Chapter 12- Assessing Control Risk and Reporting on Internal Control

Process for Understanding Internal Control and Assessing Control Risk
Figure 12-1

Phase 1- Obtain and document an understanding of internal control: design and operation

Phase 2- Assess control risk

Phase 3- Design, perform, and evaluate tests of controls

Phase 4- Decide planned detection risk and substantive tests

Obtain and Document
 Understanding of Internal Control

lAuditing standards require auditors to obtain and document their understanding of internal control for every audit.

–Audit of financial statements

–Audit of internal control over financial reporting

Obtain and Document Understanding of Internal Control

The understanding involves gathering evidence about:

–Design of internal controls

–Implementation of internal controls

Obtain and Document Understanding of Internal Control

The auditor generally uses four types of evidence to obtain an understanding:

–Inquiry of entity personnel

–Observation of employees performing control processes

–Inspection of documents and records

–Reperformance by tracing one or a few transactions through the accounting system

Obtain and Document Understanding of Internal Control

lThe auditor generally uses three types of documents to obtain and document the understanding:

–Narratives

–Flowcharts

–Internal Control Questionnaires

Narrative

–Written description of a client’s internal controls

Flowchart

–Diagram of the client’s documents and their sequential flow in the organization

–Figure 14-3 (page 469) presents a flowchart of sales and cash receipts

Obtain and Document Understanding of Internal Control

Narratives and Flowcharts contain the

same basic information

–The origin of every document and record in the system.

–All processing that takes place.

–The disposition of every document and record in the system.

–An indication of the controls relevant to the assessment of control risk.

*Unusual to use both a flowchart and a narrative because they present the same information

Flowcharts have two advantages

–Easier to read

–Easier to update

Questionnaire

–Asks a series of questions about the controls in each area

–Most questionnaires require a “yes” or “no” response

–“No” indicates a potential control deficiency

–Figure 12-2 presents a questionnaire for sales

Questionnaire Disadvantages

–Do not provide overview of the system

–Do not apply to some audits (e.g., small companies)

Evaluating Internal Control Implementation

The understanding of the design and implementation of internal control are often done simultaneously

Common Methods of Evaluating Internal Control Implementation

–Update and evaluate auditor’s previous experience with the entity

–Make inquiries of client personnel

–Observe entity activities and operations

–Inspect documents and records

–Perform walkthroughs of the accounting system

Assess Control Risk

• The auditor obtains an understanding of the design and implementation of internal control to make a preliminary assessment of control risk

• The auditor makes the preliminary assessment for each transaction-related audit objective for each major type of transaction in each transaction cycle

Use of a Control Risk Matrix

Many auditors use a control risk matrix in the control risk assessment process

Figure 12-3 illustrates a control risk matrix for sales transactions

Preparation of the matrix consists of six steps

Step 1 in Assess of control risk

Identify Audit objectives

• Recall the seven transaction-related objectives:

–Occurrence

–Completeness

–Accuracy

–Posting and summarization

–Classification

–Timing

–Presentation

*See Figure 12-3: List these objectives at the top of the matrix

Step 2 in Assess of control risk

Use information acquired from obtaining and documenting the understanding of internal control

lUse the five control activities as reminders

–Separation of duties

–Proper authorization

–Adequate documents and records

–Independent checks on performance

–Physical control over assets and records

*Figure 12-3- –List the controls in the rows on the left side of the matrix

ldentify and include only “key controls”

–Controls that are expected to have the greatest effect on meeting the transaction related audit objectives

Step 3 in Assess of control risk

Associate Controls with Related Audit Objectives

• Enter a “C” in each cell where a control partially or fully satisfies an audit objective

See Figure 12-3

–Control: mailing statements to customers

–Related objectives: occurrence, accuracy, posting and summarization

Step 4 in Assess of control risk

Identify and Evaluate Absence of Controls

Evaluate whether key controls are absent

Three levels of absence of controls

–Control deficiency

–Significant deficiency

–Material weakness

: Identify and Evaluate  Absence of Controls (Figure 12-5)

In Step 4 Identify and Evaluate Absence of Controls, a material weakness exists if

a significant deficiency, by itself, or in combination with other significant deficiencies, results in a reasonable possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis

A significant deficiency exists if

one or more control deficiencies exist that is less severe than a material weakness, but important enough to merit attention by those responsible for oversight of the company’s financial reporting

A control deficiency exists if

the design or operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis (least severe)

Step 4: Identify and Evaluate Absence of Controls Steps

• Identify existing controls

• Identify the absence of key controls

• Consider the possibility of compensating controls (offsets the absence of a key control)

• Decide whether there is a significant deficiency or material weakness

• Determine potential misstatements

Step 5 in Assess of control risk

Associate Control Deficiencies with Related Audit Objectives

Enter a “D” in each cell where there is a significant deficiency or material weakness for an audit objective

See Figure 12-3

–Significant deficiency: There is a lack of internal verification for the possibility of sales invoices being recorded more than once

–Objective: Occurrence

lWhat is the likelihood that a material misstatement would not be prevented or detected by these controls?

Answer

–High, moderate, low (more often)

–1.0, .6, .2

Step 6 in Assess of control risk

Assess Control Risk

Enter answer in bottom row of matrix.

