Assessing Control Risk

We know that control risk, inherent risk and detection risk constitute audit risk. Understanding the various factors of audit risk will help auditors assess the level of risk and identify errors and fraud. In this article, we will discuss why we assess internal control. We will discuss documenting internal controls and assessing controls risk.

Gathering Information to Assess Control Risk

Auditors must gather information about the control environment, general computer controls, and specific control activities. Auditors must gain an understanding of internal control. This is required even if they are not planning to rely on them. Discussions with the client, and examining internal documentation such as policy manuals are some ways of collecting information. We can also collect information about the controls by using one or more of the following methods.

We can undertake a narrative discussion about the policies and controls in place. Secondly, we can use a flowchart model that documents the sequence process flow in the transaction cycle. We can also use an internal questionnaire that asks several questions about the controls in place.

Auditors usually use the questionnaire and flowchart formats.

Process of Assessing Controls

Control chart information is carried forward from year to year. Updates if any are done with no changes to the rest of the document. One or two transactions are carried out to sample and check the effectiveness of the format. This process is called a walkthrough, in which the auditor checks if the documentation of controls matches the actual processes of control used in the client firm.

The auditor audits the control risk for each of the transaction cycles. The audit objectives for each transaction cycle are specified. The key control items within the transaction cycle that best match the audit objectives are identified. A few control items (2-3) are picked to conduct the test for effectiveness or efficiency.

Controls can be manual, computer-assisted or automatic. This also impacts the type of control tests that are conducted. Computer controls have less risk of human error, that often occur in manual controls. If the computer system is robust and efficient, repeat tests are not required. On the other hand, the operating effectiveness of manual controls has to be checked throughout the entire period.

Testing Internal Controls and Offering Recommendations

There are several methods to test internal controls. One method is to ask the client's staff questions. However, it is not a reliable technique for gathering audit evidence. Examination of internal documents is another method. It is a much stronger source of evidence. The objective of testing controls is to seek evidence of performance.