Chapter 9 - Control Risk Assessment

38 Terms

1
Why is it important for auditors to understand and evaluate internal controls?

For financial statement audits, auditors need to understand controls that are relevant to the audit to identify and assess the risks of material misstatements

2
Risk assessment Procedures - Goal for the auditor

  1. Obtain an understanding of internal control

  2. Evaluate the components of the system of internal control

3
risk assessment procedures

  • Inspection 

  • Inquiry of entity personnel 

  • Observation 

  • Reperformance

4
The types of risk assessment procedures auditors perform, and the information they gather to understand and evaluate the system of control are

  • Update and evaluate the auditor’s previous experience with the entity 

  • Make inquiries of client personnel 

  • Examine documents and records

  • Observe the entity’s activities and operations 

  • Perform walk-throughs of the information system

  • Understand IT general controls

5
Walk through

the tracing of selected transactions through the accounting system

6
Three ways the understanding of internal controls is documented?

Narrative, flow chart and internal control questionnaire

7
Narrative

A written description of a client's internal controls, including the origin, processing, and disposition of documents and records and the relevant control activities

8
Flow chart

A diagrammatic representation of the client’s documents and records and the sequence in which they are processed

9
Internal control questionnaire

A series of questions about the controls in each audit area, used as a means of gaining an understanding of the internal control

10
Evaluate the design of the controls (whether the controls are capable of effectively preventing or detecting and correcting material misstatement)

Evaluate System of Internal Control steps

11
Determine if the controls have been implemented (i.e., the control exists and the company is using it)

Evaluate System of Internal Control steps

12
Evaluate the competence of the people carrying out the controls

Evaluate System of Internal Control steps

13
Evaluate the adequacy of information technology (e.g., does it capture relevant information such as an electronic signature for approval, and does it provide relevant information?)

Evaluate System of Internal Control steps

14
Auditors perform risk assessment procedures and document the system of internal control to?

evaluate the strengths and weaknesses of the system

15
three levels of the absence of internal controls

Control Deficiency

Significant Deficiency

Material Weakness

16
control deficiency

exists if the design or operation of controls does not detect and correct misstatements in a timely manner.

17
significant deficiency

exists if one or more control deficiencies exist that are of sufficient importance to merit attention by those in governance.

18
Material weakness

exists if a significant deficiency results in a reasonable possibility that internal control will not prevent or detect material financial misstatements on a timely basis.

19
compensating (or mitigating) control

is a control elsewhere in the system that offsets a weakness. Note that any control can be a compensating control.

20
What happens when a compensating control exists

the weakness is no longer a concern because the potential for misstatement has been sufficiently reduced.

21
Things auditors need to understand the effectiveness of the client’s control system to adjust detection risk appropriately

  • Evaluate the control environment, risk assessment and monitoring process 

  • Evaluate the information system 

  • Evaluate control activities

  • Consider whether the controls of outsourced systems should be included in control activities 

  • Other considerations in evaluating control activities

22
How do auditors evaluate the effectiveness of controls in control activities at the assertion level

control risk matrix

23
Key controls

Controls that are expected to have the greatest impact on the risk of material misstatements in classes of transactions and relevant assertions

24
Assessment of control risk

A measure of the auditor’s expectation that internal controls will neither prevent material misstatements at the assertion level from occurring nor detect and correct them if they have occurred

25
Audit Approach

Auditors have choices when developing an appropriate audit approach to address the identified risks of material misstatements at the assertion level

26
Two types of audit approach

Perform substantive procedures only 

or

Perform a combined approach using both tests of controls and substantive procedures. 

27
Substantive approach

the audit approach used in which the auditor decides not to rely upon controls and collects audit evidence primarily through substantive tests

28
Combined (or controls-based) approach

the audit approach used in which the auditor decides to rely upon controls and collects audit evidence through a combination of control tests and substantive tests

29
Benefits of control tests

Performing tests of controls may be more cost efficient than performing substantive procedures in certain situations

30
In what circumstances do auditors need to rely upon internal controls

Highly automated systems

31
Decision process: substantive versus combined approach

32
Decision process

  • Understanding of Internal Control 

    • Evaluate Internal Control Design 

      • Is design effective 

        • NO (CR high) -> substantive audit approach 

      • Is it cost-effective to test the controls  

        • No, Substantive audit approach 

        • Yes, perform test of controls 

          • Yes, Evaluate test of controls 

            • Combined audit approach (controls + substantive) 

              • No (substantive audit approach) 

33
Tests of Controls

show whether the controls actually worked throughout the period and were effective in preventing, detecting and correcting misstatements

34
Types of audit procedures used to assess the effectiveness of controls

  • Make inquiries of appropriate entity personnel 

  • Inspect documents, records and reports

  • Observe control-related activities 

  • Reperform client procedures

    • Test data approach

35
Auditor Reporting on Internal Control

Auditors are required to communicate significant deficiencies and material weaknesses to management and those in charge of governance.

36
Internal control letter

description of the internal control deficiency and recommendation, sent to the audit committee

37
Management letter

auditor's observation of less significant internal control-related matters, and opportunities for the client to make operational improvements

38
WIR

Weakness, implication and recommendation