Chapter 9: Internal Controls and Control Risk

Copyright © 2007 Pearson Education Canada

Chapter 9 objectives
• Explain why the study of internal control is important
• List the four components of internal control
• Discuss the relationship between the control environment and application controls
• Examine how control risk is assessed
• Describe the process used to understand, document and test internal controls
• Identify internal control reports

What is Internal Control?
• A process designed and effected by management (or board or employees) in providing reasonable assurance about the achievement of the entity’s objectives (reliable reporting, effectiveness and efficiency, compliance with laws)
• See CICA Handbook 5141.042

GAAS and Internal Controls
• Why is it mandatory for the auditor to understand the internal control system?
• How likely is it that there are NO internal controls at all?

Management responsibilities with respect to internal control
• Should be cost-effective
• Provide reliable accounting and operating data
• Safeguard assets and records
• Promote operational efficiency
• Prevent and detect error, fraud or illegal acts
• Ensure compliance with laws and regulations

Auditor responsibilities with respect to internal control
• Exercise professional skepticism
• Document and evaluate internal controls of financial systems
• Test controls if reliance intended
• Communicate weaknesses that could cause material errors

Concepts when studying internal control
• Remember, it is management’s responsibility to establish and maintain internal controls: the auditor evaluates and may test these controls
• The auditor can provide reasonable, but not absolute assurance
• Internal controls have inherent limitations

Inherent limitations of internal controls
• No such thing as 100% internal controls
• Effectiveness depends upon the competency and dependability of individuals (or systems) executing the controls
• Most internal controls can be overridden using collusion

Four components of internal control

The control environment
• Actions, policies and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about controls
• The essence of an effectively controlled organization lies in the attitude of its management
• Control environment (CE) factors are assessed as part of the knowledge of business and are used to develop a client risk profile

CE factor: management philosophy and operating style
• Management should operate ethically and honestly
• Like behaviour should be encouraged among employees, perhaps by means of documented policies such as a code of ethics
• Service policies could include a commitment to quality and competence

CE factor: board of directors and audit committee
• Board should include independent directors
• Audit committee should include independent directors
• Audit committee should have competence in financial reporting assessment
• Board members should participate actively, meet with internal and external auditors

CE factor: organizational structure
• A structure that is appropriate for planning, directing and controlling operations
• Authority and responsibility assignments clear
• Information systems steering committee to oversee systems development and management of information systems

CE factor: methods of assigning authority and responsibility
• Take into account reporting relationships and responsibilities within organizational culture
• Organizational goals, ethical and social issues considered
• Development and implementation of policies such as job descriptions and codes of conduct

CE factor: management control methods
• Methods used to implement objectives and policies (many possible examples)
• Logical access controls and monitoring for data communications
• Monitoring activities of employees
• Implementing effective budgeting systems with follow-up of differences

CE factor: systems development methodology
• Policies and procedures for selecting, development/purchase and maintenance of information systems
• Formal methodologies for customized systems
• Implementation of systems consistent with organizational objectives

CE factor: management reaction to external influences
• Monitoring of the external environment, including changes in laws
• Ability to respond to changes in the external environment, including changes in business procedures or organizational structures

CE factor: human resource policies and practices
• Hiring practices to ensure competent and trustworthy employees
• Evaluation and compensation processes to help motivate employees to continued competence and honesty

Role of internal audit
• To help ensure independence, internal audit should report to the audit committee of the board of directors
• Can be part of control environment when effective, competent, independent and well-trained
• Can contribute to reduced external audit costs

Risk assessment
• Involves management’s identification and analysis of risks relevant to the preparation of financial statements in conformity with GAAP
• Management needs to: identify risks, estimate significance, assess likelihood of occurrence, develop action plans to reduce the risk to an acceptable level

Control systems include:
• General controls: control systems that affect multiple classes of transactions (also called application systems)
• Application (or accounting system) controls: can be manual, computer-assisted, or fully automated

Impact of inadequate general controls
• Organization and management: Cannot rely on automated or combined controls
• Systems acquisition, development and maintenance: Cannot rely upon automated or combined controls
• Operations and information systems support: May result in going concern issues

Accounting (application) system control procedures
• Appropriate segregation of duties
• Proper authorization of transactions and activities
• Adequate documents and records
• Adequate safeguards over access to and use of assets and records
• Independent verification of performance and the accuracy of recorded amounts

Monitoring
• Deals with ongoing or periodic assessment of the quality of internal control performance by management
• Internal audit department may provide independent evaluation of the quality of the monitoring process

Internal control audit process: 1. Obtain understanding
• Obtain understanding of design and operation
• Methods used to understand and document this process:
  – Flow charts
  – Narrative
  – Internal control questionnaire

Knowing the difference between a strength and a weakness
• Question 9-17, p. 278
• Identifying the absent control when an error or fraud occurred
• Which audit objective(s) were not met?
• Also be able to identify: Controls to help prevent the problem from occurring

Internal control audit process: 2. Assess control risk
• Using the audit risk model
• Control risk is assessed at one of the following levels:
  – Maximum (100%) – no reliance, only substantive testing is completed
  – High
  – Moderate
  – Low
• Decide whether controls will be tested or not (it may be more efficient to only go substantive)

Internal control audit process: 3. Test controls if reliance is intended
• Procedures completed to ensure that key controls have been operating:
  – Inquiry
  – Inspection
  – Observation
  – Reperformance
• Procedures must be linked to audit objectives

Where controls are functioning:
• Identify the errors that are less likely to occur
• Link to the related substantive test
• Perform less or limited or no substantive procedures in this area
• More analytical procedures can be used

Identify the potential impact of weaknesses
• If a control is not functioning, or does not exist, this is a WEAKNESS:
  – Need to identify potential monetary error (is the impact MATERIAL?)
  – Do expanded substantive tests, if necessary
  – Analytical procedures
  – No internal controls testing in this area

Internal control audit process: 4. Decide PDR and substantive tests
• After control testing you are better able to assess planned detection risk (PDR or just DR)
• Then substantive tests are designed for each audit objective based on the PDR for that cycle or objective

Internal control audit process: 5. Report potentially material weaknesses
• Specific wording is required for these weaknesses
• Must be reported to management, board and audit committee (GAAS requires)
• Other weaknesses (i.e. non-material) would also be included in a management letter
