7/23/2019 Chapter 6 Outline 9th Edition
http://slidepdf.com/reader/full/chapter-6-outline-9th-edition 1/24
Chapter 6 Internal Control in a Financial Statement Audit
LO 1 Introduction
A. The Importance of Internal Control to Management
Management has the responsibility to design and maintain a system of internal
control that provides reasonable assurance that assets and records are properly
safeguarded, and that the entity's information system generates information
that is reliable for decision making.
• Management is responsible for providing and maintaining adequate controls
over the entity's assets and records.
• Strong internal controls ensure that assets and records are properly
safeguarded.
• Management needs a control system that generates reliable information to
make informed decisions about issues such as pricing, cost, and profit.
B. The Importance of Internal Control to Auditors
• Auditors need assurance about the reliability of the data generated by the
information systems.
• The auditor uses risk assessment procedures to:
- Obtain an understanding of the entity's internal control then,
- Identify key controls and types of potential misstatements then,
- Ascertain (identify) factors that affect the ROMM and
- Design tests of controls and substantive procedures
• There is an inverse relationship between the reliability of internal control and
the amount of substantive evidence required of the auditor.
• The auditor's understanding of the internal control is a major factor in
determining the overall audit strategy. Auditors' responsibilities for internal
control include:
(1) obtaining an understanding of internal control
(2) assessing control risk.
LO 2 Definition of Internal Control
A. According to COSO's Internal Control-Integrated Framework, internal control
is designed and carried out by an entity's board of directors, management, and
other personnel to provide reasonable assurance about the achievement of the
entity's objectives in the following categories:
1. Reliability, timeliness, and transparency of internal and external, financial
and nonfinancial reporting;
2. Effectiveness and efficiency of operations, including safeguard of assets;
3. Compliance with applicable laws and regulations
B. An effective system of internal control allows management to focus on
operations and financial performance goals while maintaining compliance with
relevant laws and minimizing surprises.
LO 3 Control Relevant to the Audit
Irrelevant Controls
• Controls related to management's planning
• Controls related to management's operating decision
Relevant Controls
The controls that are of most direct relevance to financial statement audit are
those that contribute to the reliability, timeliness and transparency of external
financial reporting. These controls help to prevent or detect and correct material
misstatements in the financial statements.
• Controls relating to operations and compliance objectives may be relevant when
they have an impact on the data the auditor uses to apply auditing procedures.
LO 4 The Effect of Information Technology on Internal Control
• IT technology affects the way transactions are initiated, authorized, recorded,
processed and reported.
• IT technology includes a combination of manual and automated controls. It varies
with the nature and complexity of the IT system.
• Risks depend on the nature and characteristics of the entity's information system.
• A lack of control for one data entry point causes rippling effects for others.
• Segregation of duties can be managed through security controls for users. A user
should only have access to data entry and modification for the duties they
perform.
Benefits of IT system (It cannot make judgments)
• Consistent application of predefined business rules
• Enhancement of timeliness, availability, and accuracy
• Improve analysis reports of information
• Ability to monitor entity performance
• Reduction in the risk of circumventing controls
• Enhancement of segregation of duties and security controls
Risks of IT system
• Reliance on the system
• Unauthorized access that may cause harm to an entity
• Unauthorized changes in master files
• Unauthorized changes to systems
• Failure to make system changes
• Inappropriate manual intervention
• Potential loss of data
LO 5 The COSO Framework (CRIME)
Components of Internal Control
a. Internal control as defined by the COSO framework consists of 5 components:
1. The Control environment - sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure
2. The entity's Risk assessment process
3. The Information system and related business processes relevant to
financial reporting and communication
4. Monitoring of controls
5. Existing control activities
A. Control Environment (Includes the "Tone of an organization")
a. The importance of controls to an entity is reflected in the overall attitude
(control consciousness), awareness of and actions of the BOD, management
and owners regarding control. It is the foundation for all other components,
providing discipline and structure.
b. Principles that affect the control environment:
1. Principle 1: The organization demonstrates a commitment to integrity
and ethical values - the effectiveness of an entity's internal controls is
influenced by the integrity and ethical values of the individuals
(management) who create, administer, and monitor the controls.
