11-6 a. Briefly describe three strategies for testing internal controls when information technology is used for significant accounting processing.

1. Assessing control risk based on user controls.

In many cases, the client may design manual procedures to test the completeness and accuracy of transactions processed by the computer. If user controls exist, the auditor can test the controls directly, similar to testing other human controls.

2. Planning for a low control risk assessment based on application controls.

Many auditors take advantage of automated controls and plan strategies for assessing control risk at a low level based on computer application controls.

3. Planning for a high control risk assessment based on general controls and manual follow-up. An audit strategy that allows the auditor to accomplish this task based on evidence about the effectiveness of general controls and manual follow-up procedures. When the auditor tests general controls, he or she will usually learn about the effectiveness of the design and testing of application controls. In addition, the auditor may be able to make inferences about the effectiveness of application controls in identifying exceptions through inquiry of knowledgeable individuals who perform manual follow-up procedures.
.

b. Identify two strategies that might be used to support a low control risk assessment. Discuss the difference between the two strategies.

Assessing control risk based on user controls and assessing control risk at a low level based on computer application controls. The user controls are based on managers and those in user department to find and correct misstatements. The computer application controls check the complexities of the systems. The three steps that have to be performed in order to provide assurance are test the computer application controls, test computer general controls and test the manual follow-up of exceptions noted by application controls.

c. Discuss a third audit strategy that might be used to assess control risk at a high level. Explain why this strategy will not support a low control risk assessment. The AICPA Internal Control Audit Guide presents an audit strategy that allows the auditor to accomplish this task based on evidence about the effectiveness of general controls and manual follow-up procedures. When the auditor tests general controls, he or she will usually learn about the effectiveness of the design and testing of application controls. In addition, the auditor may be able to make inferences about the effectiveness of application controls in identifying exceptions through inquiry of knowledgeable individuals who perform manual follow-up procedures. When such transactions do appear on exception reports, the auditor may be able to draw an inference about the programmed control. This evidence may be sufficient to allow the auditor to assess control risk at a high level, but the auditor should test programs directly with computer-assisted audit techniques if he or she wants to assess control risk as moderate or low.

11-8 What are the advantages and disadvantages of the computer-assisted audit technique known as parallel simulation?
In parallel simulation, actual company data are reprocessed using an auditor controlled software program. Parallel simulation may be performed at different times during the year under audit, and it may also be applied to the reprocessing of the historical data. Because real data are used, the auditor can verify the transactions by tracing them to source documents and approvals. The size of the sample can be greatly expanded at relatively little additional cost. The auditor can run the test independently. If the auditor decides to use parallel simulation, care must be taken to determine that the data selected for simulations are representative of actual client transactions. It is also possible that the client’s system may perform operations that are beyond the capacity of the auditor’s