Solution Manual for Auditing: The Art and Science of

Assurance Engagements, Fourteenth Canadian

Edition Plus MyLab Accounting with Pearson eText
— Package, 14th Edition

To download the complete and accurate content document, go to:

https://testbankbell.com/download/solution-manual-for-auditing-the-art-and-science-of
-assurance-engagements-fourteenth-canadian-edition-plus-mylab-accounting-with-pe
arson-etext-package-14th-edition/
Solution Manual for Auditing: The Art and Science of Assurance Engagements, Fourteenth Canad

Chapter 9
Assessing Control Risk and Designing Tests of Controls
Overview
In the previous chapter, we discussed the components of the COSO (Committee of Sponsoring
Organizations of the Treadway Commission) internal control framework, including how
companies integrate technology into their system of internal controls. In this chapter, we return
to the audit process and discuss how auditors obtain and document their understanding of
internal controls and assess control risk as part of the audit planning process.

At this point in the course, our greatest concern is for students to understand the relationship
between understanding internal control, and assessing control risk and its effect on audit
strategy and evidence accumulation. It is our aim that, by the time students reach Chapter 10
(Audit Strategy), they have a firm grasp on the foundations so that it all makes sense at that
point. It is also important for students to develop a strong understanding of key internal control
concepts and to develop skills in identifying controls and deficiencies in internal control.
However, we want to avoid students thinking solely on the basis of control activities and
transaction testing. At this point, we want students to grasp the big picture of control risk
assessment. We explore assessing and testing transaction internal controls further when
discussing sampling and the controls related to each cycle.

Learning Objectives
1. Obtain and document an understanding of internal control.
2. Assess control risk at the financial statement level and at the assertion level.
3. Describe the process of designing and performing tests of controls.
4. Understand and assess controls of outsourced systems.
5. Understand how control risk impacts detection risk and the design of substantive tests.
6. Describe how the complexity of the IT environment impacts control risk assessment and
testing
7. Describe the auditor’s responsibilities for reporting significant control risks to those in
charge of governance.
8. Explain the difference in the scope of control testing for an audit opinion on the
effectiveness of controls over financial reporting versus an audit opinion for financial
statements.

74 Copyright © 2019 Pearson Canada Inc.

Visit TestBankBell.com to get complete for all chapters

 Chapter 9: Assessing Control Risk and Designing Tests of Controls

Chapter opening vignette: “Just Because the Computer Did the Work
Doesn’t Mean It’s Right”

The opening vignette describes how an auditor, using the firm’s own audit software,
recalculated the aging of accounts receivable totals and found that the client’s computer
software computed the totals incorrectly. The vignette then mentions how the material
calculation error was caused by software programming error and how as a result, the auditor
had to substantially increase the amount of testing of the year-end balance of the allowance for
uncollectible accounts. (Note: We highlight that computers perform only as well as they are
programmed, so consider using the vignette to facilitate a discussion about the impact of
software programming errors on the accuracy of financial information. The discussion can be
linked to software-caused errors in the Federal government’s new payroll processing system
(Phoenix); more information to enhance the discussion can be found in the following article:
http://www.cbc.ca/news/canada/british-columbia/federal-workers-government-fix-phoenix-
payroll-system-1.4447752)

LO 1 Obtain and Document Understanding of Internal Control

We explain that as part of the auditor’s risk assessment procedures, the auditor uses
procedures to obtain an understanding of internal controls, which involve gathering evidence
about the design of internal controls and whether they have been implemented, and then the
auditor uses that information as a basis for assessing control risk.

We highlight the following key questions that the auditor wants to answer:

 Do the controls, when in operation, achieve their objective?

 Do the controls exist and are they in operation?
 Are appropriately qualified personnel carrying out the controls?

We also highlight the type of procedures:

 Inquiries
 Examine documents and records
 Observation
 Perform walk-throughs (We usually spend a bit of time explaining the importance of
walk-throughs)

We then explain that the methods discussed above are also used to obtain an
understanding of entity­level controls and IT general controls. Time permitting, we then refer
to Figure 9-2 and Figure 9-3 to show how the auditor’s understanding of internal controls is
documented. Students often incorrectly presume that understanding and testing of internal
controls is the same things, so we stress that at this stage the auditor is only gathering
information about internal controls to gain an understanding about them, and is not testing
the controls.

