Learn why "Internal Control" is a "CRIME"

Learn why "Internal Control" is a "CRIME"

Now remembering the 5 components of Internal Control is easy! Watch as Roger teaches you all new memory aid mnemonics to help recall these important CPA Exam concepts, tested on both the Multiple Choice and Task-Based Simulation portions of the AUD Exam.

Roger Philipp, CPA presents:

All right, let's talk about the five components of internal control. Now when I talk about, you need to understand internal control. What is internal control? That's where this comes in, these are the five components of internal control, the five things we need to understand about internal control.

With internal control the five components, and this gets a lot of testing in multiple choice, in task based simulations and so on. The five components are control environment and that is the overall environment.

First of all we need to sit down and understand the overall environment. Then risk assessment, in other words how do we identify, analyze, and manage the risks that affect the company. Control activities, this is the detail of what we're going to go on with the whole section.

Basically the risk assessment is how does the company go about assessing the risk and that would be the risk of material misstatement and that deals with the detail testing of what is it we need to have segregated within the organization. In other words the person in authorizes should not record, should not have custody, should not do the reconciliation or the bank crack.

Comparing what got recorded or what got deposited in the bank. Information and communication, we need a system that will gather information and communicate issues on a timely basis. Finally, monitoring the system is the system operating as intended.

When we talk about the five components of internal control these are the five elements. Now, it's important to also remember them and this is the order they flow in but a good memory aid mnemonic is CRIME. In other words you need to remember this if not, it is considered a crime.

What is that? That would be your control active or let's do that again. Yeah, control activities, risk assessment, information, monitoring, and control environment. C-R-I-M-E. C-R-I-M-E, that's a crime. C-R-I-M-E, C-R-I-M-E, CRIME.

The actual flow of internal control is going to be in this order. When we talk about the elements of or the five components of internal control, what are they?

First of all is the control environment. When we say you need to understand and as we said earlier there's specific steps to understanding, you need to understand crime.

What is the first element? Control environment which is CHOPPER. Now what does CHOPPER mean? CHOPPER says that when we're looking at the five components, first of all, what we're concerned with is the client's commitment to competency. Is the client concerned with competent, correct, financial statements?

Effective control requires a sincere interest on the part of the employees in performing good work. If they're concerned with good competent information that's a good environment. If not, that could be a problem.

Human resource policies and practices, so what that means is do they have an organizational a policies and procedures manual? It talks about who's supposed to do what, who's supposed to be reporting to whom, and so on.

Do they have a clearly defined organizational structure, an org chart? An org chart kind of says here's CEO, here's the VP, here's the managers, here's the support staff, all the way down. That way we have a clear picture of the organizational structure of who's supposed to be reporting to whom.

What is their participation of those charts with governance? With participation of management, those charts with governance that's what we're looking at as far as are they actively involved? Participation of management, governance, internal auditors are they all involved?

Philosophy and management and operating style. What is their philosophy and operating style? In other words, do they care about issues coming up? Do they care about mistakes, misjudgments, and so on. What is their philosophy? Ethical values and integrity. Does the client have integrity?

Remember whose internal control system is it? Managements, managements controls create the numbers that create the financial statements. We're concerned with what is their philosophy as far as they're ethical. All right, are they ethical? Do they have integrity?

Then finally, responsibility for assigning things like authority. How do they go about assigning authority? That is your CHOPPER, so if you come back over here. Control environment consist of CHOPPER. Commitment to competency, human resource policies and procedures, organizational chart, philosophy, participation and management, ethics and responsibility for reporting authority. That's your CHOPPER, those get tested.

These are the factors that make up the control environment. They'll ask you which of the following is not one of this factors, which one is not part of CHOPPER? Remember that's CHOPPER, CHOPPER, boom, control environment.

The second one is risk assess, so first of all we need to sit down and assess the overall environment.

Remember in the definition of internal control, we need to understand internal control and the environment. First, let's look at the environment, CHOPPER. Then we sit down and say risk assessment. How does management go about identifying, analyzing and managing the risks? These are going to be the risk both internally and externally.

You'll see here a list of risks as far as risk assessment. It says some of the factors, changes in an operating environment. If there's changes in the environment, that gives you certain risks because maybe things weren't fixed correctly.

New personnel, you have new employees coming in. Maybe they're not really well-versed on the operations of the company. Newer revamped information systems, you have a new IT, a new computer IT system. Has it been tested, has it been debugged properly?

Rapid growth as you're involved in an industry where there's a lot of change quickly. That means it's more accessible or more likely to have issues and mistakes with internal control.

New lines of business, new products, new activities. If you have new product lines, again, high and more risk. Corporate restructuring, corporate restructuring so there's changes in the environment.

