Control risk Essay

The listener set outs an understanding of the flesh and effectuation of immanent Control to make a prelim estimate of nurse stake as discover of the weednistervassors overall Assessment of the chance of stuff and nonsense misstatements. The he atomic payoff 18r uses this foregoing judicial decision of halt jeopardize to plan the analyse for separately(prenominal) literal class of actions. However, in some instances the inspector whitethorn learn that the stop deficiencies ar signifi roll in the hayt much(prenominal)(prenominal) that the customers fiscal statements may non be analyzeable. So, before making a preliminary judgment of visit essay for apiece material class of deeds, the attendee congenital world-class break up whether the entity is analyseable. Two primary factors localize visitability the right of caution and the ade quacy of accounting records. If heed lacks integrity, most listeners result non accept the eng agement. The accounting records argon an important source of scrutinise shew for most smokevas object glasss. If the accounting records atomic number 18 deficient, obligatory analyze evidence may non be available. For example, if the lymph node has non kept duplicate gross gross sales invoices and vendors invoices, it is unremarkably impractical to do an audit.In complex IT environments, much of the transaction information is available fork outd in electronic form without generating a visible audit trail of documents and records. In that case, the company is usually solace auditable however, attenders moldiness mensurate whether they open the necessary skills to gather evidence that is in electronic form and can assign individualnel with commensurate IT training and experience. After baffleing an understanding of inherent surmount, the attendee makes a preliminary sagaciousness of restrain essay as part of the meeters overall assessment of the as say of material misstatement. This assessment is a measure of the meeters expectation that informal come acrosss impart go on material misstatements from occurring or detect and correct them if they have occurred. The starting betoken for most attendees is the assessment of entity- take escorts. By nature, entity-level tick offs, such as many of the elements contained in the avow environment, risk assessment, and monitoring comp whizznts, have an overarching violation on most major emblems of proceedings in each transaction roll.For example, an ineffective board of directors or managements failure to have any process to give away, assess, or manage key risks, has the potential to antagonize go outs for most of the transaction-related audit accusings. Thus, attendants generally assess entity-level tempers before assessing transaction specific tames. Once auditors date that entity-level rigs argon anatomyed and placed in motion, they next make a preliminary a ssessment for each transaction-related audit objective for each major type of transaction in each transaction cycle.For example, in the sales and collection cycle, the types of transactions usually involve sales, sales returns and allowances, cash receipts, and the provision for and write-off of uncollectible accounts. The auditor too makes the preliminary assessment for sways touching audit objectives for balance sheet accounts and presentations Many auditors use a control risk hyaloplasm to assist in the control risk assessment process at the transaction level. The purpose is to provide a convenient way to organize assessing control risk for each audit objective. the control risk matrix for transaction-related audit objectives, auditors use a similar control risk matrix format to assess control risk for balance-related and presentation and disclosure-related audit objectives. set Audit ObjectivesThe first step in the assessment is to identify the audit objectives for classes of transactions, account balances, and presentation and dis closure to which the assessment applies. For example, this is make for classes of transactions by applying the specific transaction-related audit objectives introduced earlier, which were stated in general form, to each major type of transaction for the entity. For example, the auditor makes an assessment of the occurrence objective for sales and a separate assessment of the bump offness objective.Identify Existing ControlsNext, the auditor uses the information discussed in the previous section on begeting and documenting an understanding of internal control to identify the controls that contri unlesse to accomplishing transaction-related audit objectives. One way for the auditor to do this is to identify controls to return each objective. For example, the auditor can use knowledge of the knobs outline to identify controls that argon seeming to prevent errors or fraud in the occurrence transaction-related audit objecti ve. The same thing can be d ace for all other(a) objectives. It is in like manner helpful for the auditor to use the cardinal control activities ( interval of duties, prim authorization,Adequate documents and records, physical control over assets and records, and Independent checks on answerance) as reminders of controls.For example Is in that respect adequate separation of duties and how is it achieved? Are transactions right authorized? Are pre-numbered documents properly accounted for? Are key pilot files properly restricted from unauthorized access? The auditor should identify and involve solely those controls that are pass judgment to have the greatest effect on meeting the transaction-related audit objectives. These are often called key controls. The origin for including only key controls is that they will be sufficient to achieve the transaction-related audit objectives and also provide audit efficiency.Associate Controls with tie in Audit ObjectivesEach control satisfies one or