Question
The auditor obtains an understanding of the design and implementation of internal control to make a preliminary assessment of control risk as part of the auditor's overall assessment of the risk of material misstatements. As described in Chapter 9, the auditor uses this preliminary assessment of control risk to plan the audit for each material class of transactions. However, in some instances the auditor may learn that the control deficiencies are significant such that the client's financial statements may not be auditable. So, before making a preliminary assessment of control risk for each material class of transactions, the auditor must first decide whether the entity is auditable.
Two primary factors determine auditability: the integrity of management and the adequacy of accounting records. The importance of management integrity was discussed in Chapter 8 under client acceptance and continuance. If management lacks integrity, most auditors will not accept the engagement. The accounting records are an important source of audit evidence for most audit objectives. If the accounting records are deficient, necessary audit evidence may not be available. For example, if the client has not kept duplicate sales invoices and vendors' invoices, it is usually impractical to do an audit. In complex IT environments, much of the transaction information is available only in electronic form without generating a visible audit trail of documents and records. In that case, the company is usually still auditable; however, auditors must assess whether they have the necessary skills to gather evidence that is in electronic form and can assign personnel with adequate IT training and experience.
After obtaining an understanding of internal control, the auditor makes a preliminary assessment of control risk as part of the auditor's overall assessment of the risk of material misstatement.
This assessment is a measure of the auditor's expectation that internal controls will prevent material misstatements from occurring or detect and correct them if they have occurred.
The starting point for most auditors is the assessment of entity-level controls. By nature, entity-level controls, such as many of the elements contained in the control environment, risk assessment, and monitoring components, have an overarching impact on most major types of transactions in each transaction cycle. For example, an ineffective board of directors or management's failure to have any process to identify, assess, or manage key risks, has the potential to undermine controls for most of the transaction-related audit objectives. Thus, auditors generally assess entity-level controls before assessing transaction specific controls.
Once auditors determine that entity-level controls are designed and placed in operation, they next make a preliminary assessment for each transaction-related audit objective for each major type of transaction in each transaction cycle. For example, in the sales and collection cycle, the types of transactions usually involve sales, sales returns and allowances, cash receipts, and the provision for and write-off of uncollectible accounts. The auditor also makes the preliminary assessment for controls affecting audit objectives for balance sheet accounts and presentations and disclosures in each cycle.
Many auditors use a control risk matrix to assist in the control risk assessment process at the transaction level. The purpose is to provide a convenient way to organize assessing control risk for each audit objective. Figure 10-5 illustrates the use of a control risk matrix for sales transaction audit objectives of Hillsburg Hardware Co. While Figure 10-5 only illustrates the control risk matrix for transaction-related audit objectives, auditors use a similar control risk matrix format to assess control risk for balance-related and presentation and disclosure-related audit objectives. We now discuss the preparation of the matrix.
Identify Audit Objectives
The first step in the assessment is to identify the audit objectives for classes of transactions, account balances, and presentation and disclosure to which the assessment applies. For example, this is done for classes of transactions by applying the specific transaction-related audit objectives introduced earlier, which were stated in general form, to each major type of transaction for the entity. For example, the auditor makes an assessment of the occurrence objective for sales and a separate assessment of the completeness objective. Transaction-related audit objectives are shown for sales transactions for Hillsburg Hardware at the top of Figure 10-5.
Identify Existing Controls
Next, the auditor uses the information discussed in the previous section on obtaining and documenting an understanding of internal control to identify the controls that contribute to accomplishing transaction-related audit objectives. One way for the auditor to do this is to identify controls to satisfy each objective. For example, the auditor can use knowledge of the client's system to identify controls that are likely to prevent errors or fraud in the occurrence transaction-related audit objective. The same thing can be done for all other objectives.
It is also helpful for the auditor to use the five control activities (separation of duties, proper authorization, adequate documents and records, physical control over assets and records, and independent checks on performance) as reminders of controls. For example: Is there adequate separation of duties and how is it achieved? Are transactions properly authorized? Are prenumbered documents properly accounted for? Are key master files properly restricted from unauthorized access?
The auditor should identify and include only those controls that are expected to have the greatest effect on meeting the transaction-related audit objectives. These are often called key controls. The reason for including only key controls is that they will be sufficient to achieve the transaction-related audit objectives and also provide audit efficiency. Examples of key controls for Hillsburg Hardware are shown in Figure 10-5.
Associate Controls with Related Audit Objectives
Each control satisfies one or more related audit objectives. This can be seen in Figure 10-5 for transaction-related audit objectives. The body of the matrix is used to show how each control contributes to the accomplishment of one or more transaction-related audit objectives. In this illustration, a C was entered in each cell where a control partially or fully satisfied an objective. A similar control risk matrix would be completed for balance-related and presentation and disclosure-related audit objectives. For example, the mailing of statements to customers satisfies three objectives in the audit of Hillsburg Hardware, which is indicated by the placement of each C on the row in Figure 10-5 describing that control.
Identify and Evaluate Control Deficiencies, Significant Deficiencies, and Material Weaknesses
Auditors must evaluate whether key controls are absent in the design of internal control over financial reporting as a part of evaluating control risk and the likelihood of financial statement misstatements.
Auditing standards define three levels of the absence of internal controls:
1. Control deficiency. A control deficiency exists if the design or operation of controls does not permit company personnel to prevent or detect misstatements on a timely basis in the normal course of performing their assigned functions. A design deficiency exists if a necessary control is missing or not properly designed. An operation deficiency exists if a well-designed control does not operate as designed or if the person performing the control is insufficiently qualified or authorized.
2. Significant deficiency. A significant deficiency exists if one or more control deficiencies exist that is less severe than a material weakness (defined below), but important enough to merit attention by those responsible for oversight of the company's financial reporting.
3. Material weakness. A material weakness exists if a significant deficiency, by itself, or in combination with other significant deficiencies, results in a reasonable possibility that internal control will not prevent or detect material financial statement misstatements on a timely basis.
To determine if a significant internal control deficiency or deficiencies are a material weakness, they must be evaluated along two dimensions: likelihood and significance. The horizontal line in Figure 10-6 depicts the likelihood of a misstatement resulting from the significant deficiency, while the vertical line depicts its significance. If there is more than a reasonable possibility (likelihood) that a material misstatement (significance) could result from the significant deficiency or deficiencies, then it is considered a material weakness.
A five-step approach can be used to identify deficiencies, significant deficiencies, and material weaknesses:
1. Identify existing controls. Because deficiencies and material weaknesses are the absence of adequate controls, the auditor must first know which controls exist. The methods for identifying controls have already been discussed.
2. Identify the absence of key controls. Internal control questionnaires, flow charts, and walkthroughs are useful tools to identify where controls are lacking and the likelihood of misstatement is therefore increased. It is also useful to examine the control risk matrix, such as the one in Figure 10-5 (p. 309), to look for objectives where there are no or only a few controls to prevent or detect misstatements.
3. Consider the possibility of compensating controls. A compensating control is one elsewhere in the system that offsets the absence of a key control. A common example in a small business is the active involvement of the owner. When a compensating control exists, there is no longer a significant deficiency or material weakness.
4. Decide whether there is a significant deficiency or material weakness. The likelihood of misstatements and their materiality are used to evaluate if there are significant deficiencies or material weaknesses.
5. Determine potential misstatements that could result. This step is intended to identify specific misstatements that are likely to result because of the significant deficiency or material weakness. The importance of a significant deficiency or material weakness is directly related to the likelihood and materiality of potential misstatements.