[Manuelo]

I just wanna know the basic process of assessing control risk during the financial statement audit.

1. Understand the internal controls (design + implementation) and document them using flowcharts, I/C questionnaires, narratives, etc.

2. Evaluate the operating effectiveness of the controls by performing test of controls

3. Assess control risk (quantitative or qualitatively)

Is this right?

[LoveEventing]

No, you do not test controls to evaluate control risk. It's the other way around.

1. Gain an understanding of system of internal control.

2. Document understanding of internal control with flowcharts, narratives, etc.

3. THEN ASSESS control risk TO DETERMINE the nature, timing and extent of further audit procedures (including both tests of controls and substantive testing).

Remember the formula Audit Risk = Inherent Risk X Control Risk X Detection Risk.

Detection risk is the only risk an auditor has any control over. Inherent Risk and Control Risk are simply evaluated. Then, the nature, timing, and extent of audit procedures will either raise or lower detection risk in order to bring audit risk to an appropriate level.

Remember, only public (SEC registrant) companies require testing of internal controls. We need to gain an understanding on whether controls are IMPLEMENTED for every company, and then determine whether we want to rely on controls. If relying on controls to reduce substantive testing (tests of details), you need to test the operating EFFECTIVENESS of those controls (tests of controls). Otherwise, you may simply gain an understanding of the DESIGN of internal controls and increase your substantive testing to an appropriate level.

Sorry for the caps, but I am hoping the emphasis adds clarity as these are very important terms to differentiate on the AUD section of the CPA exam. Hope this helps!

BEC - 68, 76
AUD - 90, 91
FAR - 63, 83
REG - 55, 79

FINALLY DONE!

[LoveEventing]

Another note. If you decide to rely on controls and, therefore, test controls (remember, you have no choice on whether to test controls for SEC registrants), and the results of your tests of controls indicates that the control fails… your control risk must be reassessed as high risk, and you STILL end up having to increase your substantive testing. Because you have essentially proven through tests of controls that you cannot actually rely on the controls to reduce your substantive testing. Therefore, you just wasted your time and should have never tested controls in the first place.

BEC - 68, 76
AUD - 90, 91
FAR - 63, 83
REG - 55, 79

FINALLY DONE!

[Manuelo]

Thank you, Love everything. That was quite detailed, I'm pretty sure I understood most, but still, let me just summarize what you said to see if I've understood clearly:

1. Understand the design and implementation of I/C (inspect, reperform, observe, etc)

2. Document the understanding of the controls using flowcharts, narratives, questionnaires, etc.

3. Based on the above two points, assess control risk (qualitative or quantitative).

4. Then determine the NET of futher audit procedures (test of controls + substantive procedure) based on the assessed control risk

The effectiveness of I/C is evaluated ONLY if the controls reduces substantive testing (assuming the auditor relies on the controls). If the auditor relies on the design only, then increase the substantive testing.

[LoveEventing]

Yep! Sounds right, with one clarification. The determination of the NET of further audit procedures is actually based on the assessed risk of material misstatement, which includes both control risk and inherent risk. I will edit my first post to clarify as well.

Well… guess I can't edit that post anymore so this one will have to do!

BEC - 68, 76
AUD - 90, 91
FAR - 63, 83
REG - 55, 79

FINALLY DONE!

[Manuelo]

Thanks a lot!

[Author]

Replies