Explore topic-wise InterviewSolutions in .

The assessment of control risk is a process of EVALUATING the effectiveness of a client’s INTERNAL CONTROLS in PREVENTING and DETECTING material misstatements in the financial statements.

The assessment of control risk is a process of evaluating the effectiveness of a client’s internal controls in preventing and detecting material misstatements in the financial statements.

The AUDITOR must exercise PROFESSIONAL JUDGMENT in determining the METHODS and extent of documentation.

The most frequently used methods of documentation are:

1. Flowcharts
2. Questionnaires
3. Narrative memos (WRITTEN descriptions)

The auditor must exercise professional judgment in determining the methods and extent of documentation.

The most frequently used methods of documentation are:

Ordinarily, a combination of the FOLLOWING procedures is used in obtaining a sufficient understanding of internal control:

• Previous EXPERIENCE with the client
• Inquiry of appropriate client personnel
• Observation of client activities
• Reference to prior year WORKING papers
• Inspection of client-prepared DESCRIPTIONS, such as organization charts and accounting MANUALS.

Ordinarily, a combination of the following procedures is used in obtaining a sufficient understanding of internal control:

The practitioner MUST obtain a sufficient understanding of INTERNAL control to enable the proper planning of the audit. Whether controls have been placed in OPERATIONS is of prime importance. Operating effectiveness is not to be judged by the practitioner.

The understanding of the internal control should:

provide a basis for identifying types of POTENTIAL misstatements, enable the assessment of the risk that such misstatements will occur, and
enable the auditor to design substantive tests.

The practitioner must obtain a sufficient understanding of internal control to enable the proper planning of the audit. Whether controls have been placed in operations is of prime importance. Operating effectiveness is not to be judged by the practitioner.

The understanding of the internal control should:

provide a basis for identifying types of potential misstatements, enable the assessment of the risk that such misstatements will occur, and
enable the auditor to design substantive tests.

IT POSES specific risks to INTERNAL control, including:

• Reliance on inaccurate systems or programs
• Unauthorized access to data that may result in destruction of data or improper alterations to data.
• Unauthorized changes to master files
• Unauthorized changes to systems or programs
• Failure to make necessary changes to systems or programs
• Inappropriate MANUAL INTERVENTION
• Potential loss of data

IT poses specific risks to internal control, including:

IT provides potential benefits of effectiveness and EFFICIENCY for internal control because it enables the entity to:

• CONSISTENTLY apply predefined rules and perform complex calculations in processing large volumes of transactions or data.
• Enhance the timeliness, availability, and accuracy of information.
• Facilitate the additional analysis of information.
• Enhance the ability to monitor the PERFORMANCE of the entity’s ACTIVITIES and its policies and procedures.
• Reduce the risk that controls will be circumvented.
• Enhance the ability to achieve EFFECTIVE segregation of duties by implementing security controls in applications, databases, and operating systems.

IT provides potential benefits of effectiveness and efficiency for internal control because it enables the entity to:

• An entity’s USE of IT may affect any of the five interrelated components of internal CONTROL.
• Controls in systems that use IT consist of a combination of automated controls (e.g., controls embedded in computer PROGRAMS) and manual controls.

The auditor’s primary consideration is whether a specific control affects the financial statement ASSERTIONS rather than its classification into any PARTICULAR component. Although the five components are applicable to every audit,

they should be considered in the context of the following:

• Entity size
• Organization and OWNERSHIP characteristics
• Nature of the entity’s business
• DIVERSITY and complexity of operations
• METHODS of transmitting, processing, maintaining, and accessing information
• Applicable legal and regulatory requirements

The auditor’s primary consideration is whether a specific control affects the financial statement assertions rather than its classification into any particular component. Although the five components are applicable to every audit,

they should be considered in the context of the following:

In general, the auditor should consider the CONTROLS that pertain to the entity’s objective of preparing financial statements for external use that are presented fairly in conformity with GENERALLY accepted ACCOUNTING principles (GAAP) or some other comprehensive basis of accounting other than GAAP (OCBOA).

The controls relating to operations and compliance objectives MAY be relevant to a financial STATEMENT audit if they pertain to data the auditor evaluates or uses. For example, the auditor may consider the controls relevant to nonfinancial data (such as production statistics) used in analytical procedures.

In general, the auditor should consider the controls that pertain to the entity’s objective of preparing financial statements for external use that are presented fairly in conformity with generally accepted accounting principles (GAAP) or some other comprehensive basis of accounting other than GAAP (OCBOA).

The controls relating to operations and compliance objectives may be relevant to a financial statement audit if they pertain to data the auditor evaluates or uses. For example, the auditor may consider the controls relevant to nonfinancial data (such as production statistics) used in analytical procedures.

There is a direct relationship between objectives and components. This results from the fact that objectives are what an entity STRIVES to achieve, while components are what an entity needs to achieve the objectives. It is also IMPORTANT to REMEMBER that internal control is relevant not only to the entire entity, but also to an entity’s OPERATING units and business functions.

There is a direct relationship between objectives and components. This results from the fact that objectives are what an entity strives to achieve, while components are what an entity needs to achieve the objectives. It is also important to remember that internal control is relevant not only to the entire entity, but also to an entity’s operating units and business functions.

Monitoring is MANAGEMENT’s process of assessing the quality of internal control performance over TIME. Accordingly, management MUST assess the design and operation of controls on a timely basis and take necessary corrective actions.

Monitoring may involve:

separate evaluations, the use of internal auditors, and the use of communications from outside parties (e.g., COMPLAINTS from customers and regulator COMMENTS).

