Some auditors automatically take a substantive approach to the audit, effectively setting control risk at the maximum level. Others may assess control risk at too low a level. The complexity of a control environment, the extensiveness of documentation that often describes it, and the reliance that must be placed on professional judgment when weighing the contribution of each control element toward the reduction of control risk, contribute to the problem of arriving at an appropriate control risk assessment.

Under an approach we developed to simplify and systematize the control risk assessment, the two principal documents for evaluating internal control structure are an application flowchart and a control procedures listing (CPL). Both documents are discussed below.

The Process

The auditor's preliminary assessment of control risk is based on a process in which an accounting application is defined and described, and the control procedures are identified and located within the application. This process may be summarized as follows:

* The client's system documentation and responses to auditor inquiries define the application process. These are sometimes summarized in an application narrative.

* The auditor prepares an application flowchart and, with the aid of the CPL, identifies the application's control procedures, thus documenting his or her understanding, as required by SAS No. 55.

* The auditor preliminarily assesses control risk, by assertion, and decides whether to perform a test of controls. If the auditor decides not to test controls, control risk is set at or near the maximum.

The Control Procedures Listing

A properly designed CPL, which is a refinement of the more familiar internal control questionnaire (ICQ), includes the following features:

TABULAR DATA FOR TABLE 1 OMITTED

* Is organized by financial statement assertion, with emphasis on the existence, completeness, and valuation assertions.

* Identifies only those procedures capable of functioning as control procedures in support of the assertion under which they are listed.

* Includes control procedures relevant to most systems.

* Includes both manual and EDP control procedures in the same document.

* Provides for a cross-reference to a narrative or flowchart to enable the auditor to locate the control.

TABLE2

IMPACTOFCONTROLCOMPONENTONFINANCIALSTATEMENTASSERTION

ControlComponentExistenceCompletenessValuation

SegregationofdutiesXXX

AuthorizationXX

DocumentationXXX

SafeguardsX

IndependentchecksXXX

The CPL lists procedures which, if included in the client's system, could prevent and/or detect misstatement in TABULAR DATA FOR EXHIBIT 1 OMITTED an assertion related to a specific cycle or account balance. Thus, the CPL is organized to enable the auditor to identify control procedures and to consider directly their impact on financial statement assertions.

The auditor indicates on the CPL two key pieces of information with respect to each listed control procedure:

* Whether or not the listed procedure is in place; and

* Where in the transaction process the procedure is performed.

Because the CPL identifies control procedures that should be included in a well-designed system, it can be used effectively by less-experienced staff. Documentation, as well as an auditor's thought process, can be improved by the use of a CPL.

The Role of the Flowchart

An internal control flowchart may be the auditor's best tool for establishing the adequacy of transaction documentation and segregation of duties. Thus, the ability to interpret a flowchart is important to assessing control risk. It will help the auditor identify all prevent/detect control procedures. A well-prepared flowchart will -

* identify the source and disposition of all documents in the accounting application;

* be organized by functional area, so as to permit identification of authorization, custody, and recording functions (It delineates functional responsibility for all aspects of transaction processing.);

* identify all relevant procedures performed on a transaction; and

* identify all existing control procedures for preventing or detecting errors and irregularities.

The auditor develops or obtains an application flowchart prior to completing a CPL. Flowcharts are constructed from client documents or from inquiries and are verified by walkthroughs. Procedures identified in the CPL listing may then be located in the flowchart (or narrative), if they exist. In this way, the auditor determines if controls are in place and documents that determination.

Although we have discussed flowcharts, our remarks apply also to application narratives, which may provide sufficient descriptions of simpler applications.

When Control Procedures Are Net Located

The auditor will not always be able to locate all listed procedures on the flowchart. Possible explanations are -

* the control does not exist (even though it is relevant);

* the control is described in the flowchart for a different, but related, application; or

* the flowchart is inaccurate.

