AU 318: Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

AU-C 330: Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

AU EFFECTIVE DATE AND APPLICABILITY

Original Pronouncement: Statement on Auditing Standards (SAS) 110.
Effective Date: This statement currently is effective.
Applicability: Audits of financial statements in accordance with generally accepted auditing standards (GAAS).

AU-C EFFECTIVE DATE AND SUMMARY OF CHANGES

SAS No. 122, Codification of Auditing Standards and Procedures, is effective for audits of financial statements with periods ending on or after December 15, 2012.

AU-C 330 does not change extant requirements in any significant respect.

AU DEFINITIONS OF TERMS

Further audit procedures. Audit procedures performed after performing risk assessment procedures. Further audit procedures consist of tests of controls and substantive tests (i.e., tests of details and substantive analytical procedures).

Substantive procedures. Procedures performed to detect material misstatements at the assertion level. Includes substantive analytical procedures and tests of detail.

Tests of controls. Procedures concerned with how an internal control procedure was applied, the consistency with which it was applied during the audit period, and by whom it was applied. Tests of controls used for generating evidence about operating effectiveness include inquiries, inspection, observation, and reperformance of the application of the control.

AU-C 330 DEFINITIONS OF TERMS

Substantive procedure. An audit procedure designed to detect material misstatements at the assertion level. Substantive procedures comprise:

1. Tests of details (classes of transactions, account balances, and disclosures) and
2. Substantive analytical procedures

Test of controls. An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.

OBJECTIVES OF AU SECTION 318

Sections 318 and 314 are the centerpiece of the risk assessment standards. Together, these two sections provide detailed guidance on how to apply the audit risk model described in Section 312. That model describes audit risk as:

AR = RMM × DR

where AR is audit risk, RMM is the risk of material misstatement, and DR is detection risk. The RMM is a combination of inherent and control risk. Although the standard describes a combined risk assessment, the auditor may perform separate assessments of inherent and control risks.

Section 318 provides guidance on the design and performance of further audit procedures, which consist of tests of controls (an element of RMM), and substantive procedures, which are related to detection risk. It provides a significant amount of new guidance that previously did not exist in the auditing literature.

The assessment of the risk of material misstatement serves as the basis for the design of further audit procedures. Further audit procedures should be clearly linked and responsive to the assessed risks.


NOTE: SAS 107 describes risks as existing at one of two levels: the financial statement level or the relevant assertion level. This distinction is important because the nature of the auditor’s response differs depending on whether the risk is a financial statement–level or an assertion-level risk.
  • The risk of material misstatement at the financial statement level has a pervasive effect on the financial statements and affects many assertions. The control environment is an example of a financial statement–level risk. In addition to developing assertion-specific responses, financial statement–level risks may require the auditor to develop an overall response, such as assigning more experienced audit team members.
  • Assertion-level risks pertain to a single assertion or related group of assertions. Assertion-level risks will require the auditor to design and perform specific further audit procedures, such as tests of controls and/or substantive procedures that are directly responsive to the assessed risk.

OBJECTIVE OF AU-C SECTION 330

AU-C Section 330 states that “the objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement through designing and implementing appropriate responses to those risks.”

FUNDAMENTAL REQUIREMENTS

Basic Requirement

To reduce audit risk to an acceptably low level, the auditor should:

  • Determine overall responses to address the assessed risks of material misstatement at the financial statement level, and
  • Design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement at the relevant assertion level.

NOTE: Further audit procedures consist of either tests of controls or substantive tests. Often, a combined approach using both tests of controls and substantive procedures is an effective approach.
Audit procedures performed in previous audits and example procedures provided by illustrative audit programs may help the auditor understand the types of further audit procedures that are possible to perform. However, prior year procedures and example audit programs do not provide a sufficient basis for determining the nature, timing, and extent of audit procedures to perform in the current audit. The assessment of the risk of material misstatement in the current period is the primary basis for designing further audit procedures in the current period.

Overall Responses

The auditor should determine overall responses to financial statement–level risks of material misstatement. Those overall responses may include:

  • Emphasizing to the audit team the need to maintain professional skepticism in gathering and evaluating audit evidence
  • Assigning more experienced staff or those with specialized skills
  • Using specialists
  • Providing more supervision
  • Incorporating additional elements of unpredictability in the selection of further audit procedures
  • Making general changes to the nature, timing, or extent of further audit procedures, such as performing substantive procedures at period end instead of at an interim date

Designing the Nature, Timing, and Extent of Further Audit Procedures

The auditor should design and perform further audit procedures whose nature, timing, and extent are responsive to and clearly linked with the assessment of the risk of material misstatement. In designing further audit procedures, the auditor should consider matters such as:

  • The significance of the risk
  • The likelihood that a material misstatement will occur
  • The characteristics of the class of transactions, account balance, or disclosure involved
  • The nature of the specific controls used by the entity, in particular, whether they are manual or automated
  • Whether the auditor expects to obtain audit evidence to determine if the entity’s controls are effective in preventing or detecting material misstatements

Regardless of the audit approach selected, the auditor should design and perform substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure.

Nature

The nature of audit procedures refers to their type. Selecting the type of audit procedure to perform is of most importance in designing tests that are responsive to assessed risks.

The higher the auditor’s assessment of risk, the more reliable and relevant is the audit evidence sought by the auditor from substantive procedures. Section 326 provides guidance on the relative reliability of various types of audit evidence.

In some instances, the auditor may use information produced by the entity’s information system in performing audit procedures. For example, the auditor may use the entity’s aging of accounts receivable to test the adequacy of their allowance for doubtful accounts. When the auditor uses information from the entity’s system in this manner, the auditor should obtain audit evidence about the accuracy and completeness of the information. This audit evidence may come from tests of controls, substantive procedures, or both.

Timing

Timing refers to when audit procedures are performed or the period or date to which the audit evidence applies. Tests of controls may be performed either at an interim date or at period end. In considering when to perform audit procedures, the auditor should consider matters such as:

  • The control environment
  • When relevant information is available (for example, electronic files may subsequently be overwritten, or procedures to be observed may occur only at certain times)
  • The nature of the risk (for example, if there is a risk of inflated revenues to meet earnings expectations by subsequent creation of false sales agreements, the auditor may examine contracts available on the date of the period end)
  • The period or date to which the audit evidence relates

When further audit procedures are performed at an interim date, the auditor should consider the additional evidence that is necessary for the remaining period.

Extent

Extent refers to the quantity of a specific audit procedure to be performed—for example, a sample size. The auditor determines the extent of an audit procedure after considering:

  • Tolerable misstatement
  • The assessed risk of material misstatement
  • The degree of assurance the auditor plans to obtain

As the risk of material misstatement increases, the extent of audit procedures also should increase.


NOTE: Increasing the extent of audit procedures is effective only if the nature of the procedures is responsive to the risk of material misstatement. For example, the confirmation of accounts receivable is a test primarily directed to the existence assertion. If the auditor is concerned about the completeness assertion, increasing the number of confirmations sent to customers will not be effective.

Tests of Controls

The auditor should test controls when

  • The auditor will rely on the operating effectiveness of controls to modify the nature, timing and extent of substantive procedures, or
  • Substantive procedures alone will not be sufficient. Section 319 provides guidance on determining when substantive procedures alone will not be sufficient.

NOTE: When determining whether to rely on the operating effectiveness of controls to modify the nature, timing, and extent of substantive procedures, the auditor may consider matters such as the following:
  • The incremental cost of testing controls, which includes the cost of testing not just the controls that have a direct effect on the assertion, but also those controls upon which the direct controls depend. When considering incremental testing costs, consider that the costs of evaluating control design already have been incurred (because the auditor must evaluate control design on every audit) and that the incremental cost of obtaining audit evidence about the effective operation of controls may not be substantial.
  • In many circumstances, audit evidence obtained from tests of controls may be relevant for a three-year period. That is, the costs of testing controls may provide benefit for three audit periods.
  • The benefits to be derived from testing controls. In many cases, testing controls may have benefits that extend beyond the relevant assertion to be addressed by the substantive procedures. For example, testing controls may provide audit evidence about the reliability of the entity’s IT system, which can allow the auditor to rely on other information produced by the system to perform substantive tests. For example, information obtained from a reliable IT system can contribute to more reliable analytical procedures.

The auditor will perform risk assessment procedures to evaluate the design of the entity’s internal control, and these procedures may provide some limited audit evidence about the operating effectiveness of internal control. But risk assessment procedures by themselves generally will not provide sufficient appropriate audit evidence to support relying on controls to modify the nature, timing, and extent of substantive procedures.

Nature

As the planned level of assurance increases, the auditor should seek more reliable or more extensive audit evidence about the operating effectiveness of controls. For example, if the auditor has determined that, for a particular assertion, substantive procedures alone will not be sufficient, then the auditor would want to select tests of controls that will provide more reliable audit evidence.

When designing tests of controls, the auditor should consider the need to obtain audit evidence supporting the effective operation of controls directly related to the relevant assertion as well as other indirect controls on which those controls depend. For example, if the auditor tests an IT application control, he or she should consider the need to test the IT general controls upon which the effective operation of the application control depends.

Timing

When determining the timing of tests of controls, the auditor should consider whether audit evidence is needed about how the control operated as of a point in time or how it operated throughout the audit period. This determination will depend on the auditor’s overall objective. For example, to test the controls over the entity’s physical inventory count, the auditor’s objective would be related to how the control operated at the point in time the physical inventory count was taken. On the other hand, to modify the nature, timing, and extent of, say, revenue transactions or accounts payable, the auditor would want to test the operation of controls throughout the audit period.

If certain conditions are met, the auditor may use audit evidence about the operating effectiveness of controls obtained in prior audits. These conditions include the following:

  • The auditor should obtain audit evidence about whether changes to the controls have occurred since the prior audit. If the controls have changed since they were last tested, the auditor should test the controls in the current period, to the extent they affect the relevance of the audit evidence from the prior period.
  • The auditor should test the operating effectiveness of controls at least once every third year in an annual audit. When there are a number of controls for which the auditor determines that it is appropriate to use audit evidence in prior audits, the auditor should test the operating effectiveness of some controls each year.

NOTE: When considering whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in prior audits, the auditor should consider matters such as:
  • The effectiveness of other elements of internal control, including the control environment, the entity’s monitoring of controls, and the entity’s risk assessment process
  • The risks arising from the characteristics of the control, including whether controls are manual or automated
  • The effectiveness of IT general controls
  • The effectiveness of the control and its application by the entity, including the nature and extent of deviations in the application of the control from tests of operating effectiveness in prior audits
  • Whether the lack of a change in a particular control poses a risk due to changing circumstances
  • The risk of material misstatement and the extent of reliance on the control
In general, the higher the risk of material misstatement, or the greater the auditor’s reliance on controls, the shorter the time period that should elapse between testing the controls.

Extent

In general, the greater the auditor’s planned reliance on the operating effectiveness of controls, the greater the extent of testing. Other factors that the auditor should consider when determining the extent of tests of controls include the following:

  • The frequency of the performance of the control by the entity during the period
  • The length of time during the audit period that the auditor is relying on the operating effectiveness of the control
  • The relevance and reliability of the audit evidence to be obtained in supporting that the control prevents, or detects and corrects, material misstatements at the relevant assertion level
  • The extent to which audit evidence is obtained from tests of other controls related to the relevant assertion
  • The expected deviation from the control

Generally, IT processing is inherently consistent. Therefore, the auditor may be able to limit the testing to one or a few instances of the control operations, providing that IT general controls operate effectively.

Substantive Procedures

The auditor’s substantive procedures should include:

  • Performing tests directed to the relevant assertions related to each material class of transactions, account balance, and disclosures
  • Agreeing the financial statements, including their accompanying notes, to the underlying accounting records, and
  • Examining material journal entries and other adjustments made during the course of preparing the financial statements

Section 318 describes significant risks and how the auditor identifies significant risks. With regard to performing procedures related to significant risks, the auditor should perform tests of details or a combination of tests of details and substantive analytical procedures. That is, the auditor is precluded from performing only substantive tests of details in response to significant risks.

Nature

The auditor should design tests of details responsive to the assessed risk with the objective of obtaining sufficient appropriate audit evidence to achieve the planned level of assurance at the relevant assertion level. In designing substantive analytical procedures, the auditor should consider matters such as:

  • The suitability of using substantive analytical procedures, given the assertions
  • The reliability of the data, whether internal or external, from which the expectation of recorded amounts or ratios is developed
  • Whether the expectation is sufficiently precise to identify the possibility of a material misstatement at the desired level of assurance
  • The amount of any difference in recorded amounts from expected values that is acceptable

Timing

In some circumstances, the auditor may perform substantive procedures as of an interim date, which increases the risk that misstatements that exist at the period end will not be detected by the auditor. As such, when substantive tests are performed at an interim date, the auditor should perform further substantive procedures or substantive procedures combined with tests of controls to cover the period between the interim tests and period end.

When considering whether to perform substantive procedures at an interim date, the auditor should consider factors such as:

  • The control environment and other relevant controls
  • The availability of information at a later date that is necessary for the auditor’s procedures
  • The objective of the substantive procedure
  • The assessed risk of material misstatement
  • The nature of the class of transactions or account balance and relevant assertions
  • The ability of the auditor to reduce the risk that misstatements that exist at the period end are not detected by performing appropriate substantive procedures or substantive procedures combined with tests of controls to cover the remaining period

If the auditor detects misstatements at an interim date, the auditor should consider modifying the planned nature, timing, or extent of the substantive procedures covering the remaining period.

Extent

The greater the risk of material misstatement, the greater the extent of substantive procedures. In designing tests of details, the auditor normally thinks of the extent of testing in terms of the sample size, which is affected by the planned level of detection risk, tolerable misstatement, expected misstatement, and the nature of the population. However, the auditor also should consider other matters, such as selecting large or unusual items from a population rather than sampling items from the population.

Evaluating the Sufficiency and Appropriateness of the Audit Evidence Obtained

The auditor should conclude whether sufficient appropriate audit evidence has been obtained to reduce to an appropriately low level the risk of material misstatements in the financial statements. The auditor’s judgment as to what constitutes sufficient appropriate audit evidence is influenced by factors such as the following:

  • Significance of the potential misstatement in the relevant assertion and the likelihood of its having a material effect, individually or aggregated with other potential misstatements, on the financial statements
  • Effectiveness of management’s responses and controls to address the risks
  • Experience gained during previous audits with respect to similar potential misstatements
  • Results of audit procedures performed, including whether such audit procedures identified specific instances of fraud or error
  • Source and reliability of available information
  • Persuasiveness of the audit evidence
  • Understanding of the entity and its environment, including its internal control

Documentation

The auditor should document the following:

1. The overall responses to address the assessed risks of misstatement at the financial statement level
2. The nature, timing, and extent of the further audit procedures
3. The linkage of those procedures with the assessed risks at the relevant assertion level
4. The results of the audit procedures
5. The conclusions reached with regard to the use in the current audit of audit evidence about the operating effectiveness of controls that was obtained in a prior audit

INTERPRETATIONS

There are no interpretations for this section.

TECHNIQUES FOR APPLICATION

Testing at Interim Dates

Convenience-Timed Tests

Some audit tests can be applied at any convenient selected date before the balance sheet date and completed as part of year-end procedures. Examples are:

1. Tests of details of the additions to, and reductions of, accounts such as property, investments, debt, and equity
2. Tests of details of transactions affecting income and expense accounts
3. Tests of accounts that are not generally audited by testing the details of items composing the balance, such as warranty reserves and certain deferred charges
4. Analytical procedures applied to income or expense accounts

The common denominator in these tests is that the nature and extent of procedures applied are not necessarily influenced by doing a portion of the testing before the balance sheet date. For example, the auditor may decide to vouch all property additions and retirements over a specified dollar amount. The nature and extent of the test are not influenced by whether the testing is done all at year-end or one portion is done at an interim date and the remainder at year-end.

Misstatements Detected at Interim Dates

Section 318 does not address the issue of misstatements detected at an interim date. For example, if the auditor confirms accounts receivable as of October 31 and discovers an error in the receivables balance, how should that misstatement be handled, given that the opinion is on the balance sheet as of December 31, not October 31?

As a practical matter, the auditor should evaluate the results of interim testing to assess the possibility of misstatement at the balance sheet date. This evaluation is influenced by:

1. The potential implications of the nature and cause of the misstatements detected at the interim date
2. The possible relationship to other phases of the audit; for example, do the misstatements detected indicate a need to reconsider the assessment of control risk?
3. Corrections that the entity subsequently records
4. The results of auditing procedures that cover the remaining period

This assessment may cause the auditor to reperform principal substantive tests at year-end or to otherwise expand the scope of substantive tests at year-end.


NOTE: Even if the misstatement detected at an interim date is corrected prior to year-end, there may be implications for evaluation of misstatements at year-end. Unless the auditor has applied procedures sufficient to provide reasonable assurance that similar misstatements have not occurred, the auditor may need to project a misstatement from interim to year-end.

Considering Control Risk When Testing at an Interim Date

When performing principal substantive tests at an interim date, the primary control focus is on asset safeguarding and controls that address the completeness assertion. If the design of these controls is not effective, then the substantive tests related to existence and completeness assertions should be applied at year-end.

Keep in mind that this consideration is tied to specific assertions, not to the overall account. For example, confirmation of receivables does not address the completeness assertion, which means that receivables could be confirmed at an interim date even if controls to address completeness were not effectively designed. However, the auditor would still need to consider the nature, timing, and extent of further audit procedures related to the completeness assertion.

Length of Remaining Period

How long can the remaining period be? Section 318 offers only the general observation that the potential for increased audit risk tends to become greater as the remaining period becomes longer.

In practice, many auditors believe the remaining period should not exceed three months (i.e., for a December 31 audit, testing certain balances as of September 30). Another rule of thumb is to consider a remaining period of one month as creating a relatively low increase in audit risk. Ordinarily, if the remaining period is one month, substantive tests to cover the remaining period can be restricted to tests such as:

  • Comparison of the account balance at year-end with the balance at the interim date to identify unusual amounts or relationships.
  • Investigation of unusual amounts or relationships.
  • Application of other analytical procedures to the year-end balance.

Naturally, as with any rule of thumb, the auditor should be aware that in specific circumstances, factors may increase audit risk, and the principal substantive tests will have to be applied at year-end.

Designing Audit Procedures

There is an almost infinite variety of approaches that an auditor can use in practice to achieve the objectives of Section 318. The following illustration shows some examples of further audit procedures that may be performed to meet certain audit objectives.

Illustrative assertions about account balances, each followed by examples of substantive procedures

Existence or Occurrence

Inventories included in the balance sheet physically exist.
  • Observing physical inventory counts.
  • Obtaining confirmation of inventories at locations outside the entity.
  • Testing of inventory transactions between a preliminary physical inventory date and the balance sheet date.

Existence or Occurrence

Inventories represent items held for sale or use in the normal course of business.
  • Reviewing perpetual inventory records, production records, and purchasing records for indication of current activity.
  • Comparing inventories with a current sales catalog and subsequent sales and delivery reports.
  • Using the work of specialists to corroborate the nature of specialized products.

Completeness

Inventory quantities include all products, materials, and supplies on hand.
  • Observing physical inventory counts.
  • Analytically comparing the relationship of inventory balances to recent purchasing, production, and sales activities.
  • Testing shipping and receiving cutoff procedures.

Inventory quantities include all products, materials, and supplies owned by the entity that are in transit or stored at outside locations.
  • Obtaining confirmation of inventories at locations outside the entity.
  • Analytically comparing the relationship of inventory balances to recent purchasing, production, and sales activities.
  • Testing shipping and receiving cutoff procedures.

Inventory listings are accurately compiled and the totals are properly included in the inventory accounts.
  • Tracing test counts recorded during the physical inventory observation to the inventory listing.
  • Accounting for all inventory tags and count sheets used in recording the physical inventory counts.
  • Testing the clerical accuracy of inventory listing.
  • Reconciling physical counts with perpetual records and general ledger balances and investigating significant fluctuations.

Rights and Obligations

The entity has legal title or similar rights of ownership to the inventories.
  • Observing physical inventory counts.
  • Obtaining confirmation of inventories at locations outside the entity.
  • Examining paid vendors’ invoices, consignment agreements, and contracts.

Inventories exclude items billed to customers or owned by others.
  • Examining paid vendors’ invoices, consignment agreements, and contracts.
  • Testing shipping and receiving cutoff procedures.

Valuation or Allocation

Inventories are properly stated at cost (except when market is lower).
  • Examining paid vendors’ invoices.
  • Reviewing direct labor rates.
  • Testing the computation of standard overhead rates.
  • Examining analyses of purchasing and manufacturing standard cost variances.

Existence or Occurrence

Slow-moving, excess, defective, and obsolete items included in inventories are properly identified.
  • Examining an analysis of inventory turnover.
  • Reviewing industry experience and trends.
  • Analytically comparing the relationship of inventory balances to anticipated sales volume.
  • Touring the plant.
  • Inquiring of production and sales personnel concerning possible excess or obsolete inventory items.

Inventories are reduced, when appropriate, to replacement cost or net realizable value.
  • Obtaining current market value quotations.
  • Reviewing current production costs.
  • Examining sales after year-end and open purchase order commitments.

Presentation and Disclosure

Inventories are properly classified in the balance sheet as current assets.
  • Reviewing drafts of the financial statements.

The major categories of inventories and their bases of valuation are adequately disclosed in the financial statements.
  • Reviewing the drafts of the financial statements.
  • Comparing the disclosures made in the financial statements to the requirements of generally accepted accounting principles.

The pledge or assignment of any inventories is appropriately disclosed.
  • Obtaining confirmation of inventories pledged under loan agreements.

This approach can be time-consuming and result in a substantial amount of repetition. For example, developing specific audit objectives for the existence of each asset normally results in the repetitive statement that the particular asset does, in fact, exist and is available for its intended use. There is more variation for specific audit objectives related to presentation and disclosure, but disclosure checklists are available for that assertion and related specific objectives.

Tests of Internal Control Operating Effectiveness

Test Design Considerations

Your tests of operating effectiveness should be designed to determine:

  • How the control procedure was performed
  • The consistency with which it was applied
  • By whom it was applied

Risk-Based Approach to Designing Tests

The reliability of a test is influenced by three factors:

1. Nature. The type of the test you perform is referred to as its “nature.”
There are four types of tests:
  • Inquiry. Think of inquiry as providing circumstantial evidence about the performance of a control. For example, if you ask the accounting clerk “Did you perform the month-end reconciliation?” the reply “yes” does not provide you with as much evidence as you would get from reviewing the actual reconciliation. For controls related to higher risks of misstatement, you will want to supplement your inquiries with other tests.
  • Observation. You may observe the performance of a control procedure. For example, the annual count of inventory or an edit check built in to a computer application are controls whose performance you might observe. The observation of a control is a reliable test, but it applies only to the point in time you observed the control. If the control is performed only once during the period (e.g., the inventory count), that one observation may be sufficient. But if the control is performed throughout a period (e.g., the edit check), you will need to perform other tests if you want evidence that the control was performed consistently.
  • Documentation. You may inspect the documentation of the performance of the control. For example, if cash disbursements over a certain dollar amount require dual signatures, then you could inspect a number of checks over that amount to determine that they contain two signatures.
In many instances, particularly for controls associated with higher risks, you will perform a combination of procedures. A walk-through is an example of a combination of inquiry, observation, and inspection of documentation.
2. Timing. You are required to determine whether controls are operating effectively as of the company’s fiscal year-end. The closer your tests are to year-end, the more reliable; the farther away from year-end, the less reliable. Ideally, you would perform all your tests as of the balance sheet date, but practically, this is not possible. Some tests will be performed in advance of year-end. For example, you may decide to test the controls relating to payroll as of October 31.
The bigger the difference between the “as of” date of the tests and year-end, the less reliable the tests. In our example, if payroll controls are tested as of October 31, there is a chance that the operating effectiveness of those controls changed during the two months from October 31 to December 31.
Plan on testing controls related to low risks of material misstatement in advance of year-end. Controls related to higher risks should be tested as close to year-end as possible.
3. Extent. The extent of your procedures refers to the number of tests you perform. In the previous example of certain cash disbursements requiring dual signatures, the question is “How many checks should I examine?” The greater the extent of your tests—in this case, the more checks you examine—the more reliable your conclusion. Controls related to higher risk of misstatement will require more extensive testing than those related to lower risk.

When you do test controls in advance of year-end, you will want to consider the need to perform additional tests to establish the effectiveness of the control procedure from the time the tests were performed until year-end.

For example, if you tested the effectiveness of bank reconciliations as of June 30 and the reporting date was December 31, you should consider performing tests to cover the period from July 1 through December 31. These tests may not require you to repeat the detailed tests performed at June 30 for the subsequent six-month period. If you establish the effectiveness of the control procedure at June 30, you may be able to support a conclusion about the effectiveness of the control at the reporting date indirectly through the consideration of entity-level controls and other procedures, such as:

  • The effectiveness of personnel-related controls, such as the training and supervision of personnel who perform control procedures. For example, are the people performing the bank reconciliations adequately supervised, and was their work reviewed during the second half of the year?
  • The effectiveness of risk identification and management controls, including change management. For example, would management be able to identify changes in the entity’s business or its circumstances that would affect the continued effectiveness of bank reconciliations as a control procedure?
  • The effectiveness of the monitoring component of the entity’s internal control.
  • Inquiries of personnel to determine what changes, if any, occurred during the period that would affect the performance of controls.
  • Repeating the procedures performed earlier in the year, focusing primarily on elements of the control procedure that have changed during the period. For example, if the entity added new bank accounts or new personnel performing certain bank reconciliations, you would focus your tests on those accounts and individuals.

Again, the types of procedures you perform for the period between June 30 and December 31 will depend on the risk related to the control.

Information Technology Application Controls

Application controls are the structure, policies, and procedures that apply to separate, individual business process application systems. They include both the automated control procedures (i.e., those routines contained within the computer program) and the policies and procedures associated with user activities, such as the manual follow-up required to investigate potential errors identified during processing.

As with all other control procedures, information technology (IT) application controls should be designed to achieve specified control objectives, which in turn are driven by the risks to achieving certain business objectives. In general, the objectives of a computer application are to ensure that:

  • Data remain complete, accurate, and valid during their input, update, and storage.
  • Output files and reports are distributed and made available only to authorized users.

Specific application-level controls should address the risks to achieving these objectives.

The way in which IT control objectives are met will depend on the types of technologies used by the entity. For example, the specific control procedures used to control access to an online, real-time database will be different from those procedures related to access of a “flat file” stored on a disk.

An IT controls specialist most likely will be needed to understand the risks involved in various technologies and the related activity-level controls.

Shared Activities

Some activities in a company are performed centrally and affect several different financial account balances. For example, cash disbursements affect not only cash balances but also accounts payable and payroll. The most common types of shared activities include:

  • Cash receipts
  • Cash disbursements
  • Payroll
  • Data processing

When designing your activity-level tests, you should be sure to coordinate your tests of shared activities with your tests of individual processing streams. For example, you should plan on testing cash disbursements only once, not several times for each different processing stream that includes cash disbursements.

Sample Sizes and Extent of Tests

Whenever you test activity-level controls, you will have to determine the extent of your tests. If you are testing the reconciliation of significant general ledger accounts to the underlying detailed trial balance, how many reconciliations should you look at? If the control is something that is performed on every transaction—for example, the authorization of payments to vendors—how many should you test?

The extent of your tests should be sufficient to support your conclusion on whether the control is operating effectively at a given point in time. Determining the sufficiency of the extent of your tests is a matter of judgment that is affected by a number of factors. Exhibit 1 lists these factors and indicates how they will affect the extent of your tests.

Exhibit 1. Determining the Extent of Tests

Effect on the Extent of Tests

Factor to consider | Increase number of tests | Decrease number of tests
How frequently the control procedure is performed | Procedure performed often (e.g., daily) | Procedure performed occasionally (e.g., once a month)
Importance of control | Important control (e.g., control addresses multiple assertions or it is a period-end detective control) | Less important control
Degree of judgment required to perform the control | High degree of judgment | Low degree of judgment
Complexity of control procedure | Relatively complex control procedure | Relatively simple control procedure
Level of competence of the person performing the control procedure | Highly competent | Less competent

When determining the extent of tests, you also should consider whether the control is manual or automated. When a control is performed manually, the consistency with which that control is performed can vary greatly. In contrast, once a control becomes automated, it is performed the same way each and every time. For that reason, you should plan on performing more extensive tests of manual controls than you will for automated controls.

In some circumstances, testing a single operation of an automated control may be sufficient to obtain a high level of assurance that the control operated effectively, provided that IT general controls operated effectively throughout the period.

Sample Sizes for Tests of Transactions

You do not have to test every performance of a control to draw a valid conclusion about the operating effectiveness of the control. For example, suppose that one of the controls a manufacturing company performs in its revenue cycle is to match the shipping report to the customer’s invoice to make sure that the customer was billed for the right number of items and the revenue was recorded in the proper period. Over the course of a year, the company has thousands of shipments. How many of those should be tested to draw a conclusion?

Statistical Sampling Principles

You do not have to perform a statistical sample to determine your sample size, but it does help to apply the basic principles of statistical sampling theory. In a nutshell, the size of your sample is driven by three variables:

1. Confidence level. This variable has to do with how confident you are in your conclusion. If you want to be very confident that you reached the correct conclusion (say, 95% confident), then your sample size will be larger than if you want a lower confidence level (say, 60%).
2. Tolerable rate of error. This variable addresses the issue of how many deviations in the performance of the control would be acceptable for you still to conclude that the control is operating effectively. If you can accept a high rate of error (the procedure is performed incorrectly 20% of the time), then your sample size will be smaller than if you can accept only a slight rate of error (the procedure is performed incorrectly only 2% of the time).
3. Expected error rate of the population. This variable has to do with your expectation of the true error rate in the population. Do you think that the control procedure was performed correctly every single time it was performed (0% deviation rate), or do you think that a few errors might have been made? The lower the expected error rate, the lower the sample size.

Note that the size of the population does not affect the sample size (unless it is very small, e.g., when a control procedure is performed only once a month, in which case the population consists of only 12 items).

In practice, most companies have chosen sample sizes for tests of transactions that range from 20 items to 60 items. It is common for independent auditors to offer some guidance on sample sizes.

Be careful in simply accepting sample sizes without questioning the underlying assumptions for the three variables just listed. In reviewing these assumptions, you should ask:

  • Am I comfortable with the assumed confidence level? Given the importance of the control and other considerations, do I need a higher level of confidence (which would result in testing more items), or is the assumed level sufficient?
  • Is the tolerable rate of error acceptable? Can I accept that percentage of errors in the application of the control procedure and still conclude that the control is operating “effectively”?
  • Is the expected population deviation rate greater than 0%? Some sample sizes are determined using the assumption that the expected population deviation rate is 0%. Although this assumption reduces the initial sample size, if a deviation is discovered, the sample size must be increased to reach the same conclusion about control effectiveness. Unless you have a strong basis for assuming a population deviation rate of 0%, you should assume that the population contains some errors. That assumption will increase your initial sample size, but it usually is more efficient to start with a slightly higher sample size rather than increasing sample sizes subsequently, as deviations are discovered.
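The three variables above can be turned into numbers with a simple binomial model of attribute sampling. The sketch below is an added illustration, not part of the original text or of any auditing standard; the function names are hypothetical, and the binomial model (a large population, so population size drops out) is an assumption of this example.

```python
from math import ceil, comb


def prob_at_most(k, n, p):
    """P(X <= k) when X ~ Binomial(n, p): the chance of seeing k or fewer
    deviations in n sampled items if the true deviation rate is p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def size_allowing(confidence, tolerable_rate, deviations, max_n=5000):
    """Smallest sample that still supports the conclusion when exactly
    `deviations` deviations are found in it."""
    risk = 1.0 - confidence
    for n in range(deviations + 1, max_n + 1):
        if prob_at_most(deviations, n, tolerable_rate) <= risk:
            return n
    raise ValueError("no sample size found below max_n")


def sample_size(confidence, tolerable_rate, expected_rate=0.0, max_n=5000):
    """Initial sample size driven by the three variables in the text.
    The number of deviations planned for is expected_rate * n, rounded up."""
    risk = 1.0 - confidence
    for n in range(1, max_n + 1):
        planned = ceil(expected_rate * n)
        if prob_at_most(planned, n, tolerable_rate) <= risk:
            return n
    raise ValueError("no sample size found below max_n")


def upper_deviation_limit(n, found, confidence):
    """Achieved upper limit on the population deviation rate after finding
    `found` deviations in n items (bisection on the binomial tail)."""
    risk = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if prob_at_most(found, n, mid) > risk:
            lo = mid  # tail still too heavy: the limit is higher
        else:
            hi = mid
    return hi


def demo():
    # Constructed planning scenarios: (confidence, tolerable, expected).
    scenarios = [
        (0.90, 0.10, 0.00),
        (0.95, 0.05, 0.00),
        (0.95, 0.05, 0.01),
    ]
    for conf, tol, exp in scenarios:
        n = sample_size(conf, tol, exp)
        print(f"confidence={conf:.0%} tolerable={tol:.0%} "
              f"expected={exp:.0%} -> sample size {n}")

    # Planned for 0% expected deviations, then one deviation turns up.
    n0 = sample_size(0.95, 0.05, 0.0)
    for found in (0, 1):
        limit = upper_deviation_limit(n0, found, 0.95)
        print(f"{found} deviation(s) in {n0}: upper limit {limit:.1%}")
    print("items needed to conclude with 1 deviation:",
          size_allowing(0.95, 0.05, 1))


if __name__ == "__main__":
    demo()
```

A sample planned on a 0% expected deviation rate leaves no room for a single deviation: one exception pushes the achieved upper limit above the tolerable rate, and the sample has to grow before the same conclusion can be reached.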

Sample Sizes for Tests of Other Controls

You also will need to determine sample sizes for controls that are performed less frequently than every transaction or every day. Because the population sizes for these types of controls are so small, traditional sampling methodologies need to be adjusted. Exhibit 2 lists the sample sizes that have evolved in practice for tests of smaller populations.

Exhibit 2. Sample Sizes for Small Populations

Frequency of Control Performance | Typical Sample Sizes
Annually | 1
Quarterly | 2 or 3
Monthly | 2 to 6
Weekly | 5 to 15

Types of Tests

Inquiry and Focus Groups

Formal inquiries of entity personnel—either individually or as part of a focus group—can be a reliable source of evidence about the operating effectiveness of application-level controls. Inquiries can serve two main purposes:

1. To confirm your understanding of the design of the control (what should happen).
2. To identify exceptions to the entity’s stated control procedures (what really happens).

Confirming control design. Typically, this process consists primarily of a review of documentation (such as policies and procedures manuals) and limited inquiries of high-level individuals or those in the accounting department. To confirm this understanding of the processing stream and control procedures, you should expand your inquiries to include operating personnel and those responsible for performing the control.

When conducting your inquiries, consider:

  • Focus first on what should happen and whether the employees’ understanding of the control procedure is consistent with your understanding. This strategy accomplishes two important objectives:
1. It provides you with a baseline understanding of the procedure that everyone can agree on. It helps to start with everyone on the same page. You can then discuss exceptions to the norm later.
2. If the employees’ understanding of what should happen varies significantly from what is documented, that may indicate a weakness in entity-level controls. For example, you may determine that a weakness in the entity’s hiring or training policies is the cause of the lack of understanding of what should happen. This weakness may have implications for the operating effectiveness of other application-level controls.
Differences between the documentation and the employees’ understanding of the procedures also may indicate that the implementation or use of the entity’s automated documentation tool was poorly planned or executed. For example, documentation of a new control may have been created without informing operating personnel of the change.
  • Ask open-ended questions. Open-ended questions get people talking and allow them to volunteer information. The results of your inquiries are more reliable when individuals volunteer information that is consistent with your own understanding rather than simply confirming that understanding with a direct statement.
  • Focus on how the procedure is applied and documented. As described earlier, operating effectiveness is determined by how the procedure was applied, the consistency with which it was applied, and by whom (e.g., whether the person performing the control has other, conflicting duties). The last two elements will be the subject of your inquiries to identify exceptions to the stated policy. Questions about what somebody does or how he or she documents control performance (e.g., by initialing a source document) typically are less threatening than questions related to consistency (“Under what circumstances do you not follow the required procedure?”) or possible incompatible functions.
  • Interviewers should share their findings and observations with each other. Research indicates that the effectiveness of inquiries as an evidence-gathering technique improves when engagement team members debrief the results.
  • Ask “What could go wrong?” Interviewees will easily understand a line of questioning that starts with:
“Tell me what could go wrong in processing this information.”
Followed by:
“What do you do to make sure those errors don’t occur?”
Toward that end, consider using the financial statement assertions model to frame your questions. As described previously, one way to organize your understanding of activity-level controls is to link them to financial statement assertions. You can use these assertions to formulate questions. For example, the question “What procedures do you perform to make sure that you capture all the transactions?” is related to the completeness assertion.
  • Consider the difference between processes and controls. A process changes or manipulates the information in the stream. Processes introduce the possibility of error. Controls detect errors or prevent them from occurring during the processing of information. Your inquiries should confirm your understanding of both the steps involved in processing the information and the related controls.
The duties of an individual employee may include the processing of information (e.g., the manual input of data into the computer system or the preparation of source documents), control procedures (e.g., the performance of a reconciliation or the follow-up on items identified in an exception report), or both. In making your inquiries, you should remain cognizant of the distinction between processes and controls and the responsibilities of the individual being interviewed.

Identify exceptions. In every entity, there will be differences between the company’s stated procedures and what individuals actually do in the course of everyday work. The existence of differences is normal. In testing the effectiveness of application-level controls, you should anticipate that these differences will exist, and you should plan your procedures to identify them and assess how they affect the effectiveness of activity-level controls. Differences between what should happen and what really happens can arise from:

  • The existence of transactions that were not contemplated in the design of the system.
  • Different application of the procedure according to division, location, or differences between people.
  • Changes in personnel or in their assigned responsibilities during the period under review.
  • Practical, field-level workarounds, a way to satisfy other objectives, such as bypassing a control to better respond to customer needs.

Once you and the interviewee reach a common understanding of the company’s stated procedures, you should be prepared to discuss the circumstances that result in a variation from these procedures. When making these inquiries:

  • Don’t make value judgments. In any organization, the information that flows through a processing stream will follow the path of least resistance. Controls that are seen as barriers to the processing of legitimate transactions that meet the company’s overall objectives may be bypassed. The employee may not be at fault. More important, if you adopt a judgmental attitude toward the interviewee, he or she will be less inclined to participate productively in the information-gathering process, and your interview will lose effectiveness.
  • Separate information gathering from evaluation. Remember that this phase of your inquiries is a two-step process: (1) identify the exceptions to the stated policy, and (2) assess the effect that these have on operating effectiveness. Keep these two objectives separate. Be careful that you don’t perform your evaluation prematurely, before you gather all the necessary information. When performing your inquiries, remember that your only objective is to gather information; you will perform your evaluation once you have completed your inquiries.
  • Use hypothetical or indirect questions to probe sensitive areas. Many interviewees will feel uncomfortable describing to you how they circumvent company policies or how they have incompatible duties that could leave the company vulnerable to fraud. To gather this type of information, use indirect questioning techniques that do not confront employees directly or otherwise put them on the defensive. For example, you might preface your questions with qualifying statements, such as:
    • “If a situation arose in which . . .”
    • “Suppose that . . .”
    • “If someone wanted to . . .”
  • Ask them directly about their opinion of control effectiveness. The overall objective of your inquiry is to gather information to assess the effectiveness of controls. The opinions of those who perform the control procedures on a daily basis are important. Ask them to share those opinions. Do they think the controls are effective? Why or why not?

Qualifications of employees. Assessing the operating effectiveness of control activities requires you to consider who performs such activities. Your inquiries should determine whether the interviewee is qualified to perform the required procedures. To be “qualified,” the individual should have the necessary skills, training, and experience and should have no incompatible functions.

Focus groups. As a supplement to, or perhaps instead of, interviewing people individually, you may wish to facilitate a group discussion about the entity’s activity-level control activities and their effectiveness. The purpose of the group discussion would be the same as a discussion with individuals: to confirm your understanding of control design and to gather information about operating effectiveness. However, group discussions are advantageous in that they:

  • Enable you to see the whole process. You may be able to convene a group of individuals who represent every step in the processing stream, from the initiation of the transaction through to its posting in the general ledger. A group discussion that includes these members will help you to understand more quickly how the entire process fits together.
  • Foster communication and understanding. In conducting your group discussion, you will bring together people in the company who may not interact on a regular basis, and you will engage them in a discussion about operating procedures and controls. By participating in this process, employees will gain a greater understanding of their responsibilities and how these fit into the larger picture. This improved understanding among employees will allow your project to provide value to the company that goes beyond mere compliance.

To conduct a group discussion, follow these five steps:

1. Review the documentation of the processing stream and determine who should be invited to participate. Groups of 5 to 10 people usually work the best—everyone can make a meaningful contribution to the conversation without things getting out of hand. Try to make sure that someone is present who has experience with every process, control, document, or electronic file described in your documentation of the processing stream.
2. Prepare a flowchart of the process on a large sheet of paper. Use sticky notes to document processes and control points. Your group discussion will be highly interactive, and the participants will have the opportunity to change your original flowchart to provide a more accurate description of what really happens in the process. Therefore, you should prepare your flowchart in a way that allows the group to work with it easily. Low-tech, high-touch works the best.
3. Assemble the group and explain:
  • The purpose of the discussion, as described previously.
  • The process, in which you will facilitate a discussion of how the process really works and the participants will be free to describe what happens by modifying the flowchart.
  • How long the discussion will take. Usually, one to two hours is the longest that a group discussion of this nature can remain productive. If you need more time, it is better to have more sessions rather than longer sessions.
4. Post the flowchart on the wall and walk the participants through your understanding of the process.
5. Facilitate a discussion among the participants. Be sure to:
a. Reach an understanding about what should happen.
b. Identify those instances in which exceptions exist (what really happens).
Throughout the discussion, encourage the participants to change the flowchart as necessary so that it reflects what they have said.

Tests of Transactions

Some control procedures allow you to select a sample of transactions that were recorded during the period and:

  • Examine the documentation indicating that the control procedure was performed.
  • Reperform the procedure to determine that the control was performed properly.

For example, the process for recording inventory purchases may require:

  • Physically matching a paper-based warehouse receiving report with an approved purchase order.
  • Determining that the purchase order was properly approved, as indicated by a signature.
  • Determining that the vendor is an approved vendor.
  • Observing evidence (e.g., checkmarks, initials) that warehouse personnel counted the goods received.

To test the effectiveness of this control procedure, you could:

  • Examine documentation that the control was performed, including:
    • Documents were matched.
    • Purchase order was signed.
    • Receiving report was marked.
  • Determine that the control was performed properly, including:
    • Purchase order and receiving report are for the same transaction.
    • Vendor is an approved vendor.
    • Signer of the purchase order has the authority to approve the transaction.

Computer application controls also may lend themselves to similar testing techniques. For example, suppose that purchased goods are accompanied by a bar code that identifies the goods received and their quantities. The bar code is scanned, and the information is matched electronically to purchase order files and approved vendor master files. Unmatched transactions are placed in a suspense file for subsequent follow-up. (As indicated previously, the computer application control consists of both the programmed elements of the control and the manual follow-up of identified errors.) To test the effectiveness of this control, you could:

  • Prepare a file of test transactions and run through the system to determine that all errors are identified.
  • Review the resolution of the suspense account items performed throughout the period to determine that they were resolved properly.

When performing tests of transactions, you will have to address issues related to the extent of testing: how many items to test. Suggestions for considering the extent of tests were provided earlier in this chapter.

Before performing your tests of transactions, you also should define what you will consider a control procedure error. In instances in which the evidence of performing the procedure is documented (e.g., an initial or signature), the lack of documentation (a missing signature) should be considered an error in the operation of the control. That is, in order for a documented control to be considered properly performed, both of these points must be true:

  • The documentation indicates that the control procedure was performed.
  • Your reperformance of the procedure indicates it was performed properly.

Reconciliations

Reconciliations are a common control procedure; examples are bank reconciliations or the reconciliation of the general ledger account total to a subsidiary ledger. In some instances, a well-designed reconciliation can provide an effective control over most of a processing stream. Testing the effectiveness of a reconciliation is similar to tests of transactions.

  • Review documentation that the test was performed on a timely basis throughout the period.
  • Reperform the test to determine that all reconciling items were identified properly.
  • Investigate the resolution of significant reconciling items.

Observation

You may be able to observe the application of some control procedures, such as computer input controls like edit checks. A physical inventory count also lends itself to observation as a means of assessing effectiveness. For a control performed only occasionally, such as a physical count, it may be possible to observe the control each time it is performed. For controls that are performed continuously for large volumes of transactions, you will need to supplement your observations with other tests, such as:

  • Inquiry
  • Test of entity-level controls

Evaluating Test Results

The results of your tests of activity-level controls should support your conclusion about their operating effectiveness. If your tests revealed no deviations or exceptions in the performance of control procedures, then you should be able to conclude that the control is operating effectively (assuming that the scope of your test work, as discussed earlier in this chapter, was sufficient).

When your tests of operating effectiveness uncover exceptions to the company’s prescribed control procedures, you should determine whether additional tests are required to assess operating effectiveness. A control testing exception is not necessarily a control deficiency. You may determine that the exception was an isolated instance of noncompliance with the established control procedure. However, if you do conclude that a testing exception is not a control deficiency, then you should perform and document additional test work to support your conclusion. In most instances, control testing exceptions are not considered to be isolated instances of noncompliance.

For example, when your test work reveals deficiencies in either the design or the operating effectiveness of a control procedure, you will need to exercise your judgment in order to reach a conclusion about control effectiveness.

Ultimately, you should consider that you are making a conclusion about the effectiveness of internal control as a whole. When you evaluate activity-level controls, you should consider the effectiveness of the entire information-processing stream, not individual control procedures in isolation.

Examples of Evidential Matter That May Support the Specific Assertions Embodied in Financial Statements

Another approach is a source list of procedures or evidential matter to be used as a resource in developing audit programs. The following chart indicates what this approach might look like for some common financial statement components. Usually such source lists present either evidential matter or procedures but, to avoid repetition, not both. For example, if the evidential matter is minutes of board meetings, the procedure is to read the minutes. Or if the procedure is to inspect a broker’s advice, the evidential matter is the broker’s advice.

Another approach is to use standardized audit programs developed for common components of financial statements. This approach is not illustrated here. Many auditors prefer source lists to packaged programs because of a concern that standardized programs promote routine application and do not encourage exercise of judgment.

Source List of Procedures or Evidential Matter
