Select the internal control misstep you think is the most important and defend your selection.
Misstep No. 1: Assuming the client has no controls

Auditors of less complex entities often assume that their client has no controls in place. While their controls may not be sophisticated or documented, virtually all clients have controls over financial reporting. Some questions to consider might be: Has management created a culture of honesty and ethical behavior? Are login credentials required on computers or operating systems? Does the company have policies (formal or less formal) related to the competency of the accountant or bookkeeper? If the answer to any of these questions is "yes," the client has controls.

Some auditors believe that the only controls they need to consider are control activities, like performing bank reconciliations. AU-C Section 315 explains that internal control is composed of the following: The control environment; The entity's risk assessment procedures; Control activities; Information and communication, and Monitoring of controls. If a client had no controls in place, there would be no way to prevent or detect and correct a material misstatement. If that's true, it would not be possible to do sufficient audit work to reduce audit risk to an acceptable level.

Misstep No. 2: Not understanding which controls are relevant to the audit

Auditors are required by paragraph 13 of AU-C Section 315 to obtain an understanding of internal control relevant to the audit. This includes all controls assessed as relevant by the auditor and is not limited to those controls that the auditor plans to test for operating effectiveness. Further, control activities relevant to the audit include those control activities that the auditor judges necessary to understand in order to assess the risks of material misstatements at the assertion level. Controls relevant to a given audit will vary, depending on the client's size, complexity, and nature of operations.
Control activities that are always relevant to the audit are defined as those that: Address significant risks (including fraud risks); The auditor intends to rely upon and test for operating effectiveness, Address risks for which substantive procedures alone do not provide sufficient appropriate audit evidence, or Support journal entries.

Misstep No. 3: Stopping after determining whether controls exist

Peer Review program data show that many auditors think determining whether controls exist is the extent of their responsibilities, but that's not true. Auditors have additional responsibilities concerning a client's system of internal control. After identifying controls that are relevant to the audit, the auditor has to evaluate the design effectiveness of those controls and determine whether the controls are implemented.

For example, the design of controls over a client's bank reconciliation processes should be evaluated. The procedures involved in the bank reconciliation should be designed to prevent, or detect and correct, a material misstatement. Does the client's bookkeeper receive the bank statements unopened? Does the client limit who has access to the online banking account? If so, the auditor should evaluate these controls to ensure they are designed effectively to address the risks of misstatement.

The auditor can obtain audit evidence about the relevant controls' design and implementation by observing the client applying the controls, inspecting documents and reports, or tracing transactions through the client's financial reporting system. All of these procedures can provide evidence that controls were properly designed and implemented and are functioning as intended; however, it is important to understand that directing inquiries at client personnel alone for these purposes is not sufficient.
If the design of the client's controls is ineffective or if the controls have not been implemented properly, the auditor is obligated to evaluate the severity of the deficiency. If a significant deficiency or material weakness is assessed, the auditor is obligated to report these deficiencies under AU-C Section 265, Communicating Internal Control Related Matters Identified in an Audit.

Misstep No. 4: Improperly assessing control risk

Peer Review results indicate that some auditors believe they can default control risk assessments to "maximum" without any consideration of their client's controls. But is this the right approach? Many will be shocked to learn that the answer is "no." Auditors should not default to any level of control risk. An auditor should have a reasonable basis for his or her assessment of control risk, regardless of the assessment level. Defaulting to a control risk assessment of "maximum" without evaluating the design and implementation of relevant controls could lead an auditor to fail to identify risks that are relevant to the audit.

The evaluation of the design of controls and the determination of whether the controls are implemented provide the basis for designing an effective response to the risk of material misstatement. The auditor's strategy may or may not include testing the operating effectiveness of controls. In other words, a substantive audit approach may be implemented as long as your audit procedures are responsive (and linked) to the assessed risks of material misstatement.

Peer Review results also indicate that some auditors believe they can lower their control risk assessment without testing whether the controls are operating as designed, but that's not true. If the auditor's response (i.e., substantive procedures) to the assessed risk of material misstatement is based on an expectation that controls are operating effectively, then the auditor is required to perform tests of the controls upon which reliance is placed.
Evaluating control design and implementation is not the same thing as testing the operating effectiveness of those controls. Many auditors confuse the terms "implementation" and "operating effectiveness," but as paragraph A77 of AU-C Section 315 states, "obtaining audit evidence about the implementation of a manual control at a point in time does not provide audit evidence about the operating effectiveness of the control at other times during the period under audit."

Misstep No. 5: Failing to link further procedures to control-related risks

Once the auditor has assessed the risks of material misstatement, including risk associated with the client's internal control, his or her next step will be to design and perform further audit procedures that are responsive to the client's risks. The auditor should not simply perform the same procedures that were required for another client in the same industry or even those audit procedures performed in the prior year.

To illustrate, consider two clients in the manufacturing industry. For both clients, the auditor has assessed the risks of material misstatement related to the rights and obligations assertion in the accounts payable balance as maximum.

Client A's bookkeeper records all invoices in the accounting system once the invoice is received. Because the invoices are not matched to a purchase order or otherwise reviewed to confirm their validity, the auditor determines that Client A's controls over the recording of accounts payable are ineffectively designed. A specific concern is the risk of recording fictitious invoices.

Alternatively, Client B's bookkeeper records all invoices for authorized purchase orders in the accounting system when the invoice is paid. Because recording of invoices is delayed until payment occurs, the auditor determines that Client B's controls are ineffectively designed because a risk of unrecorded liabilities exists.
While both clients are in the same industry and both have maximum risks of material misstatement related to the accounts payable rights and obligations assertion, they may require two very different audit responses. Client A's auditor may determine that the best way to lower detection risk would be to compare invoices received from vendors with a listing of approved vendors and purchase orders. Conversely, Client B's auditor may lower the threshold amount in performing a search for unrecorded liabilities.