Nội dung

http://afr.sciedupress.com Accounting and Finance Research Vol. 7, No. 2; 2018 Impact of a Practical Flowcharts Approach on Educating the Control Risk Assessment Mohamed A. Wahdan1 1 Assistant Professor of Accounting, Accounting Department, Faculty of Commerce, Menoufia University, Egypt. Correspondence: Mohamed A. Wahdan, Assistant Professor of Accounting, Accounting Department, Faculty of Commerce, Menoufia University, Egypt. Received: December 5, 2017 Accepted: January 1, 2018 Online Published: January 4, 2018 doi:10.5430/afr.v7n2p1 URL: https://doi.org/10.5430/afr.v7n2p1 Abstract The assessment of a control risk is a difficult task which has to be learned over the years. Experience is a good teacher in this respect. So, education guided by experience may be expected to be fruitful. The purpose of this paper is to develop practical flowcharts (PFs) to assist in educating the novices the assessment of control risk and to present the results of validation of PFs approach in classroom. The main research questions examined in the paper are: (1) how can the PFs be developed to help students and novice auditors assess the control risk? And (2) to what extent is using PFs effective as a tool to improve the education of assessing the control risk? To answer these questions, adequate field work and experiment were performed. The knowledge is acquired (a) from the literature and (b) from experienced auditors. The findings of the paper indicated that the conceptual model of PFs is successfully designed consisting of eleven submodels and ten PFs. Moreover, using a PFs approach is an effective tool to improve the education of assessing the control risk, i.e., the learning performance of students significantly improved via the PFs assignment. From the results of the validation, it may be concluded that the conceptual model of PFs provides a vital contribution to the auditing literature and the application of it constitutes a new education method of auditing. Keywords: Control Risk, Practical Flowcharts Approach, Auditors, Education 1. Introduction The auditor’s assessment of acceptable audit risk is a key element in the auditing process. Control risk is one component of the audit risk model. The composition of a control risk assessment is a difficult task which has to be learned over the years. Experience is a good teacher in this respect. So, education guided by experience may be expected to be fruitful. Furthermore, one approach to improve auditing education is to employ a practice set within the curriculum (Fanning and Grant, 2017). To assess the control risk, the auditors should obtain an appropriate audit evidence to be able to draw reasonable conclusions on which an assessment is based. Audit evidence has been obtained from tests of controls, substantive procedures or an appropriate mix of them (IFAC, 2010). According to Arens et al. (2014) and Wahdan (2006), there are two audit approaches: (1) the control approach: the auditors focus on the examination of the internal controls to reduce the amount of substantive tests they perform, and (2) the substantive approach: the auditors do not take into account the internal controls and focus their analysis directly on the amounts represented in the financial statements. Standard unqualified audit report loses some credibility when it is combined with an adverse report of entity-level internal controls over financial reporting as alleged by some users (Asare & Wright, 2012; Defond and Lennox, 2017). Furthermore, the firms with material weaknesses of internal control under SOX section 404 are more likely to receive going concern opinion (Jiang et al., 2010) and may be associated with both lower accruals quality and less accurate management guidance (Doyle et al., 2007; Feng et al., 2009; Lenard et al., 2016; Amoal, et al., 2017; Ji et al., 2017). Moreover, the quality of accounting information can only be guaranteed under effective internal control (Li et al., 2012; Feng, 2017). Management in most companies is required to design and maintain an effective internal control system and to make a report on the effectiveness of the internal control over financial reporting at the end of year. Moreover, auditors in a public company are required to evaluate and attest to the management’s report on the effectiveness of the internal control over financial reporting. Since 2004, larger public companies have been required by the SEC to annually obtain an auditor’s report on internal controls over financial reporting (Lopez et al., 2006; Published by Sciedu Press 1 ISSN 1927-5986 E-ISSN 1927-5994 http://afr.sciedupress.com Accounting and Finance Research Vol. 7, No. 2; 2018 Institute of internal Auditors, 2008; Arens, et al., 2014; Romney & Steinbart, 2015). So, an auditor should be skilled and trained in assessing the control risk. In practice, the assessment of control risk in not based on objective rules or criteria but on professional judgment and experience. Inexperienced auditors have difficulties in making this assessment effectively (Hwang et al., 2004). Since company managers and auditors depend on the personal judgements approach during the stage of evaluating the internal controls, this may lead to different company managers and auditors reaching different decisions on the effectiveness of internal controls over financial reporting, depending on, among others, their experience and expertise (Curtis & Hayes, 2002; O’Leary, 2003; Wahdan et al., 2009). Such an approach may be ineffective and may lead to different auditors coming to different decisions, developing a personal bias, increasing/decreasing audit scope, and/or giving misleading judgements (Wahdan, 2006). This paper aims at (1) developing practical flowcharts (abbreviated as PFs) to facilitate (i) training by professors and experienced auditors in assessing the control risk and (ii) the learning process of students and novice auditors in assessing the control risk, and (2) investigating whether PFs approach is an effective tool to improve the education of assessing the control risk. Of course, the knowledge in the PFs (that are applicable in practice) should be in accordance with ISA 330 (The Auditor's Responses to Assessed Risks), ISA 400 (Risk Assessments and Internal Control), COSO 2013, and with common practice. The training materials should focus on the audit assessments and relevant procedures that help in assessing the control risk. Two main research questions examined in this paper are: (1) how can the PFs be developed to help students and novice auditors assess the control risk? And (2) to what extent is using PFs effective as a tool to improve the education of assessing the control risk? The paper focuses on both the education of students to a qualified level the assessment of the control risk and the design of the PFs that will help the education process in many ways (Wahdan & Van den Herik (2011). Below, it is mentioned six of them. (1) PFs will help reduce the time required for students and novice auditors to acquire the experiences needed to assess the control risk (2) PFs will support the training of students and novice auditors [Changchit, 2003]. It will provide them with structured knowledge on the assessment of control risk. (3) PFs will improve the education in such a way that the control risk complies with the ISA, COSO requirements and the practical auditing settings (which differ from country to country). (4) PFs will properly encode and arrange all the knowledge associated with the control risk; it organises personal judgements and improves decision consensus as well as audit quality. (5) PFs can be considered as a foundation to design software such as knowledge-based system to help students and novice auditors assess the control risk and to support the experienced auditors as a second opinion (Wahdan, 2006). (6) PFs can be considered as an efficient technique being more readily and understandable than other techniques, such as textbooks, and tabular presentation (Groomer & Heintz, 1999). (7) PFs can provide with the requirements of an effective system of internal control and may enable management to eliminate ineffective, redundant or inefficient controls (COSO, 2013). The conceptual model of PFs focuses on the assessment of control risk, which seeks to determine internal controls’ reliability. To assess the effectiveness of the internal controls for planning audit evidence, auditors need to perform eleven activities: (1) understanding internal controls, (2) evaluating the management integrity, (3) examining documents and records, (4) evaluating control environment, (5) reviewing risk assessment, (6) investigating control procedures, (7) reviewing information and communication, (8) walking-through of significant accounts, (9) performing tests of controls, (10) monitoring and (11) assessing the control risk (COSO, 2013; Arens et al., 2014). To assess the control risk, the results of all above activities should be collected in advance to assess the control risk. The full model consists of eleven submodels that directly lead to the structure of PFs (as presented in section 4). The outline of the paper is as follows. Section 2 reviews the related literature. Section 3 deals with the research methodology. Section 4 presents the conceptual model to design PFs. Section 5 provides the results of an experimental study carried out within one state university in Egypt. Section 6 provides the main conclusion, contribution and limitations as well as points to future work. Published by Sciedu Press 2 ISSN 1927-5986 E-ISSN 1927-5994 http://afr.sciedupress.com Accounting and Finance Research Vol. 7, No. 2; 2018 2. Literature Review There are some studies related to auditing education and some tools used to improve the effectiveness of auditing education. Here some studies that are related to internal controls, practical flowcharts, and other educating tools are presented as follows. Groomer & Heintz (1999) were the first to propose the use of flowcharts in teaching students many types of the audit reports and the formulation of the auditor’s report. However, they based their course materials only on GAAS and ignored the ISA as well as the common practice. They focused on the changes in some Statements of Auditing Standards [SAS No. 79 (Reports on Audited Financial Statements), and SAS No. 82 (Consideration of Fraud in a Financial Statement Audit)] that deal with the reporting issues. Changchit, et al., (2001a) designed an expert system to help transfer control knowledge to management. The findings of the study indicated that the expert system could help managers effectively and efficiently detect the weaknesses in internal controls. Changchit, et