The auditor’s study of internal control has the two primary purposes of helping the auditor (1) to plan the audit and (2) to assess control risk, the risk that a material misstatement will not be prevented or detected on a timely basis by internal control. Based on the results obtained while obtaining an understanding of internal control primarily for planning purposes, the auditor decides whether to perform tests of controls to possibly allow a reassessment of control risk.

Advertisement

How good is your understanding on this subject matter? Let’s have fun, take a light quiz.

Do not worry thought. This is not a CPA Exam. In fact, a correct answer of each question is provided underneath the question, and necessary explanations about why the answer is (a) or (b) and so forth. There are 15 questions and answers inside. But before that, let’s do a quick overview what and how assess control risk—and understanding of internal control in broader manner is obtained during an audit session. Read on…

 

Understanding of Internal Control and Assess Control Risk

An auditor obtains an understanding of internal control and documents this understanding using memoranda, questionnaires, checklists, flowcharts, and/or decision tables. The emphasis at this stage is usually on obtaining an understanding of how internal control is purported to function to allow further planning of the audit. Indeed, it is difficult to imagine planning an audit without understanding the essentials of the internal control.

While obtaining an understanding of the system, the auditor may or may not have chosen to perform tests of controls to evaluate the effectiveness of the design and operation of controls. For example, for a continuing client, the auditor may understand the controls well enough to perform some tests. If tests of controls have been performed, the auditor may be able to assess control risk at somewhat below the maximum level; if tests of controls have not been performed, control risk will be assessed at the maximum level.

Regardless of whether any tests of controls have been performed at this stage, the auditor must decide whether to perform (more) tests to possibly allow a lower assessed level of control risk and thereby restrict substantive testing.

For controls that seem weak, a decision will be made to rely in large part on substantive tests—analytical procedures, and/or tests of details of transactions and balances. On the other hand, if controls seem capable of preventing, detecting, and correcting material misstatements, the auditor must decide whether it is more cost effective to perform tests of controls or to directly perform substantive tests.

 

Performing Tests of Controls and Reassess Control Risk

The objective of tests of controls is to evaluate whether internal control operated effectively, thereby supporting a lower assessed level of control risk. The ultimate purpose of assessing control risk is to contribute to the auditor’s evaluation of the risk that material misstatements exist in the financial statements. Tests of controls are concerned with how the control was applied, the consistency with which it was applied, and by whom it was applied throughout the period being audited.

These tests ordinarily include evidence obtained through (1) inquiry of personnel, (2) inspection of documents and reports, (3) observation of the application of the control, and (4) re-performance of the control. When tests of controls justify a lower assessed level of control risk, the scope of substantive testing may be reduced.

Next, let’s go for the quiz…

Question-1. After assessing control risk at below the maximum level, an auditor desires to seek a further reduction in the assessed level of control risk. At this time, the auditor would consider whether:

a. It would be efficient to obtain an understanding of the entity’s information system.

b. The entity’s controls have been placed in operation.

c. The entity’s controls pertain to any financial statement assertions.

d. Additional evidential matter sufficient to support a further reduction is likely to be available.

 

Answer:  (d)

Explanation: (d) is correct because such a reduction is only possible when additional evidential matter, evaluated by performing additional tests of controls, is available. Answer (a) is incorrect because auditors at this point will ordinarily already have obtained the understanding of the information system to plan the audit. Furthermore, an understanding of internal control is needed on all audits. Answer (b) is incorrect because auditors must determine that controls have been placed in operation in all audits. Answer (c) is incorrect because a significant number of controls always pertain to financial statement assertions.

 

Question-2. Assessing control risk at below the maximum level most likely would involve:

a. Performing more extensive substantive tests with larger sample sizes than originally planned.

b. Reducing inherent risk for most of the assertions relevant to significant account balances.

c. Changing the timing of substantive tests by omitting interim-date testing and performing the tests at year-end.

d. Identifying specific controls relevant to specific assertions.

