
Control Risk Assessment

Design and Implementation of Controls:

- Planning stage of the audit, when identifying and assessing ROMM (risks of material misstatement)
- Must look at D&I over significant risks, e.g. fraud risks

(1) Design
- Are the controls capable of mitigating the risk?
- Are they properly designed?

Procedures:
- Obtain the system description, inspect it for the description of controls,
and assess their ability to mitigate the risks
- Enquire with management as to the nature of the risks and the controls put
in place to mitigate them

(2) Implementation
- Are the controls actually there and being used?

Procedures:
- Observation
- Walk through the system (point in time)
*This is different from testing the operating effectiveness of controls, since
operating effectiveness means checking that the controls have worked all year
long (the exception to this rule is an automated control, where IT processing is
consistent)

MUST conclude.

*If D&I is not good, i.e. the answer to the above questions is no, then ISA 265 (Control
deficiencies) applies.

ISA 265: Auditor's responsibility to communicate if a deficiency is SIGNIFICANT

Indicators of a significant deficiency:

General controls:
- Weak control environment
- GITC deficiencies
- Controls over fraud

Application:
- Ineffective management response to identified risks
- Misstatements detected that should have been stopped

Actions (in the ISA):

- Communicate in writing to the board on significant deficiencies and other NB
- Include a description of the deficiency and its potential effects
- Information to understand the context of the communication (not the
auditor's main purpose)
- On a timely basis
