Assessing control risk – process of evaluating the design and operating effectiveness of an entity's internal control as to how it prevents or detects material misstatements in the financial statements

Assessed level of control risk – conclusion reached as a result of assessing control risk

Nature of Internal Control
PSA 315

Internal control is the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance

Essential Concepts:
1. IC is a process
   - Means of achieving the entity's objectives
2. IC is effected by those charged with governance, management and other personnel
   - Accomplished by people at every level of organizations
   - Responsibility of the management to establish a control environment
3. IC can be expected to provide reasonable assurance of achieving the entity's objectives
   - Because there are inherent limitations
     o Cost of IC should not exceed the expected benefits
     o Directed at routine transactions rather than non-routine transactions
     o Human error
     o Possibility of circumvention
     o Management overriding
     o Procedures may become inadequate

objectives
   - Effectiveness and efficiency of operations
   - Compliance with laws and regulations
   - Reliability of financial reporting
   - Auditor is only concerned with those policies and procedures within the accounting and internal control systems that are relevant to the financial statement assertions
   - Financial reporting objective (most relevant objective to the audit)
   - Operational and compliance objectives may be relevant to the audit only if they relate to the data the auditor evaluates to determine the reliability of some financial statement assertions

Components of internal control
1. Control Environment
   - Includes the attitudes, awareness and actions of those charged with governance concerning the entity's internal control
   - Also includes the governance and management functions and sets the tone of an organization
   - Foundation for effective internal control providing discipline and structure
   - Factors
     o Integrity and ethical values
     o Management philosophy and operating style
     o Active participation of those charged with governance
     o Commitment to competence
     o Personnel policies and procedures
     o Assignment of responsibility and authority / organizational structure
       - Organizational structure (provides framework for planning, directing, and controlling the entity's operations)
2. Risk Assessment
   - Business risk
     o Risk that the entity's business objectives will not be attained
     o Crucial to every organization
   - Auditor is only concerned with those risks that are relevant to the preparation of reliable financial statements
3. Information and Communication Systems
   - Effective internal control must provide timely information and communication
   - Financial reporting system
   - Encompasses methods and records
     o Identify and record all valid transactions
     o Timely basis the transactions
     o Measure the value of transactions
     o Determine time period
     o Present properly
   - Communication
     o Providing an understanding of individual roles and responsibilities
   - Open communication channels (help ensure that exceptions are reported and acted on)
   - Can take such forms as policy manuals, accounting and financial reporting manuals and memoranda
4. Control Activities
   - Policies and procedures that help ensure that management directives are carried out
   - Performance reviews
     o Reviews and analyses of actual performance
   - Information processing
     o Check accuracy, completeness, and authorization of transactions
     o General and application controls
   - Physical controls
     o Secured facilities, authorization for access, periodic counting and comparison with amounts
   - Segregation of duties
     o Assigning different people the responsibilities
5. Monitoring
   - Process of assessing the quality of internal control performance over time
   - Assessing the design and operation of control
   - Done to ensure that controls continue to operate effectively
   - Ongoing monitoring (regular management and supervisory activities)
   - Separate evaluations (non-routine basis)

IC for small business – may be weak but can be compensated if the owner/manager actively participates in the operations of the business

Consideration of Internal Control
   - Auditors are not responsible for establishing and maintaining an entity's accounting and internal control systems because it is the responsibility of the management

