12-1
Chapter 12
Assessing Control Risk and Reporting
on Internal Controls
Concept Checks
P. 381
1. As illustrated by Figure 12–1, there are four phases in the process of
understanding internal control and assessing control risk. In the first
uses the results of tests of controls to assess control risk and to ultimately
2. The purpose of a control risk matrix is to assist the auditor in assessing
related audit objective.
3. The four types of procedures used by auditors to test whether internal
controls are operating effectively are (1) inquiring of appropriate personnel
regarding the operation of controls; (2) examine documents and records
P. 386
1. The financial statement audit findings are relevant to the auditor’s opinion on
the effectiveness of internal controls over financial reporting because the
indicate a potential control deficiency or significant deficiency.
12-2
Concept Check, P. 386 (continued)
2. Auditors are required to perform integrated audits, an audit of the financial
statements coupled with an audit of internal control over financial reporting,
on audit engagements of large publicly traded companies (accelerated
filers). For integrated audits, the auditor issues an opinion on the
Review Questions
12–1 The auditor’s responsibility for obtaining an understanding of internal
control for a large public company, when an opinion is issued on the
effectiveness of internal controls, is significantly greater than the understanding
necessary when the auditor is solely expressing an opinion on the financial
statements. To express an opinion on internal controls for a large public
12–2 Maier is correct in her belief that internal controls frequently do not
function in the manner they are supposed to. However, regardless of this,
her approach ignores the value of beginning the understanding of internal
control by preparing or reviewing a rough flowchart or other internal control
12–3 In a walkthrough of internal control, the auditor selects one or a few
documents for the initiation of a transaction type and traces them through the
entire accounting process. At each stage of processing, the auditor makes
12-3
12–3 (continued)
12–4 For many control activities, documentation of their performance is more
objectively evaluated in contrast to the evaluation of the control environment.
Due to the nature of the subcomponents that constitute the control
environment, such as integrity and ethical values and commitment to
competence, the nature of evidence used to evaluate the control environment
may differ somewhat from the nature of evidence used to evaluate control
and perception of management’s integrity. Because of the more judgmental
nature of many of the control environment subcomponents, auditors often make
numerous inquiries and perform extensive observation of client personnel in the
performance of policies and procedures to evaluate those subcomponents of
a transaction amount.
12–5 A significant deficiency exists if one or more control deficiencies exist
that are less severe than a material weakness, but important enough to merit
attention by those responsible for oversight of the company’s financial
contain an unqualified opinion. However, if the deficiency is deemed to be a
material weakness, the auditor must express an adverse opinion on the
effectiveness of internal control over financial reporting.
disclosures and related assertions in the financial statements.
12-4
12–6 (continued)
maximum, the auditor designs and performs a combination of tests of controls
and substantive procedures. Thus, for a nonpublic company or smaller public
company, the tests of controls vary based on the auditor’s assessment of
control risk.
adequate to identify any changes to computerized processes. The ability to rely
on prior year tests of automated controls is due to the systematic nature of IT–
based procedures. That is, once an automated control is programmed to perform
correctly, it should continue performing in that manner until the underlying
12–8 When the auditor’s risk assessment procedures identify significant
risks, the auditor is required to test the operating effectiveness of controls that
mitigate these risks in the current year audit, if the auditor plans to rely on those
controls to support a control risk assessment below 100%. Thus, tests of
12–9 The fact that your client has outsourced the majority of its accounting
information system to a third–party data center does not change your professional
responsibilities. One of the principles underlying auditing standards requires the
auditor to obtain an understanding of internal controls in all audits. Thus, the
their own testing of those controls or they may be able to obtain a service
12-5
12–9 (continued)
(referred to as a Type 2 report).
12–10 The auditor uses the control risk assessments and the results of tests
of controls to determine the appropriate level of detection risk and the nature
and extent of substantive tests for the audit engagement. The auditor links the
presentation and disclosure audit objectives.
12–11 If the auditor assesses control risk as high for a transaction–related
audit objective, then in order to maintain a desired level of audit risk, the auditor
will need to set a lower level of detection risk. A lower level of detection risk in
turn means more extensive substantive testing.
there are no identified material weaknesses as of the balance
sheet date; and
there have been no restrictions on the scope of the auditor’s work.
