of further audit procedures.
To meet these requirements, the auditor should:
1. Evaluate the design of controls that are relevant to the audit and determine whether the control – either individually or in combination – is capable of effectively preventing or detecting and correcting material misstatements.
2. Determine that the control has been implemented – that is, that the control exists and that the entity is using it.
(AU-C 315.13-14)
The auditor's evaluation of internal control design and the determination of whether controls have been implemented are critical to the assessment of the risks of material misstatement. Remember that even if the auditor's overall audit strategy contemplates performing only substantive procedures for all relevant assertions related to material transactions, account balances, and disclosures, the auditor still needs to evaluate the design of the client's internal control.
NOTE: In evaluating control design, it is helpful to consider:
● Whether control objectives that are specific to the unique circumstances of the client have been considered for all relevant assertions for all significant accounts and disclosures
● Whether the control or combination of controls would – if operated as designed – meet the control objective
● Whether all controls necessary to meet the control objective are in place
When obtaining an understanding about the design of internal controls and determining whether those controls have been implemented, inquiry alone is not sufficient. Thus, for these purposes, the auditor should supplement inquiries with other risk assessment procedures. (AU-C 315.14)
NOTE: To evaluate the design and implementation of internal controls relevant to the audit, the auditor should perform procedures such as:
● Inquiry
● Observation
● Inspection of documentation
● Walk-throughs – tracing transactions through the information systems
(AU-C 315.A76)
Distinguishing between Evaluation of Design and Tests of Controls
Obtaining an understanding of the design and implementation of internal controls is different from testing their operating effectiveness.
● Understanding the design and implementation is required on every audit as part of the process of assessing the risks of material misstatement.
● Testing the operating effectiveness is necessary only when the auditor will rely on the operating effectiveness of controls to modify the nature, timing, and extent of substantive procedures or when substantive procedures alone do not provide the auditor with sufficient audit evidence at the assertion level.
The procedures necessary to understand the design and implementation of controls do provide some limited evidence regarding the operation of the controls. However, the procedures necessary to understand the design and implementation of controls generally are not sufficient to serve as a test of their operating effectiveness for the purpose of placing significant reliance on their operation.
Examples of situations where the procedures the auditor performs to understand the design and implementation of controls may provide sufficient audit evidence about their operating effectiveness include:
● Controls that are automated to the degree that they can be performed consistently provided that general information technology (IT) controls over those automated controls operate effectively during the period.
● Controls that operate only at a point in time rather than continuously throughout the period. For example, if the client performs an annual physical inventory count, the auditor's observation of that count and other procedures to evaluate its design and implementation provide audit evidence that may affect the design of the auditor's substantive procedures.
The required understanding of internal control must include all five components of internal control:
1. The control environment,
2. Risk assessment,
3. Information and communication,
4. Control activities, and
5. Monitoring.
(AU-C 315.A57)
These components may operate at the entity level or the individual transaction level. Obtaining an appropriate understanding of internal control requires the auditor to understand and evaluate the design of all five components of internal control and to determine whether the controls are in use by the client.
Control Environment
The auditor should obtain a sufficient knowledge of the control environment to understand management's and the board of directors' attitudes, awareness, and actions concerning the environment. (AU-C 315.15) Control environment factors include:
1. Communication and enforcement of integrity and ethical values
2. Commitment to competence
3. Participation by those charged with governance
4. Management's philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices
(AU-C 315.A79)
NOTE: The auditor should concentrate on the substance of controls (established and acted upon), not their form.
Risk Assessment
The auditor should obtain an understanding of the entity's procedures for business risk, specifically:
● Identifying the risks
● Estimating significance
● Assessing the likelihood of occurrence
● Deciding on an action plan to address the risk
(AU-C 315.16)
Risks can occur because of the following:
1. Changes in operating environment
2. New personnel
3. New or revamped information systems
4. Rapid growth
5. New technology
6. New business models, products, or activities
7. Corporate restructurings
8. Expanded foreign operations
9. New accounting pronouncements
10. Changes in economic conditions
(AU-C
