Chapter 8 Understanding and Assessing Internal Control
Audit Strategy and Internal Control
• Internal control is the process designed and implemented by those charged with governance, management and other personnel to provide reasonable assurance regarding the achievement of the entity’s objectives concerning financial reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations. Refer AUS 402.42/ASA 315.54 (ISA 315.42)
• It is designed and implemented to address business
risks that threaten any of these objectives
• The importance of internal control has increased as
business entities become larger and more complex
Learning Objective 1:
Auditor’s requirements
• AUS 402.41/ASA 315.52 (ISA 315.41) requires that the auditor obtain an understanding of internal control relevant to the audit
• At the financial report level, the auditor’s assessment of risk of material misstatement is affected by their understanding of the control environment. Refer AUS 406.05/ASA 330.10 (ISA 330.05)
• At the assertion level, the auditor needs to consider control risk in their assessment of the risk of material misstatement. Refer AUS 406.12/ASA 330.19 (ISA 330.12)
Audit strategy
• To reach a conclusion on accuracy and reliability of
underlying accounting data, an auditor can:
– Test the accounting data (substantive approach); or
– Perform procedures to review and evaluate the internal control to see whether accounting data was developed under conditions likely to ensure accuracy and reliability (lower assessed level of control risk approach).
– An auditor adopts the best combination of these
approaches.
Responsibility for Internal Control
• Achieving satisfactory internal control is initially a
management responsibility, although ultimate
responsibility rests with the directors
• To maintain control over operations and accounting data, management needs to adopt, maintain and
supervise an appropriate internal control system
Learning Objective 2:
Inherent limitations of internal control
• Internal control cannot assure a reliable financial report because it has inherent limitations. Therefore, an auditor can never rely completely on the internal control
• Inherent limitations arise because of:
– Control breakdowns as a result of the actions of careless, fatigued or deviant staff;
– The possibility of management override; and
– The existence of non-routine transactions for which
internal controls were not devised.
Reasonable assurance
• Internal control should be designed to provide
reasonable assurance that assets are safeguarded and accounting records are reliable
• The concept of reasonable assurance recognises
that, in some cases, the cost of establishing and
maintaining controls can outweigh benefits of adopting controls
Internal Control Objectives
• Risks are identified and minimised;
• Management decision making is effective and business processes efficient;
• Transactions are carried out in accordance with
management’s authorisation;
• Laws, rules and regulations are complied with;
• Transactions are promptly and accurately recorded;
• Access to assets is limited in accordance with
management’s authorisation; and
• Asset records are compared with existing assets at
Learning Objective 3:
Management controls
• Management Controls are the activities undertaken by senior management to mitigate strategic risks to the
entity and to promote the effectiveness of decision
making and the efficiency of business activities
• These include:
– Communicating business objectives and goals;
– Establishing lines of authority and accountability;
– Establishing and enforcing appropriate codes of conduct;
– Monitoring risk environments;
– Defining policies and procedures for dealing with these risks; and
– Monitoring performance through performance indicators
transactions, restricting access to assets and checking for existence of recorded assets.
Characteristics of satisfactory internal control
• Controls to monitor and minimise business risks;
• Segregation of incompatible duties and responsibilities;
• System of authorisation, recording and procedures to provide control over assets, liabilities, revenues and
Elements of Internal Control
Control environment
• The control environment includes management’s overall attitude, awareness and actions regarding internal
control and its importance in the entity
• Refer AUS 402.67/ASA 315.80 (ISA 315.67)
Auditors’ understanding of control environment
• Auditors should consider:
– Communication and enforcement of integrity and ethical values;
– Commitment to competence;
– Participation by those charged with governance;
– Management philosophy and operating style;
– Organisational structure;
– Assignment of authority and responsibility; and
– Human resource policies and practices.
Entity’s risk assessment process
• An entity’s risk assessment process is its way of
identifying and responding to business risks
• Once risks are identified, management needs to
consider their significance and how they should be
managed
• Management may introduce plans to address specific risks or it may accept a risk on a cost-benefit basis
Information system
• Consists of methods and records established to:
– Identify, assemble, analyse, classify, record and report exchange transactions and relevant events and
conditions; and
– Maintain accountability for an entity’s assets, liabilities, revenues and expenditures.
Effective information systems
• An effective information system establishes records and methods that:
– Identify and record all valid transactions;
– Describe on a timely basis the transactions in sufficient detail to permit proper classification for financial reporting;
– Measure the value of transactions in a manner that
permits recording of their proper monetary value in the financial report;
– Determine the period in which transactions occurred, to permit recording of transactions in the proper accounting period; and
– Present the transactions and related disclosures properly
in the financial report.
Audit trail
• Audit Trail:
– Individual transactions can be traced through each step of the accounts to their inclusion in the financial report and, similarly, from the financial report the amounts can be
vouched or traced back to original source documentation
• Main elements:
– Source documents: the initial record of transactions in the system. Processing usually creates a source document when a transaction is executed;
– Journal; and
– Ledger.
Control activities (cont.)