Teaching Tip: Auditing in Action 9-1 discusses how judgment traps can
influence the auditor’s assessment of “Tone at the Top” and can be used to
facilitate a class discussion about the challenges faced by auditors when
assessing “Tone at the Top”.

Copyright © 2019 Pearson Canada Inc. 75

Instructor’s Resource Manual for Auditing, 14Ce, by Arens/Elder/Beasley/Hogan/Jones

LO 2 Assess Control Risk

Audit students often think assessing control risk is only assessing the risk associated with
control activities (this is not entirely their fault since when we move on to talking about control
testing the focus is on control activities). In order to avoid this misconception, we refer
students to Figure 9-4 to highlight the role of pervasive and specific controls in assessing
financial reporting risk. We then stress that the starting point is entity level and general
controls as well as fraud controls, processing controls, and period-end reporting process
controls. Students may not yet fully understand these terms so we spend some time
explaining these terms using real-life examples and simple class exercises (similar to the
chair inventory count and class attendance examples used in previous lectures). We then
refer to Table 9-1 to highlight some general guidelines regarding the effectiveness of internal
controls.

When discussing the control matrix, we highlight it is a tool for assessing control risk at the
assertion level. By using this, it helps students see the connection between control
(transaction) objectives and assessment of controls and deficiencies. We also discuss the five
steps that the auditor uses to evaluate whether a deficiency is significant or material and refer
to Figure 9-6. An important point to stress is this represents the potential misstatement that
could occur, not the actual misstatement (which only substantive testing can determine). We
also use Figure 9-7 to demonstrate when a deficiency is identified, the auditor considers its
impact on audit evidence (planned detection risk).

We conclude by referring to Figure 9-8, which takes us to the next part of the lecture (testing
of controls).

Teaching Tip: Question 9-26 is useful for developing the student’s skills of linking
errors/frauds with control deficiencies.

LO 3 Tests of Controls

We first explain that the extent of control testing depends upon the assessed level of control risk
and the testing focuses on significant risks.

A key point we stress is the difference between the level of audit evidence needed for
understanding versus testing control effectiveness. We refer to Table 9-2 to illustrate the
difference and highlight that in addition to inquiry, inspection, and observation, is reperformance
(which can be manual or through generalized audit software).

Teaching Tip: Question 9-23, 9-24, and 9-25 are great for reinforcing students’
knowledge when it comes to testing of internal controls.

Question 9-33 can easily be adapted for in-class discussion. Provide the students
with the excerpt from the CPAB Report and then ask the three questions – it helps
reinforce why testing should be performed over the entire period and the quality of
different types of evidence.

76 Copyright © 2019 Pearson Canada Inc.

 Chapter 9: Assessing Control Risk and Designing Tests of Controls

LO 4 Understanding and Assessing Controls of Outsourced Systems

We start by briefly explaining that rather than maintain an internal IT centre, many clients
outsource various functions of their operations and some or all of their IT needs to an
independent computer service centre that includes application service providers (ASPs) and
cloud computing environments. We then point out that most likely, if the students have a part-
time job, their payroll is probably processed not by their employer, but rather by a payroll
processing company, such as ADP or Ceridian. We then explain that companies can also
outsource functions such as call centres, accounting, human resources, pension fund
management, and internal audit. We highlight that the auditor will need to obtain an
understanding if the controls are related to financial reporting risk. We then briefly go over the
auditor’s responsibility regarding relying upon a service centre auditor and the two types of
reports. We discuss the service auditors reports at a high level.

Since this book is used for an introductory course, the aim is to have students consider the
impact of outsourced systems (which essentially represent outsourced controls) and how the
auditor will deal with this.

LO 5 Evaluate Results, Decide on Planned Detection Risk, and Design

Substantive Tests
We refer back to Figure 9-8 and explain that the decision to test controls is based upon the
effectiveness of the controls and whether it is cost-effective to perform tests of controls. We
stress that performing tests of controls may be more cost efficient than performing substantive
procedures in certain situations and that tests of controls generally have smaller sample sizes
than substantive tests.

We then explain that where the results of the tests of controls support the design of controls as
expected, the auditor uses the same assessed control risk. We then stress that if, however, the
tests of controls indicate that the controls did not operate effectively, the assessed level of
control risk must be reconsidered and the auditor must reassess the planned detection risk and
design of substantive procedures. In other words, if through testing the controls, the auditor
determines that they do not work as the auditor thought they would (based on the initial
understanding), the auditor needs to take a step back and reassess the detection risk and
determine what additional substantive testing needs to be performed.

