[spqr105]

I’m kind of confused in the Becker AUD lecture about something in the Risk Assessment/Internal Control portion. It states that the Auditor must assess the risk of material misstatement which includes an assessment of internal controls. Yet it states that control testing doesn’t take place until after the risk is assessed and has been responded to. It explicitly states that control risk must be assessed based on tests of controls. So why is Becker stating that one must make a risk assessment before control testing? This is embodied in their “IMACPA” mnemonic. The “M” pertains to assessing the risk of material misstatement which includes the assessment of control risk. While the “C” pertains to Control testing. How could the control testing possibly occur after the risk assessment? This seems kind of contradictory to me and has been causing me a great amount of confusion. Can someone please clarify this process for me. Thank you.

[gabe1475]

That might be an error. You can get an assesment of internal control by talking to management. If they present that controls are in place and should be working, then you test controls. If you get the feeling that controls are not working properly or discover that shortly after testing, then you need to move to test of details. This would probably be stated clearly in the problem, I hope.

FAR - 95
AUD - 82
REG - 94
BEC - 84

[spqr105]

That sounds a little more reasonable. I figured the auditors could come up with a preliminary assessment of control risk which is included in their preliminary assessment of the risk of material misstatement which is modified throughout the engagement up to and including the control testing phase. However, Becker states control testing takes place after the risk assessment has already been made. It's been confusing the hell out of me.

[gabe1475]

Control testing does take place after risk assessment has been made, but testing is not done in completing the assesment.

FAR - 95
AUD - 82
REG - 94
BEC - 84

[spqr105]

It states that under Assessing the Risk of Material Misstatement (which occurs before Control Testing) that:

“In making risk assessments, the auditor should identify those controls that are likely to prevent or detect and correct material misstatements in specific relevant assertions. If the risk assessment is based on effective operation of those controls, they must be tested by the auditor.”

So essentially, the assessment of controls when originally determining the risk of material misstatement is solely based on the auditors understanding of internal controls, and no testing of them? When assessing the initial risk of material misstatement the auditor is essentially just selecting the controls that appear to be effective and deferring testing to a later date? Thank you for your assistance!

[spqr105]

It also states:

“Assessing risk based on the effective operation of controls involves (1) identifying specific internal controls relevant to specific assertions that are likely to prevent or detect material misstatements in those assertions, and (2) performing tests of such controls to evaluate their effectiveness.”

Doesn't this statement show that tests of controls are performed prior to making the assessment of the risk of material misstatement, not after?

[gabe1475]

Not an expert, but I thing testing is required only for determining if in fact you can rely on the controls and reduce your NET. I would not get hung up about it, I have not seen one question that would imply testing cotrols in order to assess controls, but you could call becker if you are still worried.

FAR - 95
AUD - 82
REG - 94
BEC - 84

[spqr105]

I appreciate your insight on the matter and have only seen a few questions relating to the sequence of the control process but it has been confusing me and now I'm just very curious. It says that tests of controls are needed to judge operating effectiveness of controls which in turn leads to a risk assessment. It then states that control testing takes place after this risk assessment has been determined. How can this be?

[75 CPA]

Becker fails to give an Internal Control Flowchart (COSCO Internal Framework used by management):

1. Determine Audit Risk

2. Planning (Inherent Risk)

3. Understanding (Control Risk)

4.Preliminary Evaluation (Control Risk)

– Assess Risk of Material Misstatements in Financial Statements

5. If RMM is GOOD (Internal Control Works) then

6. Do Tests of Controls (Analytical Procedures, etc.)

5. If RMM is Bad (Internal Control Procedures are NOT Effective) then

6. Gather More Evidence (More Substantive Tests, etc.) and skip Tests of Controls

You do need to understand and memorize the Internal Control Flowchart. Multiple choice questions will test your knowledge of the correct components and the order of those components. If you do not know this flowchart, you will be very confused.

[spqr105]

Thank you for clarifying 75cpa. So let me get this straight, for the Preliminary Evaluation the auditor is assessing the Risk of Material Misstatement based on the Understanding, Design, and Implementation of controls opposed to their operating effectiveness correct? Then if the controls were assessed to be good upon preliminary evaluation, they are then tested for operating effectiveness after the initial assessment of the Risk of Material Assessment has been made?