• Performance review control activities independently check the performance of individuals or processes (e.g. comparing actual performance with budget)
• Information processing control activities comprise application controls and general IT controls. Application controls apply to processing of individual applications, while general controls are policies and procedures that apply to many applications
• Physical control activities include measures such as
locked storerooms for inventory and fireproof safes for cash and securities on hand
Segregation of duties
• Is an integral part of the plan of organisation. A person should not be in a position to both perpetrate and conceal errors or fraud in the normal course of duties
• The most basic segregation of duties is to have different individuals or departments responsible for custody of assets and the keeping of records relating to those
assets
3. Custody: the physical act of accepting, delivering or maintaining the asset; and
4. Recording: the entry of the transaction data into the accounting system.
• Ideally, all four phases should be kept separate
Evaluating control activities
• The auditor will be interested in control activities related to the following assertions:
Monitoring of controls
• Monitoring of controls:
– A process to assess the effectiveness of the performance of internal control. Involves:
  – Evaluating the design and operation of controls; and
  – Taking corrective action where necessary.
• Management may monitor controls through ongoing
activities such as supervisory activities and/or separate evaluations
• In many entities internal auditors contribute to the monitoring process
Internal auditor as an aid to monitoring
• Internal audit function:
– An individual, group or department within an entity that acts as a separate, higher level of control to determine that the internal control is functioning effectively.
– May make special inquiries at management’s direction or generally review operating practices to promote increased efficiency
• An effective internal audit function can significantly strengthen the monitoring of control
Internal audit and external audit
• Internal audit may affect the external audit:
1. The internal audit function is a higher level, important part of the internal control.
2. The internal auditors may have documentation of the internal control. These documents may help the external auditor obtain an understanding of internal control.
3. The internal auditors may provide direct assistance to the independent auditor by making substantive tests or tests of controls.
• Many internal audit departments have also become
involved in assessing business risks, which may be
Considering Internal Control in a Financial Report Audit
• For every audit, irrespective of intended reliance on
internal control, an auditor must obtain sufficient
understanding of internal control to plan the audit and determine tests to be performed
• The nature and extent of an auditor’s consideration of internal control varies considerably across audits and depends on audit strategy
Learning Objective 5:
Steps in the auditor’s consideration of internal control structure
• Obtain an understanding of the control environment
• Obtain an understanding of the risk assessment process
• Obtain an understanding of the information system
• Obtain an understanding of the control activities
• Obtain an understanding of the
Understanding internal control
• The auditor obtains an understanding of internal
controls to:
– Identify the types of potential misstatements that could occur and the factors that contribute to the risk that they will occur;
– Understand the accounting system sufficiently to identify the client documents etc. that may be available and ascertain what data will be used in audit tests; and
– Determine an efficient and effective approach to the audit.
application of the operation of the control.
– An auditor who decides to reduce the assessed level of control risk to less than high must consider operating
effectiveness and gather evidence to support this
assessment.
Procedures for understanding the control environment
• An auditor gains an understanding of the control
environment by:
– Making enquiries of key management personnel;
– Inspecting documented policies and procedures;
– Observing activities and operations; and
– Considering past experience with the client.
Procedures for understanding the risk assessment process
• An auditor needs to determine how management identifies business risks relevant to the financial report, estimates the significance of the risks, assesses their likelihood of occurrence, and decides upon actions to manage them
• An auditor will inquire of management about business risks that management have identified and consider whether they may result in a material misstatement
• If an auditor identifies a risk of material misstatement during the audit that management failed to identify, they need to consider whether management should have identified it and, if so, why the process failed
Procedures for understanding the
– Records, documents and accounts;
– Accounting processing; and
– Financial reporting procedures.
Procedures for understanding the control activities
• An auditor is required to obtain an understanding
sufficient to develop an audit plan
– Walkthrough – an auditor traces one or a few transactions
of each type through the related documents and
accounting records, observing related processing and
Procedures for understanding monitoring of controls
• The auditor is required to obtain an understanding of how the entity monitors internal control over financial reporting and initiates corrective actions
• In many entities internal auditors contribute to the
monitoring of an entity’s activities
• The auditor needs to obtain an understanding of the
sources of the information related to the entity’s
monitoring activities and the basis upon which
management considers the information to be sufficiently reliable
Procedures to document the understanding of internal control
• Internal control questionnaires and checklists;
• Narrative memoranda – written description of internal control policies and procedures; and
• Flowcharts
Assessing control risk
• After obtaining an understanding of the components of internal control, the auditor assesses control risk for the assertions in the account balance, transaction class and disclosure
• The auditor must decide whether to assess control risk for a particular assertion at high or at less than high
Assessment of control risk at high
• Control risk will be assessed at high because the entity’s internal control policies and procedures in the area:
– Are poor and do not support less than a high assessment;
– May be effective, but the audit tests to gather evidence of their effectiveness would be more time consuming than performing substantive tests; or
– Do not pertain to the particular assertion.
Assessing control risk at less than high
• An auditor must support assessment where control risk is assessed at less than high:
– First, the auditor identifies specific control activities relevant to particular assertions that are likely to prevent or detect material misstatements in those assertions.
– Next, the auditor performs tests of controls to evaluate the effectiveness of these control activities. This process is followed for each account balance or transaction class that is material to the financial report. This is discussed in Chapter 9.
Levels of Control in Computerised
General and application controls
• IT controls can be further divided into general and application controls. General controls are those controls that relate to a number of application systems; application controls relate to a particular application
• User controls are always application controls, given
their purpose
General controls
• General controls are manual and computer controls that relate to all or many computerised accounting applications. These provide a reasonable level of assurance that overall objectives of internal control are achieved
• General controls include:
– Segregation of duties;
– Control over programs; and
– Control over data.
Segregation of duties within IT
Control over programs
• Includes control over:
– Development or acquisition of new programs;
– Changes to existing programs;
– Access to programs; and
– Specialised systems software.
– Modifications or access should be appropriately
authorised, approved and tested.