Auditors are required to obtain a sufficient understanding of each component of a client's internal control. This understanding is used to assess control risk and plan the audit of the client's financial statements.

Required:

a. For what purposes should an auditor's understanding of the internal control components be used in planning an audit?

instructor's answer (pls dontcopy, use as reference)

In planning an audit, the auditors' understanding of the internal control components should be used to identify the types of potential misstatements that could occur, to consider the factors affecting the risk of material misstatement, and to influence the design of substantive procedures

b. What is required for an audit team to assess control risk below the maximum level?

instructor's answer (pls dontcopy, use as reference)

An audit team obtains an understanding of the design of relevant internal control activities (policies and procedures) and whether they have been implemented. Assessing control risk below the maximum level further involves identifying specific control activities (policies and procedures) relevant to specific assertions that are likely to prevent or detect material misstatements in those assertions. It also involves performing tests of controls to evaluate the operating design and effectiveness of the client's control activities.

c. What should an audit team consider when seeking to reduce the planned assessed level of control risk below the maximum?

instructor's answer (pls dontcopy, use as reference)

When seeking a reduction in the assessed level of control risk below the maximum, an audit team should consider whether additional audit evidence sufficient to support the reduction is likely to be available, and whether it would be efficient to perform tests of controls to obtain that audit evidence. If controls are tested and found to be effective, the final control risk assessment is low and detection risk can be set higher. As a result, the nature, timing, and extent of substantive procedures would likely be adjusted to reflect the increase in detection risk.

d. What are the documentation requirements concerning a client's internal control components and the assessed level of control risk?

instructor's answer (pls dontcopy, use as reference)

An audit team should document the understanding of a client's internal control system components to plan the audit as well as the basis for the conclusion about the assessed level of control risk. If control risk is assessed at the maximum level, the audit team should document that conclusion and the reasons for it. However, if the assessed level of control risk is below the maximum level, the audit team should document the basis for the conclusion that the effectiveness of the design and operation of internal control activities supports that assessed level.