2. Principle 2: The BoD demonstrates independence from management
and exercises oversight of the development and performance of
internal control - The board and audit committee must take their fiduciary
responsibilities seriously and actively oversee the entity's accounting and
reporting policies and procedures. Factors that can impact the effectiveness of
the board or audit committee include the following:
- Experience and stature of members and independence from
management
- Extent of involvement with and scrutiny of the entity's activities
- Information availability and willingness/ability to act on information
- Extent to which difficult questions are raised and pursued with
management
- Nature and extent of interactions with internal and external
auditors
3. Principle 3: Management establishes, with the board oversight,
structures, reporting lines, and appropriate authorities and
responsibilities in the pursuit of objectives - An entity's organizational
structure defines how authority and responsibility are delegated and
monitored. The appropriateness of an entity's organizational structure
depends on:
• size of activities
• nature of activities
• external influences (e.g. regulation)
4. Principle 4: The organization demonstrates a commitment to attract,
develop, and retain competent individuals in alignment with
objectives - The quality of internal control directly relates to the personnel
operating the system. The entity should have personnel policies for: hiring,
orienting, training, evaluating, counseling, promoting, compensating,
planning succession, and taking remedial action. Management should
specify competence level for a particular job and translate it into the job
description.
5. Principle 5: The organization holds individuals accountable for their
internal control responsibilities in the pursuit of objectives.
• Management and the board are responsible for establishing
mechanisms to communicate and hold individuals accountable for
performance of internal control responsibilities across the
organization and for implementing corrective action as necessary.
• Management and the board establish incentives and rewards for
reflecting standards of conduct. Incentives should align with
short-term and long-term objectives.
B. The entity's risk assessment process
a. An entity's risk assessment process is its process for identifying and
responding to business risks. This process includes how management
identifies risks relevant to the preparation of financial statements. For each
identified risk, management must:
• Estimate their significance
• Assess the likelihood of their occurrence and
• Decide on how to manage them.
b. The risk assessment process should consider external and internal events and
circumstances that may arise and adversely affect the entity's ability to
initiate, authorize, record, process and report financial data consistent with
the assertions of management in the F/S.
c. Once risks have been identified, management should consider their
significance, the likelihood of their occurrence and how they should be
managed.
6. Principle 6: The organization specifies objectives with sufficient clarity to
enable the identification and assessment of risks relating to objectives.
- Internal control objectives are organized into three categories in the COSO
Framework: operations, compliance, and reporting.
- In the area of external reporting, management must ensure:
- specified objectives including reporting consistent with GAAP when
appropriate
- in light of materiality considerations
- include faithful reflection of underlying transactions and events,
including important qualitative characteristics (relevance and faithful
representation).
7. Principle 7: The organization identifies risks to the achievement of its objectives
across the entity and analyzes risks as a basis for determining how the risks should
be managed.
- An entity's risk assessment process should consider the possibility of events that
threaten the achievement of objectives.
- The entity needs to establish its tolerance for accepting risks and its ability to
operate within those risk levels.
8. Principle 8: The organization considers the potential for fraud in assessing risks
to the achievement of objectives.
- Assessment of fraud risk includes incentives and pressure, opportunity, and
rationalization.
9. Principle 9: The organization identifies and assesses changes that could
significantly impact the system of internal control.
C. Existing Control Activities (approvals, authorizations, verifications, reconciliations, etc.)
a. Control activities are the policies and procedures that help ensure that
management's directives are carried out and are implemented to address risks
identified in the risk assessment process.
10. Principle 10: The organization selects and develops control activities that
contribute to the mitigation of risks to the achievement of objectives to acceptable
levels.
b. Control activities are commonly categorized into the following four types:
1. Performance reviews
A strong accounting system should have controls that independently
check the performance of the individuals or processes in the system.