Maybe there's a parent and a bunch of subsidiaries, foreign operations, overseas that deals with laws and regulations as well.

Then finally new accounting pronouncements by the ASB, Auditing Standards Board.

Also things like your, for financial accounting, right. All these different changes, the fast biz and all the different rules, the county standard codifications, your ASCs, all of those affect the numbers.

Now we have to assess the risk, risk assessment, identify the risk, analyze the risk, figure out how to manage the risk. Identify, analyze and manage those risks.

Then we go on to the next one which is what? The control activities. This is really important because the control activities are the policies and procedures that help to make sure that certain things are carried out. When we talk about the control activities, the policies and procedures within the control activities this gives us something called PIPS, P-I-P-S.

All right, there used to be a band called Gladys Knight and the PIPS. “On that midnight train to Georgia.” Ask your parent or ask your grandparents by now.

Anyway, that's PIPS. Now what does PIPS mean? It means that within the control activities, there are certain activities that we want to make sure are being done by different people, certain things that we want to make sure are happening.

The first one is P, performance reviews. Performance review says that we want control over the activity of reviewing performance. What does that mean? It means comparing current year versus PY. What's PY? Prior year.

We want to compare actual versus budget. We want to compare financial to non-financial information. We're going to be doing things like analytical procedures, study of data comparisons relationships to make sure that we're reviewing performance and again, this says that we want policies and procedures to make sure that there are controls over certain activities called controlled activities.

Information processing, we want controls over the way information is processed and we'll talk more about that in IT, information technology where we talk about general controls versus more specific application controls.

We want physical controls. We want controls over who has access to the assets and the assets could be that green stuff you carry around. What's that called? Cash and cash equivalents. It could be the inventory that we're selling so that would be another type of asset, you want to make sure the physical controls.

Then most importantly, circle the next one is your S in PIPS, which is what? Segregation of duties. Now this says there's certain activities we want to make sure are segregated and a good way to remember this is Noah and the ARCCS because Noah built an ARCCS, right?

What does that mean? It says there are certain activities that we want done by different people and this is going to be one of the most important mnemonics, memory aids in internal control. You need to remember this because it really helps you to understand to make sure what needs to be done by different people.

For example the first one says transaction should be executed in accordance with management's authorization. In other words you want to make sure that everything that's happening is supposed to be happening, it was authorized.

The second one says transactions are properly recorded to allow accurate gap financial statements. Let's make sure that they're properly recorded.

The third one talks about custody. Now custody means custody of the assets, custody of cash, custody of the inventory, custody of fixed assets. You want to make sure that not everybody has access to all of those assets or they're going to start to disappear.

The last one is comparison and a comparison says that you want to compare that what got recorded, actually got deposited. That's what it talks about as far as authorization, recording, custody, comparison and the S is segregation. That’s segregation of duties which means segregate this from this from this from this.

As we go through this, what we're going to find is whenever you've got a flowchart, a narrative, an internal control questionnaire, any questions about internal control with strengths and weaknesses, what's good, what's bad, multiple choice, what could go wrong.

The answer always is what? Noah and the ARCCS because the person that does this should not do this, should not do this, should not do this. It basically tells you what you want done by different people. The person that authorizes a transaction should not record it, should not then write the check, have custody of the cash and then at the end of the month do the bank reconciliation. That is a big, big, big no, no. You want to make sure that is not what is happening.

Let's say for example I finally got me a job, Woo-hoo! Right? I got a job, I'm going to start in public accounting and I realize that I need a new suit because I need to get a job and look like a million dollars.

I go to the store and I go to Nordstrom who's having their annual one quarter of 1/10 of 1% sale. I go ahead and say, "Hey, I need to buy me a suit." They say, "Okay, here you go. Here's the suit." I buy the suit and I go, "How much is it?" It's expensive and I go "Well, I've got a credit card." I guess that means I can just charge it and worry about it later.

At the end of the month when you get in the mail, you get this thing called an invoice. “All right, my credit card bill that says how much I owe.” Here it is and let's say it was a great suit on sale for only $2,500. All right, I want it to look like a million bucks. It only cost me 2,500 which a crazy amount for a suit, right? Especially when you're making six bucks an hour after tax, so $2,500.

Now, this is called your invoice you get on the mail and there's that little part you tear off at the bottom and you write in the amount that you're going to pay and then you mail it in with a check. All right, being a starving student/starving a new hire CPA, I'm going to pay the minimum of $25.

Okay, some of us bought homes this way. It's called negative amortization. In other words you pay the minimum and your balance still goes up because you owe more in interest than what you're covering, right? Crazy. Anyway, that's what's happening.

Now, what do you then do? You write a check, you take this bottom part. This is called the remittance advice and you need to learn later on as we go through the cycles it's important to understand not only what the documents are but what they're called.