See Figure 12-3

–Occurrence: Medium

–Completeness: Low

–Accuracy: Low

–Posting and summarization: Low

–Classification: Low

–Timing: Medium

–Presentation: Lowc

Purpose of Tests of Control

lPurpose

–Test the effectiveness of controls in support of a reduced assessed control risk

If tests of controls indicate that controls are effective

–Reduced assessment = Preliminary assessment

lf tests of controls indicate that controls are not effective

–Reduced assessment must be reconsidered

Procedures for Tests of Control

Make inquiries of client personnel

Examine documents, records, and records

Observe control-related activities

Reperform client procedures

Extent of Procedures

Reliance on evidence from prior year’s audit

–Auditing standards require tests of controls’ effectiveness every third year

–Auditing standards require some tests each year to ensure rotation of controls

Testing of controls related to significant risks

Testing less than the entire period

–Some controls can be tested on an interim basis

–Other controls must be tested at year-end

Relationship of Assessed Control Risk and Extent of Procedures

Decide Planned Detection Risk and Design Substantive Tests

lThe auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests auditor links the control risk assessments to the balance-related audit objectives

Communications

Communication in writing to those charged with governance

–Significant deficiencies

–Material weaknesses

–Management letters

–Less important control issues

–Operational issues

Section 404- Sarbanes-OCley
 Reporting Requirements

lThe auditor is required to prepare an audit report on internal control over financial reporting for public companies subject to Sarbanes-Oxley Section 404

lThe auditor may issue separate or combined audit reports on the financial statements and on internal control over financial reporting

Types of Opinions

lUnqualified Opinion

–No material weaknesses as of year end

–No scope restrictions

*if one material, its an adverse opinion

Adverse Opinion (See Figure 12-7)

–Material weakness exists

Qualified or Disclaimer of Opinion

–Scope restriction

Internal Control for Nonpublic Companies

lReporting requirements

l

lExtent of required internal controls

lExtent of understanding needed

lAssessing control risk

Extent of tests of controls needed

Differences in Scope of Controls Tested

Internal controls over financial reporting

An internal control deficiency may be defined as a condition in which material misstatements would ordinarily not be timely detected by

1. (1)auditors in assisting control risk.

2. (2)the controller reconciling the general ledger.

3. (3)employees in normal course of assigned functions.

4. (4)the chief financial officer reviewing interim financial statements.

3

Which of the following is an example of an operation deficiency in internal control?

1. (1)The company does not have a code of conduct for employees to consider.

2. (2)The cashier has online ability to post write-offs to accounts receivable accounts.

3. (3)Clerks who conduct monthly reconciliation of intercompany accounts do not understand the nature of misstatements that could occur in those accounts.

4. Management does not have a process to identify and assess risks on a recurring basis.

3

A material weakness in internal control represents a control deficiency that

1. (1)more than remotely adversely affects a company’s ability to initiate, authorize, record, process, or report external financial statements reliably.

2. (2)results in a reasonable possibility that internal control will not prevent or detect material financial statement misstatements.

3. (3)exists because a necessary control is missing or not properly designed.

4. (4)reduces the efficiency and effectiveness of the entity’s operations.

2

On the basis of audit evidence gathered and evaluated, an auditor decides to increase assessed control risk from that originally planned. To achieve an audit risk level (AcAR) that is substantially the same as the planned audit risk level (AAR), the auditor will

1. (1)increase inherent risk.

2. (2)increase materiality levels.

3. (3)decrease substantive testing.

4. (4)decrease planned detection risk.

4

An auditor uses assessed control risk to

1. (1)evaluate the effectiveness of the entity’s internal controls.

2. (2)identify transactions and account balances where inherent risk is at the maximum.

3. (3)indicate whether materiality thresholds for planning and evaluation purposes are sufficiently high.

4. (4)determine the acceptable level of detection risk for financial statement assertions.

4

The ultimate purpose of assessing control risk is to contribute to the auditor’s evaluation of the

1. (1)factors that raise doubts about the auditability of the financial statements.

2. (2)operating effectiveness of internal control policies and procedures.

3. (3)risk that material misstatements exist in the financial statements.

4. (4)possibility that the nature and extent of substantive tests may be reduced.

3

During the planning stage of an audit, the auditor initially assessed both inherent risk and control risk at a high level. Further testing of the client’s internal controls led the auditor to reduce the assessment of control risk. Which of the following will most likely occur as a result?

1. (1)The auditor may reduce the assessment of inherent risk to match the control risk, since they were assessed at the same level during the initial planning.

2. (2)The auditor may decrease the allowed level of detection risk.

3. (3)The auditor may rely solely on analytical procedures, with no substantive procedures performed.

4. (4)The auditor may reduce the amount of substantive procedures performed.

4

When assessing control risk, an auditor is required to document the auditor’s: Understanding of the Entity’s Control Environment

Basis for the Auditor’s Risk Assessment

yes yes

• Jefferson, CPA, has identified five significant deficiencies in internal control during the audit of Portico Industries, a nonpublic company. Two of these conditions are considered to be material weaknesses. Which best describes Jefferson’s communication requirements?

• (1)Communicate the two material weaknesses to Portico’s management and those charged with governance, but not the three significant deficiencies that are not material weaknesses.

  • (2)Communicate all five significant deficiencies to Portico’s management and those charged with governance, distinguishing between material weaknesses and significant deficiencies.

  • (3)Communicate all five significant deficiencies to Portico’s management and those charged with governance, but only require a management response with respect to the two material weaknesses.

  • (4)Communicate all five significant deficiencies to Portico’s management and those charged with governance, without distinction among the deficiencies.

2