Auditor's Tests of Controls and Control Risk Assessment

Internal Control and Audit

• The auditor's assessed control risk remains the same as the preliminary assessment if the tests of controls support the design and operation of controls as expected.
• If the tests of controls indicate that the controls did not operate effectively, the assessed control risk must be reconsidered.

Types of Procedures to Support Operating Effectiveness

• The auditor uses four types of procedures to support the operating effectiveness of internal controls:
  • Make inquiries of appropriate client personnel
  • Examine documents, records, and reports
  • Observe control-related activities
  • Repreform client procedures

Extent of Tests of Controls

• The extent of tests of controls depends on the preliminary assessed control risk.
• If the auditor wants a lower assessed control risk, more extensive tests of controls are applied.

Detection Risk and Substantive Tests

• The auditor uses the control risk assessment and results of tests of controls to determine planned detection risk and related substantive tests for the audit of financial statements.

Evaluating Internal Control Deficiencies

• The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors.

Evaluating the Effectiveness of a Control

• Evaluating the effectiveness of a control involves obtaining evidence about whether it is operating as designed.
• The evaluation follows a structured, logical, and organized series of steps and procedures.

Phases of Evaluation

• Phase 1: Obtain and document understanding of internal control design and operation
• Phase 2: Assess control risk
• Phase 3: Design, perform, and evaluate tests of controls
• Phase 4: Decide planned detection risk and substantive tests

Understanding Internal Control Design

• The auditor uses procedures to obtain an understanding of the design of internal controls and whether they have been implemented.
• The auditor uses four types of evidence in obtaining an understanding of the design and implementation of controls:
  • Inspection
  • Inquiry of entity personnel
  • Observation of employees performing control processes
  • Repreformance by tracing one or a few transactions through the accounting system from start to finish

Documents Used to Obtain Understanding

• The auditor commonly uses three types of documents to obtain and document their understanding of the design of internal control:
  • Narrative: a written description of a client's internal controls
  • Flowchart: a diagram of a client's documents and their sequential flow in the organization
  • Internal Control Questionnaire: asks a series of questions about the controls in each audit area as a means of identifying internal control deficiencies