Without properly understanding controls, an auditor may not identify risks associated with the client’s internal controls and therefore may not design and implement appropriate responses. By analyzing the results of hundreds of peer reviews, we have detected trends that are leading to noncompliance with AU-C sections 315 and 330. Here are the most common missteps in practice detected through that analysis and ways to avoid them.
Misstep No. 1: Assuming the client has no controls
Auditors of less complex entities often assume that their client has no controls in place. While their controls may not be sophisticated or documented, virtually all clients have controls over financial reporting.
Misstep No. 2: Not understanding which controls are relevant to the audit
Control activities relevant to the audit include those that the auditor judges necessary to understand in order to assess the risks of material misstatement at the assertion level. Other controls relevant to a given audit will vary, depending on the client’s size, complexity, and nature of operations.
Misstep No. 3: Stopping after determining whether controls exist
Different procedures can all provide evidence that controls were properly designed and implemented and are functioning as intended; however, it is important to understand that directing inquiries at client personnel alone is not sufficient for these purposes.
Misstep No. 4: Improperly assessing control risk
Evaluating control design and implementation is not the same thing as testing the operating effectiveness of those controls. Many auditors confuse the terms “implementation” and “operating effectiveness,” but as paragraph .A77 of AU-C Section 315 states, “obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit.”
Misstep No. 5: Failing to link further procedures to control-related risks
Understanding a client’s internal control gives auditors insight into the testing needed to assess management’s assertions