ACCT 3203 · Internal Controls · Testing and Evaluation

Led by Dorothy Rigour Simulacrum

1. Module 3 ○ Open

   Internal Controls · Testing and Evaluation

   Led by Dorothy Rigour Simulacrum

   The question

   Internal controls — what they are, how the auditor evaluates them, and how the operating-effectiveness test actually works in practice. The module covers the COSO framework, the difference between entity-level and process-level controls, the design and operation of the typical revenue-cycle controls, IT general controls and application controls, the audit's choice between a controls-reliant and substantive approach, and the test-of-controls procedures with appropriate sample sizes. The classification of deficiencies as control deficiency, significant deficiency, or material weakness closes the module.

   Outcome

   The student can identify key controls in a typical revenue process; design tests of operating effectiveness with appropriate sample sizes; classify a control deficiency as deficiency, significant deficiency, or material weakness; and articulate the implications of an ineffective ITGC environment for the audit approach. (Internal controls and testing)

   Begin the course → Mark module complete Print certificate of completion

   Practice scenarios

   Halberd's Revenue Process Controls

   You evaluate the controls in Halberd plc's revenue process and design the test-of-controls audit programme to support a controls-reliant approach. The work tests whether you can map controls to assertions, design appropriate sample sizes, identify the IT general control dependency, and resolve the question of how far to rely on internal audit's parallel work.

   Your goals

   • Identify the assertion-control mapping: occurrence (controls 3, 4); accuracy (controls 1, 2, ERP application controls); completeness (control 4 dispatch documentation, monthly bank rec); cut-off (year-end ERP cut-off procedure).
   • Design tests of operating effectiveness for the five controls. For control 1 (sales-manager approval >£10k): sample 40 orders over £10k from the year, inspect approval evidence (electronic sign-off in ERP). For control 3 (credit check): sample 30 new customer accounts, inspect credit-check documentation. For control 5 (bank rec): inspect 12 months' bank rec sign-offs and review reconciling items.
   • Identify the ITGC dependency: all controls rely on the ERP's access management (segregation between order entry and dispatch enforced in the system); change management (the price master file is locked; changes traceable in audit log); and the ERP's automated invoicing function. ITGC must be tested first.
   • Frame the test-of-controls audit programme: 40 hours of audit work for the five controls plus 60 hours for ITGC (total 100 hours) replacing what would otherwise be ~250 hours of substantive testing.
   • Identify the deficiency that emerged in walkthrough: the sales-manager's approval can be bypassed if the order is split into multiple sub-£10k orders; recommend management remediation.
   • Frame the conclusion as a 1,000-word controls-testing memo for the audit file.

   Practise this scenario →