Lesson 16: Assessing Control Risk
Summary
TLDRThis lesson focuses on the importance of auditing internal controls, detailing why auditors assess them and the methods used. It covers understanding control environments, documenting processes through descriptions, flowcharts, and questionnaires, and the significance of walk-throughs. The script also discusses assessing control risk, identifying key controls, and the efficiency of computer controls versus manual controls, setting the stage for the next lesson on control testing.
Takeaways
- đ In auditing, understanding internal controls is mandatory, even if the auditor does not plan to rely on them.
- đ Auditing standards and the audit risk model guide the process of assessing internal controls.
- đŒ The auditor's objective is to evaluate the control environment, computer controls, and specific control activities.
- đïž Documentation of controls can be done through narrative descriptions, flowcharts, or questionnaires.
- đ Flowcharts and questionnaires are often the preferred methods for documenting controls.
- đ Information about controls is often carried forward from year to year, with updates as necessary.
- đ¶ââïž Walk-throughs are performed to confirm that systems function as documented.
- đ The assessment of control risk directly impacts the planned detection risk and the amount of audit work required.
- đ Key controls are identified to address audit objectives within each transaction cycle.
- đ€ Computer controls are generally more effective to test than manual controls due to reduced human error.
- đ ïž Once computer controls are proven to operate as intended, they generally do not require retesting unless there are changes to the system.
Q & A
What was the main focus of the previous lesson?
-The previous lesson focused on explaining what internal controls are, their characteristics, and their objectives.
Why do auditors audit internal controls?
-Auditors audit internal controls to gain an understanding of them, which is necessary to assess audit risk and identify potential errors or fraud.
What does the audit risk model have to do with understanding internal controls?
-Understanding internal controls is necessary to assess audit risk, as it helps to identify the types of potential errors or fraud.
How do auditors gather information about internal controls?
-Auditors gather information about internal controls by discussing them with the client and examining internal documents such as policy manuals.
What are the three methods of documenting understanding of internal controls mentioned in the script?
-The three methods are: 1) A narrative description of the process and controls in place, 2) A flowchart representation of the process flow, and 3) Using an internal control questionnaire.
What is a 'walk-through' in the context of auditing?
-A 'walk-through' is the process of tracing one or a few transactions through the accounting system to confirm the auditor's understanding of how the systems function.
How does the assessment of control risk impact the audit process?
-The assessment of control risk directly impacts the planned detection risk and the extent of audit work required.
What are audit objectives in relation to transaction cycles?
-Audit objectives are essentially management assertions that are specified for each transaction cycle.
Why might auditors choose one control over another to test, even if both address the same objective?
-Auditors might choose one control over another because they believe it is either most effective or more efficient to test.
What is the difference between testing computer controls and manual controls?
-Computer controls can be more effective to test due to less risk of human error, assuming strong general computer controls are in place. Manual controls need to consider operating effectiveness throughout the entire period, which is subject to human frailty.
What happens when a manual control is dependent on an employee who leaves, gets sick, or goes on vacation?
-When an employee performing a manual control leaves, gets sick, or goes on vacation, it can lessen the effectiveness of the manual control due to the dependency on human action.
What is the next step after documenting controls and assessing control risk?
-The next step is to test the controls, which will be the topic of the next lesson.
Outlines
đ Understanding Internal Controls
The script begins by reminding viewers of the previous lesson on internal controls, which focused on their definition, appearance, and objectives. This lesson shifts to the auditor's perspective, emphasizing the necessity of auditing internal controls as per auditing standards. It highlights the importance of understanding these controls to assess audit risk and identify potential errors or fraud. The process of gathering information about the control environment, computer controls, and specific control activities is outlined, including discussions with clients and examining policy manuals. Three methods for documenting understanding are presented: narrative description, flowchart representation, and internal control questionnaires. The preference for flowcharts and questionnaires is noted, along with the practice of updating this information annually. The script also introduces the concept of a 'walk-through' to confirm the functionality of systems as documented.
Mindmap
Keywords
đĄInternal Controls
đĄAuditor
đĄAudit Risk Model
đĄControl Environment
đĄGeneral Computer Controls
đĄSpecific Control Activities
đĄNarrative Description
đĄFlowchart
đĄInternal Control Questionnaire
đĄWalk-through
đĄControl Risk
đĄTransaction Cycles
Highlights
Lesson focuses on the importance of understanding internal controls for auditing purposes.
Auditors must understand internal controls even if they don't plan to rely on them.
Understanding internal controls is essential for assessing audit risk.
Potential errors or fraud are identified by understanding internal controls.
Information about control environment and activities is gathered through discussions and documents.
Three methods for documenting understanding of internal controls are presented.
Narrative description, flowchart, and questionnaire are methods for documenting controls.
Flowcharts and questionnaires are preferred methods for documentation.
Information about controls is often carried forward year to year with updates as needed.
