Chapter 9 - Control Risk Assessment

Question 1

What are the auditors responsibility in controls risk assessment?

Answer 1

Identify the control deficiencies to make an appropriate controls risk assessment and and develop an appropriate risk response.

Question 2

What is the purpose of risk assessment procedures?

Answer 2

To gain an understanding of the entity and environment and the applicable accounting framework.

Question 3

What is the goal of the auditor in assessing controls?

Answer 3

1. Obtain an understanding of the internal controls
2. Evaluate the components of the system of internal control.

Question 4

What are the six risk assessment procedures for controls? Briefly describe each one.

Answer 4

1. Inspection - All forms of internal control have documents, by inspecting the documents records, and files, we can evaluate effectiveness
2. Inquiry of entity personnel - Ask staff if they know their duties, this helps assess if they perform their job adequately according to documentation.
3. Observation - Watching their internal controls and accounting systems and records allows the auditor to know if the controls are adequate.
4. Reperformance - Use walkthroughs, follow the transaction from its origin through the information system, unit it is in the financial records using the same tech and documents as the client. Provides a good understanding of the business.
5. Update and evaluate auditors previous experience with the entity - For auditors that have a continuing engagement, assess whether they have made changes to internal controls or if they have fixed insufficient controls in the past.
6. Understand IT general controls - Talk to people in IT, watch the system, do tests, allowing them to understand if controls are adequate.

Question 5

What is a walkthrough?

Answer 5

Combines inspection, observation, inquiry to ensure the controls designed and implemented are good. Provide the opportunity to ask probing questions to assess skills and competence

Question 6

What are the three tools auditors use to document the system of internal controls?

Answer 6

1. Narrative
2. Flowchart
3. Internal controls questionnaire.

Question 7

What is a narrative? What four areas does it cover?

Answer 7

A written description of a clients internal controls. A proper narrative covers:

1. The origin of every document and record in the system
2. All the processing that takes place
3. The disposition of every document and record in the system
4. Key controls (SPAID) relevant to the controls risk assessment.

Question 8

What is an internal controls flowchart? What are elements of an adequate flow chart?

Answer 8

It is a symbolic, diagrammatic representation of the clients documents and their sequential flow in the organization. The same characteristics as the narrative.

Question 9

What are the advantages of a flowchart? If a flowchart is adequate, what should it allow the auditor to do?

Answer 9

They are easier to read and update. Identify inadequacies by facilitating a clear understanding of how the system operates.

Question 10

What is an internal controls questionnaire? What is the main disadvantage?

Answer 10

A predesigned questionnaire that consists of a series of questions about the controls in each audit area including the control environment, as a means of indicating to the auditor aspects of internal control that may be inadequate. They are a year or no response, with no indicating potential deficiency.

Main disadvantage is the inability to provide an overview of the system

Question 11

What is the best combination of tools to use for controls risk assessment and why?

Answer 11

The use of questionnaire and the flowchart is a good combination as it allows you to understand the design of the controls and identify control deficiencies within those control activities. Flowcharts provide an overview of the system, the questionnaire offers a useful checklist to remain the auditor of the many different types of internal controls that exist.

Question 12

What is the purpose of control risk assessment procedures. What is the 4 step process?

Answer 12

It is to identify whether the system is strong or weak. The four step process is:

1. Evaluate the design of the controls (whether they are capable of preventing or detecting and correcting material misstatement)
2. Determine if the controls have been implemented (the control exists if the company is using it)
3. Evaluate the competence of the people using the controls
4. Evaluate the adequacy of IT (does it capture relevant information such as signatures for approval)

Question 13

What are strong controls? What does it mean if auditors are going to rely upon controls? What does it mean if they are not

Answer 13

Controls that are effective at minimizing the risk of material misstatement for significant class of transactions, account balances, disclosures, and relevant assertions.

It means that they have assessed the fact that controls are good, and they will test the effectiveness. It means they will not test the controls and rely on substantive testing instead.

Question 14

What are the two key questions auditors ask when deciding to rely upon the controls? Describe them.

Answer 14

1. Will the test of controls improve the audit efficiency? - Can permit the audit at an interim period, change the nature and extent of the audit, improving efficiency.
2. Is it necessary to perform test of controls because transactions are highly automated transactions - If the organization uses highly automated processes, it is near impossible to use the substantive testing as there is no audit trail , you must assess the internal controls.

