
– EXAMPLES OF CASES

Example Independent Controls:

Audit Area: accuracy of booked incoming invoices

Control Design: Controller “A” reviews all (i.e., 100% of) booked incoming invoices from location “A” to check that they are booked in the accounting system with the correct amount.
Control Objective: Accuracy
Operationally Effective? (Audit test result): YES

Control Design: Controller “B” reviews all (i.e., 100% of) booked incoming invoices from location “B” to check that they are booked in the accounting system with the correct amount.
Control Objective: Accuracy
Operationally Effective? (Audit test result): NO

Control Design: Controller “C” reviews all (i.e., 100% of) booked incoming invoices from location “C” to check that they are booked in the accounting system with the correct amount.
Control Objective: Accuracy
Operationally Effective? (Audit test result): YES

Example Compensating Controls:

Audit Area: accuracy of booked incoming invoices

Control Design: Controller “A” reviews all (i.e., 100% of) booked incoming invoices from location “A” to check that they are booked in the accounting system with the correct amount.
In addition, Controller “A” reviews half of all (i.e., 50% of) booked incoming invoices from location “C” to double check that they are booked in the accounting system with the correct amount.
Control Objective: Accuracy
Operationally Effective? (Audit test result): YES

Control Design: Controller “B” reviews all (i.e., 100% of) booked incoming invoices from location “B” to check that they are booked in the accounting system with the correct amount.
Control Objective: Accuracy
Operationally Effective? (Audit test result): NO

Control Design: Controller “C” reviews all (i.e., 100% of) booked incoming invoices from location “C” to check that they are booked in the accounting system with the correct amount.
In addition, Controller “C” reviews half of all (i.e., 50% of) booked incoming invoices from location “A” to double check that they are booked in the accounting system with the correct amount.
Control Objective: Accuracy
Operationally Effective? (Audit test result): YES

Example Substitutable Controls:

Audit Area: accuracy of booked incoming invoices

Control Design: Controller “A” reviews all (i.e., 100% of) booked incoming invoices from location “A” to check that they are booked in the accounting system with the correct amount.
In addition controller “A” reviews all (i.e., 100% of) booked incoming invoices from location “B” to double check that they are booked in the accounting system with the correct amount.
Control Objective: Accuracy
Operationally Effective? (Audit test result): YES

Control Design: Controller “B” reviews all (i.e., 100% of) booked incoming invoices from location “B” to check that they are booked in the accounting system with the correct amount.
In addition controller “B” reviews all (i.e., 100% of) booked incoming invoices from location “A” to double check that they are booked in the accounting system with the correct amount.
Control Objective: Accuracy
Operationally Effective? (Audit test result): NO

Control Design: Controller “C” reviews all (i.e., 100% of) booked incoming invoices from location “C” to check that they are booked in the accounting system with the correct amount.
Control Objective: Accuracy
Operationally Effective? (Audit test result): NO

Example Multi-Step Controls:

Audit Area: Entity-level risk management.

Entity-level risk management is a control process aiming to ensure that (1) all relevant risks are identified, and (2) all relevant risks are assessed for impact and likelihood, and (3) all relevant risks are appropriately responded to (i.e., no relevant risks are unidentified, or wrongly assessed, or lack appropriate responses).

Control Design: Controller “A” identifies all relevant risks for the entire entity (i.e., for all locations). Identified risks are documented in a “Risk Identification Report”.
Objective: Entity-Level Risk Management
Operationally Effective? (Audit test result): NO

Control Design: Controller “B” assesses the potential impact and likelihood of all risks documented in the “Risk Identification Report” (if risks are not documented in the “Risk Identification Report”, they are not included in the assessment). Assessments are documented in a “Risk Assessment Report”.
Objective: Entity-Level Risk Management
Operationally Effective? (Audit test result): NO

Control Design: Controller “C” manages an entity wide process for deciding upon appropriate responses to all risks that are documented in the “Risk Assessment Report” (if risks are not documented in the “Risk Assessment Report”, they do not receive a risk response). Risk responses are documented in a “Risk Response Report”.
Objective: Entity-Level Risk Management
Operationally Effective? (Audit test result): YES

Example Amplifying Controls:

Audit Area: accuracy of booked incoming invoices

Control Design: Controller “A” reviews all (i.e., 100% of) booked incoming invoices from location “A” to check that they are booked in the accounting system with the correct amount.
Control Objective: Accuracy
Operationally Effective? (Audit test result): NO

Control Design: Controller “B” reviews booked incoming invoices from location “B” to check that they are booked in the accounting system with the correct amount:
o Half (i.e., 50%) of the invoices from location “B” are sufficiently controlled by controller “B” alone. The other half (i.e., the other 50%) of the invoices from location “B” require an accuracy control from both controller “B” and controller “C” together (due to special issues like language and GAAP). If only one, or neither, of the controllers perform their part of the control, these invoices cannot be considered booked in the accounting system with the correct amount.
o Controller “B” performs his part of the accuracy control over the other half (i.e., 50%) of the invoices from location “B”.
Control Objective: Accuracy
Operationally Effective? (Audit test result): YES

Control Design: Controller “C” reviews all (i.e., 100% of) booked incoming invoices from location “C” to check that they are booked in the accounting system with the correct amount.
In addition, controller “C” performs his part of the accuracy control over the other half (i.e., 50%) of the invoices from location “B”.
Control Objective: Accuracy
Operationally Effective? (Audit test result): YES

Below each of the 40 cases, the following text occurred:

Control risk is roughly defined as the risk of error after the company has performed controls. Inherent risk has been fixed at 100%, and should not impact your control risk judgment.

(Please note that 100% is maximum risk of error and 0% is minimum risk of error)

Control risk in the audit area is assessed to be: _______________________ %

Please assess the audit test results again: Does the client (i.e., all locations) have sufficient operationally effective controls for the given audit area?

YES NO