Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in - IFAC
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
130<br />
<str<strong>on</strong>g>Guide</str<strong>on</strong>g> <str<strong>on</strong>g>to</str<strong>on</strong>g> <str<strong>on</strong>g>Us<strong>in</strong>g</str<strong>on</strong>g> <str<strong>on</strong>g>Internati<strong>on</strong>al</str<strong>on</strong>g> <str<strong>on</strong>g>Standards</str<strong>on</strong>g> <strong>on</strong> <strong>Audit<strong>in</strong>g</strong> <strong>in</strong> the Audits of Small- and Medium-Sized Entities Volume 1—Core C<strong>on</strong>cepts<br />
In other cases, the l<strong>in</strong>k between pervasive and specific c<strong>on</strong>trols may be more direct. For example, some m<strong>on</strong>i<str<strong>on</strong>g>to</str<strong>on</strong>g>r<strong>in</strong>g<br />
c<strong>on</strong>trols may identify c<strong>on</strong>trol breakdowns <strong>in</strong> specific (bus<strong>in</strong>ess process) c<strong>on</strong>trols. Test<strong>in</strong>g these m<strong>on</strong>i<str<strong>on</strong>g>to</str<strong>on</strong>g>r<strong>in</strong>g c<strong>on</strong>trols<br />
for effectiveness might reduce (but not elim<strong>in</strong>ate) the need for test<strong>in</strong>g more specific c<strong>on</strong>trols.<br />
Tests of pervasive c<strong>on</strong>trols (often referred <str<strong>on</strong>g>to</str<strong>on</strong>g> as entity-level and general IT c<strong>on</strong>trols) tend <str<strong>on</strong>g>to</str<strong>on</strong>g> be more subjective<br />
(such as evaluat<strong>in</strong>g the commitment <str<strong>on</strong>g>to</str<strong>on</strong>g> <strong>in</strong>tegrity or competence), and therefore tend <str<strong>on</strong>g>to</str<strong>on</strong>g> be more difficult <str<strong>on</strong>g>to</str<strong>on</strong>g><br />
document than specific <strong>in</strong>ternal c<strong>on</strong>trol at the bus<strong>in</strong>ess process level (such as check<strong>in</strong>g <str<strong>on</strong>g>to</str<strong>on</strong>g> see if a payment<br />
was authorized). As a result, the test<strong>in</strong>g of entity-level and general IT c<strong>on</strong>trols is often documented with<br />
memoranda <str<strong>on</strong>g>to</str<strong>on</strong>g> the file expla<strong>in</strong><strong>in</strong>g the approach taken and the acti<strong>on</strong> steps (e.g., staff <strong>in</strong>terviews, assessments,<br />
review of employee files, etc.), al<strong>on</strong>g with support<strong>in</strong>g evidence.<br />
This approach is illustrated <strong>in</strong> the follow<strong>in</strong>g example.<br />
Exhibit 10.5-2<br />
Test<strong>in</strong>g Pervasive (entity-level) C<strong>on</strong>trols<br />
C<strong>on</strong>trol Comp<strong>on</strong>ent = C<strong>on</strong>trol Envir<strong>on</strong>ment<br />
Risk Addressed<br />
C<strong>on</strong>trols<br />
Identified<br />
C<strong>on</strong>trol Design<br />
C<strong>on</strong>trol<br />
Implementati<strong>on</strong><br />
Test of C<strong>on</strong>trols<br />
Effectiveness<br />
Documentati<strong>on</strong><br />
No emphasis is placed <strong>on</strong> need for <strong>in</strong>tegrity and ethical values.<br />
Management requires all new employees <str<strong>on</strong>g>to</str<strong>on</strong>g> sign a form stat<strong>in</strong>g their agreement<br />
with the firm’s fundamental values and understand<strong>in</strong>g of the c<strong>on</strong>sequences for n<strong>on</strong>compliance.<br />
Read the form <str<strong>on</strong>g>to</str<strong>on</strong>g> be signed by employees and ensure it does <strong>in</strong>deed address <strong>in</strong>tegrity<br />
and ethical values.<br />
Review <strong>on</strong>e employee file <str<strong>on</strong>g>to</str<strong>on</strong>g> ensure there is a signed form, and c<strong>on</strong>sider what<br />
evidence exists (such as discipl<strong>in</strong>e) that employees actually practice the values. This<br />
could be based <strong>on</strong> a short <strong>in</strong>terview with an employee.<br />
Select a sample of employee files and ensure there are agreement forms <strong>on</strong> file and<br />
they are signed by the employee. This would be supplemented by ask<strong>in</strong>g a sample of<br />
employees some questi<strong>on</strong>s about the stated entity policies.<br />
Prepare a memo that provides details of the employee files selected, and notes<br />
from <strong>in</strong>terviews (<strong>in</strong>clud<strong>in</strong>g the name of the pers<strong>on</strong> and the date) al<strong>on</strong>g with the<br />
c<strong>on</strong>clusi<strong>on</strong>s reached.<br />
Some key fac<str<strong>on</strong>g>to</str<strong>on</strong>g>rs for the audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r <str<strong>on</strong>g>to</str<strong>on</strong>g> c<strong>on</strong>sider when design<strong>in</strong>g a test of c<strong>on</strong>trols are listed below.<br />
Exhibit 10.5-3<br />
Address<br />
What Risk<br />
of Material<br />
Misstatement and<br />
Asserti<strong>on</strong> Is Be<strong>in</strong>g<br />
Addressed?<br />
Descripti<strong>on</strong><br />
Identify the risk of material misstatement and the related asserti<strong>on</strong> that would be<br />
addressed by perform<strong>in</strong>g tests of c<strong>on</strong>trol. Then c<strong>on</strong>sider whether audit evidence<br />
about the relevant asserti<strong>on</strong> can be best obta<strong>in</strong>ed by a perform<strong>in</strong>g tests of c<strong>on</strong>trols<br />
or through substantive procedures.