Embed Size (px)
DESCRIPTION
Learning Objectives. LO5 Document an accounting system to identify key controls and weaknesses in order to assess control risk. LO6 Write key control tests for an audit program. - PowerPoint PPT Presentation
Citation preview
Learning ObjectivesLO5 Document an accounting system to identify key controls and weaknesses in order to assess control risk.
LO6 Write key control tests for an audit program.
LO7 Outline the auditor’s responsibility when internal control evaluation work detects or indicates a significant control deficiency or a high risk of fraudulent misstatement.
1
Application Control ActivitiesSpecific procedures used in each accounting process to meet the relevant control objectives.
LO5
2
Documentation of Control ElementsDocumentation of the control structure shows the audit team’s understanding of internal controls and the basis of decisions reached.
A number of tools are available to the auditor for documentation: internal control questionnaires,
formal interview using a checklist, narratives, and flowcharts.
LO5
3
Internal Control Questionnaire (ICQ) and NarrativeThe most efficient means of gathering evidence about internal control is to conduct a formal interview with knowledgeable managers.
The ICQ is a form of checklist covering the control objectives. Use of an ICQ assists the auditor in covering all
the important points. An ICQ is designed so that a response of “no”
typically indicates a control weakness.
LO5
4
Accounting and Control System FlowchartsA picture is worth a thousand words.
Flowcharts can enhance auditors’ evaluations and updating a flow chart is relatively easy. Initial preparation of a flow chart is time
consuming. In some cases, control conscious businesses will have already prepared the flow charts.
LO5
5
Flowchart Guidelines Standardized flow chart symbols should be used. Flowcharts should be drawn with a ruler and
template, or by computer software. The flowchart should progress from top to bottom,
from left to right wherever possible. All relevant information should be on the flowchart,
including explanations. Columns can be used for the various departments to
demonstrate segregation of responsibilities.
LO5
6
Stopping Risk Assessment Work Auditors may decide to stop evaluation work in Phase 1 for two reasons:
Control is too poor to justify reliance. Control risk is set at maximum. Goal is audit effectiveness.
Cost/benefit of reliance is not justified, although control is good. Goal is audit efficiency.
LO5
7
Phase 2 – Assessing the Control RiskFollowing Phase 1, the auditor should make a preliminary assessment of control risk. This involves:
identifying specific control objectives, identifying points in the flow of transactions where
misstatements could occur, identifying specific control procedures in place, identifying the control procedures that must function
to prevent or detect the misstatements, and evaluating the design of control procedures to
determine if it will be effective to test these controls.
LO5
8
Assessing the Control RiskA useful assessment technique is to analyze control strengths and weaknesses.
Strengths are controls that should prevent, detect, or correct errors. Control strengths will be further tested.
Weaknesses are the lack of controls that would allow material misstatements to get by undetected.
A bridge working paper can be used to connect the control evaluation to subsequent procedures.
LO5
9
Control Risk in Complex IT and Ecommerce EnvironmentsBusiness Internet and IT use have an impact on control risk.
Many business models incorporate the Internet. Auditors are concerned with the security of IT
processing
LO5
10
Ecommerce Control AspectsFor an auditee that engages in ecommerce, the following aspects of internal control are particularly relevant:
Security Transaction integrity Process alignment
LO5
11
SecurityExternal access to the auditee’s information system though the internet creates security risks.
Control environment should address this increased risk.
LO5
12
Transaction IntegrityRisks related to the recording and processing of ecommerce transactions include the completeness, accuracy, timeliness, and authorization of information in the financial records.
Control activities related to transaction integrity are required.
LO5
13
Process AlignmentProcess alignment refers to the integration of IT systems so that they operate as one system.
Control objectives for manual and IT-based systems are the same.
The points in the system where misstatements might occur are at input, processing, and output.
LO5
14
InputInputs include:
Activities related to source data preparation. Manual procedures applied to source data. Source data are converted into computer-
readable form. Input files are identified for use in processing.
LO5
15
ProcessingProcessing activities include:
Information being transferred from one program to another.
Computer –readable files are used to supply additional information.
Transactions are initiated by the computer
LO5
16
OutputOutput activities include:
Output files are created / master files are updated.
Master files are changed outside the normal flow of transactions.
Output reports or files are produced. Errors identified by control procedures are
corrected.
LO5
17
Manual and IT Controls over Information ProcessingUse of IT systems for financial reporting will include manual elements.
Controls over manual processed also need to be considered.
LO5
18
Assessing the Control RiskThe information gathered about the client’s control environment, the accounting system and the control procedures should enable the auditor to reach one of three conclusions.
The auditor is required to make the control evaluation for classes of transactions and account balances at the assertion level. Control risk for some assertions regarding a given
balance might be low, and for other assertions regarding the same balance, the control risk might be high.
LO5
19
Phase 2 - Conclusions1. Control risk may be assessed low, and it seems
efficient and cost-effective to test controls leading to a combined approach.
2. Control risk may be assessed low, but it would not be cost-effective or efficient to test those controls. Substantive procedures will provide evidence cheaper than a combined approach.
3. Control risk is assessed high, the auditor will concentrate on substantive procedures and not test controls.
LO5
20