Inquiry should determine which of the above is the case. If listed procedures are not identified, control risk should not be assessed at a low or moderate level for the related assertion.

How Many Control Procedures Are Sufficient?

A preliminary assessment of control risk is often made prior to the performance of tests of controls. Tests of controls provide the basis for the auditor's determination of effectiveness in operation. How many controls, then, should an auditor test?

Sometimes only one effective control procedure is sufficient to prevent or detect misstatements and to justify reduction of control risk for the affected assertion. Identifying such a control procedure is key to the conduct of an efficient audit. If the client's system has several procedures in place, each of which supports a particular assertion, it remains a matter of judgment as to how many and what control procedures an auditor would consider to be "key" and therefore the subject of testing. If the controls function independently, control risk can be substantially reduced to the extent all control procedures are found to be effective, thus gaining efficiency as the auditor adjusts the nature, timing, or extent of substantive tests. If, however, the auditor identifies several control procedures related to an assertion, all of which must be functioning in order to prevent or detect misstatements, the auditor would need to test all of them. For example, in an examination of the revenue cycle, the existence assertion would be supported by at least two controls - one to ensure sales transactions arc authorized in accordance with company policies, the other to ensure billing occurs only after shipping.

Preliminary Assessment of Control Risk

The auditor's assessment of control risk depends on control effectiveness - the more effective the control, the lower the risk. Unless control risk is based entirely on the results of a statistical sampling procedure (which, in our experience, is rarely the case), it is difficult to measure the appropriate control risk level. Control risk assessment depends almost exclusively on the exercise of auditor judgment. Rules of thumb can aid the auditor by associating arbitrarily specified ranges of risk levels with judgments as to control effectiveness. Three factors affect the risk assessment:

* Whether sufficient procedures exist to prevent or detect errors or irregularities;

* The auditor's prior experience with the performance of controls (that is, whether the procedures have previously performed as designed); and

* The auditor's assessment of the control environment.

Table 1 illustrates how an auditor's preliminary assessment of control effectiveness can be related to control risk by means of the auditor's internal control findings. If the control environment is conducive to effective control, the auditor will use the lower (more favorable) end of the risk range for a given level of control effectiveness; otherwise, the auditor will choose the higher end of the range.

The results of the auditor's tests of controls determine whether support exists for the auditor's preliminary assessment. If the auditor decides controls are not effective, the auditor should not test them. Otherwise, if controls appear to be at least moderately effective, testing through rigorous use of inquiry, observation, and walk-through of a minimal number of transactions would be appropriate. The auditor may also decide to use audit sampling. If a walk-through procedure is used, the auditor might consider selecting three of each kind of transaction - one at the beginning of the audit period, one during the period, and one at the end of the period. This helps the auditor determine whether the control process has been in effect throughout the period. Under our approach, these procedures involve more than gaining an understanding of the system; they provide support for the auditor's risk assessment.

We do not advocate a "cradle-to-grave" approach, under which a transaction is tracked through every step of the transaction process. Instead, we advise focusing exclusively on the relevant control procedures. An auditor's inquiries should emphasize three determinations -

* how errors and irregularities occur;

* how resulting misstatements are corrected; and

* how often detected misstatements occur (although error prevalence may best be quantified by sampling).

EDP General Controls Evaluation

The CPL will include relevant EDP control procedures for an application. We recommend, however, the auditor do a separate evaluation of EDP general control procedures, because weak general controls may nullify even the strongest application controls. An example is a company's failure to properly restrict access to an online system. If the auditor decides general controls are weak, application control risk related to EDP controls procedures in the CPL would be evaluated at maximum. This assessment might not necessitate a maximum control risk for the assertion if manual control procedures listed for the same assertion are effective.