STEPS:
1. Understanding internal control
   o Auditor should obtain sufficient understanding of the components of the entity's internal control relevant to the audit
   o Evaluating the design of a control
   o Determine whether it is implemented
   o Walk through test – tracing one or two transactions through the entire accounting systems; confirms the understanding of how the accounting systems and control procedures function
   o Auditor is not required to obtain knowledge about the effectiveness of the IC
   o Uses to identify: types of potential misstatement, consider factors, design the nature, timing and extent
2. Documenting the auditor's understanding of IC
   o This documentation need not be in any particular form
   o Narrative description
   o Flowchart
   o Internal control questionnaire
3. Assessment of Control Risk
   o Auditor should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions
   o IC are not effective, assess at high level
     - No tests of controls need to be performed and the auditor will rely primarily on substantive tests
   o IC are reliable/efficient, assess at less than high level
   o Identify specific internal control policies or procedures that are likely to prevent or detect and correct material misstatement
   o Perform test of control to determine effectiveness of procedures
4. Performing test of controls
   o Auditor must test these controls to obtain evidence that they are working effectively as the preliminary assessment suggests
   o Design of the accounting and internal control systems
   o operation of the internal controls throughout the period
   o auditor will only test the operating effectiveness of the controls that are likely to detect or prevent material misstatements
   o auditor should obtain audit evidence through tests of control to support any assessment of control risk at less than high level
   o greater the reliance the auditor plans to place on IC the more extensive the tests of those controls that need to be performed
   o Nature of tests of controls
     - Inquiry – searching for appropriate information
     - Observation – looking at the process
     - Inspection – examination of documents and records to provide evidence of reliability
     - Reperformance – repeating the activity performed by the client to determine whether proper results were obtained
   o Significant overlap between the procedures used to obtain understanding and tests of controls
   o Obtaining understanding of the entity's IC system and assessing control risks are often done simultaneously
   o Auditors usually perform test of controls during an interim visit in advance of period end
   o Factors must be considered:
     - Results of interim test
     - Length of remaining period
     - Changes occurred
   o Auditor should determine the sample size sufficient to support the assessed level of control risk
   o Assessed level of control risk is used to determine acceptable level of detection risk
   o There is an inverse relationship between detection risk and the combined level of inherent and control risk
     - Nature of substantive test
     - Timing
     - Extent
   o Audit evidence for implementation (determines that the relevant controls exist and that the entity is using them)
   o Operating effectiveness (how controls were applied at the relevant times)
4. Documenting the assessed level of control risk
   o Control risk is assessed at a high level: the auditor should document his conclusion that control risk is at a high level
   o Control risk is assessed at less than high level: auditor should document his conclusion that control risk is less than high and the basis for that assessment (results of tests of control)

Communication of internal control weaknesses
   - Auditor is required to report to the appropriate level of management material weaknesses in the design or operation of the accounting and internal control systems
   - Auditors are not required to search for and/or identify IC weaknesses
   - Management letter
     o IC weaknesses and other concerns are documented in

Chapter 7 – Auditing in a computerized environment

*responsibility for the establishment and implementation of appropriate internal control systems rests with management and those charged with governance

Characteristics:
   - Lack of visible transaction trails
     o CIS environment data can be entered directly into the computer system without supporting documents
   - Consistency of performance
     o CIS performs functions exactly as programmed
     o Clerical errors are eliminated
   - Ease of access to data and computer program
     o Data and computer programs may be accessed and altered by unauthorized persons leaving no visible evidence
     o Appropriate controls are incorporated
   - Concentration of duties
     o Proper segregation of duties is an essential characteristic of a sound ICS
     o What appears to be an incompatible combination of functions may be combined in a CIS environment without weakening the internal control
   - Systems generated transactions
     o Certain transactions may be initiated by the CIS itself without the need for an input documents
   - Vulnerability of data and program storage media
     o Information in the system can be easily changed leaving no trace of the original content

General controls
- those control policies and procedures that relate to the overall CIS
   - organizational controls
     o written plan of the organization with clear assignment of authority and responsibility
     o segregation between the user and CIS department
       - must be independent of all departments
       - function is to process transactions
       - all changes in computer files must be initiated and authorized by the user department
     o segregation of duties within the CIS department
       - functions within the CIS environment should be properly segregated for good organizational controls
       - organizational structure should provide for definite line of authority and responsibility
     o optimal segregation of duties dictates that each of the above tasks be assigned to different employees
   - systems development and documentation controls
     o must be approved by the appropriate level of management and the user department
     o program must be treated and modified
   - access controls
     o adequate security controls
     o should be limited only to operators and other authorized employees
     o use of passwords
   - data recovery controls
     o provides for the maintenance of back-up files and off-site storage procedures
     o should be copied daily to tape or disks and secured off-site
     o grand-father father son (keep the two most recent generation of master files and transaction files)
   - monitoring controls
     o designed to ensure CIS controls are working effectively as planned

Application Controls
- processing of transaction involves
     o input stage – capturing of mass data
     o processing stage – converting of data into useful information
     o output stage – preparation of information in a form useful
     o those policies and procedures that relate to specific use of the system
   - controls over input
     o designed to provide reasonable assurance that data submitted for processing are complete, properly authorized and accurately translated into machine readable form
       - key verification, field check, validity check, self-checking digit, limit check, control totals
   - controls over processing
     o designed to provide reasonable assurance that input data are processed accurately, and that data are not lost, added, excluded, duplicated or improperly changed
   - controls over output
     o designed to provide reasonable assurance that the results of processing are complete, accurate and that these outputs are distributed only to authorized personnel
     o CIS outputs must be restricted only to authorized employees who will be using such outputs

