Document Controls

Performance Support — Document Controls
Document At a Glance
• Document Business Processes and Relevant Direct Controls addressing ROMMs
• Document IT Elements and relevant General IT Controls addressing RAITs
• Document other Components of Internal Control and relevant Indirect Controls
• Use the Risk Strategy View effectively for controls-related work
• Document control-related Findings
• Use Dashboards, EMS Links, File Checks and Permissions to help manage control related work
Related EMS Help Topics
• Contents Tab > Risks > Control
• Contents Tab > Risks > General IT Control
• Contents Tab > Findings and Observations
Where do I document Internal Controls in EMS?
There are 3 types of controls in the audit approach (Direct Controls, General IT Controls, and
Other Indirect Controls):
Direct Controls:
1. Using the Business Process Leadsheet View and the “Understand internal control”
subphase (12200) / business process subphases, as needed, document the understanding
of the entity’s Business Processes relevant to the audit.
2. Identify relevant controls that directly address Risks of Material Misstatement (ROMMs),
associating the controls to the ROMMs and the ROMMs to the Business Processes.
3. Using the ROMM Risk Strategy View (RSV), add and perform procedure(s) to evaluate
the design and implementation (D&I) of each control.
4. For each ROMM, determine whether to rely on the operating effectiveness (OE) of
associated controls, documenting those decisions on the ROMM and the control(s).
5. Using the ROMM RSV, design and perform the OE procedures.
6. Document any findings, cross referenced to the control and associated to the relevant
Business Process and ABCOTD.
See the ‘Direct Controls’ sections below for details.
© 2016 For information, contact Deloitte Touche Tohmatsu Limited.
General IT Controls:
1. Using the IT Element Leadsheet View, document the understanding of the entity’s IT
Elements relevant to the audit.
2. Identify relevant General IT Controls (GITCs) that address Risks Arising from IT
(RAITs), associating the GITCs to the RAITs and the RAITs to the IT Elements.
3. Using the RAIT RSV, add and perform procedure(s) to evaluate the design and
implementation (D&I) of each GITC.
4. For each RAIT, determine whether to rely on the operating effectiveness (OE) of
associated GITCs, documenting those decisions on the RAIT and the GITC(s).
5. Using the RAIT RSV, design and perform the OE procedures.
6. Document any Findings, cross referenced to the GITC and associated to the IT Element.
See the ‘General IT Controls’ sections below for details.
Other Indirect Controls:
1. Using the Process View, document the understanding of the components of internal
control not covered above using the “Understand internal control” subphase (12200).
2. Identify relevant controls that do not directly address Risks of Material Misstatement
(i.e., indirect controls).
o The functionality to include indirect controls in the EMS database has not been
designed. Therefore, these controls are documented in working papers.
3. In the working paper(s), evaluate the design and implementation of the relevant indirect
controls.
4. Indirect controls are not typically tested for operating effectiveness, except in PCAOB
integrated audits, where OE testing is required. If applicable, design and perform OE
procedures in working papers.
5. Document any Findings, cross referenced to the relevant working paper and associated to
the “Understand internal control” subphase (12200).
See the ‘Indirect Controls’ sections that follow for details.
DIRECT CONTROLS
How do I document an understanding of the Business Process?
The auditing standards require that we obtain an understanding of every business process
relevant to financial reporting. Use the Business Process functionality to organize the
documentation of each relevant business process.
Document each Business Process Detail View as follows:
Business Process Detail View
1. Use the Description field for a short narrative. As a less-preferred alternative, use a cross referenced working paper for extensive, detailed narratives.
2. The Library Item will be selected when creating the Business Process.
3. Create sub-processes as necessary to subdivide complex processes.
4. Associate the business process with the ABCOTDs that result from the process.
5. Associate the business process with the IT Elements involved in the process.
6. Associate the business process to any ROMMs.
7. Associate the business process to any Findings.
8. Cross reference into the process flow diagram.
9. Add any tags that provide useful filtering capabilities.
10. Use tickmarks for additional text documentation, as needed.
11. Use signoff to record who prepared the documentation and when, and who reviewed it and when.
12. Assign the Business Process to engagement team members who will obtain the understanding, and their reviewers.
Insert the ‘understand the business process’ procedure from the Procedure Library:
Insert Procedure from Library
Also, consider procedures included in the ‘Understand internal control’ subphase (12200) as
necessary, as the procedures in the Business Process subphases are only a small subset of the
procedures that are available in the 12200 subphase.
