5035.1 Identify controls that address risks of materials misstatement at the assertion level

Sep-2022

OAG Guidance

As explained in OAG Audit 5031 obtaining an understanding of the entity’s system of internal control allows us to identify and assess risks of material misstatement specific to the entity as well as facilitates the development of audit responses that effectively and efficiently address the identified risks of material misstatements. One of the components of the entity’s system of internal control that we are required to understand is control activities. As noted by CAS 315.A147 this component includes controls that are designed to ensure the proper application of policies in all other components of the entity’s system of internal control and includes both direct and indirect controls. When obtaining our understanding of the control activities component, we focus on identifying controls that address risks of material misstatement at the assertion level. The detailed guidance covering the types of the controls that we would generally identify within the control activities component is included in the block below Controls that address risks of material misstatement at the assertion level.

Not all controls that we identify during our audit would be included in the control activities component of the entity’s system of internal control subject to design and implementation evaluation. The relationship of the controls that the entity has designed and those that we would identify within the control activities component is depicted on the diagram below:

View actual size

In order to ensure proper functioning of the business, the entity puts in place various controls referred to as the entity’s controls in the diagram above. The ‘entity’s controls’ typically address a variety of business and operational risks, some of which are not meant to address risks of material misstatement of the entity’s financial statements. When planning and performing our audit we focus on risks of material misstatement at the financial statement and assertion levels and the subset of the entity’s controls that address these risks. This subset of controls are referred to as controls relevant to the preparation of the financial statements in the diagram above. We typically identify such controls when obtaining an understanding of the components of the entity’s system of internal control especially when obtaining understanding of the flow of transactions and business processes within the information system and communication component. See OAG Audit 5034 for additional guidance related to understanding information processing activities within business processes.

We identify controls that address risks of material misstatement at the assertion level and are part of the control activities component in accordance with CAS 315.26(a). It is these controls that are subject to design and implementation evaluation. As explained in the block below Controls that address risks of material misstatement at the assertion level, in addition to these controls other controls could be included in this subset based on specific CAS requirements other than CAS 315. See OAG Audit 5035.5 for further guidance on evaluation of design and implementation. A final subset of the controls presented on the chart are those controls that we plan to rely on when obtaining audit evidence and therefore would be selected for operating effectiveness testing. For further guidance on these controls see the block below Controls selected for operating effectiveness testing.

The table below summarizes the expected evidence for each of the control subsets mentioned above:

When performing the expected audit procedures for the individual control subset we need to be mindful that the concepts of design and implementation are not the same as testing the operating effectiveness of an internal control. Each of the concepts is explained below:

• Design: Evaluating the design effectiveness of controls within the control activities component is focused on whether they can prevent or detect and timely correct a material misstatement, due to error or fraud, of the financial statements.

• Implementation: Based on our understanding of the control, and our professional judgment we validate, through inspection, observation or re‑performance of at least one instance of the control, to obtain evidence that the entity has placed the control into operation as designed. We may also trace a transaction through a business process as evidence that the control has been implemented as designed.

Operating effectiveness: Testing the operating effectiveness of a control involves testing its operation over time during the audit period to determine whether it is operating as designed. If we intend to place reliance on the control, we test an appropriate sample of instances of the control operating during the audit period. See OAG Audit 6053 for guidance on sample sizes when testing operating effectiveness of a control.

OAG Guidance

As part of obtaining a sufficient understanding of the entity’s information systems and the related business processes relevant to financial reporting, we normally obtain an understanding of controls within the business process/sub‑processes. We focus on controls that individually or in combination with others are likely to prevent or, detect and correct on a timely basis, material misstatements in the financial statements. In determining whether controls will prevent or detect misstatements both due to error and fraud, we consider their relationship with the relevant financial statement assertions.

CAS 315.26(a) requires us to understand, including evaluation of design and determining implementation, controls that address risks of material misstatement at the assertion level in the control activities component as follows:

• Controls that address a risk that is determined to be a significant risk

• Controls over journal entries, including non‑standard journal entries used to record non‑recurring, unusual transactions or adjustments

• Controls for which we plan to test operating effectiveness, including controls that address risks for which substantive procedures alone do not provide sufficient appropriate audit evidence

• Other controls based on our professional judgment that we consider are appropriate to identify, and evaluate the design and determine the implementation, which may include:

  • Controls that address risks assessed as higher on the spectrum of inherent risk but have not been determined to be a significant risk (i.e., elevated risks);

  • Controls related to reconciling detailed records to the general ledger; or

  • Complementary user entity controls, if using a service organization.

