Chapter 9 - Control Risk Assessment Flashcards
What are the auditors responsibility in controls risk assessment?
Identify the control deficiencies to make an appropriate controls risk assessment and and develop an appropriate risk response.
What is the purpose of risk assessment procedures?
To gain an understanding of the entity and environment and the applicable accounting framework.
What is the goal of the auditor in assessing controls?
- Obtain an understanding of the internal controls
- Evaluate the components of the system of internal control.
What are the six risk assessment procedures for controls? Briefly describe each one.
- Inspection - All forms of internal control have documents, by inspecting the documents records, and files, we can evaluate effectiveness
- Inquiry of entity personnel - Ask staff if they know their duties, this helps assess if they perform their job adequately according to documentation.
- Observation - Watching their internal controls and accounting systems and records allows the auditor to know if the controls are adequate.
- Reperformance - Use walkthroughs, follow the transaction from its origin through the information system, unit it is in the financial records using the same tech and documents as the client. Provides a good understanding of the business.
- Update and evaluate auditors previous experience with the entity - For auditors that have a continuing engagement, assess whether they have made changes to internal controls or if they have fixed insufficient controls in the past.
- Understand IT general controls - Talk to people in IT, watch the system, do tests, allowing them to understand if controls are adequate.
What is a walkthrough?
Combines inspection, observation, inquiry to ensure the controls designed and implemented are good. Provide the opportunity to ask probing questions to assess skills and competence
What are the three tools auditors use to document the system of internal controls?
- Narrative
- Flowchart
- Internal controls questionnaire.
What is a narrative? What four areas does it cover?
A written description of a clients internal controls. A proper narrative covers:
- The origin of every document and record in the system
- All the processing that takes place
- The disposition of every document and record in the system
- Key controls (SPAID) relevant to the controls risk assessment.
What is an internal controls flowchart? What are elements of an adequate flow chart?
It is a symbolic, diagrammatic representation of the clients documents and their sequential flow in the organization. The same characteristics as the narrative.
What are the advantages of a flowchart? If a flowchart is adequate, what should it allow the auditor to do?
They are easier to read and update. Identify inadequacies by facilitating a clear understanding of how the system operates.
What is an internal controls questionnaire? What is the main disadvantage?
A predesigned questionnaire that consists of a series of questions about the controls in each audit area including the control environment, as a means of indicating to the auditor aspects of internal control that may be inadequate. They are a year or no response, with no indicating potential deficiency.
Main disadvantage is the inability to provide an overview of the system
What is the best combination of tools to use for controls risk assessment and why?
The use of questionnaire and the flowchart is a good combination as it allows you to understand the design of the controls and identify control deficiencies within those control activities. Flowcharts provide an overview of the system, the questionnaire offers a useful checklist to remain the auditor of the many different types of internal controls that exist.
What is the purpose of control risk assessment procedures. What is the 4 step process?
It is to identify whether the system is strong or weak. The four step process is:
- Evaluate the design of the controls (whether they are capable of preventing or detecting and correcting material misstatement)
- Determine if the controls have been implemented (the control exists if the company is using it)
- Evaluate the competence of the people using the controls
- Evaluate the adequacy of IT (does it capture relevant information such as signatures for approval)
What are strong controls? What does it mean if auditors are going to rely upon controls? What does it mean if they are not
Controls that are effective at minimizing the risk of material misstatement for significant class of transactions, account balances, disclosures, and relevant assertions.
It means that they have assessed the fact that controls are good, and they will test the effectiveness. It means they will not test the controls and rely on substantive testing instead.
What are the two key questions auditors ask when deciding to rely upon the controls? Describe them.
- Will the test of controls improve the audit efficiency? - Can permit the audit at an interim period, change the nature and extent of the audit, improving efficiency.
- Is it necessary to perform test of controls because transactions are highly automated transactions - If the organization uses highly automated processes, it is near impossible to use the substantive testing as there is no audit trail , you must assess the internal controls.
What will an auditor do if the assessed RMM is high?
They will implement more overall financial statement procedures or they will do more substantive testing. If the substantive testing is still not enough, they may issue a report with a scope limitation.
What are the three levels of absence of internal controls? Describe
- Control deficiency - Exists if the design or operation of controls does not detect and correct misstatements on a timely basis.
- Significant deficiency - Exists if one or a combination of control deficiencies exist such that in the auditors professional judgement, are of sufficient importance to merit the attention of those in charge of governance.
- Material weakness - Exists if a significant deficiency, by itself or in combination with other significant deficiencies, result in a reasonable possibility that internal controls will not prevent or detect material misstatements on a timely basis.
What are the two parts of a control deficiency?
Design deficiency - A necessary control is missing or not properly designed
Operation deficiency - It is a well designed control but does not operate as designed or the person performing the control is insufficiently qualified or authorized.
What are 4 considerations for control deficiency?
- Fraud of any magnitude that involves the senior managers
2.Deficiencies that the auditors communicated to management in previous audits that have not been corrected - Management failure to respond to significant risks
- Restatement of previously issued financial statements.
Describe the evaluating controls deficiency graph
The horizontal like is the likelihood with remote on the left and reasonably possible on the right.
The vertical line is the magnitude with significant on the top and immaterial on the bottom.
If we are in the right quadrant than it is a material weakness.
If we are in the top left quadrant it is a significant deficiency.
What is a compensating (or mitigating) control
it is a control elsewhere in the system that offsets the weakness. Any control can be a compensating control. This can be the active involvement of the owner in a small business to compensate for the lack of segregation of duties.
What does a material weakness mean?
What does it help auditors to do?
What is the material weakness proportionate too?
It means that there is a reasonable possibility that the internal controls will not prevent or detect material misstatements, it does not mean that it has occurred.
