7/29/2019 Summary Chapter10

http://slidepdf.com/reader/full/summary-chapter10 1/3

Summary: Chapter 10 – Auditor of internal control & control risk 

October 5, 2009

IC objectives

3 broad objectives : Reliability of financial reporting, efficiency and effectiveness of operations,

compliance with laws and regulations.

Management and auditor responsibilities for internal control

 Management – establish and maintain the entity’s internal control that

1. provide reasonable, but not absolute, assurance that FS are fairly stated

2. inherent limitation – IC can never be completely effective. Its effectiveness depends on

the competency and dependability of people using it.

Section 404 – mgt of all public co .to issue an internal control report stated that

- mgt is responsible for establishing and maintaining and adequate IC structure and

 procedures for financing report

- an assessment of effectiveness and efficiency of IC (dealing with the design of IC and

operating effectiveness of control)

Also prepare FS in accordance with GAAP, identify framework used to evaluate the

effectiveness and efficiency, which is called COSO.

 Auditor  – understand IC (business and environment) to assess risk of materially misstatement.

The auditor concerns about

1. Control over the reliability of financial reporting

2. Control over classes of transactions.

COSO Component of internal control5 components of IC that mgt designs and implements to provide reasonable assurance.

1. Control environment : actions, policies, and procedures that reflect overall attitudes of top

mgt, directors, owners. Auditor should consider 

- Integrity and ethical values

- Commitment to competence

- BOD or audit committee participation

- Mgt. philosophy and operating style

- Organization structure

- HR policies and practices

2. Risk assessment

3. Control activities :

- Adequate separation of duties

- Proper authorization of transactions and activities

- Adequate doc. and records

- Physical control over assets and records

- Independence checks on performance

1 of 3

7/29/2019 Summary Chapter10

http://slidepdf.com/reader/full/summary-chapter10 2/3

4. Information and communication

5. Monitoring

Obtain and document understanding of internal control

Procedures to obtain an understanding : gathering evidence about design of IC and

whether they have been implemented.

3 types of documents to obtain and document the understanding :

1. narrative (describe: original of every doc. And record in the system, all processing

that takes place, deposition of every doc. , and record in the system, indication of the

controls relevant to the assessment of control risk)

2. Flowchart

3. IC questionnaire

How to evaluate IC implementation

1. Update & evaluate auditor’s previous experience w/ the entity

2. Make inquiries of client personnel3. Examine doc. and records

4. Observe entity activities and ops

5. Perform walkthroughs of the accounting system

Assess control risk  – design whether the entity is auditable.

2 factors determine auditability : integrity if mgt and adequacy of accounting records

1. Assess whether the FS are auditable

2. Determine assessed CR supported by the understanding obtained, assuming the controls

are being followed.

3. Use of a CR Matrix to assess CR :How to assess CR 

- Identify audit objectives

- Indentify existing controls

- Associate controls with related audit objectives

- Identify & evaluate control deficiencies, significant deficiencies, and material

weaknesses by identifying existing controls, identifying the absence of key controls,

consider the possibility of compensating controls, deciding whether there is a significant

deficiency or material weakness, determining potential misstatements that could result.

Test of controls

Procedures for test controls

1. Make enquiries of appropriate client personnel

2. Examine doc., records, and reports

3. Observe control-related activities

4. Reperform client procedures

Extent of procedures

2 of 3

7/29/2019 Summary Chapter10

http://slidepdf.com/reader/full/summary-chapter10 3/3

1. Reliance on evidence from prior year’s audit

2. Testing of control related to significant risks

3. Testing less than the entire audit period

Decide planned detection risk and design substantive tests

Section 404 reporting on internal control

Types of opinions

1. Unqualified when : no identified material weakness, no restrictions on the scope of the

auditor’s work 

2. Adverse when : material weakness exist.

3. Qualified or disclaimer when: auditor is unable to determine if there are material

weakness, due to restriction on the scope of the audit of IC.

Evaluating, reporting, and testing internal control for nonpublic companiesWhat difference from public co.

1. Reporting requirements – no requirement for nonpublic co.

2. Extent of required ICs – Mgt is responsible for establishing adequate IC in nonpublic co.

like mgt. in public co.

3. Extent of understanding needed – auditor only asses to see whether the statements are

auditable and to evaluate environment for mgt’s attitude toward IC.

4. Assessing CR – the assessment of CR at maximum for any or all control-related

objectives when IC for the objective or objectives are nonexistent or ineffective.

5. Extent of tests of controls needed – auditor will not perform tests of controls when the

auditor assesses CR at maximum because of inadequate controls. .

3 of 3