Auditing Standard No. 12

Identifying and Assessing Risks of Material Misstatement

Appendix B – Consideration of Manual and Automated Systems and Controls

B1.     While obtaining an understanding of the company's information system related to financial reporting, the auditor should obtain an understanding of how the company uses information technology ("IT") and how IT affects the financial statements.1/ The auditor also should obtain an understanding of the extent of manual controls and automated controls used by the company, including the IT general controls that are important to the effective operation of the automated controls. That information should be taken into account in assessing the risks of material misstatement.2/    

B2.     Controls in a manual system might include procedures such as approvals and reviews of transactions, and reconciliations and follow-up of reconciling items.

B3.     Alternatively, a company might use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format would replace paper documents. When IT is used to initiate, record, process, and report transactions, the IT systems and programs may include controls related to the relevant assertions of significant accounts and disclosures or may be critical to the effective functioning of manual controls that depend on IT.

B4.     The auditor should obtain an understanding of specific risks to a company's internal control over financial reporting resulting from IT. Examples of such risks include:

  • Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both;
  • Unauthorized access to data that might result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions or inaccurate recording of transactions (particular risks might arise when multiple users access a common database);
  • The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties;
  • Unauthorized changes to data in master files;
  • Unauthorized changes to systems or programs;
  • Failure to make necessary changes to systems or programs;
  • Inappropriate manual intervention; and
  • Potential loss of data or inability to access data as required.

B5.     In obtaining an understanding of the company's control activities, the auditor should obtain an understanding of how the company has responded to risks arising from IT.

B6.     When a company uses manual elements in internal control systems and the auditor plans to rely on, and therefore test, those manual controls, the auditor should design procedures to test the consistency in the application of those manual controls.

1/ See also AU sec. 324, Service Organizations, if the company uses a service organization for services that are part of the company's internal control over financial reporting.

2/ See also paragraphs 16-17 of Auditing Standard No. 9, Audit Planning.