Lecture Auditing and assurance services (Second international edition) Chapter 6 Internal control in a financial statement audit

In this chapter, the learning objectives are Understand the importance of internal control to management and auditors, know the definition of internal control, know what controls are relevant to the audit, understand the effect of information technology on internal control, be familiar with the components of internal control, understand how to plan an audit strategy, know how to develop an understanding of an entitys internal control,...

Internal Control in a Financial Statement

Audit

Chapter Six

Internal Control

Management has the responsibility to maintain controls that provides reasonable assurance that adequate control exists over the entity’s assets and records

The Internal Control System should:

-ensure that assets and records are safeguarded -create an environment in which efficiency and effectiveness are encouraged and monitored

-generate reliable information for decision-making The auditor needs assurance about the reliability of the data generated by the information system

Internal Control

The auditor uses risk assessment procedures to

-obtain an understanding of the entity’s internal control -identify the types of potential misstatements

-ascertain factors that affect the risk of material misstatement

-design tests of controls and substantive procedures

The auditor’s understanding of the internal control is a

major factor in determining the overall audit strategy The auditor has a responsibility to:

(1) obtain an understanding of internal control and

(2) assess control risk.

Internal Control

Reliability of Financial Reporting

Effectiveness &

Efficiency of Operations

Compliance with Laws & Regulations Objectives

Controls Relevant to the Audit

Generally, internal controls pertaining to the preparation of financial statements for external

purposes are relevant to an audit

Reliability of Financial Reporting

Effectiveness

& Efficiency

of Operations

Compliance with Laws & Regulations Objectives

Controls Relevant to the Audit

Controls relating to operations and compliance objectives may be relevant when they relate to data the auditor uses

to apply auditing procedures

Reliability of Financial Reporting

Effectiveness

& Efficiency

of Operations

Compliance with Laws &

Regulations Objectives

The Effect of Information Technology

on Internal Control

Components of Internal Control

Control Environment

Entity’s Risk Assessment Process

Information System and Related Business Processes Relevant to Financial Reporting

& Communication

Control Activities

Monitoring of Controls

Components of Internal Control

Components of Internal Control

The Effect of Information Technology

on Internal Control

The Entity’s Risk Assessment Process

The risk assessment process should consider external and internal events and circumstances that may arise and adversely affect the entity’s ability to initiate, record, process and report financial data consistent with the assertions of

management in the financial statements.

Changes in the operating environment

New personnel New or revamped

information systems Rapid growth

New technology

New business models, products,

or activities

Corporate restructuring Expanded

international growth

New accounting pronouncements

Client business risk can arise or change due to the following

circumstances:

Information Systems and

Communication

An effective accounting system gives appropriate consideration to establishing methods and records that

will:

1 Identify and record all valid transactions.

2 Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial

Control Activities

Control activities are the policies and procedures that help ensure that management’s directives are

carried out Those control activities that are

relevant to the audit include:

Performance reviews

Information processing

Physical controls Segregation of duties

Monitoring of Controls

Monitoring of controls is a process that assesses the quality of internal control performance over time

Internal Auditors

An effective internal audit function has clear lines of authority and reporting, qualified personnel, and adequate resources to enable these personnel to carry out

their assigned duties.

Planning an Audit Strategy

Audit Risk Model

AR = IR × CR × DR

In applying the audit risk model, the auditor must assess control risk The figure on the next slide presents a

flowchart of the auditor’s decision process when considering internal control in planning an audit

Planning an Audit Strategy

Controls are assessed as ineffective Testing the

effectiveness

of controls is inefficient.

Reliance Strategy

Obtain Understanding of Internal Control

Plan to Rely on Internal Control and Assess Control Risk Below Maximum

Assertions

Obtain an Understanding

of Internal Control

Identify types of

potential misstatements

Design tests of controls and substantive procedures

Pinpoint the factors that affect the risk of material misstatement

The auditor should obtain an understanding of each of the five components of internal control in order to plan the audit This knowledge is used

to:

Example Information & Documentation

Obtain an Understanding

of Internal Control

1 Understand the control environment.

2 Understand the entity’s risk assessment process.

3 Understand the information system and communications

4 Understand control activities.

5 Understand monitoring of controls.

Documenting the Understanding

of Internal Control

Procedure Manuals and Organisational

Charts

Narrative Description

Internal Control

The Effect of Entity Size

on Internal Control

While the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small or midsize entity than in a large entity.

