Audit Risk,

Audit Planning and Test of Controls

Course 6

Understanding, Assessing and

Testing Internal Controls
Assessment of control risk includes three
steps:
(1) Obtaining an understanding of internal
controls culminating in documentation of
the controls
(2) An initial assessment and response to
assessed risk based on the design of
internal controls culminating in an audit
planning memorandum and audit plan
(audit program).
(3) A final assessment based upon test of
controls of operating effectiveness

Illustration

Audit Risk, the risk that the auditor gives a wrong opinion based on
the evidence, has three components: inherent risk, detection risk,
and control risk

Procedures to obtain an understanding

Procedures to obtain an understanding are
procedures used by the auditor to gather
evidence about the design and placement
in operation of specific control policies and
procedures.

Information System Understanding

The auditor should obtain an understanding of the
information system in the following areas:
The classes of transactions significant to the financial
statements.
The procedures by which those transactions are
initiated, recorded, processed and reported in the
financial statements.
The related accounting records,
How the information system captures events and
conditions,
The financial reporting process used to prepare the
entitys financial statements

Documentation of
the Understanding of
internal control

(1) The discussion among the audit team

regarding the susceptibility of the entitys
financial statements to material
misstatement due to error or fraud.
(2) The understanding obtained regarding each
of the internal control components, the
sources of information for the
understanding, and the risk assessment
procedures.
(3) The results of the risk assessment both at
the financial statement level and at the
assertion level.
(4) The controls evaluated as a result of
identification of significant risks and risks for
which it is not possible to reduce risks of
material misstatement.

Common documentation
techniques
narrative descriptions
a written description of a client's internal control
structure

internal control questionnaire

a series of questions about the controls in each audit
area mostly require yes or no

check lists
a list of controls that should normally be in place

flow charts
a symbolic, diagrammatic representation of the clients
documents and their sequential flow in the
organization.

Steps in Assessing Control Risks

Determine financial statement assertion about
significant account balances and transactions.
E.g., completeness of payables balance

Based on the assertions, determine audit objectives

E.g., 'all accounts payable are recorded'

For each of these audit objective determine if you can

rely on internal controls
E.g.,is the initial recording of purchase orders reviewed

Identify the relevant internal controls for the most

material financial statement assertion or audit
objective
E.g., completeness review cash disbursements after
balance sheet date for unrecorded liabilities

When assessing controls the auditor looks for weaknesses in the

controls for two reasons:

to determine the nature and extent of the

substantive tests to be performed
to formulate constructive suggestions for
improvements.
A management letter will contain
communications of reportable conditions
that are significant deficiencies in internal
control

Weaknesses in internal control are the

absence of adequate controls, which
increases the risk of misstatements existing
in the financial statements.
controls do not exist at all where there should
be controls
controls are not operating properly.

In some cases, the presence of the

weakness might be so important or
pervasive that it may materially affect the
financial statements. This is called a
material weakness in internal control.

A four-step approach to identify significant

weaknesses is sometimes recommended:

1 Identify existing controls.

2 Identify the absence of key controls (where
controls are lacking).
3 Determine potential material
misstatements that could result.
4 Consider the possibility of compensating
controls. A compensating control is one
elsewhere in the system that offsets a
weakness.

If internal controls
are assessed below
the maximum (at
medium or low risk)
the assessment must
be supported by
tests of control.

Overall response to assessed risk may include

(1) emphasizing to the audit team the need

to maintain professional skepticism in
gathering and evaluating audit evidence
(2) assigning more experienced staff or
assigning staff with special skills or using
experts.
(3) providing more supervision.
(4) incorporating additional elements of
unpredictability in the selection of further
audit procedures to be performed.

NET Nature - Extent

and Timing
Nature of audit procedures refers to both their purpose
(tests of controls or substantive procedures) and their
type (inspection, observation, inquiry, confirmation,
recalculation, reperformance, or analytical procedures ).

Extent generally means the quantity of an audit

procedure to be performed (e.g., the size of an audit
sample or the number of observations).

Timing refers to when audit procedures are performed or

the period or date to which the audit evidence applies.

The Audit Planning Memo Includes

Background information
The objectives of the audit
The assessment of engagement risk and potential
follow-up
An identification of other auditors or experts that will
be relied upon in the audit
An assessment of materiality.
Inherent risks

Audit Planning Memo Also Includes

Conclusions regarding the control environment
Classification of the clients CIS environment
An evaluation of the quality of the accounting and
internal control systems
Audit approach for each account balance and audit
objective for which an inherent risk has been
identified.
The timing and scheduling of audit work.
Audit budget, detailed for each level of expertise
available in the audit team.

Audit Plan (Audit Program)

The auditor should develop
an audit plan in order to
implement the overall audit
strategy.
The audit plan (program)
serves as a set of instructions
to assistants involved in the
audit and as a means to
control and record the proper
execution of the work.
(Illustration 8.9)

Tests of Controls
TESTS OF CONTROLS are audit procedures to
test the effectiveness of control policies
and procedures in support of a reduced
control risk.

Tests of controls are necessary in two circumstances. (2006

ISA 500 not in text)

1. When the auditors risk assessment includes

an expectation of the operating effectiveness
of controls, the auditor is required to test
those controls to support the risk
assessment.
2. When substantive procedures alone do not
provide sufficient appropriate audit
evidence, the auditor is required to perform
tests of controls to obtain audit evidence
about their operating effectiveness.

Timing of Tests of
Controls
The timeliness of evidential matter is about when the
evidence was obtained and the portion of the audit
period to which it may be applied.
some tests of controls, such as observation of inventory,
pertain only to the point in time at which the auditing
procedure was applied
the auditor performs other tests that are capable of
providing audit evidence that the control operated
effectively at relevant times during the audit period.

Extent of Tests of Control

The more reliance the
auditor puts on controls
in their audit, the
greater is the extent
(amount) of the
auditors tests of
controls. In addition, as
the rate of expected
variability of the control
increases, the auditor
increases the extent of
testing of that control.

Evaluate Sufficiency and Appropriateness of

Audit Evidence
What is sufficient appropriate audit evidence is
influenced by such factors as the:
Significance of the potential misstatement
Effectiveness of managements responses and controls
to address the risks.
Experience gained during previous audits with respect
to similar potential misstatements.
Results of audit procedures performed,
Source and reliability of the available information.
Persuasiveness of the audit evidence.
Understanding of the entity and its environment,
including its internal control.