2. Physical controls include:
• physical security of assets, including adequate safeguards such as
secured facilities over access to assets and records
• authorization for access to computer programs and data files
• periodic counting and comparison (reconciliation) with amounts
shown on control records (e.g. comparing the results of cash, security
and inventory counts with accounting records)
3. Segregation of duties:
• AUTHORIZATION of transactions vs. RECORDING of
transactions vs. CUSTODY of the related assets.
• independent performance of each of these functions reduces the
opportunity for any one person to be in a position to both
perpetrate and conceal errors or fraud in the normal course of his
or her duties
4. Information processing controls (including authorization and
document-based controls)
These controls check accuracy, completeness and authorization of
transactions. There are two broad categories of information system
controls:
• General controls - relate to the overall
information processing environment and
include controls over data center and
network operations.
• Application controls - apply to the processing
of individual applications and help ensure
the occurrence (validity), completeness and
accuracy of transaction processing
11. Principle 11: The organization selects and develops general control activities
over technology to support the achievement of objectives
- General controls: relate to the overall information processing environment and
include controls over data center and network operations; system software
acquisition, change and maintenance; access security; and application system
acquisition, development, and maintenance.
- Application controls: apply to the processing of individual applications and help
ensure the occurrence (validity), completeness, and accuracy of transaction
processing.
12. Principle 12: The organization deploys control activities through policies that
establish what is expected and procedures that put policies into action.
- Policy: rule or guideline that calls for certain activities to take place in certain
circumstances.
- Procedure: is the review itself, performed in a timely manner and with attention
given to factors set forth in policy, such as the nature and volume of purchases,
and their relation to furthering the entity's objectives.
D. Information System and Communication
a. Information is necessary for the entity to carry out internal control
responsibilities that support the achievement of its objectives
13. Principle 13: The organization obtains or generates and uses relevant, quality
information to support the functioning of internal control.
- The information system relevant to the financial reporting objectives includes the
accounting system and consists of the procedures and records established to
initiate, authorize, record, process, and report an entity's transactions and to
maintain accountability for the related assets and liabilities. An effective
accounting system gives appropriate consideration to establishing methods and
records that will:
• Identify and record all valid transactions
• Describe on a timely basis the transactions in sufficient detail to permit
proper classification of transactions for financial reporting
• Measure the value of transactions in a manner that permits recording their
proper monetary value in the financial statement (F/S).
• Determine the time period in which transactions occurred to permit
recording of transactions in the proper accounting period
• Properly present the transactions and related disclosures in the financial
statements
14. Principle 14: The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to support the
functioning of internal control.
15. Principle 15: The organization communicates with external parties regarding
matters affecting the functioning of internal control.
E. Monitoring of Controls
a. In 2009, COSO issued guidance on monitoring internal control system, which
is a process that assesses the quality of internal control performance over
time.
b. To provide reasonable assurance that an entity's objectives will be achieved,
management should monitor controls to determine whether they are operating
effectively.
c. Since risks change over time, management needs to monitor whether controls
need to be redesigned when risks change.
16. Principle 16: The organization selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components of internal control are
present and functioning.
17. Principle 17: The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for taking corrective
action, including senior management and the board of directors, as appropriate.
LO 6 Planning an Audit Strategy
A. The audit risk model states that AR = RMM × DR, where RMM = IR × CR. The
auditor's assessment of RMM must consider the level of CR in applying the risk
model.
B. How the auditor determines the appropriate level of CR:
1st step: Using the information gathered by performing risk assessment
procedures to evaluate the design of controls and to determine whether
the controls have been implemented.
2nd step: Decide whether or not the auditor will rely on the controls.
• If the auditor's risk assessment procedures indicate that the controls are
not properly designed or not implemented, the auditor will not rely on the
control. The auditor will set control risk at maximum and use substantive
procedures to reduce the risk of material misstatement to an acceptably low
level.