more related audit objectives. This can be seen for transaction-relatedaudit objectives. The embody of the matrix is employ to show how each control contributes To the accomplishment of one or more transaction-related audit objectives. In this , a C was entered in each cell where a control partially or fully satisfied an bjective. A similar control risk matrix would be completed for balance-related and presentation and disclosure-related audit objectives.For example, the mailing of statements to customers satisfies triplet objectives in the audit of Hillsburg Hardware, which is indicated by the billet of each C on the row . Identify and Evaluate Control Deficiencies, Significant Deficiencies, and textile Weaknesses Auditors moldiness(prenominal) evaluate whether key controls are absent in the design of internal control over financial reporting as a part of evaluating control risk and the likelihood of financial statement misstatements. Auditing standards decide three levels of the absence of internal controls1. Control deprivation.A control lack pull rounds if the design or operation of controls does not permit company personnel to prevent or detect mis-statements on a well-timed(a) basis in the normal course of performing theirassigned functions. A design deficiency exists if a necessary control is missing or not properly designed. An operation deficiency exists if a well-designed control does not operate as designed or if the person performing the control is insufficiently qualified or authorized.2. Significant deficiency.A earthshaking deficiency exists if one or more control deficiencies exist that is less(prenominal) severe than a material impuissance (defined under), but important enough to merit attention by those responsible for oversight of the companys financial reporting. 3. Material weakness. A material weakness exists if a significant deficiency, by itself, or in combination with other significant deficiencies, re sults in a evidence able possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis.To determine if a significant internal control deficiency or deficiencies are a material weakness, they must be evaluated along ii dimensions likelihood and significance. If there is more than a reasonable possibility (likelihood) that a material misstatement (significance) could result from the significant deficiency or deficiencies, past it is considered a material weakness. A louver-step tone-beginning can be used to identify deficiencies, significant deficiencies, and Material weaknesses.1. Identify existing controls. Because deficiencies and material weaknesses are the absence of adequate controls, the auditor must first know which controls exist. The methods for identifying controls have already been discussed. 2. Identify the absence of key controls. Internal control questionnaires, attend charts, and walkthroughs are useful tools to identify where controls are lacking and the likelihood of misstatement is so incr consolationd. It is also useful to visualize the control risk matrix, such as to look for objectives where there are no or only a few controls to prevent or detect misstatements. 3. Consider the possibility of compensating controls. A compensating control is one Elsewhere in the system that offsets the absence of a key control. A common example in a small business is the active involvement of the owner. When a compensating control exists, there is no durable a significant deficiency or material weakness.4. Decide whether there is a significant deficiency or material weakness. The likelihood of misstatements and their materiality are used to evaluate if there are significant deficiencies or material weaknesses. 5. Determine potential misstatements that could result. This step is intended to identify specific misstatements that are likely to result because of the significant deficiency or m aterial weakness. The importance of a significant deficiencyor material weakness is at one time related to the likelihood and materiality of potential misstatements. Associate Significant Deficiencies and Material Weaknesses with Related Audit Objectives The same as for controls, each significant deficiency or material weakness can apply to one or more related audit objectives. In the case of Hillsburg, there are two significant deficiencies, and each applies to only one transaction-related objective. The significant deficiencies are shown in the body of the figure by a D in the beguile objective column.Assess Control adventure for Each Related Audit ObjectiveAfter controls, significant deficiencies, and material weaknesses are identified and associated with transaction-related audit objectives, the auditor can assess control risk for transaction related audit objectives. This is the critical termination in the evaluation of internal control. The auditor uses all of the informat ion discussed previously to make a indispensable control risk assessment for each objective. on that point are different ways to express this assessment. about auditors use a subjective expression such as high, moderate, or low. Others use numerical probabilities such as 1.0, 0.6, or 0.2. Again, the control risk matrix is a useful tool for making the assessment. This assessment is not the final one. Before making the final assessment at the end of the unified audit, the auditor will test controls and perform hearty tests.These Procedures can either support the preliminary assessment or cause the auditor to make changes. In some cases, management can correct deficiencies and material weaknesses before the auditor does significant test, which may permit a reducing in control risk. After a preliminary assessment of control risk is make for sales and cash receipts, the auditor can complete the three control risk rows of the evidence- planning worksheet . If tests of controls resul ts do