Chapter 12: Assessing Control Risk and Reporting on Internal Controls
*Obtain and Document Understand of Internal Control* Auditors need to understand controls that are relevant to ____ in order to ____ and _____the risks of material misstatements
Auditors need to understand controls that are relevant to *financial statements audits* in order to *identify* and *assess* the risks of material misstatements
Auditors insert an audit module into the client's application system to identify specific types of transactions.
Embedded Audit Module Approach-
What is used to asses control risk for each related audit objective?
The control matrix
What is used to associate control deficiencies with related audit objectives?
The control matrix
*Auditing in More Complex IT Environments-* When traditional source documents and accounting records *exist only electronically*, the auditors must change their approach by auditing through the ________.
computer
*Auditing in More Complex IT Environments* Auditors commonly do parallel simulation testing using ______.
generalized audit software (GAS).
*Internal control over financial reporting*- Controls that must be tested in an audit of ______
internal-controls
*2. Extent of Internal Controls-* may be ______ _____, e.g. adequate separation of duties is difficult in smaller companies
less extensive
If the auditor wants a lower control risk, __1__ __1___ tests of controls are applied, both in number and extent of tests.
more extensive
*Extent of Procedures*- depends on ________ _____ control risk
preliminary assessed
*Auditing standards define three levels of the absence of internal controls*: The design or implementation of internal controls does not permit company personnel to prevent or detect misstatement.
1. Control Deficiency-
*Procedures for Tests of Controls*- The auditor uses four types of procedures to test controls: 1. Make inquiries of appropriate _____ _______ 2. Examine ______, ______, and ____. 3. Observe ___-_____ activities. 4. _________ client procedures.
1. Make inquiries of appropriate client personnel. 2. Examine documents, records, and reports. 3. Observe control-related activities. 4. Reperform client procedures.
*Four steps in the process of understanding controls* 1. Obtain and document _______ 2. Assess _______ 3. ____,_______, and _____ tests of controls. 4. Decide______and____
1. Obtain and document understanding of internal control. 2. Assess control risk. 3. Design, perform, and evaluate tests of controls. 4. Decide planned detection risk and substantive tests.
*Relationship Between Tests of Controls and Procedures to Obtain an Understanding* *two primary differences:* 1. In obtaining an understanding of internal control, the procedures are applied to ___1____ during that phase. Tests of controls are applied only when the __2__ has not been satisfied.
1. all controls identified 2. assessed control risk
*Auditing in More Complex IT Environments* *Test Data Approach have three main considerations* • 1. Test data should include __________ that the auditor wants tested. • 2. Applications programs tested by auditor's test data must be _____ as those the client used throughout the year. • 3.Test data must be _______ from the client's records,
1. all relevant conditions 2. the same 3. eliminated
*DECIDE PLANNED DETECTION RISK AND DESIGN SUBSTANTIVE TESTS* The auditor links the __1__ assessment to the __2__ objectives for the accounts affected by the major transaction types and to the four presentation and disclosure audit objectives.
1. control risk 2, balance-related audit
The auditor uses the __1__ assessment and results of __2__ to determine *planned detection risk* and related *substantive tests* for the audit.
1. control risk 2. tests of controls
In addition to understanding the design of the internal controls, the auditor must also evaluate whether the __1__ controls are __2__.
1. designed 2. implemented
*Purpose of Tests of Controls* to test the __1__ of controls in support of a __2__ control risk for the audit.
1. effectiveness 2. reduced
*4. Assessing Control Risk-* the auditor will assess control risk at maximum when controls are __1__ or __2__ for any audit objectives
1. ineffective 2. nonexistent
Auditors must evaluate whether __1____ are _2___ in the design of internal control over financial reporting
1. key controls 2. absent
*Type of Opinions on Internal Control* *Unqualified Opinion*- The auditor will issue an unqualified opinion on internal control over financial reporting when two conditions are met: There are no identified __1____ as of the end of the fiscal year. There have been no __2__ of the auditor's work.
1. material weaknesses 2. restriction on the scope
*Communication to Those Charged with Governance and Management Letters* • Management letters are __1__ by auditing standards, but auditors usually provide them when less __2__ issues exist.
1. not required 2. significant internal control-related
The auditor makes a __1___ assessment of control risk based on __2__ control risks as well as __3__ general controls.
1. preliminary 2. entity-level 3. IT
*Communication to Those Charged with Governance and Management Letters* The auditor must communicate __1__ and __2__ in __3__to those charged with governance __4__ the auditor becomes aware of their existence.
