
Chapter 6 – Internal Control

Assessing control risk – process of evaluating the design and operating effectiveness of an entity’s internal control as to how it prevents or detects material misstatements in the financial statements

Assessed level of control risk – conclusion reached as a result of assessing control risk

Nature of Internal Control
PSA 315

• Internal control is the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance

Essential Concepts:

1. IC is a process
• Means of achieving the entity’s objectives

2. IC is effected by those charged with governance, management and other personnel
• Accomplished by people at every level of organizations
• Responsibility of the management to establish a control environment

3. IC can be expected to provide reasonable assurance of achieving the entity’s objectives
• Because there are inherent limitations
  o Cost of IC should not exceed the expected benefits
  o Directed at routine transactions rather than non-routine transactions
  o Human error
  o Possibility of circumvention
  o Management overriding
  o Procedures may become inadequate

4. IC is designed to help achieve the entity’s objectives
• Effectiveness and efficiency of operations
• Compliance with laws and regulations
• Reliability of financial reporting
• Auditor is only concerned with those policies and procedures within the accounting and internal control systems that are relevant to the financial statement assertions
• Financial reporting objective (most relevant objective to the audit)
• Operational and compliance objectives may be relevant to the audit only if they relate to the data the auditor evaluates to determine the reliability of some financial statement assertions

Components of internal control

1. Control Environment
• Includes the attitudes, awareness and actions
• Those charged with governance concerning the entity’s internal control
• Also includes the governance and management functions and sets the tone of an organization
• Foundation for effective internal control providing discipline and structure
• Factors
  o Integrity and ethical values
  o Management philosophy and operating style
  o Active participation of those charged with governance
  o Commitment to competence
  o Personnel policies and procedures
  o Assignment of responsibility and authority / organizational structure
    • Organizational structure (provides framework for planning, directing, and controlling the entity’s operations)

2. Risk Assessment
• Business risk
  o Risk that the entity’s business objectives will not be attained
  o Crucial to every organization
• Auditor is only concerned with those risks that are relevant to the preparation of reliable financial statements

3. Information and Communication Systems
• Effective internal control must provide timely information and communication
• Financial reporting system
• Encompasses methods and records
  o Identify and record all valid transactions
  o Timely basis the transactions
  o Measure the value of transactions
  o Determine time period
  o Present properly
• Communication
  o Providing an understanding of individual roles and responsibilities
• Open communication channels (help ensure that exceptions are reported and acted on)
• Can take such forms as policy manuals, accounting and financial reporting, manuals and memoranda

4. Control Activities
• Policies and procedures that help ensure that management directives are carried out
• Performance reviews
  o Reviews and analyses of actual performance
• Information processing
  o Check accuracy, completeness, and authorization of transactions
  o General and application controls
• Physical controls
  o Secured facilities, authorization for access, periodic counting and comparison with amounts
• Segregation of duties
  o Assigning different people the responsibilities

5. Monitoring
• Process of assessing the quality of internal control performance over time
• Assessing the design and operation of control
• Done to ensure that controls continue to operate effectively
• Ongoing monitoring (regular management and supervisory activities)
• Separate evaluations (non-routine basis)

IC for small business – may be weak but can be compensated if the owner/manager actively participates in the operations of the business

Consideration of Internal Control
• Auditors are not responsible for establishing and maintaining an entity’s accounting and internal control systems because it is the responsibility of the management

STEPS:
• 1. Understanding internal control
  o Auditor should obtain sufficient understanding of the components of the entity’s internal control relevant to the audit
  o Evaluating the design of a control
  o Determine whether it is implemented
  o Walk through test – tracing one or two transactions through the entire accounting systems; confirms the understanding of how the accounting systems and control procedures function
  o Auditor is not required to obtain knowledge about the effectiveness of the IC
  o Uses to identify: types of potential misstatement, consider factors, design the nature, timing and extent
• 2. Documenting the auditor’s understanding of IC
  o This documentation need not be in any particular form
  o Narrative description
  o Flowchart
  o Internal control questionnaire
• 3. Assessment of Control Risk
  o Auditor should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions
  o IC are not effective, assess at high level
    • No tests of controls need to be performed and the auditor will rely primarily on substantive tests
  o IC are reliable/efficient, assess at less than high level
  o Identify specific internal control policies or procedures that are likely to prevent or detect and correct material misstatement
  o Perform test of control to determine effectiveness of procedures
• 4. Performing test of controls
  o Auditor must test these controls to obtain evidence that they are working effectively as the preliminary assessment suggests
  o Design of the accounting and internal control systems
  o Operation of the internal controls throughout the period
  o Auditor will only test the operating effectiveness of the controls that are likely to detect or prevent material misstatements
  o Auditor should obtain audit evidence through tests of control to support any assessment of control risk at less than high level
  o The greater the reliance the auditor plans to place on IC, the more extensive the tests of those controls that need to be performed
  o Nature of tests of controls
    • Inquiry – searching for appropriate information
    • Observation – looking at the process
    • Inspection – examination of documents and records to provide evidence of reliability
    • Reperformance – repeating the activity performed by the client to determine whether proper results were obtained
  o Significant overlap between the procedures used to obtain understanding and tests of controls
  o Obtaining understanding of the entity’s IC system and assessing control risks are often done simultaneously
  o Auditors usually perform test of controls during an interim visit in advance of period end
  o Factors must be considered:
    • Results of interim test
    • Length of remaining period
    • Changes occurred
  o Auditor should determine the size sample sufficient to support the assessed level of control risk
  o Assessed level of control risk is used to determine acceptable level of detection risk
  o There is an inverse relationship between detection risk and the combined level of inherent and control risk
    • Nature of substantive test
    • Timing
    • Extent
  o Audit evidence for implementation (determines that the relevant controls exist and that the entity is using them)
  o Operating effectiveness (how controls were applied at the relevant times)
• 4. Documenting the assessed level of control risk
  o Control risk is assessed at a high level the auditor should document his conclusion that control risk is at a high level
  o Control risk is assessed at less than high level, auditor should document his conclusion that control risk is less than high and the basis for that assessment (results of tests of control)

Communication of internal control weaknesses
• Auditor is required to report to the appropriate level of management material weaknesses in the design or operation of the accounting and internal control systems
• Auditors are not required to search for and/or identify IC weaknesses
• Management letter
  o IC weaknesses and other concerns are documented in

Chapter 7 – Auditing in a computerized environment

*responsibility for the establishments and implementation of appropriate internal control systems rests with management and those charged with governance

Characteristics:
• Lack of visible transaction trails
  o CIS environment data can be entered directly into the computer system without supporting documents
• Consistency of performance
  o CIS performs functions exactly as programmed
  o Clerical errors are eliminated
• Ease of access to data and computer program
  o Data and computer programs may be accessed and altered by unauthorized persons leaving no visible evidence
  o Appropriate controls are incorporated
• Concentration of duties
  o Proper segregation of duties is an essential characteristic of a sound ICS
  o What appears to be an incompatible combination of functions may be combined in a CIS environment without weakening the internal control
• Systems generated transactions
  o Certain transactions may be initiated by the CIS itself without the need for an input documents
• Vulnerability of data and program storage media
  o Information in the system can be easily changed leaving no trace of the original content

General controls
- those control policies and procedures that relate to the overall CIS
• organizational controls
  o written plan of the organization with clear assignment of authority and responsibility
  o segregation between the user and CIS department
    • must be independent of all departments
    • function is to process transactions
    • all changes in computer files must be initiated and authorized by the user department
  o segregation of duties within the CIS department
    • functions within the CIS environment should be properly segregated for good organizational controls
    • organizational structure should provide for definite line of authority and responsibility
  o optimal segregation of duties dictates that each of the above tasks be assigned to different employees
• systems development and documentation controls
  o must be approved by the appropriate level of management and the user department
  o program must be treated and modified
• access controls
  o adequate security controls
  o should be limited only to operators and other authorized employees
  o use of passwords
• data recovery controls
  o provides for the maintenance of back-up files and off-site storage procedures
  o should be copied daily to tape or disks and secured off-site
  o grand-father father son (keep the two most recent generation of master files and transaction files)
• monitoring controls
  o designed to ensure CIS controls are working effectively as planned

Application Controls
- processing of transaction involves
  o input stage – capturing of mass data
  o processing stage – converting of data into useful information
  o output stage – preparation of information in a form useful
  o those policies and procedures that relate to specific use of the system
• controls over input
  o designed to provide reasonable assurance that data submitted for processing are complete, properly authorized and accurately translated into machine readable form
    • key verification, field check, validity check, self-checking digit, limit check, control totals
• controls over processing
  o designed to provide reasonable assurance that input data are processed accurately, and that data are not lost, added, excluded, duplicated or improperly changed
• controls over output
  o designed to provide reasonable assurance that the results of processing are complete, accurate and that these outputs are distributed only to authorized personnel
  o CIS outputs must be restricted only to authorized employees who will be using such outputs

