6057 Execute and evaluate results of planned controls procedures
Sep-2022

Controls exceptions noted during substantive testing

CAS Requirement

When evaluating the operating effectiveness of controls upon which the auditor intends to rely, the auditor shall evaluate whether misstatements that have been detected by substantive procedures indicate that controls are not operating effectively. The absence of misstatements detected by substantive procedures, however, does not provide audit evidence that controls related to the assertion being tested are effective (CAS 330.16).

If the auditor is unable to apply the designed audit procedures, or suitable alternative procedures, to a selected item, the auditor shall treat that item as a deviation from the prescribed control, in the case of tests of controls, or a misstatement, in the case of tests of details (CAS 530.11).

The auditor shall investigate the nature and cause of any deviations or misstatements identified, and evaluate their possible effect on the purpose of the audit procedure and on other areas of the audit (CAS 530.12).

CAS Guidance

A material misstatement detected by the auditor’s procedures is a strong indicator of the existence of a significant deficiency in internal control (CAS 330.A41).

For tests of controls, no explicit projection of deviations is necessary since the sample deviation rate is also the projected deviation rate for the population as a whole. CAS 330 provides guidance when deviations from controls upon which the auditor intends to rely are detected (CAS 530.A20).

For tests of controls, an unexpectedly high sample deviation rate may lead to an increase in the assessed risk of material misstatement, unless further audit evidence substantiating the initial assessment is obtained. For tests of details, an unexpectedly high misstatement amount in a sample may cause the auditor to believe that a class of transactions or account balance is materially misstated, in the absence of further audit evidence that no material misstatement exists (CAS 530.A21).

If the auditor concludes that audit sampling has not provided a reasonable basis for conclusions about the population that has been tested, the auditor may (CAS 530.A23):

  • Request management to investigate misstatements that have been identified and the potential for further misstatements and to make any necessary adjustments; or
  • Tailor the nature, timing and extent of those further audit procedures to best achieve the required assurance. For example, in the case of tests of controls, the auditor might extend the sample size, test an alternative control or modify related substantive procedures.

OAG Guidance

If we identify a misstatement during substantive testing and the amount is over the stated de minimis amount, we report the misstatement on the SUM.

In addition, we assess whether misstatements could represent a control deficiency / weakness.

  • If the response is Yes, create an issue in the audit file for communication in the management letter and RAC‑Annual Audit Results, if necessary.
  • If we identify a misstatement that does not have control implications, document why this is.

Related Guidance

See OAG Audit 7016 for further guidance on documenting the results of substantive audit procedures.

Actions when deviations in controls testing are detected

CAS Requirement

If deviations from controls upon which the auditor intends to rely are detected, the auditor shall make specific inquiries to understand these matters and their potential consequences, and shall determine whether (CAS 330.17):

(a) The tests of controls that have been performed provide an appropriate basis for reliance on the controls;

(b) Additional tests of controls are necessary; or

(c) The risks of material misstatement need to be addressed using substantive procedures.

CAS Guidance

The concept of effectiveness of the operation of controls recognizes that some deviations in the way controls are applied by the entity may occur. Deviations from prescribed controls may be caused by such factors as changes in key personnel, significant seasonal fluctuations in volume of transactions and human error. The detected rate of deviation, in particular in comparison with the expected rate, may indicate that the control cannot be relied on to reduce risk at the assertion level to that assessed by the auditor (CAS 330.A42).

OAG Guidance

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis that could affect the company’s ability to record, process, summarize, and report financial data consistent with management’s assertions in the financial statements. Such deficiencies in internal control may involve aspects of any of the five internal control components.

A deficiency in the design of the internal control exists when

  • a control necessary to meet the control objective is missing; or
  • an existing control is not properly designed so that, even if it operates as designed, the control objective is not always met.

A deficiency in the operation of internal control exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

We consider whether the results of substantive testing indicate that there has been a breakdown in controls and whether a deficiency in internal control exists.

A significant deficiency in internal control is a deficiency or combination of deficiencies in internal control that, in our judgment, is of sufficient importance to merit the attention of those charged with governance.

Number of Exceptions

The more important the control and the more evidence we are seeking that the control is operating effectively, generally the more items we test and the lower the acceptable exception rate. Questions to consider in determining the acceptable exception rate for manual controls include:

  • How much evidence is desired?
  • How effective is the control if it is performed less than 100 percent of the time?

We accept that a control is achieving its objectives when we find no or negligible exceptions.

The definition of negligible exceptions is a matter of professional judgment and depends largely on the nature and importance of the control and the degree of evidence we seek from the control. The more exceptions we find, the more limited our audit evidence. The sample sizes that we typically use in our initial samples (for example, 25 items for a manual control performed multiple times per day, see OAG Audit 6053) do not allow for any exceptions.

