ATC f8 materials for jun08 session study systemf8 AA (int)session13 j08


SESSION 13 – RELIANCE ON CONTROL EFFECTIVENESS & SUBSTANTIVE TESTING

OVERVIEW

Objective

To evaluate audit reliance on control effectiveness and substantive testing of transactions.

TESTING CONTROL EFFECTIVENESS
- Components
- General approach
- Understanding internal control
- Testing operating effectiveness
- Reliance on past results

SUBSTANTIVE TESTING
- Aim
- Approach
- Hybrid approach

REPORTING WEAKNESSES TO MANAGEMENT
- Management letter
- Content
- Form and presentation
- Follow up
- Interested third parties
- Specimen letter

EXAM SKILLS

TESTING CONTROL EFFECTIVENESS

1.1 Components

[Diagram: INTERNAL CONTROL, with components CONTROL ENVIRONMENT; RISK ASSESSMENT PROCESS; INFORMATION SYSTEMS; CONTROL ACTIVITIES; CONTROL MONITORING]

1.2 General approach

[Flow diagram labels: Risk assessment and internal controls; No reliance; Reliance; Test effectiveness; Evaluate; Remaining assurance from substantive procedures; Not effective; Report to management; All assurance from substantive procedures]

As part of their risk assessment, the auditor must consider if controls are appropriately designed to prevent, or detect and correct, a material misstatement AND have been implemented (See Sessions and 9).

If, following the risk assessment, controls do not appear to be satisfactory OR the auditor does not seek to place reliance on controls, a fully substantive testing approach is used (eg a high level of testing transactions, balances and disclosures).

If the auditor decides that audit assurance can be obtained through reliance on the effectiveness of internal controls (and it is cost effective to do so), audit evidence must be obtained through testing the effectiveness of such controls (eg throughout the period being audited).

In this context, cost effective means that the time taken to test the controls and carry out a lower level (eg minimum sample size or analytical procedures) of substantive testing on transactions would be
less than if a higher level (eg maximum sample size) of substantive testing of transactions alone was undertaken.

If the testing shows the controls have been effective, then the remaining assurance should be obtained through substantive testing. This will mean lower sample sizes for testing transactions, testing of balances and effective use of substantive analytical review procedures.

If the testing shows that the controls are not effective, all audit assurance will be obtained through increased substantive testing (eg larger sample sizes) of transactions, balances and disclosures.

Where the risk assessment or testing indicates that controls are not satisfactory, a report to management must also be made (See Session 13).

1.3 Understanding internal control

ISA 315 requires the auditor:
- to understand internal control in sufficient detail to be able to identify and assess the risks of material misstatement; and
- to design and perform further audit procedures (i.e. test the operating effectiveness of controls and substantive testing).

Controls that are likely to prevent, or detect and correct, material misstatements will be identified (and understood) as part of the risk assessment process.

Often, single controls will be insufficient, but multiple controls (when considered together) will be sufficient to achieve a given control objective.

Professional judgement must be used by the auditor in deciding whether or not placing reliance upon the operation of controls would be an effective and (cost) efficient means of obtaining sufficient, appropriate audit evidence.

Just because there are controls does not mean the auditor should always test them (e.g. in smaller businesses or areas of a large business, the level of transactions may be relatively low such that a fully substantive approach would be more cost efficient).

Conversely, where the availability of substantive evidence to provide sufficient, appropriate
audit evidence is insufficient, the testing of controls is essential (e.g. for highly automated systems where a significant amount of data is initiated, recorded, processed and reported electronically, it may not be possible to obtain sufficient audit evidence through substantive testing alone. In this instance, testing of both manual and electronic controls plus extensive analytical review would usually provide the assurance required).