1. significant deficiencies 2. material weaknesses 3. writing 4. as soon as
*Relationship Between Tests of Controls and Procedures to Obtain an Understanding* There is significant overlap between __1__ and procedures to __2__
1. tests of controls 2. obtain an understanding.
*Reliance on Service Center Auditors-* It has become increasingly common for service centers to engage their own CPA firm to obtain ___1___ __1___ necessary for an audit and issue a report to be used by the auditors of __2__ _2__ .
1. the understanding 2. their customers
*Relationship Between Tests of Controls and Procedures to Obtain an Understanding* *two primary differences:* 2. Procedures to obtain an understanding are performed on __1__ or a __2__ transactions. Tests of controls are performed on __3__ samples and often at __4__ than one point in time.
1.only one 2. few 3. larger 4. more
*Auditing standards define three levels of the absence of internal controls*: A deficiency that is less severe than a material weakness, but important enough to merit attention.
2. Significant Deficiency-
*Auditing standards define three levels of the absence of internal controls*: Exists if a significant deficiency, or combination of significant deficiencies, result in a reasonable possibility that internal control will not prevent or detect material financial statement misstatement.
3. Material Weakness-
*Identify Deficiencies, Significant Deficiencies, and Material Weaknesses*- involves the following process: 1. Identify ________ _____ 2. Identify the absence of ___ ___ 3. Consider the possibility of _______ ______ 4. Decide whether there is a _____ ______or ____ ______. 5. Determine _______ ____ that could result.
Identify Deficiencies, Significant Deficiencies, and Material Weaknesses- involves the following process: 1. Identify existing controls. 2. Identify the absence of key controls. 3. Consider the possibility of compensating controls. 4. Decide whether there is a significant deficiency or material weakness. 5. Determine potential misstatements that could result.
*Obtain and Document Understanding of Internal Control* asks a series of questions about the controls in each audit area as a means of identifying internal control deficiencies.
Internal Control Questionaire-
*Auditing in More Complex IT Environments* Auditor often use *auditor-controlled* software to do the *same* operations that the client's software does, using the same data files. The purpose is to determine the *effectiveness of automated controls* and to obtain evidence about *electronic account balances*.
Parallel Simulation-
*Internal controls used to assess control risk below maximum*- Controls that must be tested in an audit of _____
financial statements
*The differences for smaller companies that are not subject to Section 404 (b):* *1. Reporting-* _____ for a report on internal control.
no requirement
*5. Extent of Test of Controls Needed-* the auditor will ____ tests of controls when control risk is assessed at maximum
not perform
*Type of Opinions on Internal Control* • *Adverse Opinion-* The auditor will express an adverse opinion on the effectiveness of internal control over financial reporting when _____ exist.
one or more material weaknesses
*Understanding Internal Controls on Outsourced Systems* When clients use service centers for______ ____, the auditor may need to obtain an understanding of the controls of the service center
processing transactions
*Type of Opinions on Internal Control* • *Qualified or Disclaimer of Opinion-* A ______ requires the auditor to express a qualified or disclaimer of opinion.
scope limitation
*3. Extent of Understanding Needed-* _______ to assess risk for the audit
sufficient
*Obtain and Document Understanding of Internal Control* • ___0____- Written description of client's internal controls including: 1. The ______ of every document and record in the system 2. All _______ that takes place 3. The _______ of every document and record in the system 4. An _____ of the controls relevant to the ______ of control risk
• *Narrative*- Written description of client's internal controls including: 1. The origin of every document and record in the system 2. All processing that takes place 3. The disposition of every document and record in the system 4. An indication of the controls relevant to the assessment of control risk
*Obtain and Document Understanding of Internal Control* A diagram of the client's documents flow in the organization.
• Flowchart-
The *extent of tests of controls is also dependent on the following*: • Reliance on evidence from ______. • Testing of controls related to _______ • Testing less than the _____
• Reliance on evidence from the prior year's audit. • Testing of controls related to significant risks • Testing less than the entire audit period
*Auditing in More Complex IT Environments* auditors process their own test data using the clients computer system and application program to determine whether the automated controls correctly process the test data
• Test Data Approach
Auditor use the following methods to *evaluate implementation* •Update and evaluate auditor's ___________ • Make inquiries of _______ • Examine________ and ______ • Observe entity ______ and ____ • Perform walkthroughs of ________
• Update and evaluate auditor's previous experience with the entity • Make inquiries of client personnel. • Examine documents and records • Observe entity activities and operations • Perform walkthroughs of the accounting system
*Components of the Control Risk Matrix* include •Identify audit _______. •Identify ______ controls. •Associate controls with _______ ___ _____
•Identify audit objectives. •Identify existing controls. •Associate controls with related audit objectives