Practical application of SAS 55. (statement of auditing standards) by Johnson, Raymond N.
SAS 55, The Auditor's Consideration of Internal Control Structure in the Financial Statement Audit, was the most complicated of the nine "expectation gap" SASs issued in 1988. Many auditors have asked: "How do I apply this standard in my practice?" "What am I required to understand about my client's internal control structure?" "How will documentation requirements change?" With this in mind, the Auditing Standards Board delayed the SAS's effective date to audits of financial statements for periods beginning on or after January 1, 1990. During 1989, a task force developed an audit guide (Guide) to provide answers to these and other questions about applying SAS 55. The Guide is scheduled to be issued this month.
In applying SAS 55 and the Guide, it is important that the reader have an understanding of other authoritative literature such as SAS 31, Evidential Matter, and SAS 47, Audit Risk and Materiality in Conducting the Audit. Some of the terms and phraseology in these documents may still be somewhat unfamiliar and require further study. To facilitate the auditor's understanding of these matters, Appendix A to the Guide explains the key aspects of these standards.
For example, SAS 47 defines the terms "audit risk" and "control risk." The concept of control risk is used throughout SAS 55 and the Guide. In another example, SAS 31 presents "assertions" (e.g., completeness, existence, or occurrence) as representations of management that are embodied in financial statement components. SAS 55 builds on this concept and says that the auditor should assess control risk in terms of assertions. Glossaries of selected terms and concepts are published as appendices to both SAS 55 and the Guide.
ORGANIZATION OF THE
Figure 1 presents a road map to the Guide. A key feature of the Guide is the recognition of two different preliminary audit strategies. The concept is to choose the strategy that is likely to result in the more efficient audit. The objective of both strategies is to conclude that the risk of material misstatement in the financial statements, i.e., overall audit risk, is at an appropriately low level. Assessing control risk below the maximum is of importance if by so doing the overall audit will be performed more efficiently.
A primarily substantive approach. This strategy recognizes that for the audit of many assertions, especially in smaller business entities, it is not efficient to plan to perform tests of controls. Therefore, the auditor anticipates designing audit procedures with a control risk assessment at or slightly below the maximum. A sufficient understanding of the internal control structure for this strategy is not as extensive as might be needed when the auditor plans to support a lower assessed level of control risk. It centers on considering the design of control structure policies and procedures and whether they have been placed in operation. It is important to note that the resulting understanding of the control structure must be documented in the workpapers.
As explained later in this article, even though the primarily substantive approach has been planned, the auditor usually does not ignore evidence about operating effectiveness that may have been obtained while gaining an understanding of the internal control structure. The evidence may be sufficient to enable the auditor in planning specific audit procedures to assess control risk at less than the maximum. The result will be an even more efficient audit.
A lower assessed level of control risk. For other assertions it may be efficient to plan tests of controls so that the assessment of control risk could be at a lower level than that which would be used in a primarily substantive approach. Often, this strategy involves obtaining a greater understanding of control procedures. In addition to documenting the understanding of the control structure, it would always require performing sufficient tests of controls to support a lower assessment of control risk. The auditor should also consider whether the results of tests of controls support the lower assessment of control risk.
The flowchart in the Guide (Figure 1) is different from the one presented as an appendix to SAS 55. It is intended to be more practical and easier to use. The primary difference is that the Guide focuses on only two possible audit strategies, the two that are the subject of this article. The Guide also provides general guidance on how the results of tests of controls may affect the design of substantive tests.
The Guide illustrates many key concepts through three example companies. It also illustrates an assortment of methods to document the understanding of various internal control structures, and tests of controls. All the examples focus on the sales cycle to illustrate how audit procedures might vary as similar systems become more complex.
* Ownco Inc. The first company is a small owner-managed business. The audit strategy for many assertions uses a primarily substantive approach. The accounting systems are micro-computer based, and operated by a single bookkeeper with oversight of the owner/manager.
* Young Fashions, Inc. The second example represents a growing non-public company with multiple locations. The audit strategy for many assertions is also a primarily substantive approach. The accounting systems for this multi-computer company are processed on a mini-computer system where the system has not kept pace with growth of the company.
* Vinco, Inc. This example is a large public company, with multiple locations and accounting systems processed on a mainframe computer. The control system incorporates many programmed control procedures, and computer general control procedures are strong. In this example, the auditor plans a lower assessed level of control risk for most assertions.
WHY UNDERSTAND THE
Many auditors have asked: "Why is it necessary to understand an entity's control environment, accounting system, and control procedures?" The Guide answers this question in that the auditor uses this understanding to:
* Identify types of potential misstatements;
* Consider factors that affect the risk of material misstatement; and
* Design substantive tests.