1.4 Testing operating effectiveness

Appendix Session 36 contains detail on the control objectives, internal control procedures, tests of control and substantive procedures (see also Appendix Session 37) for revenue and expense transaction cycles. These MUST be studied in order to fully understand and complement the detail within this session and Sessions and

1.4.1 Nature of tests of control

Tests of controls (testing control effectiveness, compliance testing) will use the following procedures:
- inspection
- observation
- inquiry
- confirmation
- recalculation
- reperformance
- analytical procedures

all of which may be used for assessing the operating effectiveness of control procedures at the assertion level (PIPSA), e.g.:
- Performance reviews (e.g. analytical procedures, reperformance, observation)
- Information processing (e.g. inspection, recalculation, reperformance)
- Physical controls (e.g. observation, inquiry, reperformance, analytical procedures)
- Segregation of duties (e.g. observation, inspection, reperformance)
- Authorisation (e.g. inspection, inquiry, confirmation)

Note that the nature of such tests is exactly the same as used by the auditor to understand the design and implementation of the control. The major differences are the timing and extent of tests of control.

The detail of these tests is fully described in Sessions & and should be reviewed along with the detail within Appendix

1.4.2 Timing of tests of control

Testing a control at any moment in time will only provide
evidence of the effectiveness (and implementation) of that control at that point in time.

Depending on the objective of the test, it is often necessary to test the effectiveness of controls over a period of time, eg:
- Year end inventory counts only require testing of control (and substantive procedures) at the year end since no reliance is placed on day-to-day controls.
- Controls over continuous inventory systems will need to be tested throughout the year (e.g. discrepancy reports must be followed up and acted upon) if reliance is to be placed on inventory records at the year end.

A common (efficient) approach to testing of controls is to conduct, wherever possible, this procedure during the interim audit. In doing so, the auditor is able to reassess their audit approach, as necessary, prior to the year end audit (rather than making last minute discoveries that impact upon the audit approach).

When an interim audit is carried out, the approach to auditing the remaining period must be considered. Factors to take into account include:
- the significance of the assessed risks of material misstatement during the remaining period;
- the length of the remaining period (eg four months of transactions will be more material than just one month);
- the control environment; and
- significant changes made to the internal control system since the interim audit.

Illustration

An interim audit is carried out two months before the year end. The results show that there is a high degree of operating effectiveness (no errors noted).

During the remaining two months, a change is made to the procurement procedures. This is considered by the auditor to be significant in that if the changed control did not work, there is a risk of material misstatement in the financial statements. No other changes to internal control were identified by the auditor.

Full understanding and risk assessment is made based around this change in control. The operational effectiveness of the change and its impact on the procurement
system will be tested from the date of its introduction.

As the monitoring of controls was assessed as being effective at the interim audit, the auditor decides that a review of the control monitoring procedures during the last two months, supported by analytical review, would be sufficient to cover the remaining internal controls relevant to the audit.

1.4.3 Extent of tests of control

Takes into consideration:
- The frequency of the performance of the control by the entity during the period.
- The length of time during the audit period that the auditor is relying on the operating effectiveness of the control. (This will generally be the whole period.)
- The relevance and reliability of the audit evidence to be obtained.
- The extent to which audit evidence is obtained from tests of other controls related to the assertion.
- The extent to which the auditor plans to rely on the operating effectiveness of the control in the assessment of risk (and thereby reduce substantive procedures based on the reliance of such control).
- The expected deviation (ie number of errors) from the control. A common expected deviation is zero – thus any deviations may result in increased substantive testing.

If the system is changed partway through a year (eg manual system converted to a computer based system), effectively two systems will need to be fully assessed and tested, depending on the length of time each system has been in operation (eg if the change occurred during the last month, a detailed analytical review may provide sufficient audit evidence for the last month).

What is of prime importance will be the procedures and control over the transfer of data, ie that the integrity of data was maintained during the change. This must be fully assessed and tested by the auditor (see Session 12).

1.4.4 Errors found during tests of control

The concept of materiality does not apply when dealing with control test errors – if the expected
deviation is zero (the most common expectation) then any error means that the control did not work.

What is important is for the auditor to determine the reason for the error(s).

If there was only one (or very few) errors from the sample tested, this may be indicative of an isolated error (e.g. no purchasing authorisation for a day because the buying manager was sick). A review should be undertaken to see if the error was repeated at any other time (e.g. at what other times was the manager ill and were alternative controls in place) plus analytical review of the purchases actually made on those days. It may then be concluded that if there is no material impact on the financial statements, substantive procedures may not need to be increased. A report of the weakness and potential impact must still be made to the client.