Then we're going to have to understand who deals with which document because you need to know the documents and the employees that deal with the documents and that's where these things called operating cycles come in where we take the company, break it down into the different cycles.

Revenue cycle, expenditure spending cycle, conversion cycle, administrative cycle, personnel and payroll cycle, investment cycle, fixed assets, all these different cycles.

We're going to take the company, break it down and within each cycle, understand the documents and who's doing what. Here we go, we've got this remittance advice, we got this check, I basically stick them in an envelope, lick it shut, throw it in the mail, mail it in and then I send it off. It then gets to the company. When they receive it, the receptionist opens the mail and what's important to understand is who's doing what.

Actually, let's take these documents and go back to my ARCCS. When you think of the mnemonic Noah and the ARCCS, what is this right here? Remittance advice. Well, what is this check? The check is obviously what? Custody of the cash so that means the person that gets this should not do anything else, they shouldn't record it, they shouldn't do the bank crack, they shouldn't authorize the sale.

The person that opens the mail when they receive it, they take it, they stamp it, endorsing it for deposit only into account 103567, whatever it is. They stamp that thing. This is your remittance advice.

That's going to go to what? Accounting. What do they do with the remittance advice? They're going to record the pay down of the account receivable because when you made a sale, what do we do?

We debited accounts receivable, credited sales. Now we need to take this and debit cash, credit receivables. That's going to be for what? Recording. Notice, this is recording, this is custody.

That's how we're going to have to think about things. As we go through the documents, it's imperative that we understand the distinction between what is what. That's kind of how it all ties in, how we're going to be looking at the documents.

When you think of the mnemonic ARCCS, why is it so important? First of all it tells you what you want out of a good system, authorization, recording, custody, comparison and segregation of duties.

Secondly it tells you what has to be done by different people. Person that does this should not do this, should not do this, should not do this, boom. All of these segregated, done by different people.

That's what we mean by Noah and the ARCCS. That's what says under control activities, policies and procedures, PIPS and then within PIPS, ARCCS.

Now, if these things are not happening then what does that say? That is considered either a significant deficiency in internal control or if it's very significant severe that it would have materially affect the numbers called a material weakness. Again, we'll define those later but if these things are not properly happening, that's going to be called a material weakness, significant deficiency.

Okay, so coming back over here to our CRIME, five components of internal control. Look at the overall environment, assess the risk, identifying, analyze what could go wrong, control activities, deals with PIPS and ARCCS, then what do we need to do?

Gather information and communicate it on a timely basis and when we talk about information and communication, it says things like refers to the identification, retention and transfer of information in a timely manner allowing personnel to perform the responsibilities.

Information systems consist of the methods and records used to record, process, summarize and report the company's transactions and to maintain accountability for the related accounts.

Communication involves establishing individual duties and responsibilities in internal control and making them known to the involved personnel. Gather information, make sure that we've properly recorded, processed, summarized and reported it and then finally make sure it's properly communicated.

Then finally let's monitor the system. Monitoring basically says, is the system operating as intended? If it is, that's great. If not, then we have a problem.

You'll see here in the notes, it says the mnemonic CRIME reminds management that it would be a CRIME not to consider all the internal control elements when designing the system. Again, these are your internal control elements and it's important to remember that these are the elements that you need to understand.

When we talk about, we need to understand internal control, what is internal control? CRIME. That's what internal control is. What is the control environment? These are CHOPPER. Those were the factors that make up control environment, risk assessment, control activities, PIPS and ARCCS, information communication and monitoring.

These are the elements and again a good way to remember it is C-R-I-M-E. C, control activities, R, risk assessment, information, monitoring and environment because there's two controls, control activities, control environment. Okay, that's your CRIME, that's what you need to understand.

When we think back on the first page and we talk about, we need to understand the entity and its environment including its internal control. We need to what? Understand, what? CRIME. All right, let's talk about understanding the internal control structure.

Now, as we talked about earlier, the word understanding has some specific-- Remember, it's not just like "You don't understand me," like in a relationship but no, this is serious, this is really understanding. You'll look in your notes, you'll see there's six steps to understanding internal control.

Now, thinking back on the first page. It says, the objective is for the auditor to identify and assess the risk of material misstatement, whether due to error or fraud and [searchers] who are understanding the entity and its environment including its internal control.

We're trying to understand the entity, the environment and its internal control. What is internal control? Internal control is your CRIME. If you don't understand it, it's a CRIME. This is understanding what? CRIME. This is internal control. What is the environment? Boom, your CHOPPER. We need to understand the environment CHOPPER and internal control, CRIME.

Now we've got to say, okay, what are the steps to quote, unquote understand internal control. Let's set that up. This is to understand internal control. These are the steps to understand internal control. In order to understand internal control, first of all, what do we need to do?

