2 Timing. You are required to determine whether controls are operating effectively as of the company’s fiscal year-end. The closer your tests are to year-end, the more reliable; the further away from year-end, the less reliable. Ideally, you would perform all your tests as of the balance sheet date, but as a practical matter this is not possible. Some tests will be performed in advance of year-end. For example, you may decide to test the controls relating to payroll as of October 31.The bigger the difference between the “as of” date of the tests and year-end, the less reliable the tests. In our example, if payroll controls are tested as of October 31, there is a chance that the operating effectiveness of those controls changed during the two months from October 31 to December 31.Plan on testing controls related to low risks of material misstatement in advance of year-end. Controls related to higher risks should be performed as closely to year-end as possible.
3 Extent. The extent of your procedures refers to the number of tests you perform. In the previous example of certain cash disbursements requiring dual signatures, the question is “How many checks should I examine?” The greater the extent of your tests—in this case, the more checks you examine—the more reliable your conclusion. Controls related to higher risk of misstatement will require more extensive testing than those related to lower risk.
When you do test controls in advance of year-end, you will want to consider the need to perform additional tests to establish the effectiveness of the control procedure from the time the tests were performed until year-end.
For example, if you tested the effectiveness of bank reconciliations as of June 30 and the reporting date was December 31, you should consider performing tests to cover the period from July 1 through December 31. These tests may not require you to repeat the detailed tests performed at June 30 for the subsequent six-month period. If you establish the effectiveness of the control procedure at June 30, you may be able to support a conclusion about the effectiveness of the control at the reporting date indirectly through the consideration of entity-level controls and other procedures, such as:
The effectiveness of personnel-related controls, such as the training and supervision of personnel who perform control procedures. For example, are the people performing the bank reconciliations adequately supervised, and was their work reviewed during the second half of the year?
The effectiveness of risk identification and management controls, including change management. For example, would management be able to identify changes in the entity’s business or its circumstances that would affect the continued effectiveness of bank reconciliations as a control procedure?
The effectiveness of the monitoring component of the entity’s internal control.
Inquiries of personnel to determine what changes, if any, occurred during the period that would affect the performance of controls.
Repeating the procedures performed earlier in the year, focusing primarily on elements of the control procedure that have changed during the period. For example, if the entity added new bank accounts or new personnel performing certain bank reconciliations, you would focus your tests on those accounts and individuals.
Information Technology Application Controls
Again, the types of procedures you perform for the period between June 30 and December 31 will depend on the risk related to the control. Application controls are the structure, policies, and procedures that apply to separate, individual business process application systems. They include both the automated control procedures (i.e., those routines contained within the computer program) and the policies and procedures associated with user activities, such as the manual follow-up required to investigate potential errors identified during processing.
As with all other control procedures, information technology (IT) application controls should be designed to achieve specified control objectives, which in turn are driven by the risks to achieving certain business objectives. In general, the objectives of a computer application are to ensure that:
Data remain complete, accurate, and valid during their input, update, and storage.
Output files and reports are distributed and made available only to authorized users.
Specific application-level controls should address the risks to achieving these objectives.
The way in which IT control objectives are met will depend on the types of technologies used by the entity. For example, the specific control procedures used to control access to an online, real-time database will be different from those procedures related to access of a “flat file” stored on a disk.
An IT controls specialist most likely will be needed to understand the risks involved in various technologies and the related activity-level controls.
Shared Activities
Some activities in a company are performed centrally and affect several different financial account balances. For example, cash disbursements affect not only cash balances but also accounts payable and payroll. The most common types of shared activities include:
Cash receipts
Cash disbursements
Payroll
Data processing
When designing your activity-level tests, you should be sure to coordinate your tests of shared activities with your tests of individual processing streams. For example, you should plan on testing cash disbursements only once, not several times for each different processing stream that includes cash disbursements.
Sample Sizes and Extent of Tests
Whenever you test activity-level controls, you will have to determine the extent of your tests. If you are testing the reconciliation of significant general ledger accounts to the underlying detailed trial balance, how many reconciliations should you look at? If the control is something that is performed on every transaction—for example, the authorization of payments to vendors—how many should you test?
The extent of your tests should be sufficient to support your conclusion on whether the control is operating effectively at a given point in time. Determining the sufficiency of the extent of your tests is a matter of judgment that is affected by a number of factors. Exhibit 12.1 lists these factors and indicates how they will affect the extent of your tests.
Exhibit 12.1 Determining the Extent of Tests
Effect
|