Control Risk, Audit Planning and Test of Controls

Slide 8.
Control Risk, Audit Planning and Test of

Controls
Principles of Auditing: An Introduction to
International Standards on Auditing - Ch. 8
Rick Stephan Hayes,

Roger Dassen, Arnold Schilder,
Philip Wallage
[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007
Slide 8.2
Understanding, Assessing and Testing

Internal Controls
Assessment of control risk includes three
steps: (See Illustration 8.1)
(1) Obtaining an understanding of internal
controls culminating in documentation of
the controls
(2) An initial assessment and response to
assessed risk based on the design of
internal controls culminating in an audit
planning memorandum and audit plan
(audit program).
(3) A final assessment based upon test of
controls of operating effectiveness
Slide 8.3
Illustration 8.1
Slide 8.4
Audit Risk, the risk that the auditor gives a wrong

opinion based on the evidence, has three components:
inherent risk, detection risk, and control risk
Audit Risk
Control Risk Inherent

Risk
Detection Risk
Slide 8.5
Procedures to obtain an understanding
Procedures to obtain an understanding are

procedures used by the auditor to gather
evidence about the design and placement
in operation of specific control policies and
procedures.
Slide 8.6
Information System Understanding

The auditor should obtain an understanding of the
information system in the following areas:
 The classes of transactions significant to the
financial statements.
 The procedures by which those transactions are
initiated, recorded, processed and reported in the
financial statements.
 The related accounting records,
 How the information system captures events and
conditions,
 The financial reporting process used to prepare
the entity’s financial statements
Slide 8.7
(1) The discussion among the audit team

Documentation of regarding the susceptibility of the entity’s
the Understanding financial statements to material
misstatement due to error or fraud.
of internal control (2) The understanding obtained regarding
each of the internal control components,
the sources of information for the
understanding, and the risk assessment
procedures.
(3) The results of the risk assessment both
at the financial statement level and at
the assertion level.
(4) The controls evaluated as a result of
identification of significant risks and risks
for which it is not possible to reduce
risks of material misstatement.
Slide 8.8
Common documentation techniques
 narrative descriptions (Illustration 8.4, 8.5)

 a written description of a client's internal control
structure
 internal control questionnaire (Illustration 8.6)
 a series of questions about the controls in each
audit area – mostly require “yes” or “no”
 check lists (Illustration 8.7)
 a list of controls that should normally be in place
 flow charts (Illustration 8.8)
 a symbolic, diagrammatic representation of the
clients documents and their sequential flow in the
organization.
Slide 8.9
Steps in Assessing Control Risks
 Determine financial statement assertion about

significant account balances and transactions.
 E.g., completeness of payables balance
 Based on the assertions, determine audit
objectives
 E.g., 'all accounts payable are recorded'
 For each of these audit objective determine if you
can rely on internal controls
 E.g.,is the initial recording of purchase orders
reviewed
 Identify the relevant internal controls for the most
material financial statement assertion or audit
objective
 E.g., completeness – review cash disbursements
after balance sheet date for unrecorded liabilities
Slide 8.10
When assessing controls the auditor looks for

‘weaknesses’ in the controls for two reasons:
 to determine the nature and extent of the

substantive tests to be performed
 to formulate constructive suggestions for
improvements.
 A management letter will contain

communications of reportable conditions
that are significant deficiencies in internal
control
Slide 8.11
Weaknesses in internal control are the

absence of adequate controls, which
increases the risk of misstatements
existing in the financial statements.
controls do not exist at all where there
should be controls
controls are not operating properly.
In some cases, the presence of the
weakness might be so important or
pervasive that it may materially affect the
financial statements. This is called a
material weakness in internal control.
Slide 8.12
A four-step approach to identify significant

weaknesses is sometimes recommended:
1 Identify existing controls.

2 Identify the absence of key controls (where
controls are lacking).
3 Determine potential material
misstatements that could result.
4 Consider the possibility of compensating
controls. A compensating control is one
elsewhere in the system that offsets a
weakness.
Slide 8.13
If internal controls are

assessed below
the maximum (at
medium or low risk)
the assessment
must be supported
by tests of control.
Slide 8.14
Overall response to assessed risk may include
(1) emphasizing to the audit team the need

to maintain professional skepticism in
gathering and evaluating audit evidence
(2) assigning more experienced staff or
assigning staff with special skills or using
experts.
(3) providing more supervision.
(4) incorporating additional elements of
unpredictability in the selection of further
audit procedures to be performed.
Slide 8.15
NET Nature Extent and