not support the preliminary assessment of control risk, the auditor must modify the worksheet later. Alternatively, the auditor can wait until tests of controls are done to complete the three control risk rows of the worksheet. As part of understanding internal control and assessing control risk, the auditor is requisite to give-up the ghost authoritative matters to those charged with plaque. This cultivation and other recommendations about controls are also often communicated to management.Communications to Thoseaerated With GovernanceThe auditor must communicate significant deficiencies and material weaknesses in writing to those charged with governance as soon as the auditor becomes aware of their existence. The communication is usually addressed to the audit delegacy and to management. Timely communications may provide management an opportunity to address control deficiencies before managements report on internal control must be issued. In some instances, deficiencie s can be corrected sufficiently early such that some(prenominal) management and the auditor can intermit that controls are run effectively as of the balance sheet date. Regardless, these communications must be made no later than 60 days following the audit report release.Management LettersIn addition to these matters, auditors often identify less significant internal control-related issues, as well as opportunities for the client to make operational improvements. These should also be communicated to the client. The form of communication is often a separate garner for that purpose, called a management letter. Although management letters are not required by auditing standards, auditors generally order them as a evaluate-added service of the audit.Test of controlsWeve examined how auditors link controls, significant deficiencies, and material Weaknesses in internal control to related audit objectives to assess control risk for each objective. Now well address how auditors test th ose controls that are used to support a control risk assessment. For example, each key control that the auditor intends to confide on to support a control risk of medium or low must be supported by sufficient tests of controls. We will deal with tests of controls for both audits of internal control for financial reporting and audits of financial statements. Assessing control risk requires the auditor to consider both the design and operation of controls to evaluate whether they will likely be effective in meeting related audit objectives. During the understanding phase, the auditor will have already gathered some evidence in support of both the design of the controls and their implementation by using procedures to obtain an understanding .In most cases, the auditor will not have gatheredenough evidence to precipitate assessed control risk to a sufficiently low level. The auditor must therefore obtain additional evidence about the operate posture of controls end-to-end all, or a t least most, of the period under audit. The procedures to test effectiveness of controls in support of a cut down assessed control risk are called tests of controls. If the results of tests of controls support the design and operation of controls as expected, the auditor uses the same assessed control risk as the preliminary assessment.If, however, the tests of controls indicate that the controls did not operate effectively, the assessed control risk must be reconsidered. For example, the tests may indicate that the application of a control was curtailed midway through the family or that the person applying it made frequent misstatements. In such situations, the auditor uses a higher assessed control risk, unless compensating controls for the same related audit objectives are identified and found to be effective. Of course, the auditor must also consider the impact of those controls that are not run effectively on the auditors Report on internal control.Procedures for Tests of C ontrolsThe auditor is likely to use four types of procedures to support the operating effectiveness of internal controls. Managements test of internal control will likely include the same types of procedures. The four types of procedures are as follows 1. Make inquiries of appropriate client personnel. Although inquiry is not a highly reliable source of evidence about the effective operation of controls, it is fluent appropriate. For example, to determine that unauthorized personnel are denied access to information processing system files, the auditor may make inquiries of the person who controls the computer library and of the person who controls online access security watchword assignments.2. Examine documents, records, and reports. Many controls see a clear trail of documentary evidence that can be used to test controls. Suppose, for example, that when a customer order is received, it is used to create a customer sales order, which is approved for acknowledgment. Then the c ustomer order is attached to the sales order as authorization for upgrade processing. The auditor can test the control by examining the documents to make sure that they are complete and properly matched and that required signatures or initials are present. 