Customize the library procedure to the specific process and activities necessary to obtain understanding:
Procedure Detail View
1. Start with the Library procedure in order to have access to guidance, links to tools, and templates.
2. Customize to the specifics of the engagement.
3. Use a meaningful Procedure Reference.
4. This is a risk assessment procedure, so select ‘Other’ as the Procedure Type.
5. Indicate if IPE is used as audit evidence.
6. Add any tags that provide useful filtering capabilities.
7. As a result of creating the procedure from the Business Process Detail View, it will automatically be associated with the Business Process.
8. Cross reference to the working paper, such as a process flow diagram.
9. Use tickmarks for additional text documentation, as needed.
10. Use signoff to record who prepared the documentation and when.
11. Assign the procedure to the person who will perform it.
Document the understanding of the business process using the ‘Description’ field of the Business
Process combined with the Excel-based process flow diagram. As a starting point, insert an
Excel-based Illustrative Business Process Flowchart, which can be accessed via links within the
business process procedure guidance. Change it to reflect the specifics of the engagement.
Cross reference the Risks of Material Misstatement, relevant Controls, IT Elements, ABCOTDs,
and IPE to the appropriate places within the process.
Process Flow Diagram
1. Unless the entity provides the engagement team with the diagram, start with an Illustrative
Business Process Flowchart, accessed via links within business process procedure guidance.
2. The entity may use this document for the starting point of their documentation.
3. Use the Excel version in order to allow for cross references.
4. Cross reference ROMMs, Controls, IT Elements, ABCOTDs, Findings, and IPE.
Use the Business Process Leadsheet View to see a summary of Business Processes and related
information. The leadsheet view displays the Business Processes and sub-processes, with
columns containing information about each Business Process. By default, that is a count of, and
link to, the:
1. associated Significant ROMMs (click to navigate to the filtered RSV)
2. Total associated ROMMs (click to navigate to the filtered RSV)
3. associated Findings (click to navigate to the filtered Findings and Observations Summary
View)
4. attached tickmarks (click to open the Business Process Detail View, and then the
tickmark)
5. cross referenced documents (click to navigate to the Working Paper)
As needed, additional columns can be added to display:
6. A count of, and link to, Procedures associated to the Business Process
7. The Business Process Description
8. Associated ABCOTDs
9. Associated IT Elements
10. Preparer and Reviewer Assignments
11. Preparer and Reviewer Signoff
12. Review Notes
13. Library Item and Category
14. Whether the Business Process is marked as a ‘Favorite’
Most of the columns support filters. Open the filter panel by clicking the filter icon in the upper
right corner.
How do I document the understanding of the Relevant Control?
As you obtain an understanding of the business process, identify the entity’s direct controls. If
they are relevant to the audit, add them to EMS, associated to the risk(s) of material misstatement
they are intended to address.
Document the description of the control as follows:
Control Detail View
1. Use the entity’s control ID or develop one for the engagement team’s use.
2. Use the Name for a short title.
3. Use the Description to cover all the important steps of the control.
4. Record who from the entity performs the control.
5. Indicate if the control is automated.
6. Indicate if the control’s operation is dependent on information produced by the entity.
7. Record the frequency.
8. If the control is automated or IT dependent, associate to the applicable IT Element(s).
9. Associate to the ROMMs the control is meant to address.
10. Add any tags that provide useful filtering capabilities. For example, use a tag to indicate if the control is performed by a third-party service organization, or if the control is a group-wide control.
11. Cross reference to the point in the process flow diagram where the control occurs.
12. Use tickmarks for additional text documentation, as needed.
13. The Operating Effectiveness strategy fields are not part of the control description, and are covered in a later section.
