9 - 1 ©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley Internal Control and Control Risk Chapter 9.

9 - 1©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley

Internal Controland Control Risk

Chapter 9


Learning Objective 1

Contrast management’s need for

internal control with the auditor’s

need to consider internal control

when designing an audit.


InherentLimitations

ReasonableAssurance

Management’sResponsibility

Key Concepts


Client’s Concerns

Compliance with applicable laws and regulations

Reliability of financial reporting

Efficiency and effectiveness of operations


Auditor Concerns

Controls over classes of transactions

Controls related to reliability of financial reporting


Sales Transaction-RelatedAudit Objectives

Objective – General Form Related Audit Objectives

Recorded transactionsexist (existence).

Sales are for shipmentsto existing customers.

Existing transactions arerecorded (completeness).

Existing sales transactionsare recorded.

Transactions are statedcorrectly (accuracy).

Sales for goods shippedare correctly billed.


Sales Transaction-RelatedAudit Objectives

Objective – General Form Related Audit Objectives

Transactions are properlyclassified (classification).

Sales transactions areproperly classified.

Transactions are recordedon correct dates (timing).

Sales are recorded on thecorrect dates.

Transactions are properlyfiled (posting andsummarization).

Sales transactions areproperly included in the

master files.


How Frauds HaveBeen Discovered

Notification by employee

Internal controls

Internal auditor

Customer notification

Accidental discovery

Management investigation

58%

51%

43%

41%

37%

35%


How Frauds HaveBeen Discovered

Anonymous reporting

Hot line notification

Employee investigation

Government notification

External auditor

Other sources

35%

25%

21%

16%

4%

20%



Describe how information

technology affects

internal control.


Effect of InformationTechnology on Internal Control

Information Technology

IT can improvethe effectivenessand efficiency ofinternal controls.

IT also enhancesthe timelinessand accuracy

of information.


Risks Associated With the Useof Information Technology

Programmed errors

Processing incorrect data

Unauthorized access



Explain the five components

of internal control.


Control Environment

Five Componentsof Internal Control

RiskAssessment

ControlActivities

Information andCommunication

Monitoring


The Control Environment

Integrity and ethical values

Commitment to competence

Board of directors or auditcommittee participation

Management’s philosophyand operating style


The Control Environment

Organizational structure

Assignment of authorityand responsibility

Human resourcespolicies and practices


Risk Assessment

Identify factors affecting risk.

Assess significance of risksand likelihood of occurrence.

Determine actions necessaryto manage risk.


Control Activities

1. Adequate separation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance


Adequate Separationof Duties

Custody of assets Accounting

Authorizationof transactions

The custody ofrelated assets

Operationalresponsibility

Record-keepingresponsibility

IT Duties User departments


Proper Authorization of Transactions and Activities

General authorization

Specific authorization


Adequate Documentsand Records

Prenumbered consecutively

Prepared at the time of transaction

Designed for multiple uses

Constructed to encourage correct preparation

Simple enough to ensure understanding


Physical Control overAssets and Records

Physical precautions

Controls related to IT equipment,programs, and data files

Physicalcontrols

Accesscontrols

Backup andrecovery

procedures


Independent Checkson Performance

The need for independent checksarise because internal control tendsto change over time unless there isa mechanism for frequent review.


Information and Communication

The purpose of an accounting informationand communication system is to…

initiate, record, process, and report thetransactions and to maintain accountability

for the related assets.


Monitoring

Management’s ongoing and periodic assessmentof the quality of internal control performance …

to determine whether controls are operatingas intended and modified when needed.



Explain methods used to

obtain an understanding

of internal control.


Understanding Internal Controland Assessing Control Risk

Obtain Understanding of Internal Control:Design and Operation

Assess Control Risk Test Controls

Decide Planned Detection Riskand Substantive Tests


Reasons for Sufficiently Understanding Internal Control

SAS 55 (as amended by SAS 78 and 594plus AU319) requires the auditor toobtain an understanding of internal

control for every audit.

Minimum auditplanning matters

• Auditability• Potential material

misstatements• Detection risk• Design of test


Procedures to DetermineDesign and Placement

Update and evaluate auditor’s previousexperience with the entity.

Make inquires of client personnel.

Read client’s policy and systems manuals.

Examine documents and records.

Observe entity activities and operations.


Documentation ofthe Understanding

NarrativeNarrative

FlowchartFlowchartInternalcontrol

questionnaire

Internalcontrol

questionnaire



Assess control risk by linking

strengths and weaknesses of

internal control to transaction-

related audit objectives.


Assess Control Risk

Obtain sufficient understanding for planning.

Assess whether the entity is auditable.

Determine assessed control risk.

Assess if a lower control risk could be supported.

Determine the appropriate assessed control risk.


Assess Control Risk

Identify transaction-related audit objectives.

Identify specific controls.

Identify and evaluate weaknesses.


Identify and Evaluate Weaknesses

Identify existing controls.

Identify the absence of key controls.

Determine misstatements that could result.

Consider compensating controls.


The Control Risk Matrix

Auditors use the control risk matrix toidentify both controls and weaknesses

and to asses control risk.


Communication

Reportable conditions letter

Management letters

Audit committee communications



Describe the process of designing

and performing tests of controls.


Tests of Controls

The procedures to test effectivenessof controls in support of a reduced

assessed control risk are calledtests of controls.


Procedures forTests of Controls

Make inquiries of client personnel.

Examine documents, records, and reports.

Observe control-related activities.

Reperform client procedures.


Extent of Procedures

Reliance on evidence from prior year’s audit

Testing less than the entire audit period


Relationship of Assessed ControlRisk and Extend of Procedures

Assessed Control Risk High Level: Lower Level: Obtaining an Tests of

Type of Procedure Understanding Only Controls

Inquiry Yes – extensive Yes – someDocumentation Yes – with transaction Yes – using

walk-through sampleObservation Yes – with transaction Yes – multiple

walk-through timesReperformance No Yes – sampling


Decide Planned Detection Riskand Design Substantive Tests

The auditor uses the results of the control riskassessment process and tests of controls todetermine the planned detection risk and

related substantive tests.

The auditor links the control risk assessmentsto the balance-related audit objectives.


End of Chapter 9