Chapter 9 - Control Risk Assessment Flashcards
What is the auditor's responsibility in controls risk assessment?
Identify the control deficiencies to make an appropriate controls risk assessment and develop an appropriate risk response.
What is the purpose of risk assessment procedures?
To gain an understanding of the entity and environment and the applicable accounting framework.
What is the goal of the auditor in assessing controls?
- Obtain an understanding of the internal controls
- Evaluate the components of the system of internal control.
What are the six risk assessment procedures for controls? Briefly describe each one.
- Inspection - All forms of internal control have documents; by inspecting the documents, records, and files, we can evaluate effectiveness.
- Inquiry of entity personnel - Ask staff if they know their duties, this helps assess if they perform their job adequately according to documentation.
- Observation - Watching their internal controls and accounting systems and records allows the auditor to know if the controls are adequate.
- Reperformance - Use walkthroughs: follow the transaction from its origin through the information system until it is in the financial records, using the same tech and documents as the client. Provides a good understanding of the business.
- Update and evaluate the auditor's previous experience with the entity - For auditors that have a continuing engagement, assess whether they have made changes to internal controls or if they have fixed insufficient controls in the past.
- Understand IT general controls - Talk to people in IT, watch the system, do tests, allowing them to understand if controls are adequate.
What is a walkthrough?
Combines inspection, observation, and inquiry to ensure the controls designed and implemented are good. Provides the opportunity to ask probing questions to assess skills and competence.
What are the three tools auditors use to document the system of internal controls?
- Narrative
- Flowchart
- Internal controls questionnaire.
What is a narrative? What four areas does it cover?
A written description of a client's internal controls. A proper narrative covers:
- The origin of every document and record in the system
- All the processing that takes place
- The disposition of every document and record in the system
- Key controls (SPAID) relevant to the controls risk assessment.
What is an internal controls flowchart? What are elements of an adequate flow chart?
It is a symbolic, diagrammatic representation of the client's documents and their sequential flow in the organization. The same characteristics as the narrative.
What are the advantages of a flowchart? If a flowchart is adequate, what should it allow the auditor to do?
They are easier to read and update. Identify inadequacies by facilitating a clear understanding of how the system operates.
What is an internal controls questionnaire? What is the main disadvantage?
A predesigned questionnaire that consists of a series of questions about the controls in each audit area, including the control environment, as a means of indicating to the auditor aspects of internal control that may be inadequate. The questions call for a yes or no response, with "no" indicating a potential deficiency.
The main disadvantage is the inability to provide an overview of the system.
What is the best combination of tools to use for controls risk assessment and why?
The use of the questionnaire and the flowchart is a good combination as it allows you to understand the design of the controls and identify control deficiencies within those control activities. Flowcharts provide an overview of the system; the questionnaire offers a useful checklist to remind the auditor of the many different types of internal controls that exist.
What is the purpose of control risk assessment procedures? What is the 4 step process?
It is to identify whether the system is strong or weak. The four step process is:
- Evaluate the design of the controls (whether they are capable of preventing or detecting and correcting material misstatement)
- Determine if the controls have been implemented (the control exists if the company is using it)
- Evaluate the competence of the people using the controls
- Evaluate the adequacy of IT (does it capture relevant information such as signatures for approval)
What are strong controls? What does it mean if auditors are going to rely upon controls? What does it mean if they are not?
Controls that are effective at minimizing the risk of material misstatement for significant classes of transactions, account balances, disclosures, and relevant assertions.
It means that they have assessed the fact that controls are good, and they will test the effectiveness. It means they will not test the controls and rely on substantive testing instead.
What are the two key questions auditors ask when deciding to rely upon the controls? Describe them.
- Will the test of controls improve the audit efficiency? - Can permit the audit at an interim period, change the nature and extent of the audit, improving efficiency.
- Is it necessary to perform tests of controls because transactions are highly automated? - If the organization uses highly automated processes, it is nearly impossible to use substantive testing as there is no audit trail; you must assess the internal controls.
What will an auditor do if the assessed RMM is high?
They will implement more overall financial statement procedures or they will do more substantive testing. If the substantive testing is still not enough, they may issue a report with a scope limitation.
What are the three levels of absence of internal controls? Describe
- Control deficiency - Exists if the design or operation of controls does not detect and correct misstatements on a timely basis.
- Significant deficiency - Exists if one or a combination of control deficiencies exists that, in the auditor's professional judgement, is of sufficient importance to merit the attention of those in charge of governance.
- Material weakness - Exists if a significant deficiency, by itself or in combination with other significant deficiencies, results in a reasonable possibility that internal controls will not prevent or detect material misstatements on a timely basis.
What are the two parts of a control deficiency?
Design deficiency - A necessary control is missing or not properly designed
Operation deficiency - It is a well-designed control but does not operate as designed, or the person performing the control is insufficiently qualified or authorized.
What are four examples of situations that create controls deficiency?
- Fraud of any magnitude that involves the senior managers
- Deficiencies that the auditors communicated to management in previous audits that have not been corrected
- Management failure to respond to significant risks
- Restatement of previously issued financial statements.
Describe the evaluating controls deficiency graph
The horizontal line is the likelihood, with remote on the left and reasonably possible on the right.
The vertical line is the magnitude, with significant on the top and immaterial on the bottom.
If we are in the right quadrant then it is a material weakness.
If we are in the top left quadrant it is a significant deficiency.
What is a compensating (or mitigating) control?
It is a control elsewhere in the system that offsets the weakness. Any control can be a compensating control. This can be the active involvement of the owner in a small business to compensate for the lack of segregation of duties.
What does a material weakness mean?
What does it help auditors to do?
What is the material weakness proportionate to?
It means that there is a reasonable possibility that the internal controls will not prevent or detect material misstatements; it does not mean that it has occurred.
It helps auditors to identify specific errors or fraud and other irregularities that are likely to result from the absence of controls
It is proportionate to the magnitude of errors or fraud and other irregularities that are likely to result from it.
What are five items that auditors should assess for control risk considering the internal controls (5 components)?
- Evaluate the control environment, risk assessment, and monitoring process.
- Evaluate information systems and communications
- Evaluate control activities.
When auditors evaluate the design of a control activity, what do they consider?
- Whether the control activity addresses the identified risk of fraud and / or error (what can go wrong)
- Whether the control activity addresses the related assertions.
What are the 4 areas auditors are specifically expected to understand and evaluate the control activities for?
- Controls, automated or manual, that address significant risk - Those in the upper end of the spectrum for inherent risk
- Controls over journal entries.
- Controls for which the auditor plans to test operating effectiveness (substantive procedures alone are not sufficient or plans to rely on them)
- Controls related to reconciling detailed records to the general ledger or the transaction processed by a service center.