
1. Process for assessing control risk

Audit Risk

Audit risk is the risk of expressing an inappropriate audit opinion on financial
statements that are materially misstated. The purpose of the audit is to reduce this
audit risk to a low level that is acceptable to the auditor. Audit risk has two main
elements, as follows:

1. Inherent Risk and Control Risk:

The financial statements may contain material misstatements. This risk arises from
the entity's objectives and operations and from the design and implementation of
internal control by management.

2. Detection Risk:

The auditor may fail to detect material misstatements in the financial statements. This
risk depends on the nature and extent of the audit procedures performed by the auditor.

Assessing Control Risk

After obtaining an understanding of the design and implementation of internal
controls, the auditor makes an initial assessment of control risk as part of the auditor's overall
assessment of the risks of material misstatement. In some circumstances, the auditor
may learn that weaknesses in controls are so significant that the client's financial
statements cannot be audited. Before making a preliminary assessment of control risk
for each material class of transactions, the auditor must first determine whether the
entity is auditable. The objective of assessing control risk is to measure control risk by
attributing significant control deficiencies and material weaknesses to the transaction-
related audit objectives. The steps for assessing control risk are as follows:

1. Assess whether the financial statements can be audited

The two main factors that determine whether financial statements can be audited are
the integrity of management and the adequacy of accounting records.
In a complex information technology environment, much transaction information is only
available in electronic form without producing a real audit trail of documents and records. In
such cases, the company can usually still be audited, but the auditor must assess whether they
have sufficient expertise to obtain evidence in electronic form and can assign personnel with
adequate information technology experience and skills.

2. Determining Control Risk Assessment Supported by Understanding and Assuming Controls that Have Been Implemented.

After obtaining an understanding of internal control, the auditor makes a preliminary
assessment of control risk as part of the auditor's overall assessment of the risks of material
misstatement. This assessment is a measure of the auditor's expectation that internal control is
capable of preventing material misstatements from occurring or detecting and correcting
them when they have occurred. The auditor makes a preliminary assessment of materiality for
each transaction-related audit objective for each major transaction type during each
transaction cycle. The auditor must also make a preliminary assessment of control risk
affecting the audit objectives for the balance sheet accounts and the presentation and
disclosures in each of these cycles.

3. Using the Control Risk Matrix to Assess Control Risk

Many auditors use a control risk matrix to assist them in the process of measuring control
risk. The purpose of using the matrix is to provide an easy way to organize control risk for
each audit objective. The auditor uses the same control risk matrix format to assess control
risk for balance-related and presentation and disclosure audit purposes.

• Identifying Audit Objectives. The first step in the assessment is to identify the audit
objectives for the groups of transactions, balances, and presentation and disclosures specified
in the assessment. For example, the auditor makes an assessment on the occurrence objective
for sales and a separate assessment on the completeness objective.

• Identifying Existing Controls. The auditor uses the information discussed in the previous
section, on obtaining and documenting an understanding of internal control, to identify controls
that affect the achievement of transaction-related audit objectives. One way to do this is to
identify the risks to meeting each audit objective. The same can be done for all other objectives.
It is also very useful for the auditor to use the five control activities (segregation of duties,
proper authorization, adequate documents and records, physical protection of assets, and
independent checks of work) as a reminder of controls. The auditor must identify and include
only those controls that are expected to have a significant effect on achieving the
transaction-related audit objectives. These are often referred to as key controls. The reason for
including only key controls is that they will be sufficient to achieve the transaction-related
audit objectives and also provide audit efficiency.

• Linking Controls to Related Audit Objectives. Each control satisfies one or more audit
objectives.

• Identify and evaluate control deficiencies, significant deficiencies and material weaknesses.
The auditor must assess whether key controls exist in internal control over financial
statements as part of evaluating control risk and possible misstatements in the financial
statements.

4. Identification of Deficiencies, Significant Deficiencies and Material Weaknesses

The five-step approach can be used to identify deficiencies, significant deficiencies and
material weaknesses, as follows:

1. Identify existing controls. Deficiencies and material weaknesses arise from a lack of
adequate controls, so the auditor must first find out which controls already exist.

2. Identify missing key controls. Internal control questionnaires, cash flow charts and
tracking are useful tools for identifying where there are deficiencies in controls and where
the likelihood of misstatements occurring is thereby increased. It is also useful in testing the
control risk matrix.

3. Consider the possibility of replacement controls. Replacement controls are existing controls
in a system that can cover key control weaknesses.

4. Determine whether there are significant deficiencies or material weaknesses. The
probability of misstatement and its materiality are used to evaluate whether there are
significant deficiencies or material weaknesses.

5. Communication with Those Responsible for Corporate Governance and Management Memo

As part of understanding internal control and assessing control risk, the auditor is required to
communicate on a number of matters with those responsible for implementing corporate
governance. This information and other recommendations regarding internal control are
frequently communicated to management.

