Assessment of control risk and testing of internal controls are the most important parts of the audit

“The overall objective of a financial statement audit is the expression of an opinion on whether the entity’s financial statements give a true and fair view”– Cosserat (2000).

When conducting an audit the auditor must continually bear in mind the overall objectives of the assignment which is usually the issue of an audit report, in accordance with IAS`s and national legislation. For example when using the ACCA guidelines, it is necessary to consider whether;

– proper accounting records have been kept
– all explanations and information has been received
– otherwise undisclosed matters (mainly directors remuneration) have been included
– there are any inconsistencies between the financial statements and the director’s report.
There may also be requirements relating to corporate governance and other special requirements of the client.

In order to carry out the audit successfully, the auditor must plan the scale of their work and assess the client company before it does this. This planning stage is critical to the whole outcome of the audit, as it will highlight any potential weak areas and any threats to the correct opinion being formed.

Planning and audit risk

Audit risk could be defined as the risk that the auditor gives an inappropriate audit opinion. Some level of audit risk will have to be accepted. In practice a firm will quantify its acceptable level of audit risk. The risk of a misstatement comprises of inherent risk (IR) and control risk (CR).

Total audit risk (AR) is the risk of misstatement and the risk that the auditor’s procedures will not discover it (detection risk (DR)). As a formula this can be expressed as: AR = IR x CR x DR.

Although it is the auditor’s judgement that is always used to determine the value to be placed on these items- there is no set rule that the auditor can follow. This is true in my experience and this audit risk formula is rarely used in practice- at the higher level, it is widely regarded as a gimmick which has no use in the real world and is no more than a useful introduction into the world of audit planning. In reality it is very difficult to capture the risks under these specific headings and often the audit company will have its own methods of risk assessment.

ISA 315 requires the auditor to perform the following risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control:

-Inquires of management and others within the entity
-Analytical procedures
-Observation and inspection.

From personal experience, it is this planning stage that “makes or breaks” the audit. If the planning has been done correctly, it will save so much effort in the long run. The initial assessment of the client company will form the basis of the time, skills and personnel required to give the best result.

Control Risk

In order to assess control risk, the auditors need to obtain an understanding of the accounting system and the control environment.

An understanding of the control system enables the auditor to identify the major classes of transactions in the entity’s operations in that they can highlight any of the larger and more material figures. For example a company with a high Fixed Asset figure on the balance sheet may need an audit approach concentrated on this area to determine that the figures reported can be traced back to physical assets and that they are valued correctly. Understanding the control system also should show how such transactions are initiated. This may be in the form of asset additions forms, which have to be signed off at an operational level. At a more basic level, it may show how cheques are raised and then passed for authorisation.

This understanding also helps identify how and where any significant accounting records are kept, the supporting documents that go with them and any authorisation procedures. It is essentially a walkthrough process mapping the accounting and financial reporting process from the initiation of significant transactions and other events to their inclusion in the financial statements.

An understanding of the control environment enables the auditors to assess the likely effectiveness of control procedures. A strong control environment for example one with strong budgetary controls and effective internal audit function increase the effectiveness of control procedures. In a company I used to work for, the key aim at period end was to “ensure we hit forecast.” This led to a number of management overrides and reclassifications that as a result of poor internal controls were allowed to happen. Clearly this would not show the true picture as often successful months were brought back in line with forecast and poor months were bulked up. This is common in many small companies or in particular where managers are judged on results. Subsequently in our case, the year-end audit highlighted a number of weak controls and meant a large swing in the final reported numbers.

After obtaining an understanding, the auditors then make a preliminary assessment of control risk.

The preliminary assessment of control risk is the process of evaluating the likely effectiveness of an entity’s accounting and internal control systems in preventing and correcting material misstatements. There is always some control risk because of the inherent limitations of any internal control system (Cosserat, 2000)

For example, although many IT systems can now filter out errors and mistakes, many human errors or keying input mistakes can not be captured and it is inevitable that mistakes will be made. The characteristics of good internal control will be one that minimizes the potential for these mistakes.

Internal Controls

Examples of a company’s internal controls can range from passwords on their IT equipment to the procedure to authorize payments. These clearly need to be strong to ensure the figures reported in the accounts are an accurate reflection of what is happening within the company. Weak internal controls should immediately set the auditors radar or suspicion levels high as this could mean a lack of care or quality has manifested in the company hence increasing the audit risk.

The more effective the entity’s accounting and internal control systems are assessed to be, the lower the auditors assessment of control risk. Where the auditors obtain satisfactory audit evidence from tests of control as to the effectiveness of the accounting and internal control systems, the extent of substantive procedures may be reduced.

The auditors may conclude that the accounting and internal control systems are not effective or that it is likely to be inefficient to adopt an audit approach which relies on tests of control. In these circumstances the auditors plan the audit approach as if they had made an adverse preliminary assessment of control risk and sufficient appropriate audit evidence needs to be obtained entirely from substantive procedures. The auditors should then plan tests of control (i.e. compliance tests) to support that assessment, carry out those tests and then determine whether the preliminary assessment of control risk is supported. If the auditors assess control risk as high and adopt the predominantly substantive approach they have reason to suppose that one or more of the following assumptions are appropriate:

– There are no significant control procedures that support the assertion
– Any relevant control procedures are unlikely to be effective or
– It would not be efficient to obtain evidence to evaluate the effectiveness of relevant control policies or procedures.

In making this decision, the auditors consider the costs of performing the higher level of substantive procedures required by the predominantly substantive approach to be less than the combined costs of performing sufficient testes of control to support a lower assessed level of control risk approach and the reduced level of substantive procedures that would be appropriate assuming a lower control risk assessment were supported. (Cosserat, 2000).

These additional tests on the internal control will highlight the weak areas. It can be said that a company with adequate internal controls should find themselves subjected to a “gentle” audit. In fact it is amazing to see the difference between an auditor carrying out work on a client they know (or sometimes just believe) have adequate internal controls compared to a client they may look at with professional skepticism. Often small tasks of reviewing balances can be “ticked off” in minutes compared to opening up a can of worms in a firm that cannot explain its procedures. It is this perception that is crucial to the efficiency of the audit and a company with strong accounting records and an audit trail will always find itself under the sympathy of the auditor.

To suggest that these issues are the most important aspects of an audit would be a little unfair on the audit manager who spends time assigning the correctly skilled staff, or the time spent in discussion with management on key issues or even the general documentation of the working papers. As a whole package the audit is made up of so many areas that without all working together, it would not create a report of sufficient standard.

Conclusion

In conclusion, it is clear that the assessment of Control risk and the testing of internal controls are very important elements of an audit. From personal experience I have shown that this planning stage and gaining knowledge of how the company operates helps efficiency in the long term as it identifies any potential problems and helps the auditor focus on areas of weakness and potential threat to the audit opinion.

However, I personally would not say they are the most important parts. A successful audit requires planning in all areas from staff allocation, time, professional knowledge and without all of these ingredients it can not be possible to say with conviction that the results and therefore audit opinion are true and fair. Although important, having good knowledge of the internal controls of a client does not mean the audit will be carried out successfully so it is very difficulty out single out these without at least contemplating the other issues. I think it would be irresponsible to agree with the briefs title indefinitely as this may convey the opinion that the other “ingredients” are not as important when in fact I believe they are.

On a final point though, I would conclude by saying that the planning of an audit which includes an assessment of control risk, testing internal controls and an overall assessment of the audit risk are extremely important as this sets the tone for that particular assignment