• If the auditor's risk assessment procedures indicate that the controls are
properly designed or implemented, the auditor will rely on the control.
Then, tests of controls are required to be performed to obtain audit
evidence that the controls are operating effectively. The auditor will make
an assessment of control risk based on the results of the tests of controls.
• Two audit strategies help you to identify HOW the auditor uses the
understanding and assessment of internal control to determine the nature,
timing, and extent of audit procedures:
1) A substantive strategy:
Means that the auditor has decided not to rely on the entity's
controls and instead use substantive procedures as the main source
of evidence about the assertions in financial statements.
The following factors may make the auditor decide to follow a
substantive strategy for some or all assertions:
- The implemented controls do not pertain to the assertion the
auditor is considering.
- The implemented controls are assessed as ineffective.
- Testing the operating effectiveness of the controls would be
inefficient.
Auditing standards point out that the auditor needs to be satisfied
that performing only substantive procedures would be effective in
restricting detection risk to an acceptable level. For example, the
auditor may determine that performing tests of controls would be
inefficient for an entity that has a limited number of long-term debt
transactions because corroborating evidence can be obtained by examining the
loan agreements and confirming relevant information.
2) A reliance strategy:
Means that the auditor intends to rely on the entity's controls.
Needs a more detailed understanding of internal control to develop a
preliminary or "planned" assessment of control risk.
Then, plan and perform tests of controls.
Use the test results to assess the "achieved" level of control risk.
If the test results indicate that achieved control risk is higher than
planned, the auditor will increase the planned substantive
procedures and document the revised control
risk assessment. If the planned level of control risk is supported, no
revisions of the planned substantive procedures are required.
• The level of control risk is documented, and substantive procedures are
then performed. Keep in mind that there may be different degrees of
control reliance for different business processes or assertions within a
process.
• Keep in mind there is no single strategy for the entire audit.
• From a practical standpoint, the level of control risk is normally set in
terms of the assertions about classes of transactions and events for the
period under audit. (see Table 6-4 below)
3rd step: It is important to understand that auditing standards require some
substantive evidence for all significant accounts and assertions. Thus, a
reliance strategy reduces but does not eliminate the need to gather
substantive evidence.
Table 6-4 presents the assertions related to transactions and events that were discussed in
chapter 5 and control activities that are normally in place for and tracking of
prenumbered documents is a control procedure typically found in each business process
to ensure occurrence and completeness.
FIGURE 6-3 Flowchart of the Auditor's Consideration of Internal Control and Its
Relation to Substantive Procedures
LO 7 Understanding Internal Control
A. Overview:
a. Understanding of the five components of Internal Controls includes
knowledge about design and whether relevant controls have been put in place.
The auditor is required to:
• Identify the types of potential misstatement.
• Pinpoint the factors that affect the risk of material misstatement.
• Design tests of controls and substantive procedures
b. In determining if an IT specialist is needed, the following factors should be
considered:
• The complexity of the entity's IT systems and controls and the manner in
which they are used in conducting the entity's business.
• The significance of changes made to existing systems, or the
implementation of new systems.
• The extent to which data are shared among systems.
• The extent of the entity's participation in electronic commerce.
• The entity's use of emerging technologies.
• The significance of audit evidence that is available only in electronic form.
c. The ways that the IT specialists help the auditor engagement team:
• Inquire of the entity's IT personnel about how data and transactions are
initiated, authorized, recorded, processed, and reported
• And about how IT controls are designed
• Inspect the system's documentation
• Observe the operation of IT controls
• Plan and perform tests of IT controls.
d. The auditor should have sufficient IT-related knowledge to communicate the
assertions to the IT specialist, to evaluate whether the specified procedures,
and to evaluate the results of the audit procedures completed by the IT
specialist.
e. The auditor may use the following audit procedures to understand a client's
internal control. Three examples are:
• Inquiry of appropriate management, supervisory, and staff personnel.