When identifying controls relevant to the preparation of the financial statements, various CASs require that we understand controls in the following specific areas:

1. Identified controls in the control activities component over management’s process for making accounting estimates (see OAG Audit 7073.1; CAS 540.13(i))

2. Controls, if any, that management has established to identify, account for, disclose and authorize related party transactions and transactions outside the normal course of business (see OAG Audit 7532; CAS 550.14)

3. Identified controls in the control activities component at the user entity that relate to services provided by a service organization, including those that are applied to transactions processed by the service organization (See OAG Audit 6042; CAS 402.10)

4. For group audits, group‑wide controls designed, implemented and maintained by group management over group financial reporting (see OAG Audit 2332; CAS 600.17)

To the extent any of the controls we identify and understand in the above areas are determined to represent controls in the control activities component, we are required to evaluate their design effectiveness and determine whether they have been implemented, as described in OAG Audit 5035.5. Conversely, to the extent any of these controls we identify and understand are not determined to represent controls in the control activities component, we are not required to evaluate their design effectiveness or to determine whether they have been implemented as described.

OAG Guidance

Business performance reviews

Business performance reviews ("BPRs") can represent Indirect Entity Level Controls (ELCs) typically included in the entity’s process to monitor the system of internal control, or direct ELCs typically included in the control activities component of the entity’s system of internal control.

Although their purposes may overlap, there is an important distinction between BPRs, which are a type of control activity, and monitoring of controls. The objective of monitoring of controls is to assess effective operation of internal controls whereas BPRs are directed at determining whether certain metrics (financial or non‑financial) are being met (e.g., is the entity meeting its budget). In some cases, BPRs may also provide information that enables management to identify deficiencies in internal control. Although controls such as monitoring of super‑user activity involve monitoring activities they are considered ITGCs and not BPRs.

When designed, implemented and operating effectively, BPRs may operate at a sufficient level of precision to adequately prevent, or detect and correct on a timely basis, material misstatements to one or more relevant assertions for FSLIs. Testing the operating effectiveness of BPRs that operate at a level of precision that, by themselves, would prevent or detect a material misstatement on a timely basis often will allow us to reduce the number of information processing controls that we might otherwise test. We may be able to rely on BPRs that are designed to prevent or detect and correct, on a timely basis, a material misstatement that could arise when information processing controls are either missing or deficient.

It is important we do not begin testing the operating effectiveness of any control, including a BPR, until we have first assessed its design effectiveness. It is important that the entity is able to describe the control design in sufficient detail to allow us to assess and document the basis for our conclusion about the design effectiveness of the BPR. Depending on the importance of the control, simply explaining or evaluating the design of a control as "Jane Doe, Controller, reviews and approves the group reporting package," or "The divisional controller performs a variance analysis," does not provide sufficient detail about what controls are performed and therefore does not identify the information needed to assess whether the control is designed in a way that is likely to prevent, or detect and correct, on a timely basis, a material misstatement. In addition to a detailed description of the activities performed, it is important to understand the actions taken when potential variances or other operating anomalies are identified and what level of variance or anomaly will trigger further investigation and/or correction (i.e., the level of precision with which the control is designed to operate).

As a first step in determining whether we can rely upon a BPR in our audit, we begin by evaluating its design effectiveness. The factors that could be relevant to our evaluation of the design effectiveness of a BPR include those to be considered for other types of controls discussed in this section as well as other factors specific to BPRs.

The table below includes a summary of factors to consider when evaluating design and implementation of a BPR:

• The objective(s) of the control;

• Component(s) of the entity (individually or consolidated) covered by the control being evaluated;

• Account(s) at the component(s) covered by the control;

• The authority and competence of the person that performs the control;

• The frequency with which the control operates;

• The specific procedures that are performed and at what level of precision and the related controls (i.e., a process consists of activities and sub‑processes but not all of them are likely to be controls in the control activities component)

• Reliability of the information used in the performance of the control and its source; and

• The evidence available to demonstrate that the control operates as intended

1. The objective(s) of the control

2. Component(s) of the entity (individually or consolidated) covered by the control being evaluated

3. Account(s) at the component(s) covered by the control

4. The authority and competence of the person that performs the control

5. The frequency with which the control operates

6. The specific procedures that are performed and at what level of precision and the related controls (i.e., a process consists of activities and sub‑processes but not all of them are likely to be controls within the control activities component).

