Читать книгу Wiley Practitioner's Guide to GAAS 2020 - Joanne M. Flood - Страница 256
Tests of Controls
ОглавлениеThe auditor should test controls when:
The auditor will rely on the operating effectiveness of controls to modify the nature, timing, and extent of substantive procedures, or
Substantive procedures alone will not be sufficient. Section 330 provides guidance on determining when substantive procedures alone will not be sufficient.
(AU-C 330.08)
NOTE: When determining whether to rely on the operating effectiveness of controls to modify the nature, timing, and extent of substantive procedures, the auditor may consider matters such as the following:
The incremental cost of testing controls, which includes the cost of testing not just the controls that have a direct effect on the assertion, but also those controls upon which the direct controls depend. When considering incremental testing costs, consider that the costs of evaluating control design have already been incurred (because the auditor must evaluate control design on every audit) and that the incremental cost of obtaining audit evidence about the effective operation of controls may not be substantial.
In many circumstances, audit evidence obtained from tests of controls may be relevant for more than one period. That is, the costs of testing controls may provide benefit for three audit periods.
The benefits to be derived from testing controls. In many cases, testing controls may have benefits that extend beyond the relevant assertion to be addressed by the substantive procedures. For example, testing controls may provide audit evidence about the reliability of the entity’s IT system, which can allow the auditor to rely on other information produced by the system to perform substantive tests. For example, information obtained from a reliable IT system can contribute to more reliable analytical procedures.
The auditor will perform risk assessment procedures to evaluate the design of the entity’s internal control, and these procedures may provide some limited audit evidence about the operating effectiveness of internal control. But risk assessment procedures by themselves generally will not provide sufficient appropriate audit evidence to support relying on controls to modify the nature, timing, and extent of substantive procedures.