Monitoring is management’s process of assessing the quality of internal control performance over time. Accordingly, management must assess the design and operation of controls on a timely basis and take necessary corrective actions.

Monitoring may involve:

separate evaluations, the use of internal auditors, and the use of communications from outside parties (e.g., complaints from customers and regulator comments).

The auditor should obtain sufficient knowledge about the information system relevant to financial reporting. The information system generally consists of the METHODS and records established to record, process, summarize, and report entity TRANSACTIONS and to maintain accountability of related assets, liabilities, and equity. Communication INVOLVES PROVIDING an understanding of individual roles and responsibilities pertaining to internal CONTROL over financial reporting.

The auditor should obtain sufficient knowledge about the information system relevant to financial reporting. The information system generally consists of the methods and records established to record, process, summarize, and report entity transactions and to maintain accountability of related assets, liabilities, and equity. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.

Control activities are the policies and procedures management has implemented in order to ensure that directives are carried out.

Control activities that may be relevant to a financial STATEMENT audit may be classified into the following categories:

• Performance reviews, including comparisons of actual performance with budgets, forecasts, and prior period results.
• Information processing. Controls relating to information processing are generally DESIGNED to verify accuracy, COMPLETENESS, and authorization of transactions. Specifically, controls may be classified as general controls or application controls. General controls might include controls over data center operations, systems software acquisition and maintenance, and access security; application controls apply to the processing of individual applications and are designed to ensure that transactions that are recorded are valid, AUTHORIZED, and complete.
• Physical controls, which involve adequate safeguards over the access to assets and RECORDS, include authorization for access to computer programs and files and periodic counting and comparison with amounts shown on control records.
• Segregation of duties, which is designed to reduce opportunities that allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties, involves assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets.

Control activities are the policies and procedures management has implemented in order to ensure that directives are carried out.

Control activities that may be relevant to a financial statement audit may be classified into the following categories:

If the auditor concludes, BASED on his or her understanding of INTERNAL control, that controls are likely to be ineffective or that evaluation of their effectiveness would be INEFFICIENT, then the auditor may assess control risk at the maximum level for some or all financial statement assertions.

If specific controls are likely to prevent or detect material misstatements and the auditor PERFORMS tests of controls in order to evaluate the effectiveness of the controls identified, then ASSESSMENT of control risk below the maximum level is permissible.

If the auditor concludes, based on his or her understanding of internal control, that controls are likely to be ineffective or that evaluation of their effectiveness would be inefficient, then the auditor may assess control risk at the maximum level for some or all financial statement assertions.

If specific controls are likely to prevent or detect material misstatements and the auditor performs tests of controls in order to evaluate the effectiveness of the controls identified, then assessment of control risk below the maximum level is permissible.

SAS 55 defines tests of controls as tests directed toward the design or OPERATION of an internal control to assess its effectiveness in preventing or detecting material misstatements in a financial statement assertion. Inquiry of company personnel, inspection of CLIENT DOCUMENTS and RECORDS, observation of client activities, and re-performance of controls REPRESENT some of the procedures used in performing tests of controls.

SAS 55 defines tests of controls as tests directed toward the design or operation of an internal control to assess its effectiveness in preventing or detecting material misstatements in a financial statement assertion. Inquiry of company personnel, inspection of client documents and records, observation of client activities, and re-performance of controls represent some of the procedures used in performing tests of controls.

An entity’s risk assessment for financial reporting purposes is its identification, analysis, and management of risks pertaining to financial statement preparation. Accordingly, risk assessment may consider the possibility of executed transactions that remain unrecorded.

The following internal and external events and circumstances may be relevant to the risk of preparing financial statements that are not in conformity with generally accepted accounting principles [or another comprehensive basis of accounting]:

• Changes in operating environment, including competitive pressures
• New personnel that have a different perspective on internal CONTROL
• Rapid growth that can result in a breakdown in controls
• New technology in information systems and production PROCESSES
• New lines, products, or ACTIVITIES
• Corporate restructuring that MIGHT result in changes in SUPERVISION and segregation of job functions
• Foreign operations
• Accounting pronouncements requiring adoption of new accounting principles

An entity’s risk assessment for financial reporting purposes is its identification, analysis, and management of risks pertaining to financial statement preparation. Accordingly, risk assessment may consider the possibility of executed transactions that remain unrecorded.

The following internal and external events and circumstances may be relevant to the risk of preparing financial statements that are not in conformity with generally accepted accounting principles [or another comprehensive basis of accounting]:

The control environment, which is the foundation for the other components of internal control, provides DISCIPLINE and structure by setting the tone of an organization and influencing control consciousness.

Factors to consider in assessing the client’s control environment include:

• Integrity and ETHICAL values, including (1) management’s actions to eliminate or mitigate incentives and temptations on the part of personnel to commit dishonest, illegal, or unethical acts, (2) policy statements, and (3) codes of conduct
• Commitment to COMPETENCE, including management’s consideration of competence levels for specific tasks and how those levels translate into necessary SKILLS and knowledge.
• Board of directors or audit committee participation, including interaction with internal and external (independent) auditors
• Management’s philosophy and operating style, such as management’s attitude and actions regarding financial reporting, as well as management’s approach to TAKING and monitoring risks
• The entity’s organizational structure
• Assignment of authority and responsibility, including fulfilling job responsibilities
• Human resource policies and practices, including those relating to hiring, orientation, training, evaluating, counseling, promoting, and compensating employees

The control environment, which is the foundation for the other components of internal control, provides discipline and structure by setting the tone of an organization and influencing control consciousness.

Factors to consider in assessing the client’s control environment include: