Chapter 3 CHAPTER 3 INTERNAL CONTROL CONSIDERATION Anp RESPONSES TO ASSESSED RISKS internal Control Consideration Internal Control Consideré eet ‘TOPIC OVERVIEW: This chapter discusses internal controls, assessment of control risks ang how will it affect audit procedures. LEARNING OBJECTIVES: ‘After studying this chapter, you should be able t 1. Describe the objectives and inherent limitation of an internal contro}, 2. Identify and explain each component of internal control. 3. Describe the appropriate responses of the auditor to assessed risks. 4, Explain test of controls and substantive procedures and identify how they are affected by assessed risk. ACCOUNTING AND INTERNAL CONTROL SYSTEMS ‘ARCOUMEINESVSHEIA is a series Of tasks and records of a ‘Wansactions are i. Such systems identify, assemble, analyze, calculate, classify, record, summarize and report transactions and other events. means allthe"poligiesyandyprocedutes (internal sab! + orderly and efficientsconduct oP its business, including adherence to management policies; controls) n of The internal control system extends beyond those matters which relate directly to the functions of the accounting system. INTERNAL CONTROL. Internal control is a prOeéSs, effected by a er and 1, designed to_ providessreasonable regarding the s in the following categories: ‘ Effectivenessia nd @FFIGIEHEY of SPEFALIONS (operational objective); ng (reporting objective); and 28a Chapter 3 - Internal Control Consideration chapter 3 = Internal Control Consideration c. CompLiaceNWithNAPBIIGAbLENaws and (FEGUIRKIOAS (compliance objective). Assurance provided by internal control ‘There is attrectrelationship between an entity'sobjectives and thetcontrols which are implemented to provide assurance of their achievement. However, é . Inherent Limitations of Internal Control The internal control can only provide reasonable assurance because of that may aflecithe'etfectiveness|of intemalicontrols. Such limitations include: (COC CHA) + Management usual requirement that a control be cost-effective (Cost- benefit consideration); + The possibility that a person responsible for exercising control could abuse that responsibility (Management OVerriding the\contr6l); + The possibility of circumvention of controls through Collusion) with or z * The possibility that procedures may become inadequate due to be and compliafiée with procedures may * The potential for Humanjierrom due to carelessness, distraction, mistakes of judgment or the misunderstanding of instructions; and «The fact that most controls tend to be directed at «aniti¢ipateditypes (routine) of \tfaisa@tihs and not at unusual (non-routine) transactions. Areas of Internal Control Areas of internal control can be classified as either administrative control or accounting control. 1. ‘AMMERISEEAEVA control includes, but is not limited to, plangof iomyand the procedures and records that are tl leading to management's authorization of transactions. Administrative controls promote operationalyefficiency a ve sc comprises the (plaiil of and_the that are ‘ith the f It involves systems of internal audit and all other financial matters. Controls Relevant to the Audit The relates to controls pertaining to the mtity’s objective of preparing financial statements for external purposes 29 a.es Chapter 3 ~ Internal Control Consideration _ and the management risk that may give rise to a materi those financial statements. It is a matter of pROReSOHAIjugMent, subject to t whether control, individually rin combination with ethene st PSA the auditor's considerations in assessing the risks of material misstaent® and designing and performing further procedures in response to ancn* risks. In exercising that judgment, the auditor considers the appl” component and factors such as the following: Hee a, The auditor's judgment about materiality; b. The size of the entity; c. The nature of the entity's business, including its organization ownership characteristics; oe 4. The diversity and complexity of the entity's operations; e. Applicable legal and regulatory requirements; and f. The nature and complexity of the systems that are part of the entity's internal control, including the use of service organizations. COMPONENTS OF INTERNAL CONTROL. As discussed in PSA 315 (Redrafted), an internal control has the following components: (CRIME) Control Environment Entity’s Risk assessment process Information and communication systems Control Activities Monitoring of Controls aes ‘al misstatement in eaoge A. The control environment The COMMOMERVIROMMEHE includes the e and (management and the qi. — ee vi goverane andgmanagement concerning the ind its Elements of control environment: (IM CPA HO) 1. Communication and enforcement of Integrity and ethical values; 2. Management's philosophy and operating style; 3. Commitment to competence; 4. Participation by those charged with governance; 5. Assignment of authority and responsibility; 6. Human resources policies and procedures; and 7. Organizational structure. B. The entity's risk assessment process : gon An is the process o} r i 30 ieinternal Control Consideration chapter 3. For financial reporting purposes, the entity's risk assessment process Fo ehow management identifies risks relevant to the preparation of financial statements that are'presented fairly, invallimaterial respectsiin — and isks can arise or change due