LO 6 Impact of IT Environment on Control Risk Assessment and

Testing
We explain that when traditional source documents such as invoices, purchase orders, billing
records, and accounting records such as sales journals, inventory listings, and accounts
receivable subsidiary records exist only electronically, auditors must change their approach to
auditing. This approach is often called auditing through the computer. (Note: we can recall here
the impact of software programming errors on the accuracy of information).

We then highlight that auditors use three approaches to test the effectiveness of automated
controls when auditing through the computer: test data approach, parallel simulation, and
embedded audit module approach.
Copyright © 2019 Pearson Canada Inc. 77
Instructor’s Resource Manual for Auditing, 14Ce, by Arens/Elder/Beasley/Hogan/Jones

Time permitting, we then refer to Figure 9-9 to provide a brief overview of test data approach
and Figure 9-10 to explain parallel simulation.

LO 7 Auditor Reporting on Internal Control

We use the excerpt from the TTC year-end report to illustrate how control deficiencies are
reported and the standard format of Weakness, Implication, and Recommendation (we stress
this format). Since this is the audit committee report, it also illustrates management’s response
and provides a live example of reporting to and the monitoring by the audit committee.

LO 8 Reporting on Internal Controls for Some Public Companies

We do not spend too much time on this topic except to highlight that auditors of dual listed
companies in Canada are required to issue an opinion on the operating effectiveness of controls
as well as on the financial statements. Time permitting, we refer to Figure 9-12 and explain the
differences in scope of controls tested in an Audit of Internal Controls and an Audit of Financial
Statements, stressing that in the latter the auditor is only required to test internal controls that
will be relied upon and that are used to assess control risk below maximum.

Teaching Tip: We find an interesting question to pose to students is if the audit

opinion on internal control effectiveness reports several material deficiencies, is it
possible for the auditor to conduct an audit of the financial statements? We find this
questions helps students make the connection between control testing (a combined
approach) and substantive testing (a substantive approach).

Lecture Review
This chapter focused on the auditor’s responsibility for understanding, evaluating, and testing
internal controls. To rely on a client’s internal controls to reduce planned audit evidence for
audits of financial statements, the auditor must first obtain an understanding of each of the five
components of internal control. Knowledge about the design of the client’s control environment,
risk assessment, control activities, information and communication, and monitoring activities and
information about whether internal control components have been implemented assist the
auditor in assessing control risk for each audit objective. The chapter also discussed the impact
of a more complex information technology environment on control risk assessment and testing.
Knowledge about general controls provides a basis for the auditor to rely on automated
application controls and may reduce the extent of tests of key automated controls in audits of
financial statements and internal controls. Some of the auditor’s tests of controls can be done by
the computer, often as a way to achieve more effective and efficient audits. The chapter also
included a brief overview of an audit of a public company subject to Section 404(b) of the
Sarbanes Oxley Act and PCAOB requirements to report on internal control over financial
reporting. For those companies, the auditor is required to provide an opinion on the
effectiveness of internal controls. For those auditors who follow Canadian regulations and CAS,
it is not required, although auditors may still provide such an opinion.

78 Copyright © 2019 Pearson Canada Inc.

Solution Manual for Auditing: The Art and Science of Assurance Engagements, Fourteenth Canad

Chapter 9: Assessing Control Risk and Designing Tests of Controls

Suggested Homework Problems

Discussion Professional
Multiple
Learning Review Questions Judgment
Choice
Objectives Questions and Problems and
Questions
Problems Cases
LO 1 9-1, 9-3, 9-5 9-26, 9-27

LO 2 9-2, 9-3, 9-4, 9-16, 9-24, 9-26, 9-27, 9-30, 9-31,

9-5 9-25 9-28, 9-29 9-32
LO 3 9-6, 9-7, 9-8, 9-19, 9-23 9-29 9-33
9-9
LO 4 9-10 9-18

LO 5 9-11, 9-12
LO 6 9-13, 9-14 9-20, 9-21, 9-28, 9-29
9-22
LO 7 9-6 9-18 9-26 9-32

LO 8 9-15 9-17

Copyright © 2019 Pearson Canada Inc. 79

Visit TestBankBell.com to get complete for all chapters