Risk Assessment (c)(iii) and (d) Flashcards

1
Q

What is a “Walkthrough”?

A
  • Act of tracing a transaction through org records, procedure and business processes
  • Auditor’s objective is to understand transaction flow (how initiated, authorized, recorded, processed, and reported)
  • ID when control is missing, operating ineffectively or not designed properly
  • Nontechnical approach to learning how a particular process or transaction works
  • Considered a prelim step in overall testing process
  • Based on the info and evidence gathered from walkthroughs, IT auditor s/b able to assess risks w/ business processes and controls related to IT
2
Q

What may be included in “Walkthrough” procedures?

A

Combination of:

  • Inquiry
  • Observation
  • Inspect relevant doc
  • Re-perform controls
  • Auditor should follow AS5 recommendations about combining observation, inquiry, and review of relevant documents as part of the walkthrough
3
Q

When are “Walkthroughs” required?

A
  • Required when certifying financial reporting controls under SOX 404
4
Q

Based on concept of “Key Controls”, when do Controls become “Relevant”?

A

(1) If controls are associated w/ FS data or financial reporting processes
(2) If controls are IT-related or IT-dependent
(3) If controls are related to RMM

5
Q

What are the 2 focuses the IT Auditor has on Automated Controls?

A

(1) Automated controls are key objective in IT audit
(2) Effective automated controls can be leveraged to reduce substantive testing in FAP phase of financial audit
- Automated controls s/b tested when there is an expectation of operating effectiveness for them, when substantive procedures alone do not provide sufficient evidence, and when there is a lack of audit trail other than through IT or digital data

6
Q

What are methods to ID Key Controls?

A
  • IT auditor ID’s key controls associated w/ relevant systems, applications, and specifically business processes
  • Methods: Walkthroughs, interviews, observation, review of key documents, flowchart of business processes, financial systems and data flows
7
Q

Determine Relevant Business Processes and Controls to Review

A

(1) IT auditor ID’s Key Controls
- Associated w/ relevant systems, applications, and specifically business processes via walkthroughs, flowcharts
(2) ID Relevant Controls Embedded in Automated Business Processes
(3) Benchmark Relevant Automated Controls
- Measure and evaluate the “strength” (reliance) of control based on benchmark (the designed purpose of the control)

8
Q

What is “Risk of Material Misstatement”?

A
  • RMM = IR + CR
  • Risk that an event, process or activity will lead to material misstatement and not be prevented/detected timely
  • Includes acct balances, classes of transactions, disclosures, mgmt assertions
  • Also includes risks from IT of entity
9
Q

Describe the 6 Steps in the “RMM Process” Framework:

A

(1) ID IR - Some IR w/ processes, transactions, and events
(2) Type of Risk - Error or fraud
(3) Risk Level
- Relevant assertion regarding the IR or FS as a whole
(4) Controls - ID controls that may mitigate some IR
(5) CR Assessed
- Determine mitigation degree
- Auditor reduces original IR level by some amt and reaches some “Residual” risk
- Residual risk, and its level of risk, becomes primary factor in audit planning and developing FAPs
(6) RMM
- Combine IR and CR to determine level of risk for each specific RMM
