people are involved in carrying out steps in some and/or all stages of a process, including
performing control activities
•
IT systems involved in the process record the transactions and store the data used to produce
the financial statements. In addition, automated controls operate within the IT systems.
Audit & Assurance
Chartered Accountants Program
Page 4-20
Core content – Unit 4
Example – Understanding the flow of a transaction in a sales process
•
The point at which a transaction begins – a triggering event
•
Example
: A customer calls the sales department and places an order over the phone
Initiation
•
The point at which the transaction is first entered into the entity's information system
•
Example
: A sales representative keys the customer's phone order (date, customer ID,
customer name, product code, quantity, sales amount) into the sales database
•
This is the broadest phase and covers any steps that need to be taken before the transaction
can be reported in the general ledger
•
Example
: The sales database generates an 'end of day' (EOD) file containing all the sales orders
entered into the database during the day, which is uploaded to the server at 10pm each night
Recording
Processing
•
The point at which the transaction is reported in the general ledger – i.e. when the
journal entry is posted
•
Example
: The accounting system automatically records a sales journal (DR Accounts
Receivable/CR Sales) using the information in each EOD file
Reporting
The auditor may choose to perform a walk-through (discussed below) as part of obtaining an
understanding of the flow of transactions in a process.
Required reading
ISA 315 (Revised) paras 18 and 20–21 and related application paragraphs.
Obtaining an understanding of relevant process level controls
As mentioned earlier in this unit, auditors do not need to obtain an understanding of all
controls implemented by management. Their focus is on obtaining an understanding of
controls relevant to the audit. The auditor uses their professional judgement in making this
determination.
Note, however, that whenever the auditor determines that a significant risk exists, they must
evaluate the design and implementation of controls over the significant risk.
Types of process level controls
To assess which control would be most effective in addressing the identified risk, the auditor
would consider the activity performed and the type of control. Controls can be categorised in
many ways – for example, by their objective, their degree of dependence on IT and the nature of
the control.
The objective of a control relates to how the control attempts to address the risk – that is, either
by preventing, or detecting and correcting, a material misstatement.