If there were several errors within a test, then the conclusion may usually be reached that the controls are not effective and substantive procedures will need to be extended accordingly. The reasons for the control not working must still be established and reported to the client.

1.5 Reliance on past results

1.5.1 General

Audit evidence of the operating effectiveness of controls in a prior period may be relied upon as audit evidence for the current period, provided:
- inquiries, observations and inspections are made to confirm that no changes have occurred in the current period;
- if an individual control, that control is tested at least once every three years;
- if a number of controls, then a sufficient portion (auditor’s judgment) of those controls must be tested each year and each control must be tested at least every three years;
- the assessed risk is not a significant risk (auditor’s judgement).

1.5.2 Significant risks

For significant risks, the operating effectiveness of controls must be tested each year.

Whilst the audit evidence obtained in a prior year relating to the design of such
controls may be relied upon (provided no changes to the design have been made), the evidence of its implementation AND operating effectiveness must be fresh each year.

In general, the higher the risk of material misstatement, or the greater the reliance on the control, the higher the need for that control to be tested every year. Factors to consider include:
- the effectiveness of other elements of internal control, including the control environment, the entity’s monitoring of controls, and the entity’s risk assessment process;
- the risks arising from the characteristics of the control, including whether controls are manual or automated;
- the effectiveness of general IT-controls, if applicable;
- the effectiveness of the control and its application by the entity, including the nature and extent of deviations in the application of the control from tests of operating effectiveness in prior audits;
- whether the lack of a change in a particular control poses a risk due to changing circumstances;
- the risk of material misstatement and the extent of reliance on the control.

Example

Suggest reasons for the auditor not to rely on audit evidence obtained in prior periods.

Solution

SUBSTANTIVE TESTING

2.1 Aim

Substantive procedures are those procedures that are performed in order to detect material misstatements at the assertion level and include:
- tests of detail of transactions
- tests of detail on account balances
- tests of detail on disclosures; and
- analytical review

2.2 Approach

Fully (100%) substantive procedures must be considered when:
- it will be more effective to use purely substantive procedures (e.g. low volume, high value items, often non-homogenous – non-current assets for example);
- the effectiveness of internal controls is not to be relied upon; or
- from testing controls they are found to be ineffective.

2.2.1 Nature

Substantive analytical procedures are generally more applicable to large volumes of
transactions that tend to be predictable over time, and are often used in conjunction with a strong control environment AND where audit evidence has been obtained from testing the effectiveness of controls (eg computer information systems). See Session 16 for further detail on substantive analytical review.

Tests of detail on transactions are used to obtain audit evidence regarding certain assertions about transactions (usually on manual systems or computer information systems where it is easy to trace a transaction through the system), eg completeness, occurrence and measurement.

Illustration

After carrying out a risk assessment, an auditor decides that substantive tests of detail on an entity’s manual sales system are required as part of their procedures to reduce audit risk. Reliance cannot be placed on the effective operation of internal controls.

Transaction tests carried out include:
- Agreeing a despatch entry in the inventory records to the despatch note and then through to a sales invoice.
- Agreeing details on the sales invoice including customer name, address, unit prices, VAT and the arithmetical accuracy of the invoice.
- Agreeing that the invoice is correctly posted and analysed in the sales day book (SDB) and agreeing the arithmetical accuracy of the SDB.
- Agreeing the correct posting of the day book to the general ledger.

Effectively they are tests that trace a transaction through a system, for example to ensure that a despatch is correctly recorded as a sale or a purchase entry recorded in the daybook is supported by a purchase invoice, goods received note and purchase order.

If no reliance is placed on controls, the level (ie sample size) of transaction testing will be high. If reliance can be placed on controls, then the level of transaction testing will be lower.

The auditor may assess that audit risk can be reduced to an acceptable level by reliance on controls and substantive analytical
review, rather than transaction testing (as above).

Tests of detail on balances (and disclosures) primarily deal with assets/liabilities and related assertions, eg existence, valuation, control. The assertions and approach to tests of detail are covered in Session 15.