to circumstances such as the following: Changes in operating environment New personnel New or revamped information systems Rapid growth New technology New business models, products, or activities Corporate restructurings Expanded foreign operations New accounting pronouncements The auditor shall obtain an understanding of whether the entity has’a processifor: (IAM) . relevant to financial reporting objectives «Assessing the significance of risks and the likelihood of their occurrence i + Deciding how to Manage those risks including the related business processes C. The information system, relevant to financial reporting, and communication. Aninformation system consists of a. Infrastructure (physical and hardware components); b. Software c. Processes and procedures; d. People; and e. Input or data. NOTE: Infrastructure and software will be @bsent, or (havewless Significance in systems that are The information system relevant to financial reporting objectives, such as the financial reporting system, (as well as events and a ions. a to maintain se Te i a“ related assets, liabilities, and equity. ities and ial reporting roles and responsibil rting includes: "FR m2 ao oe Communication of financi significant matters relating to financial repo! a between and 31Chapter 3 - Internal Control Consideration ere b, EXtGHHGIGORIMUNIEAEORs, such as those with regulatory authorities D. Control activities berchenintyi are the policies and procedures to help ensure that it. Examples of control activities include those relating to the following: (APIPS) 1, @uthorization * Specific authorization - for ‘Unusual, ‘material, or dinfrequen; — * * General authorization - for fegulaitRSHSaetiOhs 2. ~ examples include actual perform; and prior period performance includes controls from initiation up to the eventual inclusion of transaction in financial reports (for both assets and documents) 5. Segregation of duties Segregation of incompatible function or duties is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the Person's duties. lance versus budget, forecasts, To achieve optimum segregation of responsibilities, responsibilities should be separated: (I CARE) * Independent checks Custody of assets Authorization of transactions Recording of transactions Execution of transactions the following E. Monitoring of controls, is the Monitoring can be accom) a. Ongoing Monitoring activities (performed by persons within the same line function) plished through b. Separate evaluations (performed by internal auditors, audit committee, and/or exter ‘nal auditors Combination of the two, 32chapter 3 - Internal Control Consideration INTERNAL CONTROL CONSIDERATION is sufficient to plan the audit and develop an effective audit approach. Itinvolves the following steps: Obtain an understanding of the internal control. Preliminary assessment of control risk Determine the overall response to assessed risks Perform test of controls Reassess control risk Final assessment of control risk Determine the nature, timing, and extent of substantive tests necessary to restrict detection risk to an acceptable level. Monee obtain an Understanding of the Internal Control ‘The auditor shall obtain anunderstandingofipolicies an within the is that are rt io the . The understanding of relevant aspects of the accounting and internal control systems, together with the inherent and control risk assessments and other considerations, will enable the auditor to: a) Identify the typesijofpotentialjimateriallimisstatements that could occur in the financial statements; b) Consider factors that affect the risk of material misstatements; and 6). Design appropriate audit procedures. Obtaining an understanding of internal control consists of: 2) Evaluatingithe design oPirelevant controls - involves determining whether those controls, individually or in combination with other controls, is capable of effectivelypreventiny or Wetecting) and b) Determining whether the éontrolsiiave been implemented - involves determining whether the control is in (operation; jmiplémentation of a€ontrol means that the ha 9 Sa” system'silinterialMeontfols and ‘identifying s 4) Performing “walksthFough"t@St to determine whether controls are implemented ©) Fdeitifyingieontrols that are potentially reliable The following procedures are used in obtaining understanding of an entity's internal control: a) Inquiring of entity personnel. sb) Observing the application of specific controls. “ ¢) Inspecting documents and reports. 33 ze _~ internal Control Consideration _ a gugh the information system relevant to Chapter 3 z transactions thre hh Financial reporting: (ie. walkthrougl dL sor’s understanding of internal control i auditor's understan\ Docunenttn of tandngoF mera contol aor commonly us ‘To docume e following: ‘ " Narrative memorandum Is. cea or . ‘particular Flowchart or data flow diagram consists of : = ts through a system, Flowcharts capture the cl 5, allowing the auditors to : Internal control questionnaire (ICQ) consists of a serieswe «Checklist Preliminary Assessment of Control Risk After obtaining an understanding of the accounting and internal control systems, the auditor should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions. ‘The ARhiniiaeASSESSMIEnLIORCOnUOUFISK:s the process of evaluatingithe effectiveness of an ng = in preventing or detecting and correcting material misstatements. There