Joanne M. Flood - Wiley Practitioner's Guide to GAAS 2020

Testing the operating effectiveness is necessary only when the auditor will rely on the operating effectiveness of controls to modify the nature, timing, and extent of substantive procedures or when substantive procedures alone do not provide the auditor with sufficient audit evidence at the assertion level.

The procedures necessary to understand the design and implementation of controls do provide some limited evidence regarding the operation of the controls. However, the procedures necessary to understand the design and implementation of controls generally are not sufficient to serve as a test of their operating effectiveness for the purpose of placing significant reliance on their operation.

Examples of situations where the procedures the auditor performs to understand the design and implementation of controls may provide sufficient audit evidence about their operating effectiveness include:

Controls that are automated to the degree that they can be performed consistently provided that general information technology (IT) controls over those automated controls operate effectively during the period.

Controls that operate only at a point in time rather than continuously throughout the period. For example, if the client performs an annual physical inventory count, the auditor’s observation of that count and other procedures to evaluate its design and implementation provide audit evidence that may affect the design of the auditor’s substantive procedures.

The required understanding of internal control must include all five components of internal control:

1 The control environment,

2 The entity’s risk assessment process,

3 The information system, including processes related to financial reporting and communication,

4 Control activities, and

5 Monitoring.

(AU-C 315.A57)

These components may operate at the entity level or the individual transaction level. Obtaining an appropriate understanding of internal control requires the auditor to understand and evaluate the design of all five components of internal control and to determine whether the controls are in use by the client.

The auditor should obtain a sufficient knowledge of the control environment to understand management’s and the board of directors’ attitudes, awareness, and actions concerning the environment. (AU-C 315.15) Control environment factors include:

Communication and enforcement of integrity and ethical values

Commitment to competence

Characteristics of those charged with governance

Management’s philosophy and operating style

Organizational structure

Assignment of authority and responsibility

Human resources policies and practices

(AU-C 315.A79)

NOTE: The auditor should concentrate on the substance of controls (established and acted upon), not their form.

The auditor should obtain an understanding of the entity’s procedures for business risk, specifically:

Identifying the risks

Estimating significance

Assessing the likelihood of occurrence

Deciding on an action plan to address the risk

(AU-C 315.16)

Risks can occur because of the following:

Changes in operating environment

New personnel

New or revamped information systems

Rapid growth

New technology

New business models, products, or activities

Corporate restructurings

Expanded foreign operations

New accounting pronouncements

Changes in economic conditions

(AU-C 315.A90)

NOTE: The auditor’s assessment of inherent and control risks is a separate consideration and not part of the entity’s risk assessment.

The auditor should obtain sufficient knowledge of the accounting information system to understand:

The classes of transactions that are significant to the financial statements

The procedures, both automated and manual, by which those transactions are initiated, recorded, processed, and reported from their occurrence to inclusion in the financial statements

The related accounting records, whether electronic or manual, supporting information, and specific accounts involved in initiating, recording, processing, and reporting transactions

How the information system captures other events and conditions that are significant to the financial statements

The financial reporting process

Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments

(AU-C 315.19)

The auditor should understand the automated and manual procedures used to prepare financial statements and related disclosures, and how misstatements may occur. Such procedures include:

The procedures used to enter transaction totals into the general ledger

NOTE: The auditor should be aware that when information technology (IT) is used to automatically transfer information from transaction processing systems to general ledger or financial reporting systems, there may be little or no visible evidence of intervention in the information systems (e.g., an individual may inappropriately override automated processes by changing the amounts being automatically passed to the general ledger or financial reporting system).

The procedures used to initiate, record, and process standard (e.g., monthly sales and purchase transactions) and nonstandard (e.g., business combinations or disposals, or a nonrecurring accounting estimate) journal entries in the general ledger

NOTE: Auditors should be aware that:

When IT is used to maintain the general ledger and prepare financial statements, such nonstandard entries may exist only in electronic form and may be more difficult to identify through physical inspection of printed documents.

Financial statement misstatements are often perpetrated by using nonstandard entries to record fictitious transactions or other events and circumstances, particularly near the end of the reporting period.

Other procedures used to record recurring and nonrecurring adjustments (e.g., consolidating adjustments and reclassifications that are not made by formal journal entries)

The auditor should also obtain sufficient knowledge of the means the entity uses to communicate financial reporting roles and responsibilities and significant matters about financial reporting. (AU-C 315.20)

The auditor should obtain an understanding of those control activities that are relevant to the audit. (AU-C 315.21) Control activities are relevant to the audit if they are related to significant risks , as discussed later in this section. Examples of specific control activities include:

Authorization

Performance reviews

Information processing

Physical controls

Segregation of duties (e.g., assigning different people the responsibility for authorizing transactions, recording transactions, and maintaining custody of assets)

(AU-C 315.A99)

The auditor should also obtain an understanding of the process of reconciling detail to the general ledger for significant accounts. (AU-C 315.21)

The auditor should obtain sufficient knowledge of the major types of activities that the entity uses to monitor internal control over financial reporting, including the internal audit function—how it works, its responsibilities, and how it fits into the organization and sources of information used in the monitoring activities. (AU-C 315.23–.25)