Chapter 6Chapter 6

Internal Control Internal Control in a Financial in a Financial

Statement AuditStatement Audit

McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

InternalInternal ControlControl

The auditor uses risk assessment procedures to

-obtain an understanding of the entity’s internal control

-identify the types of potential misstatements

-ascertain factors that affect the risk of material misstatement

-design tests of controls and substantive procedures

The auditor’s understanding of the internal control is a major factor in determining the overall audit strategy. The auditor has a responsibility to:

(1) obtain an understanding of internal control and

(2) assess control risk.

LO# 1

6-2

COSOCOSO’’s Internal Control – s Internal Control – Integrated FrameworkIntegrated Framework

Reliability of Financial Reporting

Effectiveness and Efficiency of Operations

Compliance with Laws and

Regulations

Objectives

LO# 2

6-3

The Effect of Information The Effect of Information Technology on Internal ControlTechnology on Internal Control

LO# 4

6-4

Components of Internal ControlComponents of Internal ControlLO# 5

6-5

LO# 6

Planning an Audit StrategyPlanning an Audit StrategyFigure 6-3 Flowchart of the AuditorFigure 6-3 Flowchart of the Auditor’’s Consideration of Internal Control and Its Relation to s Consideration of Internal Control and Its Relation to

Substantive ProceduresSubstantive Procedures

6-6

Obtain an Understanding Obtain an Understanding of Internal Controlof Internal Control

Identify types of potential

misstatement

Design tests of controls and substantive procedures

Pinpoint the factors that affect the risk of material

misstatement

The auditor should obtain an understanding of each of the five components of internal control in order to plan

the audit. This knowledge is used to:

LO# 7

6-7

Documenting the Understanding Documenting the Understanding of Internal Controlof Internal Control

Procedure Manuals and Organizational

ChartsFlowcharts

Internal Control Questionnaires

Narrative Description

LO# 8

6-8

The Limitations of an EntityThe Limitations of an Entity’’s s Internal ControlInternal Control

Override of Internal Control by Management

Human Errors or Mistakes

Collusion

LO# 8

6-9

Assessing Control RiskAssessing Control RiskIdentify specific

controls that will be relied

upon.

Perform tests of controls.

Conclude on the achieved level of control risk.

LO# 9

6-10

Interim Audit ProceduresInterim Audit Procedures

Interim Tests of Controls

1. Assertion being tested not significant2. Control has been effective in prior audits3. Efficient use of staff time

Interim Substantive Procedures

1. Assertion probably has low control risk2. May increase the risk of material

misstatements 3. Still requires some year-end testing

LO# 12

6-11

Auditing Accounting Applications Auditing Accounting Applications Processed by Service OrganizationsProcessed by Service Organizations

In some instances, a client may have some or all of its accounting transactions processed by an outside service

organization.

Because the client’s transactions are subjected to

the controls of the service organization, one of the

auditor’s concerns is the internal control system in

place at the service organization.

It is not uncommon for service organizations to have an auditor

issue one of two types of reports on their operations.

LO# 13

6-12

Communication of Internal Control-Communication of Internal Control-Related MattersRelated Matters

Significant Deficiency

Material Weakness

A Significant deficiency is a deficiency, or a combination of deficiencies, in internal control

that is less severe than a material weakness, yet important enough to merit attention by those

charged with governance.

A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a

material misstatement of the financial statements will not be prevented, or detected

and corrected.

LO# 14

6-13

Types of Controls in an IT Types of Controls in an IT EnvironmentEnvironment

General Controls

1. Data center and network operations

2. System software acquisition, change, and maintenance

3. Access security4. Application system

acquisition, development, and maintenance

Application Controls

1. Data capture controls2. Data validation controls3. Processing controls4. Output controls5. Error controls

LO# 15

6-14

Flowcharting SymbolsFlowcharting SymbolsLO# 16

6-15

End of Chapter 6End of Chapter 6

6-16