Original Pronouncement | Statement on Auditing Standards (SAS) 110. |
Effective Date | This statement currently is effective. |
Applicability | Audits of financial statements in accordance with generally accepted auditing standards (GAAS). |
SAS No. 122, Codification of Auditing Standards and Procedures, is effective for audits of financial statements with periods ending on or after December 15, 2012.
AU-C 330 does not change extant requirements in any significant respect.
Further audit procedures. Audit procedures performed after performing risk assessment procedures. Further audit procedures consist of tests of controls and substantive tests (i.e., tests of details and substantive analytical procedures).
Substantive procedures. Procedures performed to detect material misstatements at the assertion level. Includes substantive analytical procedures and tests of detail.
Tests of controls. Procedures concerned with how an internal control procedures was applied, the consistency with which it was applied during the audit period, and by whom it was applied. Tests of controls used for generating evidence about operating effectiveness include inquiries, inspection, observation, and reperformance of the application of the control.
Substantive procedure. An audit procedure designed to detect material misstatements at the assertion level. Substantive procedures comprise:
Test of controls. An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.
Sections 318 and 314 are the centerpiece of the risk assessment standards. Together, these two sections provide detailed guidance on how to apply the audit risk model described in Section 312. That model describes audit risk as:
AR = RMM × DR
where AR is audit risk, RMM is the risk of material misstatement, and DR is detection risk. The RMM is a combination of inherent and control risk. Although the standard describes a combined risk assessment, the auditor may perform separate assessments of inherent and control risks.
Section 318 provides guidance on the design and performance of further audit procedures, which consist of tests of controls (an element of RMM), and substantive procedures, which are related to detection risk. It provides a significant amount of new guidance that previously did not exist in the auditing literature.
The assessment of the risk of material misstatement serves as the basis for the design of further audit procedures. Further audit procedures should be clearly linked and responsive to the assessed risks.
AU-C Section 330 states that “the objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement through designing and implementing appropriate responses to those risks.”
To reduce audit risk to an acceptably low level, the auditor should:
The auditor should determine overall responses to financial statement–level risks of material misstatement. Those overall responses may include:
The auditor should design and perform further audit procedures whose nature, timing, and extent are responsive to and clearly linked with the assessment of the risk of material misstatement. In designing further audit procedures, the auditor should consider matters such as:
Regardless of the audit approach selected, the auditor should design and perform substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure.
The nature of audit procedures refers to their type. Selecting the type of audit procedure to perform is of most importance in designing tests that are responsive to assessed risks.
The higher the auditor’s assessment of risk, the more reliable and relevant is the audit evidence sought by the auditor from substantive procedures. Section 326 provides guidance on the relative reliability of various types of audit evidence.
In some instances, the auditor may use information produced by the entity’s information system in performing audit procedures. For example, the auditor may use the entity’s aging of accounts receivable to test the adequacy of their allowance for doubtful accounts. When the auditor uses information from the entity’s system in this manner, the auditor should obtain audit evidence about the accuracy and completeness of the information. This audit evidence may come from tests of controls, substantive procedures, or both.
Timing refers to when audit procedures are performed or the period or date to which the audit evidence applies. Tests of controls may be performed either at an interim date or at period end. In considering when to perform audit procedures, the auditor should consider matters such as:
When further audit procedures are performed at an interim date, the auditor should consider the additional evidence that is necessary for the remaining period.
Extent refers to the quantity of a specific audit procedure to be performed—for example, a sample size. The auditor determines the extent of an audit procedure after considering:
As the risk of material misstatement increases, the extent of audit procedures also should increase.
The auditor should test controls when
The auditor will perform risk assessment procedures to evaluate the design of the entity’s internal control, and these procedures may provide some limited audit evidence about the operating effectiveness of internal control. But risk assessment procedures by themselves generally will not provide sufficient appropriate audit evidence to support relying on controls to modify the nature, timing, and extent of substantive procedures.
As the planned level of assurance increases, the auditor should seek more reliable or more extensive audit evidence about the operating effectiveness of controls. For example, if the auditor has determined that, for a particular assertion, substantive procedures alone will not be sufficient, then the auditor would want to select tests of controls that will provide more reliable audit evidence.
When designing tests of controls, the auditor should consider the need to obtain audit evidence supporting the effective operation of controls directly related to the relevant assertion as well as other indirect controls on which those controls depend. For example, if the auditor tests an IT application control, he or she should consider the need to test the IT general controls upon which the effective operation of the application control depends.
