Chapter 6 Outline 9th Edition

7/23/2019 Chapter 6 Outline 9th Edition

http://slidepdf.com/reader/full/chapter-6-outline-9th-edition 1/24

Chapter 6 Internal Control in a Financial Statement Audit


LO 1 Introduction

A. The Importance of Internal Control to Management

Management has the responsibility to design and maintain a system of internal

control that provides reasonable assurance that assets and records are properly

safeguarded, and that the entity's information system generates information

that is reliable for decision making

• Management is responsible for providing and maintaining adequate controls

over the entity’s assets and records.

• trong internal controls ensure that assets and records are properly

safeguarded.

• Management needs a control system that generates reliable information to

make informed decisions about issues such as pricing, cost, and profit.

B. The Importance of Internal Control to Auditors

• !uditors need assurance about the reliability of the data generated by the

information systems.

•The auditor uses risk assessment procedures to"

#btain an understanding of the entity’s internal control then,

Identify key controls and types of potential misstatements then,

!scertain $Identify% factors that affect the &#MM and

esign tests of controls and substantive procedures

• There is an inverse relationship bet(een the reliability of internal control and

the amount of substantive evidence required of the auditor.

• The auditor’s understanding of the internal control is a ma)or factor in

determining the overall audit strategy. !uditors’ responsibilities for internal

control include"

$*% obtaining an understanding of internal control

1




$+% assessing control risk.

LO 2 Definition of Internal Control

A. !ccording to C##’s Internal Control-Integrated Framework internal control

is designed and carried out by an entity’s board of directors, management, and

other personnel to provide reasonable assurance about the achievement of theentity’s ob!ecti"es in the follo(ing cate#ories"

* &eliability, timeliness, and transparency of internal and eternal, financial

and nonfinancial reporting-

+ ffectiveness and efficiency of operations, including safeguard of assets-

/ Compliance (ith applicable la(s and regulations

0. !n effective system of internal control allo(s management to focus on

operations and financial performance goals (hile maintaining compliance (ith

relevant la(s and minimi1ing surprises

LO $ Control %ele"ant to the Audit

Irrelevant Controls

• Controls related to management’s planning

• Controls related to management’s operating decision

Relevant Controls

The controls that are of most direct relevance to financial statement audit are

those that contribute to the reliability, timeliness and transparency of eternal

financial reporting. These controls help to prevent or detect and correct materialmisstatements in the financial statements.

• Controls relating to operations and compliance ob)ectives may be relevant (hen

they have an impact on the data the auditor uses to apply auditing procedures.

LO & 'he (ffect of Information 'echnolo#y on Internal Control

• IT technology affects the (ay transactions are initiated, authori1ed, recorded,

processed and reported.

• IT technology includes a combination of manual and automated controls2 It varies(ith the nature and compleity of IT system.

• &isks depend on the nature and characteristics of the entity's information system.

• ! lack of control for one data entry point causes rippling effects for others.

• egregation of duties can be managed through security controls for users. ! user

should only have access to data entry and modification of duties in (hich they

perform.

2




)enefits of I' system (It cannot make judgments)

• Consistent application of predefined business rules

• nhancement of timeliness, availability, and accuracy

• Improve analysis reports of information

• !bility to monitor entity performance

• &eduction in risks and circumventing controls

• nhancement of segregation of duty and security controls

%is*s of I' system

• &eliance on the system

• 3nauthori1ed access that may cause harm to an entity

• 3nauthori1ed changes in master files

• 3nauthori1ed changes to systems

• 4ailure to make system chances

• Inappropriate manual intervention

• 5otential loss of data

LO + 'he COSO Frame,or* -C%I(/

Components of Internal Control

a. Internal control as defined by the C## frame(ork consists of 6 components"

*. The Control environment 7sets the tone of an organi1ation, influencing the

control consciousness of its people. It is the foundation for all othercomponents of internal control, providing discipline and structure

+. The entity’s % isk assessment process

$. The Information system and related business processes relevant tofinancial reporting and communication

&. onitoring of controls

+. (isting control activities

A. Control (n"ironment -Includes the 0'one of an or#aniation/

a. The importance of controls to an entity is reflected in the overall attitude(control consciousness), a(areness of and actions of the 0#, management

and o(ners regarding control. It is the foundation for all other components providing discipline and structure.