*effectiveness of the general CIS controls is essential to the effectiveness of CIS application controls

Test controls in a CIS environment
- Auditor’s objectives and scope of the audit do not change in a CIS environment
• Auditing around the computer
  o Involves examination of documents and reports to determine the reliability of the system
  o Auditor ignores the client’s data processing procedures, focusing solely on the input documents and the CIS output
  o Input data are reconciled with the output data
  o Can be used if there is visible input document and detailed output
  o Black box approach
    • Does not permit direct assessment of actual processing of transactions
• Computer Assisted Auditing Techniques
  o Auditor will have to audit directly the client’s computer program using CAAT
  o White box approach
  o CAAT
    • Computer programs and data which the auditor uses as part of the audit procedures to process data
    • Test data – designed to test effectiveness of the IC procedures which are incorporated in the client’s computer program; determine whether program can correctly handle valid and invalid conditions
    • Integrated test facility – auditor creates a dummy employee for testing; must be alert to the danger of contaminating the client’s master file
    • Parallel simulation – auditor writes a program that simulates key features or processes of the program under review
      • Generalized audit software (common audit tasks)
      • Purpose written programs (audit tasks in specific performance)
  o Other CAAT
    • Snapshot – taking picture of transaction; permits an auditor to track data and evaluate the computer process
    • Systems control audit review files – embedding audit software modules within an application system to provide continuous monitoring of the systems application

Chapter 8 – Performing Substantive Tests

*auditor performs substantive tests to reduce the level of detection risk to an acceptable level

Substantive Tests
• Audit procedures designed to substantiate the account balance or to detect material misstatements
• Based on auditor’s judgment about the expected effectiveness and efficiency
• Two types:
• Analytical procedures
  o Auditor to obtain corroborative evidence about a particular account
  o Comparison of financial information with auditor’s expectations to determine the reasonableness of an account balance
  o This investigation ordinarily begins with inquiries
  o Auditor should focus on those accounts that are predictable
    • Income statement accounts
    • Accounts not subject to management’s discretion
    • Relationships in a stable environment
• Test of details
  o Examining the actual details making up the various account balances
  o Test of details of balances
    • Direct testing of the ending balances
  o Test of details of transactions
    • Testing the transactions which give rise to the ending balance account

Effectiveness of substantive tests
• Nature
  o Relates to the quality of evidence
  o Appropriate quality of evidence
  o Auditor would normally prefer high quality
• Timing
  o At interim date or year end
  o Interim procedures
    • Considered less effective due to incremental audit risk involved when auditing interim balance
    • Higher the risk of material misstatement
    • Minimizing the load during the peak period
• Extent
  o To the amount of evidence needed to satisfy a particular objective
  o Extent is based on the auditor’s judgement
  o Increases the extent of substantive procedures as the risk of material misstatement increases

Relationship between substantive test and tests of control

Test of controls – provide evidence that indicates a misstatement is likely to occur

Substantive tests – provide evidence about the existence of misstatements in an account balance

*auditor relies on the effectiveness of the internal control to prevent material errors and on substantive tests to verify the amounts
Audit evidence
• Refers to the information obtained by the auditor on arriving at the conclusions on which the audit opinion is based
• Obtained as a result of performing tests of control and substantive tests
• Underlying accounting data
  o Accounting records underlying the financial statements
• Corroborating information
  o Supporting the underlying accounting data obtained from client and other sources
• Accounting data cannot be considered sufficient evidence to support an opinion on the financial statements

Qualities of Evidence
• Should consider sufficiency and appropriateness of audit evidence
• Audit evidence must support the assessed level of control risk
• Sufficiency
  o Amount of evidence that the auditor should accumulate
  o Because of the cost/benefit consideration the auditor does not examine all evidence available
  o Competence, materiality, risk and experience
• Appropriateness
  o Measure of the quality of the audit evidence and its relevance to a particular assertion and its reliability
  o Relevance (timeliness of the evidence)
  o Reliability (objectivity of evidence and its influence)
  o Evidence obtained from the independent outside sources is more reliable than that generated internally
  o Evidence generated internally is more reliable when IC are effective
  o Evidence obtained from the auditor is more reliable
  o In the form of document and written representations are more reliable than oral representations

