERIOD.
The risk that the client’s internal control will fail to prevent or detect a material misstatement.
The auditor does not control this risk.
The auditor’s task is to ASSESS the risk.
o Higher control risk means lowering detection risk.
Requires the auditor to increase substantive testing
Auditors often document control risk as either High, Moderate or Low (or as a probability: e.g., 1.0,
Control Risk – “Clean” vs. “Dirty”
“Clean” Audit: Client’s accounting records are accurate, well maintained and easy to verify that good
controls are in place.
o Such audits require LESS substantive test work
“Dirty” Audit: Client’s accounting records are incomplete, riddled with errors and there appears to be
poor or no controls present.
o Example: Shoes box full of receipts poor controls, very poor audit trail this can also lead to
an un-auditable client
Un-Auditable Client: Accounting records and controls so poor that RMM cannot be reduced to
Control Test vs. Substantive Procedure
Control Test – The auditor wants to obtain evidence about the OPERATING EFFECTIVENESS of control
procedures to provide indirect evidence about the RMM of monetary amounts in the F/S
Substantive Procedures – The auditor wants to obtain direct evidence about monetary misstatements
Note: A single procedure may produce both CONTROL and SUBSTANTIVE evidence.
Control Risk & The Audit Program
The control risk assessment will affect the PROCEDURES included in the audit program.
If the controls are weak …
Nature – Different tests may be needed to provide more relevant and reliable evidence. +
larger sample sizes (increase cost)
o I.e. Confirmation, Analytical Procedures, Document Vouching etc.
Keval Shah Chapter 9 – AFM 451 2 Timing - More testing will take place at year-end than at an interim date. (delays & increase
o I.e. Nov 1 (Interim Date), Dec 31 (Year-end) etc.
Extent – More evidence will have to be gathered (increase cost)
o I.e. Limited sample, all customer accounts, last 5 days sales etc.
Control Objectives - Note: These match up quite well with the mgmt. assertions
Control Objective Relation to Principal
Validity – Recorded transactions are valid and documented
Matching shipping documents w/ sales invoices before a sale is recorded – Ownership
Prevents recording of undocumented sales
Completeness – No transactions are omitted from accounting records
Every shipment should be matched with a sales invoice + shipping Completeness,
documents are often pre-numbered
Authorization – Transactions are authorized before they are recorded Existence, Ownership,
Credit sales must be preapproved Valuation
Accuracy - Transaction dollar amounts are properly recorded
A manual/computer check that q invoiced = q shipped, plus check to see that Valuation
correct list price is used
Classification - Transactions recorded in the right accounts
Ensure that credited to the right customers Valuation,
Classification errors b/w B/S and I/S present the greatest RMM because they Disclosure
will change net income
Accounting – Transactions recorded conform to GAAP
A clerk can balance the total of individual receivables with the control
account to determine if all entries to the control account have also been Presentation/
entered to individual customer accnts Disclosure
This is a useful category if you cannot identify a control problem in one of
the other categories
Proper Period - Transactions recorded in the proper period Completeness,
Sales, purchases, inventories, expense accruals, accruals etc. Presentation/
3 Phases of Control Evaluations (Note: Work on these phases overlaps)
I. UNDERSTANDING the internal controls
II. ASSESSING control risk by identifying strengths and weaknesses in the accounting info system
III. TESTING controls
Efficiency is important! = Doing high-quality work to obtain SAAE evidence with minimum time and
There should be a cost-benefit trade-off between control evaluation and substantive audit work
Keval Shah Chapter 9 – AFM 451 3 Cost Trade-Off Graph
Generally, the more auditors know about good controls, the less substantive year-end work they do
Key Controls: Important control procedures; auditors should identify and audit ONLY those controls
Note: Sometimes it may be easier NOT to test the controls
Auditors must make a trade-off between:
o Costs of evaluating Internal Control
o Costs of substantive audit tests
An EFFICIENT audit program looks for the combination of control evaluation and substantive work that
provides an acceptable level of assurance at the lowest total cost
Phase I: Understanding Internal Control
Done early in the audit.
Helps the auditor obtain overall acquaintance with:
o Control Environment
o Flow of transactions through accounting system
Recall: COSO and the flow of transactions through…
General Controls - PREVENTIVE in nature and can have a pervasive impact on various accounting
cycles. OVERALL impact on accounting processes.
Auditors focus general and environmental controls in the preliminary evaluation of IC
o Capable Personnel
Personnel problems IC problems
High turnover in accounting jobs – more new, inexperienced ppl
Accounting personnel changes warning signal
o Performance Reviews
Mgmt reviews of how reported performance compares w/ expectations, budgets and
Can be performed by auditors as part of their analytical procedures
o Segregation of Duties – Often on UFE
Authorization, recording, custody and reconciliation of recorded to existing amounts –
These 4 should be performed by diff departments
Keval Shah Chapter 9 – AFM 451 4 Fraud would require collusion of 2+ people and most ppl hesitate to ask for help
when conducting wrongful tasks
Innocent errors are more likely to be found and flagged for corrections
I.e. Oversee the credit manager’s performance or periodically compare the sum of
customers balances with the A/R control account total
Great tool for MONITORING and MAINTAINING a system of IC
o Controlled Access
Access to assets, important records, documents and BLANK FORMS (invoices, cheques)
should be limited to authorized personnel
o Periodic Comparison
Mgmt has responsibilit