2.2.2 Timing

Substantive procedures may be carried out at an earlier date than the entity’s year end and the final audit, i.e. at an interim audit.

If carried out at an interim date, further tests must be carried out to cover the remaining period. These tests (substantive and/or tests of control) must be sufficient to ensure that the risk of misstatement does not increase during this period.

Unlike tests of control, where prior year audit evidence may be relied upon under certain circumstances, prior year substantive evidence will be insufficient to address a risk of material misstatement in the current period.

2.2.3 Extent

In general, the greater the risk of material misstatement, the greater the extent of substantive procedures.

For any one substantive procedure, the extent of testing usually relates to sample sizes, e.g. increase the extent means increasing the sample size. However:
- selecting large (eg material) or unusual items from a population, or
- stratifying the population into homogeneous subpopulations for sampling

are also appropriate ways of considering the extent of substantive procedures.

It is not unusual in many substantive testing approaches that all items greater than the materiality level (or a ‘tolerable error’, e.g. 50% of the materiality level) are selected for testing. If an error is found, then that error is likely to be material to the financial statement assertions.

2.3 Hybrid approach

In some cases, a single test approach can achieve both the control and substantive objective at the same time.

Illustration

The auditor decides to place reliance on internal controls in a sales system and determines the sample sizes as 30
for control testing and 30 for transaction testing. Without reliance on controls, a sample size of 60 would be appropriate.

Rather than using two separate samples, the auditor decides to use one sample to cover the transaction testing and control testing as appropriate. Those controls that cannot be tested during the transaction testing will be covered by separate tests.

The transaction is recognised by issue of inventory resulting in a despatch document, sales invoice, sales day book entry, ledger entries.

30 inventory issues are selected (throughout the year) and traced through the system to the general ledger. At the various stages of the sales system where controls have been identified for testing, control testing is also carried out.

For example, the control of sales invoice authorisation requires that the sales manager has agreed the details to the authorised despatch note, the sales price and discounts to the sales customer data-base, checked the VAT and cross cast the invoice. The manager then signs all copies of the invoice.

As part of the transaction test, each invoice for all of the above sample would have been substantiated by the auditor (inventory issue to despatch note, despatch note to sales invoice, other details on invoice to supporting evidence, calculations and casting). Thus they have effectively reperformed the control action of the manager. Provided the manager’s signature is on all invoices, the control can be considered as effective.

If invoices were found that did not have the manager’s signature on them AND the auditor concludes (after further investigation) that the control cannot be relied upon (eg no alternative control), an additional 30 inventory despatch items would be selected for further transaction testing.

Every month a reconciliation is carried out between the control account and sales ledger account. This does not form part of the sales system transaction testing,
thus testing this control would be dealt with separately.

REPORTING WEAKNESSES TO MANAGEMENT

3.1 Management letters

Under the terms of a standard engagement letter (see Session 5) the auditor is required to inform management of any material weaknesses in the design or implementation of internal control relating to financial reporting that came to their attention during their audit.

They are also required, under ISA 260 Communications of Audit Matters with Those Charged with Governance and most corporate governance codes, to discuss such matters with those charged with governance, eg the audit committee.

The primary form of doing so is the management letter (sometimes referred to as a letter of weakness, internal control memoranda, letters of recommendation, constructive service letters or post-audit letters).

Apart from dealing with control weaknesses, the management letter may also be used to:
- provide constructive advice on business systems, risk systems and managing risk (eg through benchmarking client’s systems against expected norms as part of the auditor’s understanding the entity and environment);
- indicate areas in which audit efficiency could be improved and thereby reduce audit costs (eg extended use of CAATs, preparation of documents by the client);
- protect the firm against potential litigation by demonstrating that critical weaknesses had been identified and drawn to the attention of management.

3.2 Content

The management letter must be addressed to the board, and not to any one individual director. The auditor should ensure that its contents have been fully discussed by the board, eg minuted at a board meeting.

The report must be clear, concise, constructive, and structured. It will usually consist of two elements:
- a covering letter; and
- supporting detail of the weaknesses, suggestions for corrective action and management response.

