[greeneyesCPA]

Becker Question –

In this Simulation, positive confirmations are sent out for Account Receivable balances. We are to review the confirmation responses and then select an appropriate auditing response. One of the choices was “Assess control risk at a high level and send out additional confirmation requests”. Would an auditor ever reasses the control risk while he/she is collecting audit evidence? When is it appropriate to reasses control risk?

FAR Passed
BEC Passed
AUD Passed
REG Passed

[jenuno01]

Hi, since nobody has responded, I will take a stab at it…

First of all, the reason you've increased you control risk (CR) is because you perceive the company's controls as being too risky, you have determined this after doing Test of Controls. That being said, by increasing CR your Detection Risk (DR) needs to go down…how do you accomplish this? By applying more effective testing (i.e positive confirmations). Here is what the auditor has to do: 1) Understand I/C, 2nd-Identify types of potential Mistatements, 3rd-Do test of controls!, 4th-Assess CR, 5th-Determine RMM. 6th-determine NET of SUB testing!–>Might decide not to do TOC & only SUB.

So, the SIM you are working is reffering to the point in the audit where the auditor has already determined that CR will be high, therefore, they have to compensate with more Substantive testing (again, because the company's controls have been perceived as being ineffective).

Hope this helps! Below is an excerpt from my notes… sorry for all the abbreviations:

-Regardless of the level of CR, an auditor would still perform some SUBS tests to restrict the DR for significant trx classes – you can NEVER eliminate SUBS testing!

*Inherent Risk= assuming there are no controls, what is the likelihood of a FS assertion to be materially misstated

– Cannot be changed by the auditor bc it is based on the nature of the related assertion

*Detection Risk= Decreasing it means CR is increased, you should do more substantive testing and 1) change nature of subs test to more effective procedures; 2) Change timing of tests from Interim to YE; OR 3) change the extent of subs tests, such as using a larger sample size

-The DR is inversely related to the level of assurance provided by subs tests – if DR is down, you'll need to do more reliable subs testing to justify the decrease

*Analytical procedure=Test account balances

Internal Control

*You MUST have an understanding of I/C relevant to an entity's financial reporting objective!

*Document key elements of the understanding of the entity & its environment, including each of the 5 components of I/C

*Observation/Inspection is the most reliable method

*The ultimate purpose in assessing CR>> to contribute to the auditor's evaluation of the risk that MM exist in the FS!!

*LOGIC: TOC helps the auditor assess CR and determine the RMM

– Use the knowledge provided by the understanding of I/C and the RMM to determine the NET of SUB tests

-1st- Understand I/C, 2nd-Identify types of potential Mistatements, 3rd-TOC!, 4th-Assess CR, 5th-Determine RMM. 6th-determine NET of SUB testing!–>Might decide not to do TOC & only SUB

*The operating efficiency of I/C is not important to an auditor; the auditor is only concerned w/ operating effectiveness. You are NOT required to assess operating effectiveness during planning

*I/C is relevant to the entire entity, or to any its operating units or business functions

*Establishing Budgets and forecasts is a good way for mgmt to supervise

*Firm's Control Environment: overall attitude and awareness of BoD about I/C

*The ultimate purpose of assessing CR is to contribute to evaluate of Risk that MM exist in FS (RMM!)

*When understanding I/C= Concentrate on substance over form, bc mgmt may establish good I/C but mya not enforce compliance

*Proper SODs prevent an employee from recording and concealing fraud

*Primary I/C planning objectives: 1) Identify types of MM; 2) consider factors of RMM; 3) design effective sub tests

*The Control Environment element= relates to the tone of the firm, which includes HR P&P

Info & Communication: identification, capture, and exchange of info, Monitoring: assess the quality of I/C over time,

*Focus on I/C that provide assurance about processing and summarizing financial data

*An entity's objectives: 1) Reliable financial reporting; 2) Effective and efficient operations

*Inherent limitations=collusion, human error, and mgmt override

Class of 2012

[Anonymous]

I have a question about this. In Becker, when assessing RMM, it gives the mnemonic IM A CPA.

Internal control, entity, and environment – obtain an understanding

Material misstatement – assess the risk

Assessed level of risk response

Control Testing

Perform substantive testing

Audit Evidence

If RMM is made up of Inherent Risk and Control Risk, how can that come before control testing? The timing is what is confusing me. So do you assess RMM first and then only test the controls that you plan to rely on? If that's the case, you're first assuming that they work OK in your assessment of RMM? Sorry if I'm confusing everyone, please let me know if you need some more clarification.

