Page 133 - Internal Auditing Standards
P. 133

Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts





          Address              Description
          Reliability of the   As a general rule, it is not worth testing controls that may prove to be unreliable,
          Controls             because the small sample sizes commonly used for testing controls are based on no
                               deviations being found. If any of the following factors are significant, it may be more


                               effective to perform substantive procedures (if possible):
                               •     History of errors.
                               •     Changes in the volume or nature of transactions.
                               •     The underlying entity-level and general IT controls are weak.
                               •     Controls can be (or have been) circumvented by management.
                               •     Infrequent operation of the control.

                               •     Changes in personnel or competence of people performing the control.

                               •     There is a significant manual element in the control that could be prone to error.
                               •     Complex operation, and major judgments involved with its operation.
          Existence of         Does control depend on effective operation of other controls?

          Indirect Controls

                               This could include non-financial information produced by a separate process, the
                               treatment of exceptions, and periodic reviews of reports by managers.
          Nature of Test       Tests of controls usually involve a combination of the following:
          to Meet Objectives
                               •     Inquiries of appropriate personnel;
                               •     Inspection of relevant documentation;
                               •     Observation of the company’s operations; and
                               •     Re-performance of the application of the control.

                               Note that inquiry alone would not be sufficient evidence to support a conclusion



                               about the effectiveness of a control. For example, to test the operating eff ectiveness
                               of internal control over cash receipts, the auditor might observe the procedures for
                               opening the mail and processing cash receipts. Because an observation is pertinent
                               only at the point in time at which it is made, the auditor would supplement the
                               observation with inquiries of entity personnel and inspection of documentation
                               about the operation of such internal control at other times.




           CONSIDER POINT

           Determine what constitutes a control deviation.

           When designing a test of control, spend time to define exactly what constitutes an error or exception


           to the test. This will save time spent by audit staff in determining whether a seemingly minor exception
           (such as an incorrect telephone number) is, in fact, a control deviation.


        Automated Controls
        There may be some instances where control activities are performed by a computer and supporting
        documentation does not exist. In these situations, the auditor may have to re-perform some controls to
        ensure the software application controls are working as designed. Another approach is to use Computer-
        Assisted Audit Techniques (CAATs). One example of a CAAT is a software package that can import an entity’s


                                                                                                                   131
   128   129   130   131   132   133   134   135   136   137   138