9.401 Auditing
Chapter 9
The Study of Internal Control and Assessment of Control Risk
Generally Accepted Auditing Standard
5100.02 (ii) A sufficient understanding of internal control should be obtained to plan the audit. When control risk is assessed below maximum, sufficient appropriate audit evidence should be obtained through tests of controls to support the assessment. [Oct. 1992]
Internal Control
consists of the policies and procedures established and maintained by management to assist in achieving its objectives
Those objectives are…
1) Effectiveness and efficiency of operations
   - safeguarding of assets
   - Prevention and detection of fraud
2) Reliability of financial reporting
3) Compliance with applicable laws, regulations and policies
As far as is practical. Mgmt can and should consider consequences and risks of non-control and costs of control implementation.
Factors Affecting Internal Control
- The entity’s size
- The entity’s organization and ownership characteristics
- The nature of the entity’s business
- The diversity and complexity of the entity’s operations
- The entity’s methods of transmitting, processing, maintaining, and accessing information
- Applicable legal and regulatory requirements
Criteria of Control (COCO) Board of the CICA
A person performs a task guided by an understanding of its purpose (the objective to be achieved) and supported by capability (information, resources, supplies, and skills). The person will need a sense of commitment to perform the task well over time. The person will monitor his or her performance and the external environment to learn about how to do the task better and about changes to be made. The same is true of any team or work group.
[Diagram labels: Purpose, Commitment, Capability, Action, Monitoring & Learning]
Elements of Internal Control
Elements of internal control include:
- Control environment
- General computer control systems and procedures
- Accounting System
- Accounting System Control Procedures
Control Environment
the collective effect of various factors on establishing, enhancing or reducing the effectiveness of internal control policies and procedures. Such factors include:
- Management Philosophy and Operating Style;
- The functioning of the board of directors and internal control, particularly the audit committee;
- Organizational Structure;
- Methods of Assigning Authority and Responsibility;
- Management Monitoring Methods; Internal Audit; and Personnel Policies and Practices
- Management reaction to external Influences
- Systems Development Methodology
Control Environment
- Reflects the overall attitude, awareness, commitment and actions of management concerning the importance of internal control and its emphasis in the entity.
- Strengths and weaknesses in control environment factors are likely to have a pervasive effect on the financial statements.
- An effective control environment interacts with control systems. It may reduce the impact that the absence of certain control systems might otherwise have. It also strengthens the impact of controls in place.
- An ineffective control system may impair the effectiveness of control systems.
General computer control systems
- Establish controls over info system processing activities
- Affect multiple classes of transactions
General computer control systems
General Control System / Means…
Org and Mgmt controls
- policies and procedures are established
- programmer and operator functions separate
Systems acquisition, development and maintenance controls
- policies and procedures to ensure systems are authorized, efficient and function according to objectives
Operations and Information Systems Support
- system should be available and used for authorized purposes (=training, documentation, controlled access, backup and recovery)
The Accounting System
= the policies and procedures involving the
- Collection
- Transcribing
- Processing
- And reporting of data
Accounting System Control Procedures
= policies and procedures that enhance the reliability of accounting data
- Occurrence
- Completeness
- Accuracy (valuation), Posting
- Classification
- Timing
- often involves “checks”, “reconciles”, “compares”, “verifies”, “ensures”…
Segregation of duties
Ensures that no-one is in a position to commit or profit from an error/fraud and cover it up.
To work, these duties MUST be separate:
- Authorization of transaction
- Custody of assets (including cheques, cash, inventory etc.)
- Recording of transaction
- Periodic reconciliation
Other Controls
- Proper Authorization (general or specific)
- Adequate documents
  - Prenumbered or sequentially numbered + follow-up of missing items
  - Prepared on a timely basis
  - Sufficiently simple, easy to fill out
Other Controls
- Safeguards over access to and use of assets
- Safeguards over access to and use of records
  - Physical and logical
- Independent verification of performance and accuracy of recorded amounts
  - Inventory counts, bank recs.