Question 15

What will an auditor do if the assessed RMM is high?

Answer 15

They will implement more overall financial statement procedures or they will do more substantive testing. If the substantive testing is still not enough, they may issue a report with a scope limitation.

Question 16

What are the three levels of absence of internal controls? Describe

Answer 16

1. Control deficiency - Exists if the design or operation of controls does not detect and correct misstatements on a timely basis.
2. Significant deficiency - Exists if one or a combination of control deficiencies exist such that in the auditors professional judgement, are of sufficient importance to merit the attention of those in charge of governance.
3. Material weakness - Exists if a significant deficiency, by itself or in combination with other significant deficiencies, result in a reasonable possibility that internal controls will not prevent or detect material misstatements on a timely basis.

Question 17

What are the two parts of a control deficiency?

Answer 17

Design deficiency - A necessary control is missing or not properly designed
Operation deficiency - It is a well designed control but does not operate as designed or the person performing the control is insufficiently qualified or authorized.

Question 18

What are four examples of situations that create controls deficiency?

Answer 18

1. Fraud of any magnitude that involves the senior managers
2. Deficiencies that the auditors communicated to management in previous audits that have not been corrected
3. Management failure to respond to significant risks
4. Restatement of previously issued financial statements.

Question 19

Describe the evaluating controls deficiency graph

Answer 19

The horizontal like is the likelihood with remote on the left and reasonably possible on the right.

The vertical line is the magnitude with significant on the top and immaterial on the bottom.

If we are in the right quadrant than it is a material weakness.
If we are in the top left quadrant it is a significant deficiency.

Question 20

What is a compensating (or mitigating) control

Answer 20

it is a control elsewhere in the system that offsets the weakness. Any control can be a compensating control. This can be the active involvement of the owner in a small business to compensate for the lack of segregation of duties.

Question 21

What does a material weakness mean?
What does it help auditors to do?
What is the material weakness proportionate too?

Answer 21

It means that there is a reasonable possibility that the internal controls will not prevent or detect material misstatements, it does not mean that it has occurred.

It helps auditors to identify specific errors or fraud and other irregularities that are likely to result from the absence of controls

It is proportionate to the magnitude of errors or fraud and other irregularities that are likely to result from it.

Question 22

What are five items that auditors should assess for control risk considering the internal controls (5 components)

`

Answer 22

1. Evaluate the control environment, risk assessment, and monitoring process.
2. Evaluate information systems and communications
3. Evaluate control activities.

Question 23

When auditors evaluate the design of a control activity, what do they consider?

Answer 23

1. Whether the control activity addresses the identified risk of fraud and / or error (what can go wrong)
2. Whether the control activity addresses the related assertions.

Question 24

What are the 4 areas auditors are specifically expected to understand and evaluate the control activities for?

Answer 24

1. Controls, automated or manual, that address significant risk - Those in the upper end of the spectrum for inherent risk
2. Controls over journal entries.
3. Controls for which the auditor plans to test operating effectiveness (substantive procedures alone are not sufficient or plans to rely on them)
4. Controls related to reconciling detailed records to the general ledger or the transaction processed by a service center.

Question 25

What are key controls?

Answer 25

Controls that would be most effective or have the greatest impact on reducing misstatements.

Question 26

What happens if the test of controls do not match the preliminary assessment of the controls? What's RMM if the auditor chooses not to rely upon the controls?

Answer 26

The auditor will make changes and adjustments for better control risk responses. The audit approach will change Then the RMM will be equivalent to the inherent risk.

Question 27

What do auditors have to do if the client uses a business service like payroll or cloud computing?

Answer 27

They need to perform an assessment of the other firm or get a control form that validates the controls are adequate from another auditor to ensure that the controls implemented in the audit client are sufficient and appropriate. The amount of information is based on the complexity and the extent to which controls will be relied.

Question 28

What is the service audit report?

Answer 28

To provide guidance and uniformity in the way service providers disclose their control activities and processes to their customers and the entity's auditors. It is to provide the service centre customers with reasonable assurance that the general and application controls are adequate.

Question 29

What are the two types of reports that can be issued by a service provider. Describe them

Answer 29

Type 1 - A report on managements description of a service organizations system and the sustainability of the design of controls Type 2 - A report on managements description of a service organizations system and the suitability of the design and operating effectiveness of controls.

