
Auditing and Assurance Services

Seventeenth Edition, Global Edition

Chapter 11
Assessing Control Risk and
Reporting on Internal Controls

Copyright © 2020 Pearson Education Ltd. All Rights Reserved.


Learning Objectives (1 of 2)
11.1 Obtain and document an understanding of internal
control
11.2 Assess control risk by linking key controls and control
deficiencies to transaction-related audit objectives
11.3 Describe the process of designing and performing tests
of controls
11.4 Understand how control risk impacts detection risk and
the design of substantive tests



Learning Objectives (2 of 2)
11.5 Understand requirements for auditor reporting on
internal control (skip)
11.6 Describe the differences in evaluating, reporting, and
testing internal control for nonpublic and smaller
public companies (skip)
11.7 Describe how the complexity of the IT environment
impacts control risk assessment and testing



Learning Objective 11.1
Obtain and document an understanding of internal control



Obtain and Document Understanding of Internal
Control (1 of 3)
• Auditors need to understand the design and implementation of controls that are
relevant to the audit to identify and assess the risks of material misstatements
• There are four steps in this process:
1. Obtain and document understanding of internal control design and operation
(what control does the client have + document it)
2. Assess control risk (what is their CR)
3. Design, perform, and evaluate tests of controls (Test their control to see if it is
good or bad)
4. Decide planned detection risk and substantive tests (Calculate DR + do
remaining test)

– Client has good internal control → auditors have lower audit effort (and vice versa)



Obtain and Document Understanding of Internal
Control (2 of 3)
• Auditors commonly use three types of documents to obtain and
document their understanding of the design of internal control:
– Narratives – a written description of a client’s IC (like writing an essay,
but difficult to read if the system is complex)
– Flowcharts – a diagram of the client’s documents and their sequential flow
in the company (easy to read)
– Internal control questionnaires – ask a series of questions about
controls in each audit area as a means of identifying IC deficiencies
(already standardized, so easy to use, but might not fit every
client)
▪ E.g. Does someone review the invoice before sending it out?
▪ The team then answers Yes / No



Obtain and Document Understanding of Internal
Control (3 of 3)
• Auditors use the following methods to evaluate whether the controls are
implemented:
– System walkthrough – the auditor selects one or a few documents of a
transaction type and traces them from initiation through the entire
accounting process (staff walk you through it, and along the way you ask
where the sales form goes next)
– Make inquiries of client personnel (purely ask questions)
– Inspect documents and records (Check the records)
– Observe entity activities and operations



Figure 11.1 Process for Understanding
Internal Control and Assessing Control
Risk



Learning Objective 11.2
Assess control risk by linking key controls and control
deficiencies to transaction-related audit objectives



Assess Control Risk (1 of 4)
• The auditor obtains an understanding of the design and implementation
of internal control to:
– Make a preliminary (= initial) assessment of control risk
▪ Meaning of CR: It is a measure of the auditor’s expectation that
internal controls will prevent material misstatements from occurring
or detect and correct them if they have occurred
▪ To have an initial estimation of CR

Q: Why do we need to know what controls there are?
A: To enable auditors to assess control risk



Assess Control Risk (2 of 4)
• Many auditors use a control risk matrix to assist in the control risk assessment
process at the transaction level (see Textbook p.341 for a sample matrix)
• The purpose is to provide a convenient way to organize assessing control risk for
each audit objective
• Components of the control risk matrix include:
– Identify audit objectives (Top row)
– Identify existing controls (Each row)
– Associate controls with related audit objectives (Those inputs C)



Assess Control Risk (3 of 4)
• Auditors must evaluate whether key controls are absent in the design and
implementation of internal control over financial reporting as a part of evaluating
control risk and the likelihood of financial statement misstatements
– Find the missing control

• Auditing standards define three levels of the absence of internal controls:
1. Control deficiency – likely that misstatement cannot be prevented or detected
on a timely basis (Not that bad)
2. Significant deficiency – merits management’s attention (Not as bad as a material
weakness, but management should know about it)
3. Material weakness – reasonable possibility that misstatement cannot be
prevented or detected (High chance of an error occurring + effect of the error is material)



Assess Control Risk (4 of 4)
• A five-step approach can be used to identify deficiencies, significant deficiencies,
and material weaknesses:
1. Identify existing controls
2. Identify the absence of key controls
3. Consider the possibility of compensating controls
▪ Something else compensates for the missing control – that’s fine
▪ e.g. in a small company the owner can compensate for the absence of
controls – the owner would check
4. Decide whether there is a significant deficiency or material weakness
▪ There is no absolute definition – it depends on your professional judgment
5. Determine potential misstatements that could result



Figure 11.4 Evaluating Significant
Control Deficiencies

Source: Michael Ramos, “Section 404 Compliance in the Annual Report,” Journal of Accountancy, October 2004,
pp. 43–48. Copyright by American Institute of CPAs. All rights reserved. Used with permission.



Let’s Discuss (1 of 7)
• What is a walkthrough of internal control?
– What is its purpose? To understand the client’s IC
• Describe how the nature of evidence used to evaluate the
control environment differs from the nature of evidence used to
evaluate control activities.
– Evidence for the control environment is more general
– Evidence for control activities is more specific



Learning Objective 11.3
Describe the process of designing and performing tests of controls



Tests of Controls (1 of 4)
• The procedures to test the effectiveness of controls in support of a reduced assessed
control risk (where assessed CR < 100% → controls are good) are called tests of
controls
– CR: the probability that IC cannot catch the error
– We only test controls when we think they are good, in order to verify that

• The auditor is likely to use four types of procedures to support the operating
effectiveness of internal controls: (example: imagine an internal control policy
which requires the supervisor to check the invoice before it is sent out)
– Make inquiries of appropriate client personnel
▪ Ask the supervisor what he does with the invoice
– Examine documents, records, and reports
▪ Look for any check marks / signatures on those invoices
– Observe control-related activities
– Re-perform client procedures



Tests of Controls (3 of 4)
• The extent to which tests of controls are applied depends on:
– The preliminary assessed control risk – the smaller the preliminary assessed CR,
the more you check
▪ If you think they are very good, you should check more
– Whether the control is manual or automated, and the frequency of the operation
of the control
▪ Automated → you could check less
▪ Manual → check more, human error is more random
▪ Control operates more often → check more
– Reliance on evidence from the prior year’s audit
▪ Last year was good, this year could test less → IC seldom changes
– Testing of controls related to significant risks
▪ E.g. controls related to sales → check more
– Testing less than the entire audit period
▪ E.g. 1H you test many → 2H you could test less



Tests of Controls (4 of 4)
• There is a significant overlap between tests of controls and procedures to obtain an
understanding (see slides 7 and 17)
– Both include inquiry, inspection, and observation

• There are two primary differences in the application of these common
procedures in the area of:
– Application of procedures – must perform the procedures to obtain an
understanding of controls; only perform the procedures to test the controls IF
ASSESSED CR < 100% (YOU THINK THEY ARE GOOD)
– Sample size – smaller for understanding the controls; larger for testing the
controls
– and timing – understanding can be done at any fixed point in time; testing
should be done to ensure controls are good at various points in time throughout
the year



Let’s Discuss (2 of 7)
• Describe the four steps performed by the auditor when obtaining
an understanding of internal control and assessing control risk.
See slide 5
• What is the purpose of a control risk matrix? Slide 11
• What four types of procedures are used by auditors to test
whether internal controls are operating effectively? Slide 17



Learning Objective 11.4
Understand how control risk impacts detection risk and the
design of substantive tests



Decide Planned Detection Risk and Design
Substantive Tests
• CR would affect DR:
– The auditor uses the control risk assessment and results of tests of
controls to determine planned detection risk and related substantive tests
for the audit of financial statements
• The auditor does this by:
– Linking the control risk assessments to the balance-related audit
objectives, including disclosure, for the accounts affected by the major
transaction types (see Chapter 12)



Let’s Discuss (3 of 7)
• During the prior-year audits of McKimmon, Inc., a private company, the
auditor did tests of controls for all relevant financial statement assertions.
Some of the related controls are manual while others are automated.
– Describe the extent to which the auditor can rely on tests of controls
performed in prior years.
– Test less this year: Controls tend to be quite stable. If they were good
last year, we can rely on last year’s evidence and test less this year.
– Test more for manual and less for automated



Let’s Discuss (4 of 7)
• How does the auditor use information obtained from the control risk
assessment and testing of controls to plan audit procedures?
– If preliminary assessed CR < 100% → test the controls
– If based on tests of controls, the controls are good → audit effort can
decrease
• If the auditor assesses control risk as high for a transaction-related audit
objective, what does that imply for detection risk and the level of substantive
testing? Audit risk model



Learning Objective 11.7
Describe how the complexity of the IT environment impacts
control risk assessment and testing



Impact of IT Environment on Control Risk
Assessment and Testing (1 of 3)
• The impact of general controls and application controls on audits is likely to
vary depending on the level of complexity in the IT environment
• When traditional source documents and accounting records exist only
electronically, the auditors must change their approach by auditing through
the computer



Impact of IT Environment on Control Risk Assessment
and Testing (2 of 3)
• Auditors use three approaches to test the effectiveness of automated controls
when auditing through the computer:
– Test data approach
▪ Test the IT system rule: use test data as input and see if the outputs match
our expectation → if they match, the control is good
▪ e.g. overtime payment: input exceeding 100 hours should be rejected → test by entering
200 hours and check how the computer responds
– Parallel simulation
▪ We copy the client’s program to our computer, and we ensure that copy is
good
▪ Verify using the client’s software vs. our software
– Embedded audit module approach
▪ We add the audit module into the client’s computer
▪ Send a request to identify all sales in the client’s computer
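
An added example (not from the textbook or the slides) of the test data approach and parallel simulation described above. The control function, the 1.5x overtime multiplier and every record are constructed stand-ins for a client system.

```python
from decimal import Decimal

OVERTIME_LIMIT = 100  # hours; the limit used in the slide's example

def client_accepts_overtime(raw_hours):
    """Hypothetical stand-in for the client's automated input control.
    It carries a flaw (negative hours pass) so the test data has something to find."""
    try:
        hours = float(raw_hours)
    except (TypeError, ValueError):
        return False
    return hours <= OVERTIME_LIMIT

# Constructed test data: (input, decision the auditor expects from the control)
TEST_DATA = [("40", True), ("100", True), ("100.5", False),
             ("200", False), ("-5", False), ("abc", False)]

def run_test_data(control, cases):
    """Test data approach: list inputs where the system's decision
    differs from the auditor's expectation as (input, expected, actual)."""
    exceptions = []
    for raw, expected in cases:
        actual = control(raw)
        if actual != expected:
            exceptions.append((raw, expected, actual))
    return exceptions

def auditor_overtime_pay(hours, rate):
    """Auditor-controlled recalculation (assumed rule: hours x rate x 1.5)."""
    pay = Decimal(hours) * Decimal(rate) * Decimal("1.5")
    return pay.quantize(Decimal("0.01"))

# Constructed client output: (employee, overtime hours, hourly rate, pay reported)
CLIENT_OUTPUT = [("E001", "10", "20.00", "300.00"),
                 ("E002", "8", "25.00", "300.00"),
                 ("E003", "12", "18.50", "350.00")]

def parallel_simulation(records):
    """Parallel simulation: rerun the client's real data through the auditor's
    program and list (employee, client pay, auditor pay) where they disagree."""
    diffs = []
    for employee, hours, rate, client_pay in records:
        expected = auditor_overtime_pay(hours, rate)
        if expected != Decimal(client_pay):
            diffs.append((employee, Decimal(client_pay), expected))
    return diffs

if __name__ == "__main__":
    print("Test data exceptions:", run_test_data(client_accepts_overtime, TEST_DATA))
    print("Parallel simulation differences:", parallel_simulation(CLIENT_OUTPUT))
```

The test data run covers the boundary (100 vs. 100.5 hours) and invalid inputs as well as the 200-hour case, which is how the negative-hours gap surfaces even though the over-limit rule itself works.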
