Chapter 9
Assessing Control Risk and Designing Tests of Controls
Overview
In the previous chapter, we discussed the components of the COSO (Committee of Sponsoring
Organizations of the Treadway Commission) internal control framework, including how
companies integrate technology into their system of internal controls. In this chapter, we return
to the audit process and discuss how auditors obtain and document their understanding of
internal controls and assess control risk as part of the audit planning process.
At this point in the course, our greatest concern is for students to understand the relationship
between understanding internal control and assessing control risk, and its effect on audit
strategy and evidence accumulation. It is our aim that, by the time students reach Chapter 10
(Audit Strategy), they have a firm grasp on the foundations so that it all makes sense at that
point. It is also important for students to develop a strong understanding of key internal control
concepts and to develop skills in identifying controls and deficiencies in internal control.
However, we want to avoid students thinking solely on the basis of control activities and
transaction testing. At this point, we want students to grasp the big picture of control risk
assessment. We explore assessing and testing transaction internal controls further when
discussing sampling and the controls related to each cycle.
Learning Objectives
1. Obtain and document an understanding of internal control.
2. Assess control risk at the financial statement level and at the assertion level.
3. Describe the process of designing and performing tests of controls.
4. Understand and assess controls of outsourced systems.
5. Understand how control risk impacts detection risk and the design of substantive tests.
6. Describe how the complexity of the IT environment impacts control risk assessment and
testing.
7. Describe the auditor’s responsibilities for reporting significant control risks to those in
charge of governance.
8. Explain the difference in the scope of control testing for an audit opinion on the
effectiveness of controls over financial reporting versus an audit opinion for financial
statements.
Chapter opening vignette: “Just Because the Computer Did the Work
Doesn’t Mean It’s Right”
The opening vignette describes how an auditor, using the firm’s own audit software,
recalculated the aging of accounts receivable totals and found that the client’s computer
software computed the totals incorrectly. The vignette then mentions how the material
calculation error was caused by a software programming error and how, as a result, the auditor
had to substantially increase the amount of testing of the year-end balance of the allowance for
uncollectible accounts. (Note: We highlight that computers perform only as well as they are
programmed, so consider using the vignette to facilitate a discussion about the impact of
software programming errors on the accuracy of financial information. The discussion can be
linked to software-caused errors in the Federal government’s new payroll processing system
(Phoenix); more information to enhance the discussion can be found in the following article:
http://www.cbc.ca/news/canada/british-columbia/federal-workers-government-fix-phoenix-payroll-system-1.4447752)
We explain that as part of the auditor’s risk assessment procedures, the auditor uses
procedures to obtain an understanding of internal controls, which involve gathering evidence
about the design of internal controls and whether they have been implemented, and then the
auditor uses that information as a basis for assessing control risk.
We highlight the following key questions that the auditor wants to answer:
We then explain that the methods discussed above are also used to obtain an
understanding of entity-level controls and IT general controls. Time permitting, we then refer
to Figure 9-2 and Figure 9-3 to show how the auditor’s understanding of internal controls is
documented. Students often incorrectly presume that understanding and testing of internal
controls are the same thing, so we stress that at this stage the auditor is only gathering
information about internal controls to gain an understanding of them, and is not testing
the controls.
Teaching Tip: Auditing in Action 9-1 discusses how judgment traps can
influence the auditor’s assessment of “Tone at the Top” and can be used to
facilitate a class discussion about the challenges faced by auditors when
assessing “Tone at the Top”.
Audit students often think assessing control risk is only assessing the risk associated with
control activities (this is not entirely their fault since when we move on to talking about control
testing the focus is on control activities). In order to avoid this misconception, we refer
students to Figure 9-4 to highlight the role of pervasive and specific controls in assessing
financial reporting risk. We then stress that the starting point is entity level and general
controls as well as fraud controls, processing controls, and period-end reporting process
controls. Students may not yet fully understand these terms so we spend some time
explaining these terms using real-life examples and simple class exercises (similar to the
chair inventory count and class attendance examples used in previous lectures). We then
refer to Table 9-1 to highlight some general guidelines regarding the effectiveness of internal
controls.
