Wednesday, August 26, 2015

Audit Method: Controls

Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels. Examples of specific control activities include those relating to the following:

  1. Authorization.
  2. Performance reviews.
  3. Information processing.
  4. Physical controls.
  5. Segregation of duties.


An auditor would be required to conduct a walkthrough test to confirm the understanding as documented. Identify the preventive (exercised before the occurrence of transactions and events) and the detective and corrective (exercised after the occurrence of transactions and events) controls established by management to support its assertions. Preventive, detective and corrective controls can be:

  1. Application controls
  2. IT-dependent manual controls
  3. Manual controls


Application controls are automated controls processed by the entity’s IT applications without manual interference. Examples of application controls are edit checks, validations, automatic calculations, authorizations, etc.

IT-dependent manual controls are controls in which we consider both the manual and the automated aspect of the control, e.g. a review of a computer-generated sales orders report to determine that all sales are invoiced.

Manual controls are those controls that are operated completely manually, e.g. bank reconciliations, where the entity reconciles cash to the bank statement.

Recommendation
Controls are performed to check the accuracy, completeness, and authorization of transactions. A concept called the Internal Control Stream is introduced by Thomas P. Houck in his book “Why and How Audits Must Change: Practical Guidance to Improve Your Audits”. According to Thomas P. Houck, this concept helps auditors better understand the many controls that can exist in a company. The "stream" represents the path that a transaction follows as it moves from inception to its ultimate resting place in the financial statements. Controls can be located at different spots along the stream. Upstream controls help to ensure that transactions are properly entered into the computer system. Information technology controls are automated controls that help to prevent misstatements. Downstream controls come into play after information is processed in a computer system. An auditor is required to apply appropriate tests of controls to assess the reasonableness of the design of the system of internal control by making enquiries of relevant client personnel and documenting the same.