  - Input or output checks (e.g. check digits, reasonableness limits)
  - Comparison of documents, quantities, prices
Acquiring Understanding of IC
At minimum, auditor must acquire understanding of:
- Control environment
- General computer control systems and procedures
- Accounting System
Purpose of Understanding IC
1) Assess auditability (depends on mgmt integrity, adequacy of record and general controls)
2) Familiarity with client to facilitate audit:
   - Major classes of transactions
   - How they’re initiated
   - What records and documents exist
   - How transactions are processed and reported
   Therefore, helps auditor design tests and identify potential misstatements
3) Assess Preliminary Control Risk
Further Investigation of IC
- If auditor believes reliance on IC (i.e. CR<100%) may be possible AND efficient, investigate further the control procedures in place
- Make preliminary assessment of Control Risk
Preliminary Assessment of CR
1) Identify transaction audit objective (existence/occurrence, completeness etc.)
2) Identify specific controls
   - remember effects of control environment and general computer controls
3) Identify and evaluate weaknesses
   o Determine potential misstatements that could occur and effect on audit
   o Consider compensating controls
How to investigate IC
Update and evaluate previous working papers
Inquiries of Client Personnel
Read client policy and systems manuals
Examine documents and records: perform transaction walk-through
Observe activities and operations
Documenting the Understanding of the Internal Control
A number of tools are available to the auditor for documenting the understanding of the internal control including:
- Copies of the entity's procedures manuals and organizational charts
- Narrative descriptions
- Internal control questionnaires
- Flowcharts
Further Investigation of IC
- If preliminary CR<100%, perform tests of controls on KEY CONTROLS to ensure:
  - Control was operating as described, with sufficient effectiveness, throughout period of reliance
- Tests may include:
  - Inquiry of personnel (requires corroboration)
  - Examine documents, records, reports
  - Observe activities (e.g. segregation of duties, test data)
  - Reperform procedures if possible
- If control is computerized, test and ensure controls exist over changes to program
Direction of the Test of Controls Audit Procedures
[Figure: direction of the test of controls between the file of recorded sales (sales journal) and the file of shipping documents. Validity direction: vouch to shipping documents. Completeness direction: trace to recorded sales. Each direction is labelled with its sample selection and evidence.]
Further Investigation of IC
- Revise preliminary control risk with results of tests of controls
- Calculate detection risk and design substantive procedures
  - Combined approach = reliance on both IC and substantive procedures
  - Substantive approach = no reliance on IC as either unjustified or inefficient
Audit Cost Trade-off
[Figure: Audit Cost Tradeoff. Horizontal axis: Control Risk Assessment (High, Medium, Low). Vertical axis: Audit cost. Curves: Year end audit work cost, Internal control evaluation cost, Total Cost.]
Communications with the Client
- Systems improvements are communicated to the client by the management letter, which is written at the end of field work
- Section 5220 requires communication of all significant internal control weaknesses
- Section 5750 “Communication of Matters Identified During the Financial Statement Audit”, e.g. fraud or illegal acts
- 5220 and 5750 don’t have to be in writing
Communicating Internal Control Weaknesses
Reportable conditions
- Absence of appropriate segregation of duties
- Absence of appropriate reviews and approvals of transactions
- Evidence of failure of control procedures
- Evidence of intentional management override
- Evidence of willful wrong doing by employees or management, including manipulation, falsification or alteration of accounting records
Material Weaknesses
A material weakness in internal control is defined as a reportable condition in which the design or operation of one or more of the specific internal control elements does not reduce to a relatively low level the risk that errors or irregularities in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions (AU 325.15).
Limitations of Internal Control
- Human failures such as simple errors or mistakes
- Management override
- Collusion
- Cost/benefit
- Unusual transactions
Because of these limitations, as long as the item is material, it is generally necessary to do at least some substantive testing.