[jenuno01]

@Entourage – Yep. “-1st- Understand I/C, 2nd-Identify types of potential Mistatements, 3rd-TOC!, 4th-Assess CR, 5th-Determine RMM. 6th-determine NET of SUB testing!–>Might decide not to do TOC & only SUB” <– From my post above.

If after understanding the client's I/C, you decide NOT to rely on them, you can stop there and go directly to Substantive testing. You may decide not to do test of controls; however, you can NEVER skip Substantive testing. Does this help?

Class of 2012

[Anonymous]

It does make things a bit clearer. With Becker's mnemonic though, assessing RMM comes before CR as referenced by IM A CPA. How does that factor in?

[jenuno01]

In the mnemonic IM A CPA, are you sure that the ‘M' means to determine the RMM? According to my notes, the 2nd component is to Identify Potential types of Mistatements (i.e. brainstorm what could go wrong).

Class of 2012

[KassiusKlay]

@jenuno01

1. Obtain understanding of entity and environment, including IC

2. assess the RMM, identify types of potential misstatements

3. respond to assessed level of risk by designing further audit procedures based on this assessment.

4. test internal controls to evaluate their operating effectiveness

5. perform sub procedures

6. evaluate sufficiency and appropriateness of audit evidence obtained.

So basically IMACPA is 1-6.. I being Internal control, M being Material misstatement-assess risk, A being assessed level of risk, C being control testing, P being Perform Sub tests, and A being Audit evidence, evaluate. I think you have it correct that the second component is to ID potential types of misstatements. I think Becker words it differently/awkwardly in hopes of getting a fancy mnemonic. haha

Form is temporary, class is permanent.

Audit 4/19/12 - 77
BEC 5/31/12 - 75
FAR 8/30/12

[Anonymous]

Ah ok I think I understand it. Please correct me if I'm wrong. When you get a understanding of internal control, you assess the inherent risk AND the control risk based on the design of the control. This allows you to assess the RMM. After this, you test the operating effectiveness of the controls if necessary and then based on the result of this test, update substantive testing as necessary. So this means control risk in the context of RMM has to do with design and NOTHING to do with operating effectiveness. Only if you rely on the controls while looking at control risk do you actually test the operating effectiveness AFTER you assess RMM. Phew, confusing, but let me know if that's correct.

[KassiusKlay]

So when if you assess RMM you then have to respond to it. This response is your NET of further audit procedures. Higher assessed RMM the more reliable and relevant audit evidence you need (direct relationship between RMM and audit evidence), higher the assessed RMM the greater the extent of audit procedures (quantity, sample), and higher the assessed RMM the closer to period end sub procedures should be performed. You always HAVE to do sub test but depending on your initial assessed RMM you either do them at the end (Strong IC, low risk level, perform test of controls as well) or you have weak IC, high risk level, you perform NO test of controls in which case you rely heavily on sub procedures. Sorry if this sounds like Becker regurgitated but I've been trying to memorize this darn book for awhile. Typed this of the top of my head and i know some one will catch an error : (

Form is temporary, class is permanent.

Audit 4/19/12 - 77
BEC 5/31/12 - 75
FAR 8/30/12

[Anonymous]

jenuno01, you seem to be very knowledgeable about this. Do you mind verifying what I said so I can get it straight in my head before my test on Thursday? Thank you very much.

[jenuno01]

Sure.

You are on the right track. Inherent risk will exist no matter what, even with the strongest controls, you'll still have this risk. Control risk on the other hand, gets a little tricky.

“This allows you to assess the RMM. After this, you test the operating effectiveness of the controls if necessary and then based on the result of this test, update substantive testing as necessary” <— Depends, if you decide you are going to place reliance on the existing controls THEN you test controls…. Why would you not rely on the client's controls? You might test a few controls on the surfice and determine that the client's controls are not good at mitigating risk, Conversations with the previous auditor indicates the client's controls are too risky, very obvious weak controls, etc. So after you decide you're not relying on the client's controls, THEN you set the CR at a maximum level…and you compensate by doing extensive SUB testing.

“So this means control risk in the context of RMM has to do with design and NOTHING to do with operating effectiveness. Only if you rely on the controls while looking at control risk do you actually test the operating effectiveness AFTER you assess RMM” <—-Correct!

Class of 2012

[Anonymous]

Alright thank you very much!

[Author]

Replies