Chapter 9 reading guide

Question 1

What are the three tools used to document our understanding of internal controls and their design
effectiveness?

Answer 1

1. Narratives
   - written description of client’s internal controls
2. Flowcharts
   - Diagrammatic representation showing how transactions flow through the system
3. Internal Control Questionnaires (ICQs)
   - A series of structured questions about controls in each audit area, gives auditor better understanding of the system

Question 2

Describe what the auditor does to evaluate the design effectiveness of internal controls. 4

Answer 2

1. Perform risk assessment procedures (inspection, inquiry, observation, reperformance)
2. document and analyze the system (narratives, flowcharts, ICQ)
3. Identifying strengths and weaknesses
4. Assess Control Deficiencies
   - control deficiency, significant deficiency, material weakness

Question 3

Define the three levels of absence of controls, as per CAS 265. How do the concepts of likelihood and
significance impact this concept?

Answer 3

the 3 levels are

1. Control Deficiency
2. Significant Deficiency
3. Material Weakness

likelihood - probability that a misstatement will occur and not be detected or corrected

significance - potential magnitude of the misstatement that could result if the control fails

Question 4

minor weakness, likelihood and significance level and type of defeciency

Answer 4

low likelihood and low significance, control deficiency

Question 5

more serious weakeness likelihood and significance level and type of defeciency

Answer 5

moderate likelihood and significance, significant defeciency

Question 6

what happens when there is high likelihood and high significance

Answer 6

material weakness

Question 7

definition of control defeciency, reporting requirement for it

Answer 7

exists when the design or operation of a control does not allow management or employees to prevent, or detect and correct misstatements on a timely basis,

usually communicated to management only

Question 8

significant defeciency definition and reporting requirement

Answer 8

control deficiency that is important enough to merit attention by those charged with governance (e.g audit committee)

reported to those charged with governance

Question 9

Definition of material weakness, who should it be reported to

Answer 9

significant defeciency that results in a reasonable possibility that material misstatement in the financial statements will not be prevented or detected in a timely manner

must be reported to both management and the board/ audit committee

Question 10

What is the combined audit approach?

Answer 10

combined audit approach: auditor plans to rely on internal controls to reduce substantive testing

The auditor performs both tests of controls and substantive procedures

Question 11

What is the substantive audit approach?

Answer 11

Substantive audit: when the auditor does not rely on controls and instead obtains audit assurance entirely from substantive procedures

tests of details

substantive analytical procedures

Question 12

In what circumstances would
the auditor choose to assess control risk as high and use a substantive approach? 5

Answer 12

controls are weak, nonexistent or poorly designed

control deficiencies are identified that cannot be mitigated

management lacks integrity or entity is not auditable

control testing would not be effecient (cost>benefit)

entity is small or owner managed

Question 13

Describe how key controls are tested.

Answer 13

key contorls are those that have the greatest impact on preventing or detecting material misstatements

Question 14

What methods of testing are used (key controls)?

Answer 14

inquiry

inspection

observation

reperformance

test data approach

Question 15

test data approach decription and prupose

Answer 15

for IT systems

input dummy data into client system to see whether the program properly processes it

purpose: validates automated control logic