The first one says we need to obtain an understanding of the design of internal control performing risk assessment procedures. We need to understand the design of the policies and procedures.

Let's first of all understand the design of the policies and procedures. Understand the design of CRIME. We need to first of all understand CRIME and the policies and procedures. Let's understand the design of the policies and procedures because remember, what was the control activities?

The control activities were the policies and procedures to make sure, give you reasonable assurance that certain controls have certain activities. That's where your Noah and the ARCCS comes in as well.

Now, understanding the design. When we understand the design, what we're trying to do is we're trying to sit down and say, okay, have the controls been placed into operation? In other words have they been put into use? Keyword is have the controls or I'll make this a one.

Have the controls been implemented, have they been implemented? What we're really looking at is you've heard of substance over form, right? In substance, it's a capital lease or in substance it's a purchase in sale even though on form it looks like a rental.

Like a capital lease, what's the true substance over the form? What we're looking at here is we're really looking at is what is the form? What is the form? What does it look like as far as the form? We're trying to understand the design of CRIME. What is the form? The form says, how does it look? Does it look like we've set this up properly?

You'll see in your notes. Have the controls been implemented or put into use to evaluate the implementation of a control means to determine whether the control is actually being used by the entity.

The auditor first considers the design of the control. If the control is improperly designed, it may represent a material weakness in internal control.

An auditor obtains an understanding of the entity in its environment including its internal control, CRIME, through the performance of risk assessment procedures as the name implies these are procedures design to provide the auditor with the adequate understanding to enable the auditor to effectively assess the risk of material misstatement of the financial statements.

The risk assessment procedures, these are the risk assessment procedures. When looking at these risk assessment procedures and your risk assessment procedures are?

A-I-I-O, what is that? That stands for analytical procedures and analytical procedures are the study of data comparisons relationships. That's comparing current year versus prior year. Looking at changes and face the-- Right? It's change between these different numbers.

What did we get versus what did we expect and if you think back to for example the planning of the audit? One of the required things in planning is using analytical procedures.

Also you use it as an overall review. We will learn and audit evidence. It could also be used as a substantive test. It is recommended for that but not required. It says analytical procedures using high level data.

Inquiries of management. Now, inquiries of management it says here and others within the entity, inspection of documents and then finally observation of the application of the controls, so that's observation.

This would be your risk assessment procedures. When we look at your risk assessment procedures, again, these are the procedures that we're using in order to again, assess the risk, assess the risk of material misstatement. The knowledge obtained through risk assessment procedures is used too and this is basically our goal.

What is our goal out of understanding the design? Our goal is to identify the types of potential misstatements. We're going to identify the types of potential misstatements. We're trying to consider the factors that affect the risk and we're trying to help design internal control and substantive task.

Design internal control and substantive test. Those are the goals of your risk assessment procedures. Again, what are the goals of understanding design? Why are we trying to understand the design of CRIME? Why do I need to understand it? I need to understand it so it will first of all help me to identify the types of potential misstatements of what could go wrong, errors and fraud.

Two, consider the factors that affect the risk of those misstatements and finally to design your test of controls and your substantive testing.

That's why we're trying to go through and understand the design. That again is called understand the design. It says determining if these controls have been implemented or placed into operation.

Understanding does not require evaluating their operating effectiveness. The couple of words you're going to see, the design and the effectiveness because in one case we're looking at the design. Are these controls designed properly? Just because they're designed doesn't mean they're operating effectively.

The effectiveness, that comes out of the actual testing but first step back and just go, how does it look? Let's try to understand the design of the policies and procedures. Let's try to understand CRIME, the way that we're going to risk assessment procedures are A-I-I-O.

Analytical procedures, inquiry, inspection, observation that's what we're going to do. Why do we do this? Why do we care? Because we're trying to identify the types of potential misstatements. We're trying to consider the factors that affect the risk of those misstatements and we're trying to help to design our internal control and our substantive testing.

There's a paragraph that says the goal of this understanding is to identify those controls that might reduce the risk of misstatements. If the auditor believes that these controls can be relied upon, test of controls will be performed to evaluate their operating, what? Effectiveness, effectiveness.

Assuming they prove effective, the auditor will be able to reduce substantive testing. That is really the first step. Again, these are the six steps to what? Understanding internal control, that is understanding internal control.

The second step says, what we need to do is we need to actually go and document our understanding. We're trying to document the understanding. Now, with documentation of the understanding, we're trying to go through and document what it is that is supposedly happening.

Again, all we're trying to do is we're trying to go through and see, have the controls been placed into operation? Have the controls been implemented?

Just because they've been implemented or placed into operation, doesn't mean they're operating effectively but have the controls been placed in the operation.