• Communication with those charged with corporate governance. The auditor must
communicate significant deficiencies and material weaknesses in writing to those charged
with corporate governance as soon as the auditor becomes aware of their occurrence. Timely
communication can provide an opportunity for management to address control deficiencies
before management's report on internal control must be issued.

• Management memo. In addition to the above, the auditor often identifies issues related to
internal control that are less significant, as well as opportunities for the client to make
operational improvements. These must be communicated to the client. The communication
often takes the form of a separate letter for that purpose, called a management memo. Although
management memos are not required by auditing standards, auditors usually provide them as
a value-added audit service.

Auditing standards define three levels of the absence of internal control, as follows:

1. A control deficiency occurs when the design or implementation of controls does not allow
company personnel to prevent or detect misstatements in a timely manner.

2. A significant deficiency occurs when one or more control deficiencies result in a
more than small probability that a material misstatement will not be prevented or detected.

3. A material weakness arises when a significant deficiency, by itself or together with other
significant deficiencies, results in a more than small possibility that internal control is unable
to prevent or detect material misstatements in the financial statements. To determine whether
an internal control deficiency is a significant deficiency or a material weakness, it must be
evaluated along two dimensions, namely likelihood and significance.

Assessing control risk is the process of evaluating the effectiveness of the entity's
internal controls in preventing or detecting material misstatements in the financial
statements. Information processing controls include general control procedures and
application control procedures. In addition, the auditor should also be aware of manual
follow-up procedures for transactions identified by application controls and the possibility
that user controls directly relate to an assertion.

2. Control risk assessment of the information and technology environment:

IT CONTROL ASSESSMENT

The procedure for assessing the effect of controls is the same whether manual controls,
IT controls, or both are used. The steps include:

• Consider the information obtained from the procedures used to gain an understanding.

• Identify any errors in the statement.

• Identify the controls needed to prevent or detect and correct these errors.

• Conduct inspection and monitoring.

• Evaluate evidence and make judgments.

It should be remembered that tests of controls are performed to demonstrate the design
or operating effectiveness of controls. In a computerized system, controls may or may
not provide tangible evidence, while computers provide tangible evidence verification to
check the functionality of procedures and evaluate their effectiveness. Tests of IT
controls may include document reviews. Assuming that the index is not computer
generated, the control tests need to include CAAT.

STRATEGIES FOR EXERCISING CONTROL

There are three strategies for assessing control risk:

• Assess control risk based on user controls.

• Design a low control risk assessment based on application controls.

• Design follow-up risk assessments based on general controls and manual monitoring.

Application Control

The auditor must develop a strategy to assess control risk based on
low-level computer application controls. To implement this strategy, the auditor must:

• Test computer controls.


• Test general computer controls.

• Test manual checks for dispensations recorded by its application controls.

All three are crucial to this strategy for testing controls. If the auditor relies on
computer-assisted audit management, its application should be personally tested using
computer-assisted audit techniques (CAAT).

User Control

In some cases, the client can schedule manual procedures to test the completeness and
accuracy of computer-processed transactions. For example, an administrator who
knows of a deal under his control can see a list of purchases that will be charged
to the account. Alternatively, someone from the business department can match the
computer-generated results against the original documents supporting the agreement.
Although both controls can detect and correct errors, the latter control is implemented
at a more detailed level and can provide a greater degree of assurance of errors being
found and corrected.

General inspection and control procedures

The Internal Control Audit Guide provides audit tactics that require the auditor to
perform the task according to the general audit effectiveness demonstration and manual
monitoring procedures.

The auditor can draw conclusions about the effectiveness of application controls in
identifying exceptions by interviewing experienced persons who perform manual
monitoring procedures. For example, they can understand the transaction flow in
sufficient detail to anticipate events that should appear in exception reports. If the
incident is on the exception report, the auditor can draw conclusions about
programmed control measures. This data may be sufficient for the auditor to assess
control risk at a high level, but auditors should test programs directly using computer
auditing techniques when they wish to test control risk at moderate or low levels.

COMPUTERIZED INSPECTION TECHNIQUES


Computer inspection techniques use the computer itself to test application controls
directly. This test is also often used when testing program input validation and
processing control routines. The examiner can detect interference in the use of the test
computer if:

• An important part of internal control is contained in computer programs.

• There is considerable wiggle room in the visible audit trail.

• There is a large dataset of records that needs to be tested.

The disadvantage of this technology itself is that it requires special knowledge and
expertise, which can cause disruption to the client's IT controls in the future when the
auditor uses IT tools, programs and files. Core computer testing techniques are used to
test the performance of certain application controls, namely parallel simulation, data
testing, integrated testing services, and monotonous online monitoring of real-time
systems.
