1. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.1 Control Risk, Audit Planning and Test of Controls Principles of Auditing: An Introduction to International Standards on Auditing - Ch. 8 Rick Stephan Hayes, Roger Dassen, Arnold Schilder, Philip Wallage

2. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.2 Understanding, Assessing and Testing Internal Controls Assessment of control risk includes three steps: (See Illustration 8.1) (1) Obtaining an understanding of internal controls culminating in documentation of the controls (2) An initial assessment and response to assessed risk based on the design of internal controls culminating in an audit planning memorandum and audit plan (audit program). (3) A final assessment based upon test of controls of operating effectiveness

3. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.3 Illustration 8.1

4. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.4 Audit Risk, the risk that the auditor gives a wrong opinion based on the evidence, has three components: inherent risk, detection risk, and control risk Audit Risk Detection Risk Inherent Risk Control Risk

5. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.5 Procedures to obtain an understanding Procedures to obtain an understanding are procedures used by the auditor to gather evidence about the design and placement in operation of specific control policies and procedures.

6. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.6 Information System Understanding The auditor should obtain an understanding of the information system in the following areas:  The classes of transactions significant to the financial statements.  The procedures by which those transactions are initiated, recorded, processed and reported in the financial statements.  The related accounting records,  How the information system captures events and conditions,  The financial reporting process used to prepare the entity ’ s financial statements

7. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.7 Documentation of the Understanding of internal control (1) The discussion among the audit team regarding the susceptibility of the entity’s financial statements to material misstatement due to error or fraud. (2) The understanding obtained regarding each of the internal control components, the sources of information for the understanding, and the risk assessment procedures. (3) The results of the risk assessment both at the financial statement level and at the assertion level. (4) The controls evaluated as a result of identification of significant risks and risks for which it is not possible to reduce risks of material misstatement.

8. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.8 Common documentation techniques  narrative descriptions (Illustration 8.4, 8.5)  a written description of a client's internal control structure  internal control questionnaire (Illustration 8.6)  a series of questions about the controls in each audit area – mostly require “yes” or “no”  check lists (Illustration 8.7)  a list of controls that should normally be in place  flow charts (Illustration 8.8)  a symbolic, diagrammatic representation of the clients documents and their sequential flow in the organization.

9. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.9 Steps in Assessing Control Risks ¬ Determine financial statement assertion about significant account balances and transactions.  E.g., completeness of payables balance ­ Based on the assertions, determine audit objectives  E.g., 'all accounts payable are recorded' ¯ For each of these audit objective determine if you can rely on internal controls  E.g.,is the initial recording of purchase orders reviewed ® Identify the relevant internal controls for the most material financial statement assertion or audit objective  E.g., completeness – review cash disbursements after balance sheet date for unrecorded liabilities

10. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.10 When assessing controls the auditor looks for ‘weaknesses’ in the controls for two reasons: F to determine the nature and extent of the substantive tests to be performed I to formulate constructive suggestions for improvements. 3A management letter will contain communications of reportable conditions that are significant deficiencies in internal control

11. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.11  Weaknesses in internal control are the absence of adequate controls, which increases the risk of misstatements existing in the financial statements.  controls do not exist at all where there should be controls  controls are not operating properly.  In some cases, the presence of the weakness might be so important or pervasive that it may materially affect the financial statements. This is called a material weakness in internal control.

12. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.12 A four-step approach to identify significant weaknesses is sometimes recommended: 1 Identify existing controls. 2 Identify the absence of key controls (where controls are lacking). 3 Determine potential material misstatements that could result. 4 Consider the possibility of compensating controls. A compensating control is one elsewhere in the system that offsets a weakness.

13. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.13 If internal controls are assessed below the maximum (at medium or low risk) the assessment must be supported by tests of control.

14. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.14 Overall response to assessed risk may include (1) emphasizing to the audit team the need to maintain professional skepticism in gathering and evaluating audit evidence (2) assigning more experienced staff or assigning staff with special skills or using experts. (3) providing more supervision. (4) incorporating additional elements of unpredictability in the selection of further audit procedures to be performed.

15. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.15 NET Nature Extent and Timing Nature of audit procedures refers to both their purpose (tests of controls or substantive procedures) and their type (inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical procedures ). Extent generally means the quantity of an audit procedure to be performed (e.g., the size of an audit sample or the number of observations). Timing refers to when audit procedures are performed or the period or date to which the audit evidence applies.

16. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.16 The Audit Planning Memo Includes =Background information =The objectives of the audit =The assessment of engagement risk and potential follow-up =An identification of other auditors or experts that will be relied upon in the audit =An assessment of materiality. =Inherent risks

17. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.17 Audit Planning Memo Also Includes =Conclusions regarding the control environment =Classification of the client’s CIS environment =An evaluation of the quality of the accounting and internal control systems =Audit approach for each account balance and audit objective for which an inherent risk has been identified. =The timing and scheduling of audit work. =Audit budget, detailed for each level of expertise available in the audit team.

18. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.18 Audit Plan (Audit Program) H‘The auditor should develop an audit plan in order to implement the overall audit strategy.’ HThe audit plan (program) serves as a set of instructions to assistants involved in the audit and as a means to control and record the proper execution of the work. (Illustration 8.9)

19. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.19 Tests of Controls TESTS OF CONTROLS are audit procedures to test the effectiveness of control policies and procedures in support of a reduced control risk.

20. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.20 Tests of controls are necessary in two circumstances. (2006 ISA 500 – not in text) 1.When the auditor’s risk assessment includes an expectation of the operating effectiveness of controls, the auditor is required to test those controls to support the risk assessment. 2.When substantive procedures alone do not provide sufficient appropriate audit evidence, the auditor is required to perform tests of controls to obtain audit evidence about their operating effectiveness.

21. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.21 Timing of Tests of Controls The timeliness of evidential matter is about when the evidence was obtained and the portion of the audit period to which it may be applied.  some tests of controls, such as observation of inventory, pertain only to the point in time at which the auditing procedure was applied  the auditor performs other tests that are capable of providing audit evidence that the control operated effectively at relevant times during the audit period.

22. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.22 Extent of Tests of Control The more reliance the auditor puts on controls in their audit, the greater is the extent (amount) of the auditor’s tests of controls. In addition, as the rate of expected variability of the control increases, the auditor increases the extent of testing of that control.

23. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.23 Evaluate Sufficiency and Appropriateness of Audit Evidence What is sufficient appropriate audit evidence is influenced by such factors as the:  Significance of the potential misstatement  Effectiveness of management’s responses and controls to address the risks.  Experience gained during previous audits with respect to similar potential misstatements.  Results of audit procedures performed,  Source and reliability of the available information.  Persuasiveness of the audit evidence.  Understanding of the entity and its environment, including its internal control.

24. [Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 8.24 Thank You for Your Attention Any Questions?