Chapter 12
Assessing Control Risk and Reporting on Internal
Control
Process for Understanding Internal Control and Assessing Control
Risk
Obtain and
document
understanding of
internal control Phase I
design and
operation
Assess control risk Phase II
Design, perform,
and evaluate Phase III
tests of controls
Decide planned
detection risk and
substantive tests
Phase IV
Obtain and Document Understanding of Internal Control
Procedures to obtain an understanding, which involve gathering evidence about
the design of internal controls and whether they have been implemented, and
then uses that information as a basis for assessing control risk and for the
integrated audit.
a. Narrative : a written description of a client’s internal controls. A proper
narrative of an accounting system and related controls describes four
things:
1. The origin of every document and record in the system.
2. All processing that takes place.
3. The disposition of every document and record in the system.
4. An indication of the controls relevant to the assessmentof control risk.
b. Flowchart : An internal control fowchart is a diagram of the client’s
documents and their sequential fow in the organization. Flowcharts have
two advantages over narratives: typically they are easier to read and
easier to update.
c. Internal Control Questionnaire : An internal control questionnaire asks a
series of questions about the controls in each audit area as a means of
identifying internal control defciencies.
, Evaluating Internal Control Implementation
Update and Evaluate Auditor’s Previous Experience with the Entity It is especially
useful to determine whether controls that were not previously operating
effectively have been improved.
Make Inquiries of Client Personnel Auditors should ask management, supervisors,
and staff to explain their dutie helps auditors evaluate whether employees
understand their duties and do what is described in the client’s control
documentation.
Examine Documents and Records By examining completed documents, records,
and computer fles, the auditor can evaluate whether information described in
fowcharts and narratives has been implemented.
Observe Entity Activities and Operations further improves their understanding
and knowledge that controls have been implemented.
Perform Walkthroughs of the Accounting System In a walkthrough, the auditor
selects one or a few documents of a transaction type and traces them from
initiation through the entire accounting process. At each stage of processing, the
auditor makes inquiries, observes activities, and examines completed documents
and records. Walkthroughs conveniently combine observation, inspection, and
inquiry to assure that the controls designed by management have been
implemented.
Assess Control Risk
Determine Assessed Control Risk Supported by Understanding Obtained
Assessment of control risk — a measure of the auditor’s expectation that internal
controls will neither prevent material misstatements from occurring nor detect
and correct them if they have occurred; control risk is assessed for each
transaction- related audit objective in a cycle or class of transactions.
Use Control Risk Matrix to Assess Control Risk
Control risk matrix — a methodology used to help the auditor assess control risk
by matching key internal controls and internal control defciencies with
transaction-related audit objectives.
The Steps to Prepare Control Risk Matrix
1. Identify audit objectives
2. Identify existing controls emphasize on key controls
3. Associate controls with related audit objectives
4. Identify and evaluate control defciencies, signifcant defciencies, and
material weaknesses
Auditing standards defne three levels of the absence of internal controls:
Assessing Control Risk and Reporting on Internal
Control
Process for Understanding Internal Control and Assessing Control
Risk
Obtain and
document
understanding of
internal control Phase I
design and
operation
Assess control risk Phase II
Design, perform,
and evaluate Phase III
tests of controls
Decide planned
detection risk and
substantive tests
Phase IV
Obtain and Document Understanding of Internal Control
Procedures to obtain an understanding, which involve gathering evidence about
the design of internal controls and whether they have been implemented, and
then uses that information as a basis for assessing control risk and for the
integrated audit.
a. Narrative : a written description of a client’s internal controls. A proper
narrative of an accounting system and related controls describes four
things:
1. The origin of every document and record in the system.
2. All processing that takes place.
3. The disposition of every document and record in the system.
4. An indication of the controls relevant to the assessmentof control risk.
b. Flowchart : An internal control fowchart is a diagram of the client’s
documents and their sequential fow in the organization. Flowcharts have
two advantages over narratives: typically they are easier to read and
easier to update.
c. Internal Control Questionnaire : An internal control questionnaire asks a
series of questions about the controls in each audit area as a means of
identifying internal control defciencies.
, Evaluating Internal Control Implementation
Update and Evaluate Auditor’s Previous Experience with the Entity It is especially
useful to determine whether controls that were not previously operating
effectively have been improved.
Make Inquiries of Client Personnel Auditors should ask management, supervisors,
and staff to explain their dutie helps auditors evaluate whether employees
understand their duties and do what is described in the client’s control
documentation.
Examine Documents and Records By examining completed documents, records,
and computer fles, the auditor can evaluate whether information described in
fowcharts and narratives has been implemented.
Observe Entity Activities and Operations further improves their understanding
and knowledge that controls have been implemented.
Perform Walkthroughs of the Accounting System In a walkthrough, the auditor
selects one or a few documents of a transaction type and traces them from
initiation through the entire accounting process. At each stage of processing, the
auditor makes inquiries, observes activities, and examines completed documents
and records. Walkthroughs conveniently combine observation, inspection, and
inquiry to assure that the controls designed by management have been
implemented.
Assess Control Risk
Determine Assessed Control Risk Supported by Understanding Obtained
Assessment of control risk — a measure of the auditor’s expectation that internal
controls will neither prevent material misstatements from occurring nor detect
and correct them if they have occurred; control risk is assessed for each
transaction- related audit objective in a cycle or class of transactions.
Use Control Risk Matrix to Assess Control Risk
Control risk matrix — a methodology used to help the auditor assess control risk
by matching key internal controls and internal control defciencies with
transaction-related audit objectives.
The Steps to Prepare Control Risk Matrix
1. Identify audit objectives
2. Identify existing controls emphasize on key controls
3. Associate controls with related audit objectives
4. Identify and evaluate control defciencies, signifcant defciencies, and
material weaknesses
Auditing standards defne three levels of the absence of internal controls:
