Assessing Control Risk / Tests of Controls
Learning Check
Assessing control risk is the process of evaluating the effectiveness of an entity's internal controls in preventing or detecting material misstatements in the financial statements.
Control risk should be assessed in terms of individual financial statement assertions.
10-2. In assessing control risk for an assertion, the auditor should perform the following five steps:
1. Consider knowledge acquired from procedures to obtain an understanding about whether controls pertaining to the assertion have been designed and placed in operation by the entity's management.
2. Identify the potential misstatements that could occur in the entity's assertion.
3. Identify the necessary controls that would likely prevent or detect the misstatements.
4. Perform tests of controls on the necessary controls to determine the effectiveness of their design and operation.
5. Evaluate the evidence and make the assessment.
In identifying both potential misstatements and necessary controls, the auditor typically uses either (1) computer software that analyzes responses to specific questions input for computerized internal control questionnaires or (2) checklists developed for the same purpose.
Evidence obtained from procedures to obtain an understanding should be used by the auditor to (1) identify types of potential misstatements and (2) consider factors that affect the risk of material misstatements, such as whether controls necessary to prevent or detect the misstatements have been designed and placed in operation. This knowledge should enable the auditor to make an initial assessment of control risk for an assertion. During this process the auditor may obtain some evidence about the effectiveness of the design and operation of internal controls. However, such evidence rarely is sufficient to allow the auditor to assess control risk at moderate or low.
Evidence obtained from tests of controls pertains to the effectiveness of the design and/or operation of the control tested and may be used in making a final assessment of control risk for an assertion.
Guidelines concerning the tolerable frequency of deviations from the proper performance of a control are used as follows:
• If test results lead the auditor to conclude that the frequency of deviations is less than or equal to the tolerable level, the operation of the control is considered effective.
• If it is concluded that the frequency of deviations exceeds the tolerable level, the control is considered ineffective.
10-6. Among the qualitative factors that should be considered in forming a conclusion about the effectiveness of a control policy or procedure are (1) the cause of deviations and (2) whether a deviation is attributable to unintentional errors or to deliberate misrepresentations (fraud).
Three strategies that the auditor might use when testing a system of internal controls that use information technology include:
1. Assessing control risk based on user controls.
2. Planning for a low control risk assessment based on application controls.
3. Planning for a high control risk assessment based on general controls and manual follow-up.
The auditor might assess control risk as low based on two of the three above strategies, assuming that the evidence shows that the controls are effectively designed and placed in operation. First, the auditor can assess control risk as low based on user controls, such as effective performance reviews by management. Second, the auditor can assess control risk as low based on effective computer application controls. This strategy also involves effective manual follow-up of exceptions noted by application controls.
The auditor can assess control risk as high based on...