Internal Control

deliz
Presentation Transcript


  1. Internal Control

  2. Implementation
     • Use substantive strategy and set control risk (CR) at the maximum …due to:
       • The controls do not pertain to an assertion.
       • The controls are assessed as ineffective.
       • Evaluating the effectiveness of controls is inefficient.
     • Using a reliance strategy and assessing CR at less than the maximum involves:
       • Identifying specific internal controls relevant to specific assertions that are likely to prevent or detect material misstatements.
       • Testing controls to evaluate their effectiveness.

  3. Internal Control Objectives and Basic Control Procedures

  4. Understanding Internal Control
     • Important to understand each of the five components of internal control
       • to plan the nature, timing and extent of further audit procedures.
       • knowledge about the design of relevant internal controls and whether they have been placed in operation by the entity.
     • This knowledge is used to
       • Identify the types of potential misstatements.
       • Determine CR, which in turn affects detection risk.
       • Assist in the design of further procedures and substantive procedures.

  5. Understanding Internal Control
     • Understanding of the following items is important:
       • Judgements about materiality.
       • Knowledge from previous audits.
       • Understanding of the entity's industry.
       • Size of the entity & ownership characteristics.
       • The complexity and sophistication of the entity's operations and systems.

  6. Understanding Client’s Internal Control
     • Greater understanding of the following is normally required if a reliance strategy is followed:
       • Understanding the Control Environment
       • Understanding Risk Assessment
       • Understanding Control Procedures
       • Understanding the Information System and Communications
       • Understanding Monitoring

  7. Understanding the Control Environment
     • Learn => management's and the board of directors' attitude, awareness, and actions concerning the control environment, considering both the substance of controls and their collective effect.
     • The auditor should concentrate on the substance of controls rather than on their form because controls may be established but not acted on.
     • For example, management may establish formal conflict-of-interest policies but seldom follow up on whether employees are really complying with these policies.

  8. Understanding Risk Assessment
     • The auditor should obtain sufficient information about the entity's risk assessment process to understand how management considers risks relevant to financial reporting objectives and decides what to do to address those risks.
     • For example, suppose a client operates in the oil industry, where there is always some risk of environmental damage. The auditor should obtain sufficient knowledge about how the client manages such environmental risk, because environmental accidents can result in costly fines and other penalties against the entity.
     • In this regard, the auditor's emphasis in understanding the entity's risk assessment process is on those business risks that may result in material misstatement of the financial statements.

  9. Understanding Control Procedures
     • The auditor is required to obtain an understanding of those control procedures relevant to the audit.
     • For example, in examining the information system that pertains to accounts receivable, the auditor is likely to see how the entity grants credit to customers.
     • The extent of the auditor's understanding of control procedures is influenced by the audit strategy adopted.
     • When the auditor decides to follow a substantive strategy approach, little or no work is done on understanding control procedures. When a reliance strategy is followed, the auditor has to understand the control procedures that relate to audit objectives for which a lower level of control risk is expected.

  10. Understanding the Information System and Communications
     • The auditor should obtain sufficient knowledge of the information system relevant to financial reporting to understand the following:
       • The classes of transactions in the entity's operations that are significant to the financial statements.
       • How those transactions are initiated.
     • A well-designed accounting and information system that is operating effectively can reduce the risk of material misstatement.
     • The auditor must learn about each accounting cycle that affects significant account balances in the financial statements. This includes understanding how transactions are initiated, how documents and records are generated, and how the documents and records flow to the general ledger and financial statements. Understanding the information system also requires knowing how the computer is used to process data.
     • Finally, understanding the information system requires knowledge about how the client prepares accounting estimates and gathers information for significant disclosures.

  11. Understanding Monitoring
     • The auditor should know how the entity monitors the performance of internal control over financial reporting, including how corrective action is initiated.
     • For example, if the client has an internal audit function, the external auditor should understand how management uses the internal auditors to monitor internal control.

  12. Procedures to Obtain an Understanding
     • In addition to previous experience with a client, an auditor may use the following audit procedures to learn about internal control:
       • Inquiry of appropriate management, supervisory, and staff personnel.
       • Inspection of entity documents and reports.
       • Observation of entity activities and operations.