will always be some control risk because of the inherent limitations of any accounting and internal control system. Assessment of control risk 1. Maximum or high level ¥ The entity's accounting and internal control systems are (not effective; wa ing the would notbetefficient 2. Below maximum or less than high Y The auditor is able to idenitifylinternallicontrolsmrelevant to the n which are likely to prevent or detect and correct @ material misstatement and plans to perform tests of control (0 support the assessment Y Auditor's judgment is that le increas the Overall Response to Assessed Risks ine ler to Fedueelatditirisk a the auditor should at the financial statement 34Internal Control Consideration chapter 3 hould design and perform further audit procedures to respond to 1, I weessed risk at the assertion level. Such responses include: 1 If H, the auditor (relies) on 5 2, If preliminary control risk assessment is LESS THAN HIGH, the auditor performs test of controls. perform Test of Controls ‘the auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls .Tests of control are concerned with the: 4, Design of the accounting and internal control systems 2, Implementation of the accounting and internal control systems 3. Operating effectiveness of the accounting and internal control systems Test of control procedures includes the following: 1. Inspection 3. Observation 5. Walk-through 2, Inquiry 4. Reperformance 6. Recalculation Reassess Control Risk Based on the results of the tests of control, the auditor should evaluate whether the internal controls are designed and operating as contemplated in the preliminary assessment of control risk. The evaluation of deviations may result in the auditor concluding that the assessed level of control risk needs to be revised. In such cases, the auditor would modify the nature, timing and extent of planned substantive procedures. Effect of the reassessment of control risk on the audit approach Effect of the reassessment of control risk on the audit approach Eeseeetement of Control Audit Approach Effect ane CR assessment remains at Reliance or « Less effective Less than High systems approach procedures « Interim testing may be appropriate ¢ Smaller sample size CR assessment is changed Switch to no * More effective to High Reliance approach | procedures « Tests nearer or at year-end « Larger sample size 35Chapter 3 - Internal Control Consideratio Final Assessment of Control Risk Before the conclusion of the audit, based on the results - of th a procedures and other audit evidence obtained by the auditor, te should consider, \¢ auditor et es ——— Determine the nature, timing, and extent of substanti necessary to restrict detection risk to an acceptable level ° "ts Irrespective of the assessed risk of material misstatement, the ano; should design and perform substantive procedures for each materig\ wa" transactions, account balance and disclosures. erial class of RESPONSES TO ASSESSED RISKS The auditor shall design and implement 6vérallimesponses: to laddiess th A8SeSSed risksiofimaterialimisstatement at the financial statementlevel ® Moreover, the auditor shall 4@8ign and perform whose nature, (timing, andyextent are In designing the further audit procedures to be performed, the auditor shall: 1. Consider the reasons for the assessment given to the risk of material misstatement at the assertion level for each class of transactions, account balance, and disclosure, including: The likelihood of material misstatement due to the particular characteristics of the relevant class of transactions, account balance, or disclosure (i.e., the inherent risk); and b. Whether the risk assessment takes account of relevant controls (ie, the control risk), thereby requiring the auditor to obtain audit evidence to determine whether the controls are operating effectively (ie. the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); and 2. Obtain more persuasive audit evidence, the higl a. her the auditor's assessment of risk. Documentation requirements i Basis for the controirisk | Understanding / Controtrisk | contralrisk Assessment anal assessment assessment High Yes Yes we Less than high Yes Yes 36— | internal Control Consideration HEORETICAL, capter 3 CHAPTER 3: REVIEW QUESTION It is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives. a._ Internal auditing b. Business strategy ¢_ Internal control d. Accounting process 2, Internal controls are not designed to provide reasonable assurance that a. The recorded accountability for assets is compared with the existing assets at reasonable intervals b, Access to assets is permitted only in accordance with management's authorization ¢ Transactions are executed in accordance with management's authorization 4. Irregularities will be eliminated 3, This is a basic concept of internal control which recognizes that the cost of internal control should not exceed the benefits expected to be derived from it a. Management by exception b, Limited liability c. Management responsibility d._ Reasonable assurance 4, Aninternal control system that is working effectively a. Eliminates risk and potential loss of to the entity b. Cannot be circumvented by management c. Reduces the need for management the review exception reports on a day-to-day basis 4. Is unaffected by changing circumstances and conditions encountered by the entity 5. Which of the following is an example of an inherent limitation in a client's internal control system? a The effectiveness of procedures depends on the segregation of employee duties. b. Procedures are designed to assure the execution and recording of transactions in accordance with management's authorization. ©. In the performance of most control procedures, there are possibilities of errors arising from mistakes in judgment. Procedures for handling large numbers of transactions are processed by information technology (IT) equipment. 