Guide to Using International Standards on Auditing in - IFAC

More documents

Recommendations

Info

130 <strong>Guide</strong> <strong>to</strong> <strong>Using</strong> <strong>International</strong> <strong>Standards</strong> on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts In other cases, the link between pervasive and specific controls may be more direct. For example, some moni<strong>to</strong>ring controls may identify control breakdowns in specific (business process) controls. Testing these moni<strong>to</strong>ring controls for effectiveness might reduce (but not eliminate) the need for testing more specific controls. Tests of pervasive controls (often referred <strong>to</strong> as entity-level and general IT controls) tend <strong>to</strong> be more subjective (such as evaluating the commitment <strong>to</strong> integrity or competence), and therefore tend <strong>to</strong> be more difficult <strong>to</strong> document than specific internal control at the business process level (such as checking <strong>to</strong> see if a payment was authorized). As a result, the testing of entity-level and general IT controls is often documented with memoranda <strong>to</strong> the file explaining the approach taken and the action steps (e.g., staff interviews, assessments, review of employee files, etc.), along with supporting evidence. This approach is illustrated in the following example. Exhibit 10.5-2 Testing Pervasive (entity-level) Controls Control Component = Control Environment Risk Addressed Controls Identified Control Design Control Implementation Test of Controls Effectiveness Documentation No emphasis is placed on need for integrity and ethical values. Management requires all new employees <strong>to</strong> sign a form stating their agreement with the firm’s fundamental values and understanding of the consequences for noncompliance. Read the form <strong>to</strong> be signed by employees and ensure it does indeed address integrity and ethical values. Review one employee file <strong>to</strong> ensure there is a signed form, and consider what evidence exists (such as discipline) that employees actually practice the values. This could be based on a short interview with an employee. Select a sample of employee files and ensure there are agreement forms on file and they are signed by the employee. This would be supplemented by asking a sample of employees some questions about the stated entity policies. Prepare a memo that provides details of the employee files selected, and notes from interviews (including the name of the person and the date) along with the conclusions reached. Some key fac<strong>to</strong>rs for the audi<strong>to</strong>r <strong>to</strong> consider when designing a test of controls are listed below. Exhibit 10.5-3 Address What Risk of Material Misstatement and Assertion Is Being Addressed? Description Identify the risk of material misstatement and the related assertion that would be addressed by performing tests of control. Then consider whether audit evidence about the relevant assertion can be best obtained by a performing tests of controls or through substantive procedures.
131 <strong>Guide</strong> <strong>to</strong> <strong>Using</strong> <strong>International</strong> <strong>Standards</strong> on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts Address Reliability of the Controls Existence of Indirect Controls Nature of Test <strong>to</strong> Meet Objectives Description As a general rule, it is not worth testing controls that may prove <strong>to</strong> be unreliable, because the small sample sizes commonly used for testing controls are based on no deviations being found. If any of the following fac<strong>to</strong>rs are significant, it may be more effective <strong>to</strong> perform substantive procedures (if possible): • His<strong>to</strong>ry of errors. • Changes in the volume or nature of transactions. • The underlying entity-level and general IT controls are weak. • Controls can be (or have been) circumvented by management. • Infrequent operation of the control. • Changes in personnel or competence of people performing the control. • There is a significant manual element in the control that could be prone <strong>to</strong> error. • Complex operation, and major judgments involved with