Chapter 9 - Assessing Control Risk and Designing Tests of Controls Flashcards
What are the 3 methods for documenting our understanding of controls activities?
- Narrative—a written description of a client’s internal controls, including the origin, processing, and disposition of documents and records, and the relevant control activities.
- Flowchart— a diagrammatic representation of the client’s documents and records, and the sequence in which they are processed.
- Internal control questionnaire—a series of questions about the controls in each audit area used as a means of gaining an understanding of internal control.
What are some common methods used in performing the evaluation of implementation of controls?
- Update and Evaluate Auditor’s Previous Experience With the Entity
- Make Inquiries of Client Personnel
- Examine Documents and Records
- Observe the Entity’s Activities and Operations
- Perform Walk-Throughs of the Accounting System
- Assess Control Risk
Before making a preliminary assessment of control risk for each material class of transactions, the auditor must decide whether the entity is auditable. What are some things that should be considered?
- If management lacks integrity, most auditors will not accept the engagement or, in the case of a continuing client, will resign from the engagement.
- If the accounting records are deficient, necessary audit evidence may not be available.
- In complex IT environments, the auditors must assess if they have the necessary IT skills.
If we decide the entity is auditable, the next step in assessing control risk is…
The assessment of entity-level controls.
Auditors generally assess entity-level and general controls before assessing transaction controls (control activities) and IT application controls.
Once auditors determine that entity-level and general IT controls are designed and placed in operation, they next make a preliminary assessment for each transaction-related audit objective for each major type of transaction in each transaction cycle.
What is the difference between pervasive and specific controls?
Pervasive controls = entity-level controls. Includes controls over:
- Fraud (management override)
- Centralized processing
- Period-end financial reporting process
Specific Controls = transaction controls (i.e., IT application controls)
What are the 3 levels of the absence of internal controls?
- control deficiency - exists if the design or operation of controls does not detect and correct misstatements in timely manner
- significant deficiency - exists if one or more control deficiencies exist that are less severe than a material weakness
- material weakness - exists if a significant deficiency, results in a reasonable possibility that internal control will not prevent or detect material financial misstatements on a timely basis.
What are the 5 steps used to identify significant and/or material internal control weaknesses?
- Identify existing controls.
- Identify the absence of key controls.
- Consider the possibility of compensating (or mitigating) controls.
- Decide whether there is a significant deficiency or material weakness.
- Determine potential material misstatements that could result.
What are tests of controls?
The procedures to test effectiveness of controls in support of a reduced assessed control risk
What are the 5 types of audit procedures that are used to support the operation of key internal controls?
- Make Inquiries of Appropriate Entity Personnel
- Inspect Documents, Records, and Reports
- Observe Control-Related Activities
- Test Data
- Re-perform Client Procedures
What is the difference between tests of controls and procedures to obtain an understanding?
In obtaining an understanding of internal control, the procedures are applied to all controls identified. Tests of controls, on the other hand, are applied only when the assessed control risk has not been satisfied by the procedures to obtain an understanding.
Procedures to obtain an understanding are performed only on one or two transactions or, in the case of observations, at a single point in time.
What is a management letter?
Management letter—the auditor’s written communication to management to point out LESS SIGNIFICANT weaknesses in internal control and possibilities for operational improvements.
How does the auditor communicate SIGNIFICANT control deficiencies to those charged with governance?
The auditor is required to communicate significant control deficiencies in writing to “the audit committee or equivalent.”
The description of the internal control deficiency and recommendation is usually included in a year-end report, or internal control letter to the audit committee.
