Evaluation of control risk at the financial statement
level
LEVEL OF
AGGREGATION |
AUDIT
STAGES |
Client acceptance/
retention |
Audit planning |
Control testing |
Substantive testing |
Opinion
formulation |
Financial
statement level |
CR1 |
na |
na |
na |
CR5 |
In the client acceptance stage, CR1 is initially
evaluated, of necessity, based on a
preliminary knowledge of the client's
business, as opposed to a detailed knowledge. In the opinion
formulation stage, CR5 is based on the auditor's far
more detailed knowledge of the business.
Control risk is evaluated as LOW, MODERATE or HIGH. Evidence in
relation to the evaluation of control risk at the financial
statement level is best described as evidence of the nature of the
control environment influencing the
entity's accounting information system. Any evidence that throws
light on this subject is relevant although, in the case of a new
audit engagement, the information is being gathered prior to the
commencement of the audit, and not all information may be available
to the auditor.
The control environment of a client is considered a reflection
of the various control polices established by the client. Some
control environments, such as those with extensive control
policies, will be conducive to the minimization of inherent risk (a
positive control environment), while others, with few or no control
policies, may do little to reduce inherent risk (a negative control
environment).
The following factors are indicative of a positive control
environment:
- a risk averse management philosophy and operating style.
One way of considering management's operating style would be to
consider the extent of management's aversion to risk. The
management of some entity’s tend to be risk-seeking in
nature, some tend to be risk averse and others lie somewhere in
between. Risk seekers may forgo the expense of establishing control
procedures and accept the increased risk of material misstatements
in the unaudited financial statements, whereas management that is
risk averse may opt for controls, even though it may cost a
significant sum to establish and maintain the controls.
- established organizational policies. For example, a
client that has established lines of responsibility within their
organization, particularly in relation to organizational
independence, and the responsibilities of senior management to
report to, in the case of a corpoartion, the board of directors, may be said to have a more
positive control environment than a client that does not.
- well defined authorization policies. The establishment
of policies relating to the assignment of authority to management
and other employees is evidence of a positive control environment.
An important aspect of the management's authorization policies that may
be gleaned prior to the commencement of the audit is whether there
is an assignment of different levels of authority to the different
levels of management, with ultimate authority resting with the
board of directors (or other persons charged with the governance of the entity).
- the presence of an internal audit function. The
existence of an internal audit function can considerably strengthen
the control environment particularly where the internal auditors
are responsible for the monitoring of the extent to which employees
adhere to established control procedures. This information may be
elicited prior to the commencement of the audit.
- well defined information technology policies. Where
policies exist over the design, operation and control of
information within the client, the control environment is
strengthened.
- well defined human resource policies. Where human
resource policies exist that aim to improve the competence of
management and other staff, such as staff recruitment and training
policies, the environment in which internal controls operate is
more likely to be positive.
- the existence of a well-defined risk assessment process. Where management identify risks relevant to the financial reporting process, evaluate and take appropriate action to minimize the risks, the environment in which internal controls operate is
more likely to be positive.
- the existence of an independent audit committee. An
audit committee is a committee comprising a majority of independent
non-executive members of the board of directors to which has been
assigned the oversight of the financial reporting and auditing
process. The existence of an audit committee strengthens the
control environment.
For existing clients, much of this information will be available
from prior year's working papers or from knowledge held by the
auditor and staff employed on previous engagements. However,
auditors also consider any changes in policies or philosophy since
the previous year.
See the Journal of Accountancy article Evaluate the Control Environment.
Control risk at the financial statement level is evaluated as
LOW when the control environment is wholly positive, as MODERATE
when partly positive and as HIGH when the control environment is
either negative or not known to be positive.
Copyright, Australian Educational Research
Pty Ltd. Any person accessing this site agrees to the
Terms of Use.