3. espouse control-relatedactivities. Some controls do not leave an evidence trail, which delegacy that it is not possible to examine evidence that the control was executed at a later date. For example, separation of duties relies on specific persons performing specific tasks, and there is typically no documentation of the separate achievement. For controls that leave no documentary evidence, the auditor generally observes them universe applied at various points during the year.4. Reperform client procedures. on that point are also control-related activities for which there are related documents and records, but their content is insufficient for the auditors purpose of assessing whether controls are operating effectively. Fo r example, assume that prices on sales invoices are obtained from the master price list, but no indication of the control is documented on the sales invoices. In these cases, it is common for the auditor to reperform the control activity to see whether the proper results were obtained. For this example, the auditor can re perform the procedure by shadow the sales prices to the authorized price list in effect at the date of the transaction. If no misstatements are found, the auditor can conclude that the procedure .Extent of ProceduresThe extent to which tests of controls are applied depends on the preliminary assessed control risk. If the auditor wants a lower assessed control risk, more extensive tests of controls are applied, both in terms of the number of controls tested and the extent of the tests for each control. For example, if the auditor wants to use a low assessed control risk, a larger exemplar size of it for documentation, observation, and re performance procedures sh ould be applied. The extent of testing also depends on the frequency of the operation of the controls, and whether it is manual or automated.Reliance on Evidence from the Prior stratums AuditWhen auditors plan to use evidence about the operating effectiveness of internal control obtained in prior audits, auditing standards require tests of the controls effectiveness at least any third year. If auditors determine that a key control has been changed since it was last tested, they should test it in the current year. When there are a number of controls tested in prior audits that have not been changed, auditing standardsrequire auditors to test some of those controls each year to ensure there is a rotation of controls testing passim the three year period.Testing of Controls Related to Significant take a chancesSignificant risks are those risks that the auditor believes require special audit consideration. When the auditors risk assessment procedures identify significant risks, the auditor is required to test the operating effectiveness of controls that mitigate these risks in the current year audit, if the auditor plans to rely on those controls to support a control risk assessment below 100%. The greater the risk, the more audit evidence the auditor should obtain that controls are operating effectively.Testing Less Than the Entire Audit PeriodRecall that managements report on internal control deals with the effectiveness of internal controls as of the end of the fiscal year. PCAOB Standard 5 requires the auditor to perform tests of controls that are adequate to determine whether controls are operating effectively at year-end. The timing of the auditors tests of controls will therefore depend on the nature of the controls and when the company uses them. For controls that are applied throughout the accounting period, it is usually practical to test them at an interim date. The auditor will then determine later if changes in controls occurred in the period not tested and decide the implication of any change. Controls traffic with financial statement preparation occur only quarterly or at year-end and must therefore also be tested at quarter and year-end.Relationship among Tests of Controls and Procedures to Obtaining Understanding There is a significant overlap between tests of controls and procedures to obtain an understanding. Both include inquiry, documentation, and observation. There are two primary differences in the application of these common procedures. 1. In obtaining an understanding of internal control, the procedures to obtain an understanding are applied to all controls identified during that phase. Tests of controls, on the other hand, are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding. 2. Procedures to obtain anunderstanding are performed only on one or a few transactions or, in the case of observations, at a single point in time. Tests of controls are perfo rmed on larger samples of transactions (perhaps 20 to 100), and often, observations are made at more than one point in time.For key controls, tests of controls other than re performance are essentially an appendix of procedures to obtain an understanding. Therefore, assuming the auditors plan to obtain a low assessed control risk from the beginning of the integrated audit, they will likely combine both types of procedures and perform them simultaneously. One option is to perform the audit procedures separately, where minimal procedures to obtain an understanding of design and operation are performed, followed by additional tests of controls. An alternative is to combine both columns and do them simultaneously. The same come up of evidence is accumulated in the second approach, but more efficiently. The inclination of the appropriate sample size for tests of controls is an important audit decisions.Detection risk and the design of hearty testsWeve cerebrate on how auditors asse ss control risk for each related audit objective and support control risk assessments with tests of controls. The completion of these activities is sufficient for the audit of internal control over financial reporting, even though the report will not be finalized until the auditor completes the audit of financial statements. The auditor uses the control risk assessment and results of tests of controls to determine planned staining risk and related satisfying tests for the audit of financial statements. The auditor does this by linking the control risk assessments to the balance related audit objectives for the accounts affected by the major transaction types and to the four presentations and disclosure audit objectives. The appropriate level of detection risk for each balance-related audit objective is then decided using the audit risk model. The relationship of transaction-related