• Inspection of entity documents and reports.
• Observation of entity activities and operations.
B. Understanding the control environment (because it will directly impact the
achievement of the objectives of the IC system):
a. The auditor should gain sufficient knowledge about the control environment
to understand management's and the board's attitudes, awareness, and actions
concerning the control environment.
b. Auditor uses questionnaire to obtain an understanding of the Control
Environment
C. Understanding the entity's risk assessment process:
a. Auditor should understand
• How management considers risk relevant to financial reporting
• How management deals with those risks
• It helps determine the magnitude of control risk
D. Understanding the Information System and Communications
a. The auditor should gain enough information of the IS to understand the
following:
• The classes of transactions in the entity's operations that are significant to
the financial statements.
• The control procedures by which transactions are initiated, authorized,
recorded, processed, and reported, from their occurrence to their inclusion
in the financial statement.
• The related accounting records, whether electronic or manual, supporting
information and specific accounts in the financial statement that are
involved in initiating, recording, processing, and reporting transactions.
• How the information system captures other events and conditions that are
significant to the financial statements.
• The financial reporting process used to prepare the entity's financial
statements, including significant accounting estimates and disclosures.
b. The auditor needs to study each business process that affects significant
account balances in the financial statements, which includes knowing how
transactions are done, how documents and records are created and moved
through the general ledger, and the financial statement.
c. The auditor must understand the control procedures related to the planning of
the financial statement and the disclosures.
• The procedures used to enter transactions totals into the general ledger,
• The procedures used to initiate, authorize, record, and process journal
entries in the general ledger.
• Other procedures used to record recurring and nonrecurring adjustments to
the financial statements.
E. Understanding Control Activities
a. Auditor uses walkthroughs to develop an understanding of control activities
b. Auditor decides to work more on control activities if:
• Follows a reliance strategy
• The control activities that relate to assertion for which a lower level of
control risk is expected
c. Auditor works less on control activities if:
• Follows a substantive strategy
• Sets control risk at the maximum
• Believes the internal controls are unlikely to be effective
F. Understanding of monitoring of controls:
a. Understand major types of activities to monitor IC such as source of
documents to support activities; and how the latter are used to initiate
corrective actions to IC.
LO 8 Obtain an Understanding of Internal Control
A. Documenting the Understanding of Internal Control can be achieved by using any
combination of the following methods.
a. Procedures Manuals and Organizational Charts
• Help the auditor document understanding of the internal control system
• Manuals include documentation of accounting systems and related control
activities
• Organizational chart presents the designated lines of authority and responsibility
b. Internal Control Questionnaire
• Provides a systematic and comprehensive way to evaluate internal control
• Used in areas with relatively complex internal control structure
• Contains questions about the factors or characteristics of the five internal
control components:
- The control environment,
- The entity's risk assessment process,
- The IT system and related business processes,
- Control activities, and
- Monitoring of control.
c. Flowcharts
• Provides a diagrammatic (visual depiction) representation of the entity's
internal control system making it easier for the auditor to perform
walkthroughs.
• Outlines the configuration of the system in terms of functions, documents,
processes, and reports
• Facilitates an analysis of the system strengths and weaknesses
d. Narrative Description = Memo
• Provides a simple, written memorandum that documents the understanding
of internal control
• Used for entities with simple internal control system
B. The Effect of Entity Size on Internal Control
a. Large entities implement the components in the fashion described (ex.
Written code of conduct)
b. Middle and small entities: use less formal or alternative approaches (ex.
Developing culture that emphasizes integrity, ethics through example of the
owner-manager) because they have:
• Effective communication channels due to the size; better control as the
manager is involved in day-to-day activities; less hierarchy, better
management's visibility; effective monitoring as the manager gets
involved in the operations
C. The Limitations of an Entity's Internal Control
a. An internal control system should be designed and operated to provide
reasonable assurance that an entity's objectives are being achieved. The
concept of reasonable assurance recognizes that the cost of an entity's internal
control system should not exceed the benefits that are expected to be derived.
Balancing the cost of controls with related benefits requires considerable
estimation and judgment from management.
b. Limitations
• Major causes of fraud - Inadequate internal control and compliance, and
management override of internal control
• Management Override of Internal Control
- Management can make a lower-level employee record entries in
the accounting records that are not consistent with the substance of the
transactions
- Manager can enter into side agreements with customers to alter the
terms and conditions of the sales contract.
• Human Errors and Mistakes on Judgment
- Unintentional
• Collusion
- Another major cause of fraud
- Can destroy segregation of duties
LO 9 Assessing Control Risk
A. Assessing control risk
• The process of evaluating the effectiveness of an entity's internal control in
preventing, or detecting and correcting, material misstatements in the financial
statements. (Can be performed concurrently with understanding an entity's
"IC".)
• Control risk at maximum = substantive strategy
• Control risk at a lower level = reliance strategy
Set control risk below maximum
• Identify specific controls relevant to specific assertions
• Perform test of controls
• Conclude on the achieved level of control risk
B. Identifying Specific controls that will be relied upon
• The auditor's understanding of internal control is used to identify the controls
that are likely to prevent, or detect and correct, material misstatements in
specific assertions.
- Some of the controls the auditor will rely upon have a pervasive effect on
many assertions. (E.g. the conclusion that an entity's control environment
is highly effective may influence the auditor’s decision about (hich
auditing procedures are to be performed.%
ome controls only affect an individual assertion contained in a financial
statement account. $.g. a credit check performed on a customer’s order
specifically related to the valuation assertion for the accounts receivable
balance.
LO 10 Performing Testing of Control
Performing Tests of Controls:
Tests of controls are performed in order to provide evidence to support the lower level
of control risk. Procedures that are used for T.O.C include inquiry, inspection of
documents, observation, re-performance or combinations of those procedures (i.e.
walkthroughs). (Note the audit procedures that are NOT here such as confirmations,
footing and many more. Think about why.) The auditor is going to choose controls
to test based on their importance in preventing or detecting a material misstatement.
The auditor will need to look at both their design and operating effectiveness.
  - Test of controls directed toward the design effectiveness: evaluating whether
    that control is suitably designed to prevent, or detect and correct material
    misstatements.
  - Test of controls directed toward the operating effectiveness: assessing how the
    control was applied, the consistency with which it was applied during the
    audit period, and by whom it was applied. The operating effectiveness can be
    affected by whether the control is manual or automated. Manually performed
    controls may be subject to human errors and mistakes, while automated
    controls (if properly designed) should operate more consistently and hence
    the auditor does not need to test as many instances.
Types of Tests of Controls and Examples
• Inquiry of appropriate entity personnel.
  Example: Inquiry of credit manager about the policies for writing off
  uncollectible accounts.
• Inspection of documents, reports, or electronic files indicating the
  performance of the control.
  Example: Inspect bank reconciliations prepared by the internal auditors.
• Observation of the application of the control.
  Example: Observe how controls are applied to the handling of cash to ensure
  that there is proper segregation of duties.
• Reperformance of the application of the control by the auditor.
  Example: Reperform the authorization control used for granting credit.
Concluding on the Achieved Level of Control Risk:
- After T.O.C, the auditor should reach a conclusion on the achieved level of control
risk. The achieved level of control risk is used together with the assessed level of
inherent risk to determine the level of detection risk; the level of detection risk is
then used to determine the nature, timing, and extent of substantive tests.
- If T.O.C is consistent with the planned assessment of control risk, no revision in the
nature, timing or extent of substantive procedures is necessary. Otherwise, a revision
is needed.
Documenting the Achieved Level of Control Risk
- The auditor should document the achieved level of control risk for the controls
evaluated, using a structured working paper, an internal control questionnaire, or a
memorandum.