For example, many elements of the control environment have been shown to be related to the risk of material misstatements in the financial statements. Many auditors believe that there is a significant relationship between management's philosophy and operating style and the risk of misstatements in accounting estimates. Effective management control methods can often prevent or detect misstatements in certain assertions. Issues such as an entity's policies for hiring and training personnel may be related to the risk of routine processing errors in an accounting system.
The auditor's understanding of the accounting system has always been the cornerstone for developing effective audit procedures. For example, knowledge about whether source documents are pre-numbered and accounted for provides information about the risk of material misstatement in the completeness assertion. The auditor is also better able to assess the risk of material misstatement with knowledge about who has access to computer programs and data.
In order to design effective substantive tests the auditor needs to know how transactions:
* Are initiated;
* Are recorded in the accounting system;
* Are supported by documents and records; and
* Flow to the general ledger and the financial statements.
The Guide recognizes that the auditor's preliminary audit strategy for an assertion affects the extent of the understanding of control procedures that is sufficient to plan the audit. When the auditor obtains an understanding of the control environment and the accounting system, he or she is likely to obtain an understanding of some control procedures, e.g., bank reconciliation procedures, procedures to assure that all transactions are recorded, or procedures to count inventory. This understanding may be sufficient when the auditor makes a preliminary decision to follow a primarily substantive approach.
The Guide also recognizes that control procedures are often more effective in preventing or detecting misstatements than many elements of the control environment and the accounting system. As a result, the auditor understands and tests control procedures to support a lower control risk assessment.
Some commentators suggest that the Guide has an EDP bias. This may be true. However, the Guide does not focus only on large mainframe computer systems; the days when only large companies had computers are gone. Most of today's accounting systems involve significant computer processing, and many programmed control procedures are included in microcomputer accounting software. Even when the auditor plans a primarily substantive approach, it is important to understand the computer aspects of the control environment and the accounting system.
Auditors often think of computer general control procedures when they consider the control environment. However, many aspects of general controls relate more to control procedures than to management's attitude, awareness and actions concerning the control environment. Computer aspects of the control environment relate more to management's involvement in setting policy for ensuring the accuracy of programs and data. For example, in a small business the auditor might consider management's involvement in:
* Choosing purchased software;
* Oversight of installation of programs; and
* Oversight of access to programs and data.
It is also important for the auditor to understand computerized aspects of the accounting system. For example, the auditor might need to understand:
* How transactions are converted to machine-readable information;
* How computer files are accessed and updated;
* The nature of computer processing involved from initiation of a transaction to its inclusion in the general ledger; and
* Computer involvement in the financial reporting process.
Consider, for example, the following two revenue systems. In the first system, sales are approved by an owner/manager. Sales orders and shipping documents are written manually. The company's microcomputer system requires the bookkeeper to input customer information, stock number, quantities shipped, and prices for each transaction to produce a sales invoice. In the second system, sales order information is input to the computer and the computer applies predetermined credit criteria to authorize or reject the sale. At shipping, customer and quantity information is input to generate shipping documents. This information is stored on a transaction file and is used to generate a sales invoice after accessing a master price file.
Each system accomplishes the same end--a recorded sale. Each system also has different risks of material misstatement. In the first system, misstatements may result from input errors on a transaction by transaction basis. In the second system, an error that occurs when modifying criteria for authorizing sales or prices on a master price file will systematically affect many transactions. Each system allows different access to programs and data. The first system is largely microcomputer based with primary access by the bookkeeper. The second delegates responsibility for input of data for sales orders, shipping reports, and price changes to different personnel.
If the auditor plans a primarily substantive approach, it may not be necessary to understand computer general control procedures or programmed control procedures. The auditor usually obtains this understanding when the effective design and operation of those procedures are relevant to a lower control risk assessment.
DOCUMENTATION OF THE
SAS 55 differs from previous guidance by requiring the auditor to document his or her understanding of the internal control structure. A primary objective of the Guide is to provide practitioners with practical examples of how to meet the documentation requirements. This documentation should show that the auditor acquired a sufficient understanding to plan the audit. However, an auditor is not required to document the procedures performed to obtain this understanding.
This understanding of an entity's internal control structure may be documented using any of the following forms:
* Decision tables; or
* Other forms that the auditor may choose.
The examples in the Guide for Ownco, Inc. (owner-managed) include:
* A one-page narrative to document the understanding of the control environment;
* A simple flowchart to document the understanding of the shipping and billing functions; and
* Narratives to document the understanding of cash receipts, sales returns and adjustments.
Throughout the examples in the Guide, alternative documentation styles are used to illustrate options for the auditor. Auditors of any size business, for example, might find the control environment questionnaire that was used for Vinco, Inc. useful. Portions of that questionnaire are presented in this article as Figure 2.