 

Answer: (d)

Explanation: (d) is correct because assessing control risk below the maximum level involves (1) identifying specific controls relevant to specific assertions that are likely to prevent or detect material misstatements in those assertions, and (2) performing tests of controls to evaluate the effectiveness of such controls. So, answer (a) is incorrect because assessing control risk below the maximum may lead to less extensive, not more extensive substantive tests. Answer (b) is incorrect because the actual level of inherent risk is not affected by the level of control risk. Also, one would not expect a change in the assessed level of control risk to result in a change in the assessed level of inherent risk. Answer (c) is incorrect because assessing control risk below the maximum may lead to interim-date substantive testing rather than year-end testing.

 

Question-3. When an auditor increases the assessed level of control risk because certain control activities were determined to be ineffective, the auditor would most likely increase the:

a. Extent of tests of controls.

b. Level of detection risk.

c. Extent of tests of details.

d. Level of inherent risk.

 

Answer:  (c)

Explanation: (c) is correct because increases in the assessed level of control risk lead to decreases in the acceptable level of detection risk. Accordingly, the auditor will need to increase the extent of substantive tests such as tests of details. So, snswer (a) is incorrect because tests of controls are performed to reduce the assessed level of control risk only when controls are believed to be effective. Answer (b) is incorrect because the level of detection risk must be decreased, not increased. Answer (d) is incorrect because the level of inherent risk pertains to the susceptibility of an account to material misstatement independent of related controls.

 

Question-4. An auditor uses the knowledge provided by the understanding of internal control and the assessed level of control risk primarily to:

a. Determine whether procedures and records concerning the safeguarding of assets are reliable.

b. Ascertain whether the opportunities to allow any person to both perpetrate and conceal fraud are minimized.

c. Modify the initial assessments of inherent risk and preliminary judgments about materiality levels.

d. Determine the nature, timing, and extent of substantive tests for financial statement assertions.\

 

Answer: (d)

Explanation: (d) is correct because the auditor uses such knowledge in determining the nature, timing, and extent of substantive tests for financial statement assertions. Answer (a) is incorrect because it is incomplete. For example, while auditors are concerned with the safeguarding of assets, they also need to determine whether the financial statement information is accurate. Answer (b) is incorrect for reasons similar to (a) in that determining whether opportunities are available for committing and concealing fraud is incomplete since this knowledge is also used to ascertain whether the chance of errors is minimized. Answer (c) is incorrect because knowledge provided by the understanding of internal control and the assessed level of control risk is not used to modify initial assessments of inherent risk and preliminary judgments about materiality levels. This knowledge is unrelated to those processes.

 

Question-5. An auditor may compensate for a weakness in internal control by increasing the:

a. Level of detection risk.

b. Extent of tests of controls.

c. Preliminary judgment about audit risk.

d. Extent of analytical procedures.

 

Answer: (d)

Explanation: (d) is correct because increasing analytical procedures decreases detection risk in a manner which may counterbalance the condition in internal control. In effect, the weakness in internal control is compensated for by increased substantive testing. If you have, you can read AU 312 for the relationships among audit risk and its component risks—inherent risk, control risk, and detection risk. Answer (a) is incorrect because increasing both control risk (through a weakness in internal control) and detection risk increases audit risks. In addition, control risk and detection risk do not compensate for one another. Answer (b) is incorrect because increasing the extent of tests of controls is unlikely to be effective since the condition is known to exist. Answer (c) is incorrect because it is not generally appropriate to increase the judgment as to audit risk based on the results obtained.

 

Question-6. Which of the following statements is correct concerning an auditor’s assessment of control risk?

a. Assessing control risk may be performed concurrently during an audit with obtaining an understanding of the entity’s internal control.

b. Evidence about the operation of internal control in prior audits may not be considered during the current year’s assessment of control risk.

c. The basis for an auditor’s conclusions about the assessed level of control risk need not be documented unless control risk is assessed at the maximum level.

d. The lower the assessed level of control risk, the less assurance the evidence must provide that the control procedures are operating effectively.