Timing
Nature of audit procedures refers to both their

purpose (tests of controls or substantive
procedures) and their type (inspection, observation,
inquiry, confirmation, recalculation, reperformance,
or analytical procedures ).
Extent generally means the quantity of an audit
procedure to be performed (e.g., the size of an
audit sample or the number of observations).
Timing refers to when audit procedures are
performed or the period or date to which the audit
evidence applies.
Slide 8.16
The Audit Planning Memo Includes
 Background information
 The objectives of the audit
 The assessment of engagement risk and
potential follow-up
 An identification of other auditors or experts that
will be relied upon in the audit
 An assessment of materiality.
 Inherent risks
Slide 8.17
Audit Planning Memo Also Includes
 Conclusions regarding the control environment

 Classification of the client’s CIS environment
 An evaluation of the quality of the accounting and
internal control systems
 Audit approach for each account balance and
audit objective for which an inherent risk has
been identified.
 The timing and scheduling of audit work.
 Audit budget, detailed for each level of expertise
available in the audit team.
Slide 8.18
Audit Plan (Audit Program)
‘The auditor should develop

an audit plan in order to
implement the overall audit
strategy.’
 The audit plan (program)
serves as a set of instructions
to assistants involved in the
audit and as a means to
control and record the proper
execution of the work.
(Illustration 8.9)
Slide 8.19
Tests of Controls
TESTS OF CONTROLS are audit

procedures to test the effectiveness of
control policies and procedures in support
of a reduced control risk.
Slide 8.20
Tests of controls are necessary in two

circumstances. (2006 ISA 500 – not in text)
1. When the auditor’s risk assessment includes

an expectation of the operating effectiveness
of controls, the auditor is required to test
those controls to support the risk
assessment.
2. When substantive procedures alone do not
provide sufficient appropriate audit evidence,
the auditor is required to perform tests of
controls to obtain audit evidence about their
operating effectiveness.
Slide 8.21
Timing of Tests of Controls
The timeliness of evidential matter is about when the

evidence was obtained and the portion of the audit
period to which it may be applied.
 some tests of controls, such as observation of
inventory, pertain only to the point in time at which the
auditing procedure was applied
 the auditor performs other tests that are capable of
providing audit evidence that the control operated
effectively at relevant times during the audit period.
Slide 8.22
Extent of Tests of Control

The more reliance the
auditor puts on controls in
their audit, the greater is
the extent (amount) of the
auditor’s tests of controls.
In addition, as the rate of
expected variability of the
control increases, the
auditor increases the
extent of testing of that
control.
Slide 8.23
Evaluate Sufficiency and

Appropriateness of Audit Evidence
What is sufficient appropriate audit evidence is
influenced by such factors as the:
 Significance of the potential misstatement
 Effectiveness of management’s responses and
controls to address the risks.
 Experience gained during previous audits with
respect to similar potential misstatements.
 Results of audit procedures performed,
 Source and reliability of the available information.
 Persuasiveness of the audit evidence.
 Understanding of the entity and its environment,
including its internal control.
Slide 8.24
Thank You for Your Attention
Any Questions?

Control Risk, Audit Planning and Test of Controls

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Control Risk, Audit Planning and Test of Controls

Uploaded by

Copyright:

Available Formats

Slide 8.

Control Risk, Audit Planning and Test of

Rick Stephan Hayes,

Understanding, Assessing and Testing

Audit Risk, the risk that the auditor gives a wrong

Control Risk Inherent

Procedures to obtain an understanding

Procedures to obtain an understanding are

Information System Understanding

(1) The discussion among the audit team

Common documentation techniques

 narrative descriptions (Illustration 8.4, 8.5)

Steps in Assessing Control Risks

 Determine financial statement assertion about

When assessing controls the auditor looks for

 to determine the nature and extent of the

 A management letter will contain

Weaknesses in internal control are the

A four-step approach to identify significant

1 Identify existing controls.

If internal controls are

Overall response to assessed risk may include

(1) emphasizing to the audit team the need

NET Nature Extent and

Nature of audit procedures refers to both their

The Audit Planning Memo Includes

Audit Planning Memo Also Includes

 Conclusions regarding the control environment

Audit Plan (Audit Program)

‘The auditor should develop

TESTS OF CONTROLS are audit

Tests of controls are necessary in two

1. When the auditor’s risk assessment includes

Timing of Tests of Controls

The timeliness of evidential matter is about when the

Extent of Tests of Control

Evaluate Sufficiency and

Thank You for Your Attention

You might also like