Assessing Control Risk Under AICPA Standards Flashcards
Risk Assessment Procedures
The auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control (the nature, timing, and extent of the risk assessment procedures vary with the engagement’s circumstances, such as the entity’s size and complexity and the auditor’s experience with it).
Observation and Inspection
The auditor’s risk assessment procedures should include observation of entity operations, inspection of documents (e.g., internal control manuals), reading reports prepared by management and those charged with governance (e.g., minutes of meetings), and visits to the entity’s facilities.
Analytical Procedures
The auditor’s analytical procedures performed in planning may assist the auditor in understanding the entity and its environment and in identifying specific risks relevant to the audit.
The auditor’s understanding of the entity and its environment consists of understanding the following:
(1) industry, regulatory, and other external factors;
(2) nature of the entity;
(3) objectives and strategies and related business risks that may cause material misstatement of the financial statements;
(4) measurement and review of the entity’s financial performance; and
(5) internal control.
The Auditor’s Primary Consideration
The auditor should consider whether (and how) a specific control prevents, or detects and corrects, material misstatements in relevant assertions related to classes of transactions, account balances, or disclosures.
Internal control consists of five interrelated components:
Five interrelated components:
1) Control environment
2) Risk assessment
3) Information and communication systems
4) Control activities
5) Monitoring
Control environment
The policies and procedures that determine the overall control consciousness of the entity, sometimes called “the tone at the top.”
Risk assessment
The policies and procedures involving the identification, prioritization, and analysis of relevant risks as a basis for managing those risks.
Information and communication systems
The policies and procedures related to the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
Control activities
The policies and procedures that help ensure that management directives are carried out, especially those related to:
a) Authorization,
b) Segregation of duties,
c) Performance reviews,
d) Information processing, and
e) Physical controls.
Monitoring
The policies and procedures involving the ongoing assessment of the quality of internal control effectiveness over time.
Inherent Limitations of Internal Control
Internal control provides reasonable, not absolute, assurance about achieving the entity’s objectives. Internal control may be ineffective owing to human failures (mistakes and misunderstandings), and controls may be circumvented by collusion or management override of controls. The cost of an internal control procedure should not exceed the benefit expected to be derived from it.
During consideration of the internal control structure in a financial statement audit, an auditor is not obligated to
The auditor is not required to search for significant deficiencies in the design or operation of internal control. The auditor is required to communicate any significant deficiencies noted to the audit committee (or those in governance).
For certain controls, such as segregation of duties, documentary evidence may not exist.
An auditor would most likely test the procedures by
observation and inquiry
When considering the internal control structure, an auditor should be aware of the concept of reasonable assurance, which recognizes that
The cost of an entity’s internal control should not exceed the benefits derived therefrom.