al., (2001b) presented another study for the same purpose with results similar to the former. In 2004, Hwang et al. presented a prototype design support model called “CRAS-CBR” using case-based reasoning to help auditors making their professional judgments on the control risk assessment of the accounting systems in the manufacturing industry. The results of the experiment indicated that CRAS-CBR outperforms staff auditor performance and a statistical model. However, this study depends only on a small sample size. Wahdan & Van den Herik (2011) used a practical flowcharts approach to educate youngsters in the formulation of the auditor’s opinion. Since the auditing standards provide only guidelines to apply the standards in practice, it is believed that the knowledge required to build adequate PFs should be acquired not only from GAAS and ISA, but also from the literature as well as from experienced auditors (who know how the auditing standards can be applied in practice) through a questionnaire and interviews. The study of Wahdan (2013) aims at modelling, implementing, and validating a knowledge-based system, called the “Auditor’s Report on Internal Controls” (ARIC), that is capable of formulating the opinion on the effectiveness of internal controls over financial reporting. The knowledge used by ARIC is acquired from the literature, and from experienced auditors. Test cases are used to validate the ARIC performance. The findings of the study indicated that ARIC is successful in achieving the task of evaluating the internal controls over financial reporting. Marand and Bayaz (2015) purposed to discover the impact of computerized accounting systems on the auditing risk management in listed firms of Tehran stock exchange. The results of the study indicated that the computerized accounting system has a positive impact on the inherent risk in forms of reducing the internal control weakness, reducing the risk of sampling related to tests of controls and providing with a suitable method to assess the inherent risk. In 2015, Han et al. dealt with the association between information technology (IT) and audit risk. They found that the IT complexity generates challenges for auditors in evaluating the effectiveness of internal control and detecting accounting irregularities. However, IT decreases the audit risk by improving operations and internal control effectiveness which may decrease the inherent and control risks. Apostolou et al. (2015) reviewed the literature regarding the theoretical and empirical research related to accounting education and found that the articles are categorized into five sections including: (1) curriculum and instruction, (2) instruction by content area, (3) education technology, (4) students, and (5) faculty. They also presented suggestions for research in these areas. In 2015, there were a lot of researches and experiments related to accounting education, for examples: Camp et al. (2015) used alternative quiz formats to motivate students learning in a classroom intervention at one US University. Furthermore, Ryack et al. (2015) explored the challenges of teaching GAAP and IFRS in the second intermediate financial accounting course at two private universities in the US. Glover and Werner (2015) also devoted IFRS course at Drexel University and presented alternative delivery options and the best practice. Moreover, McNellis (2015) inspected the efficacy of alternative approaches for delivering statement of cash flows content across three semesters at a public US University. Greenberg and Wilner (2015) developed a hierarchal concept map framework for integrating concepts in a managerial accounting course. Jackson and Cossitt (2015) investigated whether usage of online tutoring software could benefit intermediate accounting students with a weak knowledge of introductory accounting. Aldamen et al. (2015) examined the effect of using recorded lectures on course performance and attendance for first year students enrolled in a financial accounting course. Published by Sciedu Press 3 ISSN 1927-5986 E-ISSN 1927-5994 http://afr.sciedupress.com Accounting and Finance Research Vol. 7, No. 2; 2018 In 2017, Davis et al. described a case approach for teaching internal control evaluation in sales and cash receipts cycles using Excel spreadsheet tool. The case and spreadsheet application provide students an opportunity to deeply understand and analyse the accounting processes, the internal controls, and the interrelationships between the processes and controls. The finding of the study indicated that the students were significantly increased their abilities to evaluate internal controls by completing the case (their average score increased from 44% to 62%). In 2017, Fanning and Grant compared the manual and computerized practice set, which achieving the learning objectives best. The findings of the study indicated that the computerized practice set decreases the time and energy of the faculty and increases the faculty's ability to help the remote students. However, using a computerized practice set that post the transactions in not beneficial to the student's retention of the knowledge about the accounting process. The best scenario appears to be choosing the option for having students post the transactions. It is remarked that previous studies ignored designing practical flowcharts to help learn the assessment of control risk according to the literature and auditors' experiences. So far, educating the assessment of control risk using practical flowcharts received little attention in the literature. To the best of the author's knowledge, previous research has failed to deal adequately with the complexities of the task of assessing control risk in the auditing classrooms. 