Generally, the objective of a control test is not met if the actual number of exceptions found in the sample is more than negligible (i.e., it exceeds the number of exceptions allowed for in the testing plan). In those cases, and depending on our understanding of the cause of the exception, consider whether additional testing could support a conclusion that the exception rate in the original selection is not representative of that in the total population. This evaluation will vary based on the nature of the control (e.g., automated versus manual) and the frequency with which it operates (e.g., quarterly, monthly, weekly, daily or multiple times per day).

Audit Approach and Reporting

If we conclude, as a result of our evaluation of the design and implementation of controls and testing of operating effectiveness of controls, that we are unable to obtain audit evidence as a result of deficiencies in internal controls, we

  • consider whether the deficiency in internal control could result (or has resulted) in a material misstatement in the financial statements;
  • document a significant matter for the deficiency in internal control identified;
  • if a material misstatement might have occurred or could still occur, through either error or fraud, if corrective action is not taken, assess the effect on our further audit procedures, including whether other planned audit procedures will result in sufficient evidence. If they do not, we design further appropriate substantive tests;
  • determine whether the effect of the deficiencies in internal control will result in a significant change to our audit approach. Significant changes to the audit strategy and plan shall be recorded; and
  • determine whether the deficiencies in internal control identified, individually or collectively, constitute a significant deficiency in internal control. We discuss such significant deficiencies with management. We shall communicate all significant deficiencies in internal control in writing to those charged with governance in accordance with CAS 265.

Considerations When Exceptions are Identified

Because of the wide variety of control types, population characteristics and test exception implications, consider qualitative and quantitative factors when assessing whether exceptions arising from our understanding, evaluation and testing of internal controls result in deficiencies, or significant deficiencies, in internal control. In order to reach this conclusion, apply professional judgment and consider guidance in OAG Audit 2222.

When exceptions are identified in our testing of internal controls, we first consider whether the likelihood of a misstatement resulting from the exception is at least reasonably possible. Where this is not the case it may indicate that the control identified for testing was not designed to achieve the desired objective. We therefore make inquiries to further our understanding in order to assess whether the decision to test the control remains appropriate, or whether it is necessary to select a different control to test.

When it is at least reasonably possible that a control exception will result in a misstatement, after inquiring into the reasons for the exception, we may:

  • Find out that we did not understand the control and re‑design our tests of control based on this new information.
  • Consider whether a compensating control exists at a level of precision sufficient to prevent or detect a misstatement that could be material to the financial statements, and test the design and operating effectiveness of such compensating controls.
  • For manual controls, test more items because we believe more testing might provide evidence that the control is functioning properly at an acceptable level. However, first understand the nature of the exceptions detected and determine whether additional testing would be beneficial. If we decide to conduct additional testing, examine at least as many additional items as we examined initially. Professional judgment is required to determine if the aggregate results provide sufficient evidence that the control is operating effectively.
  • Determine, based on professional judgment and the engagement circumstances, that the control provides a limited degree of evidence over the related assertion, and consider the impact on the overall testing strategy for the relevant assertion(s).
  • Place no reliance on the control and assess the impact this has on the overall testing strategy for the relevant assertion(s).

Examples of deficiencies in internal control which would be a strong indicator that there is a significant deficiency in internal control are provided in CAS 265.A7.

If one control simply does not work or is not effective, consider whether there are effective compensating controls or processes available / in place that provide management with evidence and determine whether those controls may, in fact, do the same job. These compensating controls would then be tested for operating effectiveness, if it is effective and efficient to do so. However, if we cannot find compensating controls, increase the amount of substantive testing to be performed in respect of the relevant assertion. For detailed guidance on evaluating and communicating deficiencies in internal control see OAG Audit 2220.

Document exceptions in controls testing

OAG Guidance

An exception would normally mean that we will need to obtain further audit evidence beyond that originally planned. An exception would arise when the test of controls objective is not achieved (i.e., the deviation rate in the sample exceeded an acceptable level).

The determination of whether an exception was identified is a matter of professional judgment. Consider what will constitute an exception before performing the work.

An exception would not normally be identified when performing a test of controls and the test objective is achieved (i.e., the deviation rate in the sample is within an acceptable level).

If we identify an exception during testing performed at an interim date, and management had the opportunity to remediate the exception and additional testing is planned, document the management actions.

Indicate whether exceptions occurred during controls testing under the Results section. If exceptions are noted, indicate whether the exception noted is a control deficiency / weakness. If No, document why the exception noted is not a control deficiency / weakness.