Risk Response: Performing Tests of Controls Flashcards

1
Q

What are the steps associated with assessing control risk?

A
  1. Understand entity-level controls
  2. Understand the flow of transactions
  3. Identify what can go wrong (WCGW) for F/S assertions
  4. Identify relevant controls to test
  5. Determine preliminary audit strategy
  6. Perform tests of controls
  7. Evaluate the evidence, assess control risk, and reevaluate audit strategy (if needed)
  8. Report internal control weaknesses to those charged with governance
2
Q

What are the common steps for any transaction?

A
  1. Authorization
  2. Executing the transaction (involves filling the order so that title of a good passes)
  3. Recording the transaction (transactions are recorded after title passes)
  4. Consideration (transaction is completed when money is received or paid)
3
Q

What is “What can go wrong” (WCGW)?

A

It describes where material misstatements due to error or fraud could occur in a flow of transactions or source and preparation of information that affects a relevant F/S assertion.

Example: the auditor is concerned about potential revenue recognition (RR) problems that lead to premature RR.

4
Q

What is the reporting system for ICFR?

A

If internal controls (I/C) are significant deficiencies, the auditor can issue an unqualified opinion on ICFR.
If I/C are material weaknesses, the auditor will issue an adverse opinion on ICFR.

5
Q

Explain “understanding entity-level controls”

A

The auditor conducts interviews throughout the organization to understand the strength of entity-level controls and to identify weaknesses at the entity level. The auditor will want to understand whether weaknesses are so pervasive as to offset strength at a transaction level.

6
Q

Explain “understanding the flow of transactions”

A

The auditor performs a system walkthrough to understand the flow of transactions and identify potential strengths and weaknesses at the transaction level.

7
Q

Explain “Identifying WCGW”

A

The auditor uses their understanding of assertions to identify what can go wrong at the transaction level.

8
Q

Explain “Identifying relevant controls to test”

A

Given the auditor’s understanding of entity-level and transaction-level controls, the auditor should identify key controls for each assertion.

9
Q

Explain “Determining preliminary audit strategy”

A

When internal control strengths are present at the assertion level, the auditor may want to follow a reliance strategy; if internal control strengths are not present at the assertion level, the auditor will follow a primarily substantive approach. The auditor may have different strategies for different assertions for the same transaction class.

10
Q

Explain “Performing tests of controls”

A

The auditor should test controls where the auditor plans a reliance strategy.

11
Q

Explain “Evaluating evidence and assess control risk”

A

The auditor evaluates the evidence obtained from tests of controls. If the evidence shows that controls are strong, the auditor should document the finding and proceed with a reliance strategy. If control tests do not support a finding of strong controls, the auditor might identify compensating controls and test those controls. If the control testing does not support the preliminary audit strategy, the auditor should revise their audit strategy.

12
Q

What steps should an auditor take if they determine that a key control is not operating effectively?

A
  1. Look for a compensating control
  2. Test the compensating controls
  3. If the compensating controls are effective, proceed with audit strategy
  4. If a strong control is not identified for an assertion, the auditor should decrease the level of assessed detection risk
  5. Make appropriate changes to the nature, timing, and extent of substantive tests related to an assertion.
13
Q

What are preventive controls?

A

Controls applied to each transaction that stop fraud or errors from occurring.
Example: the software application will not allow a sale to be processed if a customer has exceeded its credit limit.

14
Q

What are detective controls?

A

Controls applied after transactions have been processed to identify whether fraud or errors have occurred, and to rectify the fraud or errors on a timely basis.

15
Q

What are tests of controls?

A

They are the audit procedures performed to test the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.

16
Q

Tests of controls include what?

A
  1. Inquiry (asking questions about procedures)
  2. Observation (observing the control being performed)
  3. Inspection of physical evidence (testing physical evidence to verify that a control has been performed properly)
  4. Reperformance (retesting for effectiveness)
  5. Various data analytics techniques
17
Q

What is the tolerable deviation rate?

A

The maximum rate of deviation from a prescribed control that an auditor is willing to accept and still use the planned assessed level of control risk.

18
Q

What is desired level of assurance?

A

The level of assurance that the sample is representative of the population; the auditor wants to choose a level of assurance so tolerable misstatement is less likely to be exceeded by the actual misstatement in the population.

19
Q

What is the expected rate of deviation in the population?

A

It is the rate at which the auditor expects controls to not function as planned.

20
Q

What is attribute sampling?

A

A technique used to reach a conclusion about a population in terms of a rate (frequency) of occurrence.

21
Q

What is control exception (deviation)?

A

An observed condition that provides evidence that the control being tested did not operate as intended.

22
Q

What is benchmarking?

A

It is an audit testing strategy that can be used to allow evidence obtained in a prior audit period to support a conclusion about IT application controls in the current audit period.

23
Q

Name five factors to consider when deciding the extent of tests of controls to be performed.

A
  1. Tolerable deviation rate: if the auditor can only tolerate smaller deviation rates, this will cause large sample sizes.
  2. Desired level of assurance that the tolerable deviation rate is not exceeded by the actual rate of deviation in the population: as the auditor wants higher levels of assurance from the audit evidence, sample size will increase.
  3. Expected rate of deviation in the population to be tested: when the expected deviation rate is close to the tolerable rate, sample size will increase.
  4. Number of sampling units in the population when the population is small: larger population size results in larger sample sizes.
  5. Number of sampling units in the population when the population is large: population size has no effect on sample sizes.
24
Q

What is a compensating control?

A

It is a control that may control an assertion when the key control tested by the auditor is not effective. For example, when testing payroll, the auditor determines that manual follow-up of exceptions noted by the computer is not timely or effective. However, a performance review exists where department managers must approve the total payroll charged to their departments, and this control is effective. This would be an example of a compensating control.

25
Q

Why does the auditor always investigate control exceptions?

A

To determine how significant the exceptions are. The auditor needs to determine if the exception is a deficiency in internal control, a significant deficiency, or a material weakness. The auditor evaluates this based on the likelihood of a misstatement and the materiality of a misstatement that may result from a breakdown in internal control.

26
Q

What is a control exception?

A

An instance in which there is a deficiency in the design or operating effectiveness of a control.

27
Q

What should be included in working paper documentation?

A
  1. The auditor’s conclusion about control risk
  2. The basis for this conclusion (underlying evidence)