Beruflich Dokumente
Kultur Dokumente
Tests of Controls
Objectives
Explain the relationship between control risk assessment
and audit strategy
Describe the purpose of tests of controls and the nature,
timing and extent of such tests
Clarify how the work of internal auditing may be used in
tests of controls
Explain the process of assessing control risk and
documenting the conclusion
Objectives
Indicate the appropriate communications the auditor
makes on internal control matters
Describe the types of controls you would expect to see in
an information technology environment
Identify the alternate types of computer-assisted audit
techniques
Preliminary Assessment of
Control Risk
ASA 315 para 25 states:
The auditor shall identify and assess the risks of
material misstatement at the financial report level, and
at the assertion level for classes of transaction,
account balances and disclosures
Assessment to obtain a reasonable understanding of
controls in place
Subsequently, decide on appropriate audit strategy so
as to design a detailed audit program
Process of assessing
control risk
Use professional judgement to assess the control
environment
Assess the design effectiveness of control procedures
and their ability to prevent or correct misstatements
Assess whether controls were effectively applied
throughout the period under audit
Tests of Controls
Tests of controls are carried out to evaluate the
operating effectiveness of the internal control policies
and procedures
The auditor must decide on the nature, timing and
extent of tests of control
ASA 330 The Auditors Procedures in Response to
Assessed Risks
Designing tests
Tests of controls include:
enquiring of client personnel
observation of activities and procedures
e.g. observation of counting during a stock take
inspection of documents and records
re-performance of procedures
10
Designing tests
Tests of controls conduced at interim period as auditor
can get an early indication of controls are operating
effectively and change tests to substantive tests if
required
Extent of tests is determined by auditors planned
assessed level of control risk
More extensive testing is needed for a low assessed
level of control risk
13
Final assessment
Need to fully document all tests
Important to communicate all concerns regarding
internal control matters to the entitys management
and board
Refer ASA 265 on Communication of Audit Matters
with Those Charged with Corporate Governance (i.e.
to director level)
14
Communication of internal
control matters
Insert figure 1: monitoring applied to
the internal control process
Types of controls in an
information technology
environment
Overview of computer controls
Types of controls in an
information technology
environment
Audit strategies for assessing control risk
assessing control risk based on user controls
Planning for a low control risk assessment based on
application controls
Planning for a high control risk assessment based on
general controls and manual follow-up
Types of controls in an
information technology
environment
User controls
Manual procedures designed to test the
completeness and accuracy of computer processed
transactions
Application controls
Use of automated controls and planning of strategies
to assess control risk as low
Test data
Integrated test facility
Parallel simulation
Continuous monitoring
Tagging transactions
Systems control audit review file
20
22