The detail within the letter should not conflict with the
opinion expressed within the audit report, eg matters within the report indicate that proper books and records have not been kept, yet the audit report is unqualified.

The covering letter should contain statements that:
- accounting and internal control systems were considered only to the extent necessary to determine the auditing procedures (ie design/implementation plus effectiveness if deemed appropriate to obtain audit assurance) and not to determine the adequacy of internal control for management purposes or to provide assurance on the accounting and internal control systems;
- only weaknesses in internal control which have come to the auditor’s attention as a result of their audit procedures are included;
- other weaknesses in internal control not assessed by audit procedures may exist;
- the report is provided for use only by management (and those charged with governance where necessary) in the context of the audit.

Example

As audit manager, what qualities would you look for when reviewing a letter of weakness drafted by an audit senior?
Solution

3.3 Form and presentation of supporting detail

The matters raised by the management letter may be within the body of the covering letter, or as a separate appendix. They will usually be prioritised, eg high risk first, lower risk following. They may also be categorised into audit sections (eg purchases, sales, inventory, receivables).

Matters that have been raised in previous management letters, but have not yet been acted upon by management, should be dealt with in a separate section of the report. Care should be taken to ensure that such matters are still relevant and not considered irrelevant by management, eg not considered cost effective to implement recommendation.

A common structure of the recommendations covers:
- Explanation/details – The description of each weakness is concise but specific, and the extent of the error quantified if possible.
- Consequence/impact – Expressed in terms of the financial statements (e.g. they could contain errors), and/or the business’s assets (e.g. financial loss may result). Care must be taken not to imply that the errors are already there, but were not found, or that any employee has taken advantage of the weakness.
- Recommendation – How each problem could be overcome. Must be practical, beneficial and cost-effective to encourage management to adopt them.
- Management response – If points already raised with client, include action agreed. Otherwise, request reply to points raised.

All matters raised should normally be in writing. However, if a written report is considered unnecessary, inappropriate or not cost effective (eg only one matter of note), the matter should be discussed with the client and fully recorded as audit evidence within the working papers. Ideally, a copy of the note should be sent to the client for confirmation and response.

3.4 Follow up

Once issued, the management response should be obtained as quickly as possible and assessed for its impact
on the next stage of the audit, eg will recommendations be implemented before the year end and final audits.

Prior year management letters should be reviewed as part of the planning for the current audit. If controls have been implemented, their design, implementation and potential for testing must be assessed.

Example

You are the auditor of Homecontrols, a company which manufactures components for domestic appliances. The company operates a perpetual inventory system and also performs quarterly physical inventory counts, amending the perpetual inventory records where appropriate to reflect actual quantities counted.

During your interim visit you review the results of the last physical count. It appears that a number of high value items included in the records were not in inventory. Also, returns from customers are added into physical inventory but are not recorded in the perpetual inventory records.

Required:

State the points which you would make in your report to management in respect of these matters and comment on their possible impact on your year end audit work.

Solution

[Blank answer table with columns: Weaknesses; Risks; Recommendations]

3.5 Interested third parties

The auditor cannot disclose the detail of the management letter to any third party without the client’s consent as it is confidential information.

A disclaimer/caveat would normally be placed within the report:
- report prepared for use by management (or other specific named party)
- written consent for auditor required for client to disclose to another party
- no responsibility to third parties

3.6 Specimen letter

The Board of Directors
Revup Automotives
Rada Str, 56A
Oceanana, 010145

A, B & C
Per Schorwsa, 777
Oceanana, 030598

21 May 20XY

Dear Sirs

20XY Audit

During our recent interim audit for the year ending 30 June 20XY, we examined the internal controls and procedures that your company has
established to enable it to ensure, as far as possible, the accuracy and reliability of its financial records, safeguard its assets and achieve its business objectives.

As agreed at our meeting on 26 April 20XY and stated within our engagement letter of August 20XX, we are writing to you in order to draw your attention to the weaknesses in internal control which have come to our notice during this examination, and to suggest ways in which the system could be improved. These matters are set out in the attached appendix.