Cost/benefit consideration when obtaining evidence
• Rational relationship between the cost of obtaining evidence and the usefulness of information
• Audit evidence does not have to be conclusive to be useful
• Persuasive rather than conclusive

Audit documentation/working papers
• Working papers
  o Records kept by the auditor that document the audit procedures applied, information obtained and conclusions reached
• PSA 30 requires
  o Auditor to document matters that support an opinion
• Functions
  o Support opinion
  o Compliance with PSA
  o Assist the auditor
  o Future auditors
  o Providing information
  o Providing adequate defense

Form, Content and extent of audit documentation
• Auditor should consider what enables him to understand
  o Nature, timing and extent of audit procedures
  o Results of audit procedure and audit evidence
  o Significant matters and conclusions
• Factors
  o Nature of audit procedures
  o Identified risks
  o Extent of judgement
  o Significance of the audit evidence
  o Nature and extent of exceptions
  o Basis for a conclusion not readily determinable
  o Audit methodology and tools used

Classification of working papers
• Permanent file
  o Contains information of continuing significance to the auditor in performing recurring audits
• Current file
  o Evidence gathered and conclusions reached relevant to the audit of a particular year
• Owned by the auditor and the client has no right to the working papers
• Reference source for the client
• Not considered as part or as a substitute for the client’s records
• Cannot be shown to third parties without client’s permission except when
  o Required by law
  o Professional right
• Retained by auditor for a period of time sufficient to meet the needs of his practice and satisfy any pertinent legal requirements of record retention
• Should be properly organized to facilitate and review
  o Heading indexing
  o Cross-indexing/cross-referencing
    • Provide a trail useful to supervisor
  o Tick marks

Auditing Accounting estimates
• PSA 540
  o Accounting estimate means an approximation of the amount of an item in the absence of a precise means of measurement
  o Made in conditions of uncertainties
• Risk of material misstatement is greater when accounting estimates are involved
• Management is responsible for making accounting estimates included in the financial statements
• Auditor’s responsibility to obtain sufficient appropriate evidence
  o Estimate is properly accounted for
  o Reasonable in the circumstances
• Review and test the process used by management to develop the estimate
• Make an independent estimate
  o Make or obtain an independent estimate and compare it
• Review subsequent events which confirm the estimate made

Related Parties
• Refers to persons or entities that have dealing with one another
  o GAAP requires disclosure
  o Related party transaction may be motivated by other than ordinary business consideration
  o Existence of related parties or related party transactions may affect the financial statements and the reliability of audit evidence
• Management’s responsibility
  o Responsible for identification and disclosure of related parties and transactions with such parties
  o Requires management to implement adequate accounting and internal control systems to ensure that transactions with related parties are appropriately identified
• Auditor’s responsibility
  o Auditor should obtain and review information provided by the directors and management identifying the names of all known related parties and related party transactions
Using the work of an auditor’s expert
• Auditor is not expected to have the expertise required to practice other profession or occupation
• Expert
  o Person or firm possessing special skill, knowledge and experience in a particular field other than accounting and auditing
• Auditor’s expert
  o Used by auditor to assist the auditor in obtaining sufficient appropriate audit evidence
• Management’s expert
  o Used by the entity to assist the entity in preparing the financial statements
• Determining the need for an auditor’s expert
  o Not all engagement would require the help of an expert
• Evaluating the auditor’s expert
  o Assess the competence and objectivity of the experts
  o Understand the field of the expertise of auditor’s expert
  o Establish the terms of the agreement with the expert
  o Evaluate the results of the work of the expert
• The auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the auditor’s use of the work of an expert
• Auditor should not refer to the work of an auditor’s expert in an auditor’s report containing an unmodified opinion
• Auditor can make a reference to the expert’s work if work is necessary and necessary for readers to understand the reason for expressing a modified opinion

Internal auditing
• An appraisal activity established within an entity as a service to the entity
• Two phases
  o Making preliminary assessment of internal auditing
    • Competence, objectivity, due professional care, scope of function
  o Evaluating and testing the work of internal auditing
    • External auditor uses work of internal auditor to evaluate and test the internal auditor’s work to confirm adequacy for internal auditors purposes