Control procedures involve authorization, physical safeguards, segregation of duties, independent checks, and adequate documentation (AU 319.11). Each of these categories affects financial statement assertions; a client's maintenance of adequate documentation also affects auditability of an accounting application. The impact of these categories on the financial statement assertions is indicated in Table 2. When testing control procedures, many auditors design audit tests only for the existence, completeness, and valuation assertions. Generally, the rights and obligations and presentation assertions are audited by reviewing documents and by using comprehensive checklists.

Documentary Evidence - Some Advice

Any functional area that acts on a transaction in some way should produce a documentary record of its action, which would be indicated on the flowchart. Documentary evidence provides the basis for obtaining assurance with respect to all assertions. Two assertions, existence and completeness, are particularly dependent on documentary matter, because a trail of documentary evidence enables the auditor to perform two key procedures - vouching and tracing. Vouching provides support for the existence assertion because it enables the auditor to obtain underlying support for entries in a client's books of account. It also provides support for the valuation of a transaction. Tracing, on the other hand, involves work in the opposite direction, from the source documents to the books of account, enabling the auditor to verify that existing transactions are recorded.

Illustrating the Approach

An abbreviated expenditure cycle application illustrates the process for the existence assertion. The expenditure cycle CPL for the existence assertion is shown in Exhibit 1. The partial flowchart, presented in Exhibit 2, describes the functions of accounts payable and accounting departments over individual transactions. Periodic controls, such as bank reconciliations and budget comparisons, are not described in this example. The CPL identifies seven possible controls procedures labeled DE-1 through DE-7 on the CPL). Five of the controls (DE-1 through DE4, and DE-7) have been located on the flowchart. Note that controls DE5 and DE6 have not been located and may be considered not to exist, thus increasing control risk.

The auditor then decides which located controls are to be tested. In this example, the auditor has decided the key controls to be tested are DE-1 through DE-3, and DE-7. Controls DE-1 and DE-2 might be verified by inquiry, observation, and reperformance whereas DE-3 and DE-7 may be tested by a more extensive inspection of documents. Except for the absence of controls DE-5 and DE-6, satisfactory test results might lead the auditor to decide to accept a lower control risk with respect to the existence assertion if the other identified controls are effective. Otherwise, the auditor might assess control risk at the low-to-moderate level (about 25%).

Putting It All Together

We have focused on control procedures, viewing them in terms of the assertions they affect, and in terms of what could go wrong. (What happens when an exception occurs? How is it corrected? Is it corrected? Which assertions have been affected?) We do not recommend that the auditor evaluate every control procedure in place for a particular risk of misstatement (assertion), because some controls may dominate others. The auditor decides which procedures are sufficient.

Two additional factors have a role to play in the auditor's control risk assessment: the control environment and inherent risk. We recommend setting the latter to 100%. This is a conservative approach and results in the highest extent of testing. The effect of the auditor's judgment as to the control environment can, in our view, be most easily considered as a modification of his or her judgment as to the control procedures. This can be accomplished in two steps:

* Consider the effect of each control component on each of the key assertions of existence, completeness, and valuation.

- If all control components are present, then the control risk is at worst moderate, depending on whether or not errors or irregularities have been disclosed in the past.

- If no control component is present, the control risk is high.

- If some control components are absent, the auditor must exercise judgment as to the effect of their absence on control risk.

* Consider the effect of the control environment on the control risk category decided upon in the previous step. If the control environment is strong, choose a control risk that is toward the lower end of the range indicated in Table 1 for the selected risk category; if the environment is weak, choose a risk level at the higher end of the range.

Tests of controls are not required if control risk for the related assertion is assessed at or near maximum level. The ability of the auditor to support assessment of even moderate risk levels for assertions, however, will yield benefits by enabling the auditor to justify modifications of nature, timing, or extent of substantive tests. By adopting this systematic approach, control work can be more readily integrated with the audit as a whole, resulting in an efficient and effective product.

Neal B. Hitzig, PhD, CPA, is an associate professor at Fordham University.

Julian E. Jacoby, CPA, is a partner at Richard A. Eisner & Co. LLP.