It must be appreciated that the matters dealt with in this letter came to our notice during the conduct of our normal audit procedures which are designed primarily to enable us to express an independent opinion on the financial statements of the company. Consequently, our work did not encompass a detailed review of all aspects of the control system and cannot be relied upon necessarily to disclose all defalcations or other irregularities or to include all possible improvements in internal control.

As confirmed in our meeting by the finance director and chief accountant, all of these matters have been discussed by us with them and they are in broad agreement with the recommendations made.

This report has been prepared for the use of the board and audit committee of Revup Automotives, and no responsibility is accepted to third parties without our prior knowledge and agreement in writing.

We look forward to hearing from you in due course regarding the future action that you intend to take.

Finally, we should like to take this opportunity to thank your staff for their co-operation during the course of the audit.

Yours faithfully

A, B & C
Chartered Certified Accountants & Registered Auditors

[Appendix table with columns: Weakness; Impact; Recommendations]

Hours worked by service employees
Weakness: The total hours worked by service employees (including overtime) are not independently verified and authorised.
Impact: Employees may be paid for work that they have not done, eg by getting other employees to input their time card and code on arriving and leaving the premises.
Recommendations: The service manager should review and authorise the computer time schedules as an accurate record of time spent working by employees. He should also regularly review the security tapes of the employees inputting their time card and code to check for misuse, eg more than one card being used.

Goods received
Weakness: Goods received notes are not always authorised to show that details have been agreed to purchase orders and that the quality of the goods has been checked.
Impact: Financial loss would occur if, for example, the goods received were not ordered or were not of the right quality. Using poor quality goods may result in customer claims against the firm. From our tests carried out, we estimate that 60% of goods received are not being agreed to purchase orders or physically checked.
Recommendations: All goods received should be checked for quality and agreement to the purchase orders. Any goods received note sent to accounts (to await the purchase invoice) should be returned to goods received department if not authorised or not in agreement with the copy purchase order already held by accounts. The financial accountant should follow up any such instances.

Data security
Weakness: There is no access security for the computer terminals in the wages department.
Impact: Because the password facility has been disabled, anybody can access the system without authority and, for example, change or corrupt data, eg add nonexistent employees or increase wage rates.
Recommendations: Whilst our tests did not find any errors, the password system should be activated immediately. Although users find it difficult to remember their passwords (they should not write it down or use easily connected elements eg date of birth) the risk of data corruption and financial loss is too high. The current data held on the system should be verified to independent sources, eg the personnel department’s system, to ensure it is correct, valid and appropriate.

EXAM SKILLS

4.1 Effectiveness of controls

KEY SKILLS [diagram]
- Specify control objectives: to ensure that something good happens / something bad does not. Key words ⇒ CAVe
- Specify control activities
- Suggest tests of controls: “Ideas list” – inquire – observe – inspect – reperform – test
- Identify control weaknesses: deficiencies in control components (control environment, risk assessment procedures, information systems, monitoring)
- Make recommendations: be specific – Who? – What? – When

Illustration

Consider the sales cycle. Identify the overall control objective (that all goods despatched are correctly recorded in the general ledger), break down transaction into components, i.e. the flow of documentation, and ask “what could go wrong?” – that is, what would be an appropriate control objective for that element (eg to ensure that goods cannot be despatched without the correct authorisation)? Effectively, devise control objectives at each stage.

[Diagram: flow of documentation: Customer order → Sales order → Despatch note → Invoice → Sales day book → General ledger (Dr SLC a/c, Cr Sales) and Receivables ledger, annotated with the questions below]
- Can goods be despatched without authorisation?
- Can goods be despatched but not invoiced?
- Can invoices be raised when no goods despatched?
- Can invoices be raised but not recorded?
- Can goods be despatched or charged to the wrong customer?
Then ask yourself what control activities need to be in place to achieve the control objective, e.g. authorisation, completeness checks, reconciliations, analytical review, pre-numbering of documents, segregation of duties, etc. Compare your ideas with what the question scenario has; any differences will form the basis of your answer.

In the examination, be prepared for a ‘practical theory’ question, where you are presented with a scenario and have to identify internal control weaknesses. Basically, place the ideal “framework” over the scenario and identify the errors/gaps.