Only enter relevant controls into EMS. As all relevant controls are required to be evaluated for
design, all controls entered into EMS need to have at least a design procedure associated to them.
Insert the Design Procedure from the library and customize to the specifics of the control.
Design Procedure
1. Start with the library procedure in order to have access to guidance, links to tools, and templates.
2. Customize to the specifics of the engagement.
3. Use a meaningful procedure reference.
4. Indicate this is a D&I procedure.
5. Indicate if the procedure uses IPE as audit evidence.
6. Add any tags that provide useful filtering capabilities.
7. Because the procedure was created from the control, it is automatically associated with the control.
If you are working on a PCAOB integrated or PCAOB non-integrated audit, a ‘Control Testing
Template’ is available from within the ‘Link to Tools’ tab for use in documenting details related
to the evaluation of the design and the testing of the operating effectiveness of the internal
controls.
Working Paper
Perform the work and document in the working paper, sign off on the working paper and
procedure, and enter the conclusion on the control:
Conclude on Control
1. Design Conclusion options are ‘Effective’ and ‘Not Effective’.
2. If the Control is not designed effectively, create an Internal Control Deficiency Finding, cross referenced to the Control. (See the “How do I document Control-related Findings” Section for details).
3. Sign off on the working paper, procedure, and control at the time they are completed as a natural extension of the work. Do not put it off as a separate activity.
If the control is designed effectively, auditing standards require that we determine that the
control is implemented. Insert the Implementation Procedure from the library and customize it.
Implementation Procedure
1. Start with the library procedure in order to have access to guidance, links to tools, and templates.
2. Customize the library procedure to the specifics of the engagement.
3. Use a meaningful procedure reference.
4. Indicate this is a D&I procedure.
5. Indicate if the procedure uses IPE as audit evidence.
6. Add any tags that provide useful filtering capabilities.
7. Because the procedure was created from the control, it is automatically associated with the control.
Perform the work, sign off on the procedure, and conclude on the control.
Conclude on Control
1. Implementation Conclusion options are ‘Implemented’, ‘Not Implemented’, and ‘Not Tested’ (when Design is Not Effective).
2. If the control is not implemented, create an Internal Control Deficiency Finding, cross referenced to the Control. (See the ‘How do I document control-related Findings?’ section for details).
Document Findings for any negative conclusions.
How do I document the Control Reliance Strategy for each ROMM?
There may not be a relevant control to address each ROMM. This may not be an issue if the Risk
of Material Misstatement is classified as Lower or Higher, but for significant risks, we are
required to consider whether this is a significant deficiency in internal control. If it is, create an
Internal Control Deficiency Finding, cross referenced to the ROMM. (See the ‘How do I document
Control-related Findings?’ section for details).
In a financial statement audit, unless the ROMM is one where substantive procedures alone
cannot provide sufficient appropriate audit evidence, the engagement team may decide whether
to test the operating effectiveness of controls as part of the further audit procedures to address the
ROMM. If the ROMM is one where the engagement team considers that substantive procedures
alone cannot provide sufficient appropriate audit evidence, tag the ROMM as such in order to
document the decision on the ROMM.
Risk Detail View
1. Answer the 2 Response Strategy questions.
2. The ‘Rely on Controls’ options are ‘Yes’ and ‘No’.
3. Tag the risk if substantive procedures alone do not provide adequate evidence.
Extent of Substantive Response Options
Six of the ‘Extent of Substantive Response’ options are a combination of the classification of
the risk and the decision regarding relying or not relying on controls. Make sure the answers to
these questions are consistent.
The seventh option is for situations when there is no substantive testing planned for a given
risk. Under ISA, each ROMM requires ‘further audit procedures’ which may be either or both
control and substantive testing. Only significant risks require substantive procedures. Note that
a ‘Control Reliance Alone’ approach cannot be taken for all ROMMs associated to a material
ABCOTD.
Then on the control, indicate the strategy specific to that control.