3. The Research Methodology To achieve the research goal, a research methodology consisting of six phases was developed: (1) reviewing the literature, (2) designing a questionnaire, (3) validating the acquired knowledge, (4) designing the PFs, (5) revising the PFs, and (6) applying and testing the PFs in our auditing education at Menoufia University in Egypt. A sample of 34 experienced auditors in seventeen audit firms in Egypt participated in the survey (note: several international audit firms are included and three auditors are from the Central Auditing Organization in Egypt). They cooperated in exploring the auditing tasks to a large extent, in so far as they are required to assess the control risk. Below the six phases are described in more details. (1) A thorough literature review was performed for acquiring knowledge to assess the control risk. (2) The questionnaire coupled with in-depth interviews was used to elicit the knowledge from 34 experienced auditors in audit firms; the required knowledge focused on how the auditor performs the task of assessing the control risk in practice. In order to acquire the audit assessments needed to assess the control risk and to answer the first research question. The questionnaire consisted mainly of questions requiring a response on a five-point Likert-scale (always, often, sometimes, rarely, never). The revised questionnaire was divided into 11 parts (based upon preliminary interviews), each covering one submodel of the proposed flowcharts. Furthermore, when performing structured interviews, the questionnaire was sent to auditors before the interviews. The 11 main domains of questions that cover the procedures required to assess the control risk are presented in PFs (most of the detailed questions and procedures, which have a high weighted Means are presented in PFs). (3) The acquired knowledge was validated by letting the auditors review the results of the knowledge-acquisition process. Disagreements among auditors were solved. The author chose a sample of experienced auditors to decrease the disagreements among the auditor’s points of view and interviewed them individually. Then, if there was still any disagreement, the leading expert made a final decision. For example, the sequence of questions to evaluate the control procedures. Some auditors preferred to use weights for the control procedures such as separation of duties is more important than safeguarding of assets. The flowcharts are modified to reflect the auditors’ points of view. Moreover, It is noted that a high risk cannot be reached by simply having one ‘no’ answer out of many questions asked. (4) PFs were constructed based upon the knowledge collected and elicited in the three phases above. (5) Revision of the PFs was carried out by the auditors (academic and practitioners) to check the validation of the PFs as a tool for assessing the control risk. (6) Based upon the results of the revision and validation process in step five, PFs were enhanced. Subsequently, the PFs were tested in the auditing classroom using ten test cases. 64 students from Menoufia University in Egypt participated. Some feedback information was collected from auditing professors and students about the developed PFs. Finally, findings, conclusion, limitations and suggestions for future research were established. 4. The Conceptual Model for PFs The conceptual model of using PFs is illustrated in Figure 1. The main submodel of the assessing control risk is considered as the output of other ten submodels. The other submodels are (1) understanding internal control, (2) evaluating the management integrity, (3) examining documents and records, (4) evaluating control environment, (5) Published by Sciedu Press 4 ISSN 1927-5986 E-ISSN 1927-5994 http://afr.sciedupress.com Accounting and Finance Research Vol. 7, No. 2; 2018 reviewing risk assessment, (6) investigating control procedures, (7) reviewing information and communications, (8) walking-through of significant accounts, (9) performing tests of controls and (10) monitoring (Wahdan, 2006; Wahdan, 2013, COSO, 2013, Arens et al., 2014; Lawson et al., 2017; Owusu-Boateng et al., 2017). These submodels represent the stages of assessing control risk that cope with the approach applied by the Big-4 audit firms. (7) Reviewing information and communications (2) Evaluating the management integrity (3) Examining documents and records (1) Understanding internal control, (8) Walking-through of significant accounts (4) Evaluating control environment (11) Assessing control risk (9) Performing tests of controls (5) Reviewing risk assessment (6) Investigating control procedures (10) Monitoring Figure 1: The conceptual model for PFs 4.1 Submodel of Assessing Control Risk The purpose of this submodel is to structure the process of examining internal controls and assessing the control risk (CR), which seeks to determine reliability of internal controls and the