audit objectives to balance-related audit objectives and the selection and design of audit procedure s for material tests of financial statement.Types of testIn developing an overall audit plan, auditors use five types of tests to determine whether financial statements are fairly stated. Auditors use riskassessment procedures to assess the risk of material misstatement, represented by the combination of inherent risk and control risk. The other four types of tests represent and audit procedures performed in response to the risks identified. Each audit procedure falls into one, and sometimes more than one, of these five categories. bode 13-1 shows the relationship of the four types of come along audit procedures to the audit risk model. As encounter 13-1 illustrates, tests of controls are performed to support a reduced assessment of control risk, while auditors use uninflected procedures and tests of details of balances to satisfy planned detection risk. Substantive tests of transactions affect both control risk and planned detection risk, because they test the effectiveness o f internal controls and the sawhorse sign amounts of transactions.Risk Assessment ProceduresTThe second standard of fieldwork requires the auditor to obtain an understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement in the clients financial statements. Risk assessment procedures are performed to assess the risk of material misstatement in the financial statements. The auditor performs tests of controls, substantive tests of transactions, analytic procedures, and tests of details of balances in response to the auditors assessment of the risk of material misstatements.The combination of these our types of further audit procedures provides the basis for the auditors opinion, as illustrated by Figure 13-1. A major part of the auditors risk assessment procedures are done to obtain an Understanding of internal control. Procedures to obtain an understanding of internal control were studied and focus on both the design and implementation of internal control and are used to assess control risk for each transaction-related audit objectively Tests of ControlsEThe auditors understanding of internal control is used to assess control risk for each transaction-related audit objective. Examples are assessing the truth objective for sales transactions as low and the occurrence objective as moderate. When control policies and procedures are believed to be effectively designed, the auditor assesses control risk at a level that reflects the relative effectiveness of those controls. To obtain sufficientappropriate evidence to support that assessment, the auditor performs tests of controls.S Tests of controls, either manual or automated, may include the following types of evidence. (Note that the first three procedures are the same as those used to obtain an understanding of internal control.) Make inquiries of appropriate client personnel Examine documents, records, and reports Observe control-related activi ties Reperform client proceduresAuditors perform a system walkthrough as part of procedures to obtain an under standing to help them determine whether controls are in place. The walkthrough is normally applied to one or a few transactions and follows that transaction through the entire process. For example, the auditor may select one sales transaction for a system walk through of the credit approval process, then follow the credit approval process from presentation of the sales transaction through the granting of credit. Tests of controls are also used to determine whether these controls are effective and usually involve testing a sample of transactions. As a test of the operating effectiveness of the credit approval process, for example, the auditor top executive examine a sample of 50 sales transactions from throughout the year to determine whether credit was granted before the shipment of goods.Procedures to obtain an understanding of internal control generally do not provide sufficient appropriate evidence that a control is operating effectively. An exception may apply for automated controls because of their consistent performance. The auditors procedures to determine whether the automated control has been implemented may also serve as the test of that control, if the auditor determines there is minimal risk that the automated control has been changed since the understanding was obtained. Then, no additional tests of controls would be required. The amount of additional evidence required for tests of controls depends on two things 1. The extent of evidence obtained in gaining the understanding of internal control2. The planned reduction in control riskFigure 13-2 (p. 406) shows the role of tests of controls in the audit of the sales and collection cycle relative to other tests performed to providesufficient appropriate evidence for the auditors opinion. Note the un shaded circles with the wrangle Audited by TOC. For simplicity, we make two assumptions On ly sales and cash receipts trans actions and three general al-Quran balances make up the sales and collection cycle and the beginning balances in cash and accounts receivable were audited in the previous year and are considered correct. If auditors verify that sales and cash receipts transactions are properly recorded in the accounting records and posted to the general script, they can conclude that the ending balances in accounts receivable and sales are correct.