[Ralphie Dos Nachos]

Hey guys,

I’m studying for my audit retake and following ninja framework. Definitely seeing things a lot better this time but in becker, they say a risk assessment procedure is to obtain an understanding of the entity and its environment including internal control (meaning understanding the design and implementation of those controls)….next chapter it says tests of controls are used to test the operating effectiveness of the controls…Is that the same thing? because I thought when we obtain an understanding about the design and imp. as a risk assessment we do test procedures like walkthroughs (inquire, reperformance, inspection, observation) and thats essentially telling us if they are operating effectively and then we decide on whether to rely on them. Am i understanding this correctly?

[Mike J]

Look at it this way, you can't assess how well something works if you don't first have an understanding of how it is designed. You can't run if you can't crawl.

[Ren]

Hi Tiramisu,

You’re in the right direction. But to answer your question, they are not exactly the same. Understanding the entity is broader and pretty much covers a huge area of the planning phase of the audit. Assessing audit risk is of them. Im sure you already came across the formula IR x CR x DR = AR. In understanding the entity, you consider factors such as the entity’s industry, complexity of business model, number of accounts, etc. to come up with your Inherent risk assessment (IR). Through walkthroughs, you are able to “identify” the existing “Controls” to address “What Could Go Wrongs (WCGW)”. For example, WCGW: Unauthorized cash disbursement. Control: The AP accountant forwards the invoice voucher to Accounting Manager for approval. There will be a series of WCGW and Controls that you’ll be able to identify.

Test of controls – now that you identify all the controls the entity have, it’s time to actually “test” them. Depending on your assessment, you will select number of sample transactions to see if the controls identified is really being followed. In our example, you will check if all your sample invoices have Accounting Manager signature. When exceptions are noted, you have to inquire to the management why a certain invoice does not have a signature. Depending on the result of the test of controls, you’ll be able to assess you should “rely” or “not rely” on the controls.

Relying or not relying to the entity’s control plays a part in determining the nature, timing and extent of the substantive or analytical procedures the auditor will perform. I hope this helps.

[Mike J]

Yes. Ren's answer is better.

Also, I didn't mean that OP was a baby. I just meant that analogy for the Int Ctrls. You need a starting point and follow steps. Hope that was clear.

[Author]

Replies