SEC & PCAOB > PCAOB > Auditing Standard No. 2 > Identifying Controls to Test
PCAOB Release 2004-001
March 9, 2004
83. Identifying Controls to Test. The auditor should obtain evidence about the effectiveness of controls (either by performing tests of controls himself or herself, or by using the work of others)14/ for all relevant assertions related to all significant accounts and disclosures in the financial statements. After identifying significant accounts, relevant assertions, and significant processes, the auditor should evaluate the following to identify the controls to be tested:
• Points at which errors or fraud could occur;
• The nature of the controls implemented by management;
• The significance of each control in achieving the objectives of the control criteria and whether more than one control achieves a particular objective or whether more than one control is necessary to achieve a particular
• The risk that the controls might not be operating effectively. Factors that affect whether the control might not be operating effectively include the
– Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating
– Whether there have been changes in the design of controls;
– The degree to which the control relies on the effectiveness of other controls (for example, the control environment or information technology general controls);
– Whether there have been changes in key personnel who perform the control or monitor its performance;
– Whether the control relies on performance by an individual or is
– The complexity of the control.
14/ See paragraphs 108 through 126 for additional direction on using the work of others.
84. The auditor should clearly link individual controls with the significant accounts and assertions to which they relate.
85. The auditor should evaluate whether to test preventive controls, detective controls, or a combination of both for individual relevant assertions related to individual significant accounts. For instance, when performing tests of preventive and detective controls, the auditor might conclude that a deficient preventive control could be compensated for by an effective detective control and, therefore, not result in a significant deficiency or material weakness. For example, a monthly reconciliation control procedure, which is a detective control, might detect an out-of-balance situation resulting from an unauthorized transaction being initiated due to an ineffective authorization procedure, which is a preventive control. When determining whether the detective control is effective, the auditor should evaluate whether the detective control is sufficient to achieve the control objective to which the preventive control relates.
Note: Because effective internal control over financial reporting often includes a combination of preventive and detective controls, the auditor ordinarily will test a combination of both.
86. The auditor should apply tests of controls to those controls that are important to achieving each control objective. It is neither necessary to test all controls nor is it necessary to test redundant controls (that is, controls that duplicate other controls that achieve the same objective and already have been tested), unless redundancy is itself a control objective, as in the case of certain computer controls.
87. Appendix B, paragraphs B1 through B17, provide additional direction to the auditor in determining which controls to test when a company has multiple locations or business units. In these circumstances, the auditor should determine significant accounts and their relevant assertions, significant processes, and major classes of transactions based on those that are relevant and significant to the consolidated financial statements. Having made those determinations in relation to the consolidated financial statements, the auditor should then apply the directions in Appendix B.