Walk-through is a process to confirm understanding of the accounting system.
Assessment of control risk impacts planned detection risk and audit work required.
Control risk is assessed separately for each major transaction cycle.
Audit objectives are specified for each transaction cycle.
Key controls are identified to address audit objectives within transaction cycles.
Not every control needs to be identified as key; selection is based on effectiveness or efficiency.
Controls can be manual, automated, or computer-assisted, affecting testing methods.
Computer controls are generally more effective to test due to less human error risk.
Once computer controls are tested, retesting is rare unless there are system changes.
Manual controls require ongoing consideration of effectiveness due to human factors.
Changes in personnel can affect the effectiveness of manual controls.
The lesson concludes with readiness to test controls, which will be covered in the next lesson.
Motivational closing to continue striving for success.
Transcripts
0:00:08.000,0:00:14.000
In our last lesson, we talked about what internal
controls were, what they looked like, and what
they set out to achieve.
0:00:14.000,0:00:20.033
In this lesson, we are going to put our auditor
hats back on and figure out why we audit
internal controls and how.
0:00:20.033,0:00:29.033
Auditing standards require the auditor to gain an
understanding of internal controls, regardless of
whether they plan to rely on them.
0:00:29.033,0:00:35.066
Tying back to our lesson on the audit risk
model, we know that understanding is
necessary to assess audit risk,
0:00:35.066,0:00:38.000
and identify the types of potential errors or fraud.
0:00:38.000,0:00:45.000
We gather information about the control
environment, general computer controls, and
specific control activities...
0:00:45.000,0:00:50.066
by discussing them with the client and
examining internal documents, such as policy
manuals.
0:00:50.066,0:00:55.066
We will document our understanding using one
of three methods:
0:00:55.066,0:01:00.066
1.
A narrative description of the process and
controls in place.
0:01:00.066,0:01:08.066
2.
A flowchart representation of the sequential
process flow in the transaction cycle.
0:01:08.066,0:01:15.000
3.
Using an internal control questionnaire, which
asks a series of questions about the controls.
0:01:15.000,0:01:19.066
Flowcharts and questionnaires are probably the
preferred methods.
0:01:19.066,0:01:26.000
A great deal of this information will be carried
forward year to year and will only need to be
updated for repeat engagements.
0:01:26.000,0:01:31.033
We will trace one or few transactions through
the accounting system to confirm our
understanding.
0:01:31.033,0:01:36.033
This is called walk-through, the purpose of
which is to ensure that the systems actually
function...
0:01:36.033,0:01:39.000
as they have been documented in the file.
0:01:39.000,0:01:46.033
The assessment of control risk has a direct
impact on the planned detection risk and the
extent of the audit work required.
0:01:46.033,0:01:50.033
Control risk is separately assessed for each of
the major transaction cycles.
0:01:50.033,0:01:59.000
Audit objectives (which are essentially the
management assertions) are specified for each
transaction cycle.
0:01:59.000,0:02:06.000
Then, key controls within the transaction cycle
are identified that best address the audit
objectives.
0:02:06.000,0:02:12.033
We need not identify every control as key, in
fact, there may be two or three controls...
0:02:12.033,0:02:20.066
that address the same objective and we can
pick the one which we believes is either most
effective or more efficient to test.
0:02:20.066,0:02:26.033
As we have previously noted, controls can be
manual, automated, or computer-assisted.
0:02:26.033,0:02:31.000
The nature of the control will have an impact on
the testing we perform.
0:02:31.000,0:02:39.033
Generally speaking, computer controls can be
more effective to test than manual controls
because there is less risk of human error.
0:02:39.033,0:02:43.000
This of course assumes that there are strong
general computer controls in place.
0:02:43.000,0:02:49.000
Once you prove that a computer is operating as
intended, you need not retest it over and over
again.
0:02:49.000,0:02:55.066
Only if the computer system is changed do you
need to perform more tests, which is rare.
0:02:55.066,0:03:01.000
Whereas, with manual controls, you need to
consider the operating effectiveness throughout
the entire period,
0:03:01.000,0:03:03.000
which is subject to human frailty.
0:03:03.000,0:03:08.066
What happens when the employee performing
the control leaves, gets sick or goes on
vacation?
0:03:08.066,0:03:15.000
That sort of thing happens, which can lessen the
effectiveness of a manual control.
0:03:15.000,0:03:21.066
So at this point, we have documented our
controls, assessed our control risk at less than
maximum-
0:03:21.066,0:03:24.033
indicating that we intend to place some reliance
on the internal controls-
0:03:24.033,0:03:30.000
and we have identified the key controls in place
that address our audit objectives, aka
management assertions.
0:03:30.000,0:03:33.033
We are now ready to test the controls, which
will be the topic of our next lesson.
0:03:33.033,0:03:36.033
Until then, donât stop until you get to the top and
when you get to the top, donât stop.
5.0 / 5 (0 votes)