 

Answer: (a)

Explanation: (a) is correct because AU 319 states that assessing control risk may be performed concurrently during an audit with obtaining an understanding of internal control. Answer (b) is incorrect because evidence about the operation of internal control obtained in prior audits may be considered during the current year’s assessment of control risk. Answer (c) is incorrect because the basis for an auditor’s conclusions about the assessed level of control risk needs to be documented when control risk is assessed at levels other than the maximum level. Answer (d) is incorrect because a lower level of control risk requires more assurance that the control procedures are operating effectively.

 

Question-7. Regardless of the assessed level of control risk, an auditor would perform some:

a. Tests of controls to determine the effectiveness of internal control policies.

b. Analytical procedures to verify the design of internal control.

c. Substantive tests to restrict detection risk for significant transaction classes.

d. Dual-purpose tests to evaluate both the risk of monetary misstatement and preliminary control risk.

 

Answer: (c)

Explanation: (c) is correct because ordinarily the assessed level of control risk cannot be sufficiently low to eliminate the need to perform any substantive tests to restrict detection risk for significant transaction classes. Answer (a) is incorrect because tests of controls are unnecessary when control risk is assessed at the maximum level. Answer (b) is incorrect because analytical procedures are not designed to verify the design of internal control. Answer (d) is incorrect because dual-purpose tests (i.e., those that serve as both substantive tests and tests of controls) are not required to be performed, and because the term “preliminary control risk” is unclear.

 

Question-8. Before assessing control risk at a level lower than the maximum, the auditor obtains reasonable assurance that controls are in use and operating effectively. This assurance is most likely obtained in part by:

a. Preparing flowcharts.

b. Performing substantive tests.

c. Analyzing tests of trends and ratios.

d. Inspection of documents.

 

Answer: (d)

Explanation: (d) is correct because inspection of documents is a form of a test of controls, and such tests are used to obtain reasonable assurance that controls are in use and operating effectively. Answer (a) is incorrect because auditors prepare flowcharts to document a company’s internal control, not to obtain assurance that controls are in use and operating effectively. Answer (b) is incorrect because substantive tests relate to the accuracy of accounts and assertions rather than testing controls directly. Answer (c) is incorrect because analyzing tests of trends and ratios is an analytical procedure that does not directly test controls.

 

Question-9. The objective of tests of details of transactions performed as tests of controls is to:

a. Monitor the design and use of entity documents such as prenumbered shipping forms.

b. Determine whether controls have been placed in operation.

c. Detect material misstatements in the account balances of the financial statements.

d. Evaluate whether controls operated effectively.

 

Answer: (d)

Explanation: (d) is correct because the purpose of tests of controls is to evaluate whether internal control operates effectively. Answer (a) is incorrect because while monitoring the design and use of entity documents may be viewed as a test of controls, it is not the objective. Answer (b) is incorrect because determining whether internal control is placed in operation is not directly related to tests of controls; get AU 319 and have a read for the distinction between “placed in operation” and “operating effectiveness.” Answer (c) is incorrect because substantive tests, not tests of controls, are focused on detection of material misstatements in the account balances of the financial statements.

 

Question-10. After obtaining an understanding of internal control and assessing control risk, an auditor decided to perform tests of controls. The auditor most likely decided that:

a. It would be efficient to perform tests of controls that would result in a reduction in planned substantive tests.

b. Additional evidence to support a further reduction in control risk is not available.

c. An increase in the assessed level of control risk is justified for certain financial statement assertions.

d. There were many internal control weaknesses that could allow misstatements to enter the accounting system.