amount of audit evidence required to support the assessment of control risk. To assess the effectiveness of the internal controls for planning audit evidence, auditors need to understand the key internal controls and assess the control risk. It is common practice that if the auditors rely on the internal controls, they will reduce the amount of substantive tests, which they have to execute (Arens et al., 2014). A common approach used by auditors, to determine the reliability of the internal controls, consists of three stages: (1) obtaining an understanding of the internal controls at a detailed level, (2) assessing the control risk and identifying the possibility of reducing it, and (3) testing the effectiveness of the internal controls. An auditor may not conclude that the control risk is low before completing all these three stages (Locatelli, 2002; Guy et al., 2003; Wahdan, 2013; Arens et al., 2014). To complete the test of evaluating internal controls, the main submodel of assessing control risk distinguishes ten submodels (see Figure 2). Figure 2 illustrates the steps required to evaluate the effectiveness of internal controls and assess the control risk. Steps in Figure 1 are turned into Figure 2, but in particular sequence according to auditors’ points of view to firstly understand the internal controls, then to assess the control risk, and finally to test the possibility of reducing the control risk. The arrows in Figure 2 indicate that the output from one of the submodels is used as input for the other. For example, the output of the submodel of understanding internal controls forms the input of the following submodels: evaluating management integrity, examining documents and records, evaluating control environment, reviewing risk assessment, and investigating control procedures. The control risk model assesses the proper control risk after collecting the outputs from all submodels (see figure 2). The auditor should decide which level of assessed control risk should be used. If the auditor identifies the assessed level of control risk as the maximum (internal control becomes less effective (Khorwatt, 2015), the conclusion should be documented. However, if it is below the maximum, the bases and reasons of that conclusion should be documented (Guy et al., 2003; Boynton & Johnson, 2006; Arens et al., 2014; Khorwatt, 2015). Published by Sciedu Press 5 ISSN 1927-5986 E-ISSN 1927-5994 http://afr.sciedupress.com Accounting and Finance Research Vol. 7, No. 2; 2018 Does understanding the internal controls support the lower level of CR? F.3 No Yes Is the management integrity unquestionable? F.4 No Yes Are there reliable documents and records? No Disclaimer of opinion Yes Does management consider the internal controls important? F.5 No Yes Does the reviewing risk assessment support the low level of CR? F.6 No Yes Do the investigating control procedures support the low level of CR? F.7 No Yes Does the reviewing information and communication support the low level of CR? F.8 No Yes Do the results of walk-through of significant accounts support the low level of CR? F.9 Yes No R. B4 Do the results of tests of controls support the low level of CR? F.10 R. B4 No Yes Does the monitoring support the low level of CR? F.11 No Yes Yes Assessing CR as low risk and documenting the basis of conclusion Assessing CR as high documenting the conclusion risk Do compensation controls support the low level of CR? and Figure 2: The submodel of assessing control risk. F: Figure 4.2 The Submodel of Understanding Internal Controls The purpose of this submodel is to provide an understanding of the control environment and accounting system sufficient to set up the audit plan of financial statements (Guy et al., 2003; Boynton & Johnson, 2006; Arens et al., 2014). They have to be concerned with the controls regarding the reliability of financial reporting to comply with the second GAAS fieldwork, the SAS 78 (Lenard, 2003), the ISA 330, the ISA 400, COSO 2013, and Sarbanes Oxley act (Krishnan & Visvanathan, 2007; IFAC, 2010; COSO, 2013). The SAS 78 and ISA 400 require the auditor to obtain an understanding of the internal controls for every audit. In obtaining an understanding of internal controls, the auditor should consider two issues; the design of controls and their placement in operation (Arens et al., 2014). Auditors can use five procedures to evaluate the design of controls and placement in the operation: (1) updating and evaluating an auditor’s previous experience with the company, (2) making inquiries of the auditee personnel, (3) reading an auditee’s policy and systems manuals, (4) examining documents and records, and (5) observing the company activities and operations (PCAOB, 2004; Arens et al., 2014).The transaction walk-through can combine observation, documentation, and inquiry. The auditor selects a representative sample of documents for the initiation Published by Sciedu Press 6 ISSN 1927-5986 E-ISSN 1927-5994 http://afr.sciedupress.com Accounting and Finance Research Vol. 7, No. 2; 2018 of a transaction type and traces them through the entire accounting process in the transaction walk-through (Ernst & Young, 2002; Arens et al., 2014). Figure 3 illustrates the PF of understanding internal controls. Does the previous experience with the entity indicate that internal controls can prevent or detect