Auditing Standard No. 2

An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements

APPENDIX B

Additional Performance Requirements and Directions; Extent-of-Testing Examples
 

Tests to be Performed When a Company Has Multiple Locations or Business Units

B1.            To determine the locations or business units for performing audit procedures, the auditor should evaluate their relative financial significance and the risk of material misstatement arising from them.  In making this evaluation, the auditor should identify the locations or business units that are individually important, evaluate their documentation of controls, and test controls over significant accounts and disclosures.  For locations or business units that contain specific risks that, by themselves, could create a material misstatement, the auditor should evaluate their documentation of controls and test controls over the specific risks.

B2.            The auditor should determine the other locations or business units that, when aggregated, represent a group with a level of financial significance that could create a material misstatement in the financial statements.  For that group, the auditor should determine whether there are company-level controls in place.  If so, the auditor should evaluate the documentation and test such company-level controls.  If not, the auditor should perform tests of controls at some of the locations or business units. 

B3.            No further work is necessary on the remaining locations or businesses, provided that they are not able to create, either individually or in the aggregate, a material misstatement in the financial statements.

Locations or Business Units That Are Financially Significant

B4.            Because of the importance of financially significant locations or business units, the auditor should evaluate management's documentation of and perform tests of controls over all relevant assertions related to significant accounts and disclosures at each financially significant location or business unit, as discussed in paragraphs 83 through 105.  Generally, a relatively small number of locations or business units will encompass a large portion of a company's operations and financial position, making them financially significant. 

B5.            In determining the nature, timing, and extent of testing at the individual locations or business units, the auditor should evaluate each entity's involvement, if any, with a central processing or shared service environment.

Locations or Business Units That Involve Specific Risks

B6.            Although a location or business unit might not be individually financially significant, it might present specific risks that, by themselves, could create a material misstatement in the company's financial statements.  The auditor should test the controls over the specific risks that could create a material misstatement in the company's financial statements.  The auditor need not test controls over all relevant assertions related to all significant accounts at these locations or business units.  For example, a business unit responsible for foreign exchange trading could expose the company to the risk of material misstatement, even though the relative financial significance of such transactions is low.  

Locations or Business Units That Are Significant Only When Aggregated with Other Locations and Business Units

B7.            In determining the nature, timing, and extent of testing, the auditor should determine whether management has documented and placed in operation company-level controls (see paragraph 53) over individually unimportant locations and business units that, when aggregated with other locations or business units, might have a high level of financial significance.  A high level of financial significance could create a greater than remote risk of material misstatement of the financial statements.

B8.            For the purposes of this evaluation, company-level controls are controls management has in place to provide assurance that appropriate controls exist throughout the organization, including at individual locations or business units.

B9.            The auditor should perform tests of company-level controls to determine whether such controls are operating effectively.  The auditor might conclude that he or she cannot evaluate the operating effectiveness of such controls without visiting some or all of the locations or business units.

B10.        If management does not have company-level controls operating at these locations and business units, the auditor should determine the nature, timing, and extent of procedures to be performed at each location, business unit, or combination of locations and business units.  When determining the locations or business units to visit and the controls to test, the auditor should evaluate the following factors:

  • The relative financial significance of each location or business unit.
  • The risk of material misstatement arising from each location or business unit.
  • The similarity of business operations and internal control over financial reporting at the various locations or business units.
  • The degree of centralization of processes and financial reporting applications.
  • The effectiveness of the control environment, particularly management's direct control over the exercise of authority delegated to others and its ability to effectively supervise activities at the various locations or business units.  An ineffective control environment over the locations or business units might constitute a material weakness.
  • The nature and amount of transactions executed and related assets at the various locations or business units.
  • The potential for material unrecognized obligations to exist at a location or business unit and the degree to which the location or business unit could create an obligation on the part of the company.
  • Management's risk assessment process and analysis for excluding a location or business unit from its assessment of internal control over financial reporting.

B11.        Testing company-level controls is not a substitute for the auditor's testing of controls over a large portion of the company's operations or financial position.  If the auditor cannot test a large portion of the company's operations and financial position by selecting a relatively small number of locations or business units, he or she should expand the number of locations or business units selected to evaluate internal control over financial reporting. 

Note:  The evaluation of whether controls over a large portion of the company's operations or financial position have been tested should be made at the overall level, not at the individual significant account level.

Locations and Business Units That Do Not Require Testing

B12.        No testing is required for locations or business units that individually, and when aggregated with others, could not result in a material misstatement to the financial statements.

Multi-Location Testing Considerations Flowchart

B13.        Illustration B-1 depicts how to apply the directions in this section to a hypothetical company with 150 locations or business units, along with the auditor's testing considerations for those locations or business units.


Illustration B-1 (flowchart not reproduced)

Notes to Illustration B-1:

* Numbers represent number of locations affected.

** See paragraph B7.

Special Situations

B14.        The scope of the evaluation of the company's internal control over financial reporting should include entities that are acquired on or before the date of management's assessment and operations that are accounted for as discontinued operations on the date of management's assessment.  The auditor should consider this multiple locations discussion in determining whether it will be necessary to test controls at these entities or operations.

B15.        For equity method investments, the evaluation of the company's internal control over financial reporting should include controls over the reporting in accordance with generally accepted accounting principles, in the company's financial statements, of the company's portion of the investees' income or loss, the investment balance, adjustments to the income or loss and investment balance, and related disclosures.  The evaluation ordinarily would not extend to controls at the equity method investee.

B16.        In situations in which the SEC allows management to limit its assessment of internal control over financial reporting by excluding certain entities, the auditor may limit the audit in the same manner and report without reference to the limitation in scope.  However, the auditor should evaluate the reasonableness of management's conclusion that the situation meets the criteria of the SEC's allowed exclusion and the appropriateness of any required disclosure related to such a limitation.  If the auditor believes that management's disclosure about the limitation requires modification, the auditor should follow the same communication responsibilities as described in paragraphs 204 and 205.  If management and the audit committee do not respond appropriately, in addition to fulfilling those responsibilities, the auditor should modify his or her report on the audit of internal control over financial reporting to include an explanatory paragraph describing the reasons why the auditor believes management's disclosure should be modified.

B17.        For example, for entities that are consolidated or proportionately consolidated, the evaluation of the company's internal control over financial reporting should include controls over significant accounts and processes that exist at the consolidated or proportionately consolidated entity.  In some instances, however, such as for some variable interest entities as defined in Financial Accounting Standards Board Interpretation No. 46, Consolidation of Variable Interest Entities, management might not be able to obtain the information necessary to make an assessment because it does not have the ability to control the entity.  If management is allowed to limit its assessment by excluding such entities, 1/ the auditor may limit the audit in the same manner and report without reference to the limitation in scope.  In this case, the evaluation of the company's internal control over financial reporting should include evaluation of controls over the reporting in accordance with generally accepted accounting principles, in the company's financial statements, of the company's portion of the entity's income or loss, the investment balance, adjustments to the income or loss and investment balances, and related disclosures.  However, the auditor should evaluate the reasonableness of management's conclusion that it does not have the ability to obtain the necessary information as well as the appropriateness of any required disclosure related to such a limitation.

Use of Service Organizations

B18.        AU sec. 324, Service Organizations, applies to the audit of financial statements of a company that obtains services from another organization that are part of its information system. The auditor may apply the relevant concepts described in AU sec. 324 to the audit of internal control over financial reporting.  Further, although AU sec. 324 was designed to address auditor-to-auditor communications as part of the audit of financial statements, it also is appropriate for management to apply the relevant concepts described in that standard to its assessment of internal control over financial reporting.

B19.        Paragraph .03 of AU sec. 324 describes the situation in which a service organization's services are part of a company's information system.  If the service organization's services are part of a company's information system, as described therein, then they are part of the information and communication component of the company's internal control over financial reporting.  When the service organization's services are part of the company's internal control over financial reporting, management should consider the activities of the service organization in making its assessment of internal control over financial reporting, and the auditor should consider the activities of the service organization in determining the evidence required to support his or her opinion. 

Note:   The use of a service organization does not reduce management's responsibility to maintain effective internal control over financial reporting.

B20.        Paragraphs .07 through .16 in AU sec. 324 describe the procedures that management and the auditor should perform with respect to the activities performed by the service organization.  The procedures include:

  1. Obtaining an understanding of the controls at the service organization that are relevant to the entity's internal control and the controls at the user organization over the activities of the service organization, and
  2. Obtaining evidence that the controls that are relevant to management's assessment and the auditor's opinion are operating effectively.

B21.        Evidence that the controls that are relevant to management's assessment and the auditor's opinion are operating effectively may be obtained by following the procedures described in paragraph .12 of AU sec. 324.  These procedures include:

  1. Performing tests of the user organization's controls over the activities of the service organization (for example, testing the user organization's independent reperformance of selected items processed by the service organization or testing the user organization's reconciliation of output reports with source documents).
  2. Performing tests of controls at the service organization.
  3. Obtaining a service auditor's report on controls placed in operation and tests of operating effectiveness, or a report on the application of agreed-upon procedures that describes relevant tests of controls.

Note: The service auditor's report referred to above means a report with the service auditor's opinion on the service organization's description of the design of its controls, the tests of controls, and results of those tests performed by the service auditor, and the service auditor's opinion on whether the controls tested were operating effectively during the specified period (in other words, "reports on controls placed in operation and tests of operating effectiveness" described in paragraph .24b of AU sec. 324).  A service auditor's report that does not include tests of controls, results of the tests, and the service auditor's opinion on operating effectiveness (in other words, "reports on controls placed in operation" described in paragraph .24a of AU sec. 324) does not provide evidence of operating effectiveness.  Furthermore, if the evidence regarding operating effectiveness of controls comes from an agreed-upon procedures report rather than a service auditor's report issued pursuant to AU sec. 324, management and the auditor should evaluate whether the agreed-upon procedures report provides sufficient evidence in the same manner described in the following paragraph.

B22.        If a service auditor's report on controls placed in operation and tests of operating effectiveness is available, management and the auditor may evaluate whether this report provides sufficient evidence to support the assessment and opinion, respectively.  In evaluating whether such a service auditor's report provides sufficient evidence, management and the auditor should consider the following factors:

  • The time period covered by the tests of controls and its relation to the date of management's assessment,
  • The scope of the examination and applications covered, the controls tested, and the way in which tested controls relate to the company's controls,
  • The results of those tests of controls and the service auditor's opinion on the operating effectiveness of the controls.

Note: These factors are similar to factors the auditor would consider in determining whether the report provides sufficient evidence to support the auditor's assessed level of control risk in an audit of the financial statements as described in paragraph .16 of AU sec. 324.

B23.        If the service auditor's report on controls placed in operation and tests of operating effectiveness contains a qualification that the stated control objectives might be achieved only if the company applies controls contemplated in the design of the system by the service organization, the auditor should evaluate whether the company is applying the necessary procedures.  For example, completeness of processing payroll transactions might depend on the company's validation that all payroll records sent to the service organization were processed by checking a control total. 

B24.        In determining whether the service auditor's report provides sufficient evidence to support management's assessment and the auditor's opinion, management and the auditor should make inquiries concerning the service auditor's reputation, competence, and independence.  Appropriate sources of information concerning the professional reputation of the service auditor are discussed in paragraph .10a of AU sec. 543, Part of Audit Performed by Other Independent Auditors.  

B25.        When a significant period of time has elapsed between the time period covered by the tests of controls in the service auditor's report and the date of management's assessment, additional procedures should be performed.  The auditor should inquire of management to determine whether management has identified any changes in the service organization's controls subsequent to the period covered by the service auditor's report (such as changes communicated to management from the service organization, changes in personnel at the service organization with whom management interacts, changes in reports or other data received from the service organization, changes in contracts or service level agreements with the service organization, or errors identified in the service organization's processing).  If management has identified such changes, the auditor should determine whether management has performed procedures to evaluate the effect of such changes on the effectiveness of the company's internal control over financial reporting.  The auditor also should consider whether the results of other procedures he or she performed indicate that there have been changes in the controls at the service organization that management has not identified.

B26.        The auditor should determine whether to obtain additional evidence about the operating effectiveness of controls at the service organization based on the procedures performed by management or the auditor and the results of those procedures and on an evaluation of the following factors.  As these factors increase in significance, the need for the auditor to obtain additional evidence increases.

  • The elapsed time between the time period covered by the tests of controls in the service auditor's report and the date of management's assessment,
  • The significance of the activities of the service organization,
  • Whether there are errors that have been identified in the service organization's processing, and
  • The nature and significance of any changes in the service organization's controls identified by management or the auditor.

B27.        If the auditor concludes that additional evidence about the operating effectiveness of controls at the service organization is required, the auditor's additional procedures may include:

  • Evaluating the procedures performed by management and the results of those procedures.
  • Contacting the service organization, through the user organization, to obtain specific information.
  • Requesting that a service auditor be engaged to perform procedures that will supply the necessary information.
  • Visiting the service organization and performing such procedures.

B28.        Based on the evidence obtained, management and the auditor should determine whether they have obtained sufficient evidence to obtain the reasonable assurance necessary for their assessment and opinion, respectively.

B29.        The auditor should not refer to the service auditor's report when expressing an opinion on internal control over financial reporting. 

Examples of Extent-of-Testing Decisions

B30.        As discussed throughout this standard, determining the effectiveness of a company's internal control over financial reporting includes evaluating the design and operating effectiveness of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements.  Paragraphs 88 through 107 provide the auditor with directions about the nature, timing, and extent of testing of the design and operating effectiveness of internal control over financial reporting. 

B31.        Examples B-1 through B-4 illustrate how to apply this information in various situations.  These examples are for illustrative purposes only.

Example B-1 - Daily Programmed Application Control and Daily Information Technology-Dependent Manual Control

The auditor has determined that cash and accounts receivable are significant accounts to the audit of XYZ Company's internal control over financial reporting.  Based on discussions with company personnel and review of company documentation, the auditor learned that the company had the following procedures in place to account for cash received in the lockbox:

  1. The company receives a download of cash receipts from the banks.
  2. The information technology system applies cash received in the lockbox to individual customer accounts.
  3. Any cash received in the lockbox and not applied to a customer's account is listed on an exception report (Unapplied Cash Exception Report).
    • Therefore, the application of cash to a customer's account is a programmed application control, while the review and follow-up of unapplied cash from the exception report is a manual control.

To determine whether misstatements in cash (existence assertion) and accounts receivable (existence, valuation, and completeness) would be prevented or detected on a timely basis, the auditor decided to test the controls provided by the system in the daily reconciliation of lockbox receipts to customer accounts, as well as the control over reviewing and resolving unapplied cash in the Unapplied Cash Exception Report.

Nature, Timing, and Extent of Procedures.   To test the programmed application control, the auditor:

  • Identified, through discussion with company personnel, the software used to receive the download from the banks and to process the transactions and determined that the banks supply the download software.
    -- The company uses accounting software acquired from a third-party supplier.   The software consists of a number of modules.  The client modifies the software only for upgrades supplied by the supplier.
  • Determined, through further discussion with company personnel, that the cash module operates the lockbox functionality and the posting of cash to the general ledger.  The accounts receivable module posts the cash to individual customer accounts and produces the Unapplied Cash Exception Report, a standard report supplied with the package.  The auditor agreed this information to the supplier's documentation.
  • Identified, through discussions with company personnel and review of the supplier's documentation, the names, file sizes (in bytes), and locations of the executable files (programs) that operate the functionality under review.  The auditor then identified the compilation dates of these programs and agreed them to the original installation date of the application.
  • Identified the objectives of the programs to be tested.  The auditor wanted to determine whether only appropriate cash items are posted to customers' accounts and matched to customer number, invoice number, amount, etc., and that there is a listing of inappropriate cash items (that is, any of the above items not matching) on the exception report. 

In addition, the auditor had evaluated and tested general computer controls, including program changes (for example, confirmation that no unauthorized changes are undertaken) and logical access (for example, data file access to the file downloaded from the banks and user access to the cash and accounts receivable modules) and concluded that they were operating effectively.

To determine whether such programmed controls were operating effectively, the auditor performed a walkthrough in the month of July.  The computer controls operate in a systematic manner; therefore, the auditor concluded that it was sufficient to perform a walkthrough for only the one item.  During the walkthrough, the auditor performed and documented the following items:

  1. Selected one customer and agreed the amount billed to the customer to the cash received in the lockbox.
  2. Agreed the total of the lockbox report to the posting of cash receipts in the general ledger.
  3. Agreed the total of the cash receipt download from the bank to the lockbox report and supporting documentation.
  4. Selected one customer's remittance and agreed the amount posted to the customer's account in the accounts receivable subsidiary ledger.

To test the detective control of review and follow up on the Daily Unapplied Cash Exception Report, the auditor:

  1. Made inquiries of company personnel.  To understand the procedures in place to ensure that all unapplied items are resolved, the time frame in which such resolution takes place, and whether unapplied items are handled properly within the system, the auditor discussed these matters with the employee responsible for reviewing and resolving the Daily Unapplied Cash Exception Reports.  The auditor learned that, when items appear on the Daily Unapplied Cash Exception Report, the employee must manually enter the correction into the system.  The employee typically performs the resolution procedures the next business day.  Items that typically appear on the Daily Unapplied Cash Exception Report relate to payments made by a customer without reference to an invoice number/purchase order number or to underpayments of an invoice due to quantity or pricing discrepancies.
  2. Observed personnel performing the control.  The auditor then observed the employee reviewing and resolving a Daily Unapplied Cash Exception Report.  The day selected contained four exceptions - three related to payments made by a customer without an invoice number, and one related to an underpayment due to a pricing discrepancy.
    • For the pricing discrepancy, the employee determined, through discussions with a sales person, that the customer had been billed an incorrect price; a price break that the sales person had granted to the customer was not reflected on the customer's invoice.  The employee resolved the pricing discrepancy, determined which invoices were being paid, and entered a correction into the system to properly apply cash to the customer's account and reduce accounts receivable and sales accounts for the amount of the price break.
  3. Reperformed the control.  Finally, the auditor selected 25 Daily Unapplied Cash Exception Reports from the period January to September.  For the reports selected, the auditor reperformed the follow-up procedures that the employee performed.  For instance, the auditor inspected the documents and sources of information used in the follow-up and determined that the transaction was properly corrected in the system.  The auditor also scanned other Daily Unapplied Cash Exception Reports to determine that the control was performed throughout the period of intended reliance.

Because the tests of controls were performed at an interim date, the auditor had to determine whether there were any significant changes in the controls from interim to year-end.  Therefore, the auditor asked company personnel about the procedures in place at year-end.  Such procedures had not changed from the interim period; therefore, the auditor observed that the controls were still in place by scanning Daily Unapplied Cash Exception Reports to determine that the control was performed on a timely basis during the period from September to year-end.

Based on the auditor's procedures, the auditor concluded that the employee was clearing exceptions in a timely manner and that the control was operating effectively as of year-end. 

Example B-2 - Monthly Manual Reconciliation

The auditor determined that accounts receivable is a significant account to the audit of XYZ Company's internal control over financial reporting.  Through discussions with company personnel and review of company documentation, the auditor learned that company personnel reconcile the accounts receivable subsidiary ledger to the general ledger on a monthly basis.  To determine whether misstatements in accounts receivable (existence, valuation, and completeness) would be detected on a timely basis, the auditor decided to test the control provided by the monthly reconciliation process.

Nature, Timing, and Extent of Procedures.   The auditor tested the company's reconciliation control by selecting a sample of reconciliations based upon the number of accounts, the dollar value of the accounts, and the volume of transactions affecting the account.  Because the auditor considered all other receivable accounts immaterial, and because such accounts had only minimal transactions flowing through them, the auditor decided to test only the reconciliation for the trade accounts receivable account.  The auditor elected to perform the tests of controls over the reconciliation process in conjunction with the auditor's substantive procedures over the accounts receivable confirmation procedures, which were performed in July. 

To test the reconciliation process, the auditor:

  1. Made inquiries of personnel performing the control.  The auditor asked the employee performing the reconciliation a number of questions, including the following:
    • What documentation describes the account reconciliation process?
    • How long have you been performing the reconciliation work?
    • What is the reconciliation process for resolving reconciling items?
    • How often are the reconciliations formally reviewed and signed off?
    • If significant issues or reconciliation problems are noticed, to whose attention do you bring them?
    • On average, how many reconciling items are there? 
    • How are old reconciling items treated?
    • If need be, how is the system corrected for reconciling items?
    • What is the general nature of these reconciling items?
  2. Observed the employee performing the control.  The auditor observed the employee performing the reconciliation procedures.  For nonrecurring reconciling items, the auditor observed whether each item included a clear explanation as to its nature, the action that had been taken to resolve it, and whether it had been resolved on a timely basis.
  3. Reperformed the control.  Finally, the auditor inspected the reconciliations and reperformed the reconciliation procedures.  For the May and July reconciliations, the auditor traced the reconciling amounts to the source documents on a test basis.  The only reconciling item that appeared on these reconciliations was cash received in the lockbox the previous day that had not been applied yet to the customer's account.  The auditor pursued the items in each month's reconciliation to determine that the reconciling item cleared the following business day.  The auditor also scanned through the file of all reconciliations prepared during the year and noted that they had been performed on a timely basis.  To determine that the company had not made significant changes in its reconciliation control procedures from interim to year-end, the auditor made inquiries of company personnel and determined that such procedures had not changed from interim to year-end.  Therefore, the auditor verified that controls were still in place by scanning the monthly account reconciliations to determine that the control was performed on a timely basis during the interim to year-end period.

Based on the auditor's procedures, the auditor concluded that the reconciliation control was operating effectively as of year-end.

Example B-3 - Daily Manual Preventive Control

The auditor determined that cash and accounts payable were significant accounts to the audit of the company's internal control over financial reporting.  Through discussions with company personnel, the auditor learned that company personnel make a cash disbursement only after they have matched the vendor invoice to the receiver and purchase order.  To determine whether misstatements in cash (existence) and accounts payable (existence, valuation, and completeness) would be prevented on a timely basis, the auditor tested the control over making a cash disbursement only after matching the invoice with the receiver and purchase.   

Nature, Timing, and Extent of Procedures.   On a haphazard basis, the auditor selected 25 disbursements from the cash disbursement registers from January through September.  In this example, the auditor deemed a test of 25 cash disbursement transactions an appropriate sample size because the auditor was testing a manual control performed as part of the routine processing of cash disbursement transactions through the system.  Furthermore, the auditor expected no errors based on the results of company-level tests performed earlier.  [If, however, the auditor had encountered a control exception, the auditor would have attempted to identify the root cause of the exception and tested an additional number of items.  If another control exception had been noted, the auditor would have decided that this control was not effective.  As a result, the auditor would have decided to increase the extent of substantive procedures to be performed in connection with the financial statement audit of the cash and accounts payable accounts.]

  1. After obtaining the related voucher package, the auditor examined the invoice to see if it included the signature or initials of the accounts payable clerk, evidencing the clerk's performance of the matching control.  However, a signature on a voucher package to indicate signer approval does not necessarily mean that the person carefully reviewed it before signing.  The voucher package may have been signed based on only a cursory review, or without any review.
  2. The auditor decided that the quality of the evidence regarding the effective operation of the control evidenced by a signature or initials was not sufficiently persuasive to ensure that the control operated effectively during the test period.   In order to obtain additional evidence, the auditor reperformed the matching control corresponding to the signature, which included examining the invoice to determine that (a) its items matched to the receiver and purchase order and (b) it was mathematically accurate. 

Because the auditor performed the tests of controls at an interim date, the auditor updated the testing through the end of the year (initial tests are through September to December) by asking the accounts payable clerk whether the control was still in place and operating effectively.  The auditor confirmed that understanding by performing a walkthrough of one transaction in December.

Based on the auditor's procedures, the auditor concluded that the control over making a cash disbursement only after matching the invoice with the receiver and purchase was operating effectively as of year-end. 

Example B-4 - Programmed Prevent Control and Weekly Information Technology-Dependent Manual Detective Control

The auditor determined that cash, accounts payable, and inventory were significant accounts to the audit of the company's internal control over financial reporting.  Through discussions with company personnel, the auditor learned that the company's computer system performs a three-way match of the receiver, purchase order, and invoice.  If there are any exceptions, the system produces a list of unmatched items that employees review and follow up on weekly. 

In this case, the computer match is a programmed application control, and the review and follow-up of the unmatched items report is a detective control.  To determine whether misstatements in cash (existence) and accounts payable/inventory (existence, valuation, and completeness) would be prevented or detected on a timely basis, the auditor decided to test the programmed application control of matching the receiver, purchase order, and invoice as well as the review and follow-up control over unmatched items.    

Nature, Timing, and Extent of Procedures.   To test the programmed application control, the auditor:

  1. Identified, through discussion with company personnel, the software used to process receipts and purchase invoices.  The software used was a third-party package consisting of a number of modules.
  2. Determined, through further discussion with company personnel, that they do not modify the core functionality of the software, but sometimes make personalized changes to reports to meet the changing needs of the business.  From previous experience with the company's information technology environment, the auditor believes that such changes are infrequent and that information technology process controls are well established.
  3. Established, through further discussion, that the inventory module operated the receiving functionality, including the matching of receipts to open purchase orders.   Purchase invoices were processed in the accounts payable module, which matched them to an approved purchase order against which a valid receipt has been made.  That module also produced the Unmatched Items Report, a standard report supplied with the package to which the company has not made any modifications.  That information was agreed to the supplier's documentation and to documentation within the information technology department.
  4. Identified, through discussions with the client and review of the supplier's documentation, the names, file sizes (in bytes), and locations of the executable files (programs) that operate the functionality under review.  The auditor then identified the compilation dates of the programs and agreed them to the original installation date of the application.  The compilation date of the report code was agreed to documentation held within the information technology department relating to the last change made to that report (a change in formatting).
  5. Identified the objectives of the programs to be tested.  The auditor wanted to determine whether appropriate items are received (for example, match a valid purchase order), appropriate purchase invoices are posted (for example, match a valid receipt and purchase order, non-duplicate reference numbers) and unmatched items (for example, receipts, orders or invoices) are listed on the exception report.  The auditor then reperformed all those variations in the packages on a test-of-one basis to determine that the programs operated as described.

In addition, the auditor had evaluated and tested general computer controls, including program changes (for example, confirmation that no unauthorized changes are undertaken to the functionality and that changes to reports are appropriately authorized, tested, and approved before being applied) and logical access (for example, user access to the inventory and accounts payable modules and access to the area on the system where report code is maintained), and concluded that they were operating effectively.  (Since the computer is deemed to operate in a systematic manner, the auditor concluded that it was sufficient to perform a walkthrough for only the one item.)  

To determine whether the programmed control was operating effectively, the auditor performed a walkthrough in the month of July.  As a result of the walkthrough, the auditor performed and documented the following items:

  1. Receiving cannot record the receipt of goods without matching the receipt to a purchase order on the system.  The auditor tested that control by attempting to record the receipt of goods into the system without a purchase order.  However, the system did not allow the auditor to do that.  Rather, the system produced an error message stating that the goods could not be recorded as received without an active purchase order. 
  2. An invoice will not be paid unless the system can match the receipt and vendor invoice to an approved purchase order.  The auditor tested that control by attempting to approve an invoice for payment in the system.  The system did not allow the auditor to do that.  Rather, it produced an error message indicating that invoices could not be paid without an active purchase order and receiver.
  3. The system disallows the processing of invoices with identical vendor and identical invoice numbers.  In addition, the system will not allow two invoices to be processed against the same purchase order unless the sum of the invoices is less than the amount approved on the purchase order.  The auditor tested that control by attempting to process duplicate invoices.  However, the system produced an error message indicating that the invoice had already been processed. 
  4. The system compares the invoice amounts to the purchase order.  If there are differences in quantity/extended price, and such differences fall outside a pre-approved tolerance, the system does not allow the invoice to be processed.  The auditor tested that control by attempting to process an invoice that had quantity/price differences outside the tolerance level of 10 pieces, or $1,000.   The system produced an error message indicating that the invoice could not be processed because of such differences. 
  5. The system processes payments only for vendors established in the vendor master file.  The auditor tested that control by attempting to process an invoice for a vendor that was not established in the vendor master file.  However, the system did not allow the payment to be processed.
  6. The auditor tested user access to the vendor file and whether such users can make modifications to such file by attempting to access and make changes to the vendor tables.  However, the system did not allow the auditor to perform that function and produced an error message stating that the user was not authorized to perform that function. 
  7. The auditor verified the completeness and accuracy of the Unmatched Items Report by verifying that one unmatched item was on the report and one matched item was not on the report. 

    Note: It is inadvisable for the auditor to have uncontrolled access to the company's systems in his or her attempts described above to record the receipt of goods without a purchase order, approve an invoice for payment, process duplicate invoices, etc.  These procedures ordinarily are performed in the presence of appropriate company personnel so that they can be notified immediately of any breach to their systems.
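
The rules exercised in walkthrough items 1 to 5 and 7, modelled as an added example (not part of the standard and not the company's software).  Class names, method names, error wording, and sample data are hypothetical; the cumulative-invoice limit in item 3 and the access check in item 6 are omitted; and the tolerance is assumed to be breached when either the quantity differs by more than 10 pieces or the amount by more than $1,000.

```python
from dataclasses import dataclass

QTY_TOLERANCE, AMOUNT_TOLERANCE = 10, 1000  # pieces, dollars (walkthrough item 4)

@dataclass
class PurchaseOrder:
    qty: int
    amount: float

class PayablesSystem:
    """Hypothetical model; each method returns an error message, or None if accepted."""
    def __init__(self, vendor_master, open_orders):
        self.vendor_master = set(vendor_master)
        self.pos = dict(open_orders)  # po_id -> PurchaseOrder (active orders only)
        self.received = set()         # po_ids with a recorded receiver
        self.invoices = {}            # (vendor, invoice_no) -> po_id

    def record_receipt(self, po_id):                                  # item 1
        if po_id not in self.pos:
            return "no active purchase order"
        self.received.add(po_id)

    def post_invoice(self, vendor, invoice_no, po_id, qty, amount):
        if vendor not in self.vendor_master:                          # item 5
            return "vendor not in vendor master file"
        if (vendor, invoice_no) in self.invoices:                     # item 3
            return "invoice already processed"
        if po_id not in self.pos or po_id not in self.received:       # item 2
            return "no active purchase order and receiver"
        po = self.pos[po_id]
        if abs(qty - po.qty) > QTY_TOLERANCE or abs(amount - po.amount) > AMOUNT_TOLERANCE:
            return "difference outside tolerance"                     # item 4
        self.invoices[(vendor, invoice_no)] = po_id

    def unmatched_items_report(self):                                 # item 7
        matched = set(self.invoices.values())
        return sorted(p for p in self.pos if p not in matched)

def walkthrough():
    """Test of one per rule on constructed data; returns each attempt's outcome in order."""
    s = PayablesSystem({"ACME"}, {"PO-1": PurchaseOrder(100, 5000.0), "PO-2": PurchaseOrder(50, 2000.0)})
    return [s.record_receipt("PO-9"),                               # no such purchase order
            s.post_invoice("ACME", "INV-1", "PO-1", 100, 5000.0),   # no receiver recorded yet
            s.record_receipt("PO-1"),                               # accepted
            s.post_invoice("GHOST", "INV-1", "PO-1", 100, 5000.0),  # vendor not established
            s.post_invoice("ACME", "INV-1", "PO-1", 111, 5000.0),   # 11 pieces over the order
            s.post_invoice("ACME", "INV-1", "PO-1", 105, 5000.0),   # within tolerance, accepted
            s.post_invoice("ACME", "INV-1", "PO-1", 105, 5000.0),   # duplicate invoice number
            s.unmatched_items_report()]                             # PO-2 is still unmatched
```

Each rejected attempt corresponds to one error message in the walkthrough, and the final entry shows the one unmatched order on the report while the matched order is absent.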

To test the detect control of review and follow up on the Unmatched Items Report, the auditor performed the following procedures in the month of July for the period January to July:

  1. Made inquiries of company personnel.  To gain an understanding of the procedures in place to ensure that all unmatched items are followed up properly and that corrections are made on a timely basis, the auditor made inquiries of the employee who follows up on the weekly Unmatched Items Reports.  On a weekly basis, the control required the employee to review the Unmatched Items Report to determine why items appear on it.  The employee's review includes proper follow-up on items, including determining whether:
    • All open purchase orders are either closed or voided within an acceptable amount of time.
    • The requesting party is notified periodically of the status of the purchase order and the reason for its current status.
    • The reason the purchase order remains open is due to incomplete shipment of goods and, if so, whether the vendor has been notified.
    • There are quantity problems that should be discussed with purchasing.
  2. Observed the performance of the control.  The auditor observed the employee performing the control for the Unmatched Items Reports generated during the first week in July.
  3. Reperformed the control.  The auditor selected five weekly Unmatched Items Reports, selected several items from each, and reperformed the procedures that the employee performed.  The auditor also scanned other Unmatched Items Reports to determine that the control was performed throughout the period of intended reliance.

To determine that the company had not made significant changes in their controls from interim to year-end, the auditor discussed with company personnel the procedures in place for making such changes.  Since the procedures had not changed from interim to year-end, the auditor observed that the controls were still in place by scanning the weekly Unmatched Items Reports to determine that the control was performed on a timely basis during the interim to year-end period.

Based on the auditor's procedures, the auditor concluded that the employee was clearing exceptions in a timely manner and that the control was operating effectively as of year-end.

1/ It is our understanding that the SEC Staff may conclude that management can limit the scope of its assessment if it does not have the authority to affect, and therefore cannot assess, the controls in place over certain amounts.  This would relate to entities that are consolidated or proportionately consolidated when the issuer does not have sufficient control over the entity to assess and affect controls.  If management's report on its assessment of the effectiveness of internal control over financial reporting is limited in that manner, the SEC staff may permit the company to disclose this fact as well as information about the magnitude of the amounts included in the financial statements from entities whose controls cannot be assessed.  This disclosure would be required in each filing, but outside of management's report on its assessment of the effectiveness of internal control over financial reporting.