 

Answer: (a)

Explanation: (a) is correct because tests of controls will be performed when they are expected to result in a cost effective reduction in planned substantive tests. Answer (b) is incorrect because tests of controls are only performed when they are likely to support a further reduction in the assessed level of control risk. Answer (c) is incorrect because tests of controls are designed to decrease the assessed level of control risk, not increase it. Answer (d) is incorrect because internal control weaknesses normally result in more substantive testing and less tests of controls.

 

Question-11. In assessing control risk, an auditor ordinarily selects from a variety of techniques, including:

a. Inquiry and analytical procedures.

b. Re-performance and observation.

c. Comparison and confirmation.

d. Inspection and verification.

 

Answer: (b)

Explanation: Answer (b) is correct because tests of controls include inquiries of appropriate entity personnel, inspection of documents and reports, observation of the application of the policy or procedure, and re-performance of the application of the policy or procedure.

 

Question-12. Which of the following types of evidence would an auditor most likely examine to determine whether controls are operating as designed?

a. Confirmations of receivables verifying account balances.

b. Letters of representations corroborating inventory pricing.

c. Attorneys’ responses to the auditor’s inquiries.

d. Client records documenting the use of computer programs.

 

Answer: (d)

Explanation: (d) is correct because inspection of client records documenting the use of computer programs will provide evidence to help the auditor evaluate the effectiveness of the design and operation of internal control; the client’s control over use of its computer programs in this case is documentation of the use of the programs. In order to test this control, the auditor will inspect the documentation records. Find a material about AU 319 and have a read for information on the nature of tests of controls. Answer (a) is incorrect because the confirmation process is most frequently considered a substantive test, not a test of a control. Answer (b) is incorrect because letters of representations provide corroborating information on various management representations obtained throughout the audit and therefore only provides limited evidence on internal control. Answer (c) is incorrect because attorneys’ responses to auditor inquiries most frequently pertain to litigation, claims, and assessments.

 

Question-13. Which of the following is not a step in an auditor’s decision to assess control risk at below the maximum?

a. Evaluate the effectiveness of internal control with tests of controls.

b. Obtain an understanding of the entity’s information system and control environment.

c. Perform tests of details of transactions to detect material misstatements in the financial statements.

d. Consider whether controls can have a pervasive effect on financial statement assertions.

 

Answer: (c)

Explanation: (c) is correct because performing tests of details of transactions to detect material misstatements pertains more directly to detection risk rather than inherent or control risk. Answer (a) is incorrect because auditors evaluate the effectiveness of internal control with tests of controls. Answer (b) is incorrect because obtaining an understanding of the entity’s information system and control environment is a preliminary step for considering control risk. Answer (d) is incorrect because auditors will consider the effect of internal control on the various financial statement assertions.

 

Question-14. To obtain evidential matter about control risk, an auditor selects tests from a variety of techniques including:

a. Inquiry.

b. Analytical procedures.

c. Calculation.

d. Confirmation.

 

Answer: (a)

Explanation: (a) is correct because auditors test controls to provide evidence for their assessment of control risk through inquiries of appropriate personnel, inspection of documents and records, observation of the application of controls, and reperformance of the application of the policy or procedure. Answers (b), (c), and (d) are incorrect because analytical procedures, calculation, and confirmation relate more directly to substantive testing and are not primary methods to test controls for purposes of assessing control risk.

 

Question-15. Which of the following is least likely to be evidence the auditor examines to determine whether controls are operating effectively?

a. Records documenting usage of computer programs.

b. Canceled supporting documents.

c. Confirmations of accounts receivable.

d. Signatures on authorization forms.

 

Answer: (c)

Explanation: (c) is correct because confirmation of accounts receivable is a substantive test, not a test of a control. Answer (a) is incorrect because records documenting the usage of computer programs may be tested to determine whether access is appropriately controlled. Answer (b) is incorrect because examining canceled supporting documents may help the auditor to determine that the structure will not allow duplicate billing to result in multiple payments. Answer (d) is incorrect because proper signatures will help the auditor to determine whether the authorization controls are functioning adequately.