Now there's different techniques that are commonly used for figuring out a way to document our understanding and you will see that these are things that we will find out and that's our mnemonic, FIND. These are different ways of documenting your understanding.

The first one is a flowchart. The second one is what we call an ICQ, an internal control questionnaire. The third one is a narrative or a memorandum and the fourth one are decision trees or decision table like an if-then-else. Those are different ways of documenting your understanding.

Now, what is a flowchart? A flowchart is a pictorial description of a sequential process. Huh? A picture tells a thousand words. It is a picture of a process. We will look at flowcharts in the task based simulation class questions but basically what's happening is you've got the flow.

You're going through and you've got your authorization. In this department we're going through and someone's authorizing the sale. Then over here someone is actually going through and recording it. Someone over here is shipping the goods and so on.

We go through the flowchart. It flows from top to bottom, left to right. As you go through this flowchart, basically what's happening is you're walking through a particular cycle.

Now the word cycle, we're going to cover this later but the word cycle as I said earlier is we take the company, break it down into different cycles, revenue cycle, expenditure cycle.

Revenue means we're making a sale, money comes in. Cash has a lot of, what? Inherent risk, a lot of key controls. We're buying something in the spending or expenditure cycle, money's going out, bye-bye bye-bye money.
What does that mean? We're buying an asset, cash out, inherent risk, lot of key controls.

We're going to look at different personnel and payroll. You hire somebody, you got to pay them, same kind of thing. We're looking at those cycles and that will really tell us a lot about what is happening as far as money coming in, money going out and so on. That's going to be a flowchart. We'll look at some of the flowcharting symbols later.

An ICQ is an internal control questionnaire. It's a bunch of yes, no type questions. Yes, no type questions are setup the following way: if you get the answer as a yes, that's good, it's a strength. If you get a no, that's a weakness. With an ICQ, an internal control questionnaire is a bunch of yes, no type questions and you'll see how we go through when we prepare this.

In the real world when I worked at Deloitte for example. I would go and pick up last year's, remember DILLY, do it like last year, last year's ICQ and Xerox that went up the numbers and get ready to ask questions.

Your ICQ, you take and it's asking questions about a particular cycle. What are your questions relating to? They're really relating to Noah and the ARCCS. Your questions are about authorization, recording, custody, comparison. You're going to go and you're going to sit down with the controller.

I remember when I worked back at Deloitte in the real world and I would go "Mr. Controller, Ms. Controller, are you busy?" She's on the phone and she's got three people in her office and papers all over there. ”What do you want?” You're like, “do you have an internal control structure?” “Yes.” Okay yes, that's good. That's a strength, right? I would mark yes then it says, and then you're asking questions.

Remember, I showed you pictures of this thing called the remittance advice and then here's this thing called the check and these two come in.

I'm asking question, I said, when you make a sale, when the check comes in does the person that open the mail not do anything else in ARCCS? Yes, so that's good because the person that open the mail restrictively endorse, stamp it for deposit only so no one else can just cash in. Yes, that's good.

I'll say, when the check's signed, is it deposited? Yes, is it deposited on a daily basis because you don't want checks sitting around for days and weeks and months? Yes, it is.

Does this get recorded in a timely basis, the remittance advice? Yes. Does a person independent of this then go and make sure that the money got deposited? Yes. Does someone else then do the bank reconciliation? Yes, yes, yes, yes.

I'm asking all these questions and the answers I'm getting are yes, yes, yes, yes, yes and I go "Great!" She's like, "Are we done? Please, leave."

Now, do controllers sometimes lie to you? Yes, yes, yes, yes. You realize that you've got to go through and you're just trying to understand.

Now, have I actually tested what she said? No. All I'm trying to do is to see if the controls exist in the sense that have they been implemented?
Have they been placed into operation? According to her yes, they have. According to her she says yes, the controls have been placed in the operation.

Again, I may go in and ask and then she says “no, no, no, no.” Hey, when the check comes in, are they restrictively endorsed? No. Are they deposited on our daily basis? No. Does the person do this after this? No. No, no, no, what's that?

No, no, no is a weakness. I say well, tell me what happens? Well, the checks come in to the person and they open the mail then they take the check and they endorse it. Then they take the check and they deposit it. Then they take the remittance advice and then they record it and then they also have the authority to authorize the write off of bad debts, bad accounts receivable.

What does that mean? That means that they could get the money, put it in their pocket and then authorize the write off of the receivable as an uncollectible which means the company thinks bad debt, write it off and their money really came in and went in their pocket.

Then at the end of the month they do the bank reconciliation and then at the end of that they drive home in their brand new convertible Ferrari. Hello? They make eights bucks an hour, could be a problem.

The point is bad internal control. That would be a material weakness. If you have one person doing everything in ARCCS, authorization, recording, custody, comparison there's no segregation of duties. Hello? That's a bad system.

