In this posting, we would like to discuss about some misconception in financial audit practices. Our discussion focus on misconception which often found in financial audit engagements or in some articles. Here are some misconception that we have found, especially in Indonesia:
Misconception of Financial Audit Practices - Part 1
1. Risk-Based Audit = Audit Risk ModelSome auditors argue that risk-based audit is similar with audit risk model. This misconception caused those auditors took the same methodology/ approach in conducting any type of audit engagement. Moreover, some auditors can not differentiate between risk assessment approach applied in risk based audit and risk assessment applied in risk management.
2. No different between Preliminary Assessment of Control and Test of Control.When performing financial audit, we often just perform test the implementation of control, but not test of control (test control’s functioning), and without assessing the adequacy of the control design. Some of us thought that test of controls include test of control's design.
We should obtain understanding and perform Preliminary Assessment of Control at plan phase. The result of the understanding and assessment of control design and limited test on control's function is used to determine the level of control risk (CR). While test of control is performed only if auditor want to reduce the determined CR. It test the function/ effectiveness of control. If the auditor decide not to reduce the determined CR, then auditor does not perform ToC and move to next phase, i.e. substantive test of transactions.
3. If the result of preliminary assessment of control concluded that the control is so weak/ poor, then no need to perform test of control (ToC).Some of us argue that if the result of an assessment of control’s design concludes that the control’s design is so weak, than audit engagement just jumps to substantive tests phase, without performing test of control. This procedures is based on argument that if the control’s design is so weak than it MUST be that there are no control which is functioning.
This misconception is caused by two misperceptions:
a. The main objective of test of control (ToC) in financial audit is the same with other ToC in other audits engagements, i.e.: to assess the control’s functioning/ effectiveness.
In financial audit, auditor determine control risk (ex: CR= 40%, control is strong) in preliminary phase, i.e. after understanding/ assessing client’s control. Then, (even in a strong control system) if auditor does not want to reduce CR, then auditor does not need to perform ToC. But, if auditor want to reduce CR (ex: from control so weak, CR = 100%, need be reduced to CR = 90%, in order to increase DR and TE, means reduce audit cost), then auditor need to perform ToC.
So the main objective of ToC in Financial Audit is to reduce CR, not to assess the control’s functioning/ effectiveness (even though in performing ToC, auditor will test the operating or effectiveness of control).
To provide more understanding about the above process, we provide the financial audit process, as follows:
|Audit Process Summary by Yulias C Sihombing|
|Dual Purpose Test by Yulias C Sihombing|
Some auditors and articles argue that if control design is not present or so poor, then there must be no control’s functions or operations. So they argue that auditor does need to perform an assessment of control’s function if there is no present of control design.
According to me, those argument is not appropriate. The control system is very correlated with the complexity, risk, size, and maturity of an organization. The system must be developed by considering its cost and benefit.
- For small organizations, we often found that the control design would be simple and often no formal documentation. Tend to be simple to make it efficient. But, they have control functioning.
- For mature organizations, we also often found that the control design is simple, but utilizing sophisticated technology. Documentation of control design is less visible. The functioning of the system is relied on the integrity and the quality of management and all of members. That is why they still have control functioning.
4. Dual purpose test = test of control + substantive test.Some modules (and some auditors) defines dual purpose test as a test designed to accomplish two audit objectives, i.e. to test of control and to test the existence of misstatement. Further, the module states that if the auditor found a weakness in control, then to be efficient, auditor will perform test of details to detect misstatement caused by the weakness.
There are two misconception regarding to dual purpose test:a. We often do not aware that there are two types of substantive test: (1) test of transactions and (2) test of details of balance, (+) analytical procedures. All of those tests are to detect material misstatement at the assertion level. Some of us perceive that in dual-purpose test we may perform test of transactions and/or test of details of balance.
b. In dual purpose test, the ToC and substantive test is performed in chronological order (in sequence), first perform ToC then perform substantive test.
However, if we explore some references (such as ISA, issued by IAASB), the dual purpose test is a test designed to perform a test of controls, concurrently (not in sequence) with a test of details on the same transaction. Although the purpose of a test of controls is different from the purpose of a test of details, both may be accomplished concurrently by performing a test of controls and a test of details on the same transaction. For example, the auditor may design, and evaluate the results of, a test to examine an invoice to determine whether it has been approved and to provide substantive audit evidence of a transaction. A dual-purpose test is designed and evaluated by considering each purpose of the test separately.
So, the test of controls and test of details is performed:
• Concurrently, not in sequence.
• Substantive test (test of details) is test of transaction, not test of details of balance.
• On the same transaction.