Auditor's risk assessment procedures should include what? (3)
3-observation and inspection
Risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity's ability to achieve its objectives and execute its strategies or from the setting of inappropriate objectives and strategies
A function of the desired level of overall audit risk and the assessed levels of inherent and control risk
acceptable level of detection risk
Can the auditor's preliminary assessments of inherent and control risk change as the audit work continues?
The relationship between acceptable level of detection risk, control risk, inherent risk and the assurance provided by substantive tests is
inverse for detection and direct for control and inherent
What is the relationship between control and acceptable level of detection risk
Inverse. Acceptable level of detection risk affects substantive testing
When the inherent and control risk are low, what is the effect on audit and detection risk?
HIGH detection, LOW audit risk
When inherent and control risk are high, what is the effect on audit and detection risk?
LOW detection , LOW audit
PSA 315 states that internal controls are designed and implemented to achieve the entity's objectives with regard to (3)
1-reliability of financial reporting
2-effectiveness and efficiency of operations
3-complaiance with applicable laws and regulations
5 components of entity's internal controls
2-entity's risk assessment process
3-information and communication
5-monitoring of controls
The use of IT in internal control allows an entity to
1-consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions and data
2-enhance the timeliness availability and accuracy of information
3-facilitate additional analysis of information
4-enhance the ability to monitor the performance of the entity's activities and its policies and procedures
5-reduce the risk that control will be circumvented
6-enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases and operating systems.
This involves considering whether the control, individually or in combination with other controls is capable of effectively preventing o detecting and correcting material misstatements
evaluating the design of the control
This means that the control exists and that entity is using it
implantation of control
Risk assessment procedures to obtain an understanding of controls relevant to the audit include (4)
4-tracing transactions thru the information system to financial reporting (reperformance)
PSA 315 requires the auditor to perform risk assessment procedures at what level?
assertion and financial statement level
Are audit procedures designed to evaluate the operating effectiveness of controls in preventing, detecting and correcting material misstatements at the assertion level
The foundation for all other internal control components. PSA 315 states that this includes the governance and management functions and the attitudes awareness and actions of those charged with governance and management concerning the entity's internal control and its importance to the entity. It sets the tone of the organization influencing the control consciousness of the people.
What are the elements of a control environment?(7)
1-communication and enforcement of integrity and ethical values
2-commitment to competence
3-participation by those charged with governance
4-management's philosophy and operating style
6-assignment of authority and responsibility
7-human resource policies and practices
The component of internal control which communicates prospective roles and responsibilities to employees as well as the use of training policies.
Are manual or automate procedures that typically operate at a business process level and apply to the processing of transactions by individual applications
Monitoring activities which are built into the normal recurring activities of an entity and include regular management supervisory activities such as reviewing the purchasing function
ongoing monitoring activities
Internal audit function is part of what element of an internal control?
Are policies and procedures that help ensure that management directives are carries out. They are intended to ensure that necessary actions are taken to address risks that threaten the achievements of an entity's objectives
What are the 5 specific controls which relate to Control Activities?
5-segregation of duties
The primary criterion in designing an internal control
What are the inherent limitations of an internal control?
Management override, Mistakes in judgment and Collusion
Are incompatible functions inherent limitations in an internal control?
NO. This is a failure to segregate functional responsibilities properly
In obtaining an understanding of an entity's internal control, an auditor is required to (3)
1-knowledge of the design and whether they have been implemented
2-document understanding of the entity's internal control procedures
3-peform procedures to evaluate the design of controls
Under PSA 330, Auditor�s responses to assessed risks, the auditor is required to perform tests of controls when (2)
1-his risk assessment includes an expectation of the operating effectiveness of the IC 2-substantve procedures are not sufficient
Testing the operating effectiveness of controls includes obtaining audit evidence about (3)
1- how they are applied
2-if they are consistently applied
3-by whom or by what means they are applied
The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that
material misstatements exist in the financial statements
The auditor ordinarily assesses control risk high when (2)
1-IC is not effective
2-evaluating the effectiveness of IC is not efficient
Control risk is assessed in terms of
Financial Statement Assertions
The process of evaluating the effectiveness of an entity's internal control in preventing or detecting and correcting material misstatements
Assessment of Control risk
The basis for an auditor's conclusions about the assessed level of control risk need not be documented unless the control risk is assessed at what level?
MINIMUM. If maximum, not required
Under PSA 330, if an auditor plans to use the audit evidence about the operating effectiveness of controls obtained in prior audits, the auditor is then required to
obtain audit evidence about whether changes in those specific controls have occurred subsequent to the prior audit. He may then perform inquiry in combination with observation or inspection
Under PSA 330, if an auditor plans to rely on controls that have changed since they were last testes, the auditor is required to
test the operating effectiveness of such controls in the current audit
Is audit evidence of operating effectiveness of IC at a point in time sufficient for the auditor's purpose?
Not All the time. It may be only sufficient for applicable purposes such as when testing controls over physical inventory count at year end
*Tests of controls at a particular time may provide evidence of operating effectiveness throughout the period and vice versa.
FALSE. TOC at a particular time provides evidence of operating effectiveness of IC at that time while TOC throughout the period provides evidence for that period and not vice versa.
The length of time period between retesting controls that have not changed since they were last tested is how many years?
A matter of professional judgment, but should not exceed 2 years, therefore they must be tested at least once every 3rd audit
What procedures are performed by the auditor who wants to detect material misstatements at the assertion level?