6. Which of the following statements best describes “control environment”? a. Policies and procedures that help ensure that management directives are carried out. 37Chapter 3 - Internal Control Consideration b. The system for transferring information from transaction processing systems to the general ledger or the finane jal reporting system, c. The entity's process for identifying business risks relevant to financiay reporting objectives and deciding bout actions to address those risks, and the results thereof. : a. This includes the governance and management functions and the charged with governance and ‘ntity's internal control and its attitudes, awareness, and actions of those management concerning the importance to the entity. red control environment elements? 7. Which of the following conside! Organizational ‘Commitment a Yes Yes b. Yes Yes & No No d. No Yes sessment process includes how management: A B c D Yes Yes No Yes 8. Anentity’s risk as: © Identifies risk Assess significance and likelihood sroceurrence of these identified risks Yes Yes Yes No * Decides upon actions to manage Yes No Yes No these risks ances such as the following 9, Risks can arise or change due to circums! except: a. There is a change in the regulatory or oper: new law has been passed which prohibits the a main ingredient of the company’s major product). New employees have been hired by the company. The company switched from manual information systems to computerized system. d. The accounting and financial reporting fram for the past five years, and no new pronouncement ating environment (ea use of a chemical which is ework has remained stable ts have been made. 10. As part of a periodic planning exercise, Cedric Naranjo Company discove’® that a political dispute may interfere with the company’s supply sources: This is an example of: a. Control environment c. Control activities b. Risk assessment d. Monitoring of controls 11: 1. Control activities constitute one of the five components of internal control: a rh ¥ ich ofthe following is not included in this internal control component? a Segregation of duties ¢. Aninternal audit function . Performance reviews d. Authorization 38yr crater 3 12 13, 14, 15. ~ Internal Control Consideration Control activities are the policies and procedures that helj les ar ; ensure th Comragement directives are carried out. These include aceivicies reli : Muthorization, performance reviews, information processing, phi sical ‘controls and segregation of duties, There is proper segregati wd cryen an individual who uate whe guthorizes a transaction records it f Maintains custody of an asset has access to the account Minas unting records for ‘authorizes transaction maintains custody of th ea from the transaction. eee stat resid 4. Records a transaction do not compare the accountin asset with the asset itself. ere Under PSA 315, monitoring of controls is an internal control component that involves a process of assessing the quality of internal control performance over time, It involves assessing the design and operation of tontrols on a timely basis and taking necessary corrective actions. Monitoring of controls is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. An entity's ongoing monitoring activities often include a. Periodic reporting by the entity's internal auditors about the functioning of internal control b, The audit of the annual financial statements c. Periodic audits by the audit committee d._ Reviewing the purchasing account The primary purpose of the auditor's consideration of internal control is to provide a basis for a. Determining whether procedures and records that are concerned with the safeguarding of assets are reliable. b. Constructive suggestions to clients concerning deficiencies in internal control. c. Determining the nature, tim! 4. The expression of an opinion. Jing and extent of audit tests to be applied. Which of the following statements concerning the relevance of various types of controls to a financial statement audit is correct? a. Allcontrols are ordinarily relevant to a financial statement audit b. Controls over the reliability of assets and liabilities are of primary importance, while controls over the reliability of financial reporting may also be relevant. © Controls over the reliability directly relevant to a financial statement audi of financial reporting are ordinarily most t, but other controls may also be relevant. ation of controls when a d. An auditor may ordinarily ignore a conside substantive audit approach is taken. 