Professional Documents
Culture Documents
n
he
ng
e
internal
controls
are
far
more
effective
in
focusi
SUMMARY
The Audit Risk Model that is being used, on
a
worldwide basis, to underpin the audits of
nancial statements, is being criticised. This pap
er
offers an analysis of the model, resulting in
a
proposal for restructuring the audit process.
The model has been codied in Internation
al
Standard on Auditing (ISA) 400. It is essenti
ally
based on the idea that an auditors detection ri
sk
is inuenced by inherent risk and control ri
sk.
The latter risks are incurred by the audi
tee,
whereas detection risk applies to the auditor onl
y.
Inherent risk is largely determined by the activit
ies
control.
To that end, internal control is reviewed for the
three stages of preparation of nancial statements:
A. Occurrence of events and their rst recording
in the accounting system.
B. Data processing, resulting in a routine product, the trial balance.
C. Adjusting the trial balance in order to arrive
at the nal balance sheet and income
statement.
At stage C there is hardly any internal control in
the traditional sense.
ISSN 10906738
Blackwell Publishing Ltd 2004. Published by Blackwell Publishing, 9600 Garsington
Road, Oxford OX4 2DQ, UK and 350 Main Street, Malden, MA 02148, USA.
186
J. H. Blokdijk
hat
INTRODUCTION
International regulations on auditing have b
een
based on the so-called Audit Risk Model, witn
ess
the International Standard on Auditing 400
(ISA
400), issued by the International Federa
tion of
Accountants (IFAC).
As the International Standards on Auditing h
ave
been accepted by a large number of accou
ntancy
bodies in numerous countries, the major
ity of
audits of large companies nancial state
ments
are being performed conforming with the
International Standards on Auditing (ISAs).
Consequently, these audits are based on the A
udit
Risk Model.
In recent times, the Audit Risk Model
has
come under severe criticism, especially fro
m the
Securities and Exchange Commission (SE
C) of
the United States. On October 7, 1999, the
187
188
J. H. Blokdijk
correctly.
Stage C is the non-routine part of the preparation
of nancial statements. It mainly involves the
application of subjective judgments, such as the
determination of provisions, and other non-routine
operations, such as the determination of obligations resulting from pension plans, share option
plans and the like, and of income tax. This stage is
crucial in the preparation of nancial statements:
management normally exercises direct inuence
on this stage of the accounting process. Its
decisions may be scrutinized by a board of
directors and/or an audit committee, but the
auditor cannot conne him/herself to reading the
minutes of their meetings and ascertaining that
managements decisions have been reviewed,
which would be a test of control. The auditor
should form his/her own judgment as to the
acceptability of these, normally crucial, decisions.
Consequently, the audit in stage C should be
performed by applying substantive procedures. As
the number of accounting adjustments in stage C
is normally very small compared to the number of
accounting entries in stages A and B, this is not a
large problem in practice.
So, the issue is conned to stages A and B. These
stages differ in nature, so they merit separate
189
190
J. H. Blokdijk
191
192
J. H. Blokdijk
Inspection of documents supporting transactions and other events to gain audit evidence
that internal controls have been operated
properly,
for
example,
verifying
that
a
transaction has been authorized.
Inquiries about, and observation of, internal
controls which leave no audit trail, for example,
determining who actually performs each
function, not merely who is supposed to perform it.
Reperformance
of
internal
controls,
for
example, reconciliation of bank accounts, to
ensure they were correctly performed by the
entity.
From the wording in paragraph 30 it is obvious
that this list is not meant to be all-inclusive: other
effective tests are allowed. But in a number of US
auditing textbooks I have not found any other
types of tests of control, which leads me to suspect
that in practice, tests of control are limited to those
mentioned above.
Tests of control by inspection of documents
consist of inspecting the audit trail of internal
controls performed. If the internal controls cannot
be reperformed by the auditor, the audit trail
means that the controls seem to have been
193
parameters
is
dubious;
substantive
procedures are more effective, or at least more
efcient.
5. Tests
on
access
control
and
on
nonDISCUSSION AND CONCLUSION
reproducible internal controls embedded in
computer
information
systems
may
be
In the preceding sections the following conclusio
effective if they are used to select items to be
ns
subjected to substantive tests.
have been drawn:
6. Tests of control on input of data are not
1. Tests of control might be effective to
efcient; top-down substantive procedures
determine the existence of a system, bu
are both more effective and more efcient.
t a
The overall conclusion is, that separate tests of
walk-through test is more efcient.
control do not make much sense; if useful, their use
2. Tests of control on events and their lies in focusing substantive tests rather than in
rst
assessing internal control risk.
recording (stageA) consist mainly in
As to tests of control, the Audit Risk Model does
determining the quality of evidence to be us not t reality as confronted by auditors in auditing
ed
nancial statements. In order to serve as the basis
in substantive tests.
for regulation, it should be thoroughly revised.
3. Non-reproducible internal controls on even
ts
and their rst recording do not merit a role i A proposal for restructuring the
audit process
n
quantitative risk analysis, as a lack of s On the basis of these ndings, I propose:
uch
to abolish tests of control as an element of audit
controls cannot be compensated by the
risk analysis; and
auditors work.
to introduce a new stage in the audit process,
4. The effectiveness
of
tests
of
that comprises both certain system-oriented
control
on
and data-oriented procedures that serve to
program changes and on the setting of
focus substantive tests of details on items with
relevant characteristics.
In my view, the audit would consist of the
following main stages:
1. acquiring
knowledge
of
the
business
(including the design and the existence of the
accounting system and of internal control),
and risk analysis;
2. applying those analytical procedures that
serve to assist the auditor in planning the
nature, timing, and extent of other audit
procedures (ISA 520, paragraph 7 (a));
3. performing tracing procedures as indicated
above, as the basis for selective substantive
procedures;
4. applying substantive procedures, including
those analytical procedures that are more
effective or efcient than substantive tests of
details (ISA 520, paragraph 7 (b)); and
5. deciding on the audit opinion: overall review
(ISA 520, paragraph 7 (c)), and reporting.
In risk analysis, the assessment of control risk
should only be based on the design and the
existence of internal controls. The operation of
Blackwell Publishing Ltd 2004
194
J. H. Blokdijk
REFERENCES
Blokdijk, J. H., Drienhuizen, F. & Wallage, Ph. (1995),
Reections on Auditing Theory, a Contribution from the
Netherlands. Deventer: Kluwer.