Remember back in section one, we talked about fraud risk factors. We talked about the overall fraud risk factors and we talked about things that were fraud risk factors that dealt with the fraud.

One of the things we said is if there's a bad segregation of duties or remember the fraud risk triangle about the motivation, incentive over pressure, opportunity, what's opportunity? A lack of internal control. You have a lack of internal control, that's the opportunity for these material weaknesses, significant deficiencies to occur and either not be detected or not be prevented and corrected and so on.

Prevented, detected and corrected that's a problem. That's what we're looking at, that's an ICQ, a bunch of yes, no questions asking about the system.

Then you've got a narrative or a memorandum. That's a detailed written description of the internal control structure. That's going to be a narrative, a description or a memorandum and we'll look on an ICQ on that or we'll look at a TBS, task based simulation on that.

Then you've got a decision table, decision tree which basically depicts the logic of either an operation or of a process. That's like if-then-else and it goes this way and that way and so on.

That's your mnemonic FIND, F-I-N-D which you don't really need to remember but what you need to remember is what each of these are. We'll look at flowcharts. We'll look at ICQs and so forth.

It's important, again, what are you documenting? We're documenting right here just based on these two, understanding the design of CRIME and documenting your understanding of CRIME. Again, have we done any testing yet? No, we have not.

The next step is to do what? The next step is to assess your CR. Now, what is your CR? A control risk or assess your RMM which is your risk of material misstatement. What we're going to do is we're basically assessing your control risk and the big question here is based on what's supposedly happening, do we intend to rely?

That's the big question, do we intend to rely? Because at this point we're saying, all right, all we've done is these two things. Based on these two things, do we think that there's a basis for reliance on internal control?

The first one says it's understand the design of the policies procedures, understand how it's supposedly designed, CRIME.

The second one says document your understanding. We'll document it through FIND, flowcharts, ICQs, narratives, decision tables, decision trees and then now let's do we think we can rely?

Now at this point we're asking, can I, can I not rely? If I think I can rely, great. If I can't, okay then what are we going to do? Well at this point what do I do? Well, if I say no that means I don't think I can rely on internal control.

That means my risk of material misstatement or my control risk is at a maximum level. Therefore what do I do? I'm going to do what we call a substantive approach audit. What's this substantive approach? That's where you're going to do more substantive testing.

I go "You know what, internal controls don't exist. They don't appear to be even inexistent. They're not implemented, they're not placed into use. You know what, there's not much for me to rely on, I'll do a substantive approach."

If we say "Yeah, everything sounds good." That means I think control risk or RMM is below the maximum then what I'll do is what we call a reliance approach or a combined approach. The combined approach is really your integrated audit where you're combining internal control testing with substantive testing. That's your combined approach, your integrated audit, that is called your combined approach.

For example, back up here when I'm doing my ICQ, my yes, no. I'm saying “hey, does this happen?” Does this happen? Does this happen? No, no, no, no. I go "Oh." Do I think I can rely based on that? No. Control risk high, better do more substantive testing.

If I say “hey, does this happen?” Yes, yes, yes, yes. That's fabulous. You know what, it sounds like it's slow. I can do a combined approach and do more reliance testing.

Okay, now let's review what CR high and low means. Come on down. As we said, if reliance is low that means we think control risk is high. We want this to be low, we better do more substantive testing.

If instead they say yes, yes, yes reliance is high. We think control risk is low. We are willing to let this go up by doing less substantive and doing less substantive, we'll define substantive testing to substantiate or corroborate a number as tests of details of accounts, balances and transactions.

Just remember the word tested details because we're testing the detail of the account that balance of the transaction. That's called T, test of details, test of details. That's substantive, so we're going to do more test of details, less test of details. That would affect how much you're going to do.

Again, this is why we're looking at internal control. What does it say? You need to understand internal control, that's why, boom, boom, boom. That's how it all kind of ties together back here so we assess RMM.

Now, what was RMM? Let's review again. We said audit risk-- Man, let's do it way over here. Audit risk equals, what? IR times CR times DR. In solving for DR, audit risk over IR times CR equals DR.

We just said inverse relationship but remembering IR, CR together is RMM, risk of material misstatement. If we're looking it at this way, risk of material misstatement that is inherent risk and control risk together. That means inherent risk is a risk inherent in any element assuming no controls. Control risk is the risk, the internal control structure won't detect it.

You'll see on the exam, they may use the term RMM, they may use the term control risk. In either case, same effect. If RMM is down, this goes up. RMM is high, this goes down.

I just want you to realize, so for the questions don't freak out whether it's RMM treat it like CR. If it's CR treat it like RMM but they both effect inverse relationship between that and detection risk. RMM low, detection risk high. RMM high, detection risk low.

