[Troutman85]

Hi all,

I’m a little confused on setting control risk and am trying to work through it. My understanding is this:

When setting control risk, we use our understanding of the design of controls and test to see if they are implemented correctly. When testing for our assessment of controls, we can use procedures such as walk-through, inquiry, observation, and inspection.

If, based on our assessment of controls, we believe controls are strong we can then test for the effectiveness of controls. These tests can be performed using inquiry, re-performance, observation, and inspection. The results of control testing will affect the nature, extent, and timing of substantive procedures. Likewise, if controls are initially assessed as weak, we jump right to substantive testing.

So, assuming my thinking is correct, is there any real difference in procedures performed for assessing control risk and then testing controls effectiveness?

Thanks in advance for any responses!

[Anonymous]

I'm studying this section too, so I'm by no means an expert.

I think there are two things. The obtaining an understanding of the design and implementation of controls is not the same as assessing CR.

First you understand the design and implementation and then decide if you want to assess CR below maximum. If you want to assess CR below maximum then you have to do test of controls. So basically in order to assess CR you have to have done test of controls. So i don't think there is any difference between assessing CR and testing the effectiveness of CR.

So based on our understanding of the design and implementation of controls, we would like to assess CR below maximum. In order to assess the CR we have to use test of controls.

I think that is right……

[Jennifer241]

Yes. The procedures for gaining and understanding of IC and testing IC are completely different types of procedures.

Gaining an understanding of their controls – discussions with client (inquiry), watch a fake walk-through of accounts payable process (walk-through) reading of their internal control policy manual (inspection), watch bank reconciliation process (observance)

Testing internal controls – Once you know who does what, inquire to the A/P if they have been asked to do anything that they were not comfortable with or they felt was not appropriate (inquiry), Perform a walk-through of an actual invoice from the time it came into the mail, to the time a check goes out to the vendor (Walk-through), review the invoices of a sample of expenditures that were paid throughout the year and vouche that the date, amount, payee are correct in the bank account to the ledger; also review that invoices were properly signed off my the check signor (inspection). Observe the year end inventory count. (Observance)

Does this answer your question?

AUD - Jan 9,13 Pass
REG - Aug 30,13 Pass
BEC - Oct 26,13 Pass
FAR - Dec 4,13 Pass

Licensed CPA in the state of Oregon

[Zaq]

Gain understanding.

Assess CR.

CR low? Cool. Test controls.

CR high? Lame. Do more substantive testing; little to no test of controls.

Lots of IT and automated computer controls? Test controls regardless of CR assessment.

FAR: 50, 76!
REG: 74... (ouch baby, very ouch), 76!
AUD: 65, 91!?
BEC: 80! Aaaand doneskies!

May 2012 to August 2013. Can't believe it's over.

[Troutman85]

Thank you all for the responses, that does help.

So, once we understand the design of controls we have procedures(walk-through, inquiries,observation, and inspection) to see if the controls are implemented correctly and use our findings as our assessment of controls.

If controls are strong then we assess control risk as low and perform control testing.

If controls are weak we assess control risk as high and perform substantive testing,

[Jennifer241]

HiYA!!!! Perfecto!

AUD - Jan 9,13 Pass
REG - Aug 30,13 Pass
BEC - Oct 26,13 Pass
FAR - Dec 4,13 Pass

Licensed CPA in the state of Oregon

[Troutman85]

Thanks!

[Author]

Replies