440 likes | 680 Views
CHAPTER 6 INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT. Chapter 6. INTERNAL CONTROL. Management’s perspective The auditor’s perspective. INTERNAL CONTROL.
E N D
CHAPTER 6 INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT Chapter 6
INTERNAL CONTROL • Management’s perspective • The auditor’s perspective
INTERNAL CONTROL • Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
THE EFFECT OF INFORMATION TECHNOLOGY ON INTERNAL CONTROL • The effect of an entity’s use of IT can affect any of the components of internal control. • The use of IT affects the way that transactions are initiated, recorded, processed, and reported. • See Table 6-1 for the potential benefits and risks to an entity’s internal control from IT.
BENEFITS FROM IT • Consistent application of predefined business rules and performance of complex calculations in processing large volumes of transactions or data. • Enhancement of the timeliness, availability, and accuracy of information. • Facilitation of additional analysis of information. • Enhancement of the ability to monitor the performance of the entity's activities and its policies and procedures. • Reduction in the risk that controls will be circumvented. • Enhancement of the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.
RISKS OF IT • Reliance on systems or programs that are inaccurately process data, process inaccurate data, or both. • Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions. • Unauthorized changes to data in master files. • Unauthorized changes to systems or programs. • Failure to make necessary changes to systems or programs. • Inappropriate manual intervention. • Potential loss of data.
PLANNING AN AUDIT STRATEGY • Figure 6-2 presents a flowchart of the auditor's decision process when considering internal control in planning an audit. • The auditor can choose from two audit strategies: • no-reliance or substantive strategy • reliance strategy
A SUBSTANTIVE STRATEGY • An auditor uses a substantive strategy because of one or all of the following factors:
A RELIANCE STRATEGY • An auditor’s decision to follow a reliance strategy involves:
OBTAIN AN UNDERSTANDING OFINTERNAL CONTROL • The auditor’s knowledge from understanding internal control is used to: • Identify the types of potential misstatements. • Consider factors that affect the risk of material misstatement. • Design of tests of controls • Design substantive tests.
OBTAIN AN UNDERSTANDING OF INTERNAL CONTROL • In deciding on the nature and extent of the understanding of the internal control, the auditor should consider the following items: • Knowledge obtained from other sources about the types of misstatements that could occur. • Information from previous audits. • Understanding of the entity's industry and markets. • The assessment of inherent risk. • Judgments about materiality. • The complexity and sophistication of the entity's operations and systems, including IT.
OBTAIN AN UNDERSTANDING OF INTERNAL CONTROL • To properly understand an entity’s internal control, the auditor must understand the five components of internal control:
THE CONTROL ENVIRONMENT • The control environment sets the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure
FACTORS AFFECTING THE CONTROL ENVIRONMENT • Integrity and ethical values. • A commitment to competence. • Participation of the board of directors or audit committee. • Management’s philosophy and operating style. • Organizational structure. • Assignment of authority and responsibility. • Human resource policies and procedures.
RISK ASSESSMENT Risk assessment is the entity's identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with GAAP.
SPECIFIC RISKS • Client business risks can arise or change due to:
CONTROL ACTIVITIES Control activities are the policies and procedures that help ensure that necessary actions are taken to address the risks involved in achieving the entity's objectives
CONTROL ACTIVITIES • Control activities that are relevant to the audit include: • Performance reviews • Information processing • Physical control • Segregation of duties
INFORMATION ANDCOMMUNICATION SYSTEMS Information and communication support the identification, capture, and exchange of information in form and time frame that enable people to carry out their responsibilities.
INFORMATION SYSTEM • An information system consists of infrastructure, software, people, procedures, and data. • The information system relevant to the financial reporting objectives, which includes the accounting system, consists of procedures, whether automated or manual, and records established to initiate, record, process, and report entity transactions and to maintain accountability for the related assets and liabilities.
INFORMATION SYSTEM • An effective accounting system encompasses methods and records that will: • Identify and records all valid transactions. • Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting. • Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
INFORMATION SYSTEM • Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period. • Present properly the transactions and related disclosures in the financial statements.
COMMUNICATION Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
MONITORING Monitoring is a process that assesses the quality of the internal control over time. It involves appropriate personnel assessing the design and operation of controls on a timely basis and taking necessary actions.
THE EFFECT OF ENTITY SIZE ON INTERNAL CONTROL • The size of the entity may affect how the various components of internal control are implemented. • Many small entities have good controls because of significant involvement in day-to-day activities by the owner-manager.
PROCEDURES TO OBTAIN AN UNDERSTANDING • The auditor uses the following audit procedures to obtain an understanding of internal control: • Inquiry of appropriate management, supervisory, and staff personnel. • Inspection of entity documents and reports. • Observation of the entity's activities and operations.
DOCUMENTING THE UNDERSTANDING OF THE INTERNAL CONTROL • A number of tools are available to the auditor for documenting the understanding of the internal control including: • Copies of the entity's procedures manuals and organizational charts. • Narrative descriptions (see Exhibit 6-6). • Internal control questionnaires (see Exhibits 6-1). • Flowcharts (see Figure 6-4).
ASSESSING CONTROL RISK • Assessing control risk below the maximum involves three steps: • Identifying specific controls that will be relied upon. • Performing tests of controls. • Concluding on the assessed level of control risk.
PERFORMING TESTS OF CONTROLS • Audit procedures directed towards evaluating the effectiveness of either the design or operation of an internal control are referred to as tests of controls and include:
DOCUMENTING THE ASSESSED LEVEL OF CONTROL RISK Auditing standards state that the auditor should document the basis for his or her conclusions about the assessed level of control risk. The auditor should also document the assessed level of control risk so that the audit risk model can be used.
PERFORMING SUBSTANTIVE TESTS The last step in the decision process is to perform the substantive tests. The level of detection risk for these tests is based on the planned level of audit risk and the assessed levels of inherent and control risk.
TIMING OF AUDIT PROCEDURES • Auditing procedures can be conducted at: • an interim date, or • at year end • See Figure 6-5
INTERIM TESTS OF CONTROLS • The auditor should consider the following factors in determining the nature and extent of audit work for the remaining period for tests of controls: • the significance of the internal control objective • the evaluation of the design and operation of the control • the planned substantive tests.
INTERIM SUBSTANTIVE TESTS • The auditor should consider the following factors when substantive tests are completed at an interim date:
COMMUNICATION OF INTERNAL CONTROL-RELATED MATTERS Auditing standards (AU 325) requires that the auditor report to the audit committee, or to a similar level of authority when the entity does not have an audit committee, matters which are referred to as reportable conditions.
REPORTABLE CONDITIONS Reportable conditions are significant deficiencies in the design or operation of the internal control which could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with management's assertions (see Table 6-7).
REPORTING ON REPORTABLE CONDITIONS • The following items should be included in the report: • A indication that the purpose of the audit was to report on the financial statements and not to provide assurance on the internal control. • The definition of reportable conditions. • A statement of restrictions on the distribution on the report • See Exhibit 6-7.
MATERIAL WEAKNESSES A material weakness in internal control is defined as a reportable condition in which the design or operation of one or more of the specific internal control elements does not reduce to a relatively low level the risk that errors or irregularities in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions (AU 325.15).