If the engagement file is based on PCAOB Integrated Audit Standards, record the evaluation of
the Risk Associated with the Control:
1. Indicate when the control was last tested for operating effectiveness.
a. If testing in the current period, enter the current year.
b. If the control was last tested more than two years prior, the use of prior audit
evidence would not be permitted under the DTTL audit approach.
2. The Operating Effectiveness Testing Strategy options are dependent on the Engagement
Standards selected when creating the engagement file. Based on the current DTTL Audit
Approach, those are:
a. ISA and VSA:
b. PCAOB Non-Integrated
c. PCAOB Integrated
3. If Testing is Not Planned, then enter ‘Not tested’ in the Operating Effectiveness
Conclusion.
4. Use a Tag to identify those controls that will be tested at interim, and those controls that
will be tested by internal audit, a service auditor, or a component auditor.
How do I document Tests of Operating Effectiveness for Direct Controls?
Insert the Test of Operating Effectiveness Procedure from the library, customize to the specifics
of the control and engagement plan, and cross reference to the appropriate point within the same
working paper, as was done for D&I procedures.
Use separate procedures for interim and rollforward if the control is to be tested at interim.
Use a separate procedure for obtaining evidence about the continuing relevance of prior audit
evidence if the strategy is to use prior audit evidence.
Operating Effectiveness Procedure
1. Start with the library procedure in order to have access to guidance, links to tools, and templates.
2. Customize the library procedure to the specifics of the engagement.
3. Use a meaningful procedure reference.
4. Indicate this is an OE procedure.
5. Indicate whether the procedure will involve the use of IPE as audit evidence.
6. Tag the procedure to identify if it is to be performed at interim, by internal audit, by a service auditor, or by a component auditor.
7. Because the procedure was created from the control, it is automatically associated with the control.
8. Cross reference to the working paper where the work is documented.
Assign the procedure. Perform the work, and sign off on the working paper & procedure.
Conclude on the control. If the conclusions are as of an interim date, update the conclusions for
any changes identified through rollforward procedures, and sign off again.
Conclude on Control
1. Options are ‘Effective’, ‘Not Effective’, and ‘Not Tested’.
2. If the control is not operating effectively, create an Internal Control Deficiency Finding, cross referenced to the Control. (See the “How do I document Control-related Findings?” section below for details).
GENERAL IT CONTROLS
GITCs are policies and procedures that relate to many applications and support the effective
functioning of application controls by helping to ensure the continued proper operation of
information systems. They apply to mainframe, client server, web-based, virtual or end-user
environments. GITCs that maintain the integrity of information and security of data are generally
implemented to address the risks arising from IT and commonly include controls over:
• Data center and network operations
• System software acquisition, change, and maintenance
• Program change
• Access security
• Application system acquisition, development, and maintenance
How do I document an understanding of IT Elements?
Refer to the IT Elements Performance Support.
How do I document an understanding of Relevant General IT Controls?
As you obtain an understanding of the IT Element, identify the entity’s General IT Controls. If
they are relevant to the audit, add them to EMS, associated to the Risk(s) Arising from IT they
are intended to address.
Documenting the description of a General IT Control is the same as documenting the description
of a Direct Control (detailed above), except that GITCs are associated to RAITs, not ROMMs.
Only enter relevant GITCs into EMS. As all relevant GITCs are required to be evaluated for
design, all GITCs entered into EMS need to have at least a design procedure associated to them.
Insert the Design Procedure from the library and customize the procedure to the specifics of the
GITC in the same manner as is illustrated for Direct Controls above.
If you are working on a PCAOB integrated or PCAOB non-integrated audit, a ‘Control Testing
Template’ is available from within the ‘Link to Tools’ tab for use in documenting details related
to the evaluation of the design and the testing of the operating effectiveness of the controls.
(Same as illustrated for Direct Controls above.)
Perform the work and document in the working paper, sign off on the working paper and
procedure, and enter the conclusion on the GITC (same as illustrated for Direct Controls above).
If the GITC is designed effectively, auditing standards require that we determine that it is
implemented. Insert the Implementation Procedure from the library and customize it. (Same as
illustrated for Direct Controls above).
