International Journal of Auditing
Int. J. Audit. 8: 185–194 (2004)

Tests of Control in the Audit Risk Model: Effective? Efficient?

J. H. Blokdijk*

Lately, the Audit Risk Model has been subject to criticism. To gauge its validity, this paper confronts the Audit Risk Model as incorporated in International Standard on Auditing No. 400, with the real life situations faced by auditors in auditing financial statements. This confrontation exposes serious deficiencies in the Audit Risk Model, especially regarding tests of control. One conclusion is that internal controls that cannot be reperformed by an auditor, should be disregarded in assessing control risk. Another conclusion is that tests of the other internal controls are far more effective in focusing specific substantive tests, than in assessing control risk with the aim of reducing the size of a random sample. The paper concludes with a proposal for restructuring the audit process.

Key words: Audit risk model, risk analysis, tests of control, control risk, audit process, internal control and the auditor.

SUMMARY

The Audit Risk Model that is being used, on a worldwide basis, to underpin the audits of financial statements, is being criticised. This paper offers an analysis of the model, resulting in a proposal for restructuring the audit process.

The model has been codified in International Standard on Auditing (ISA) 400. It is essentially based on the idea that an auditor’s ‘detection risk’ is influenced by ‘inherent risk’ and ‘control risk’. The latter risks are incurred by the auditee, whereas detection risk applies to the auditor only. Inherent risk is largely determined by the activities of the auditee, but it is influenced by external forces. Control risk is purely internal; it derives from management’s decisions on the level of internal control required. The auditor cannot influence these risks; he/she can only assess them to determine the amount of audit work required to reduce his/her detection risk to an acceptable level.

Control risk encompasses three aspects: the design, the ‘existence’ and the actual operation of the controls. The auditor should test the actual operation by performing ‘tests of control’. ISA 400 covers the assessment of inherent risk and of the design and ‘existence’ of internal control reasonably well. So, the analysis focuses on tests of control.

To that end, internal control is reviewed for the three stages of preparation of financial statements:
A. Occurrence of events and their first recording in the accounting system.
B. Data processing, resulting in a routine product, ‘the trial balance’.
C. Adjusting the trial balance in order to arrive at the final balance sheet and income statement.

At stage C there is hardly any internal control in the traditional sense.

*Correspondence to: [email protected]
ISSN 1090–6738 © Blackwell Publishing Ltd 2004. Published by Blackwell Publishing, 9600 Garsington Road, Oxford OX4 2DQ, UK and 350 Main Street, Malden, MA 02148, USA.

Stage A normally contains many internal controls, but most of these cannot be reperformed by the auditor, for reasons explained in the paper. So, these ‘non-reproducible’ internal controls should be disregarded in risk analysis, as their eventual absence cannot be compensated by additional audit work.

The internal controls in stage B are ‘reproducible’ in principle, but it is hardly practicable to test the entire chain of internal controls in this stage. The few practicable tests would be far more effective if used to focus substantive tests on specific items, rather than to determine the size of random samples. Moreover, tests of internal controls in this stage would nearly always involve substantive tests. In ISA 400, tests of control conceptually precede substantive procedures, and serve to determine their nature, extent and timing. ISA 400 moves in a semantic circle that does not provide much guidance to auditing practice, and does not cover all relevant internal controls.

On the basis of these findings, I propose:
1. to abolish tests of control as an element of audit risk analysis;
2. to introduce a new stage in the audit process, that encompasses both certain system-oriented and data-oriented procedures that serve to focus substantive tests of details on items with relevant characteristics.

The structure of the audit of financial statements would conform more with reality, as faced by auditors.

INTRODUCTION

International regulations on auditing have been based on the so-called ‘Audit Risk Model’, witness the International Standard on Auditing 400 (ISA 400), issued by the International Federation of Accountants (IFAC).

As the International Standards on Auditing have been accepted by a large number of accountancy bodies in numerous countries, the majority of audits of large companies’ financial statements are being performed conforming with the International Standards on Auditing (ISAs). Consequently, these audits are based on the Audit Risk Model.

In recent times, the Audit Risk Model has come under severe criticism, especially from the Securities and Exchange Commission (SEC) of the United States. On October 7, 1999, the then chairman of the SEC, Arthur Levitt, Jr. stated: ‘In an era that calls for greater risk management, the industry has migrated to what they call the ‘risk-based’ model. [. . .] Because of the challenges of executing these new standards well, I wonder if the public interest is being better served. We cannot permit thorough audits to be sacrificed for re-engineered approaches that are marginally more efficient, but significantly less effective.’

One year earlier, Mr. Levitt had requested the Public Oversight Board to appoint a Panel on Audit Effectiveness, which was to review and evaluate how independent audits of the financial statements of public companies were performed. The Panel issued its final Report and Recommendations on August 31, 2000. It pronounced itself ‘satisfied that the model underpinning financial statement audits generally is appropriate, although in need of enhancing and updating’. This rather soothing conclusion did not exactly induce the auditing profession to seek a critical review of the bases of the Audit Risk Model.

The Panel, however, also concluded: ‘Thus, examining the efficacy of the audit process alone is not the answer to assessing audit effectiveness’. So, the Panel seemed to share Mr. Levitt’s criticism, at least partly. As it affects the audits of the financial statements of the largest companies in the world, it seems useful to take a hard look at the Audit Risk Model as the basis of such audits. To that end, I will:
1. describe and analyse the Audit Risk Model as developed in ISA 400;
2. analyse the process of preparing financial statements in connection with the ideas underlying the Audit Risk Model;
3. analyse the auditor’s possibilities in the two relevant stages in said process;
4. review ISA 400 in the light of the conclusions reached;
5. offer a proposal for restructuring the audit process.

The International Standards on Auditing aim at establishing standards and providing guidance on the structuring of an audit. On the basis of the following analysis, I propose to revise that structure. Though the analysis necessarily involves some specific procedures, the proposal should be judged on the same level of abstraction as the current International Standards on Auditing.

THE AUDIT RISK MODEL ACCORDING TO ISA NO. 400

The Audit Risk Model is essentially based on the idea that an auditor’s ‘detection risk’ is influenced by ‘inherent risk’, and ‘control risk’. ISA 400 defines ‘detection risk’ in paragraph 6 as: ‘the risk that an auditor’s substantive procedures will not detect a misstatement that exists in an account balance or class of transactions that could be material, individually or when aggregated with misstatements in other balances or classes.’ In paragraph 4, ‘inherent risk’ is defined as: ‘the susceptibility of an account balance or class of transactions to misstatements that could be material, individually or when aggregated with misstatements in other balances or classes.’ ‘Control risk’ is described in paragraph 5 as: ‘the risk that a misstatement, that could occur in an account balance or class of transactions and that could be material, individually or when aggregated with misstatements in other balances or classes, will not be prevented or detected and corrected on a timely basis by the accounting and internal control systems’.

Note that both inherent risk and control risk are incurred by the auditee, whereas detection risk applies to the auditor only. Once management has decided on the activities to be engaged in, inherent risk is largely a given quantity. Management then decides on the acceptable level of control risk, and implements the necessary measures of internal control. The auditor cannot influence inherent risk; he/she can only indirectly influence control risk by advising on the internal controls that management should implement.

When confronted with a draft of financial statements to be audited, the auditor cannot do more than assess inherent risk and control risk, in order to determine his/her detection risk. This has been recognized in paragraph 42 of ISA 400, which reads as follows: ‘The auditor should consider the assessed levels of inherent and control risks in determining the nature, timing and extent of substantive procedures required to reduce audit risk to an acceptably low level’. The purpose of this assessment has been stated in paragraph 47: ‘The higher the assessment of inherent and control risk, the more audit evidence the auditor should obtain from the performance of substantive procedures’. ISA 400 also states, in paragraph 45: ‘Regardless of the assessed levels of inherent and control risks, the auditor should perform some substantive procedures for material account balances and classes of transactions’.

ISA 520 states in paragraph 10: ‘The auditor’s reliance on substantive procedures to reduce detection risk relating to specific financial assertions may be derived from tests of details, from analytical procedures, or from a combination of both’. For the purpose of this analysis, two types of substantive procedures are distinguished:
1. Selective: tracing and testing specific items ‘because they are of high value, or exhibit some other characteristic, for example items that are suspicious, unusual, particularly risk-prone or that have a history of error’ (ISA No. 530, para. 25).
2. Random: selecting and testing items without regard to any characteristic.

Only analytical procedures support the first category of substantive procedures. The assessment of inherent risk and control risk is primarily relevant for the determination of random sample sizes; to that end, these risks must be quantified.

Risky activities should be safeguarded by a higher level of internal control than less risky ones. Consequently, control risk cannot be meaningfully assessed without assessing inherent risk first. But it is, in effect, the product of the two risks that the auditor faces in planning his audit. As ISA 400 states in paragraph 40, inherent risk and control risk are highly related.

Inherent risk is largely determined by the activities of the auditee, but it is influenced by external forces. Control risk is purely internal; it derives from management’s decisions on the level of internal control to be implemented, and depends on the degree of compliance by the employees. This is why internal control is a central theme in ISA 400, which is titled ‘Risk Assessments and Internal Control’. Paragraph 2 states: ‘The auditor should obtain an understanding of the accounting and internal control systems sufficient to plan the audit and develop an effective audit approach’.

Assessing internal control

In this respect, ISA 400 distinguishes between the design and the operation of the accounting and internal control systems. In order to achieve the understanding of the systems, the auditor may, according to ISA 400, perform a ‘walk-through test’, that is, trace a few transactions through the accounting system (para. 15). Furthermore, the auditor should perform ‘tests of control’ to obtain audit evidence about the effectiveness of the design of the systems, and of the operation of the internal controls throughout the period (para. 27).

This structure is not very clear. In practice, a distinction into three aspects may be more recognizable:
1. The design of the systems, which can be understood and evaluated by consulting documentation, such as manuals, and which need not be repeated as long as the systems remain unchanged.
2. The ‘existence’ of the systems (have they been implemented? or, in subsequent periods, have they been unchanged?), which should be verified in every audit period, for example, by performing the above walk-through tests.
3. The actual operation of the systems, which should be verified by tests of control, and cover the entire audit period.

ISA 400 does not require the verification of the continuing existence of systems for which the design has been evaluated. This may, however, be achieved by a ‘walk-through test’, if performed during every audit period. The verification of the existence of internal controls in the systems might also be done by way of tests of control; if a control designed in a system does not in fact exist, tests of control will reveal this. In this respect, tests of control are more effective in determining the existence of the systems than to achieve the purpose stated in paragraph 27: to determine the effectiveness of their design. Of course, errors found in tests of control do shed light on the effectiveness of the operation of the system, but much less so on the effectiveness of its design.

Even though somewhat impractically structured, the requirements in ISA No. 400 regarding the design and the existence of the systems seem reasonably adequate and practicable. This is not quite clear regarding the operation of the systems: the effectiveness of tests of control is a large question mark, as will be shown in the following analysis of the process of preparation of financial statements and of the internal controls involved.

THE STAGES OF THE PREPARATION OF FINANCIAL STATEMENTS

The preparation of financial statements involves three stages:
A. Occurrence of events and their first recording in the accounting system.
B. Data processing, resulting in a routine product, ‘the trial balance’.
C. Adjusting the trial balance in order to arrive at the final balance sheet and income statement.

In stage A, internal control serves to ensure that the events (e.g., transactions, production) conform to management’s directives, and that the first recording of the events conforms with reality. In practice, these two purposes are often inseparable: an approval stamp for goods received means that the goods ordered from the supplier are of good quality, and that the related data can be processed in the accounting system. As quality control of goods received and data processing are not normally performed by the same person, the data processor and, subsequently, the payments officer should have evidence of the performance of the internal control by the quality inspector.

Stage B consists of the input of the data into the accounting system, sorting these data (assigning them to different accounts), and of summarizing and balancing the accounts. Internal control serves to ensure that these operations are performed correctly.

Stage C is the non-routine part of the preparation of financial statements. It mainly involves the application of subjective judgments, such as the determination of provisions, and other non-routine operations, such as the determination of obligations resulting from pension plans, share option plans and the like, and of income tax. This stage is crucial in the preparation of financial statements: management normally exercises direct influence on this stage of the accounting process. Its decisions may be scrutinized by a board of directors and/or an audit committee, but the auditor cannot confine him/herself to reading the minutes of their meetings and ascertaining that management’s decisions have been reviewed, which would be a test of control. The auditor should form his/her own judgment as to the acceptability of these, normally crucial, decisions.

Consequently, the audit in stage C should be performed by applying substantive procedures. As the number of accounting adjustments in stage C is normally very small compared to the number of accounting entries in stages A and B, this is not a large problem in practice.

So, the issue is confined to stages A and B. These stages differ in nature, so they merit separate consideration, which will be given in the following two sections.

EVENTS AND THEIR FIRST RECORDING: INTERNAL CONTROL AND THE AUDITOR

As stated above, the procedures outlined in ISA 400 to evaluate the design and to determine the existence of the systems, including internal control, seem sufficiently effective; therefore, this critical review is restricted to tests of control to assess the operation of the systems.

Performance of internal controls in stage A should normally be evidenced in some form, by stamps, initials on a voucher, and the like. The control should be performed by the appropriate employee: the system should provide for an adequate segregation of duties. Evidence of performance should include the identity of the employee.

But how conclusive is that evidence? ISA 400 mentions several inherent limitations of internal control, such as human error, circumvention of internal controls through collusion, and management override. In performing tests of control, can the auditor detect this? This would only be possible if the auditor were able to reperform the internal controls involved.

The problem can be illustrated with an example given in Blokdijk et al. (1995, p. 63) described below. This example involves invoices for goods or services received. It does not yet deal with the circumstance that many internal controls in stage A are no longer evidenced in visible form, but are embedded in the automated systems (see next section).

Regarding those invoices, the auditor can easily reperform the computation of the final amount and of a sales tax amount included in it. Reperformance of the internal control on the price invoiced is more difficult: it may be in agreement with a price list from the supplier that the auditor may consult, but employees in the purchasing department are paid by their company to obtain a better price. The difference may partly or wholly end up in their own pockets by way of kick-backs. Only a thorough knowledge of that particular market would enable the auditor to uncover such a deception; as he/she cannot be expected to have such expertise in all the markets where his/her clients do business, he/she must rely on the system of internal control.

Similar considerations apply to the receipt of goods and the performance of services. Some goods could be traced afterwards, though that may be highly impractical. Most office supplies, however, are simply used up, and as to services, it is virtually impossible to ascertain that the windows actually have been cleaned if the audit takes place three months after. For the most important aspects of those purchases, the auditor cannot do much more than look for evidence of the performance of internal control.

So, there are internal controls that cannot be reperformed by the auditor. The issues raised in these circumstances have been explored extensively in Dutch auditing literature. The best English translation I have been able to find for this type of internal controls is: ‘non-reproducible’ internal controls.

Sometimes, investigative techniques designed to overcome the restrictions outlined above, do exist, but an independent auditor is not allowed to use them. An example is the situation in which an auditor has suspicions about a credit note purportedly granted by his/her client to another company audited by a partner of his/her own audit firm. The professional rule of confidentiality does not permit the former auditor to consult the latter on this document.

‘Non-reproducible’ internal controls

Even though there are internal controls that can be reperformed, such as those involving arithmetical operations, the most important ones often cannot be reperformed. The fundamental causes have been categorized as follows:
1. Expertise: the auditor cannot possibly acquire sufficient expertise to form, entirely by him/herself, a conclusive opinion on all the technical and/or commercial events that are to be reflected in the financial statements (e.g., product yield rates, purchase prices).
2. Presence: the auditor cannot possibly be ever present on the client’s premises in order to ensure the correct recording of transactions and (relevant) events; apart from economic considerations, this is unacceptable in that it would jeopardize the client’s and/or the auditor’s independence.
3. Inadmissibility of investigative techniques: the independent auditor is not entitled to use certain techniques that are available to government auditors (such as informing other government auditors about other taxpayers), or that may be used by the police (such as wiretaps, search of private premises and the like). (Blokdijk et al., 1995, p. 64)

The inability of auditors to reperform important internal controls severely limits the effectiveness of tests of control. Fortunately, not all non-reproducible internal controls are indispensable to the audit. A lack of internal control in accepting sales orders may lead to bad debts, but the auditor will notice these in the course of the substantive procedures and insist on proper provisions. The client may incur losses, but the auditor is able to ensure that these are truly and fairly reflected in the financial statements. But the examples given above show that many internal controls are indispensable to the quality of audit evidence. As such the auditor cannot do more than rely on the audit trail of the performance of the controls.

In evaluating the design of a system, the auditor should ensure that all internal controls he/she deems indispensable for his/her purpose, are provided for. If not, he/she should conclude that the financial statements of the entity are not auditable; the best he/she can do is to disclaim an opinion.

The same goes if indispensable internal controls provided for in the design appear not to be performed at all: in other words, if the existing system differs from the design. Therefore, continuing existence of the system should be a separate audit objective, which can be attained by tests of control. One ‘walk-through’ test for every type of transaction is, however, more effective than a number of tests of control of randomly selected items that may include some types of transactions more than once, and others not at all.

Tests of control may reveal that indispensable internal controls are not performed in all instances. In that case, the Audit Risk Model demands more substantive tests, but to what end? These tests would only be effective if the auditor is able to determine that the items tested are correct, notwithstanding the lack of internal control on them. This would be possible only by performing these internal controls, which the auditor is unable to do if the control is non-reproducible. Extending substantive procedures does not solve the problem encountered.

The Audit Risk Model does not present a realistic solution to the problem of missing but indispensable non-reproducible internal controls. In that case, the design and the existence of a system are important for the determination of the auditability of the entity, not for the extent of substantive procedures. A lack of compliance in the actual operation of non-reproducible internal controls cannot be remedied by the auditor’s substantive procedures. Therefore, non-reproducible internal controls should not be included in risk analysis, or in determining control risk.

DATA PROCESSING: INTERNAL CONTROL AND THE AUDITOR

Stage B comprises input of relevant data, sorting, summarizing the items and balancing the accounts. These are all operations that the auditor can reperform, so he/she is able to verify the effectiveness of the operation of the internal controls involved in data processing. These internal controls are not non-reproducible.

But data processing has been automated in virtually all companies that are obliged to have their financial statements audited. This means that internal controls, including many of the non-reproducible internal controls described above, have been embedded in the automated systems.

At the time of the audit, the auditor has to deal with systems in operation; internal controls on the design and implementation of new or improved systems are not relevant at this stage.

The internal controls in systems in operation include at least: general ICT controls, being: (a) change controls; and (b) access controls; application controls, being: (c) programmed controls; and (d) user controls. The significance of tests of these controls will be discussed below.

(a) Change controls

The purported improvement in the design of the system can be evaluated on the basis of the documentation of the change control procedures, and of implementation test results. In practice, however, many small changes are allowed on a less formal basis, under the heading ‘maintenance’. These changes are normally made in order to make programs run faster, but they sometimes result in the elimination of internal controls. For the auditor, tracing these changes is problematical: a ‘walk-through test’ in an automated system is very hard to perform, if at all possible.

An effective way may be to compare the program in operation with an independently controlled copy of an executable or a source statement program (Jenkins et al., 1995, pp. 285, 286). This copy should be retained by the auditor after evaluating the original design of the system. This comparison is a rather costly procedure. In principle, tests of control might achieve the objective just as well, if effective and efficient ones can be designed. Jenkins et al. recognize, however, that direct tests of programmed procedures are substantive in nature, and are normally carried out by reperformance (p. 288).

De Koning (2002) mentions another possibility. If all program changes are logged on a production library, the auditor may be able to discover all unauthorized temporary changes. In that case, the auditor should focus his/her substantive tests to the transactions processed under the modified program; in other words, use it as a basis for selective substantive procedures. Simply deciding that internal control risk is higher than expected and, as a consequence, selecting a larger random sample is not very effective.

A more important development is, however, that many companies give their employees the possibility to change ‘parameters’ in the computer programs they are authorized to use, in order to enhance the flexibility of the activities. This means that the ‘system’ changes continually, which frustrates the comparison of the program in operation with an earlier copy retained by the auditor. Furthermore, direct internal control on the setting of these parameters is either non-existent or non-reproducible by the auditor.

Internal control may, however, be exercised in a different way than by immediate control of every individual transaction. For example, internal control on sales prices could take the form of frequent and extensive review by management of gross margins. To ‘test’ such a control, however, it is not sufficient to verify that these reviews have been performed. The internal control is not ‘non-reproducible’. To ascertain the value of the reviews, the explanation recorded should be tested, which can only be done by applying substantive procedures. Normally, it will not be necessary to test all the explanations: it is more efficient to use the records of the review to focus the auditor’s selective substantive tests. This, however, is an analytical review procedure, not a test of the controls.
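
The two change-control procedures in this section, comparing the program in operation with a copy retained by the auditor and using the production change log to single out the transactions processed under a modified program, can be sketched as follows. This is an added example, not part of the paper; the program names, log fields, approval reference and sample records are constructed assumptions.

```python
"""Change-control checks sketched for an auditor (all names and records constructed)."""
import hashlib
from datetime import datetime


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def compare_with_retained_copy(retained, in_operation):
    """Compare programs in operation with the copy the auditor retained.

    Both arguments map program name -> program bytes. Returns three sorted
    lists: programs whose content differs, programs missing from production,
    and programs in production that the auditor never evaluated.
    """
    changed = sorted(
        name for name in retained.keys() & in_operation.keys()
        if sha256_hex(retained[name]) != sha256_hex(in_operation[name])
    )
    missing = sorted(retained.keys() - in_operation.keys())
    unevaluated = sorted(in_operation.keys() - retained.keys())
    return changed, missing, unevaluated


def unauthorized_windows(change_log):
    """Return (program, start, end) for each logged change lacking an approval.

    end is None when the change has not been reverted and is still live.
    """
    return [
        (e["program"], e["deployed_at"], e["reverted_at"])
        for e in change_log
        if not e.get("approval_ref")
    ]


def transactions_under_modified_program(transactions, windows):
    """Select IDs of transactions processed while an unapproved change was live.

    Windows are half-open: a transaction at the revert time is not selected.
    """
    selected = []
    for tx in transactions:
        for program, start, end in windows:
            if tx["program"] != program:
                continue
            if tx["processed_at"] >= start and (end is None or tx["processed_at"] < end):
                selected.append(tx["id"])
                break
    return selected


# --- Constructed sample data ---
RETAINED_COPY = {
    "invoice_posting": b"check_credit_limit()\npost_entry()\n",
    "price_lookup": b"read_price_list()\n",
}
IN_OPERATION = {
    "invoice_posting": b"post_entry()\n",  # control step dropped as 'maintenance'
    "price_lookup": b"read_price_list()\n",
    "bulk_import": b"load_file()\npost_entry()\n",  # never evaluated by the auditor
}
CHANGE_LOG = [
    # temporary change without approval, reverted the same day
    {"program": "invoice_posting", "deployed_at": datetime(2004, 3, 1, 9, 0),
     "reverted_at": datetime(2004, 3, 1, 17, 0), "approval_ref": None},
    # approved change, not an exception
    {"program": "price_lookup", "deployed_at": datetime(2004, 2, 10, 8, 0),
     "reverted_at": None, "approval_ref": "CR-0012"},
    # unapproved change that is still in production
    {"program": "invoice_posting", "deployed_at": datetime(2004, 6, 15, 22, 0),
     "reverted_at": None, "approval_ref": ""},
]
TRANSACTIONS = [
    {"id": "T-1001", "program": "invoice_posting", "processed_at": datetime(2004, 3, 1, 8, 59)},
    {"id": "T-1002", "program": "invoice_posting", "processed_at": datetime(2004, 3, 1, 9, 0)},
    {"id": "T-1003", "program": "invoice_posting", "processed_at": datetime(2004, 3, 1, 17, 0)},
    {"id": "T-1004", "program": "price_lookup", "processed_at": datetime(2004, 3, 1, 10, 0)},
    {"id": "T-1005", "program": "invoice_posting", "processed_at": datetime(2004, 6, 16, 10, 0)},
]

if __name__ == "__main__":
    print(compare_with_retained_copy(RETAINED_COPY, IN_OPERATION))
    windows = unauthorized_windows(CHANGE_LOG)
    print(transactions_under_modified_program(TRANSACTIONS, windows))
```

The selected transaction IDs are the input to a selective substantive procedure; the size of any random sample is left untouched.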

(b) Access controls

Tests of access control are highly important: a single breach of security in this respect can be devastating. Access control serves to prevent addition to, modification of, and deletion of recorded data and the outcome of computer operations by unauthorized persons. Access control is especially important if the evidence of performance of non-reproducible internal controls described as part of stage A above, no longer has the visible form of initials or stamps, but is recorded in a field of a record in the client’s data base. The value of the internal control depends on the employee who performs it, so only the authorized person or persons should be able to modify the content of such a field in the record involved.

In view of the fact that a single incident may have material consequences, a test of access control would only be effective if the auditor is able to have an exception report generated, preferably by means of his/her own audit software, that shows all additions, modifications and deletions by unauthorized persons. But again: if exceptions are reported, the conclusion should not simply be that more random substantive procedures are required. It is far more effective to use such a report as the basis for a selective substantive procedure, to focus the auditor’s substantive tests on the specific transactions involved.
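
The exception report described above, sketched as an added example that is not part of the paper: every logged addition, modification or deletion is checked against an authorization matrix, and the exceptions are grouped by record so that they drive selective substantive tests. The matrix, log layout, user IDs and records are constructed assumptions; a change that no rule covers is reported rather than passed.

```python
"""Exception report on data changes by unauthorized persons (all records constructed)."""
from collections import defaultdict

# (table, field) -> operation -> user IDs allowed to perform it.
# "*" stands for the whole record; an empty set means nobody may do it.
AUTHORIZATION = {
    ("goods_receipts", "quality_approval"): {"UPDATE": {"inspector_01", "inspector_02"}},
    ("goods_receipts", "quantity"): {"INSERT": {"warehouse_01"}, "UPDATE": {"warehouse_01"}},
    ("invoices", "amount"): {"INSERT": {"ap_clerk_01"}, "UPDATE": {"ap_clerk_01"}},
    ("invoices", "*"): {"DELETE": set()},
}

# Constructed change log, as the client's database might record it.
CHANGE_LOG = [
    {"user": "inspector_01", "op": "UPDATE", "table": "goods_receipts",
     "field": "quality_approval", "record_id": "GR-501"},
    {"user": "ap_clerk_01", "op": "UPDATE", "table": "goods_receipts",
     "field": "quality_approval", "record_id": "GR-502"},
    {"user": "warehouse_01", "op": "INSERT", "table": "goods_receipts",
     "field": "quantity", "record_id": "GR-503"},
    {"user": "ap_clerk_01", "op": "UPDATE", "table": "invoices",
     "field": "amount", "record_id": "INV-900"},
    {"user": "dba_admin", "op": "DELETE", "table": "invoices",
     "field": "*", "record_id": "INV-901"},
    {"user": "ap_clerk_01", "op": "UPDATE", "table": "invoices",
     "field": "payee", "record_id": "INV-902"},
    {"user": "ap_clerk_01", "op": "update", "table": "goods_receipts",
     "field": "quality_approval", "record_id": "GR-502"},
]


def exception_report(change_log, authorization):
    """Return every logged change that was not made by an authorized user."""
    report = []
    for entry in change_log:
        op = entry["op"].upper()  # logs are not always consistent in case
        rules = authorization.get((entry["table"], entry["field"]))
        if rules is None or op not in rules:
            # Fail closed: an uncovered field or operation is itself an exception.
            reason = "no authorization rule covers this change"
        elif entry["user"] not in rules[op]:
            reason = "user not authorized for this change"
        else:
            continue
        report.append({**entry, "op": op, "reason": reason})
    return report


def items_for_selective_testing(report):
    """Group exceptions by (table, record_id): the specific items to test."""
    items = defaultdict(list)
    for line in report:
        items[(line["table"], line["record_id"])].append(
            f'{line["user"]} {line["op"]} {line["field"]}: {line["reason"]}'
        )
    return dict(sorted(items.items()))


if __name__ == "__main__":
    for item, findings in items_for_selective_testing(
            exception_report(CHANGE_LOG, AUTHORIZATION)).items():
        print(item, findings)
```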

(c) Programmed controls

These are of two kinds: hard and soft. Hard programmed controls prevent the operator from continuing with the program if an error made is not corrected. Soft programmed controls (e.g., plausibility controls) give a signal that invites a reaction but may be ignored; those ‘controls’ are merely ‘control possibilities’.

In order to have real internal control, the signals should be dealt with by a different, authorized person, who records his/her reaction. A test of control by an auditor would involve these recordings; the auditor would have to be convinced about their completeness. Cost/effectiveness of such a test of control is questionable. In many cases, however, this internal control is non-existent, or is performed by the supervisor of the person who operates the program. In the latter case, the segregation of duties is questionable, which negatively affects the value of a test of this control.

Programmed controls mainly serve to enable the operator of the program to correct unintended errors; as such they are very helpful. Tests of the operation of programmed controls, however, do not seem to contribute greatly to audit effectiveness or efficiency.

(d) User controls

Apart from programmed controls, user controls mainly consist of the possibility of reviewing computer generated reports on the input or on the initial data processing. In effect, this is also a control possibility: if the control is performed by the operator of the computer program or by his/her supervisor, it is not based on a segregation of duties, and thus of questionable value to the auditor.

The auditor may perform a test of a user control by checking the reports generated with supporting documentation. This would be a substantive procedure, equivalent to the old-fashioned ‘bottom-up’ approach to substantive auditing, that involved tracing accounting entries from their input in the accounting system to the trial balance. Since those days, the ‘top-down’ approach has proven to be far more effective; it starts from the trial balance and goes back to the individual entries and their supporting documentation, to the extent determined by risk analysis. Tests of user controls have limited significance for the auditor; moreover, in order to be effective, they should consist of substantive procedures.

It should be noted that both programmed and user controls are, in effect, input controls. They do not cover the process of sorting, summarizing, and balancing. Internal control on these computer operations is based entirely on change and access controls; in many cases it is tacitly left to the auditor and his/her substantive procedures.

At the data processing stage, effective tests of control either involve substantive tests or serve to focus substantive procedures. In the Audit Risk Model, tests of control conceptually precede substantive procedures, and serve to determine their nature, extent and timing. To that end, tests of control do not seem to be effective.
TESTS OF CONTROL: A REVIEW OF ISA 400
According to paragraph 30 of ISA 400, ‘tests of control may include:
· Inspection of documents supporting transactions and other events to gain audit evidence that internal controls have been operated properly, for example, verifying that a transaction has been authorized.
· Inquiries about, and observation of, internal controls which leave no audit trail, for example, determining who actually performs each function, not merely who is supposed to perform it.
· Reperformance of internal controls, for example, reconciliation of bank accounts, to ensure they were correctly performed by the entity’.
From the wording in paragraph 30 it is obvious that this list is not meant to be all-inclusive: other effective tests are allowed. But in a number of US auditing textbooks I have not found any other types of tests of control, which leads me to suspect that in practice, tests of control are limited to those mentioned above.
Tests of control by inspection of documents consist of inspecting the audit trail of internal controls performed. If the internal controls cannot be reperformed by the auditor, the audit trail means that the controls seem to have been performed. Nonetheless, the inspection makes sense: without the audit trail the audit evidence presented by the document is of less or no value. This makes it clear when the ‘test’ should be performed: at the moment the auditor wishes to verify an accounting entry with a supporting document. The ‘test’ should be an integral part of a substantive test! Inspection of documents as a ‘test of control’ preceding substantive procedures is a ritual without significance.
Inquiries about, and observation of, internal controls do not provide strong audit evidence, as some auditing textbooks readily admit. When the auditor has turned his/her back, client personnel may go on in their normal ‘efficient’ way, which may make the internal control non-existent.
Reperforming the internal control is only possible for internal controls that can be reperformed by the auditor. The example given, reconciliation of bank accounts, is highly enlightening indeed: if this control has not been performed, the auditor would do it him/herself, and correctly call it a substantive procedure. As a ‘test of control’ preceding substantive procedures, reperformance seems to be an inconsistency in the structure of audits.
In ISA 400, paragraph 27 requires tests of control to provide evidence about the effectiveness of the operation of the internal controls throughout the period. Logic also demands that the operation of all relevant controls throughout the period is covered by tests of control: if in the chain of internal controls some links are missing, the tests cannot be deemed effective. ISA 400 does not contain such a requirement.
ISA 400 does not mention any internal controls in the data processing stage of the accounting process (stage B), with one exception I will refer to presently. In paragraph 8, under (b), some internal controls in that stage are mentioned, such as changes to computer programs and access to data files, but these have not been reflected in the paragraphs on tests of control.
IFAC has also issued ISA 401, on Auditing in a Computer Information Systems Environment. Nowadays, a separate Statement on Auditing on this subject does not recognize reality. Moreover, it consists only of generalities without a word on tests of control.
The one exception I referred to above is the example given of reperformance of internal controls: reconciliation of bank accounts. This does cover the stage of data processing, but it is a substantive procedure.
The above leads to the conclusion that tests of control in ISA 400 are either hardly effective or substantive procedures. ISA 400 moves in a semantic circle that does not provide much guidance to auditing practice. Moreover, ISA 400 does not cover all relevant internal controls.
DISCUSSION AND CONCLUSION
In the preceding sections the following conclusions have been drawn:
1. Tests of control might be effective to determine the existence of a system, but a ‘walk-through test’ is more efficient.
2. Tests of control on events and their first recording (stage A) consist mainly in determining the quality of evidence to be used in substantive tests.
3. Non-reproducible internal controls on events and their first recording do not merit a role in quantitative risk analysis, as a lack of such controls cannot be compensated by the auditor’s work.
4. The effectiveness of tests of control on program changes and on the setting of ‘parameters’ is dubious; substantive procedures are more effective, or at least more efficient.
5. Tests on access control and on non-reproducible internal controls embedded in computer information systems may be effective if they are used to select items to be subjected to substantive tests.
6. Tests of control on input of data are not efficient; ‘top-down’ substantive procedures are both more effective and more efficient.
The overall conclusion is, that separate tests of control do not make much sense; if useful, their use lies in focusing substantive tests rather than in assessing internal control risk.
As to tests of control, the Audit Risk Model does not fit reality as confronted by auditors in auditing financial statements. In order to serve as the basis for regulation, it should be thoroughly revised.
A proposal for restructuring the audit process
On the basis of these findings, I propose:
· to abolish tests of control as an element of audit risk analysis; and
· to introduce a new stage in the audit process, that comprises both certain system-oriented and data-oriented procedures that serve to focus substantive tests of details on items with relevant characteristics.
In my view, the audit would consist of the following main stages:
1. acquiring knowledge of the business (including the design and the existence of the accounting system and of internal control), and risk analysis;
2. applying those analytical procedures that serve to assist the auditor in planning the nature, timing, and extent of other audit procedures (ISA 520, paragraph 7 (a));
3. performing tracing procedures as indicated above, as the basis for selective substantive procedures;
4. applying substantive procedures, including those analytical procedures that are more effective or efficient than substantive tests of details (ISA 520, paragraph 7 (b)); and
5. deciding on the audit opinion: overall review (ISA 520, paragraph 7 (c)), and reporting.
In risk analysis, the assessment of control risk should only be based on the design and the existence of internal controls. The operation of internal controls should not be taken into account, which would mean that control risk no longer could be set at ‘low’.
This structure of the audit of financial statements will conform more to reality as faced by auditors. The challenge will lie in devising ever more effective tracing procedures, to be embedded in audit software. Imagination may be the key to restoring confidence in the effectiveness of auditing.
ACKNOWLEDGEMENTS
Helpful comments were provided by Professor Dan A. Simunic, University of British Columbia.
AUTHOR PROFILE
J. H. Blokdijk is professor emeritus of auditing at the Vrije Universiteit Amsterdam, The Netherlands, and a retired partner of KPMG in The Netherlands. He is a research fellow at Nyenrode University, The Netherlands. His research has covered a wide range of auditing issues.