
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts




        Designing Tests of Controls

        Tests of controls are used to gain evidence about the operating effectiveness of controls included in any of
        the five elements of internal control. See the illustration below and Volume 1, Chapter 5 of this Guide for
        additional information on each of the five internal control elements.

        Exhibit 10.5-1
        [Figure: Significant F/S Accounts & Disclosures. Labels: Pervasive Controls; Specific Controls; Control
        Environment; Risk Assessment; Monitoring; Entity Level Controls; General IT controls; Information System;
        Control Activities; Transactional Controls; IT application controls; Transactions. Includes controls over:
        Fraud (management override); Centralized processing; Period-end financial reporting process.]


        Specific controls (such as control activities) directly address the prevention or detection and correction of
        misstatements, whereas pervasive controls provide the foundation for the specific controls and influence
        their operation.

        In smaller entities, some pervasive controls (such as the control environment) may also serve to address
        specific risks of misstatement for a relevant assertion (e.g., where senior management is directly involved in
        supervising and approving day-to-day transactions). In this case, if the pervasive controls were tested and
        found to operate effectively, there would be no need to test other controls (such as control activities) related
        to the particular risks involved.


           CONSIDER POINT

           Domination of management by a single individual does not mean that internal control is weak or does
           not exist. In fact, the involvement of a competent owner-manager in the detailed day-to-day operations
           would be an important control-environment strength. The opportunity for management override
           of internal control still exists, but can be reduced to some extent (in virtually any size of entity) by
           implementing some simple anti-fraud controls. (See Volume 1, Chapter 5.)