When discussing the control matrix, we highlight that it is a tool for assessing control risk at the
assertion level. Using it helps students see the connection between control
(transaction) objectives and the assessment of controls and deficiencies. We also discuss the five
steps that the auditor uses to evaluate whether a deficiency is significant or material and refer
to Figure 9-6. An important point to stress is that this represents the potential misstatement that
could occur, not the actual misstatement (which only substantive testing can determine). We
also use Figure 9-7 to demonstrate that when a deficiency is identified, the auditor considers its
impact on audit evidence (planned detection risk).
We conclude by referring to Figure 9-8, which takes us to the next part of the lecture (testing
of controls).
Teaching Tip: Question 9-26 is useful for developing students’ skills in linking
errors/frauds with control deficiencies.
LO 3 Tests of Controls
We first explain that the extent of control testing depends upon the assessed level of control risk
and the testing focuses on significant risks.
A key point we stress is the difference between the level of audit evidence needed for
understanding versus testing control effectiveness. We refer to Table 9-2 to illustrate the
difference and highlight that, in addition to inquiry, inspection, and observation, there is reperformance
(which can be manual or through generalized audit software).
Teaching Tip: Questions 9-23, 9-24, and 9-25 are great for reinforcing students’
knowledge when it comes to testing of internal controls.
Question 9-33 can easily be adapted for in-class discussion. Provide the students
with the excerpt from the CPAB Report and then ask the three questions – it helps
reinforce why testing should be performed over the entire period and the quality of
different types of evidence.
Since this book is used for an introductory course, the aim is to have students consider the
impact of outsourced systems (which essentially represent outsourced controls) and how the
auditor will deal with this.
We then explain that where the results of the tests of controls support the design of controls as
expected, the auditor uses the same assessed control risk. We then stress that if, however, the
tests of controls indicate that the controls did not operate effectively, the assessed level of
control risk must be reconsidered and the auditor must reassess the planned detection risk and
design of substantive procedures. In other words, if through testing the controls, the auditor
determines that they do not work as the auditor thought they would (based on the initial
understanding), the auditor needs to take a step back and reassess the detection risk and
determine what additional substantive testing needs to be performed.
We then highlight that auditors use three approaches to test the effectiveness of automated
controls when auditing through the computer: test data approach, parallel simulation, and
embedded audit module approach.
Copyright © 2019 Pearson Canada Inc. 77
Instructor’s Resource Manual for Auditing, 14Ce, by Arens/Elder/Beasley/Hogan/Jones
Time permitting, we then refer to Figure 9-9 to provide a brief overview of the test data approach
and Figure 9-10 to explain parallel simulation.
Lecture Review
This chapter focused on the auditor’s responsibility for understanding, evaluating, and testing
internal controls. To rely on a client’s internal controls to reduce planned audit evidence for
audits of financial statements, the auditor must first obtain an understanding of each of the five
components of internal control. Knowledge about the design of the client’s control environment,
risk assessment, control activities, information and communication, and monitoring activities and
information about whether internal control components have been implemented assist the
auditor in assessing control risk for each audit objective. The chapter also discussed the impact
of a more complex information technology environment on control risk assessment and testing.
Knowledge about general controls provides a basis for the auditor to rely on automated
application controls and may reduce the extent of tests of key automated controls in audits of
financial statements and internal controls. Some of the auditor’s tests of controls can be done by
the computer, often as a way to achieve more effective and efficient audits. The chapter also
included a brief overview of an audit of a public company subject to Section 404(b) of the
Sarbanes-Oxley Act and PCAOB requirements to report on internal control over financial
reporting. For those companies, the auditor is required to provide an opinion on the
effectiveness of internal controls. For those auditors who follow Canadian regulations and CAS,
it is not required, although auditors may still provide such an opinion.
Learning Objectives | Review Questions | Multiple Choice Questions | Discussion Questions and Problems | Professional Judgment Problems and Cases
LO 1 | 9-1, 9-3, 9-5 | | 9-26, 9-27 |
LO 5 | 9-11, 9-12 | | |
LO 6 | 9-13, 9-14 | 9-20, 9-21, 9-22 | 9-28, 9-29 |
LO 7 | 9-6 | 9-18 | 9-26 | 9-32
LO 8 | 9-15 | 9-17 | |