Chapter 6

6-1

McGraw-Hill/Irwin © 2003 The McGraw-Hill Companies, Inc., All Rights Reserved.

Chapter 6CHAPTER 6INTERNAL CONTROL IN A FINANCIAL STATEMENT AUDIT

6-2


INTERNAL CONTROL

Management’s perspective The auditor’s perspective

6-3


INTERNAL CONTROL

Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

6-4


THE EFFECT OF INFORMATION TECHNOLOGY ON

INTERNAL CONTROL The effect of an entity’s use of IT can affect any of the

components of internal control. The use of IT affects the way that transactions are

initiated, recorded, processed, and reported. See Table 6-1 for the potential benefits and risks to an

entity’s internal control from IT.

6-5


BENEFITS FROM IT Consistent application of predefined business rules and

performance of complex calculations in processing large volumes of transactions or data.

Enhancement of the timeliness, availability, and accuracy of information.

Facilitation of additional analysis of information. Enhancement of the ability to monitor the performance

of the entity's activities and its policies and procedures. Reduction in the risk that controls will be circumvented. Enhancement of the ability to achieve effective

segregation of duties by implementing security controls in applications, databases, and operating systems.

6-6


RISKS OF IT

Reliance on systems or programs that are inaccurately process data, process inaccurate data, or both.

Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.

Unauthorized changes to data in master files. Unauthorized changes to systems or programs. Failure to make necessary changes to systems or programs. Inappropriate manual intervention. Potential loss of data.

6-7


PLANNING AN AUDIT STRATEGY

Figure 6-2 presents a flowchart of the auditor's decision process when considering internal control in planning an audit.

The auditor can choose from two audit strategies:no-reliance or substantive strategyreliance strategy

6-8


A SUBSTANTIVE STRATEGY

An auditor uses a substantive strategy because of one or all of the following factors:

6-9


A RELIANCE STRATEGY

An auditor’s decision to follow a reliance strategy involves:

6-10


OBTAIN AN UNDERSTANDING OFINTERNAL CONTROL

The auditor’s knowledge from understanding internal control is used to: Identify the types of potential misstatements. Consider factors that affect the risk of material

misstatement. Design of tests of controls Design substantive tests.

6-11


In deciding on the nature and extent of the understanding of the internal control, the auditor should consider the following items: Knowledge obtained from other sources about the

types of misstatements that could occur. Information from previous audits. Understanding of the entity's industry and markets. The assessment of inherent risk. Judgments about materiality. The complexity and sophistication of the entity's

operations and systems, including IT.

OBTAIN AN UNDERSTANDING OF INTERNAL CONTROL

6-12


OBTAIN AN UNDERSTANDING OF INTERNAL CONTROL

To properly understand an entity’s internal control, the auditor must understand the five components of internal control:

6-13


THE CONTROL ENVIRONMENT

The control environment sets the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure

6-14


FACTORS AFFECTING THE CONTROL ENVIRONMENT

Integrity and ethical values. A commitment to competence. Participation of the board of directors or audit

committee. Management’s philosophy and operating style. Organizational structure. Assignment of authority and responsibility. Human resource policies and procedures.

6-15


RISK ASSESSMENT

Risk assessment is the entity's identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with GAAP.

6-16


SPECIFIC RISKS

Client business risks can arise or change due to:

6-17


CONTROL ACTIVITIES

Control activities are the policies and procedures that help ensure that necessary actions are taken to address the risks involved in achieving the entity's objectives

6-18


CONTROL ACTIVITIES

Control activities that are relevant to the audit include: Performance reviews Information processing Physical control Segregation of duties

6-19


INFORMATION ANDCOMMUNICATION SYSTEMS

Information and communication support the identification, capture, and exchange of information in form and time frame that enable people to carry out their responsibilities.

6-20


An information system consists of infrastructure, software, people, procedures, and data.

The information system relevant to the financial reporting objectives, which includes the accounting system, consists of procedures, whether automated or manual, and records established to initiate, record, process, and report entity transactions and to maintain accountability for the related assets and liabilities.