b. 3rinciples that affect the control environment"

1. 3rinciple 14 'he or#aniation demonstrates a commitment to inte#rity

and ethical "alues2the effectiveness of an entity’s internal controls is

3




influenced by the integrity and ethical values of the individuals

$management% (ho create, administer, and monitor the controls

2. 3rinciple 24 'he )oD demonstrates independence from mana#ement

and e5ercises o"ersi#ht of the de"elopment and performance of

internal control2 The board and audit committee must take their fiduciaryresponsibilities seriously and actively oversee the entity's accounting and

reporting policies and procedures. 4actors can impact the effectiveness of

the board or audit committee include the follo(ing"2perience and stature of members and independence from

management

2tent of involvement (ith and scrutiny of the entity's activities

2Information availability and (illingness8 ability to act on information

2tent to (hich difficult questions are raised and pursued (ith

management29ature and etent of interactions (ith internal and eternal

auditors

$. 3rinciple $4 ana#ement establishes ,ith the board o"ersi#ht

structures reportin# lines and appropriate authorities and

responsibilities in the pursuit of ob!ecti"es 2 !n entity's organi1ationalstructure defines ho( authority and responsibility are delegated and

monitored. The appropriateness of an entity's organi1ational structure

depends on"

• si1e of activities

•nature of activities

• eternal influences $eg. regulation%

:. 3rinciple &4 'he or#aniation demonstrates a commitment to attract

de"elop and retain competent indi"iduals in ali#nment ,ith

ob!ecti"es2 The quality of internal control directly relates to the personnel

operating the system. The entity should have personnel policies for" hiring,

orienting, training, evaluating, counseling, promoting, compensating, planning succession, and taking remedial action. Management should

specify competence level for a particular )ob and translate it into the )ob

description.

+. 3rinciple +4 'he or#aniation holds indi"iduals accountable for their

internal control responsibilities in the pursuit of ob!ecti"es.

4




• Management and the board are responsible for establishing

mechanisms to communicate and hold individuals accountable for

performance of internal control responsibilities across theorgani1ation and for implementing corrective action as necessary.

•

Management and the board establish incentives and re(ards forreflecting standards of conduct. Incentives should align (ith short2term and long2term ob)ectives

). 'he entitys ris* assessment process

a. !n entity’s risk assessment process is its process for identifying and

responding to business risks. This process includes ho( managementidentifies risks relevant to the preparation of financial statements. 4or each

identified risk, management must"

• stimate their significance

• !ssesses the likelihood of their occurrence and

• ecides on ho( to manage them.

b. The risk assessment process should consider eternal and internal events and

circumstances that may arise and adversely affect the entity’s ability toinitiate, authorie, record, !rocess and re!ort "inancial data consistent with

the assertions o" management in the F#$.

c. #nce risks have been identified, management should consider theirsignificance, the likelihood of their occurrence and ho( they should be

managed.

;. 3rinciple 64 'he or#aniation specifies ob!ecti"es ,ith sufficient clarity to

enable the identification and assessment of ris*s relatin# to ob!ecti"es.

2Internal control ob)ectives are organi1ed into three categories in the C##4rame(ork" operations, compliance, and reporting.

2In the area of eternal reporting, management must ensure"

2specified ob)ectives including reporting consistent (ith <!!5 (hen

appropriate2in light of materiality considerations

2include faithful reflection of underlying transactions and events,

including important qualitative characteristics $relevance and faithful

representation%.

5




7. 3rinciple 74 'he or#aniation identifies ris*s to the achie"ement of its ob!ecti"es

across the entity and analyes ris*s as a basis for determinin# ho, the ris*s should

be mana#ed.

2!n entity's risk assessment process should consider the possibility of events that

threaten the achievement of ob)ectives.2The entity needs to establish its tolerance for accepting risks and its ability to

operate (ithin those risk levels

8. 3rinciple 84 'he or#aniation considers the potential for fraud in assessin# ris*s

to the achie"ement of ob!ecti"es.

2!ssessment of fraud risk includes incentives and !ressure, o!!ortunity, andrationaliation

9. 3rinciple 94 'he or#aniation identifies and assesses chan#es that could

si#nificantly impact the system of internal control.

