Govur University Logo
--> --> --> -->
Govur University Logo
Sign In
...
Home All Courses Business and Economics Courses Certified Public Accountant (CPA) Mastery Certification Flashcard

Outline the key steps in assessing control risk and its relation to substantive procedures.



Assessing control risk is a crucial step in the audit process, as it directly influences the nature, timing, and extent of substantive procedures that an auditor performs. Control risk is the risk that a material misstatement could occur in an assertion about an account balance or class of transactions and not be prevented, or detected and corrected, on a timely basis by the entity's internal control.

The key steps in assessing control risk are:

1. Understanding the Entity and its Environment: The auditor begins by gaining a thorough understanding of the entity's industry, regulatory environment, and overall operations. This includes understanding the entity's organizational structure, ownership and governance, business model, and key processes. This broader understanding sets the stage for evaluating the internal control system.

*Example:If auditing a manufacturing company, the auditor would understand the production process, the inventory management system, and the key suppliers and customers.

2. Identifying Relevant Controls: The auditor identifies the controls that are relevant to the audit. These are the controls that are designed to prevent or detect and correct material misstatements in the financial statements. This step involves identifying controls at both the entity level and the transaction level. Entity-level controls are pervasive controls that affect multiple accounts and assertions, such as the control environment, risk assessment process, and monitoring of controls. Transaction-level controls are specific controls that apply to individual transactions or account balances, such as segregation of duties, authorization of transactions, and reconciliations.

*Example:For revenue recognition, relevant controls might include controls over order processing, credit approval, shipping, billing, and cash collection. The auditor would identify these controls by reviewing process documentation, interviewing personnel, and observing operations.

3. Evaluating the Design of Controls: The auditor evaluates whether the identified controls, if operating effectively, could prevent or detect and correct material misstatements. This involves assessing whether the controls are properly designed to achieve their intended objectives. The auditor considers factors such as the clarity of control procedures, the competence of personnel performing the controls, and the adequacy of documentation.

*Example:A control requiring a sales manager to approve all credit sales over a certain amount is well-designed if the approval process includes a review of the customer's creditworthiness and payment history. However, if the sales manager routinely approves all credit sales without proper review, the control is not effectively designed.

4. Determining Whether Controls Have Been Implemented: The auditor determines whether the designed controls have been put in place and are being used. This step involves performing procedures such as inquiries of personnel, observation of control activities, and inspection of documents.

*Example:To determine whether the credit approval control has been implemented, the auditor might inquire of the sales manager about the approval process, observe the manager reviewing credit reports, and inspect documentation to verify that credit approvals are being documented.

5. Testing the Operating Effectiveness of Controls: If the auditor plans to rely on the controls to reduce substantive procedures, the auditor must test the operating effectiveness of the controls. This involves performing procedures to determine whether the controls are operating as designed and whether they are consistently applied throughout the period. The nature, timing, and extent of testing depend on the assessed level of control risk and the extent to which the auditor plans to rely on the controls.

*Example:To test the operating effectiveness of the credit approval control, the auditor might select a sample of credit sales transactions and examine the related documentation to verify that the sales manager approved the credit sale and that the approval was based on a proper review of the customer's creditworthiness.

6. Documenting the Assessment of Control Risk: The auditor documents the understanding of the entity's internal control, the assessment of control risk, and the basis for that assessment. This documentation provides evidence that the auditor performed the assessment in accordance with auditing standards.

*Example:The auditor's documentation might include flowcharts of key processes, narratives describing the controls, and the results of testing procedures.

The relationship between control risk and substantive procedures is inverse. If the auditor assesses control risk as low, meaning that the auditor believes that the internal controls are effective in preventing or detecting and correcting material misstatements, the auditor can perform fewer substantive procedures. Substantive procedures are designed to detect material misstatements in the financial statements. They include tests of details (examining individual transactions and balances) and analytical procedures (evaluating financial information by studying plausible relationships among financial and nonfinancial data).

Conversely, if the auditor assesses control risk as high, meaning that the auditor believes that the internal controls are not effective, the auditor must perform more extensive substantive procedures. This is because the auditor cannot rely on the internal controls to prevent or detect material misstatements, so the auditor must obtain more direct evidence about the accuracy of the financial statement assertions.

*Example:If the auditor assesses control risk as low for revenue recognition, the auditor might perform fewer tests of details of sales transactions and rely more on analytical procedures, such as comparing revenue trends to industry averages and prior periods. However, if the auditor assesses control risk as high for revenue recognition, the auditor would perform more extensive tests of details, such as examining a larger sample of sales transactions and confirming balances with customers.

In summary, assessing control risk is a critical step in the audit process that directly impacts the nature, timing, and extent of substantive procedures. By understanding the entity's internal control system and assessing the effectiveness of controls, the auditor can design an audit that is both effective and efficient. A lower assessed control risk allows the auditor to reduce the scope of substantive procedures, while a higher assessed control risk requires the auditor to perform more extensive substantive procedures to obtain sufficient appropriate audit evidence.