Page 136 - Internal Auditing Standards
P. 136
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts
Paragraph # Relevant Extracts from ISAs
330.14 If the auditor plans to use audit evidence from a previous audit about the operating
effectiveness of specific controls, the auditor shall establish the continuing relevance of that
evidence by obtaining audit evidence about whether significant changes in those controls
have occurred subsequent to the previous audit. The auditor shall obtain this evidence by
performing inquiry combined with observation or inspection, to confirm the understanding of
those specific controls, and:
(a) If there have been changes that affect the continuing relevance of the audit evidence from
the previous audit, the auditor shall test the controls in the current audit. (Ref: Para. A36)
(b) If there have not been such changes, the auditor shall test the controls at least once in
every third audit, and shall test some controls each audit to avoid the possibility of testing
all the controls on which the auditor intends to rely in a single audit period with no testing
of controls in the subsequent two audit periods. (Ref: Para. A37-A39)
330.29 If the auditor plans to use audit evidence about the operating effectiveness of controls
obtained in previous audits, the auditor shall include in the audit documentation the
conclusions reached about relying on such controls that were tested in a previous audit.
Rotational Testing of Controls
Assuming that the factors outlined in the exhibit below do not apply, it is possible that the tests of operating
effectiveness of internal controls may only need to be performed once every third audit. The actual period of
reliance will be based on professional judgment, but cannot exceed two years.
Factors that would rule out the use of rotational testing are outlined below.
Exhibit 10.5-6
Use of control testing performed in prior years is NOT permitted when:
Reliance on the control is required to mitigate a “signifi cant risk”;
The operation of the internal control has changed during the period, or the risk being mitigated by the
control has changed;
A weak control environment exists;
The ongoing monitoring of internal control operation is poor;
There is a significant manual element to the operation of relevant controls;
Personnel changes have occurred that signifi cantly affect the application of the control;
Changing circumstances indicate the need for changes in the operation of the control; and/or
General IT controls are weak or ineff ective.
Before audit evidence obtained in prior audits can be used, the continuing relevance of such evidence needs to
be established each period. This will include confirming the understanding of those specific controls through:
• Inquiry of management and others about changes; and
• Observation or inspection of the internal control to determine its continuing implementation.
134