9-1
Copyright © 2007 Pearson Education Canada
Chapter 9 objectives
Explain why the study of internal control is important
List the four components of internal control
Discuss the relationship between the control environment and application controls
Examine how control risk is assessed
Describe the process used to understand, document and test internal controls
Identify internal control reports
9-2
What is Internal Control?
A process designed and effected by management (or board or employees) in providing reasonable assurance about the achievement of the entity’s objectives (reliable reporting, effectiveness and efficiency, compliance with laws)
See CICA Handbook 5141.042
9-3
GAAS and Internal Controls
Why is it mandatory for the auditor to understand the internal control system?
How likely is it that there are NO internal controls at all?
9-4
Management responsibilities with respect to internal control
Should be cost-effective
Provide reliable accounting and operating data
Safeguard assets and records
Promote operational efficiency
Prevent and detect error, fraud or illegal acts
Ensure compliance with laws and regulations
9-5
Auditor responsibilities with respect to internal control
Exercise professional skepticism
Document and evaluate internal controls of financial systems
Test controls if reliance intended
Communicate weaknesses that could cause material errors
9-6
Concepts when studying internal control
Remember, it is management’s responsibility to establish and maintain internal controls: the auditor evaluates and may test these controls
The auditor can provide reasonable, but not absolute assurance
Internal controls have inherent limitations
9-7
Inherent limitations of internal controls
No such thing as 100% internal controls
Effectiveness depends upon the competency and dependability of individuals (or systems) executing the controls
Most internal controls can be overridden using collusion
9-8
Four components of internal control
9-9
The control environment
Actions, policies and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about controls
The essence of an effectively controlled organization lies in the attitude of its management
Control environment (CE) factors are assessed as part of the knowledge of business and are used to develop a client risk profile
9-10
CE factor: management philosophy and operating style
Management should operate ethically and honestly
Like behaviour should be encouraged among employees, perhaps by means of documented policies such as a code of ethics
Service policies could include a commitment to quality and competence
9-11
CE factor: board of directors and audit committee
Board should include independent directors
Audit committee should include independent directors
Audit committee should have competence in financial reporting assessment
Board members should participate actively, meet with internal and external auditors
9-12
CE factor: organizational structure
9-13
CE factor: methods of assigning authority and responsibility
Take into account reporting relationships and responsibilities within organizational culture
Organizational goals, ethical and social issues considered
Development and implementation of policies such as job descriptions and codes of conduct
9-14
CE factor: management control methods
Methods used to implement objectives and policies (many possible examples)
Logical access controls and monitoring for data communications
Monitoring activities of employees
Implementation of effective budgeting systems with follow-up of differences
9-15
CE factor: systems development methodology
Policies and procedures for selection, development/purchase and maintenance of information systems
Formal methodologies for customized systems
Implementation of systems consistent with organizational objectives
9-16
CE factor: management reaction to external influences
Monitoring of the external environment, including changes in laws
Ability to respond to changes in the external environment, including changes in business procedures or organizational structures
9-17
CE factor: human resource policies and practices
Hiring practices to ensure competent and trustworthy employees
Evaluation and compensation processes to help motivate employees to continued competence and honesty
9-18
Role of internal audit
To help ensure independence, internal audit should report to the audit committee of the board of directors
Can be part of control environment when effective, competent, independent and well-trained
Can contribute to reduced external audit costs
9-19
Risk assessment
Involves management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with GAAP
Management needs to: identify risks, estimate significance, assess likelihood of occurrence, develop action plans to reduce the risk to an acceptable level
9-20
Control systems include:
General controls: control systems that affect multiple classes of transactions (also called application systems)
Application (or accounting system) controls: can be manual, computer-assisted, or fully automated
9-21
Impact of inadequate general controls
Organization and management: Cannot rely on automated or combined controls
Systems acquisition, development and maintenance: Cannot rely upon automated or combined controls
Operations and information systems support: May result in going concern issues
9-22
Accounting (application) system control procedures
Appropriate segregation of duties
Proper authorization of transactions and activities
Adequate documents and records
Adequate safeguards over access to and use of assets and records
Independent verification of performance and the accuracy of recorded amounts
9-23
Monitoring
Deals with ongoing or periodic assessment of the quality of internal control performance by management
Internal audit department may provide independent evaluation of the quality of the monitoring process
9-24
Internal control audit process: 1. Obtain understanding
Obtain understanding of design and operation
Methods used to understand and document this process:
– Flow charts
– Narrative
– Internal control questionnaire
9-25
Knowing the difference between a strength and a weakness
Question 9-17, p. 278
Identifying the absent control when an error or fraud occurred
Which audit objective(s) were not met?
Also be able to identify: Controls to help prevent the problem from occurring
9-26
Internal control audit process: 2. Assess control risk
Using the audit risk model
Control risk is assessed at one of the following levels:
– Maximum (100%) – no reliance, only substantive testing is completed
– High
– Moderate
– Low
Decide whether controls will be tested or not (it may be more efficient to only go substantive)
9-27
Internal control audit process: 3. Test controls if reliance is intended
Procedures completed to ensure that key controls have been operating:
– Inquiry
– Inspection
– Observation
– Reperformance
Procedures must be linked to audit objectives
9-28
Where controls are functioning:
Identify the errors that are less likely to occur
Link to the related substantive test
Perform less or limited or no substantive procedures in this area
More analytical procedures can be used
9-29
Identify the potential impact of weaknesses
If a control is not functioning, or does not exist, this is a WEAKNESS:
– Need to identify potential monetary error (is the impact MATERIAL?)
– Do expanded substantive tests, if necessary
– Analytical procedures
– No internal controls testing in this area
9-30
Internal control audit process: 4. Decide PDR and substantive tests
After control testing you are better able to assess planned detection risk (PDR or just DR)
Then substantive tests are designed for each audit objective based on the PDR for that cycle or objective
9-31
Internal control audit process: 5. Report potentially material weaknesses
Specific wording is required for these weaknesses
Must be reported to management, board and audit committee (GAAS requires)
Other weaknesses (i.e. non-material) would also be included in a management letter
9-32