39Chapter 3 - Internal Control Consideration 16. PSA 315 Redrafted requires the auditor to obtain ai : clients internal controls N understanding of the a. Forevery audit b. For first-time audits c. Whenever it would be appropriate d. Sufficient to find any frauds which may exist 17. When obtaining knowledge about an entity's internal control, it important for the auditor to consider the competence of its employee. because their competence bears directly and importantly upon the es a. Cost-benefit relationship of internal control b. Comparison of recorded accountability with assets c. Achievement of the objectives of internal control d. Timing of substantive tests to be performed 18. Obtaining an understanding of internal control involves: A B c D Evaluating the design of a control Yes Yes Yes No Determining whether the control has been implemented Yes Yes No Yes * Testing the effectiveness ofacontrol Yes No Yes_— Yes 19. The primary objective of procedures performed to obtain an understanding of internal control is to provide an auditor with a. Information necessary to prepare flowcharts, b. Evidence to use in reducing detection risk. c. Knowledge necessary to plan the audit. d. Abasis for modifying test of controls, 20. To obtain an understanding of the relevant policies and procedures of internal control, the auditor performs all of the following except: a. Make inquiries b. Make observations c. Design substantive tests d. Inspect documents and records After obtaining an understanding of an entity's internal control, an auditor 21. may assess control risk at the maximum level for some assertions because the auditor a. Believes the internal control policies and procedures are unlikely to be effective. ; - b. Determines that the pertinent internal control components are not W documented. : c. Performs tests of controls to restrict detection risk to an accept level. ae d. Identifies internal control policies and procedures that are It prevent material misstatements. 40 rlChapter 3 - Internal Control Consideration 22, 23. 24. 25, 26. After obtaining an understanding of internal control and assessing control risk, an auditor decided to perform tests of controls. The auditor most likely decided that a, Additional evidence to support a further reduction in control risk is not available. b. It would be efficient to perform tests of controls that would result in a reduction in planned substantive tests. c. An increase in the assessed level of control risk is justified for certain financial statement assertions, d. There were many internal control weaknesses that could allow errors to enter the accounting system, Information about segregation of duties ordinarily is best obtained by a. Performing test of transactions that corroborate management's financial statements assertions, b. Developing audit objectives that reduce control risk. c. Observing employees as they apply specific controls. 4. Obtaining a flowchart of activities performed by entity personnel. In conducting an audit in accordance with PSAs, the auditor is required to identify and assess the risks of material misstatement at the financial statements level, and at the assertion level for classes of transactions, account balances, and disclosure. Some of these risks, in the auditor's judgment, require special audit consideration, such as those that involve fraud or complex transactions. Such risks are called a. Business risks b. Significant risks c. Audit risks d. Material risks The auditor's primary objective in obtaining an understanding of the client's control over the purchasing function is to a. Investigate the recording of unusual transactions regarding raw materials. b. Determine the reliability of financial reporting by the purchasing function. © Observe the annual physical count. d. Ascertain that raw material paid for are on hand. When obtaining an understanding of an entity's internal control, an auditor should concentrate on the substance of controls rather than their form because: a. The controls may be operating effectively but may not be documented. b. Management may establish appropriate controls but not act on them. ©. The controls may be so inappropriate that no reliance is contemplated by the auditor. d. Management may implement controls with costs in excess of benefits. 41Chapter 3 - Internal Control Consideration Chapter 3 - Internal Contro! Cons an understanding of the accounting and internal con nate may trace a few transactions through the account! system. This technique is: a. Reperformance b. Control test cc. Walk-through a. Validity test 28. Control risk assessment procedures include all of the following, except a. Inspection of documents b. Confirmation of bank balances ©. Observation of procedures 4d. Inquiry of client personnel unting 29. Evidence of the performance of control risk assessment procedures includes all of the following, except a. Flowcharts b. Questionnaires c. Lead schedule d. Memoranda 30. Which of the following statements regarding auditor documentation of the client's internal control structure is correct? a. Documentation must include flowcharts. b. Documentation must include procedural write-ups. c. No documentation is necessary although it is desirable. d. No one particular form of documentation is necessary, and the extent of documentation may vary. 31. The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that: a. Specified controls requiring segregation of duties may be circumvented by collusion. b. Tests of controls may fail to identify controls relevant to assertions. c. Material misstatement may exist in the financial statements. d. Entity policies may be circumvented by senior management. 