Column Heading Questions
In both the Entity-Level Control Form and the Control Activities Form, the column headings contain questions for each control principle/objective and control activity. The questions are conditional and appear in blue text at the top of the form.
The sections below describe each heading.
Evaluate Objective
Indicate whether you want to evaluate the control objective. A control objective states the purpose of a control in relation to risks of material misstatements in the financial statements. By considering control objectives and how they relate to risks, you may find it easier to identify relevant controls. Furthermore, you may find it easier to evaluate whether existing controls, if operating effectively, would fully achieve the objective or if deficiencies exist either in design or through non-existent controls.
Generally, you should focus on control objectives related to the assertions you identified as potentially being higher risk. In other words, focus on those that relate to the risks that caused you to identify the transaction class as significant. Then, identify the key controls for those objectives.
This question appears only on the
Control Activities Form
for Process Level Controls and General Computer Controls.
Addresses Significant Risk
Indicate whether the control addresses an identified fraud or other significant risk.
This question only appears on the
Control Activities Form
for Process Level Controls.
Key Control
You are not required to understand all controls and control activities that might exist in an entity. Rather, you should focus on key controls (those that are most important in achieving the control objectives you intend to evaluate). When determining which controls are key, consider factors such as:
The nature of the risks being addressed
The characteristics of related account balances or transaction classes
Whether the control is preventive (prevents misstatements) or detective (detects misstatements)
Whether the control works in combination with or relies on the operation of other controls
Whether the control is manual or automated
Certain controls that typically are key are selected by default; however, you should evaluate them based on your individual client situations, considering the risks that caused you to identify the transaction class as significant.
Implemented
Indicate whether the control has been implemented. Note that not all controls listed must be implemented to achieve the control objective, but typically, those that you have identified as key controls should be appropriately designed and implemented. Generally, you can determine implementation using procedures such as observation or inspection in combination with inquiries. Note that inquiry alone is not sufficient to evaluate the design of a control and determine if it has been implemented.
Select
Yes
,
No
, or
N/A
from the drop-down list in the
Implemented?
column.
Control Type
For each implemented control that you intend to evaluate, indicate whether the control is preventative (prevents misstatements) or detective (detects misstatements).
Select
Preventive
or
Detective
from the drop-down list in the
Control Type
column.
IT Dependent
If you selected
Yes
for the control from the
Control has been Implemented
drop-down list, the
IT Dependent
check box is enabled. Select the check box if the control is dependent upon information technology (IT). Examples of IT dependent controls include automated system controls that prevent access to data by unauthorized users, manual reviews or reconciliation based on computer-generated reports or spreadsheets, and so forth. For IT dependent controls, you need to indicate whether it is automated and identify the underlying software application.
Automated
If you selected the
IT Dependent
check box, the
Automated
check box is enabled. Indicate whether the control requires user intervention (manual control) or is performed by the system without user intervention (automated control). Manual controls in an automated system may use information produced by the system or may be limited to monitoring the automated controls and handling exceptions. Automated controls include processes such as edit and validation routines embedded in computer programs.
The use of manual controls is often more effective when judgment and discretion are needed. For example, manual controls are generally more appropriate in the following ways:
For large, unusual, or nonrecurring transactions,
When monitoring the effectiveness of automated controls,
In changing circumstances where a control response may be needed outside of the scope of an automated control
When misstatements are difficult to anticipate, define, or predict
However, manual controls may be subject to override, misinterpretation, error, or bypass. As a result, automated controls may be more suitable in the following situations:
Recurring or high-volume transactions
Situations where errors can be anticipated, predicted, prevented, or detected by control parameters subject to automation
Control activities whose nature allows the use of properly designed automated control processes
Software Application
When evaluating the effectiveness of IT dependent controls, it is important to also consider the design of general computer controls around the software applications upon which the IT dependent controls rely. Evaluating the effectiveness of IT general controls is required if performing a public company audit of internal control. For example, to assess whether a control such as management’s review of sales by product is effective, you must also consider whether the general controls around the computer application that produces the sales by product report are effective and result in a reliable report.
For each IT dependent control that you intend to evaluate (for example, each IT dependent key control), indicate the computer software application upon which the control depends. This value is carried forward to the general computer controls section, where you can evaluate general computer controls over the software application.
Click the browse button
next to the
Software Application
field for the control you are describing to open the
Software Applications
window.
At the bottom of the
Software Applications
window, type the name of the application in the entry field and click the
Add Application
button.
Select the
Significant for this Control?
check box, if applicable.
Effectively Designed
For those control principles/objectives that you intend to evaluate, conclude whether the control system is effectively designed to achieve the control objective.
Evaluation of design effectiveness considers whether an implemented control, individually or in combination with other implemented controls, is capable of effectively preventing or detecting and correcting errors that could result in material misstatements. That is, it considers the effectiveness of implemented controls in achieving the objective. If controls related to an objective are improperly designed, a control deficiency may exist that needs to be communicated to management and those charged with governance.
Test
If you selected
Yes
under
Control has been Implemented
, the
Test
column is activated. Select the check box if you plan to test the control.
Financial Statement Audit
It is necessary to test controls only if you determine the following:
Doing so allows you to assess control risk for an assertion at less than high and therefore reduce the nature or extent of substantive procedures, resulting in a more effective, efficient audit.
Substantive procedures alone are not effective.
If you plan to test and rely on information technology (IT) dependent controls, you also should test general computer controls around the software applications upon which the IT dependent controls depend.
Test only key controls that you have determined are suitably designed and have been implemented to prevent or detect material misstatements in specific assertions.
SAS No. 110
recognizes that control test results may be relied upon for three years, subject to certain conditions, so that tests of controls can be rotated using a three-year cycle. However, controls that have changed since they were last tested or controls that mitigate fraud risks or other significant risks should be retested each year. Controls that have not changed should be retested at least every third year. In addition, if a number of controls are being rotationally tested, some controls should be tested each year.