It helps auditors to identify specific errors or fraud and other irregularities that are likely to result from the absence of controls
It is proportionate to the magnitude of errors or fraud and other irregularities that are likely to result from it.
What are three things that auditors should assess for control risk?
- Evaluate the control environment, risk assessment, and monitoring process.
- Evaluate information systems and communications
- Evaluate control activities.
When auditors evaluate the design of a control activity, what do they consider?
- Whether the control activity addresses the identified risk of fraud and / or error (what can go wrong)
- Whether the control activity addresses the related assertions.
What are the 4 areas auditors are specifically expected to understand and evaluate the control activities for?
- Controls, automated or manual, that address significant risk - Those in the upper end of the spectrum for inherent risk
- Controls over journal entries.
- Controls for which the auditor plans to test operating effectiveness (substantive procedures alone are not sufficient or plans to rely on them)
- Controls related to reconciling detailed records to the general ledger or the transaction processed by a service center.
What are key controls?
Controls that would be most effective or have the greatest impact on reducing misstatements.
What happens if the test of controls do not match the preliminary assessment of the controls? What’s RMM if the auditor chooses not to rely upon the controls?
The auditor will make changes and adjustments for better control risk responses. The audit approach will change
Then the RMM will be equivalent to the inherent risk.
What do auditors have to do if the client uses a business service like payroll or cloud computing?
They need to perform an assessment of the other firm or get a control form that validates the controls are adequate from another auditor to ensure that the controls implemented in the audit client are sufficient and appropriate. The amount of information is based on the complexity and the extent to which controls will be relied.
What is the service audit report?
To provide guidance and uniformity in the way service providers disclose their control activities and processes to their customers and the entity’s auditors. It is to provide the service centre customers with reasonable assurance that the general and application controls are adequate.
What are the two types of reports that can be issued by a service provider. Describe them
Type 1 - A report on managements description of a service organizations system and the sustainability of the design of controls
Type 2 - A report on managements description of a service organizations system and the suitability of the design and operating effectiveness of controls.
What does the type 1 report assist the auditor in?
What are the three ways that auditors can get information regarding the effectiveness and operational efficiency of the internal controls
It assists the auditor in understanding the internal controls and planning the audit.
- Type 2 service report
- Tests of the users organizations control over the activities of the service organization. 3.When the auditor does appropriate tests at the service organizations.
How is the formalization of IT determined? What do auditors need to have?
Based on the complexity of the IT environment. They must assess whether they have the necessary skills to cater information from the IT as it is electronic documents
What are the 5 things that IT specialists can do?
1.Document and assess the IT control environment
2. Test the general controls
3. Document and assess key automated controls
4. Develop ATT’s to test controls and perform substantive tests.
5. Develop IT control weakness and develop recommendations.
What must happen with controls assessment even if they are not planning to rely on it?
They must perform risk assessment procedures to understand the design and implementation. This is necessary regardless if they are planning on relying on it or not.
What is the assessment of control risk?
A measure of the auditors expectation that the internal controls will neither prevent material misstatements at the assertion level from occurring nor detect of correct them if they actually occur.
What does understanding the internal controls leads too?
An assessment of overall financial statement risk and the risk at the assertion level.
How do auditors assess at the overall financial statement level risk? How do auditors assess at the assertion level?
There is a heavy focus on the control environment, risk assessment, or monitoring, the areas that have a pervasive risk throughout the entire audit.
There is a heavy focus on the controls that address the transaction level risk, or the control activities and its implications on the IS and indirect controls of the assertions
What level do auditors typically assess first?
They will typically assess the risk assessment, monitoring, or the control environment that affect the financial statements pervasively before the control activities. If the risk at the general level is high then likely the controls themselves are not going to be sufficient and vice versa.
What do auditors assess first with IT?
They will typically assess the general IT controls first before they start looking at the automated application controls or manual controls. If the risk at the general level is high then likely the controls themselves will not be sufficient and vice versa
What are the three audit approaches.
- Controls approach only
- Combined approach
- Substantive testing only
Describe the controls approach only
This approach is only used in very rare circumstances such as where it is impossible to rely on substantive testing. For example, if the company uses highly automated transaction processing machines no audit trail is left and all they can rely on is the test of controls.
Describe how the auditor selects between the combined approach of the substantive approach.
If the control risk is high that means that in general the controls are not working and thus it would not make sense to rely too heavily on the test of controls as a way to provide sufficient appropriate audit evidence. Therefore to keep the audit risk low, they will lower the detection risk meaning they will use more substantive procedures.
If the control risk is low that means that in general the controls are working and thus they can rely on the controls to provide sufficient appropriate audit evidence. Therefore they can use the combined approach, still doing test in details but less of it.
What guide the auditor in making their selection?
The preliminary controls risk assessment will guide their decision making.
What are substantive tests? Why would they use the substantive testing? If they do not test the controls what is RMM equal too?
Substantives tests means that the auditor will implement the 3 parts of understanding the internal controls, analytical procedures, and test in details. Here they do not rely on controls and focus more on ensuring that the expectations are in alignment with what has been recorded. Either because the controls risk is high that testing the controls would not reduce the risk or it is not efficient to perform a test of controls. It is equal to the inherent risk.
What is the combined approach?
The combined approach means that the auditor will use a combination of controls and also substantive testing. It means that the controls are effective and that they plan to rely on the controls when determine the nature, timing, and extent of the audit procedures.
Why do we still have to do a test of controls if it was assessed that the internal controls seemed good? Why may an auditor use a combined approach?
It is because the internal controls general assessment was based on procedures that are not entirely conclusive and thus a test of controls must be done to certify and guarantee it. They may use a combined approach because it is cost effective.