32. An auditor may decide to assess control risk at the maximum level for certain assertions because the auditor believes a. Evaluating the effectiveness of policies and procedures is inefficient. b. Sufficient evidential matter to support the assertions is likely to be available, ‘ More emphasis on tests of controls than substantive tests is warranted: Considering the relationship of assertions to specific account balances is more efficient. 33. An auditor's flowchart of a client's accounting system is a diagrammati representation that depicts the auditor's a. Assessment of control environment’s effectiveness 42Chapter 3 ~ Internal Control Consideration 34, 35. 36. L I 37. 38. b, Identification of weaknesses in the system Understanding of the system d. Assessment of control risk Which of the following statements is true? a. Tests of controls are necessary if the auditor plans to use the primarily substantive approach. b. Tests of controls are necessary if the auditor plans to assess the level of control risk at maximum, The auditor can simultaneously obtain an understanding of i control and perform tests of controls, a After performing tests of controls, the auditor will always assess control risk at maximum. ternal After documenting internal control in an audit engagement, the auditor may perform tests on: a. Those controls that the auditor plans to rely on. b. Those controls that were reviewed (selected on a random basis). ¢ Those controls in which deficiencies or weaknesses were identified, 4. Those controls that have a material effect on the balances in the financial statements, In a financial statement audit, the auditor is required to perform test of controls when The auditor's risk assessment includes expectation of the operating effectiveness of controls. When substantive procedures alone do not provide sufficient appropriate audit evidence at the assertion level, a. lonly b. Either I or II © only 4. Neither I nor Il Tests of controls are used to test whether controls are: a. Properly incorporated in the financial statements b. Placed in operation or implemented © Properly documented by the client Operating effectively Tests of controls may include the following, except: a. Reperformance of internal control procedures i b. Inquiries about, and observation of, internal controls which leave no audit ti : Inspection of documentary support to transactions evidencing authorization 4. Analytical procedures involving comparison of operating expenses with budget amount 43ae 39. An auditor intends to perform test of controls on a client procedures that leaves no audit trail of documentary evidence. most likely will test the procedure by ; a. Inquiry and inspection b. Inquiry and observation c. Confirmation and reperformance 4d. Analytical procedures and confirmation Chapter 3 - Internal Control Consideration Scontroy The auditor 40. Which of the followi is the auditor's purpos a nelchiee le fg purpose of further testing interna a. Provide a basis for reducing the assessed level of control risk b. that which resulted from the auditor's initial understanding of ineeo control. a b. Reduce the risk that errors or fraud which are not prevented detected by internal control are not detected by the independent audit, Provide assurance that transactions are executed in accordance with management's authorization and access to assets is limited by a proper segregation of functions. 4. Provide assurance that transactions are recorded as necessary to permit the preparation of the financial statements in accordance with PFRS. 41. Which of the following is not a characteristic of the lower control risk approach? a. The auditor usually plans to place considerable reliance on the controls. b. The auditor plans to perform extensive tests of controls. c. Control risk is usually assessed at maximum level. d. A Substantive tests are usually restricted. control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective is referred to as a. Compensating control b. Non-routine control c. Conditional control d. Offset control 43. When a compensating control exists, a weakness in the system: a. Isno longer a concern because the potential for misstatement 42. has beet sufficiently reduced. ibe b. Is reduced but it is not removed; therefore, it is still of concern {° auditor. ive c. Could cause 2 material loss, so it must be tested using substan procedures. is and d. Is magnified and must be removed from the sampling proces examined in its entity. 44 nnChapter 3 - Internal Control Consideration 44, If no changes have occurred since the controls were last tested, a CPA should a. Rely on the prior year audit's assessment of internal controls and use this assessment in the current year, b. Test the operating effectiveness of such fourth audit. c. Rely entirely on the performance of substantive audit Procedures. 4. Test the operating effectiveness of such controls at least once in every third audit controls at least once in every 45. Regardless of the assessed level of control risk, an auditor would perform some a. Test of controls to determine the operating effectiveness of internal control policies b. Analytical procedures to verify the design of internal control procedures Substantive test to restrict detection risk for significant classes of transactions d. Dual-purpose test to evaluate both the risk of monetary misstatement and preliminary control risk