When determining the timing of tests of controls, the auditor should consider whether audit evidence is needed about how the control operated as of a point in time or how it operated throughout the audit period. This determination will depend on the auditor’s overall objective. For example, to test the controls over the entity’s physical inventory count, the auditor’s objective would be related to how the control operated at the point in time the physical inventory count was taken. On the other hand, to modify the nature, timing, and extent of, say, revenue transactions or accounts payable, the auditor would want to test the operation of controls throughout the audit period.
If certain conditions are met, the auditor may use audit evidence about the operating effectiveness of controls obtained in prior audits. These conditions include the following:
In general, the greater the auditor’s planned reliance on the operating effectiveness of controls, the greater the extent of testing. Other factors that the auditor should consider when determining the extent of tests of controls include the following:
Generally, IT processing is inherently consistent. Therefore, the auditor may be able to limit the testing to one or a few instances of the control operations, providing that IT general controls operate effectively.
The auditor’s substantive procedures should include:
Section 318 describes significant risks and how the auditor identifies significant risks. With regard to performing procedures related to significant risks, the auditor should perform tests of details or a combination of tests of details and substantive analytical procedures. That is, the auditor is precluded from performing only substantive tests of details in response to significant risks.
The auditor should design tests of details responsive to the assessed risk with the objective of obtaining sufficient appropriate audit evidence to achieve the planned level of assurance at the relevant assertion level. In designing substantive analytical procedures, the auditor should consider matters such as:
In some circumstances, the auditor may perform substantive procedures as of an interim date, which increases the risk that misstatements that exist at the period end will not be detected by the auditor. As such, when substantive tests are performed at an interim date, the auditor should perform further substantive procedures or substantive procedures combined with tests of controls to cover the period between the interim tests and period end.
When considering whether to perform substantive procedures at an interim date, the auditor should consider factors such as:
If the auditor detects misstatements at an interim date, the auditor should consider modifying the planned nature, timing, or extent of the substantive procedures covering the remaining period.
The greater the risk of material misstatement, the greater the extent of substantive procedures. In designing tests of details, the auditor normally thinks of the extent of testing in terms of the sample size, which is affected by the planned level of detection risk, tolerable misstatement, expected misstatement, and the nature of the population. However, the auditor also should consider other matters, such as selecting large or unusual items from a population rather than sampling items from the population.
The auditor should conclude whether sufficient appropriate audit evidence has been obtained to reduce to an appropriate low level the risk of material misstatements in the financial statements. The auditor’s judgment as to what constitutes sufficient appropriate audit evidence is influenced by factors such as the following:
The auditor should document the following:
There are no interpretations for this section.
Some audit tests can be applied at any convenient selected date before the balance sheet date and completed as part of year-end procedures. Examples are:
The common denominator in these tests is that the nature and extent of procedures applied are not necessarily influenced by doing a portion of the testing before the balance sheet date. For example, the auditor may decide to vouch all property additions and retirements over a specified dollar amount. The nature and extent of the test are not influenced by whether the testing is done all at year-end or one portion is done at an interim date and the remainder at year-end.
Section 318 does not address the issue of misstatements detected at an interim date. For example, if the auditor confirms accounts receivable as of October 31 and discovers an error in the receivables balance, how should that misstatement be handled, given that the opinion is on the balance sheet as of December 31, not October 31?
As a practical matter, the auditor should evaluate the results of interim testing to assess the possibility of misstatement at the balance sheet date. This evaluation is influenced by:
This assessment may cause the auditor to reperform principal substantive tests at year-end or to otherwise expand the scope of substantive tests at year-end.
When performing principal substantive tests at an interim date, the primary control focus is on asset safeguarding and controls that address the completeness assertion. If the design of these controls in not effective, then the substantive tests related to existence and completeness assertions should be applied at year-end.
Keep in mind that this consideration is tied to specific assertions, not to the overall account. For example, confirmation of receivables does not address the completeness assertion, which means that receivables could be confirmed at an interim date even if controls to address completeness were not effectively designed. However, the auditor would still need to consider the nature, timing, and extent of further audit procedures related to the completeness assertion.
How long can the remaining period be? Section 318 offers only the general observation that the potential for increased audit risk tends to become greater as the remaining period becomes longer.
In practice, many auditors believe the remaining period should not exceed three months (i.e., for a December 31 audit, testing certain balances as of September 30). Another rule of thumb is to consider a remaining period of one month as creating a relatively low increase in audit risk. Ordinarily, if the remaining period is one month, substantive tests to cover the remaining period can be restricted to test such as
Naturally, as with any rule of thumb, the auditor should be aware that in specific circumstances, factors may increase audit risk, and the principal substantive tests will have to be applied at year-end.