The Limitations of

an Entity’s Internal Control

Management Override of Internal Control

Human Errors

or Mistakes

Collusion

Factors Contributing to Fraud

Assessing Control Risk

Identify specific controls that will

be relied upon.

Perform tests of

controls

Conclude on the achieved level of control risk.

Tests of Controls

The auditor’s assessment of control risk and the basis for the achieved level can be documented using a structured working paper, an internal control questionnaire, or a memorandum.

Let’s look at an example from EarthWear Clothiers

to see how the control risk for two accounts that differ

in terms of their nature, size and complexity is

documented.

Documenting the Assessed Level of

Control Risk

Substantive Procedures

Timing of Audit Procedures

Interim

Year End

Let’s look at the EarthWear Clothiers

example again to see the timing of their

audit procedures

Timing of Audit Procedures

Timing of Audit Procedures

Interim Tests of

Controls

1 Assertion being tested not significant

2 Control has been effective in prior audits

3 Efficient use of staff time

Interim Substantive Procedures

1 Assertion probably has low control risk

2 May increase the risk of material misstatements

3 Still requires some year end testing

Auditing Accounting Applications Processed by Service Organisations

In some instances, a client may have some or all of

its accounting transactions processed by an

outside service organisation.

Because the client’s transactions are subjected to the controls

of the service organisation, one of the auditor’s concerns is the internal control system

in place at the service

Auditing Accounting Applications Processed by Service Organisations

Report Type 1

Describes the service organisation’s controls and assesses whether they are suitably designed to achieve specified

internal control objectives

Report Type 2

Goes further by testing whether the controls provide reasonable assurance that the related control objectives were

achieved during the period

An auditor may reduce control risk below the maximum only on the basis of a service auditor’s

report that includes tests of the controls

Communication of Deficiencies

in Internal Control Deficiency

A control designed, implemented or operated in such a way that it is unable to

prevent, or detect and correct, misstatements in the financial statements

on a timely basis;

or (2) a control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is

missing

A significant deficiency in internal control

is a deficiency or combination of deficiencies in internal control that, in the

auditor’s professional judgement, is of sufficient importance to merit the attention

of those charged with governance

Significant Deficiency

Communication of Deficiencies

in Internal Control

Auditing standards (ISA 265) require that the auditor communicates in written significant control deficiencies

to those charged with governance and

management

The auditor should also communicate

to management other control deficiencies judged to be of sufficient importance to merit management’s

attention.

Communication

Examples of Reportable

Conditions

Types of Controls in an IT Environment

Computer-Assisted Audit Techniques

Computer-assisted audit techniques

(CAATs) include:

• Generalised audit software packages.

• Custom audit software.

• Test data.

Generalized Audit Software

File or data access

Reads and extracts data from a client's computer files or databases for further audit testing.

Selection operators

Select from files or databases transactions that meet certain criteria.

Arithmetic functions

Perform a variety of arithmetic calculations (addition, subtraction, and so on) on transactions, files, and databases.

Statistical analyses Provide functions supporting various

types of audit sampling.

Report generation Prepares various types of documents

and reports.

Custom Audit Software

Custom audit software is generally written by auditors for specific audit tasks It may be required when the client’s computer system is not compatible with the auditor’s

generalized audit software.

Custom software:

(1) Is expensive to develop.

(2) Requires extended development

time.

(3) May require extensive modification

if the client changes its accounting

if the client changes its accounting

application programs.

Test Data

Test data are developed by the auditor to test the application controls in the client’s computer programs The technique can be used to check (1)

data validation controls and error detection routines,

(2) processing logic controls, (3) arithmetic calculations, and (4) the inclusion of transactions in

records, files, and reports.

Flowcharting Symbols

End of Chapter 6