Assessment of Control Risk

After obtaining and documenting the auditors understanding of the

accounting and internal control systems, the auditor should make a
preliminary assessment of control risk, at the assertion level, for each
maternal account balance or class transactions. The auditors preliminary
assessment of control risk may be at a high level (100%) or less than high
level.
When the auditors knowledge of the entitys internal control indicates
that internal controls related to a particular assertion are not effective, the
auditor may simply assess control risk at a high level. Hence, no tests of
controls need to be performed and the auditor will rely primarily on
substantive tests.
On the other hand, if the auditor believes that controls appear to be
reliable, the auditor should determine whether it is efficient to obtain the
evidence to justify an assessment of control risk at a lower level.
If the auditor concludes that it is more efficient to rely on the entitys
internal control systems, the auditor would plan to assess control risk at
less than high level. For this purpose, the auditor should

Identify specific internal control policies or procedures that are likely

to prevent or detect and correct material misstatement relevant to
financial statement assertions, and
Perform test of control to determine the effectiveness of such
policies or procedures.
Performing test of controls
Irrespective of how effective internal control procedures may appear to be
in preventing material misstatements from occurring in the financial
statements, before the auditor can rely on them to reduce substantive
tests, the auditor must test these controls to obtain evidence that they are
working effectively as the preliminary assessment suggests.
Test of controls are performed to obtain evidence about the effectiveness
of the

Design of the accounting and internal control systems, or

Operation of the internal controls throughout the period.
It is important to note that the auditor will only tests the operating
effectiveness of controls that are likely to detect or prevent material
misstatement. That is, the auditor will only test those controls that he or
she plans to rely upon.
According to PSA, the auditor should obtain audit evidence through tests
of control to support any assessment of control risk at less than high level.
The lower the assessment of control risk, the more support the auditor
should obtain that the internal control is suitably designed and operating
effectively. Thus, the greater the reliance the auditor plans to place on
internal control, the more extensive the tests of those controls that need
to be performed.

Nature of tests of control

Test of control generally consist of one (or a combination) of the following
evidence gathering techniques- (1) inquiry, (2) observation, (3) inspection,
and (4) reperformance.
Inquiry consist of searching for the appropriate information about the
effectiveness of internal control from knowledgeable persons inside or
outside the entity.
Observation refers to looking at the process being performed by others.
For example the auditor may observe the payroll payoff procedures or the
performance of internal control procedures that leave no evidence of
performance.
Inspection involves the examination of documents and records to provide
evidence of reliability depending on their nature and source and the
effectiveness of internal control over their processing.
Reperformance involves repeating the activity performed by the client to
determine whether proper results were obtained. For example, the auditor
may reperform the procedure by tracing the sales prices to the authorized
price list in effect at the date of the transaction. If no errors are found, the
auditor can conclude that the procedure is operating as intended.
For certain controls such as segregation of duties, documentary evidence
(audit trail) may not exist. In this case, the auditor will have to test the
effectiveness of the control procedure by making inquiry of appropriate
client personnel and observing the application of the control procedures.
There is a significant overlap between the procedures used to obtain
understanding and test of controls. Notice that inquiry of client personnel,
observation of procedures and inspection of documents are also used
when obtaining understanding about the entitys internal control system.
In fact, many of the procedures used to understand the design of internal
control may provide evidence about the reliability of the clients
accounting and internal control systems. Consequently, obtaining
understanding of the entitys internal control system and assessing control
risks are often done simultaneously.
Timing of tests controls
Auditors usually perform tests of control during interim visit in advance of
period end. However, auditors cannot rely on the results of such tests
without considering the need to obtain further evidence relating to the
remainder of the period. The evidence may be obtained by performing
test of control for the remaining period. This evidence may be obtained by
performing test of control for the remaining period or by reviewing
whether there are changes affecting the entitys internal control system.
In determining whether or not to test the remaining period, the following
factors must be considered.

The result of the interim test.

The length of the remaining period.
Whether changes have occurred in the accounting and internal
control systems during the remaining period.

Extent of test control

The auditor cannot possibly examine all transactions related to
certain control procedures. In an audit, the auditor should determine
the size of the sample sufficient to support the assessed level of
control risk.

Using the result of test control

Based on the results of the tests of control, the auditor should
evaluate whether the internal controls are designed and operating
as intended. The conclusion as a result of the evaluation is called
the assessed level of control risk. The auditor uses the assessed
level of control risk (together with the assessed level of inherent
risk) to determine the acceptable level of detection risk. For
example, if the combined assessed level of inherent and control risk
is high, detection risk need to be low to reduce audit risk to an
acceptably low level. In this regard, the auditor may considering
modifying.
The nature of substantive test from less effective to more effective
procedures.
The timing of substantive tests by performing them at year-end
rather than at interim.
The extent of substantive tests from smaller to larger sample size.
Operating effectiveness vs. implementation
Testing the operating effectiveness of controls is different from obtaining
audit evidence that controls have been implemented. When obtaining
audit evidence of implementation by performing risk assessment
procedures, the auditor determines that the relevant controls exist and
that the entity is using them. When performing tests of the operating
effectiveness of controls, the auditor obtains audit evidence that controls
operate effectively. This includes obtaining audit evidence about how
controls were applied at relevant times during the period under audit, the
consistency with which they were applied, and by whom or by what
means they were applied.
Documenting the assessed level of control risk
After evaluating the results of tests of control and assessing the control
risk, the auditor should document his assessment of control risk.
If the control risk is assessed at a high level, the auditor should document
his conclusion that control risk is at a high level.
If control risk is assessed at less than high level, the auditor should
document his conclusion that control risk is less than high and the basis
for that assessment. This basis is actually the result of test of control.
Hence, the auditor cannot assess control risk at less than high level
without performing tests of control.
Communication of Internal Control Weaknesses
As a result of the auditors consideration of the accounting and internal
control systems, the auditor may become aware of weakness in the
systems. In this regard, the auditor is required to report to the appropriate
level of management material weaknesses in the design or operation of
the accounting and internal control systems, which have come to the
auditors attention. This communication would ordinarily be in writing and
should be done at the earliest opportunity so that the appropriate
corrective actions may be taken as soon as possible. Oral communications
could also be made provided these are adequately documented in the
audit working papers.
It is to be emphasized that auditors are not required to search for and/or
identify internal control weaknesses. The auditors must, however,
communicate internal control weaknesses to the client when they come to
their attention during the course of the audit. These internal control
weaknesses together with other matters of concern are documented in a
formal management letter.