Evaluation of Internal Control – how to measure control risk

  • #177603
    Manuelo
    Member

    Can someone tell me if I’m right about how the internal control area is tackled in a financial statement audit.

    First, the auditor obtains an understanding of the internal control by evaluating the design and implementation of the controls. This is done by determining whether the controls are capable of detecting material misstatements, and by observing controls, inspecting documents, making inquiries of entity personnel, performing walkthroughs (Inquiry + additional procedure).

    Second, after evaluating the design and implementation of the controls, the auditor assesses their effectiveness. Test of controls is used. By doing this, the auditor can measure control risk.

    These are all performed in the planning stages of the audit.

Viewing 4 replies - 1 through 4 (of 4 total)
  • #413833
    Anonymous
    Inactive

    I don't think tests of controls have to be done in the planning stage. They are usually done while you're doing substantive tests of transactions, but you could technically do them during planning while gaining an understanding since it can be efficient to do so.

    Also, you don't necessarily have to assess internal control effectiveness if you're not going to rely on the control and just do substantive testing.

    #413834
    jpat1980
    Member

    To gain an understanding of the controls, the auditor will: IRON

    Inquire

    Re-performance

    Observe

    iNspect

    The auditor will not test controls to determine the control risk.

    After assessing Control Risk, the auditor will perform Test of Details to determine if the controls are operating effectively. From this assessment, the auditor may modify the NET.

    If the controls are not operating effectively, the auditor will perform More Substantive tests.

    AUD-68,74,88
    REG-81
    BEC-75
    FAR-71,79
    (Primary: Becker | Supplemental: Wiley MCQ's, Ninja Notes)

    CFP - passed(3/2013)
    (KIER, College for Financial Planning-cffp.edu, Jeff Rattiner Books and Notes)

    #413835
    Anonymous
    Inactive

    jpat1980,

    “the auditor will perform Test of Details to determine if the controls are operating effectively.”

    I think test of control is to determine whether the controls are operating effectively. I think terms here under substantive procedures break down into test of details and substantive analytical procedures. If test of controls indicates that internal controls are operating effectively, then substantive analytical procedures are sufficient to reduce detection risk, but if test of controls indicates that IC are not operating effectively or not performed, then auditors need to perform test of details only.

    #413836
    LoveEventing
    Member

    A couple of things we have wrong here to note…

    – Tests of controls do not assess or measure control risk. Tests of controls only determine the operating effectiveness of controls AFTER control risk is assessed. Testing the operating effectiveness of controls is not required for a non-SEC company. Only gaining an understanding of the design and implementation of controls is required for ALL companies.

    – “Tests of details” do not assess control operating effectiveness. Tests of details are substantive tests. Tests of controls are tests of controls.

    Hopefully my response to another thread will help you understand this concept…

    “I'm going to start at the beginning to try and explain this as it looks like there is a lot of confusion in this area. Here are the basic steps in determining the audit plan based on the internal control system:

    1. Obtain an understanding of whether internal controls are IMPLEMENTED.

    2. Document understanding of internal controls.

    3. Assess the risk of material misstatement (RMM) and plan further audit procedures (including tests of controls AND substantive testing).

    Ok, so you're at step 3 and trying to assess RMM. You were right in that RMM = IR x CR from the audit risk formula (AR = IR x CR x DR). The RMM consisting of inherent risk and control risk cannot be controlled by the auditor. That is NOT to say it can't change based on changes in the BUSINESS. It just means that the auditor can only ASSESS the risk as it stands in the business based on the design of internal controls. Hence, why it is referred to as “business risk.”

    Now, the only risk that the auditor CAN control is detection risk (DR) by either increasing or decreasing the nature, timing and extent of audit procedures. If your RMM is HIGH, you must bring detection risk to a LOW level in order to keep audit risk LOW (plug in numbers to the audit risk formula to see the effect). In order to bring DR to a LOW level, you must INCREASE your testing by changing the nature, timing and extent of audit procedures. You have a few options here. Nature of testing means you may change HOW you test a particular item. Timing means you change WHEN you test (generally, testing closer to year-end provides more assurance). Extent means HOW MUCH testing you actually do (increasing sample size will provide more assurance). So, to your question on when to perform year-end vs. interim testing… if you've decided you can tolerate a HIGH detection risk (because RMM is low), you can perform interim testing and just roll forward at year-end. If you can't tolerate a high detection risk because the controls at the company suck, then you better test at year-end to make sure you have the most accurate testing as of the date of the balance sheet.

    Ok so now you have assessed your audit risk (AR = IR x CR x DR) to a tolerable level. Your initial control risk assessment indicates that controls seem to be pretty good at the company, so we want to rely on them in order to reduce our testing (control risk is LOW, detection risk is HIGH). Now you have to test controls. If the results of your tests of controls say that the controls looked good, but are actually CRAP, then now you have to reassess control risk as HIGH and detection risk at LOW. Meaning, now you have to perform additional substantive tests to keep audit risk at a tolerable level. So, in essence, you've wasted your time and should have never tested controls in the first place.

    Keep in mind that you don't have an option of whether to test controls for an SEC registrant (public company) due to SOX rules.

    Hope this helps!”

    BEC - 68, 76
    AUD - 90, 91
    FAR - 63, 83
    REG - 55, 79

    FINALLY DONE!