Perform the work, sign off on the procedure, and conclude on the GITC. Document findings for
any negative conclusions. (Same as illustrated for Direct Controls above.)
How do I document the Control Reliance Strategy for each RAIT?
There may not be a relevant GITC for each RAIT. If this is a control deficiency, create an
Internal Control Deficiency Finding, cross referenced to the ROMM. (See the ‘How do I document
Control-related Findings?’ section for details).
In a financial statement audit, the engagement team may decide whether to test the operating
effectiveness of GITCs. Document this decision on the RAIT.
Then on the GITC, indicate the strategy specific to that control. This is the same as illustrated for
a Direct Control.
How do I document Tests of Operating Effectiveness for GITCs?
This is the same as illustrated for a Direct Control.
INDIRECT CONTROLS
An indirect control is a control which does not directly address ROMMs at the account/assertion
level, but which contributes to, or affects the effectiveness of direct controls. In PCAOB
terminology, these are also referred to as ‘indirect entity-level controls’.
How do I document an understanding of Relevant Indirect Controls in an ISA
Audit?
Follow the policies in the Understand Internal Control subphase (12200).
Use library procedures to create engagement procedures to address those requirements.
Customize the procedures to the specifics of the engagement, as appropriate.
• There is no need to include procedures that are covered by the work on Business
Processes, Direct Controls, IT Elements, and General IT Controls, documented elsewhere
in the engagement file, as described in the sections above. The procedures in the
Business Process subphases are duplicative of the procedures in the 12200 subphase;
however, there are many more procedures in the 12200 subphase that are not included in
the business process subphases and that should be considered by the engagement team.
• There is no need to include in the engagement file library procedures that do not apply to
the engagement. For example, several procedures are ‘contingent’ and include an ‘If’
statement (e.g., “If the entity has an internal audit function…”). If the situation does not
apply to your engagement, do not include the library procedure in the engagement file.
• Use the procedures in the “Evaluation of design and determination of implementation of
relevant controls” procedure group for Indirect Controls.
• The subphase may contain several procedure groups that are duplicative or that do not
apply to ‘understanding’. Do not use those procedures at this point.
How do I document Indirect Controls in a PCAOB integrated Audit?
The PCAOB Standards for integrated audits require testing of operating effectiveness at the ‘as
of’ date for all relevant controls, including those that are not intended to directly address a risk of
material misstatement, such as those in the control environment and those that monitor the
continued effectiveness of other controls.
In a PCAOB Integrated Audit, use Business Processes for the components of internal control.
Indirect entity-level controls don’t directly address risks of material misstatement at the
account/assertion level; therefore, instead of assessing the correlation of an indirect control to a
risk or assertion, we evaluate the purpose of the indirect entity-level control in the context of
how it contributes to the achievement of the applicable ‘principle’, including considering the
relevant points of focus related to the principle. The principles are defined in COSO 2013. For
example, principles in the Control Environment include:
Principle 1: The organization demonstrates a commitment to integrity and ethical values.
Principle 2: The board of directors demonstrates independence of management and exercises oversight
of the development and performance of internal control.
Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of objectives.
The ‘Principle’ is not a data entity in EMS. Further, the design of EMS is that controls need to be
associated to a ROMM and General IT Controls need to be associated to a RAIT. The
functionality to have Indirect Controls associated to a Principle has not been developed.
Therefore, do not enter Indirect Controls into the EMS database. Instead, document the
Principles, Points of Focus, Indirect Controls, Design Procedures and OE Procedures in working
papers stored in these subphases.
OTHER TOPICS
How do I use the Risk Strategy View Effectively for Controls?
The leading practice for navigation in EMS 4.0 is to start with a Leadsheet View to obtain an
understanding of a topic area (e.g., an ABCOTD or a Business Process) and to then drill down to
the associated risks for that area in the Risk Strategy View (RSV). From there, you perform the
procedures, documenting in an attached tickmark or cross referenced working paper. The RSV is
preferred over the Process View because it includes much more information necessary when
auditing internal controls. It is important to use the RSV efficiently and effectively.
