Controls are relevant when they address these identified risks.
What are risks of material misstatement (RoMMs)?
This describes taking a transaction/event through a routine set of steps.
What is a process?
Controls performed manually (not through information technology).
What are manual controls?
Comparing two or more items to each other, or to policy, and following up on mismatches.
What are verifications?
These three attributes should be included in audit documentation for a control.
What are nature, approach, and type?
Identifying relevant controls is part of this overall process.
What is the risk assessment process?
This is an action/activity taken to prevent or detect misstatements within a process.
What is a control?
Control activities mostly or wholly performed through technology.
What are automated controls?
A higher-level sign-off or determination that a transaction is valid and within policy.
What are authorizations and approvals?
Nature/approach/type will impact the procedures performed to test this.
What are design and operating effectiveness?
Before selecting relevant controls, you first need to do this with processes/transaction flows and misstatement risks.
What is understanding processes/flows and identifying and assessing misstatement risks?
Verbs like “post,” “document,” or “calculate” usually signal this.
What is a process step?
Controls designed to stop errors/fraud before they result in misstatement.
What are preventive controls?
Securing assets (cash, inventory, securities) and periodically counting/comparing to records.
What are physical controls and counts?
The “extent of the impact” typically isn’t explicitly documented; instead it’s part of this.
What is the auditor’s thought process and professional judgment?
When selecting relevant controls, consider these three attributes.
What are nature, approach, and type?
Verbs like “review,” “approve,” or “reconcile” usually signal this.
What is a control activity?
Controls designed to find errors/fraud that already happened and could cause misstatement.
What are detective controls?
Controls that ensure accuracy, completeness, and validity of information used by another control.
What are controls over information used in the control (IUC)?
Don’t document a sentence like “Because it’s manual/detective/reconciliation, we will…” because the impact is handled through this planning dimension.
What is determining the nature, timing, and extent of procedures?
A key failure is treating a process step like it’s a control; this can lead to an inappropriate conclusion about reliance.
What is misidentifying a process as a control?
If you planned to rely on controls but fail to identify/test them, this aspect of your substantive procedures can change.
What are the nature, timing, and extent of substantive procedures?
“Authority limits are established in the invoicing system to ensure invoices are approved for payment by those with appropriate authority”—classify nature and approach.
What is automated and preventive?
A management review that requires judgment and compares recorded amounts to expectations for reasonableness.
What are controls with a review element (CRE)?
As a control increases in complexity, this generally increases too.
What is the level of evidence needed to document operating effectiveness?