its operation. Does control depend on effective operation of other controls? This could include non-financial information produced by a separate process, the treatment of exceptions, and periodic reviews of reports by managers. Tests of controls usually involve a combination of the following: • Inquiries of appropriate personnel; • Inspection of relevant documentation; • Observation of the company’s operations; and • Re-performance of the application of the control. Note that inquiry alone would not be sufficient evidence <strong>to</strong> support a conclusion about the effectiveness of a control. For example, <strong>to</strong> test the operating effectiveness of internal control over cash receipts, the audi<strong>to</strong>r might observe the procedures for opening the mail and processing cash receipts. Because an observation is pertinent only at the point in time at which it is made, the audi<strong>to</strong>r would supplement the observation with inquiries of entity personnel and inspection of documentation about the operation of such internal control at other times. CONSIDER POINT Determine what constitutes a control deviation. When designing a test of control, spend time <strong>to</strong> define exactly what constitutes an error or exception <strong>to</strong> the test. This will save time spent by audit staff in determining whether a seemingly minor exception (such as an incorrect telephone number) is, in fact, a control deviation. Au<strong>to</strong>mated Controls There may be some instances where control activities are performed by a computer and supporting documentation does not exist. In these situations, the audi<strong>to</strong>r may have <strong>to</strong> re-perform some controls <strong>to</strong> ensure the software application controls are working as designed. Another approach is <strong>to</strong> use Computer- Assisted Audit Techniques (CAATs). One example of a CAAT is a software package that can import an entity’s
Page 1 and 2:
Guide to</
Page 3 and 4:
3 Guide to
Page 5 and 6:
5 Guide to
Page 7 and 8:
Disclaimer This Guide</stro
Page 9 and 10:
9 Guide to
Page 11 and 12:
11 Guide t
Page 13 and 14:
13 2. Clarified ISAs In March 2009,
Page 15 and 16:
15 Guide t
Page 17 and 18:
17 Guide t
Page 19 and 20:
Volume 1 Core Concepts
Page 21 and 22:
21 Guide t
Page 23 and 24:
23 Guide t
Page 25 and 26:
25 Guide t
Page 27 and 28:
27 Guide t
Page 29 and 30:
29 Guide t
Page 31 and 32:
31 Guide t
Page 33 and 34:
33 Guide t
Page 35 and 36:
35 Guide t
Page 37 and 38:
37 Guide t
Page 39 and 40:
39 Guide t
Page 41 and 42:
41 Guide t
Page 43 and 44:
43 Guide t
Page 45 and 46:
45 Guide t
Page 47 and 48:
47 Guide t
Page 49 and 50:
49 Guide t
Page 51 and 52:
51 5. Internal Control — Purpose
Page 53 and 54:
53 Guide t
Page 55 and 56:
55 Guide t
Page 57 and 58:
57 Guide t
Page 59 and 60:
59 Guide t
Page 61 and 62:
61 Guide t
Page 63 and 64:
63 Guide t
Page 65 and 66:
65 Guide t
Page 67 and 68:
67 Guide t
Page 69 and 70:
69 Guide t
Page 71 and 72:
71 Guide t
Page 73 and 74:
73 Guide t
Page 75 and 76:
75 Guide t
Page 77 and 78:
77 6. Financial Statement Assertion
Page 79 and 80: 79 Guide t
Page 101 and 102: 101 Guide
Page 115 and 116: 115 10. Further Audit Procedures Ch
Page 129: 129 Guide
Page 145 and 146: 145 12. Related Parties Chapter Con
Page 161 and 162: 161 14. Going Concern Chapter Conte
Page 171 and 172: 171 15. Summary of Other ISA Requir
Page 181 and 182:
181 Guide
Page 183 and 184:
183 Guide
Page 185 and 186:
185 Guide
Page 187 and 188:
187 Guide
Page 189 and 190:
189 Guide
Page 191 and 192:
191 Guide
Page 193 and 194:
193 Guide
Page 195 and 196:
195 Guide
Page 197 and 198:
197 Guide
Page 199 and 200:
199 Guide
Page 201 and 202:
201 Guide
Page 203 and 204:
203 Guide
Page 205 and 206:
205 16. Audit Documentation Chapter
Page 207 and 208:
207 Guide
Page 209 and 210:
209 Guide
Page 211 and 212:
211 Guide
Page 213 and 214:
213 Guide
Page 215 and 216:
215 Guide
Page 217 and 218:
217 Guide
Page 219 and 220:
219 Guide
Page 221 and 222:
221 Guide
Page 223 and 224:
223 Guide
Page 225 and 226:
225 Guide
Page 227 and 228:
227 Guide
Page 229 and 230:
229 Guide
Page 231 and 232:
231 Guide
Page 233 and 234:
233 Guide
Page 235 and 236:
235 Guide
show all

Guide to Using International Standards on Auditing in - IFAC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?