There is an almost infinite variety of approaches that an auditor can use in practice to achieve the objectives of Section 318. The following illustration shows some examples of further audit procedures that may be performed to meet certain audit objectives.
Illustrative assertions about account balances | Examples of substantive procedures |
Existence or Occurrence | |
Inventories included in the balance sheet physically exist. | Observing physical inventory counts. Obtaining confirmation of inventories at locations outside the entity. Testing of inventory transactions between a preliminary physical inventory date and the balance sheet date. |
Existence or Occurrence | |
Inventories represent items held for sale or use in the normal course of business. | Reviewing perpetual inventory records, production records, and purchasing records for indication of current activity. Comparing inventories with a current sales catalog and subsequent sales and delivery reports. Using the work of specialists to corroborate the nature of specialized products. |
Completeness | |
Inventory quantities include all products, materials, and supplies on hand. | Observing physical inventory counts. Analytically comparing the relationship of inventory balances to recent purchasing, production, and sales activities. Testing shipping and receiving cutoff procedures. |
Inventory quantities include all products, materials, and supplies owned by the entity that are in transit or stored at outside locations. | Obtaining confirmation of inventories at locations outside the entity. Analytically comparing the relationship of inventory balances to recent purchasing, production, and sales activities. Testing shipping and receiving cutoff procedures. |
Inventory listings are accurately compiled and the totals are properly included in the inventory accounts. | Tracing test counts recorded during the physical inventory observation to the inventory listing. Accounting for all inventory tags and count sheets used in recording the physical inventory counts. Testing the clerical accuracy of inventory listing. Reconciling physical counts with perpetual records and general ledger balances and investigating significant fluctuations. |
Rights and Obligations | |
The entity has legal title or similar rights of ownership to the inventories. | Observing physical inventory counts. Obtaining confirmation of inventories at locations outside the entity. Examining paid vendors’ invoices, consignment agreements, and contracts. |
Inventories exclude items billed to customers or owned by others. | Examining paid vendor’s invoices, consignment agreements, and contracts. Testing shipping and receiving cutoff procedures. |
Valuation or Allocation | |
Inventories are properly stated at cost (except when market is lower). | Examining paid vendors’ invoices. Reviewing direct labor rates. Testing the computation of standard overhead rates. Examining analyses of purchasing and manufacturing standard cost variances. |
Existence or Occurrence | |
Slow-moving, excess, defective, and obsolete items included in inventories are properly identified. | Examining an analysis of inventory turnover. Reviewing industry experience and trends. Analytically comparing the relationship of inventory balances to anticipated sales volume. Touring the plant. Inquiring of production and sales personnel concerning possible excess of obsolete inventory items. |
Inventories are reduced, when appropriate, to replacement cost or net realizable value. | Obtaining current market value quotations. Reviewing current production costs. Examining sales after year-end and open purchase order commitments. |
Presentation and Disclosure | |
Inventories are properly classified in the balance sheet as current assets. | Reviewing drafts of the financial statements. |
The major categories of inventories and their bases of valuation are adequately disclosed in the financial statements. | Reviewing the drafts of the financial statements. Comparing the disclosures made in the financial statements to the requirements of generally accepted accounting principles. |
The pledge or assignment of any inventories is appropriately disclosed. | Obtaining confirmation of inventories pledged under loan agreements. |
This approach can be time-consuming and result in a substantial amount of repetition. For example, developing specific audit objectives for the existence of each asset normally results in the repetitive statement that the particular asset does, in fact, exist and is available for its intended use. There is more variation for specific audit objectives related to presentation and disclosure, but disclosure checklists are available for that assertion and related specific objectives.
Your tests of operating effectiveness should be designed to determine:
The reliability of a test is influenced by three factors:
When you do test controls in advance of year-end, you will want to consider the need to perform additional tests to establish the effectiveness of the control procedure from the time the tests were performed until year-end.
For example, if you tested the effectiveness of bank reconciliations as of June 30 and the reporting date was December 31, you should consider performing tests to cover the period from July 1 through December 31. These tests may not require you to repeat the detailed tests performed at June 30 for the subsequent six-month period. If you establish the effectiveness of the control procedure at June 30, you may be able to support a conclusion about the effectiveness of the control at the reporting date indirectly through the consideration of entity-level controls and other procedures, such as:
Again, the types of procedures you perform for the period between June 30 and December 31 will depend on the risk related to the control. Application controls are the structure, policies, and procedures that apply to separate, individual business process application systems. They include both the automated control procedures (i.e., those routines contained within the computer program) and the policies and procedures associated with user activities, such as the manual follow-up required to investigate potential errors identified during processing.