(Cash disbursements transactions will OF have to be audited before the auditor can accomplish a conclusion about the ending balance in the cash account.) One way the auditor can verify recording of transactions is to perform tests of controls. If controls are in place over sales and cash receipts transactions, the auditor can perform tests of controls to determine whether the six transaction-related audit objectives are being met for that cycle. Substantive tests of transactions, which we will examine in the next secti on, also affect audit assurance for sales and cash receipts transactions.Substantive Tests of TransactionsSTSSubstantive tests are procedures designed to test for dollar misstatements (often called financial misstatements) that directly affect the correctness of financial statement balances. Auditors rely on three types of substantive tests substantive tests of transactions, substantive analytic procedures, and tests of details of balances. Substantive tests of transactions are used to determine whether all six transactions related audit objectives have been satisfied for each class of transactions. Two of those objectives for sales transactions are recorded sales transactions exist (occurrence objective) and existing sales transactions are recorded (completeness objective for the six transaction-related audit objectives.When auditors are confident that all transactions were the right way recorded in the journals and correctly posted, considering all six transaction-related audit objectives, they can be confident that general ledger totals are correct. Figure 13-2 illustrates the role of substantive tests of transactions in the audit of the sales and collection cycle by light shaded circles with the words Audited by STOT. Observe that both tests of controls and substantive tests of transactions are performed for transactions in the cycle, not on the ending accountbalances. The auditor verifies the recording and summarizing of sales and cash receipts transactions by performing substantive tests of transactions. Figure 13-2 shows one set of tests for sales and another for cash receipts.Analytical Procedures analytic procedures involve comparisons of recorded amounts to expectations developed by the auditor. Auditing standards require that they be done during planning and completing the audit. Although not required, analytical procedures may also be performed to audit an account balance. The two most important purposes of analytical procedures in the audit of account balances are to 1. Indicate possible misstatements in the financial statements2. Provide substantive evidenceAnalytical procedures done during planning typically differ from those done in the testing phase. tear down if, for example, auditors calculate the gross margin during planning, they probably do it using interim data. Later, during the tests of the ending balances, they will reckon the ratio using full-year data. If auditors believe that analytical procedures indicate a reasonable possibility of misstatement, they may perform additional analytical procedures or decide to modify tests of details of balances. When the auditor develops expectations using analytical procedures and concludes that the clients ending balances in certain accounts appear reasonable, certain tests of details of balances may be eliminated or sample sizes reduced.Auditing standards state that analytical procedures are a type of substantive test (referred to as substantive analytical procedures ), when they are performed to provide evidence about an account balance. The Extent to which auditors may be willing to rely on substantive analytical procedures in support of an account balance depends on some(prenominal) factors, including the precision of the expectation developed by the auditor, materiality, and the risk of material misstatement. Figure 13-2 illustrates the role of substantive analytical procedures in the audit of the sales and collection cycle by the dark shaded circles with the words Audited by AP. Observe that the auditor performs substantive analytical procedures on sales and Cash receipts transactions, as well as on the ending balances of the accounts in the cycle.Tests of Details of BalancesTests of details of balances focus on the ending general ledger balances for both balance sheet and income statement accounts. The primary emphasis in most tests of details of balances is on the balance sheet. Examples include arrest of customer balances for accounts receivable, physical examination of inventory, and examination of vendors statements for accounts payable. Tests of ending balances are essential because the evidence is usually obtained from a source independent of the client, which is considered highly reliable. Much like for transactions, the auditors tests of details of balances must satisfy all balance-related audit objectives for each significant balance sheet account.Figure 13-2 illustrates the role of tests of details of balances by the circles with half dark and half light shading and the words Audited by TDB. Auditors perform detailed tests of the ending balances for sales and accounts receivable, including procedures such as confirmation of account receivable balances and sales cutoff tests. The extent of these tests depends on the results of tests of controls, substantive tests of transactions, and substantive analytical procedures for these accounts. Tests of details of balances help establish the monetary correctness of the accounts they relate to and therefore are substantive tests. For example, confirmations test for monetary misstatements in accounts receivable and are therefore substantive tests. Similarly, counts of inventory and cash on hand are also substantive tests.OSelect the appropriate types of audit testsTypically, auditors use all five types of tests when performing an audit of the financial statements, but certain types may be emphasized, depending on the circumstances. Recall that risk assessment procedures are required in all audits to assess the risk of material misstatement while the other four types of tests are performed in response to the risks identified to provide the basis for the auditors opinion. Note also that only risk assessment