Chapter 9 Notes


Chapter 9: Control Risk Assessment

Understanding and Evaluating Internal Controls

Risk Assessment Procedures

Recall that risk assessment procedures consist of the following types of procedures: inspection,
inquiry, observation and reperformance. Some types of risk assessment procedures used to
understand and evaluate internal controls are:

• Update and evaluate the auditor’s previous experience with the entity: start with what we
already know
• Make inquiries of client personnel: ask management, supervisors and staff to
explain their duties and ensure it lines up with the entity’s control documentation
• Examine documents and records: inspect to determine if information described in
flowcharts and narratives has been implemented
• Observe entity’s activities and operations: observe staff carrying out their normal
activities
• Perform a walk-through of the information system: Follow a transaction from its
origin through to the financial records – at each stage, make inquiries, observe activities,
and inspect documents. This is a type of reperformance.
• Understand ITGCs: depends on complexity of environment; can inquire of IT
personnel and key users, and examine flowcharts, manuals, program change requests,
and system testing results

Documenting the System of Internal Control

Three common methods:

1) Narrative: written description, includes origin of documents and records, all
processing, disposition of documents and records, and controls relevant to
assessment of control risk (typically segregation of duties, authorization and
approvals, and internal verification)

Example narrative for documenting credit sales process:

Sales order is received by fax or email. Check customer details against customer account balance
to see if the customer has exceeded its credit limit. If the customer has exceeded its limit, refer
the sales order to the credit manager (C. Cox) for approval. If approval is denied, refer the order
back to the sales manager to notify or discuss with the customer. If customer has not exceeded
its credit limit or the credit manager (C. Cox) has provided an approval to exceed the limit,
process the sale in the sales ledger.

2) Flowchart: diagram representing the flow of the client’s documents and processes

Example flowchart for credit sales process


3) Internal Control Questionnaire: pre-designed questionnaire with a series of
questions about the controls in each audit area – assists in gaining an
understanding of internal controls within the entity

Example Checklist for Documenting a Credit Sales Process

| Process step | Performed by | IT/reliance on electronic data (Yes/No?) |
|---|---|---|
| Customer places sales order and order is input into sales order program | | |
| Credit and/or credit terms approved | | |
| Order filled and prepared for shipment | | |
| Shipping/delivery documents prepared | | |
| Order shipped/delivered to or picked up by customer | | |
| Sales invoice prepared | | |
| Prices (or deviations from standard prices) approved | | |
| Invoice reviewed for accuracy and mailed/delivered to customer | | |
| Sales journal produced | | |
| Sales journal summarized and posted to general ledger and trade receivables detail | | |

Evaluate system of internal control

Overview of Evaluation of Internal Control System:


1) Evaluate the design of controls
2) Determine if controls have been implemented appropriately
3) Evaluate competence of people carrying out control
4) Evaluate the adequacy of IT

If auditors plan to rely on certain controls to mitigate risk, then those controls must be
tested.

What would determine whether an auditor would decide to rely on the controls (or not)?

• If performing the test of controls will improve audit efficiency – for example, by
testing the control, it means less substantive testing can be done.
• If it is necessary due to the automation of the controls, and substantive testing
cannot be done.

When testing of controls is done, there are three levels of concern:

1) Control deficiency: Design deficiency if control is missing or not properly designed;
operation deficiency if a well-designed control does not operate as intended
2) Significant deficiency: One control deficiency, or a combination of control deficiencies,
that merits being brought to the attention of Those Charged With Governance (examples
below)
3) Material weakness: Exists if a significant deficiency, by itself or with others, could
indicate that internal controls will not prevent or detect material financial
misstatements.

Some examples of a significant deficiency:

• Fraud that involves senior management
• Deficiencies from previous audits that haven’t been corrected
• Management’s failure to respond to significant risks
• Restatement of previously issued financial statements

Note that a material weakness does not mean a material misstatement has occurred. It simply
means that controls are not in place to prevent or detect a material misstatement.

When assessing controls, the auditor will consider if there are compensating/mitigating
controls – for example, in a small company, lack of segregation of duties can be mitigated
by an owner being actively involved in the business and doing regular review of all
reporting.

If there are not adequate controls in place, we must do more substantive testing (test of
details).

Auditors are expected to understand and evaluate the following control activities:

1) Controls that address significant risks (may be manual or automated)
2) Controls over journal entries
3) Controls that the auditor plans to test to confirm they are working effectively
4) Controls the auditor considers to be appropriate (e.g. reconciling controls, transactions
processed by a service center like a payroll system)

Controls of outsourced systems: many businesses use service centers for processing
transactions, such as payroll, or investment brokers. This presents a challenge because the
auditor can’t assume controls at the service center are appropriate, but the auditor can’t
easily test since it’s an independent business.

• Because of this, many service providers have an audit report done called a “Service
Auditor Report” that can be provided to their client’s auditors and describes their
design of controls (Type 1), OR, their design and effectiveness (Type 2)

Control Risk Assessment

Auditors need to understand internal control and use risk assessment procedures to
assess the design and implementation of any controls relevant to the audit. This is required
even when the auditor is not intending to place any reliance on the controls.

Overall Financial Statement Level risk (OFSL) focuses on controls that address pervasive
risks.

Controls at the assertion level address transaction risks (mostly control activities).

Typically start with considering the control environment – if it is weak, we expect operating
effectiveness of controls to be low (meaning control risk is high).

Preliminary Control Risk Assessment

• Based on evaluation of the design and implementation of the control activities component.
• Control risk is assessed for each relevant assertion

Audit Approach

Three choices when developing audit approach to address identified RMM at the assertion
level:

1) Test of Controls only (not common – only in highly automated situations with no
way to test transactions – would not be appropriate for full audit approach but may
work for some assertions)
2) Test of Substantive procedures only (poor control environment, can only rely on
transactional detail and place no reliance on controls OR it is inefficient to test the
controls)
3) Combined approach using both test of controls and substantive procedures

If auditors do not plan to test controls, then RMM = IR (Risk of Material Misstatement
is equal to Inherent Risk)

NOTE: Testing controls at the risk assessment stage is different than in the audit stage.
Remember that Risk Assessment procedures are NOT intended to be used as audit
evidence. So why perform tests of controls again if auditors have already done the risk
assessment procedures? Because the evidence gathered in the risk assessment process is
not extensive enough to conclude on the effectiveness of controls for audit purposes. That
is to say, the audit test of control procedures are more comprehensive than the risk
assessment. The primary difference is the extent of procedures performed. In Risk
Assessment, auditors may examine one or two transactions, or observe at one point in
time, whereas in Audit Procedures, tests of controls are performed on larger samples, and
often with more than one observation.

Why do tests of controls instead of all substantive procedures? It can be more efficient as
controls testing usually has smaller sample sizes (Often, ITGCs only require 1 sample!).
Controls may also be rotated every 3 years (more on that later), meaning less testing.

Test of Controls

Auditors design and perform tests of controls:

1) When auditors’ assessment of RMM at the assertion level includes an expectation
that controls are operating effectively.
2) When substantive procedures cannot provide sufficient, appropriate audit evidence.

Focus is on whether the control worked (or not) to prevent or detect misstatements.

Controls will only be tested in the audit when:

1) They are well designed
2) They are in use
3) They are expected to be operating reliably throughout the period

When developing procedures to test effectiveness of controls, auditor will use inquiry,
inspection, observation and reperformance.

• Inquiry with appropriate personnel
• Inspect documents, reports and records
• Observe control related activity being performed
• Reperform client procedures
  o This can also be automated using audit software

Extent of Tests

When the auditor is placing high reliance on controls (that is, Control Risk is assessed at
Low), the evidence needs to be more persuasive and auditors need to consider the
following:

• Frequency – does the control happen once a year? Quarterly? Monthly?
• Expected rate of deviation – Sample size increases when expected rate of
deviation increases. For example, manual controls are performed by people,
therefore are more prone to error or manipulation. As a result, it is expected there
will be deviations, so sample sizes are larger.
• Rotational Testing – Controls are required to be tested every 3 years, on a
rotational basis – meaning a proportionate amount of testing needs to be done
each year. If a control relates to a significant risk, or was changed in the year, it needs
to be tested regardless of the 3 year rule.
• Evidence from other controls tests – when auditors test several controls for one
assertion, extent of testing can be reduced.

Suggested extent of testing

| Frequency | Reasonable Assurance from Test of Controls | Limited Assurance from Test of Controls |
|---|---|---|
| > 1,000 instances | 25–40 | 10–20 |
| Daily | 25–40 | 10–20 |
| Weekly | 5 | 2 |
| Monthly | 2 | 1 |
| Quarterly | 2 | 1 |
| Annually | 1 | 1 |
| Other | Professional Judgement | Professional Judgement |
| Application control (effective ITGCs) | 1 | 1 |

Changes in the IT System

When an entity changes its entire IT system, the new system controls need to be
documented, and the way the data conversion was performed needs to be audited, including:

• Tests comparing details from the new system to those of the old system (ensure
accurate, authorized information has been transferred)
• Tests comparing details from the old system to the new system (ensure accuracy and
nothing missing)
• Cut off testing (ensure transactions are included in the appropriate system
and not omitted)
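
The three conversion tests above, reperformed in code as an added example (it is not part of the original notes). The record layout, field names, cutover date and sample rows are all constructed assumptions.

```python
from datetime import date

def rec(customer, cents, posted):
    """One ledger record; the field names are assumptions for this example."""
    return {"customer": customer, "amount_cents": cents, "posted": posted}

CUTOVER = date(2023, 7, 1)  # assumed first day of processing in the new system

# Constructed sample data, keyed by invoice number.
OLD_SYSTEM = {
    "INV-1001": rec("C-17", 125000, date(2023, 6, 28)),
    "INV-1002": rec("C-04", 31050, date(2023, 6, 29)),
    "INV-1003": rec("C-22", 97500, date(2023, 6, 30)),
    "INV-1004": rec("C-09", 8800, date(2023, 7, 1)),     # entered after cutover
}
NEW_SYSTEM = {
    "INV-1001": rec("C-17", 125000, date(2023, 6, 28)),
    "INV-1002": rec("C-04", 30150, date(2023, 6, 29)),   # amount changed in transfer
    "INV-1005": rec("C-17", 42000, date(2023, 7, 2)),    # genuine post-cutover sale
    "INV-9999": rec("C-31", 500000, date(2023, 6, 15)),  # no source record
}

def conversion_exceptions(old, new, cutover):
    """Return the invoice numbers that fail each conversion test."""
    found = {"unsupported_in_new": [], "mismatched": [],
             "missing_from_new": [], "cutoff": []}
    # Test 1, new -> old: every converted (pre-cutover) record in the new
    # system must trace to an identical record in the old system.
    for key, record in new.items():
        if record["posted"] >= cutover:
            continue  # originated in the new system, so not a converted record
        if key not in old:
            found["unsupported_in_new"].append(key)
        elif record != old[key]:
            found["mismatched"].append(key)
    for key, record in old.items():
        # Test 2, old -> new: nothing dated before cutover may be dropped.
        if record["posted"] < cutover and key not in new:
            found["missing_from_new"].append(key)
        # Test 3, cut-off: nothing dated on or after cutover belongs in the old system.
        if record["posted"] >= cutover:
            found["cutoff"].append(key)
    return {name: sorted(keys) for name, keys in found.items()}

if __name__ == "__main__":
    for name, keys in conversion_exceptions(OLD_SYSTEM, NEW_SYSTEM, CUTOVER).items():
        print(f"{name}: {keys or 'none'}")
```

Each direction catches a different failure: the new-to-old pass surfaces records with no source and altered values, while the old-to-new pass surfaces dropped records.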

Example of test of control working paper

Auditor Reporting on Internal Control

Auditors are required to communicate significant deficiencies and material weaknesses to
Management and Those Charged with Governance with an “Internal Control Letter”. For
less significant internal control related issues, and opportunities for operational
improvement, a separate letter is issued called a “Management Letter.” In both cases, the
communication includes a description of deficiency and a recommendation of how to
resolve it.

This is often tested on CPA cases, and the recommended approach is the “WIR”
method:

W: Weakness

I: Implication

R: Recommendation

Each “W” will tie into either a control weakness or an inefficiency:

• Lack of segregation (ie 1 person can’t do 2 of Accounting / Authorization / Access to
Asset)
• No approval/authorization prior OR no reconciliation/review after
• Poor safeguarding of assets
• Poor recordkeeping (not done on timely basis)
• Inefficiency in operations (ie not taking volume discounts by combining purchases)

EXAMPLE of WIR

• Weakness: factory supervisor (use name from case?) can both hire an employee
and enter them into the pay system without any other approval/authorization

• Implication: a fictitious (or incompetent) employee could be hired

• Recommendation: (= control procedure) have all hirings approved by the payroll
dept in writing with approval by a superior to the factory supervisor

Developing procedures:
RAP
R: Risk
A: Account and Assertion
P: Procedure

For the Procedure part of “RAP”…


VOOP
V: Verb ie: inspect, recalculate, inquire
O: Object (Which Population is the sample being pulled from?)
O: Object (What documents you want the sample agreed to?)
P: Purpose and Procedure (why it’s being done and what we’re looking at)

For Verbs in “VOOP” (Evidence Gathering Techniques):


Technique | Test of Controls | Substantive – Test of Details | Substantive – Analytical Procedures
Confirmation X
Inspection X X
Inquiry X X X
Recalculation X X
Observation X X
Analytical Procedures X
Reperformance X X

Evidence Gathering Techniques:


CIIROAR
C: Confirmation
I: Inspection
I: Inquiry
R: Recalculation
O: Observation
A: Analytical Procedures
R: Reperformance

Example Question – Testing Controls #1

You are testing the controls over bank accounts for your audit client, Manitoba Ltd. You
note that the responsibility for bank reconciliations has changed due to a corporate
reorganization halfway through the current financial year. Both the staff member
performing the bank reconciliations and the supervisor have changed. You are only able to
talk to the current staff member and supervisor because the other staff took voluntary
retirement and left the client’s employment three months ago.

a) What techniques are available to you to gather evidence about the bank
reconciliations? Explain how you would use each technique and comment on the
quality of the evidence obtained from each.
b) When you ask the employees responsible for bank reconciliations about how they
perform the reconciliations, there is a possibility that they will not tell the whole
truth about their performance of the reconciliations. Given this, will you bother to
ask them? Explain.
c) Explain the impact of the staff changes on your control testing program.

Example Question – Testing Controls ANSWER #1

a) Techniques available:

• Inquiry, Observation, Inspection of physical evidence and re-performance

• Completed bank recs can be inspected for evidence of errors and follow up

b) Yes, but using professional skepticism, being alert to possible errors or fraud. Auditor
can’t assume staff would lie, but also can’t rely on staff statements alone.

c) Auditor would require evidence that performance of the bank rec was similar in different
periods.

Example Question - Control testing results and documentation #2

Arne Eklund, the audit senior, is reviewing the working papers written by the audit assistant
on the audit of Quebec Creepers, a nursery and retailer of garden accessories. Arne reads
the following description of the results of testing of inventory controls written by the audit
assistant:

The Inventory Manager advises that no changes have been made to the inventory
programs during the current financial year. There are no documents on file authorizing
program changes, so I conclude the Inventory Manager’s statement is true. The Inventory
Manager also advises that management did not attempt to override any controls relating
to inventory. There are no memoranda or emails from management on file instructing the
Inventory Manager to go against procedures, so I conclude the Inventory Manager’s
statement is true.

The audit assistant concludes that the inventory controls have not been changed or
overridden during the financial year, so the results of the interim testing of controls can be
relied on.

Required:

a) Examine the statements by the audit assistant. What deficiencies in the testing can
you identify?
b) If the results of testing one control show that the control is not effective, does the
auditor have to increase substantive testing? What other options are available to the
auditor?
c) Explain why it is important for the working papers to be completed with sufficient
detail for another auditor to understand what has been done. Make a list of the
parties who might review the documents.

Example Question - Control testing results and documentation #2 ANSWER

a) Audit assistant is incorrectly interpreting an absence of evidence of an event as
evidence of the absence of an event. There needs to be direct evidence that there
were no changes or overrides. Auditors will need to do further testing.

b) Other options include:

• Testing other controls that could perform the same function

• If not available, auditor must increase substantive testing

c) Working papers must be completed with sufficient detail because:

• Senior staff will be reviewing the results and need to ensure all appropriate steps
were taken when performing the work

• Audit partner must sign off on the work and on audit opinion, which should be based
on sufficient, appropriate audit evidence.

• Regulators (CPAB, CSA, CPA) may review samples of work as audit quality is
monitored

• Working papers could be used as evidence in legal disputes

• General rule: Work should be sufficiently documented to allow another auditor to
conduct the exact same tests and come to the same conclusion.