In addition, it seems like a preliminary evaluation would have to be formed prior to a plan being formed. Wouldn't the plan be formed after the auditor had an idea about what controls had to be tested for operating effectiveness and subsequently, which substantive procedures have to be performed?

I can't tell you how much I appreciate your clarification.

[75 CPA]

I hope that this explanation helps:

Planning is primarily done in the CPA's office. Planning consists of

1. Design of controls

2. Identify potential misstatements

3. Do analytical procedures

Understanding of control risk includes:

1. Risk assessment procedures which are similar to procedures for examination of internal control (recalculation, insperction, inquiry and observation).

2. Walk through and analytical procedures

Review policies and procedures

3. Flowchart and other documentation

Preliminary Evaluation of Control Risk

Assess risk of material misstatement – the scope and purpose are different from an examination of internal control. An engagement to examine internal control will be more extensive in scope than the assessment of control risk.

If RMM is low, you do tests of control. If RMM is high, you skip test of controls and go directly to substantive tests, tests of details and tests of transactions.

Garland with Lambers ($300) did a very good job explaining all of this.

[spqr105]

Thank you for the explanation. I understand it much better now. I believe the wording and sequencing in the Becker materials can be quite deceptive (for me anyway).

[spqr105]

Perhaps someone can assist me with this particular question because this is still kind of not clicking with me even though I thought I had it figured out:

“An auditor's risk assessment is based on the assumption that controls are operating effectively. Which of the following was not a step in making this assessment?”

a) Evaluate the effectiveness of the internal controls with test of controls.

b) Obtain an understanding of the entity's accounting system and control environment.

c) Perform tests of details of transactions to detect material misstatements in the financial statements.

d) Consider whether control activities can have a pervasive effect on financial statement assertions.

Now I completely understand why “C” wouldn't be part of the risk assessment process but I'm a little confused about why “A” isn't. Doesn't risk assessment take place prior to any test of controls taking place? The question even states that the auditor ASSUMES that controls are operating effectively. Wouldn't his initial risk assessment be predicated on this assumption and then he would later test the controls to see if they were in fact operating as assumed?

The steps related to Risk Assessment are:

1) Obtain an understanding of the entity and its environment, including it's internal control.

2) Assess the risk of material misstatement.

3) Respond to the assessed level of risk by designing further audit procedures based on this assessment.

4) Test internal controls to evaluate their operating effectiveness.

5) Perform substantive tests.

6) Evaluate the sufficiency and appropriateness of audit evidence obtained.

Step 2 clearly takes place before step 4, so why is the aforementioned question saying that Step 4 takes place before Step 2? Is it because Step 2 refers to a preliminary risk assessment while the question is referring to another level of risk assessment determined after control testing has been completed? Any help would be greatly appreciated.

[suzzette1]

The reason A was not chosen as the right answer because the auditor is assessing the internal control (test of control) remember if you read B and D they also refer to test of internal control while C which is the correct answer is test of detail which is a form of substantive test. Hope this will make it clearer.

BEC 2/8/10 - 75 (studied hard & prayed less)
REG 5/15/10 - 88 (studied less but prayed hard)
AUDITING 8/9/10 - 79 (studied hard and prayed hard)
FAR 11/30/10 - 79 (studied hard and prayed hard) Thanks GOD! I'm DONE

[spqr105]

Correct, but doesn't Risk Assessment take place before Test of Controls take place as shown in the above steps? Or is that referring to a Preliminary Risk Assessment and the question is referring to a Final Risk Assessment determined after the Control Testing has taken place? I'm not understanding how one can assess the risk of material misstatement if they haven't performed tests of controls.

[suzzette1]

Yes . Risk assessment is done first and if the internal control is operating effectively then he can proceed to test of control which is A, B and D and then proceed to Substantive test which is answer C ( there is a reduction of substantive test if control is operating effectively). Please note that the question is asking for test of control and the odd out is C which is a substantive test. This is how tricky this question is!

BEC 2/8/10 - 75 (studied hard & prayed less)
REG 5/15/10 - 88 (studied less but prayed hard)
AUDITING 8/9/10 - 79 (studied hard and prayed hard)
FAR 11/30/10 - 79 (studied hard and prayed hard) Thanks GOD! I'm DONE

[Author]

Replies