C. (5istin# Control Acti"ities $approvals, authori1ations, verifications, reconciliations, etc%

a. Control activities are the policies and procedures that help ensure that

management’s directives are carried out and are implemented to address risksidentified in the risk assessment process.

1:. 3rinciple 94 'he or#aniation selects and de"elops control acti"ities that

contribute to the miti#ation of ris*s to the achie"ement of ob!ecti"es to acceptable

le"els.

b. Control activities are commonly categori1ed into the follo(ing four types"

%. &er"ormance reviews

! strong accounting system should have controls that independently

chec* the performance of the individuals or processes in the system.

2. &hysical controls includes

• physical security of assets, including adequate safeguards such as

secured facilities over access to assets and records

• authoriation for access to computer programs and data files

• periodic counting and comparison -reconciliation/ (ith amounts

sho(n on control records $e.g. comparing the results of cash, security

and inventory counts (ith accounting records%

6




/. $egregation o" duties2

• '*+RI'I+ o" transactions vs. RC+R/I0 o"

transactions vs. C$+/1 o" the related assets.

• independent performance of each of these functions reduces the

opportunity for any one person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his

or her duties

2. In"ormation !rocessing controls (including authoriation and document

based controls)

These controls check accuracy, completeness and authoriation of

transactions. There are t(o broad categories of information systemcontrols"

• 0eneral controls 2 relate to the overall

information processing environment and

include controls over data center and

net(ork operations.

• '!!lication controls 2apply to the processing

of individual applications and help ensure

the occurrence $validity%, completeness andaccuracy of transaction processing

11. 3rinciple 114 'he or#aniation selects and de"elops of #eneral control acti"ities

o"er technolo#y to support the achie"ement of ob!ecti"es

20eneral controls3 relate to the overall information processing environment and

include controls over data center and net(ork operations- system soft(are

acquisition, change and maintenance- access security- and application systemacquisition, development, and maintenance.

2 '!!lication controls3 apply to the processing of individual applications and help

ensure the occurrence $validity%, completeness, and accuracy of transaction

processing.

12. 3rinciple 124 'he or#aniation deploys control acti"ities throu#h policies that

establish ,hat is e5pected and procedures that put policies into action.

2 !olicy3 rule or guideline that calls for certain activities to take place in certain

circumstances.2 !rocedure3 is the revie( itself, performed in a timely manner and (ith attention

7




given to factors set forth in policy, such as the nature and volume of purchases,

and their relation to furthering the entity's ob)ectives.

D. Information System and Communication

a. Information is necessary for the entity to carry out internal control

responsibilities that support the achievement of its ob)ectives

1$. 3rinciple 1$4 'he or#aniation obtains or #enerates and uses rele"ant ;uality

information to support the functionin# of internal control.

2The information system relevant to the financial reporting ob)ectives includes the

accounting system and consists of the procedures and records established to

initiate, authori1e, record, process, and report and entity's transactions and tomaintain accountability for the related assets and liabilities. !n effective

accounting system gives appropriate consideration to establishing methods and

records that (ill"

• Identify and record all valid transactions

• escribe on a timely basis the transactions in sufficient detail to permit

proper classification of transactions for financial reporting

• Measure the value of transactions in a manner that permits recording their

proper monetary value in the financial statement $48%.

• etermine the time period in (hich transactions occurred to permit

recording of transactions in the proper accounting period

• 5roperly present the transactions and related disclosures in the financial

statements

1&. 3rinciple 1&4 'he or#aniation internally communicates information includin#

ob!ecti"es and responsibilities for internal control necessary to support the

functionin# of internal control.

1+. 3rinciple 1+4 'he or#aniation communicates ,ith e5ternal parties re#ardin#

matters affectin# the functionin# of internal control.

. onitorin# of Controls

8




a. In +==>, C## issued guidance on monitoring internal control system, (hich

is a process that assesses the quality of internal control performance o"er

time.

b. To provide reasonable assurance that an entity’s ob)ectives (ill be achieved,

management should monitor controls to determine (hether they are operatingeffectively

c. ince risks change over time, management needs to monitor (hether controls

need to be redesigned (hen risks change.

16. 3rinciple 164 'he or#aniation selects de"elops and performs on#oin# and<or

separate e"aluations to ascertain ,hether the components of internal control are

present and functionin#.