*effectiveness of the general CIS controls is essential to the effectiveness of CIS application controls

Test controls in a CIS environment
- Auditor's objectives and scope of the audit do not change in a CIS environment
   - Auditing around the computer
     o Involves examination of documents and reports to determine the reliability of the system
     o Auditor ignores the client's data processing procedures, focusing solely on the input documents and the CIS output
     o Input data are reconciled with the output data
     o Can be used if there is visible input document and detailed output
     o Black box approach
       - Does not permit direct assessment of actual processing of transactions
   - Computer Assisted Auditing Techniques
     o Auditor will have to audit directly the client's computer program using CAAT
     o White box approach
     o CAAT
       - Computer programs and data which the auditor uses as part of the audit procedures to process data
       - Test data – designed to test effectiveness of the IC procedures which are incorporated in the client's computer program; determine whether program can correctly handle valid and invalid conditions
       - Integrated test facility – auditor creates a dummy employee for testing; must be alert to the danger of contaminating the client's master file
       - Parallel simulation – auditor writes a program that simulates key features or processes of the program under review
       - Generalized audit software (common audit tasks)
       - Purpose written programs (audit tasks in specific performance)
     o Other CAAT
       - Snapshot – taking picture of transaction; permits an auditor to track data and evaluate the computer process
       - Systems control audit review files – embedding audit software modules within an application system to provide continuous monitoring of the systems application

Chapter 8 – Performing Substantive Tests

*auditor performs substantive tests to reduce the level of detection risk to an acceptable level

Substantive Tests
   - Audit procedures designed to substantiate the account balance or to detect material misstatements
   - Based on auditor's judgment about the expected effectiveness and efficiency
   - Two types:
   - Analytical procedures
     o Auditor to obtain corroborative evidence about a particular account
     o Comparison of financial information with auditor's expectations to determine the reasonableness of an account balance
     o This investigation ordinarily begins with inquiries
     o Auditor should focus on those accounts that are predictable
       - Income statement accounts
       - Accounts not subject to management's discretion
       - Relationships in a stable environment
   - Test of details
     o Examining the actual details making up the various account balances
     o Test of details of balances
       - Direct testing of the ending balances
     o Test of details of transactions
       - Testing the transactions which give rise to the ending balance account

Effectiveness of substantive tests
   - Nature
     o Relates to the quality of evidence
     o Appropriate quality of evidence
     o Auditor would normally prefer high quality
   - Timing
     o At interim date or year end
     o Interim procedures
       - Considered less effective due to incremental audit risk involved when auditing interim balance
       - Higher the risk of material misstatement
       - Minimizing the load during the peak period
   - Extent
     o To the amount of evidence needed to satisfy a particular objective
     o Extent is based on the auditor's judgement
     o Increases the extent of substantive procedures as the risk of material misstatement increases

Relationship between substantive test and tests of control
   - Test of controls – provide evidence that indicates a misstatement is likely to occur
   - Substantive tests – provide evidence about the existence of misstatements in an account balance

*auditor relies on the effectiveness of the internal control to prevent material errors and on substantive tests to verify the amounts

Audit evidence
   - Refers to the information obtained by the auditor on arriving at the conclusions on which the audit opinion is based
   - Obtained as a result of performing tests of control and substantive tests
   - Underlying accounting data
     o Accounting records underlying the financial statements
   - Corroborating information
     o Supporting the underlying accounting data obtained from client and other sources
   - Accounting data cannot be considered sufficient evidence to support an opinion on the financial statements

Qualities of Evidence
   - Should consider sufficiency and appropriateness of audit evidence
   - Audit evidence must support the assessed level of control risk
   - Sufficiency
     o Amount of evidence that the auditor should accumulate
     o Because of the cost/benefit consideration the auditor does not examine all evidence available
     o Competence, materiality, risk and experience
   - Appropriateness
     o Measure of the quality of the audit evidence and its relevance to a particular assertion and its reliability
     o Relevance (timeliness of the evidence)
     o Reliability (objectivity of evidence and its influence)
     o Evidence obtained from independent outside sources is more reliable than that generated internally
     o Evidence generated internally is more reliable when IC are effective
     o Evidence obtained from the auditor is more reliable
     o In the form of document and written representations are more reliable than oral representations