12–13 The most significant difference in the assessment of control risk for
integrated audits versus financial statement–only audits is that control risk may
be assessed at maximum for some or all audit objectives for nonpublic
for nonpublic companies.
12–14 “Auditing through the computer” represents an audit approach whereby
the auditor tests the design and operating effectiveness of internal controls
embedded in applications that are only available electronically to determine the
12-6
12–14 (continued)
operating effectively through one of the three approaches mentioned above, the
auditor does not need to test a sample of transactions in order to rely on
controls.
How effectively does the test data represent all relevant conditions
that the auditor wants to test?
How certain is the auditor that the application programs being tested
by the auditor’s test data are the same programs used by the client
throughout the year to process actual transactions?
Parallel simulation with audit software involves the auditor’s use of an
auditor–controlled software program to perform parallel operations to the
client’s software by using the same data files. Because the auditor’s software is
designed to parallel an operation performed by the client’s software, this strategy is
vacation pay is fairly stated at year–end.
Multiple Choice Questions From CPA Examinations
12–16 a. (3) b. (2) c. (4)
12–17 a. (2) b. (4) c. (4)
12–18 a. (3) b. (3) c. (3)
12–19 a. (4) b. (1) c. (2)
12-7
Discussion Questions and Problems
transactions and activities.
b. Recorded transactions exist.
c. An unauthorized or invalid time record turned in by an
existing employee. The time record may be for an employee
changes on time cards.
2. a. Adequate documents and records.
b. Existing transactions are recorded.
before preparation of payroll starts.
d. An employee would not be paid for a time period. (The
question.
3. a. Independent check on performance.
b. Recorded transactions are stated at the correct amounts.
withholding incorrectly.
d. Payroll checks incorrectly calculated could be paid to
employees.
payroll.
12-8
12–20 (continued)
4. a. Adequate documents and records.
b. Existing transactions are recorded.
voided check.
d. An employee who is supposed to void a check could record
it as voided on the books and cash the check. At month–end
bank reconciliation.
e. Test month–end bank reconciliations in detail to determine
that the account reconciles properly, that all supporting
5. a. Proper authorization of transactions and activities.
b. Recorded transactions exist and recorded transactions are
stated at the correct amounts.
competent employees minimizes the likelihood of
unintentional errors.
d. Several types of intentional misstatements could occur if a
hired.
e. An examination of cancelled checks and supporting
documents, including time records and personnel records,
employees who are not competent.
6. a. Proper authorization of transactions and activities.
b. Recorded transactions exist.
number.
d. A fictitious payroll check could be processed for a
fictitious employee if invalid employee numbers are
included in the employee master file.
rejected by the software application.
12-9
12–20 (continued)
7. a. Adequate separation of duties.
b. Recorded transactions exist.
checks.
d. If one person kept a record of time, prepared the payroll,
and distributed the checks, that person could add a
nonexistent employee to the payroll, process the
account without detection.
e. Perform a surprise payoff in which the auditor accounts for
all paychecks and distributes them to the employees, who
or payroll direct deposit notifications.
8. a. Proper authorization of transactions and activities, and
adequate documents and records.
b. Recorded transactions exist.
former employee is prevented.
d. A terminated employee could be continued on the payroll
with someone else obtaining the paycheck.
direct deposit notifications.
9. a. Physical control over assets and records, and adequate
segregation of duties.
b. Recorded transactions exist.
c. Checks prepared for nonexistent employees or employees
12-10
12–20 (continued)
adequate separation of duties.
b. Recorded transactions exist and recorded transactions are
stated at the correct amounts.
c. Preparation of a check for a fictitious employee or
preparation of checks using an unapproved pay rate are
prevented.
e. Attempt to access the online payroll master file using a
password that is not allowed access to that master file.
12–21 a. The size of a company has a significant effect on the nature of the
compensating control. The owner–manager’s interest in the
organization and close relationship with the personnel enable him
or her to evaluate the competence of the employees and the
effectiveness of internal controls.
degree, independent checks on performance.
b. Phersen and Collier take opposite and extreme views as to the
credence given to internal control in a small firm. Phersen seems
to treat a small firm in the same manner as he would a large firm,
she completely ignores the possibility of a severe deficiency in the