misstatements in the financial statements? Is there an adequate documentation of the accounting systems indicating an effective operation? Is there an adequate documentation of the controls procedures indicating an effective design of controls? Does the examination of the documents and records ensure that internal controls can prevent or detect misstatements? Do the inquiries with client personnel ensure that internal controls can prevent or detect misstatements? Does the observation of the specific controls applied ensure that control procedures have been placed in operation? Does reading the client policy and the system manuals ensure that internal controls can prevent or detect misstatements in the financial statements? Did the design of controls provide the reasonable assurance regarding preventing or detecting misstatements in the F.S.? Understanding of internal control system supports the low level of control risk Understanding of internal control system does not support the low level of control risk Figure 3: Understanding internal control 4.3 The Management Integrity Submodel The purpose of this submodel is to contribute to assess whether the financial statements are auditable. For example, in figure 4, the management integrity is affected by many factors. Some factors indicate a lack of management integrity, including the presence of one or a few individuals dominating management of the enterprise, improper accounting system, improper internal controls, false earnings, poor reputation, taking unusual risks, considerable turnover in senior positions, poor relationships with external auditors, and/or problems with customers, stockholders, or employees. If management integrity is questionable, false representations cause the auditor to rely on unreliable evidence. The management integrity is classified as a factor of business risk which affects the control risk (Khorwatt, 2015). Figure 4 illustrates the PF of evaluating the management integrity. Published by Sciedu Press 7 ISSN 1927-5986 E-ISSN 1927-5994 http://afr.sciedupress.com Accounting and Finance Research Vol. 7, No. 2; 2018 Did one or a few individuals dominate management? Was there proper accounting system? Was there proper internal control system? Did management want to show higher earnings? Did management have a poor reputation in the industry? Did management have a reputation for risk taking? Was there a high turnover in internal accounting and auditing personnel? Did management cooperate with the external auditor to save audit evidence? Were there problems between the management and customers, stockholders, and employees? Were there indicators in the minutes of board of directors, which show problems integrity? Were the effects of matter so material to indicate problems integrity? Management integrity is unquestionable Management integrity is questionable Figure 4: The management integrity 4.4 The Submodel of Examining Documents and Records The purpose of this submodel is to contribute to assess the adequacy of documents and records to help auditors assess whether the financial statements are auditable, if the accounting records (source of the audit evidence) are unreliable and/or inadequate, the audit evidence may not be accessible. Moreover, improper documentation process provides opportunity to misappropriate the assets (Zakaria & Nawawi, 2016). When the auditor concludes that the financial statements are not auditable, the engagement is withdrawn or a disclaimer of opinion is issued (Arens et al., 2014) as illustrated in figure 2. 4.5 The Submodel of Control Environment The purpose of this submodel is to evaluate control environment (management attitude). This evaluation is essential for the preliminary assessment of the level of control risk (Hwang et al., 2004; COSO, 2013). Control environment consists of actions, policies, and procedures that affect management attitudes with respect to internal controls. The auditor should understand the control environment to assess the management’s attitude and awareness regarding the controls importance (Colbert, 2000; Munter, 2003; IFAC, 2010; Institute of internal Auditors, 2011). If management gives less attention to internal controls, the management’s control objectives will not be effectively achieved (Arens et al., 2014), the control procedures may be unreliable and the control risk should be at the maximum. Figure 5 illustrates the PF of control environment. The auditor can use five procedures to understand and assess control environment in the organization: (1) organization’s integrity and ethical values, (2) board of director’s independence, Published by Sciedu Press 8 ISSN 1927-5986 E-ISSN 1927-5994 http://afr.sciedupress.com Accounting and Finance Research Vol. 7, No. 2; 2018 (3) responsibilities and authorities throw organizational structure, (4) competent individuals (5) accountability (KPMG, 2013; Arens et al., 2014; Khorwatt, 2015; DEO, 2016). Is the organization commitment to integrity and ethical values? Does the board of directors is independence from management and exercises oversight of the development and performance of internal control? Does the management establishes organizational structure and determine authorities and responsibilities in the pursuit of objectives? Does the organization committed to attract, develop, and retain competent individuals in alignment with objectives? Does the organization hold individuals accountable for their internal control responsibilities for the pursuit of objectives? Evaluation of control environment supports the low level of control risk Evaluation of control environment does not support the low level of control risk Figure 5: Control environment evaluation 4.6 The Submodel of Risk Assessment The purpose of this submodel is to illustrate the steps of risk assessment and how this process affects the assessment of control risk. In designing and operating internal controls to minimize errors and fraud, management identifies and analyses the risks related to the preparation of financial statements in accordance with related accounting standards. Once management identifies risks, it assesses the significance of those risks and its likelihood of occurring and develops actions needed (manage risk) to reduce the risks to an acceptable level (Deshmukh, 2004; KPMG, 2013; Arens et al., 2014). On the other side, the auditors assess risks to decide the evidence needed in the audit. Risk assessment requires management to consider the impact of possible changes in its business and external environment that may make internal control ineffective (COSO, 2013). The auditors’ assessment of the risk consists of three stages (PCAOB, 2005): (1) Risk identification; the auditor estimates the expected risks in financial statements, based on his understanding of the company, its industry and business processes. (2) Risk analysis; the auditor analyzes and assesses how the risks identified might affect the financial statements. (3) Auditor response; the auditor decides how to conduct the audit and obtain a high level of assurance that material misstatements in financial statements will be detected. Figure 6 illustrates the PF of risk assessment. Published by Sciedu Press 9 ISSN 1927-5986 E-ISSN 1927-5994 http://afr.sciedupress.com Accounting and Finance Research Vol. 7, No. 2; 2018 Does the organization define its objectives with sufficient clarity to enable the identification and assessment of risks related to financial reporting? Does the management identify risks and their significance and likelihood of occurring as a basis for risk management? Does the organization take the potential actions for reducing the risks to an acceptable level? Risk assessment supports the low level of control risk Risk assessment does not support the low level of control risk Figure 6: Risk assessment 4.7 The Submodel of Control Procedures The purpose of this submodel is to test the effectiveness of the five types of control activities and how this evaluation affects the assessment of control risk. Control activities are the policies and procedures that help ensure that necessary actions are taken to address risks to the achievement of the organization’s objectives (COSO, 2013; Arens et al., 2014). As shown in figure 6, control activities include adequate segregation of duties, proper authorisation of transactions and activities, adequate documents and records, safeguarding controls, and independent checks on performance (Changchit et al., 2001a; Changchit et al., 2001b; Deshmukh, 2004; Arens et al., 2014). Figure 7 illustrates the PF of control procedures in more details. 4.8 The Submodel of Information and Communications The purpose of this submodel is to evaluate the effectiveness of the accounting information and communication system in initiating, recording, processing, and reporting the organization’s transactions and in maintaining accountability for the related assets as well as how this evaluation affects the assessment of control risk. The accounting information and communication system has several subcomponents (classes of transactions) and must satisfy all of the six transaction-related audit objectives (occurrence, completeness, accuracy, posting and summarization, classification, and timing) for each class of transactions (Arens et al., 2014). Information is necessary for an organization to carry out internal control responsibilities to support the achievement of its objectives (COSO, 2013). So, management should have relevant and quality information to support the functioning of other internal controls. Communication occurs both internally and externally and provides the organization with the information needed to carry out day-to-day internal control activities. The auditor can use three procedures to evaluate the information and communication: (1) relevant and quality information (2) internally communicates information (3) communicates with external parties, in particular external auditors. Figure 8 illustrates the PF of information and communications. 4.9 The Submodel of Walk-through of Significant Accounts The purpose of this submodel is to evaluate the results of the tests of significant accounts and to test whether the results of investigating the significant accounts support the low assessment of control risk (Ernst & Young, 2002; Arens et al., 2014). Significant accounts include transactions with related parties, high amount transactions, transactions affected by judgements (subjectivity), suspense accounts and changed accounts during the current period (Wahdan, 2006). Figure 9 illustrates the PF of walk-through of significant accounts. Published by Sciedu Press 10 ISSN 1927-5986 E-ISSN 1927-5994