That's why we go through we say, let's assess the risk of material misstatements which is IR, CR but mainly the CR because IR, we really looked at in the planning phase of trying to figure out how much we're going to do.

It says here under number three, the auditor should perform the risk assessment to identify and assess the risk of material misstatement at the financial statement level and at the relevant assertion level for classes of transactions, account balances and disclosures.

The auditor may use either a substantive or combined approach. The auditor needs to identify the risks, relate the identified risks to the types of potential misstatements. Consider whether the risks are so significant that they could result in a material misstatement and consider the likelihood or probability that the identified risk could result a material misstatement.

The big questions is do we think we can rely or not rely? If we say no, why would we not rely? Because we're assessing control risk at the max because we think the controls appeared to be ineffective, inadequate or weak or we might say the cost exceeds the benefit.

Why would we say yes, we're going to rely because we think the operating effectiveness of the controls looks good or because substantive procedures alone won't provide enough evidence so we need to do some internal control testing. That's what we're looking at, do we think we can or do we think that we can't rely?

Then we go on to the fourth one which is, what? Your tests of controls. This is your T of C, test of controls. With your test of controls, your T of C, this is where we're actually testing the operating effectiveness of the design.

Remember up here we said we're looking at the form. This is where we're really looking at in substance. Remember it was substance over form. First you look at the form. If you think the form looks good then you go ahead and test the substance.

We've gone through these first three steps. Have we done any actual testing yet? No. We understood the design, document it and then we assess it. Do I think I can rely? No, we're done. Yes, we continue.

Over here, do we think we can rely? No, then we do more substantive testing. Now, for a nonpublic, non issuer which is not PCOB, which is auditing standards board, AICPA audit. If we say no then we're done, we're going to do more substantive testing.

If it's a PCAOB public company issuer then even if we say no, we still have to do T of C anyway. Why? Because you have to give an opinion. Remember in a public, you have to give an opinion. Nonpublic, you don't unless you're hired as a separate attestation engagement to give an opinion.

T of C is test of controls, test of compliance. This is where you're actually testing the operating effectiveness of the design. Think about it this way, right.

Let's say you're trying to find out someone special in your life, all right. You go where everybody goes to find that special person, to a bar. All right, so you go there, what do you look at first? The form, if you like the form, "You go, she looks fine." Let's see if there's any substance.

If there's no substance, all right, we'll just date for a little while. If you don't like the form, who cares about-- I'm just kidding, but there might be great substance. Sometimes you don't like the form but you get to know them and you like the substance and then the form seems to improve. Those marriages last longer. If it's just based on form and there's no substance, see how you can relate this to life in general. Just very good.

Anyway, the point is here, this is the form, boom, this is T of C. What am I testing for? The actual substance, in other words are these controls that we're trying to look at, have they really been, are they operating as design?

This is where we're testing the operating effectiveness of the design. Operating effectiveness of the design. That's what test of controls are,
that's what T of C is.

On your notes it says, to test the effectiveness of the design and operation of a control, what is the substance? The auditor must consider how the control was applied, the consistency with which it was applied and by whom it was applied. So how it's applied, how often are they consistent and who did it.

Now, this is where we're going to look at four procedures for testing the controls. Remember earlier we said Noah and the what? Noah and the ARCCS. Well, I don't know if you read all the religious books but if you didn't know this, Noah built an arc and he sailed to Rio, Rio de Janeiro, carnival, here you go, here's some beads, show-- Anyway, that's carnival, that's in Rio de Janeiro. What happens here, Noah built an arc and sailed to Rio. Noah built an arc and he sailed to Rio. What?

We know what ARCCS is, what is it? Authorization, record it, custody, comparison and segregate. A person who does this should not do this, should not do this, should not do this.

How do you test for ARCCS? You test it in a similar way to your risk assessment procedures but instead of analytical procedures, we're going to call that reperformance. Reperformance, inquiry, inspection and observation. These are your tests to test for ARCC.

What does that mean? First of all you're going to re-perform the procedure. We're going to take the procedure, we're going to actually go through and we're going to look at the documents. We're going to pull those documents. Remember the purchase, requisition or the remittance advice and the check.

We're going to take those, we're going to look at those, we're going to trace them through, we're going to see where they end up, we're going to make sure the document, the transaction was complete. That's called tracing completed, we'll cover later.

We trace it into the books and records. That's what we're trying to do to make sure that it looks good. We're going to ask questions, inquire. We're going to inspect the actual documents and then observe.

Now, observation is the best because watch, I'm going to hide behind the desk and I'm going to observe what people are actually doing. Even though I inquire of the controller, even I look at documents, all of that.

