
ASSESSING AUDIT RISK AND DESIGNING TEST OF CONTROLS
PRESENTER: KRISHIA BELLE A. CAMBALON
AUDIT RISK
It is the probability that the auditor will render an
unqualified (clean) opinion on financial statements that
are, in fact, materially misstated. Material misstatements
may be caused by errors or irregularities or both. Errors
are unintentional mistakes.

Irregularities are intentional misrepresentations
associated with the commission of a fraud such as the
misappropriation of physical assets or the deception of
financial statement users.
AUDIT RISK COMPONENTS

• The auditor’s objective is to achieve a level of
audit risk that is acceptable to the auditor.
• Acceptable audit risk (AR) is estimated based
on the ex ante value of the components of the
audit risk model. These are inherent risk,
control risk, and detection risk.
INHERENT RISK
Inherent risk is the susceptibility of an account
balance or class of transactions to
misstatements that could be material,
individually or when aggregated with
misstatements in other balances or classes,
assuming that there were no related internal
controls.
CONTROL RISK
Control risk is the risk that a misstatement that
could occur in an account balance or class of
transactions and that could be material –
individually or when aggregated with
misstatements in other balances or classes – will
not be prevented or detected and corrected on a
timely basis by accounting and internal control
systems.
DETECTION RISK
Detection risk is the risk that an auditor’s procedures
will not detect a misstatement that exists in an account
balance or class of transactions that could be material,
individually or when aggregated with misstatements in
other balances or classes.
WHAT IS TEST OF CONTROL?
• A test of control explains the audit procedures
used to determine if a control is designed and
operating.

• The goal of the test of controls in audit procedures
is to determine if controls are sufficient to prevent
or detect risks that could impact a business.
What Are the Five Types of Audit Tests?

There are five main methods to walk through and test each control in
place at the service organization which include (listed in order of
complexity from lowest to highest):
1. Inquiry,
2. Observation,
3. Examination or inspection of evidence,
4. Re-performance, and
5. Computer-assisted audit technique (CAAT).

These methods are used when designing audit procedures.


INQUIRY
Simply, the auditor asks appropriate management and staff
about the controls in place at the service organization to
determine some relevant information. This method is often
used in conjunction with other, more reliable methods. For
example, an auditor may inquire of management if visitors
to the data center are escorted at all times if the auditor is not
able to observe this activity while on site.
OBSERVATION

Activities and operations are tested using
observation. This method is useful when there is
no documentation of the operation of a control,
such as observing that a security camera is in
place or observing that a fire suppression system
is installed.
EXAMINATION OR INSPECTION OF
EVIDENCE
This method is used to determine whether or not manual controls
are being performed. For instance, are backups scheduled to run on
a regular basis? Are forms being filled out appropriately? This
method often includes reviewing written documentation and
records such as employee manuals, visitor logs, and system
databases. The evidence is obtained and examined or inspected as
part of this method.
RE-PERFORMANCE
• Re-performance (sometimes called recalculation) is used when the three above
methods combined fail to provide sufficient assurance that a control is operating
effectively. This method can also be used to prove by itself that controls are
operating effectively.

• This method of testing (as well as a CAAT) is the strongest type of testing to show
the operating effectiveness of a control. Re-performance requires the auditor to
manually execute the control, such as re-performing a calculation that a system
automatically calculates to confirm that the system performs the control correctly.

• Re-performance by the auditor is completed and then compared to the systematic
output to validate that the result is the same.
COMPUTER-ASSISTED AUDIT TECHNIQUE
(CAAT)
• This method can be used to analyze large volumes of data,
or to analyze every transaction rather than just
a sample of all transactions.

• Software is generally used to perform a CAAT, which can
range from using a spreadsheet to using specialized
databases or software designed specifically for data
analytics (e.g. ACL).
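
As an added illustration (not part of the original presentation), the sketch below combines re-performance with a CAAT: the auditor independently recalculates an automated control for every record in the population and compares the result with the system's own output. The control (disabling accounts idle for more than 90 days), the field names, the dates and the sample export are all assumptions constructed for the example.

```python
import csv
import io
from datetime import date

# Constructed sample export of the full user population (not from the page).
# system_flag is the system's own output of the automated control.
POPULATION_CSV = """user,last_login,system_flag
alice,2024-05-20,active
bob,2024-01-10,disabled
carol,2024-02-01,active
dave,2024-06-01,active
erin,,disabled
"""

MAX_INACTIVE_DAYS = 90        # assumed policy threshold
AS_OF = date(2024, 6, 30)     # assumed date the population was extracted


def expected_flag(last_login: str) -> str:
    """Auditor's independent recalculation of the control for one account."""
    if not last_login:        # never logged in: treated as inactive
        return "disabled"
    idle_days = (AS_OF - date.fromisoformat(last_login)).days
    return "disabled" if idle_days > MAX_INACTIVE_DAYS else "active"


def reperform(csv_text: str) -> dict:
    """Test every record (no sampling) and list where the system disagrees."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    exceptions = []
    for row in rows:
        want = expected_flag(row["last_login"])
        if want != row["system_flag"]:
            # (user, what the system reported, what the auditor recalculated)
            exceptions.append((row["user"], row["system_flag"], want))
    return {"tested": len(rows), "exceptions": exceptions}


if __name__ == "__main__":
    result = reperform(POPULATION_CSV)
    print(f"records tested: {result['tested']}")
    for user, got, want in result["exceptions"]:
        print(f"exception: {user} system={got} recalculated={want}")
```
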
When Do You Use the Different Audit
Testing Procedures?

• Samples of populations are selected for testing based on
the type of test being performed (i.e., a test of one would
be completed for an automated control using re-performance,
but a sample of the population would be
selected for an inspection control).

• Additional considerations are the population size and the
level of precision we want to achieve in the testing.
What Are the Main Procedures for Obtaining
Audit Evidence?
When completing the tests of controls, it is very important how audit
evidence is obtained. To be able to rely on evidence obtained, the
auditor must be comfortable that audit evidence is complete and accurate.
This can be accomplished by observing the pulling of audit support
directly from the person responsible for the support.

For example, the auditor may sit with a system administrator as they pull up and
screenshot password restrictions or a population of all system users.
Additionally, to confirm the completeness of the population, queries can be
obtained and reviewed to ensure none of the population has been filtered
out.
THANK
YOU!