Some steps to risk assessment are essential. Following are the steps taken by the auditor for making an assessment of control risk:
5 steps to risk assessment
- Step#l: Consider knowledge acquired from procedures to obtain an understanding.
- Step#2: Identify potential misstatements
- Step#3: Identify the necessary controls
- Step#4: Perform tests of controls
- Step#5: Evaluate the evidence and make the assessment
Step#l: Consider knowledge acquired from procedures to obtain an understanding
The auditor performs procedures to obtain an understanding of relevant internal control structure policies and procedures for significant financial statements assertions. S/he documents the understanding in the form of completed internal control questionnaires, flowcharts and narrative memorandum.
For policies and procedures relevant to particular assertions, the auditor carefully considers the Yes, No, and N/A responses and written comments in the questionnaires and the strengths and weaknesses noted in the flowcharts and narrative memorandum. Analysis of this documentation is the starting point for assessing control risk.
Step#2; Identify potential misstatements
Most audit firms have developed checklists that enumerate the types of potential misstatements that could occur in specific assertions.
And some audit firms use computer software for this purpose. Using either the checklists or the computer software aid and his/her understanding of the entity’s internal control structure, the auditor identifies the potential misstatements applicable to specific assertions given the entity’s circumstances.
Potential misstatements may be identified for assertions pertaining to each major class of transactions and for assertions pertaining to each significant account balance.
Step#3: Identify necessary controls
Whether by using computer software that processes internal control questionnaire responses or manually by using checklists, auditors can identify necessary controls that could likely prevent or detect specific potential misstatements. In some cases, several controls may pertain to a given potential misstatement.
In other cases, a single control may apply. In addition, a single control may pertain to more than one type of potential misstatement. Specifying necessary controls also requires consideration of circumstances and judgment.
Thus, the auditor must assimilate information about a wide variety of possible control policies and procedures related to any of the 1CS components in considering the risk of potential misstatements in particular assertions.
Step#4: Perform tests of controls
In determining the tests to be performed, the auditor considers the types of evidence that will be provided and the cost of performing the test. The tests include selecting sample and inspecting related documents, inquiring of client personnel, observing client personnel performing control procedures, and the auditor’s reperformance certain controls.
The results of each test of controls should provide evidence about the effectiveness of the design and/or operation of the related necessary control. Once the tests to be performed have been selected, it is customary for the auditor prepare a formal written audit program for the planned tests of controls.
Step#5; Evaluate evidence and make assessment
The final assessment of control risk for a financial statement assertion is based evaluating the evidence gained from (i) procedures to obtain an understanding relevant internal control structure policies and procedures and (ii) related test: controls. Based on the nature of the procedures performed, the information obtained might be in the form of any combination of documentary, electronic, mathematical oral, or physical evidence.
When different types of evidence support the s conclusion about the effectiveness of a control, the degree of assurance increases. Conversely, when they support different conclusions, the degree of assurance decreases.
You May Like Also:
- Relationships among audit risk components
- Audit risk model for planning
- Interrelationship among Materiality, Audit Risk and Audit Evidence
- Internal Control: Accounting Administrative Controls
- Components of Internal Control Structure
- Assessment of Control Risk