Let's say for example my job is to authorize this but I decide, "You know what, I think I need another cigarette break." I say to my employee "Hey, I'm going to go outside and have another cigarette," because I have that sexy cigarette voice.

Right, I don't know if you remember back in elementary school, they made you watch, at least us. They made us watch these commercials where "Hi, I've been smoking for 20 years and I don't mind it. It doesn't affect--"
and they have a little stoma in their throat and they're smoking through there. Anyway, it affected me. I remember that from when I was in third grade.

The point is I go out and I'm smoking out and my employee is actually signing it. Even though I look at a document and it has the initials RP, even thought I ask questions, I looked at the document, I walked it through.

The best thing is to observe what people are doing because that tells you what's really happening. They've asked that before which is the most effective, the answer being observation.

Now, as we go through this, we're tying these together, ARCC and RIO. ARCC and RIO. This is your T of C. When we talk about test of controls, test of compliance, how do you test for authorization? We reperform, ask questions, inspect, observe. How do you test for recorded, reperfrom, ask questions, inspect. By tying these together, that's how you do your testing.

Now with internal control, we're looking for dollars or percentages. What does that mean? I'm sorry, not dollars. We're looking at frequency or percentages because how often did the mistake happen. The frequency was one out of 20 or 5%.

The reason I corrected myself is because in substantive testing that's when we're looking at dollars because I don't care how much the mistake was. All I care about is how often does it happen. The fact that it happened regardless of whether it's a dollar or a hundred million dollars, that's a problem.

Whereas later on when I'm saying okay, it happened but did it materially affect the numbers? That affects my opinion because maybe there is a dollar mistake. You know what, it shouldn't happen, it's a problem but in my opinion the numbers are presented fairly.

However for internal control, we don't care about dollars, we care about frequencies or percentages. When we talk about statistical sampling, we're going to deal with it for both internal control and substantive testing, internal control and dollars.

We call it differently, we call it attribute sampling. Testing for an attribute or a characteristic, that's internal control. We'll call it variable sampling, that's dollars, that's substantive testing. I never knew that. That's how it kind of ties together, that's where we're going to be looking at.

It says, if the auditor plans to use the audit evidence about operating effectiveness of controls obtained in prior audits and the controls have not changed since they were last tested, the auditor should test the operating effectiveness in such controls at least once every three years. You'll see that once every three years. The auditor will determine the controls have not changed since they were last tested through the performance of risk assessment procedures.

Then we're going to reassess our RMM or our CR to determine our DR. At this point, step five is to reassess CR to determine DR. This is where you reassess either CR or if you want to call it RMM to reassess DR.

What does that mean? Come on down. I thought reliance was high. I thought control risk or RMM was low. Since I thought it was low, I thought this was going to go up.

What did I do? I thought I could rely so I went and I did T of C, test of controls. When I did the test of controls, I'm like "Oh my gosh, mistake, mistake, mistake, mistake." In reality reliance isn't high, reliance should be low therefore I need to do more substantive testing.

You reassess CR to determine your DR then the last step is to document the basis for conclusions. At this point you document the basis or the reasons for the conclusions.

In documenting the basis it says, the auditor is required to communicate significant deficiencies and material weaknesses to management and those charged with governance.

The basis for risk assessment must always be documented. The auditor needs to document the assessment of the risk of material misstatement, the basis for the assessment, significant risks identified and related controls evaluated and risks identified that required test of controls to obtain sufficient, audit evidence in the related controls evaluated.

Now, I keep mentioning those words material weakness, significant deficiency. We're going to cover those later but a material weakness is a deficiency in internal control such that there is a reasonable possibility the material misstatement of the entity statements will not be prevented or detected and corrected on a timely basis.

That a material issue is going to occur it floats through one of the financial statements. Versus a significant deficiency is that efficiency or a combination is an internal control that is less severe than a material weakness yet important enough to merit attention to those charged with governance.

Again, that's what we're looking at. What have we talked about this far? We said that we need to understand internal control. These are the steps to understand it.

If you wanted to remember it, you could say U-P-D-A-T-E-D. UPDATED is my mnemonic. U-P-D-A-T-E-D, understand the design of the policies and procedures, document it, assess control risk, test of controls, reassess and then document your conclusion or you can just remember it but that's your UPDATED.

What do we need to do? Understand the design, document it, assess it, do T of C, reassess, document it. What are we doing? Understanding what? We're trying to understand our CRIME. We're trying to understand the five components of internal control because that's what it says back on page one.

Back on page one, let's look one more time. The objective is to understand the entity and its environment including the internal control thereby providing a basis for designing and implementing responses to the assess risk of material misstatement.

We're trying to understand these are the six steps to understand what? CRIME. Why do we need to understand the control environment and the internal control? We need to understand it so we can then decide how much substantive testing we need to do.