The documentation of the understanding of the internal control structure is permanent file material that the auditor reviews and updates annually. The task force believed this was the most efficient way to meet the documentation requirements of SAS 55.
TESTS OF CONTROLS
Assessing control risk at the maximum. Control risk should be assessed at the maximum for some or all assertions if:
* Policies and procedures are unlikely to pertain to an assertion;
* Policies and procedures are unlikely to be effective;
* It would not be efficient for the auditor to obtain evidential matter to evaluate their effectiveness; or
* Evidence does not support a conclusion about the effective design and operation of policies and procedures.
If control risk is assessed at the maximum for some assertions, there is no reduction in the level of assurance needed from substantive tests with respect to that assertion. The auditor should also recognize that policies or procedures that are ineffective might raise concerns about auditability or other concerns. If the auditor is able to overcome auditability concerns, he or she may respond by:
* Heightening the degree of professional skepticism;
* Assigning a more experienced staff; or
* Changing the nature, timing and extent of substantive procedures.
Assessing control risk below the maximum. Assessing control risk below the maximum involves:
* Identifying specific internal control structure policies and procedures that are likely to prevent or detect material misstatements; and
* Performing tests of controls to evaluate the effectiveness of such policies and procedures.
Tests of controls may include procedures performed to obtain the required understanding of the internal control structure.
Tests of Controls When the Auditor Plans a Primarily
Tests of controls ordinarily include:
* Inquiries of appropriate entity personnel;
* Inspection of documents and reports;
* Observation of the application of specific policies and procedures; and
* Re-performance of the application of the policy or procedures by the auditor.
The first three of these types of tests may be performed when the auditor is obtaining the required understanding. Even if such work was not planned to test controls, it may provide evidence about the effective design and operation of control policies and procedures, and thus, serve as a test of controls. What has happened is that in performing the basic requirement of obtaining an understanding of the internal control structure, the auditor has also performed some tests of controls. The auditor should take advantage of this evidence and use it to reduce substantive tests. This is done by assessing control risk at less than the maximum based on the evidence obtained.
The Guide presents several examples of this audit strategy. This is the primary strategy for all assertions for the audit of sales and receivables of Ownco, Inc. In the example, the auditor determined that Ownco's owner/manager demonstrated a conservative attitude toward business risks. The auditor determined this through prior experience with the entity, inquiry of the owner/manager, and inspection of documentation of business decisions during the year. Through inquiry, observation, and walking selected transactions through the system, the auditor determined that the owner/manager approved sales and reviewed receivables listings on a regular basis. Based on these procedures the auditor assessed control risk at slightly below the maximum for the existence assertion.
Several cautions tempered this risk assessment. The auditor considered that:
* Evidence from prior audits may be affected by subsequent changes in the internal control structure;
* Evidence from inquiry depends on the extent of the inquiries;
* Inquiry alone generally will not provide sufficient evidential matter to support a conclusion about the effectiveness of a specific policy or procedure;
* Observation of employees may corroborate evidence obtained from other sources, but pertains only to the point in time when the observation was made; and
* Evidence from inspection of documents depends on the extensiveness of inspections made.
In the Ownco, Inc. example, the auditor assessed control risk at only slightly below the maximum because the procedures performed to obtain the understanding were not extensive and related to a period of only one week.
The Guide goes further to point out that the auditor's conclusions about the assessed level of control risk might change if the auditor performed additional tests of controls. For Ownco, Inc. significant owner/manager controls are present. The auditor might be able to assess control risk at a moderate level if he or she:
* Performed more extensive inquiries and observations while maintaining close contact with the client throughout the year; and
* Examined additional specific receivable listings with notations of the owner/manager's review.
These additional procedures might be performed if the effort to perform them would be more than offset by the time saved from performing substantive procedures using an assessed moderate level of control risk.
Many auditors maintain regular contact with clients throughout the year. If a client has an effective control structure for certain assertions, the auditor may be able to obtain evidence to support a moderate control risk assessment without significant additional effort.
Tests of Controls When the Auditor Plans a Low Control
For some assertions the auditor may plan to assess control risk at a low level. The auditor usually weighs the increase in audit effort associated with planned tests of controls against the resulting decrease in audit effort associated with:
* Changing the nature of substantive tests from a more effective to a less effective procedure, such as using tests directed toward parties or documentation within the entity rather than tests directed toward independent parties outside the entity;
* Changing the timing of substantive tests, such as performing them at an interim date rather than at year end; or
* Changing the extent of substantive tests, such as using a smaller sample size.