7. Reliability of the information used in the performance of the control and its source (IT dependency).

8. The evidence available to demonstrate that the control operates as intended.

Although the table above is focused on specific factors that may affect the evaluation of the design effectiveness of BPRs, these factors may also be relevant when assessing other types of review controls (e.g., controls over the review of journal entry submissions, spreadsheet calculations, or the methods, assumptions or data used to develop estimates).

We consider relevant factors as part of our evaluation of the design and implementation of the control. When evaluating the BPR design we also need to assess whether the control is likely to achieve the intended objectives if it is consistently executed. In making this assessment we consider the following, among other relevant factors:

• Can the control objective(s) feasibly be met?

• Is there a demonstrated history of effective operation of the control? What is the evidence?

• Has the control previously failed to prevent or detect misstatements for which the control was intended to prevent or detect?

• Are there other controls (supervisory or otherwise) that are designed to monitor the effectiveness of the control?

• Are there other controls that work in conjunction with the control to achieve the control objective(s)?

OAG Guidance

When selecting controls to test for operating effectiveness, we focus on testing only those controls that are designed to prevent or detect on a timely basis material misstatements, individually or in the aggregate, for a relevant assertion. We select controls for operating effectiveness testing that provide the most effective or efficient means of obtaining audit evidence for one or more relevant financial statement assertions for one or more FSLIs. As explained in the block Overview above, those controls, also commonly referred to as selected controls, are a sub‑group of the controls subject to design and implementation evaluation, which in turn is a sub‑group of the controls relevant to the preparation of the financial statements

Judgment is required to identify and select controls to test. For example, it is not necessary to test controls that:

a. Do not address the identified risk

b. Address the identified risk, but we have other sources of audit evidence available (e.g., other controls or substantive evidence) that provide a more effective and efficient source of obtaining sufficient evidence.

Example:

There is a risk of material misstatement over purchases and payables related to purchases not being appropriately authorized.

We identify two controls during our walkthrough to understand the end‑to‑end purchases and payables business process:

• Control A is an automated control that requires a supervisory approval before an item can be requested for purchase (i.e., before a purchase order can be processed).

• Control B is a manual control executed by the director of the purchasing department that verifies all items requested for purchase are using agreed suppliers, that appropriate approvals have been obtained (the same risk that control A covers) and that bank details for payment have not changed.

Here, on the basis that control B is designed and implemented to address this risk of material misstatement, we would likely plan to test control B for operating effectiveness. Testing of control A would not be necessary because a sufficient appropriate level of controls reliance can be obtained from the effective operation of control B throughout the audit period.

Not all controls that we evaluate for design and implementation will be selected for operating effectiveness testing. For example, although we are required to assess design and determine implementation of a control addressing relevant assertions for a significant risk, we would not necessarily select this control and test it for operating effectiveness if we conclude we can effectively and efficiently obtain sufficient appropriate audit evidence by performing substantive audit procedures. A selected control therefore is a control for which we plan to test the operating effectiveness because it is judged to be:

• An effective way of obtaining audit evidence to address the assessed risk of material misstatement at the assertion level;

• Designed and operating at the appropriate level of precision;

• Responsive to the identified risk of material misstatement, due to error or fraud;

• Efficient to test in order to achieve the expected controls reliance.

When selecting controls for operating effectiveness testing, first consider whether to place reliance on Direct ELCs, as they are often designed to cover multiple assertions relating to an FSLI, provided the control is designed to operate at a sufficient level of precision. OAG Audit 6051 provides additional guidance on selecting controls to test

When selecting controls for operating effectiveness testing we may follow the following approach that summarizes the practical approach to the guidance provided above:

• We obtain an understanding of the entity’s controls relevant to the preparation of the financial statements when performing procedures to understand and evaluate the entity’s system of internal controls.

• Once we have obtained an understanding of the entity and its environment, and the entity’s system of internal control and determined the significant classes of transactions, account balances and disclosures and the relevant assertions, we identify those direct ELC and information processing controls that address the identified risks of material misstatement at the assertion level. We then select controls that we believe provide an effective and efficient way of obtaining audit evidence addressing the identified risks of material misstatement at the assertion level.

• For those controls selected for testing of operating effectiveness, evaluate if the Direct ELCs are designed effectively and if they are sufficiently precise to prevent or detect and correct, on a timely basis, the identified risk of material misstatements at the assertion level. A Business Performance Review (BPR) is an example of such a direct ELC. The level of assurance obtained from testing the operating effectiveness of a BPR depends on a number of factors – see the block above Understanding and evaluating business performance review controls for further guidance.

