Joanne M. Flood - Wiley Practitioner's Guide to GAAS 2020

Your tests of operating effectiveness should be designed to determine:

How the control procedure was performed

The consistency with which it was applied

By whom it was applied

The reliability of a test is influenced by three factors:

1 Nature. The type of the test you perform is referred to as its “nature.”There are four types of tests:Inquiry. Think of inquiry as providing circumstantial evidence about the performance of a control. For example, if you ask the accounting clerk “Did you perform the month-end reconciliation?” the reply “Yes” does not provide you with as much evidence as you would get from reviewing the actual reconciliation. For controls related to higher risks of misstatement, you will want to supplement your inquiries with other tests.Observation. You may observe the performance of a control procedure. For example, the annual count of inventory and an edit check built into a computer application are controls whose performance you might observe. The observation of a control is a reliable test, but it applies only to the point in time when you observed the control. If the control is performed only once during the period (e.g., the inventory count), that one observation may be sufficient. But if the control is performed throughout a period (e.g., the edit check), you will need to perform other tests if you want evidence that the control was performed consistently.Documentation. You may inspect the documentation of the performance of the control. For example, if cash disbursements over a certain dollar amount require dual signatures, then you could inspect a number of checks over that amount to determine that they contain two signatures.Combination. In many instances, particularly for controls associated with higher risks, you will perform a combination of procedures. A walk-through is an example of a combination of inquiry, observation, and inspection of documentation.

2 Timing. You are required to determine whether controls are operating effectively as of the company’s fiscal year-end. The closer your tests are to year-end, the more reliable; the further away from year-end, the less reliable. Ideally, you would perform all your tests as of the balance sheet date, but as a practical matter this is not possible. Some tests will be performed in advance of year-end. For example, you may decide to test the controls relating to payroll as of October 31.The bigger the difference between the “as of” date of the tests and year-end, the less reliable the tests. In our example, if payroll controls are tested as of October 31, there is a chance that the operating effectiveness of those controls changed during the two months from October 31 to December 31.Plan on testing controls related to low risks of material misstatement in advance of year-end. Controls related to higher risks should be performed as closely to year-end as possible.

3 Extent. The extent of your procedures refers to the number of tests you perform. In the previous example of certain cash disbursements requiring dual signatures, the question is “How many checks should I examine?” The greater the extent of your tests—in this case, the more checks you examine—the more reliable your conclusion. Controls related to higher risk of misstatement will require more extensive testing than those related to lower risk.

When you do test controls in advance of year-end, you will want to consider the need to perform additional tests to establish the effectiveness of the control procedure from the time the tests were performed until year-end.

For example, if you tested the effectiveness of bank reconciliations as of June 30 and the reporting date was December 31, you should consider performing tests to cover the period from July 1 through December 31. These tests may not require you to repeat the detailed tests performed at June 30 for the subsequent six-month period. If you establish the effectiveness of the control procedure at June 30, you may be able to support a conclusion about the effectiveness of the control at the reporting date indirectly through the consideration of entity-level controls and other procedures, such as:

The effectiveness of personnel-related controls, such as the training and supervision of personnel who perform control procedures. For example, are the people performing the bank reconciliations adequately supervised, and was their work reviewed during the second half of the year?

The effectiveness of risk identification and management controls, including change management. For example, would management be able to identify changes in the entity’s business or its circumstances that would affect the continued effectiveness of bank reconciliations as a control procedure?

The effectiveness of the monitoring component of the entity’s internal control.

Inquiries of personnel to determine what changes, if any, occurred during the period that would affect the performance of controls.

Repeating the procedures performed earlier in the year, focusing primarily on elements of the control procedure that have changed during the period. For example, if the entity added new bank accounts or new personnel performing certain bank reconciliations, you would focus your tests on those accounts and individuals.

Again, the types of procedures you perform for the period between June 30 and December 31 will depend on the risk related to the control. Application controls are the structure, policies, and procedures that apply to separate, individual business process application systems. They include both the automated control procedures (i.e., those routines contained within the computer program) and the policies and procedures associated with user activities, such as the manual follow-up required to investigate potential errors identified during processing.

As with all other control procedures, information technology (IT) application controls should be designed to achieve specified control objectives, which in turn are driven by the risks to achieving certain business objectives. In general, the objectives of a computer application are to ensure that:

Data remain complete, accurate, and valid during their input, update, and storage.

Output files and reports are distributed and made available only to authorized users.

Specific application-level controls should address the risks to achieving these objectives.

The way in which IT control objectives are met will depend on the types of technologies used by the entity. For example, the specific control procedures used to control access to an online, real-time database will be different from those procedures related to access of a “flat file” stored on a disk.

An IT controls specialist most likely will be needed to understand the risks involved in various technologies and the related activity-level controls.

Some activities in a company are performed centrally and affect several different financial account balances. For example, cash disbursements affect not only cash balances but also accounts payable and payroll. The most common types of shared activities include:

Cash receipts

Cash disbursements

Payroll

Data processing

When designing your activity-level tests, you should be sure to coordinate your tests of shared activities with your tests of individual processing streams. For example, you should plan on testing cash disbursements only once, not several times for each different processing stream that includes cash disbursements.