300 likes | 471 Views
9.401 Auditing. Chapter 9 The Study of Internal Control and Assessment of Control Risk. Generally Accepted Auditing Standard.
E N D
9.401 Auditing Chapter 9 The Study of Internal Control and Assessment of Control Risk
Generally Accepted Auditing Standard • 5100.02 (ii) A sufficient understanding of internal control should be obtained to plan the audit. When control risk is assessed below maximum, sufficient appropriate audit evidence should be obtained through tests of controls to support the assessment. [Oct. 1992]
Internal Control consists of the policies and procedures established and maintained by management to assist in achieving its objectives
Those objectives are… • Effectiveness and efficiency of operations • safeguarding of assets • Prevention and detection of fraud • Reliability of financial reporting • Compliance with applicable laws, regulations and policies As far as is practical. Mgmt can and should consider consequences and risks of non-control and costs of control implementation.
Factors Affecting Internal Control • The entity’s size • The entity’s organization and ownership characteristics • The nature of the entity’s business • The diversity and complexity of the entity’s operations • The entity’s methods of transmitting, processing, maintaining, and accessing information • Applicable legal and regulatory requirements
Purpose Monitoring &Learning Commitment Capability Action Criteria of Control (COCO)Board of the CICA • A person performs a task guided by an understanding of its purpose (the objective to be achieved) and supported by capability (information, resources, supplies, and skills). The person will need a sense of commitment to perform the task well over time. The person will monitor his or her performance and the external environment to learn about how to do the task better and about changes to be made. The same is true of any team or work group
Elements of Internal Control • Elements of internal control include: • Control environment • General computer control systems and procedures • Accounting System • Accounting System Control Procedures
Control Environment • the collective effect of various factors on establishing, enhancing or reducing the effectiveness of internal control policies and procedures • . Such factors include: • Management Philosophy and Operating Style; • The functioning of the board of directors and internal control, particularly the audit committee; • Organizational Structure; • Methods of Assigning Authority and Responsibility; • Management Monitoring Methods; Internal Audit; and Personnel Policies and Practices • Management reaction to external Influences • Systems Development Methodology
Control Environment • Reflects the overall attitude, awareness, commitment and actions of management concerning the importance of internal control and its emphasis in the entity. • Strengths and weaknesses in control environment factors are likely to have a pervasive effect on the financial statements. • An effective control environment interacts with control systems. It may reduce the impact that the absence of certain control systems might otherwise have. It also strengthens the impact of controls in place. • An ineffective control system may impair the effectiveness of control systems.
General computer control systems • Establish controls over info system processing activities • Affect multiple classes of transactions
The Accounting System = the policies and procedures involving the • Collection • Transcribing • Processing • And reporting of data
Accounting System Control Procedures = policies and procedures that enhance the reliability of accounting data • Occurrence • Completeness • Accuracy (valuation), Posting • Classification • Timing -often involves “checks”, “reconciles”, “compares”, “verifies”, “ensures”…..
Segregation of duties • Ensures that no-one is in a position to commit or profit from an error/fraud and cover it up. • To work, these duties MUST be separate: • Authorization of transaction • Custody of assets (including cheques, cash, inventory etc.) • Recording of transaction • Periodic reconciliation
Other Controls • Proper Authorization (general or specific) • Adequate documents • Prenumbered or sequentially numbered + follow-up of missing items • Prepared on a timely basis • Sufficiently simple, easy to fill out
Other Controls • Safeguards over access to and use of assets • Safeguards over access to and use of records • Physical and logical • Independent verification of performance and accuracy of recorded amounts • Inventory counts, bank recs. • Input or output checks (eg. Check digits, reasonableness limits) • Comparison of documents, quantities, prices
Acquiring Understanding of IC • At minimum, auditor must acquire understanding of: • Control environment • General computer control systems and procedures • Accounting System
Purpose of Understanding IC • Assess auditability (depends on mgmt integrity, adequacy of record and general controls) • Familiarity with client to facilitate audit: • Major classes of transactions • How they’re initiated • What records and documents exist • How transactions are processed and reported Therefore, helps auditor design tests and identify potential misstatements • Assess Preliminary Control Risk
Further Investigation of IC • If auditor believes reliance on IC (ie. CR<100%) may be possible AND efficient, investigate further the control procedures in place • Make preliminary assessment of Control Risk
Preliminary Assessment of CR • Identify transaction audit objective (existence/occurrence, completeness etc.) • Identify specific controls • remember effects of control environment and general computer controls • Identify and evaluate weaknesses • Determine potential misstatements that could occur and effect on audit • Consider compensating controls
How to investigate IC Update and evaluate previous working papers Inquiries of Client Personnel Read client policy and systems manuals Examine documents and records: perform transaction walk-through Observe activities and operations
Documenting the Understanding of the Internal Control A number of tools are available to the auditor for documenting the understanding of the internal control including: • Copies of the entity's procedures manuals and organizational charts • Narrative descriptions • Internal control questionnaires • Flowcharts
Further Investigation of IC • If preliminary CR<100%, perform tests of controls on KEY CONTROLS to ensure: • Control was operating as described, with sufficient effectiveness, throughout period of reliance • Tests may include: • Inquiry of personnel (requires corroboration) • Examine documents, records, reports • Observe activities (eg. Segregation of duties, test data) • Reperform procedures if possible • If control is computerized, test and ensure controls exist over changes to program
Direction of the Test of Controls Audit Procedures File of recorded sales(sales journal) File of shipping documents Vouch to shipping documents Sampleselection Evidence Validitydirection Sampleselection Evidence Trace to recorded sales Completeness Direction
Further Investigation of IC • Revise preliminary control risk with results of tests of controls • Calculate detection risk and design substantive procedures • Combined approach = reliance on both IC and substantive procedures • Substantive approach = no reliance on IC as either unjustified or inefficient
Communications with the Client • Systems improvements are communicated to the client by the management letter, which is written at the end of field work • Section 5220 requires communication of all significant internal control weaknesses • Section 5750 “Communication of Matters Identified During the Financial Statement Audit” eg. Fraud or illegal acts • 5220 and 5750 don’t have to be in writing
Communicating Internal Control Weaknesses Reportable conditions • Absence of appropriate segregation of duties • Absence of appropriate reviews and approvals of transactions • Evidence of failure of control procedures • Evidence of intentional management override • Evidence of willful wrong doingby employees or management, including manipulation, falsification or alteration of accounting records
Material Weaknesses A material weakness in internal control is defined as a reportable condition in which the design or operation of one or more of the specific internal control elements does not reduce to a relatively low level the risk that errors or irregularities in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions (AU 325.15).
Limitations of Internal Control • Human failures such as simple errors or mistakes • Management override • Collusion • Cost/benefit • Unusual transactions Because of these limitations, as long as the item is material, it is generally necessary to do at least some substantive testing.