INFORMATION SYSTEM

6-21


INFORMATION SYSTEM

An effective accounting system encompasses methods and records that will: Identify and records all valid transactions. Describe on a timely basis the transactions in

sufficient detail to permit proper classification of transactions for financial reporting.

Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.

6-22


INFORMATION SYSTEM

Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.

Present properly the transactions and related disclosures in the financial statements.

6-23


COMMUNICATION

Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.

6-24


MONITORING

Monitoring is a process that assesses the quality of the internal control over time. It involves appropriate personnel assessing the design and operation of controls on a timely basis and taking necessary actions.

6-25


THE EFFECT OF ENTITY SIZE ON INTERNAL CONTROL

The size of the entity may affect how the various components of internal control are implemented.

Many small entities have good controls because of significant involvement in day-to-day activities by the owner-manager.

6-26


LIMITATIONS OF INTERNAL CONTROL

6-27


PROCEDURES TO OBTAIN AN UNDERSTANDING

The auditor uses the following audit procedures to obtain an understanding of internal control: Inquiry of appropriate management, supervisory,

and staff personnel. Inspection of entity documents and reports. Observation of the entity's activities and

operations.

6-28


DOCUMENTING THE UNDERSTANDING OF THE INTERNAL CONTROL

A number of tools are available to the auditor for documenting the understanding of the internal control including: Copies of the entity's procedures manuals and

organizational charts. Narrative descriptions (see Exhibit 6-6). Internal control questionnaires (see Exhibits 6-1). Flowcharts (see Figure 6-4).

6-29


ASSESSING CONTROL RISK

Assessing control risk below the maximum involves three steps:Identifying specific controls that will be relied

upon.Performing tests of controls.Concluding on the assessed level of control risk.

6-30


PERFORMING TESTS OF CONTROLS

Audit procedures directed towards evaluating the effectiveness of either the design or operation of an internal control are referred to as tests of controls and include:

6-31


DOCUMENTING THE ASSESSED LEVEL OF CONTROL RISK

Auditing standards state that the auditor should document the basis for his or her conclusions about the assessed level of control risk. The auditor should also document the assessed level of control risk so that the audit risk model can be used.

6-32


PERFORMING SUBSTANTIVE TESTS

The last step in the decision process is to perform the substantive tests. The level of detection risk for these tests is based on the planned level of audit risk and the assessed levels of inherent and control risk.

6-33


TIMING OF AUDIT PROCEDURES

Auditing procedures can be conducted at: an interim date, or at year end

See Figure 6-5

6-34


INTERIM TESTS OF CONTROLS

The auditor should consider the following factors in determining the nature and extent of audit work for the remaining period for tests of controls: the significance of the internal control objective the evaluation of the design and operation of the

control the planned substantive tests.

6-35


INTERIM SUBSTANTIVE TESTS

The auditor should consider the following factors when substantive tests are completed at an interim date:

6-36


COMMUNICATION OF INTERNAL CONTROL-RELATED MATTERS

Auditing standards (AU 325) requires that the auditor report to the audit committee, or to a similar level of authority when the entity does not have an audit committee, matters which are referred to as reportable conditions.

6-37


REPORTABLE CONDITIONS

Reportable conditions are significant deficiencies in the design or operation of the internal control which could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with management's assertions (see Table 6-7).

6-38


REPORTING ON REPORTABLE CONDITIONS

The following items should be included in the report: A indication that the purpose of the audit was to

report on the financial statements and not to provide assurance on the internal control.

The definition of reportable conditions. A statement of restrictions on the distribution on

the report See Exhibit 6-7.

6-39


MATERIAL WEAKNESSES

A material weakness in internal control is defined as a reportable condition in which the design or operation of one or more of the specific internal control elements does not reduce to a relatively low level the risk that errors or irregularities in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions (AU 325.15).

Chapter 6

Documents

entitys internal control

ln outlineobtain

ln outlinebenefits

ln outlineplanning

components of internal

process inaccurate data

destruction of data

ln outlinerisks of itreliance