Evaluation of Internal Control System
Jan 02, 2016
Learning Objective 1
Contrast management’s need for internal control with the auditor’s need to consider internal control when designing an audit.
Client’s Concerns
Compliance with applicable laws and regulations
Reliability of financial reporting
Efficiency and effectiveness of operations
Auditor Concerns
Controls over classes of transactions
Controls related to reliability of financial reporting
The Control Environment
Integrity and ethical values
Commitment to competence
Board of directors or audit committee participation
Management’s philosophy and operating style
The Control Environment
Organizational structure
Assignment of authority and responsibility
Human resources policies and practices
Risk Assessment
Identify factors affecting risk.
Assess significance of risks and likelihood of occurrence.
Determine actions necessary to manage risk.
Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
Adequate Separation of Duties
Custody of assets / Accounting
Authorization of transactions / The custody of related assets
Operational responsibility / Record-keeping responsibility
IT duties / User departments
Adequate Documents and Records
Prenumbered consecutively
Prepared at the time of transaction
Designed for multiple uses
Constructed to encourage correct preparation
Simple enough to ensure understanding
Physical Control over Assets and Records
Physical precautions
Controls related to IT equipment, programs, and data files
Physical controls
Access controls
Backup and recovery procedures
Independent Checks on Performance
The need for independent checks arises because internal control tends to change over time unless there is a mechanism for frequent review.
Information and Communication
The purpose of an accounting information and communication system is to…
initiate, record, process, and report the transactions and to maintain accountability for the related assets.
Monitoring
Management’s ongoing and periodic assessment of the quality of internal control performance …
to determine whether controls are operating as intended and modified when needed.
Understanding Internal Control and Assessing Control Risk
Obtain Understanding of Internal Control: Design and Operation
Assess Control Risk
Test Controls
Decide Planned Detection Risk and Substantive Tests
Reasons for Sufficiently Understanding Internal Control
SLAuS requires the auditor to obtain an understanding of internal control for every audit.
Minimum audit planning matters
• Auditability
• Potential material misstatements
• Detection risk
• Design of test
Procedures to Determine Design and Placement
Update and evaluate auditor’s previous experience with the entity.
Make inquiries of client personnel.
Read client’s policy and systems manuals.
Examine documents and records.
Observe entity activities and operations.
Documentation of the Understanding
Narrative
Flowchart
Internal control questionnaire
Learning Objective 4
Assess control risk by linking strengths and weaknesses of internal control to transaction-related audit objectives.
Assess Control Risk
Obtain sufficient understanding for planning.
Assess whether the entity is auditable.
Determine assessed control risk.
Assess if a lower control risk could be supported.
Determine the appropriate assessed control risk.
Assess Control Risk
Identify transaction-related audit objectives.
Identify specific controls.
Identify and evaluate weaknesses.
Identify and Evaluate Weaknesses
Identify existing controls.
Identify the absence of key controls.
Determine misstatements that could result.
Consider compensating controls.
The Control Risk Matrix
Auditors use the control risk matrix to identify both controls and weaknesses and to assess control risk.
Tests of Controls
The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.
Procedures for Tests of Controls
Make inquiries of client personnel.
Examine documents, records, and reports.
Observe control-related activities.
Reperform client procedures.
Extent of Procedures
Reliance on evidence from prior year’s audit
Testing less than the entire audit period
Decide Planned Detection Risk and Design Substantive Tests
The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests.
The auditor links the control risk assessments to the balance-related audit objectives.