17. 3rinciple 174 'he or#aniation e"aluates and communicates internal controldeficiencies in a timely manner to those parties responsible for ta*in# correcti"e

action includin# senior mana#ement and the board of directors as appropriate.

LO 6 3lannin# an Audit Strate#y

!. The audit risk model states that !&?&MM @ & (here &MM ? I& @C&. The

auditor’s assessment of &MM must consider the level of C& in applying the riskmodel.

0. =o, the auditor determines the appropriate level of C&"

1st step4 3sing the information gathered by performing risk assessment

procedures to evaluate the design o" controls and to determine (hether

the controls have been im!lemented .

2nd step4 decide (hether or not the auditor rely on the controls.

• If the auditor’s risk assessment procedures indicate that the controls are

not properly designed or not implemented, the auditor (ill not rely on the

control. The auditor (ill set control risk at maimum and use substantive procedures to reduce the risk of material misstatement to acceptably lo(

level.

• If the auditor’s risk assessment procedures indicate that the controls are

properly designed or implemented, the auditor (ill rely on the control.

Then, tests of controls are required to be performed to obtain audit

9




evidence that the controls are operating effectively. The auditor (ill make

an assessment of control risk based on the results of the tests of controls.

• T(o audit strategy help you to identify A#B the auditor uses the

understanding and assessment of internal control to determine the nature,

timing, and etent of audit procedures"

*% A substanti"e strate#y4

Means that the auditor has decided not to rely on the entity’s

controls and instead use substantive procedures as the main source

of evidence about the assertions in financial statements.

The follo(ing factors may make the auditor decide to follo( a

substantive strategy for some or all assertions"

2 The implemented controls do not pertain to the assertion the

auditor is considering.

2 The implemented controls are assessed as ineffective.

2 Testing the operating effectiveness of the controls (ould beinefficient.

!uditing standards point out that the auditor needs to be satisfied

that performing only substantive procedures (ould be effective in

restricting detection risk to an acceptable level. 4or eample, the

auditor may determine that performing tests of controls for an

entity that has a limited number of long2term debt transactions

because corroborating evidence can be obtained by eamining the

loan agreements and confirming relevant information.

2/ A reliance strate#y4

Means that the auditor intends to rely on the entity’s controls.

9eed more detailed understanding of internal control to develop a

preliminary or plannedD assessment of control risk.

Then, plan and perform test of controls.

3sing the test results to assess the achievedD level of control risk.

The test results indicate that achieved control risk is higher than

planned- the auditor (ill increase the planned substantive

procedure substantive procedures and document the revised control

risk assessment. If the planned level of control risk is supported, no

revisions of the planned substantive procedures are required.

• The level of control risk is documented, and substantive procedures are

then performed. Eeep in mind that there may be different degrees of

control reliance for different business processes or assertion (ithin a

process.

• Eeep in mind there is no single strategy for the entire audit.

10




• 4orm a practical standpoint, the level of control risk is normally set in

terms of the assertions about classes of transactions and events for the

period under audit. $see Table ;2: belo(%

$rd step4 It is important to understand that auditing standards require some

substantive evidence for all significant accounts and assertion. Thus, a

reliance strategy reduces but does not eliminate the need to gather

substantive evidence.

'able 6>& presents the assertions related to transactions and events that (ere discussed in

chapter 6 and control activities that are normally in place for and tracking of

prenumbered documents is a control procedure typically found in each business processto ensure occurrence and completeness.

FI?@%( 6>$ 4lo(chart of the !uditor’s Consideration of Internal Control and Its&elation to ubstantive 5rocedures

11




12




LO 7 @nderstandin# Internal Control

A. O"er"ie,4

a. 3nderstanding of the five components of Internal Controls includes

kno(ledge about design and (hether relevant controls have been put in place.The auditor is required to"

• Identify the types of potential misstatement.

• 5inpoint the factors that affect the risk of material misstatement.

• esign tests of controls and substantive procedures

b. etermining if I s!ecialist needed, the follo(ing factors should be

considered"

• The com!le4ity of the entity’s IT systems and controls and the manner in

(hich they are used in conducting the entity’s business.• The signi"icance o" changes made to eisting systems, or the

implementation of ne( systems.

• The etent to (hich data are shared among systems.

• The etent of the entity’s !artici!ation in electronic commerce.

• The entity’s use of emerging technologies.

• The signi"icance o" audit evidence that is available only in electronic form.

c. The (ays that the IT specialists help auditor engagement team"

• Inquire of the entity’s IT personnel about ho( data and transactions are

initiated, authori1ed, recorded, processed, and reported• !nd about ho( IT controls are designed

• Inspect the system’s documentation

• #bserve the operation of IT controls

• 5lan and perform tests of IT controls.

d. The auditor should have sufficient IT2related kno(ledge to communicate the

assertions to the IT specialist, to evaluate (hether the specified procedures,

and to evaluate the results of the audit procedures completed by the IT

specialist.

e. The auditor may use the follo(ing audit procedures to understand a client’s

internal control". Three eamples are"• In;uiry of appropriate management, supervisory, and staff personnel.

• Inspection of entity documents and reports.

• Obser"ation of entity activities and operations.

). @nderstandin# the control en"ironment (because it will directly im!act the

13




achievement o" the objectives o" the IC system)3

a. The auditor should gain sufficient kno(ledge about the control environment

to understand management's and the board's attitudes, a(areness, and actions

concerning the control environment.

b. !uditor uses questionnaire to obtain an understanding of the Control

nvironment

C. @nderstandin# the entitys ris* assessment process"

a. !uditor should understand

• Ao( management considers risk relevant to financial reporting

• Ao( management deal (ith those risks

• It helps determine the magnitude of control risk

D. @nderstandin# the Information System and Communications

a. The auditor should gain enough information of the I to understand the

follo(ing"• The classes of transactions in the entity’s operations that is significant to

the financial statements.

• The control procedures by (hich transactions are initiated, authori1ed,

recorded, processed, and reported, from their occurrence to their inclusion

in the financial statement.

• The related accounting records, (hether electronic or manual, supporting

information and specific accounts in the financial statement that are

involved in initiating, recording, processing, and reporting transactions.

• Ao( the information system captures other events and conditions that are

significant to the financial statements.

• The financial reporting process used to prepare the entity’s financial

statements, including significant accounting estimates and disclosures.

b. The auditor needs to study each business process that affects significant

account balances in the financial statements, (hich includes kno(ing ho(

transactions are done, ho( documents and records are created and moved

through the general ledger, and the financial statement.

c. The auditor must understand the control procedures related to the planning of

the financial statement and the disclosures.

• The procedures used to enter transactions totals into the general ledger,

• The procedures used to initiate, authori1e, record, and process )ournal

entries in the general ledger.

• #ther procedures used to record recurring and nonrecurring ad)ustments to

14




the financial statements.

(. @nderstandin# Control Acti"ities

a. !uditor use (alkthroughs to develop an understanding of control activities

b. !uditor decides to (ork more on control activities if"

• 4ollo(s a reliance strategy• The control activities that relate to assertion for (hich a lo(er level of

control risk is epected

c. !uditor (ork less on control activities if"

• 4ollo(s a substantive strategy

• ets control risk at the maimum

• 0elieves the internal controls are unlikely to be effective

F. @nderstandin# of monitorin# of controls4

a. 3nderstand ma)or types of activities to monitor IC such as source of

documents to support activities- and ho( the latter are used to initiate

corrective actions to IC.

LO 8 Obtain an @nderstandin# of Internal Control

!. /ocumenting the nderstanding o" Internal Control can be achieved by using any

combination of the follo(ing methods.a. 5rocedures 5anuals and #rgani1ational Charts

• Aelp the auditor document understanding of the internal control system

• Manuals include documentation of accounting systems and related control

activities

• #rgani1ational chart presents the designated lines of authority and responsibility

b. Internal Control 6uestionnaire

• 5rovides a systematic and comprehensive (ay to evaluate internal control

• 3sed in areas (ith relatively comple internal control structure

• Contains questions about the factors or characteristics of the five internal

control components-

The control environment,

The entity’s risk assessment process,

The IT system and related business processes,

Control activities, and

15




Monitoring of control.

c. Flowcharts

• 5rovides a diagrammatic $visual depiction% representation of the entity’s

internal control system making it easier for the auditor to perform

(alkthroughs.

• #utlines the configuration of the system in terms of functions, documents,

processes, and reports

• 4acilitates an analysis of the system strengths and (eaknesses

d. arrative escription ? Memo

• 5rovides a simple, (ritten memorandum that documents the understanding

of internal control

• 3sed for entities (ith simple internal control system

0. The ffect of ntity i1e on Internal Control

a. Farge entities implement the components in the fashion described $e.

Britten code of conduct%

b. Middle and small entities" use less formal or alternative approaches $e.

eveloping culture that emphasi1es integrity, ethics through eample of the

o(ner2manager% because they have"

• ffective communication channels due to the si1e- better control as the

manager is involved in day2to2day activities- less hierarchy, better

management’s visibility- effective monitoring as the manager gets

involved in the operations

C. The Fimitations of an ntity’s Internal Control

a. !n internal control system should be designed and operated to provide

reasonable assurance that an entity’s ob)ectives are being achieved. The

concept of reasonable assurance recogni1es that the cost of an entity’s internal

control system should not eceed the benefits that are epected to derived.

0alancing the cost of controls (ith related benefits requires considerable

estimation and )udgment from management.

b. Fimitations

16




• Ma)or causes of fraud 7 Inade7uate internal control and compliance, and

management override of internal control

• 5anagement +verride of Internal Control

. Management can make a lo(er2level employee to record entities inthe accounting records that are not consistent (ith the substance of the

transactions

. Manager can enter into side agreements (ith customers to alter the

terms and conditions of the sales contract.

• *uman rrors and 5istakes on 8udgment

3nintentional

• Collusion

!nother ma)or cause of fraud

Can destroy segregation of duties

LO 9 Assessin# Control %is*

!. !ssessing control risk

• The process of evaluating the effectiveness of an entity’s internal control in

preventing, or detecting and correcting, material misstatements in the financial

statements. $Can be performed concurrently (ith understanding an entity’s

ICD.%

• Control risk at maimum ? substantive strategy

• Control risk at a lo(er level ? reliance strategy

et control risk belo( maimum

• Identify specific controls relevant to specific assertions

• 5erform test of controls

• Conclude on the achieved level of control risk

0. Identifying pecific controls that (ill be relied upon

• The auditor’s understanding of internal control is used to identify the controls

that are likely to prevent, or detect and correct, material misstatements in

specific assertions.

ome of the controls the auditor (ill rely upon have a pervasive effect on

many assertions. $.g. the conclusion that an entity’s control environment

17




is highly effective may influence the auditor’s decision about (hich

auditing procedures are to be performed.%

ome controls only affect an individual assertion contained in a financial

statement account. $.g. a credit check performed on a customer’s order

specifically related to the valuation assertion for the accounts receivable

balance.

LO 1: 3erformin# 'estin# of Control

3erformin# 'ests of Controls4

Test of controls are performed in order to provide evidence to support the lo(er level

of control risk. 5rocedures that are used for T.#.C include in7uiry, ins!ection o"

documents, observation, re-!er"ormance or combinations o" those !rocedures (i.e.

walkthroughs). $9ote the audit procedures that are 9#T here such as confirmations,

footing and many more. Think about (hy.% The auditor is going to choose controlsto test based on their importance in preventing or detecting a material misstatement.

The auditor (ill need to look at both their design and operating effectiveness.

Test of controls directed to(ard the design e""ectiveness" evaluating (hether

that control is suitably designed to prevent, or detect and correct material

misstatements.

Test of controls directed to(ard the o!erating e""ectiveness" assessing ho( the

control (as applied, the consistency (ith (hich it (as applied during the

audit period, and by (hom it (as applied. The operating effectiveness can be

affected by (hether the control is manual or automated. Manually performed

controls may be sub)ect to human errors and mistakes- (hile automated

controls $if properly designed% should operate more consistently and hence,

does not need to test as many instances.

'ypes of 'ests of Controls (5amplesIn;uiry of appropriate entity personnel. Inquiry of credit manager about the

policies for (riting off uncollectible

accounts.

Inspection of documents, reports, or

electronic files indicating the performance of the control.

Inspect bank reconciliations prepared

by the internal auditors.

Obser"ation of the application of the

control.

#bserve ho( controls are applied to

the handing of cash to ensure that

there is proper segregation of duties.

%eperformance of the application of the control by the auditor.

&eperform the authori1ation controlused for granting credit.

18




Concludin# on the Achie"ed Le"el of Control %is*4

2 !fter T.#.C, the auditor should reach a conclusion on the achieved level o" control

risk. 3sing the achieved level of control risk together (ith the assess level of

inherent risk to determine the level of detection risk use the level of detection risk

to determine the nature, timing, and etent of substantive tests.

2 If T.#.C is consistent (ith the planned assessment of control risk, no revision in the

nature, timing or etent of substantive procedures is necessary. #ther(ise, a revision

is needed.

Documentin# the Achie"ed Le"el of Control %is*

2 The auditor should document the achieved level of control risk for the controls

evaluated, using a structured (orking paper, an internal control questionnaire, or a

memorandum

(4am!le o" how account characteristics a""ect the auditor9s understanding o" internal

control, control risk assessment and !lanned substantive !rocedures is described in table

:-;, !<=>)

LO 11 Substanti"e 3rocedures

!. Consist in the last step in the decision process in !udit trategy. ubstantive

5rocedures include substantive analytical procedures and test of details

0. The nature, etent and timing of substantive procedures may vary for t(o

different entities as a function of the detection risk level for the inventory account,

(hich is part of the purchasing process. In the follo(ing eamples both client

audit risk is set lo(

• Client one4 Aigh &MM, detection risk is lo(. To achieve a lo( detection risk

the audit must

#btain more reliable types of evidence $confirmation and re2

performance%

Conduct most of the audit (ork at year end

Make the test more etensive $larger sample si1e%

Must fill the !ssurance 0uckets almost (ith ubstantive vidence

19




• Client t,o4 lo( &MM, detection risk is high (hich means"

Fess reliable types of evidence can be used

Most of the audit (ork can be conducted at an interim date

Test of the inventory account (ould involve a smaller sample si1e

! ma)or difference bet(een these t(o strategies involves the physical

eamination of the inventory on hand.

• Fo( detection risk strategy" eamined at year end because the control risk (as

assessed to be high

• Aigh detection risk strategy" eamined at an interim date because the control

risk assessment indicates little &MM.

LO 12 'imin# of Audit 3rocedures

The interim tests of controls are conducted sometime during the time frame G8/*2

**8/=.

!. Interim Test of Controls

a. Test controls at interim date because"

!ssertion being tested may not be significant

The control has been effective in prior audits

20




fficient to conduct the tests at that time

b. If the controls are not operating effectively it gives the auditor time to reassesscontrol risk and modify audit plan.

c. The auditor can also inform management so misstatements can be located.

d. !dditional (ork after the interim period, should address"• ignificance of assertion

• The evaluation of design and operations of the relevant controls

• &esults of test of controls

• The length of the remaining period

• The planned substantive procedures in determining the nature and etent

of audit (ork for the remaining of period

0. Interim ubstantive 5rocedures

a. Conducting substantive procedures at interim date may increase &#MM, butcan control this by"

• Considering (hen it is appropriate to eamine an account at an interim

date and by performing selected audit procedures for the period bet(een

the interim date and year end b. Consider these factors"

• Control environment

• !vailability of information at a later date

• 5urpose of ubstantive procedures

• !ssessed &#MM

• 9ature of the class of transactions or account balances

• !bility to perform substantive procedures to cover the remaining period to

reduce &#MMc. ome additional substantive procedures are ordinarily conducted in the

remaining period.

d. If a misstatement detected, must revise the planned procedures for the

remaining period or additional ones at year end.

LO 1$ Auditin# Accountin# Applications 3rocessed by Ser"ice Or#aniations

!. Bhen a service organi1ation provides accounting services to an entity, thoseservices are considered part of the entity's information system and relevant to

financial reporting.

0. !uditor’s Concerns0ecause the entity's transactions are sub)ected to the controls of the service

organi1ation, one auditor concern is the internal control system at the service

organi1ation.

• ignificance of Control of service relies on the nature and materiality of

the transactions and the degree of interaction the transactions activities and

the client’s activities Heample" if client initiates transactions and service

21




organi1ations eecutes and does !CCT. processing of transactions ? Farge

degree of interaction

• !fter obtaining an understanding of internal control, the auditor identifies

controls that are applied by the entity or the service organi1ation that

might allo( an assessment of reduced control risk.

C. ervice #rgani1ations"

• Mortgage bankers" service mortgages

• Trust departments" invest or hold assets for employee benefit plans

• IT service Center $most freq%" process payroll and related accounting

reports

. The auditors need to understand the client’s internal control components in order

to identify controls that are applied by the client or the service organi1ation that(ill allo( an assessment of reduced control risk.

'ype I and 'ype II %eports

ince service organi1ations process data for many customers, most of the time

auditor issues an attestation report on their operations. ! service organi1ation’s

auditor can issue one of t(o types of reports.

'ype I is a report on management’s description of a service organi1ation’s system

and the suitability of the design of controls at a specific point of time.

• Managements description on the system• Britten assertion by management that the description fairly represents the

system

• The controls are suitable to achieve management’s controls by a certain

date

'ype II is a report on management’s description of a service organi1ation’ssystem and the suitability of the design and operating effectiveness of control.

• Managements description on the system

• Britten assertion by management that the description fairly represents the

system

•

The controls are suitable to achieve management’s controls by a certaindate

• 5&#JI !3&!9C #9 TA #5&!TI9< 44CTIJ9

#4 C#9T&#F

&eports Content Type I Type II

Independent ser"ice auditors report

-i.e. opinion/

Included Included

22




Ser"ice or#aniations description of

controls.

Included Included

Information pro"ided by the

independent ser"ice auditorB includes

a description of the ser"ice auditors

tests of operatin# effecti"eness andthe results of those tests

#ptional Included

Other information pro"ided by the

ser"ice or#aniation -e.#. #lossary of

terms/.

#ptional Included

. !n auditor may reduce control risk belo( the ma only on the basis of a service

auditor’s report that includes test of the controls.

4. !lthough a financial statement audits of private companies do not include audit of entity's entire system of internal control, the auditor may discover deficiencies in

the entity's internal controls during the audit.

LO 1& Communicatin# of Internal Control>%elated atters

!. 3nder the arbanes2#ley !ct of +==+ management of public companies must

prepare an assertion on the internal control and the auditor must issue an opinionon the effectiveness of the internal control. 4or !rivate com!anies there’s no need

to audit their internal control but the auditor (ill find deficiencies during the

audit.

• ! control de"iciency in the internal control eists (hen the operation of

control does not allo( management or employees to perform their assignedfunctions.

• ! material weakness is a combination of deficiencies (hen there is areasonable possibility that material misstatement of the financial statements(ill not be prevented, detected and corrected.

• ! signi"icant de"iciency is a combination of deficiencies that is less severe

than material (eakness but important enough to get the attention of those in

charged.

0. amples of circumstances that may be control deficiencies, significant

deficiencies, or material (eakness"

Deficiencies in the desi#n of controls

• Inadequate design of internal control over the preparation of the financial

statements being audited.

• Inadequate design of internal control over a significant account or process.

• Inadequate documentation of the components of internal control.

• Insufficient control consciousness (ithin the organi1ation, for eample, the

tone at the top and the control environment.

23




• !bsent or inadequate segregation of duties (ithin a significant account or

process.

• !bsent or inadequate controls over the safeguarding of assets.

• Inadequate design of information technology general and application controls.

• mployees or management (ho lack the qualifications and training to fulfill

their assigned functions• Inadequate design of monitoring controls

• The absence of an internal process to report deficiencies in internal control to

management on a timely basis.

Failures in the operation of internal control

• 4ailure in the operation of effectively designed controls over a significant

account or process.

• 4ailure of the information and communication component of internal control

to provide complete and accurate output because of deficiencies in timeliness,

completeness, or accuracy.• 4ailure of controls designed to safeguard assets from loss, damage, or

misappropriation.

• 4ailure to perform reconciliations of significant accounts

• 3ndue bias or lack of ob)ectivity by those responsible for accounting

decisions

• Misrepresentation by client personnel to the auditor $ an indicator of fraud%.

• Management override of controls.

• 4ailure of an application control caused by a deficiency in the design or

operation of an IT general control.

• !n observed deviation rate that eceeds the number of deviations epected by

the auditor in a test of operation effectiveness of a control.

24

Chapter 6 Outline 9th Edition

Documents