Some control procedures often have a specific effect on an individual assertion. As a result, they are more effective than some elements of the control environment or accounting system in preventing or detecting material misstatements.
Testing user control procedures. In some situations, the client may have user control procedures that independently check the completeness and accuracy of computer output against source documents or other input. For example, entity personnel may independently check sales invoices to assure billings are correct. The auditor may choose to test the consistent application of this procedure to support a low control risk assessment.
Testing computer general controls and manual follow-up procedures. User control procedures are not present in many small businesses. In addition, many larger entities now rely more on programmed control procedures than on user control procedures. Today, many programmed control procedures rely on the effective operation of both the computer program in listing exceptions for follow-up and on the manual follow-up of such exceptions. The Guide suggests a strategy that involves tests of the effectiveness of computer general control procedures and manual follow-up procedures. These tests may provide evidential matter sufficient to support a low control risk assessment.
Computer general control procedures are policies or procedures that affect many applications and often pertain to:
* The development of new programs and systems;
* Changes to existing programs and systems;
* Computer operations; and
* Access to programs and data.
If computer general control procedures operate effectively, there is greater assurance that programmed control procedures are properly designed and function consistently throughout the period.
Under this strategy, the degree to which the auditor may need to directly test programmed control procedures depends on the effectiveness of controls over the development of and changes to such procedures. While testing general controls the auditor may obtain sufficient evidence about the design and operating effectiveness of programmed procedures so that he or she need only test the related effectiveness of manual follow-up in order to assess control risk as low.
DOCUMENTATION OF TESTS
The auditor's documentation of the assessed level of control risk depends on whether control risk is assessed at the maximum or below the maximum. For assertions where control risk is assessed at the maximum, the auditor need only document that it is at the maximum.
For assertions where control risk is assessed below the maximum, the auditor should document:
* The tests of controls; and
* Their results.
For Ownco, Inc. the Guide demonstrates a style of documentation in which the auditor has a workpaper that summarizes all audit areas where control risk has been assessed below the maximum. For sales and accounts receivable, a two-page memo summarizes how procedures performed to obtain the understanding provided evidence about the operating effectiveness of certain policies and procedures. It also describes the policies and procedures that allowed for a control risk assessment that is below the maximum.
HOW DOES THE CONTROL RISK ASSESSMENT AFFECT
Many auditors have asked: "If control risk is assessed below the maximum, what are the specific ways that my other audit procedures can be modified?" The question must be answered within the framework of the audit risk model. That model says that the auditor's decisions about substantive tests of details depend on the auditor's assessment of:
* The assessed level of inherent risk for the assertion;
* The assessed level of control risk for the assertion; and
* The effectiveness of analytical procedures performed as substantive tests.
Figure 3 shows, in qualitative terms, how an auditor might relate his or her assessment of inherent risk and control risk to judgments about the appropriate level of detection risk for various combinations of substantive analytic procedures and tests of details.
For example, an auditor may assess inherent risk at the maximum for the existence assertion for inventories. Tests of details of the existence of inventory must be performed at low detection risk levels to reduce the risk of material misstatement to an appropriate level if:
* Control risk is assessed at the maximum; and
* No analytical procedures are performed.
By low detection risk it is meant that the risk of the substantive audit procedure not detecting the misstatement must be at a low level.
On the other hand, procedures performed to obtain the understanding of the internal control structure may provide sufficient evidence to support a control risk assessment of slightly below the maximum. As a result, the auditor might reduce the extent of test count procedures. The auditor might also consider modification of the timing of test counts depending on the effectiveness of analytical procedures.
Business is no longer as usual. The transition to SAS 55 will require practice units to set guidelines on how to convert and modify existing practices to meet the new standards. The language is different. Documentation requirements are different.
The Guide provides practical guidance on how to apply the audit judgments introduced by SAS 55. For three companies of various sizes, extensive examples are provided of:
* The required understanding of the internal control structure;
* Forms of documentation of the understanding;
* Strategies for tests of controls;
* Documentation of tests of controls; and
* Examples of how the auditor's control risk assessment may affect the nature, timing, and extent of substantive tests.
The end result will be different. Hopefully more thoughtful audits will be both more efficient and more effective. This Guide is an important starting point in putting SAS 55 into action. Mastery will come by taking the guidance and developing firm policies and procedures to implement it in specific audit situations as soon as possible.
Raymond N. Johnson, PhD, CPA, is a Professor of Accounting, and Chairman of the Accounting Department at Portland State University, Portland, OR. He was a member of the task force that developed the audit guide for SAS 55, and was responsible for drafting major portions of the guide. Dr. Johnson is a member of the AICPA and is a member of the Board of Directors of the Oregon Society of CPAs.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs.