ANSWER FROM ANSWER KEY 11-6. a. Three strategies that the auditor might use when testing a system of internal controls that use information technology include: 1. Assessing control risk based on user controls. 2. Planning for a low control risk assessment based on application controls. 3. Planning for a high control risk assessment based on general controls and manual follow-up. b. The auditor might assess control risk as low based on two of the three above strategies, assuming that the evidence shows that the controls are effectively designed and placed in operation. First the auditor can assess control risk as low based on user controls, such as effective performance reviews by management. Second, the auditor can assess control risk as low based on effective computer application controls. This strategic also involved effective manual follow-up of exceptions noted by application controls. c. The auditor can assess control risk as high based on evidence obtained about both computer controls and manual follow-up procedures. The auditor may be able to develop implications about the effective operation of application controls based on inspection of exception reports and inquiries of those who follow-up on exception reports. However, the auditor must perform direct tests of application controls in order to assess control risk below a high level. 11-8. The advantages of parallel simulation include the following: Because real data are used, the auditor can verify the transactions by tracing them to source documents and approvals. The size of the sample can be greatly expanded at relatively little additional cost. The auditor can independently run the test. The disadvantages include the fact that the auditor may need special training to understand the client’s program and develop a program that simulates the client’s program. The auditor must also take care to determine that the data selected for simulations are representative of actual client transactions. 13-8. 1. Step Determine the objectives of the test of controls 2. Determine procedures to evaluate internal controls 3. Make a decision about the audit sampling technique. 4. Define the population and sampling unit. Professional Judgment Determine audit objectives and how the objectives of the test relate to financial statement assertions. The determination of procedures is a matter of professional judgment that provides evidence about the effective design and operation of internal controls. The choice of using statistical or nonstatistical sampling is a matter of professional judgment. The population depends on the control being tested. In many cases, there may be several ways to identify 5. Use professional judgment to determine sample size. 6. Select a representative sample. 7. Apply audit procedure. 8. Evaluate the sample results. 9. Document conclusions different sampling units for the same control (e.g., each report or each item on a report). Sample size is a function of a variety of factors. The auditor uses professional judgment to make a decision about each judgment that influences sample size. If the auditor uses nonstatistical sampling the auditor also uses professional judgment to determine the sample size used. The auditor uses professional judgment in determining the technique used to select a representative sample from the population. In step 2 the auditor used professional judgment to determine the procedures to be performed. Now the auditor uses judgment to apply those procedures to each sampling unit. Judgment is necessary to determine if evidence supports a control deviation or whether the control functioned effectively. The auditor uses professional judgment to sum the sample results and project the sample results on the population, particularly in a nonstatistical sample. Professional judgment is an integral part of documenting the audit conclusions about effective operation of a control based on sample results.