Assessing Control Risk

We know that control risk, inherent risk and detection risk constitute audit risk. Understanding the various factors of audit risk will help auditors assess the level of risk and identify errors and fraud. In this article, we will discuss why we assess internal control, how internal controls are documented, and how control risk is assessed.

Gathering Information to Assess Control Risk

Auditors must gather information about the control environment, general computer controls, and specific control activities. Auditors must gain an understanding of the internal controls, even if they are not planning to rely on them. Discussions with the client and examination of internal documentation such as policy manuals are some ways of collecting information. We can also collect information about the controls by using one or more of the following methods.

First, we can write a narrative description of the policies and controls in place. Secondly, we can use a flowchart model that documents the sequence of the process flow in the transaction cycle. We can also use an internal questionnaire that asks several questions about the controls in place.

Auditors usually use the questionnaire and flowchart formats.

Process of Assessing Controls

Control chart information is carried forward from year to year. Updates, if any, are made without changing the rest of the document. One or two transactions are sampled and traced through to check the effectiveness of the format. This process is called a walkthrough, in which the auditor checks whether the documentation of controls matches the actual control processes used in the client firm.

The auditor audits the control risk for each of the transaction cycles. The audit objectives for each transaction cycle are specified. The key control items within the transaction cycle that best match the audit objectives are identified. A few control items (2-3) are picked to conduct the test for effectiveness or efficiency.

Controls can be manual, computer-assisted or automatic. This also affects the type of control tests that are conducted. Computer controls carry less risk of the human error that often occurs in manual controls. If the computer system is robust and efficient, repeat tests are not required. On the other hand, the operating effectiveness of manual controls has to be checked throughout the entire period.

Testing Internal Controls and Offering Recommendations

There are several methods to test internal controls. One method is to ask the client's staff questions. However, it is not a reliable technique for gathering audit evidence. Examination of internal documents is another method. It is a much stronger source of evidence. The objective of testing controls is to seek evidence of performance.

Let’s take the case of a clerk in a warehouse disbursing a payment by cheque. The documents to be checked before doing so are a receiving report, a purchase order, and a purchase invoice. Here, the auditor will check whether this is in fact being done routinely and whether a three-way match exists.

Another way to test a control is to observe the performance of the control activity. This testing works for undocumented controls, but it cannot verify whether the process is conducted each time throughout the audit period.

In the case of automated data, test controls include 1) feeding dummy data to the system and 2) seeing if it processes the data as per the control documentation.

Finally, auditors can also conduct performances to test controls. Here, instead of simply checking for evidence of the data, the tests are actually performed by the auditors to check the efficacy of the controls.
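The three-way match from the warehouse example, performed by the auditor over a sample of cheques instead of only inspecting for evidence that the clerk did it. This is an added example, not part of the original article; the records are constructed and every field name is an assumption.

```python
from decimal import Decimal

# Constructed sample documents (not client data); all field names are assumptions.
PURCHASE_ORDERS = {
    "PO-1001": {"vendor": "V-01", "qty": 100, "unit_price": Decimal("4.50")},
    "PO-1002": {"vendor": "V-02", "qty": 50, "unit_price": Decimal("12.00")},
    "PO-1003": {"vendor": "V-03", "qty": 10, "unit_price": Decimal("30.00")},
}
RECEIVING_REPORTS = {"PO-1001": 100, "PO-1002": 40}  # PO number -> quantity received
INVOICES = {
    "INV-501": {"po": "PO-1001", "vendor": "V-01", "qty": 100, "amount": Decimal("450.00")},
    "INV-502": {"po": "PO-1002", "vendor": "V-02", "qty": 50, "amount": Decimal("600.00")},
    "INV-503": {"po": "PO-1003", "vendor": "V-03", "qty": 10, "amount": Decimal("300.00")},
}
DISBURSEMENTS = [
    {"cheque": "CHQ-9001", "invoice": "INV-501", "amount": Decimal("450.00")},
    {"cheque": "CHQ-9002", "invoice": "INV-502", "amount": Decimal("600.00")},
    {"cheque": "CHQ-9003", "invoice": "INV-503", "amount": Decimal("300.00")},
    {"cheque": "CHQ-9004", "invoice": "INV-599", "amount": Decimal("75.00")},
]

def three_way_match(disb):
    """Return the exceptions for one cheque; an empty list means the match holds."""
    inv = INVOICES.get(disb["invoice"])
    if inv is None:
        return ["no purchase invoice on file"]
    exceptions = []
    po = PURCHASE_ORDERS.get(inv["po"])
    received = RECEIVING_REPORTS.get(inv["po"])
    if po is None:
        exceptions.append("no purchase order on file")
    else:
        if inv["vendor"] != po["vendor"]:
            exceptions.append("invoice vendor differs from purchase order")
        if inv["qty"] > po["qty"]:
            exceptions.append("invoiced quantity exceeds quantity ordered")
        if inv["amount"] != inv["qty"] * po["unit_price"]:
            exceptions.append("invoice amount differs from purchase order price")
    if received is None:
        exceptions.append("no receiving report on file")
    elif inv["qty"] > received:
        exceptions.append("invoiced quantity exceeds quantity received")
    if disb["amount"] != inv["amount"]:
        exceptions.append("cheque amount differs from invoice amount")
    return exceptions

def reperform(disbursements):
    """Run the match on every sampled cheque and return only the deviations."""
    results = {d["cheque"]: three_way_match(d) for d in disbursements}
    return {cheque: exc for cheque, exc in results.items() if exc}
```

Each cheque returned by `reperform(DISBURSEMENTS)` is a deviation from the documented control, listed with the reason the match failed.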

The auditor can decide how much to test the controls based on their assessment of the control risk of the firm. If control risk is assessed as low, the testing needs to be extensive enough to support that assessment with evidence.

Auditors must also check for a compensating control in the absence of a key control. If it exists elsewhere, it can be used. If such a control does not exist and there is a control gap, it needs to be documented on a separate working paper. The working paper will report the problems that can arise from such misstatements and the effect they can have on the evidence. It is also called a control matrix working paper.

Significant control gaps are reported in an internal letter to the audit committee or its equivalent. The letter states the deficiency, explains its implications and offers recommendations to close the control gap.

In implementing these measures, the auditor aims at reducing control risk to the point that it is not significant. If, however, the auditor assesses and finds control risk very high, they have to conduct a substantive assessment.

High control risk points to processes not being followed. This means either that the controls need to be redesigned to better match actual processes on the ground, or that there is a wilful deviation by the management from prescribed controls.

The auditor must flag this and undertake an independent assessment and testing of existing processes to reduce audit risk. This method is more time-consuming and difficult, but imperative for the auditor to undertake.