procedures, especially procedures to obtain an understanding of controls, and tests of controls are performed in an audit of internal control over financial reporting. Several factors govern the auditors choice of the types of tests to sele ct, including the availability of the eight types of evidence, the relative costs of each type of test, the effectiveness ofinternal controls, and inherent risks. Only the first two are discussed further because the last two were discussed in earlier chapters. Availability of Types of Evidence for Further Audit Procedures OEach of the four types of further audit procedures involves only certain types of evidence (confirmation, documentation, and so forth. More types of evidence, six in total, are used for tests of details of balances than for any other type of test. Only tests of details of balances involve physical examination and confirmation. Inquiries of the client are made for every type of test. Documentation is used in every type of test except analytical procedures. Re performance is used in every type of test except analytical procedures. Auditors may re perform a control as part of a transaction walkthrough or to test a control that is not supported by sufficient docum entary evidence. Recalculation is used to verify the mathematical accuracy of transactions when per forming substantive test of transactions and account balances when per forming tests of details of balances.Relative CostsWhen auditors must decide which type of test to select for obtaining sufficient appropriate evidence, the cost of the evidence is an important consideration. The types of tests are listed below in order of increasing cost Analytical procedures Risk assessment procedures, including procedures to obtain an understanding of internal control Tests of controls Substantive tests of transactions Tests of details of balancesAnalytical procedures are the least costly because of the relative ease of making calculations and comparisons. Often, considerable information about potential misstatements can be obtained by simply comparing two or three numbers. Risk assessment procedures, including procedures to obtain an understanding of internal control, are not as costly as ot her audit tests because auditors can easily make inquiries and observations and perform planning analytical procedures. Also, examining such things as documentssummarizing the clients business operations and processes and management and governance mental synthesis are relatively cheaper than other audit tests. Because tests of controls also involve inquiry, observation, and inspection, their relative costs are also low compared to substantive tests.However, tests of controls are more costly relative to the auditors risk assessment procedures due to a greater extent of testing required to obtain evidence that a control is operating effectively, especially when those tests of controls involve re performance. Often, auditors can perform a large number of tests of controls quick using audit software. Such software can test controls in clients computerized accounting systems, such as in computerized accounts receivable systems that automatically authorize sales to existing customers by comparing the proposed sales amount and existing accounts receivable balance with the customers credit limit. Substantive tests of transactions cost more than tests of controls that do not include re performance because the former often require recalculations and tracings.In a computerized environment, however, the auditor can often perform substantive tests of transactions quickly for a large sample of transactions. Tests of details of balances just about ever so cost considerably more than any of the Other types of procedures because of the cost of procedures such as sending confirmations and counting inventories. Because of the high cost of tests of details of balances, auditors usually try to plan the audit to minimize their use. Naturally, the cost of each type of evidence varies in different situations. For example, the cost of an auditors test-counting inventory (a substantive test of the details of the inventory balance) often depends on the type and dollar value of the I nventory, its location, and the number of different items.Relationship between Tests of Controls and Substantive Tests To better understand tests of controls and substantive tests, lets examine how they differ. An exception in a test of control only indicates the likelihood of misstatements affecting the dollar value of the financial statements, whereas an exception in a substantive test of transactions or a test of details of balances is a financial statement misstatement. Exceptions in tests of controls are called control test deviations. From the three levels of control deficiencies deficiencies, significant deficiencies, andmaterial weaknesses. Auditors are most likely to believe material dollar misstatements exist in the financial statements when control test deviations are considered to be significant deficiencies or material weaknesses. Auditors should then perform substantive tests of transactions or tests of details of balances to determine whether material dollar misstatem ents have actually occurred.Assume that the clients controls require an independent clerk to verify the quantity, price, and extension of each sales invoice, after which the clerk must initial the duplicate invoice to indicate performance. A test of control audit procedure is to inspect a sample of duplicate sales invoices for the initials of the person who verified the information. If a significant number of documents lack initials, the auditor should consider implications for the audit of internal control over financial reporting and follow up with substantive tests for the financial statement audit. This can be done by extending tests of duplicate