As with all other control procedures, information technology (IT) application controls should be designed to achieve specified control objectives, which in turn are driven by the risks to achieving certain business objectives. In general, the objectives of a computer application are to ensure that:
Specific application-level controls should address the risks to achieving these objectives.
The way in which IT control objectives are met will depend on the types of technologies used by the entity. For example, the specific control procedures used to control access to an online, real-time database will be different from those procedures related to access of a “flat file” stored on a disk.
An IT controls specialist most likely will be needed to understand the risks involved in various technologies and the related activity-level controls.
Some activities in a company are performed centrally and affect several different financial account balances. For example, cash disbursements affect not only cash balances but also accounts payable and payroll. The most common types of shared activities include:
When designing your activity-level tests, you should be sure to coordinate your tests of shared activities with your tests of individual processing streams. For example, you should plan on testing cash disbursements only once, not several times for each different processing stream that includes cash disbursements.
Whenever you test activity-level controls, you will have to determine the extent of your tests. If you are testing the reconciliation of significant general ledger accounts to the underlying detailed trial balance, how many reconciliations should you look at? If the control is something that is performed on every transaction—for example, the authorization of payments to vendors—how many should you test?
The extent of your tests should be sufficient to support your conclusion on whether the control is operating effectively at a given point in time. Determining the sufficiency of the extent of your tests is a matter of judgment that is affected by a number of factors. Exhibit 1 lists these factors and indicates how they will affect the extent of your tests.
Effect on the Extent of Tests | ||
Factor to consider | Increase number of tests | Decrease number of tests |
How frequently the control procedure is performed | Procedure performed often (e.g., daily) | Procedure performed occasionally (e.g., once a month) |
Importance of control | Important control (e.g., control of addresses multiple assertions or it is a period-end detective control) | Less important control |
Degree of judgment required to perform the control | High degree of judgment | Low degree of judgment |
Complexity of control procedure | Relatively complex control procedure | Relatively simple control procedure |
Level of competence of the person performing the control procedure | Highly competent | Less competent |
When determining the extent of tests, you also should consider whether the control is manual or automated. When a control is performed manually, the consistency with which that control is performed can vary greatly. In contrast, once a control becomes automated, it is performed the same way each and every time. For that reason, you should plan on performing more extensive tests of manual controls than you will for automated controls.
In some circumstances, testing a single operation of an automated control may be sufficient to obtain a high level of assurance that the control operated effectively, provided that IT general controls operated effectively throughout the period.
You do not have to test every performance of a control to draw a valid conclusion about the operating effectiveness of the control. For example, suppose that one of the controls a manufacturing company performs in its revenue cycle is to match the shipping report to the customer’s invoice to make sure that the customer was billed for the right number of items and the revenue was recorded in the proper period. Over the course of a year, the company has thousands of shipments. How many of those should be tested to draw a conclusion?
You do not have to perform a statistical sample to determine your sample size, but it does help to apply the basic principles of statistical sampling theory. In a nutshell, the size of your sample is driven by three variables:
Note that the size of the population does not affect the sample size (unless it is very small, e.g., when a control procedure is performed only once a month, in which case the population consists of only 12 items).
In practice, most companies have chosen sample sizes for tests of transactions that range from 20 items to 60 items. It is common for independent auditors to offer some guidance on sample sizes.
Be careful in simply accepting sample sizes without questioning the underlying assumptions for the three variables just listed. In reviewing these assumptions, you should ask:
You also will need to determine sample sizes for controls that are performed less frequently than every transaction or every day. Because the population sizes for these types of controls are so small, traditional sampling methodologies need to be adjusted. Exhibit 2 lists the sample sizes that have evolved in practice for tests of smaller populations.
Frequency of Control Performance | Typical Sample Sizes |
Annually | 1 |
Quarterly | 2 or 3 |
Monthly | 2 to 6 |
Weekly | 5 to 15 |
Formal inquiries of entity personnel—either individually or as part of a focus group—can be a reliable source of evidence about the operating effectiveness of application-level controls. Inquiries can serve two main purposes:
Confirming control design. Typically, this process consists primarily of a review of documentation (such as policies and procedures manuals) and limited inquiries of high-level individuals or those in the accounting department. To confirm this understanding of the processing stream and control procedures, you should expand your inquiries to include operating personnel and those responsible for performing the control.