  13. Documenting the Understanding of Internal Control
     • The auditor should document the understanding regarding each of the components of internal control, including the sources of information from which the understanding was obtained and the procedures to obtain the understanding.
     • A number of tools are available to the auditor for documenting the understanding of internal control. These include
       • Copies of the entity's procedures manuals and organisational charts.
       • Narrative description.
       • Internal control questionnaires.
       • Flowcharts.

  14. Documenting the Understanding of Internal Control
     Procedures Manuals and Organisational Charts
     • Procedures manuals that document the company's policies and procedures.
     • The entity's organisational chart presents the designated lines of authority and responsibility.
     • Copies of both of these documents can help the auditor document his or her understanding of the internal control.
     Narrative Description
     • The understanding of internal control may be documented in a memorandum.
     • This documentation approach is most appropriate when the entity has a simple internal control system because a narrative description will be difficult to follow and analyse for a more complex entity.

  15. Documenting the Understanding of Internal Control
     Internal Control Questionnaires
     • Internal control questionnaires (ICQ) are one of many types of questionnaires used by auditors.
     • The questionnaires, which consist of a series of questions relating to internal control, serve as "memory joggers" in that they provide a systematic means for the auditor to understand and document information on internal control.
     • ICQ is more suitable for entities with more complex internal control.
     Flowcharts
     • Flowcharts provide a diagrammatic representation, or "picture," of the entity's information system.
     • The flowchart outlines the configuration of the system in terms of functions, documents, processes, and reports.

  16. Tests of Controls
     • Audit procedures directed at testing the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level are referred to as tests of controls.
     • ToC = obtains audit evidence that controls operate effectively.
     • Substantive strategy = CR highest - tests of controls are normally not performed.
     • Reliance strategy = tests of controls are performed - evidence to support the lower level of control risk.
     • A number of audit procedures are used as tests of controls, including
       • Inquiry of appropriate client personnel.
       • Inspection of documents, reports, and electronic media.
       • Observation of the application of the policies and procedures.
       • Reperformance of the application of the policy or procedure by the auditor.
     • E.g., some controls, such as segregation of duties, can be tested only via inquiry or observation. For other controls, documentary evidence may exist, and the auditor can inspect source documents.

  17. Assessing and Documenting the Level of Control Risk
     • Assessing control risk involves evaluating the effectiveness of an entity's internal controls in preventing or detecting material misstatements in the financial statements.
     • If - substantive strategy, CR - highest level.
     • If - reliance strategy, the results of the tests of controls must be evaluated. The conclusion that results from this step is referred to as the assessed level of control risk.
     • If the tests of controls are consistent with the auditor's planned assessment of control risk, no revision in the nature, extent, or timing of substantive procedures is necessary. On the other hand, if the tests of controls indicate that the controls are not operating as preliminarily assessed, the level of control risk will have to be increased, and the nature, extent, and timing of planned substantive testing will have to be modified.
     • The auditor should document the understanding - internal control components and the results of the risk assessment.

  18. Substantive Procedures
     • SP relate directly to detection risk. DR - risk that substantive procedures will not detect a material misstatement.
     • The higher the assessment of inherent and control risk, the lower the detection risk and the more audit evidence the auditor should obtain from the performance of substantive procedures.
     • Regardless of the level of inherent and control risk, some substantive procedures must be performed for material financial statement items.

  19. Substantive Procedures
     • Assume that audit risk is set low for both clients but that client 1 has a high level of inherent risk and control risk while client 2 has a low level of inherent risk and control risk.
     • Client 1 = DR Low; Client 2 = DR High.
     • For client 1, the low detection risk requires that
       • (1) more reliable types of evidence, such as confirmation and reperformance, be obtained,
       • (2) most of the audit work be conducted at year-end, and
       • (3) the tests be extensive.
     • Client 2 has a high detection risk, which means that
       • (1) less reliable types of evidence, such as analytical procedures, can be obtained,
       • (2) most of the audit work can be conducted at an interim date, and
       • (3) tests of the inventory account can be limited.