Cost/benefit consideration when obtaining evidence
   - Rational relationship between the cost of obtaining evidence and the usefulness of information
   - Audit evidence does not have to be conclusive to be useful
   - Persuasive rather than conclusive

Audit documentation/working papers
   - Working papers
     o Records kept by the auditor that document the audit procedures applied, information obtained and conclusions reached
   - PSA 30 requires
     o Auditor to document matters that support an opinion
   - Functions
     o Support opinion
     o Compliance with PSA
     o Assist the auditor
     o Future auditors
     o Providing information
     o Providing adequate defense

Form, Content and extent of audit documentation
   - Auditor should consider what enables him to understand
     o Nature, timing and extent of audit procedures
     o Results of audit procedure and the audit evidence
     o Significant matters and conclusions
   - Factors
     o Nature of audit procedures
     o Identified risks
     o Extent of judgement
     o Significance of the audit evidence
     o Nature and extent of exceptions
     o Basis for a conclusion not readily determinable
     o Audit methodology and tools used

Classification of working papers
   - Permanent file
     o Contains information of continuing significance to the auditor in performing recurring audits
   - Current file
     o Evidence gathered and conclusions reached relevant to the audit of a particular year
   - Owned by the auditor and the client has no right to the working papers
   - Reference source for the client
   - Not considered as part or as a substitute for the client's records
   - Cannot be shown to third parties without client's permission except when
     o Required by law
     o Professional right
   - Retained by auditor for a period of time sufficient to meet the needs of his practice and satisfy any pertinent legal requirements of record retention
   - Should be properly organized to facilitate and review
     o Heading indexing
     o Cross-indexing/cross-referencing
   - Provide a trail useful to supervisor
     o Tick marks

Auditing Accounting estimates
PSA 540
     o Accounting estimate means an approximation of the amount of an item in the absence of a precise means of measurement
     o Made in conditions of uncertainties
   - Risk of material misstatement is greater when accounting estimates are involved
   - Management is responsible for making accounting estimates included in the financial statements
   - Auditor's responsibility to obtain sufficient appropriate evidence
     o Estimate is properly accounted for
     o Reasonable in the circumstances
   - Review and test the process used by management to develop the estimate
   - Make an independent estimate
     o Make or obtain an independent estimate and compare it
   - Review subsequent events which confirm the estimate made

Related Parties
   - Refers to persons or entities that have dealing with one another
     o GAAP requires disclosure
     o Related party transaction may be motivated by other than ordinary business consideration
     o Existence of related parties or related party transactions may affect the financial statements and the reliability of audit evidence
   - Management's responsibility
     o Responsible for identification and disclosure of related parties and transactions with such parties
     o Requires management to implement adequate accounting and internal control systems to ensure that transactions with related parties are appropriately identified
   - Auditor's responsibility
     o Auditor should obtain and review information provided by the directors and management identifying the names of all known related parties and related party transactions

Using the work of an auditor's expert
   - Auditor is not expected to have the expertise required to practice other profession or occupation
   - Expert
     o Person or firm possessing special skill, knowledge and experience in a particular field other than accounting and auditing
   - Auditor's expert
     o Used by auditor to assist the auditor in obtaining sufficient appropriate audit evidence
   - Management's expert
     o Used by the entity to assist the entity in preparing the financial statements
   - Determining the need for an auditor's expert
     o Not all engagements would require the help of an expert
   - Evaluating the auditor's expert
     o Assess the competence and objectivity of the experts
     o Understand the field of the expertise of auditor's expert
     o Establish the terms of the agreement with the expert
     o Evaluate the results of the work of the expert
   - The auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the auditor's use of the work of an expert
   - Auditor should not refer to the work of an auditor's expert in an auditor's report containing an unmodified opinion
   - Auditor can make a reference to the expert's work if work is necessary and necessary for readers to understand the reason for expressing a modified opinion

Internal auditing
   - An appraisal activity established within an entity as a service to the entity
   - Two phases
     o Making preliminary assessment of internal auditing
       - Competence, objectivity, due professional care, scope of function
     o Evaluating and testing the work of internal auditing
       - External auditor uses work of internal auditor to evaluate and test the internal auditor's work to confirm adequacy for internal auditors purposes