Ensure you fully understand the difference between the control objective (eg what does the control aim to achieve … to ensure that ….) and the control activities (eg what actions have to take place to ensure the objective is achieved).

Example

Break down the purchases cycle into components and generate four key control questions.

4.2 Transaction testing

Remember that a transaction test is a substantive procedure, not a control procedure. Whilst, as with control testing, it is necessary to identify the accounting system and the documents generated by the system, transaction testing deals with the flow of data through the system and not the controls over the system (eg the data on a sales invoice and not the authorisation control).

Illustration

Consider sales transactions. Identify the overall audit objective (as above). Break down the transaction into components and documents produced:

- Customer order
- Sales order
- Despatch note
- Invoice
- Sales day book
- General ledger (Dr SLC a/c, Cr Sales)
- Receivables ledger

Then ask yourself what information needs to flow from one document to the next to achieve the overall objective. Identify the assertions and how the transaction can be tested through the accounting system, taking into account the overall audit objective (eg whilst the despatch note details will be agreed to the sales invoice (completeness and accuracy), further information is also recorded on the sales invoice and must be audited, eg sales price, discounts, VAT, casting).

Assertions and the approach to the audit of balances and disclosures are covered in Session 15.

FOCUS

You should now be able to:

- explain the importance of internal controls to auditors;
- explain how auditors identify weaknesses in internal control systems and how those weaknesses limit the extent of auditors' reliance on those systems;
- discuss the difference between tests of control and substantive procedures;
- explain, analyse and provide examples of internal control procedures and control activities;
- explain and tabulate tests of control suitable for inclusion in audit working papers;
- analyse the limitations of internal control components in the context of fraud and error;
- explain the need to modify the audit strategy and audit plan following the results of tests of control;
- discuss and provide examples of how the reporting of internal control weaknesses and recommendations to overcome those weaknesses are provided to management.

EXAMPLE SOLUTION

Solution — Prior period audit evidence

- A weak control environment
- Weak monitoring of controls
- A significant manual element to the relevant controls
- Personnel changes that significantly affect the application of the control
- Changing circumstances that indicate the need for changes in the control
- Weak general IT-controls

Solution — Qualities

- Timeliness – as soon as possible after completion of audit procedures
- Use of specific examples to illustrate weaknesses/deficiencies
- Clear explanations of implications/risks
- Commercial awareness of the client’s expectations
- Practicable recommendations for improvements
- Inclusion of prior year points not actioned, suitably amended
- Clear, constructive and concise
- Careful presentation (e.g. “tiered” structure)
- Factual accuracy
- Evidence of discussion (e.g. inclusion of client’s comments)
- No remarks of a personal nature

Solution — Management letter points

Weaknesses

- Authorised inventory movements (e.g. customer returns) may not be recorded
- Possibility of unauthorised inventory movements/misappropriation/theft

Risks

- Records unreliable for year-end inventory figures
- Management decisions (e.g. to place orders/make sales) are based on unreliable figures
- Receivables will be overstated if returns not accounted for
- Unexplained inventory losses represent financial loss

Recommendations

- Improve physical security (e.g. with gate controls)
- All movements to be accompanied by sequentially numbered document
- Prohibit unauthorised movements – need responsible person in charge of stores
- Monthly physical counts until problem is resolved

Impact on year-end audit

- Reliance to be placed on perpetual inventory records reduced (if any)
- Inventory count results more important – attend and increase number of test counts
- Differences between perpetual inventory records and physical results to be investigated/resolved
- Inventory losses to be identified and properly accounted for

Solution — Purchases cycle

Flow of documentation:

- Purchase requisition
- Purchase order
- Goods received note
- Invoice
- Purchase day book
- General ledger (Dr Purchases, Cr PLC a/c)
- Payables ledger

Key control questions:

- Can goods be ordered without authorisation?
- Can goods be received without authorisation?
- Can goods be received without a liability being raised?
- Can a liability be raised for goods not received?
- Can a liability be recorded for the wrong amount?
- Can a liability be raised for the wrong supplier?

Date posted: 25/08/2018, 09:58
