Guide to Using International Standards on Auditing in - IFAC


17.03.2014 Views

130 Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts

In other cases, the link between pervasive and specific controls may be more direct. For example, some monitoring controls may identify control breakdowns in specific (business process) controls. Testing these monitoring controls for effectiveness might reduce (but not eliminate) the need for testing more specific controls.

Tests of pervasive controls (often referred to as entity-level and general IT controls) tend to be more subjective (such as evaluating the commitment to integrity or competence), and therefore tend to be more difficult to document than specific internal control at the business process level (such as checking to see if a payment was authorized). As a result, the testing of entity-level and general IT controls is often documented with memoranda to the file explaining the approach taken and the action steps (e.g., staff interviews, assessments, review of employee files, etc.), along with supporting evidence. This approach is illustrated in the following example.

Exhibit 10.5-2 Testing Pervasive (entity-level) Controls

Control Component = Control Environment

Risk Addressed: No emphasis is placed on need for integrity and ethical values.

Controls Identified: Management requires all new employees to sign a form stating their agreement with the firm’s fundamental values and understanding of the consequences for noncompliance.

Control Design: Read the form to be signed by employees and ensure it does indeed address integrity and ethical values.

Control Implementation: Review one employee file to ensure there is a signed form, and consider what evidence exists (such as discipline) that employees actually practice the values. This could be based on a short interview with an employee.

Test of Controls Effectiveness: Select a sample of employee files and ensure there are agreement forms on file and they are signed by the employee. This would be supplemented by asking a sample of employees some questions about the stated entity policies.

Documentation: Prepare a memo that provides details of the employee files selected, and notes from interviews (including the name of the person and the date) along with the conclusions reached.

Some key factors for the auditor to consider when designing a test of controls are listed below.

Exhibit 10.5-3

Address: What Risk of Material Misstatement and Assertion Is Being Addressed?

Description: Identify the risk of material misstatement and the related assertion that would be addressed by performing tests of control. Then consider whether audit evidence about the relevant assertion can be best obtained by performing tests of controls or through substantive procedures.

Address: Reliability of the Controls

Description: As a general rule, it is not worth testing controls that may prove to be unreliable, because the small sample sizes commonly used for testing controls are based on no deviations being found. If any of the following factors are significant, it may be more effective to perform substantive procedures (if possible):

• History of errors.
• Changes in the volume or nature of transactions.
• The underlying entity-level and general IT controls are weak.
• Controls can be (or have been) circumvented by management.
• Infrequent operation of the control.
• Changes in personnel or competence of people performing the control.
• There is a significant manual element in the control that could be prone to error.
• Complex operation, and major judgments involved with its operation.

Address: Existence of Indirect Controls

Description: Does control depend on effective operation of other controls? This could include non-financial information produced by a separate process, the treatment of exceptions, and periodic reviews of reports by managers.

Address: Nature of Test to Meet Objectives

Description: Tests of controls usually involve a combination of the following:

• Inquiries of appropriate personnel;
• Inspection of relevant documentation;
• Observation of the company’s operations; and
• Re-performance of the application of the control.

Note that inquiry alone would not be sufficient evidence to support a conclusion about the effectiveness of a control. For example, to test the operating effectiveness of internal control over cash receipts, the auditor might observe the procedures for opening the mail and processing cash receipts. Because an observation is pertinent only at the point in time at which it is made, the auditor would supplement the observation with inquiries of entity personnel and inspection of documentation about the operation of such internal control at other times.

CONSIDER POINT

Determine what constitutes a control deviation.

When designing a test of control, spend time to define exactly what constitutes an error or exception to the test. This will save time spent by audit staff in determining whether a seemingly minor exception (such as an incorrect telephone number) is, in fact, a control deviation.

Automated Controls

There may be some instances where control activities are performed by a computer and supporting documentation does not exist. In these situations, the auditor may have to re-perform some controls to ensure the software application controls are working as designed. Another approach is to use Computer-Assisted Audit Techniques (CAATs). One example of a CAAT is a software package that can import an entity’s