There are several sub-views. The most useful is the Risk Overview, as all the possible columns
can be added to the view. Get familiar with the available columns, then customize the view to
only include those that you find useful.
The columns available are:
Risk Details
Control Details
Procedure Details
1. ‘Selected Items’ are the ABCOTDs, Business Processes, or other items you selected in the Lower Left Navigation Pane.
2. If in the Lower Left Navigation Pane you selected an ABCOTD, the ‘Assertions on Selected Items’ column would display the assertions of an ABCOTD to which a displayed ROMM is associated.
3. ‘Other Items Associated to Risk’ – for example, if you selected the Accrued Interest account in the Lower Left Navigation Pane, a risk associated to that ABCOTD would appear in the RSV. That risk may also be associated to another account (e.g., Interest Expenses) and a Business Process (Debt Interest). Those other items would appear in this column.
4. If the risk is a Financial Statement Level Risk, it will be noted as such in this column.
5. Some columns are mandatory: Selected Items, Risk Title, Control, Procedure text.
6. Risk Access, Control Access, and Procedure Access indicate whether those items are subject to ‘Full Access’ or ‘Read-Only Access’.
7. Tags create additional columns that should be added to the view (they are not included by default). They are identified with ‘(Tag)’ at the end of the name.
How do I document Control-related Findings?
Deficiencies in internal controls may occur because:
1. There is no relevant control when one is necessary.
2. The relevant control is not designed effectively.
3. The relevant control is not implemented as designed.
4. The relevant control is not operating effectively.
In all cases, create a ‘Deficiencies in internal control’ finding. Use the finding to document all of
the subsequent analysis and decisions.
Deficiency
If the Finding is evaluated to be a significant deficiency, there is a separate category for
‘Significant deficiencies in internal control’.
Significant Deficiency
If in evaluating the deficiency, the engagement team identifies an alternate relevant control, add
that control to EMS, and complete all of the same actions as for the original control.
EMS prompts you to create a finding when you save a control with a negative conclusion.
Doing so creates an automatic cross reference between the control and the related finding.
As you are evaluating deficiencies in internal control, assess whether individual deficiencies in
the aggregate result in a significant deficiency.
If so, add another finding to EMS categorized as ‘Significant deficiencies in internal control.’
Cross reference this significant deficiency with the underlying deficiencies.
Use Subphase 30600, External communications, to document the evaluation and communication
of the identified control deficiencies.
What other functionality may be useful when working with Controls?
Use the ABCOTDs, Business Processes, Components, Other Audit Programs, and Other Phases
Overview Dashboard to obtain an overview of the OE Testing Strategy and the three
Conclusions for one or more selected subphases.
Use the IT Element Overview Dashboard to see the same information about GITCs for one or
more selected IT Elements.
Use the ‘Engagement Status’ and ‘Phase Status’ Dashboards to obtain the sign off status on
Controls, GITCs, and Control Procedures.
Use EMS Links to report information about Business Processes, Controls, IT Elements, GITCs,
Procedures Associated to Controls/GITCs, and Control Findings in Word and Excel working
papers. See the EMS Links Performance Support for details.
Use File Check to identify potentially incomplete or inaccurate documentation about Controls
and GITCs:
Use Permissions to restrict who can edit or view working papers within the Business Process and
IT Element subphases. See the Permissions Performance Support for details.
When Performing a Carryforward of the Engagement to Year 2, how do I make
control-related choices?
To start the next year’s audit, you will likely create the engagement from a carryforward of the
archived engagement. During the carryforward process, one of the options is to remove the
conclusions from the controls. Select that option so as to avoid confusion as to whether a
conclusion has been updated for the current audit. In the next year’s audit, after performing the
necessary procedures, re-answer those conclusions.
Another option during carryforward is to delete findings. Do not select that option. Instead, carry
the findings into the next audit and update them as part of the next audit’s risk assessment
procedures.
Carryforward Options
In the next year’s audit, after performing the necessary procedures, re-answer the risk strategy
and control strategy fields. Take advantage of the ability to use prior audit evidence where
possible.