Question

1a. What is the auditor's responsibility for obtaining an understanding of internal control? What do you feel some of the best ways are to gain this understanding? How does that responsibility differ for audits of public and nonpublic companies, and how does information technology play a factor in this?

2b. What factors will an auditor likely consider when determining the types and timing of audit procedures?

Answer 1

In all audits, the auditor should obtain an understanding of internal control sufficient to plan the audit by performing procedures to understand the design of controls relevant to an audit of financial statements and determining whether they have been placed in operation. In obtaining this understanding, the auditor considers how an entity’s use of information technology (IT) ^{fn 2} and manual procedures may affect controls relevant to the audit. The auditor then assesses control risk for the relevant assertions embodied in the account balance, transaction class, and disclosure components of the financial statements. Regardless of the assessed level of control risk, the auditor should perform substantive procedures for all relevant assertions related to all significant accounts and disclosures in the financial statements.

The auditor may determine that assessing control risk below the maximum level ^{fn 3} for certain assertions would be effective and more efficient than performing only substantive tests. In addition, the auditor may determine that it is not practical or possible to restrict detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such circumstances, the auditor should obtain evidential matter about the effectiveness of both the design and operation of controls to reduce the assessed level of control risk. Such evidential matter may be obtained from tests of controls planned and performed concurrent with or subsequent to obtaining the understanding. ^{fn 4} Such evidential matter also may be obtained from procedures that were not specifically planned as tests of controls but that nevertheless provide evidential matter about the effectiveness of the design and operation of the controls. For certain assertions, the auditor may desire to further reduce the assessed level of control risk. In such cases, the auditor considers whether evidential matter sufficient to support a further reduction is likely to be available and whether performing additional tests of controls to obtain such evidential matter would be efficient.

Alternatively, the auditor may assess control risk at the maximum level because he or she believes controls are unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of controls would be inefficient. However, the auditor needs to be satisfied that performing only substantive tests would be effective in restricting detection risk to an acceptable level. When evidence of an entity’s initiation, recording, or processing of financial data exists only in electronic form, the auditor’s ability to obtain the desired assurance only from substantive tests would significantly diminish.

Factor that auditor considers while determining types and timing of Audit procedures

• The entity's size.
• The entity's organization and ownership characteristics.
• The nature of the entity's business.
• The diversity and complexity of the entity's operations.
• Applicable legal and regulatory requirements.
• The nature and complexity of the systems that are part of the entity's internal control, including the use of service organizations.