Page 132 - Internal Auditing Standards

Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts





        In other cases, the link between pervasive and specific controls may be more direct. For example, some monitoring controls may identify control breakdowns in specific (business process) controls. Testing these monitoring controls for effectiveness might reduce (but not eliminate) the need for testing more specific controls.

        Tests of pervasive controls (often referred to as entity-level and general IT controls) tend to be more subjective (such as evaluating the commitment to integrity or competence), and therefore tend to be more difficult to document than specific internal control at the business process level (such as checking to see if a payment was authorized). As a result, the testing of entity-level and general IT controls is often documented with memoranda to the file explaining the approach taken and the action steps (e.g., staff interviews, assessments, review of employee files, etc.), along with supporting evidence.

        This approach is illustrated in the following example.
        Exhibit 10.5-2

        Testing Pervasive (entity-level) Controls

         Control Component = Control Environment

         Risk Addressed            No emphasis is placed on need for integrity and ethical values.

         Controls Identified       Management requires all new employees to sign a form stating their
                                   agreement with the firm’s fundamental values and understanding of the
                                   consequences for non-compliance.

         Control Design            Read the form to be signed by employees and ensure it does indeed
                                   address integrity and ethical values.

         Control Implementation    Review one employee file to ensure there is a signed form, and consider
                                   what evidence exists (such as discipline) that employees actually
                                   practice the values. This could be based on a short interview with an
                                   employee.

         Test of Controls          Select a sample of employee files and ensure there are agreement forms
         Effectiveness             on file and they are signed by the employee. This would be supplemented
                                   by asking a sample of employees some questions about the stated entity
                                   policies.

         Documentation             Prepare a memo that provides details of the employee files selected,
                                   and notes from interviews (including the name of the person and the
                                   date) along with the conclusions reached.

        Some key factors for the auditor to consider when designing a test of controls are listed below.


        Exhibit 10.5-3

         Address                   Description

         What Risk of Material     Identify the risk of material misstatement and the related assertion
         Misstatement and          that would be addressed by performing tests of control. Then consider
         Assertion Is Being        whether audit evidence about the relevant assertion can be best
         Addressed?                obtained by performing tests of controls or through substantive
                                   procedures.









