| LEVEL OF AGGREGATION |
AUDIT STAGES | ||||
|---|---|---|---|---|---|
| Client acceptance/ retention |
Audit planning | Control testing | Substantive testing | Opinion formulation | |
| Account balance assertion level |
na | CR2 | CR3 | CR4 | na |
During the audit planning stage, auditors evaluate CR2 for those account balance assertions that the auditor has identified as significant risks in the evaluation of IR2. Revenue account balances are always identified as significant risks. The evaluation is based on (a) the evaluation of CR1 for the related financial statement item assertion (b) the auditor's understanding of the accounting information system and related internal control and (c) an evaluation of the control polices affecting the account balance assertion as well as the effectiveness of design of internal control procedures that address the account balance assertion. The auditor gathers evidence of the effectiveness of the design of a control procedure through inquiry of client personnel, inspection of documentary evidence, reperforming the procedure, and certain CAATs.
The value of CR1 is then adjusted for any increased or reduced control risk relating the account balance assertion. The final evaluation of CR2 as LOW, MODERATE or HIGH assists is determining the audit approach for that account balance assertion. The more effective the design effectiveness of control procedures relating to a particular account balance assertion, the lower the evaluation of CR2. Where the auditor evaluates CR2 for a particular account balance assertion as either LOW or MODERATE, the auditor may plan reliance on the control procedure and adopt, for that account balance assertion, a systems, or part systems, audit approach. If the auditor evaluates CR2 as HIGH, then s/he does not plan any reliance on the control procedure and instead adopts a substantive approach for that account balance assertion. Note that where CR2 is not, for any reason, evaluated, it is assumed to be HIGH [fn].
During the control testing stage, which is applicable to those account balance assertions for which a controls testing or part controls testing approach has been adopted, auditors re-evaluate control risk for those control procedures upon which reliance has been planned. Auditors base the subsequent evaluation of CR3 on the effectiveness of operation of the internal control procedures. Auditors consider a control procedure to be operationally effective if the procedure is operating as it was designed to operate. Auditors refer to the activities used to gather this evidence as tests of control. These tests gather evidence, for example, that the control is executed at the planned time, by the person proposed, continuously throughout the period of intended reliance and supervised as planned.
The tests of control performed by the auditor may detect a number of control deviations. A control deviation (a type of exception) is evidence that a control procedure is not operating as it was designed to operate. For example, if the design of controls over the validity of purchase orders required all purchase orders to be approved by a particular employee, then evidence that a particular purchase order was not approved is evidence of a control deviation. The more control deviations, the greater is the evaluation of CR3.
There is a level or frequency of control deviations that is acceptable to the auditor. This is so because a control deviation does not always result in a monetary misstatement. For example, a purchase order that is not authorized by the appropriate employee is a departure from the design of the control, but it does not necessarily mean that a monetary misstatement has occurred. The purchase order, apart from not being authorized, may be valid in all other respects. Another example is a control procedure that requires all inventory to be counted by employees with no incompatible duties. If the auditor finds that some inventory was counted by a person with incompatible duties, a control deviation exists. However, this does not necessarily mean that inventory is misstated. Thus auditors decide, before performing the tests of controls, an acceptable level for each type of deviation that may occur. The greater the acceptable level of control deviations, the lower is the evaluation of CR3.
Where the number of control deviations is significantly less than the acceptable level, CR3 may be evaluated as LOW; where it equals the acceptable level, CR3 may be evaluated as MODERATE; where it significantly exceeds the acceptable level, CR3 is evaluated as HIGH. (Note that where the number of deviations exceeds the acceptable level, the auditor advises the client's management of details of these deviations.)
When CR3 is evaluated as HIGH, an alternative open to the auditor is to identify whether there is a compensating (or mitigating) control. That is, a control, or perhaps a group of controls, that is or are designed to achieve the same objective as the first identified control. If so, the auditor may need to gather and evaluate evidence as to the effectiveness of the latter control(s). For example, in a small business there may be an insufficient number of employees to segregate incompatible duties. However, a compensating control in this instance may be the existence of a greater level of supervision over the performance of the procedure.
In the substantive testing stage auditors re-evaluate CR3 based on any additional knowledge concerning the effectiveness of the internal controls obtained during the substantive testing stage. The revised evaluation is referred to as CR4. Note that as the audit progresses, the auditor gains more and more detailed and up to date knowledge concerning the design and operational effectiveness of control procedures. Where appropriate, the auditor uses that knowledge to update the evaluations of control risk.
Copyright, Australian Educational Research Pty Ltd. Any person accessing this site agrees to the Terms of Use.