Question 30

What does the type 1 report assist the auditor in? What are the three ways that auditors can get information regarding the effectiveness and operational efficiency of the internal controls

Answer 30

It assists the auditor in understanding the internal controls and planning the audit. 1. Type 2 service report 2. Tests of the users organizations control over the activities of the service organization. 3.When the auditor does appropriate tests at the service organizations.

Question 31

How is the formalization of IT determined? What do auditors need to have?

Answer 31

Based on the complexity of the IT environment. They must assess whether they have the necessary skills to cater information from the IT as it is electronic documents

Question 32

What are the 5 things that IT specialists can do?

Answer 32

1.Document and assess the IT control environment 2. Test the general controls 3. Document and assess key automated controls 4. Develop ATT's to test controls and perform substantive tests. 5. Develop IT control weakness and develop recommendations.

Question 33

What must happen with controls assessment even if they are not planning to rely on it?

Answer 33

They must perform risk assessment procedures to understand the design and implementation. This is necessary regardless if they are planning on relying on it or not.

Question 34

What is the assessment of control risk from an auditors expectations?

Answer 34

A measure of the auditors expectation that the internal controls will neither prevent material misstatements at the assertion level from occurring nor detect of correct them if they actually occur.

Question 35

What does understanding the internal controls leads too?

Answer 35

An assessment of overall financial statement risk and the risk at the assertion level.

Question 36

How do auditors assess at the overall financial statement level risk? How do auditors assess at the assertion level?

Answer 36

There is a heavy focus on the control environment, risk assessment, or monitoring, the areas that have a pervasive risk throughout the entire audit. There is a heavy focus on the controls that address the transaction level risk, or the control activities and its implications on the IS and indirect controls of the assertions

Question 37

What level do auditors typically assess first?

Answer 37

They will typically assess the risk assessment, monitoring, or the control environment that affect the financial statements pervasively before the control activities. If the risk at the general level is high then likely the controls themselves are not going to be sufficient and vice versa.

Question 38

What do auditors assess first with IT?

Answer 38

They will typically assess the general IT controls first before they start looking at the automated application controls or manual controls. If the risk at the general level is high then likely the controls themselves will not be sufficient and vice versa

Question 39

What are the three audit approaches.

Answer 39

1. Controls approach only 2. Combined approach 3. Substantive testing only

Question 40

Describe the controls approach only

Answer 40

This approach is only used in very rare circumstances such as where it is impossible to rely on substantive testing. For example, if the company uses highly automated transaction processing machines no audit trail is left and all they can rely on is the test of controls.

Question 41

Describe how the auditor selects between the combined approach of the substantive approach.

Answer 41

If the control risk is high that means that in general the controls are not working and thus it would not make sense to rely too heavily on the test of controls as a way to provide sufficient appropriate audit evidence. Therefore to keep the audit risk low, they will lower the detection risk meaning they will use more substantive procedures. If the control risk is low that means that in general the controls are working and thus they can rely on the controls to provide sufficient appropriate audit evidence. Therefore they can use the combined approach, still doing test in details but less of it.

Question 42

What guide the auditor in making their selection?

Answer 42

The preliminary controls risk assessment will guide their decision making.

Question 43

What are substantive tests? Why would they use the substantive testing? If they do not test the controls what is RMM equal too?

Answer 43

Substantives tests means that the auditor will implement the 3 parts of understanding the internal controls, analytical procedures, and test in details. Here they do not rely on controls and focus more on ensuring that the expectations are in alignment with what has been recorded. Either because the controls risk is high that testing the controls would not reduce the risk or it is not efficient to perform a test of controls. It is equal to the inherent risk.

Question 44

What is the combined approach?

Answer 44

The combined approach means that the auditor will use a combination of controls and also substantive testing. It means that the controls are effective and that they plan to rely on the controls when determine the nature, timing, and extent of the audit procedures.

Question 45

Why do we still have to do a test of controls if it was assessed that the internal controls seemed good? Why may an auditor use a combined approach?

Answer 45

It is because the internal controls general assessment was based on procedures that are not entirely conclusive and thus a test of controls must be done to certify and guarantee it. They may use a combined approach because it is cost effective.