• Consider the level of evidence obtained from testing direct ELCs and determine whether further controls evidence for relevant assertions is needed (e.g., if the ELC is not operating at a sufficient level of precision, consider also testing information processing controls).

• Both direct ELCs and information processing controls selected for testing of operating effectiveness are subject to design and implementation evaluation in accordance with the requirement of CAS 315.26(d).

On a recurring audit where we have relied on controls in past audits, it may be effective and efficient to test the operating effectiveness of such controls at the same time we update our evaluation of their design and determining whether they have been implemented. Because the procedures to evaluate design and implementation of controls and the procedures to test their operating effectiveness have two different objectives, it is important that our documentation of these procedures reflect evidence that supports the audit work performed to address each of these objectives. When we perform procedures concurrently before the end of the period, we need to consider performing update testing of the operating effectiveness of these controls (Refer to OAG Audit 6055 for guidance on update testing of controls).

OAG Guidance

We evaluate early in the audit whether identified Direct ELCs are designed effectively, including a sufficient level of precision to address risks of material misstatements at the assertion level because the result of that assessment is an important consideration in our audit planning process. An integral part of our consideration of direct ELCs is a focus on controls important to the prevention and detection of material misstatements to the financial statements due to error or fraud, including controls to address the risk of management override (where appropriate). Direct ELCs allow us to understand the entity’s controls over financial information and the more precise the direct ELC, the more audit evidence we typically need to test operating effectiveness throughout the audit period. We may be able to test fewer information processing controls if the direct ELC is precise enough to prevent or detect material misstatements. The impact of our evaluation and testing of direct ELCs on the nature, timing, and extent of our testing of information processing controls may vary significantly depending upon the specific circumstances of the entity, the applicable FSLI and/or the assertions relevant to the risk of material misstatement. See OAG Audit 5040 for a further understanding of relevant assertions and how they affect our audit procedures. Our evaluation of the direct ELCs and the level of precision at which they operate affects the nature and extent of testing that we otherwise may need to perform on controls at the information processing level.

The following continuum depicts the impact of ELCs and the level of precision at which they operate on a relevant assertion for a significant FSLI:

View actual size

At one end of the continuum are direct ELCs that are designed to operate at a level of precision that would, by themselves, prevent or detect, on a timely basis, material misstatements to one or more relevant assertions. In the middle of the continuum are controls that are intended to monitor the effectiveness of other controls, or those controls and procedures designed to identify possible deviations in information processing controls. At the other end of the continuum are indirect ELCs (e.g., controls within the control  environment component) that are not directly related to any relevant assertion for any specific significant FSLI and, therefore, would not by themselves prevent or detect on a timely basis material misstatements to one or more relevant assertions.

ELCs may impact the nature, timing and extent of our testing of controls, regardless of where they fall upon the continuum. However, ELCs that operate at a level of precision that, by themselves, would prevent or detect a material misstatement on a timely basis often will allow us to reduce the number of information processing controls that we might otherwise test.

Consider the effectiveness of indirect ELCs in determining the nature, timing and extent of testing controls. For example, an indirect ELC where management has implemented a policy manual outlining the entity’s policies and procedures for required learning and continuing development of employees and management monitors completion of required training, this may provide indirect evidence that an employee performing a control related to reconciliation of the accounts payable subledger to the general ledger has been sufficiently trained. This audit evidence obtained from an indirect ELC may allow us to reduce the nature, timing and extent of testing we perform over the operating effectiveness of this reconciliation control (e.g., more inspection and less reperformance of individual instances of controls).

When the precision at which an ELC operates is close to or below our materiality limits, there is greater likelihood that the ELC will prevent or detect a material misstatement by itself and, therefore, less testing of information processing or application level controls may be necessary. If an ELC operates at a sufficient level of precision to prevent or detect a material misstatement on a timely basis and meets the control objectives related to one or more relevant financial statement assertions for a significant FSLI, testing of additional controls with respect to the same relevant assertions for that significant FSLI may not be necessary other than to obtain evidence about the effectiveness of controls over the completeness and accuracy of information or data used in the ELC (i.e., underlying data used by management in performing business performance reviews).

For most entities indirect ELCs and controls that monitor the effectiveness of other controls are significantly more prevalent than ELCs designed and operating at a level of precision to prevent or detect a material misstatement, whether due to fraud or error. Therefore, while selecting and testing some ELCs may allow us to effectively and efficiently obtain audit evidence, in many cases the presence of ELCs will not lead to the elimination of control testing at the information processing, application, database, operating system and network levels.