Chapter 6 Internal Control in a Financial Statement Audit.
-
Upload
abel-miles -
Category
Documents
-
view
233 -
download
1
Transcript of Chapter 6 Internal Control in a Financial Statement Audit.
Chapter 6Internal Control in a Financial Statement
Audit
Internal ControlManagement has the responsibility to maintain controls that provide reasonable assurance that adequate control exists over the entity’s assets and records.
The Internal Control System should:
-ensure that assets and records are safeguarded
-generate reliable information for decision making
The auditor needs assurance about the reliability of the data generated by the information system.
LO# 1
6-2
Internal Control
The auditor’s understanding of the internal control is a major factor in determining the overall audit strategy. The auditor has a responsibility to:
(1) obtain an understanding of internal control and
(2) assess control risk.
LO# 1
6-3
COSO Framework and Controls Relevant to the Audit
Reliability of Financial Reporting
(most important for
the audit)
Effectiveness and Efficiency of Operations
Compliance with Laws and Regulations
Objectives
LO #2, 3
6-4
COSO Components of Internal Control
LO# 5
6-5
Control EnvironmentLO# 5
6-6
The Entity’s Risk Assessment Process
The risk assessment process should consider external and internal events and circumstances that may arise and adversely affect the entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in
the financial statements.
Changes in the operating
environment
New personnel New or revamped information
systemsRapid growth
New technologyNew business
models, products, or activities
Corporate restructuring
International growth
New accounting pronouncements
Client business risk can arise or change due to the following circumstances:
LO# 5
6-7
Information System and Communication
An effective accounting system gives appropriate consideration to establishing methods and records that will
1. Identify and record all valid transactions.
2. Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
3. Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
4. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
5. Properly present the transactions and related disclosures in the financial statements.
LO# 5
6-8
Control Activities
Control activities are the policies and procedures that help ensure that management’s directives are carried out. Control activities are commonly categorized into the following types:
Performance reviews
Information processing
Physical controls
Segregation of duties
LO# 5
6-9
Monitoring of Controls
Monitoring of controls is a process that assesses the quality of internal control
performance over time.
Effective Monitoring
1. Establishing a foundation for control effectiveness
2. Designing and executing monitoring procedures based on business risks
3. Assessing and reporting results
LO# 5
6-10
Planning an Audit Strategy
Audit Risk Model
AR = IR × CR × DR
In applying the audit risk model, the auditor must assess control risk. The figure on the next slide presents a flowchart of the auditor’s decision process when considering internal control in planning an audit.
LO# 6
6-11
LO# 6
Planning an Audit StrategyFigure 6-3 Flowchart of the Auditor’s Consideration of Internal Control and Its Relation to
Substantive Procedures
6-12
Substantive Strategy
After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set
control risk at a relatively high for some or all assertions because of one or all of the following factors:
Controls do not pertain to an assertion.
Controls are assessed as ineffective.
Testing the effectiveness of controls is
inefficient.
LO# 6
6-13
Reliance Strategy
Obtain Understanding of Internal Control
Plan to Rely on IC and Assess Control Risk at a relatively
low level
LO# 6
6-14
AssertionsLO# 6
6-15
Obtain an Understanding of Internal Control
Identify types of potential
misstatement
Design tests of controls and substantive procedures
Pinpoint the factors that affect the risk of material
misstatement
The auditor should obtain an understanding of each of the five components of internal control in order to plan
the audit. This knowledge is used to:
LO# 7
6-16
Obtain an Understanding of Internal Control
1. Understand the control environment.
2. Understand the entity’s risk assessment process.
3. Understand the information system and communications.
4. Understand control activities.
5. Understand monitoring of controls.
LO# 7
6-17
Documenting the Understanding of Internal Control
Procedure Manuals and Organizational
ChartsFlowcharts
Internal Control Questionnaires
Narrative Description
LO# 8
6-18
The Effect of Entity Size on Internal Control
While the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small or
midsize entity than in a large entity.
LO# 8
6-19
The Limitations of an Entity’s Internal Control
Override of Internal Control by Management
Human Errors or Mistakes
Collusion
LO# 8
6-20
Assessing Control RiskIdentify specific
controls that will be relied
upon.
Perform tests of controls.
Conclude on the achieved level of control risk.*
LO# 9
6-21
*This means the control risk after testing is
completed. Generally, after testing, the CR will either be unchanged or it will be revised higher.
Performing Tests of Controls
Inquiry of appropriate personnel
Inspection of documents indicating the
performance of the control
Observation of the application of the
control
Reperformance of the application of the
control by the auditor
LO# 10
6-22
Documenting the Achieved Level of Control Risk
The auditor’s assessment of control risk and the basis for the achieved level can be documented
using a structured working paper, an internal control questionnaire, or a memorandum.
Let’s look at an example from EarthWear Clothiers to see how the control risk for two
accounts that differ in terms of their nature, size, and
complexity is documented.
LO# 10
6-23
An Example of Assessing Control Risks and Its Effects
LO# 10
6-24
Performing Substantive Procedures
LO# 11
6-25
Timing of Audit Procedures
Interim
Year End
Let’s look at the EarthWear Clothiers example again to see the timing of their audit
procedures.
LO# 12
6-26
Timing of Audit ProceduresA Timeline for Planning and Performing the Audit of EarthWear Clothiers
LO# 12
6-27
Interim Audit Procedures
Interim Tests of Controls
1. Assertion being tested not significant2. Control has been effective in prior audits3. Efficient use of staff time
Interim Substantive Procedures
1. Assertion probably has low control risk2. May increase the risk of material
misstatements 3. Still requires some year-end testing
LO# 12
6-28
Auditing Accounting Applications Processed by Service Organizations
In some instances, a client may have some or all of its accounting transactions processed by an outside service
organization.
Because the client’s transactions are subjected to
the controls of the service organization, one of the auditor’s concerns is the internal control system in
place at the service organization.
It is not uncommon for service organizations to have an auditor
issue one of two types of reports on their operations.
LO# 13
6-29
Type 1 ReportDescribes the service organization’s controls and assesses whether they
are suitably designed to achieve specified internal control objectives.
Type 2 ReportGoes further by testing whether the
controls provide reasonable assurance that the related control objectives were
achieved during the period.
An auditor may reduce control risk below the maximum only on the
basis of a service auditor’s Type 2 report.
LO# 13
Auditing Accounting Applications Processed by Service Organizations
6-30
Auditors must communicate to the audit committee or BOD internal control problems
Significant Deficiency
Material Weakness
A Significant deficiency is a deficiency, or a combination of deficiencies, in internal control
that is less severe than a material weakness, yet important enough to merit attention by those
charged with governance.
A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a
material misstatement of the financial statements will not be prevented, or detected
and corrected, on a timely basis.
LO# 14
6-31
Examples of internal control problems
LO# 14
6-32
End of Chapter 6