A couple of things we have wrong here to note…
– Tests of controls do not assess or measure control risk. Tests of controls only determine the operating effectiveness of controls AFTER control risk is assessed. Testing the operating effectiveness of controls is not required for a non-SEC company. Only gaining an understanding of the design and implementation of controls is required for ALL companies.
– “Tests of details” do not assess control operating effectiveness. Tests of details are substantive tests. Test of controls are tests of controls.
Hopefully my response to another thread will help you understand this concept…
“I'm going to start at the beginning to try and explain this as it looks like there is a lot of confusion in this area. Here is the basic steps in determining the audit plan based on the internal control system:
1. Obtain an understanding of whether internal controls are IMPLEMENTED.
2. Document understanding of internal controls.
3. Assess the risk of material misstatement (RMM) and plan further audit procedures (including tests of controls AND substantive testing).
Ok, so you're at step 3 and trying to assess RMM. You were right in that RMM = IR x CR from the audit risk formula (AR = IR x CR x DR). The RMM consisting of inherent risk and control risk cannot be controlled by the auditor. That is NOT to say it can't change based on changes in the BUSINESS. It just means that the auditor can only ASSESS the risk as it stands in the business based on the design of internal controls. Hence, why it is referred to as “business risk.”
Now, the only risk that the auditor CAN control is detection risk (DR) by either increasing or decreasing the nature, timing and extent of audit procedures. If your RMM is HIGH, you must bring detection risk to a LOW level in order to keep audit risk LOW (plug in numbers to the audit risk formula to see the effect). In order to bring DR to a LOW level, you must INCREASE your testing by changing the nature, timing and extent of audit procedures. You have a few options here. Nature of testing means you may change HOW you test a particular item. Timing means you change WHEN you test (generally, testing closer to year-end provides more assurance). Extent means HOW MUCH testing you actually do (increasing sample size will provide more assurance). So, to your question on when to perform year-end vs. interim testing… if you've decided you can tolerate a HIGH detection risk (because RMM is low), you can perform interim testing and just roll forward at year-end. If you can't tolerate a high detection risk because the controls at the company suck, then you better test at year-end to make sure you have the most accurate testing as of the date of the balance sheet.
Ok so now you have assessed your audit risk (AR = IR x CR x DR) to a tolerable level. Your initial control risk assessment indicates that controls seem to be pretty good at the company, so we want to rely on them in order to reduce our testing (control risk is LOW, detection risk is HIGH). Now you have to test controls. If the results of your tests of controls say that the controls looked good, but are actually CRAP, then now you have to reassess control risk as HIGH and detection risk at LOW. Meaning, now you have to perform additional substantive tests to keep audit risk at a tolerable level. So, in essence, you've wasted your time and should have never tested controls in the first place.
Keep in mind that you don't have an option of whether to test controls for an SEC registrant (public company) due to SOX rules.
Hope this helps!”
BEC - 68, 76
AUD - 90, 91
FAR - 63, 83
REG - 55, 79
FINALLY DONE!