When conducting your inquiries, consider:
Identify exceptions. In every entity, there will be differences between the company’s stated procedures and what individuals actually do in the course of everyday work. The existence of differences is normal. In testing the effectiveness of application-level controls, you should anticipate that these differences will exist, and you should plan your procedures to identify them and assess how they affect the effectiveness of activity-level controls. Differences between what should happen and what really happens can arise from:
Once you and the interviewee reach a common understanding of the company’s stated procedures, you should be prepared to discuss the circumstances that result in a variation from these procedures. When making these inquiries:
Qualifications of employees. Assessing the operating effectiveness of control activities requires you to consider who performs such activities. Your inquiries should determine whether the interviewee is qualified to perform the required procedures. To be “qualified,” the individual should have the necessary skills, training, and experience and should have no incompatible functions.
Focus groups. As a supplement to, or perhaps instead of, interviewing people individually, you may wish to facilitate a group discussion about the entity’s activity-level control activities and their effectiveness. The purpose of the group discussion would be the same as a discussion with individuals: to confirm your understanding of control design and to gather information about operating effectiveness. However, group discussions are advantageous in that they
To conduct a group discussion, follow these five steps:
Some control procedures allow you to select a sample of transactions that were recorded during the period and:
To test the effectiveness of this control procedure, you could:
Computer application controls also may lend themselves to similar testing techniques. For example, suppose that purchased goods are accompanied by a bar code that identifies the goods received and their quantities. The bar code is scanned, and the information is matched electronically to purchase order files and approved vendor master files. Unmatched transactions are placed in a suspense file for subsequent follow-up. (As indicated previously, the computer application control consists of both the programmed elements of the control and the manual follow-up of identified errors.) To test the effectiveness of this control, you could:
When performing tests of transactions, you will have to address issues related to the extent of testing: how many items to test. Suggestions for considering the extent of tests were provided earlier in this chapter.
Before performing your tests of transactions, you also should define what you will consider a control procedure error. In instances in which the evidence of performing the procedure is documented (e.g., an initial or signature), the lack of documentation (a missing signature) should be considered an error in the operation of the control. That is, in order for a documented control to be considered properly performed, both of these points must be true:
Reconciliations are a common control procedure; examples are bank reconciliations or the reconciliation of the general ledger account total to a subsidiary ledger. In some instances, a well-designed reconciliation can provide an effective control over most of a processing stream. Testing the effectiveness of a reconciliation is similar to tests of transactions.
You may be able to observe the application of some control procedures, such as computer input controls like edit checks. A physical inventory count also lends itself to observation as a means of assessing effectiveness. For a control performed only occasionally, such as a physical count, it may be possible to observe the control each time it is performed. For controls that are performed continuously for large volumes of transactions, you will need to supplement your observations with other tests, such as:
The results of your tests of activity-level controls should support your conclusion about their operating effectiveness. If your tests revealed no deviations or exceptions in the performance of control procedures, then you should be able to conclude that the control is operating effectively (assuming that the scope of your test work, as discussed earlier in this chapter, was sufficient).
When your tests of operating effectiveness uncover exceptions to the company’s prescribed control procedures, you should determine whether additional tests are required to assess operating effectiveness. A control testing exception is not necessarily a control deficiency. You may determine that the exception was an isolated instance of noncompliance with the established control procedure. However, if you do conclude that a testing exception is not a control deficiency, then you should perform and document additional test work to support your conclusion. In most instances, control testing exceptions usually are not considered to be isolated instances of noncompliance.
For example, when your test work reveals deficiencies in either the design or the operating effectiveness of a control procedure, you will need to exercise your judgment in order to reach a conclusion about control effectiveness.
Ultimately, you should consider that you are making a conclusion about the effectiveness of internal control as a whole. When you evaluate activity-level controls, you should consider the effectiveness of the entire information-processing stream, not individual control procedures in isolation.
Another approach is a source list of procedures or evidential matter to be used as a resource in developing audit programs. The following chart indicates what this approach might look like for some common financial statement components. Usually such source lists present either evidential matter or procedures but, to avoid repetition, not both. For example, if the evidential matter is minutes of board meetings, the procedure is to read the minutes. Or if the procedure is to inspect a broker’s advice, the evidential matter is the broker’s advice.
Another approach is to use standardized audit programs developed for common components of financial statements. This approach is not illustrated here. Many auditors prefer source lists to packaged programs because of a concern that standardized programs promote routine application and do not encourage exercise of judgment.
3.22.166.151