sales invoices to include verifying prices, extensions, and footings (substantive tests of transactions) or by increasing the sample size for the confirmation of accounts receivable (substantive test of details of balances).Even though the control is not operating effectively, the invoices may silence be correct, especially if the per son originally preparing On the other hand, if no documents or only a few of them are missing initials, the control will be considered effective and the auditor can therefore reduce substantive tests of transactions and tests of details of balances. However, some re performance and recalculation substantive tests are still necessary to provide the auditor assurance that the clerk did not initial documents without actually performing the control procedure or performed it carelessly. Because of the need to complete some re performance and recalculation tests, many auditors perform them as a part of the original tests of controls. Others wait until they know the results of the tests of controls and then determine the total sample size needed.Relationship between Analytical Procedures and Substantive Tests Like tests of controls, analytical procedures only indicate the likelihood of misstatements affecting the dollar value of the financial statements. Unusual fluctuations in the relatio nships of an account to other accounts, or to nonfinancial information, may indicate an increased likelihood that material misstatements exist without necessarily providing direct evidence of amaterial misstatement. When analytical procedures identify unusual fluctuations, auditors should perform substantive tests of transactions or tests of details of balances to determine whether dollar misstatements have actually occurred.If the auditor performs substantive analytical procedures and believes that the likelihood of material misstatement is low, other substantive tests can be reduced. For accounts with small balances and only minimal potential for material misstatements, such as many supplies and prepaid expense accounts, auditors often limit their tests to substantive analytical procedures if they conclude the accounts are reasonably stated.Trade-Off between Tests of Controls and Substantive TestsThere is a trade-off between tests of controls and substantive tests. During planning , auditors decide whether to assess control risk below the maximum. When they do, they must then perform tests of controls to determine whether the assessed level of control risk is supported. (They must always perform test of controls in an audit of internal control over financial reporting.) If tests of controls support the control risk assessment, planned detection risk in the audit risk model is increased, and planned substantive tests can therefore be reduced. Figure 13-3 shows the relationship between substantive tests and control risk assessment (including tests of controls) at differing levels of internal control effectivenessImpact of information technology on audit testingAuditing standards provide guidance for auditors of entities that transmit process, maintain, or access significant information electronically. Examples of electronic evidence include records of electronic fund transfers and purchase orders transmitted through electronic data interchange (EDI). Evidence o f the performance of automated controls, such as the computers comparison of proposed sales orders to customer credit limits, may also only be in electronic form. The standards recognize that when a significant amount of audit evidence exists in electronic form, it may not be practical or possible to reduce detection risk to an acceptable level by performing only substantive tests. For example, the potential for unlawful initiation or alteration of information may be greater if information is maintained only in electronic form.In these circumstances, the auditor should performtests of controls to gather evidence in support of an assessed level of control risk below maximum for the affected financial statement assertions. Although some substantive tests are still required, the auditor can significantly reduce substantive tests if the results of tests of controls support the effectiveness of controls. In the audit of a larger public company, computer-performed controls (these are cal led automated controls) must be tested if the auditor considers them to be key controls for reducing the likelihood of material misstatements in the financial statements. Because of the inherent consistency of IT processing, however, the auditor may be able to reduce the extent of testing of an automated control.For example, software based control is almost certain to function consistently unless the program is changed. Once auditors determine an automated control is functioning properly, they can focus subsequent tests on assessing whether any changes have occurred that will limit the effectiveness of the control. Such tests might include determining whether any changes have occurred to the program and whether these changes were properly authorized and tested prior to implementation. This approach leads to significant audit efficiencies when the auditor determines that automated controls tested in the prior years audit have not been changed and continue to be subject to effective g eneral controls.To test automated controls or data, the auditor may need to use computer-assisted audit techniques or use reports produced by IT to test the operating effectiveness of IT general controls, such as program change controls and access controls. In many cases, testing of automated controls may be performed by IT audit specialists. When auditors test manual controls that rely on IT-generated reports, they must consider both the Effectiveness of managements review and automated controls over the accuracy of Information in the report.