(Example of how account characteristics affect the auditor’s understanding of internal
control, control risk assessment and planned substantive procedures is described in table
:-;, !<=>)
LO 11 Substantive Procedures
A. The last step in the decision process in Audit Strategy. Substantive
Procedures include substantive analytical procedures and test of details.
B. The nature, extent and timing of substantive procedures may vary for two
different entities as a function of the detection risk level for the inventory account,
which is part of the purchasing process. In the following examples, audit risk is
set low for both clients.
• Client one: High RMM, detection risk is low. To achieve a low detection risk
the auditor must:
  - Obtain more reliable types of evidence (confirmation and
    re-performance)
  - Conduct most of the audit work at year end
  - Make the test more extensive (larger sample size)
  - Fill the Assurance Buckets almost entirely with Substantive Evidence
• Client two: low RMM, detection risk is high, which means:
  - Less reliable types of evidence can be used
  - Most of the audit work can be conducted at an interim date
  - Test of the inventory account would involve a smaller sample size
A major difference between these two strategies involves the physical
examination of the inventory on hand.
• Low detection risk strategy: examined at year end because the control risk was
assessed to be high
• High detection risk strategy: examined at an interim date because the control
risk assessment indicates little RMM.
LO 12 Timing of Audit Procedures
The interim tests of controls are conducted sometime during the time frame G8/*2
**8/=.
A. Interim Test of Controls
a. Test controls at interim date because:
  - Assertion being tested may not be significant
  - The control has been effective in prior audits
  - Efficient to conduct the tests at that time
b. If the controls are not operating effectively it gives the auditor time to reassess
control risk and modify audit plan.
c. The auditor can also inform management so misstatements can be located.
d. Additional work after the interim period should address:
• Significance of assertion
• The evaluation of design and operations of the relevant controls
• Results of test of controls
• The length of the remaining period
• The planned substantive procedures in determining the nature and extent
of audit work for the remainder of the period
B. Interim Substantive Procedures
a. Conducting substantive procedures at interim date may increase ROMM, but
the auditor can control this by:
• Considering when it is appropriate to examine an account at an interim
date and by performing selected audit procedures for the period between
the interim date and year end
b. Consider these factors:
• Control environment
• Availability of information at a later date
• Purpose of substantive procedures
• Assessed ROMM
• Nature of the class of transactions or account balances
• Ability to perform substantive procedures to cover the remaining period to
reduce ROMM
c. Some additional substantive procedures are ordinarily conducted in the
remaining period.
d. If a misstatement is detected, the auditor must revise the planned procedures for the
remaining period or additional ones at year end.
LO 13 Auditing Accounting Applications Processed by Service Organizations
A. When a service organization provides accounting services to an entity, those
services are considered part of the entity's information system and relevant to
financial reporting.
B. Auditor’s Concerns
Because the entity's transactions are subjected to the controls of the service
organization, one auditor concern is the internal control system at the service
organization.
• Significance of Control of service relies on the nature and materiality of
the transactions and the degree of interaction between the transactions activities and
the client’s activities (example: if client initiates transactions and service
organization executes and does ACCT. processing of transactions → Large
degree of interaction)
• After obtaining an understanding of internal control, the auditor identifies
controls that are applied by the entity or the service organization that
might allow an assessment of reduced control risk.
C. Service Organizations:
• Mortgage bankers: service mortgages
• Trust departments: invest or hold assets for employee benefit plans
• IT service Center (most freq): process payroll and related accounting
reports
D. The auditors need to understand the client’s internal control components in order
to identify controls that are applied by the client or the service organization that
will allow an assessment of reduced control risk.
Type I and Type II Reports
Since service organizations process data for many customers, most of the time
an auditor issues an attestation report on their operations. A service organization’s
auditor can issue one of two types of reports.
Type I is a report on management’s description of a service organization’s system
and the suitability of the design of controls at a specific point of time.
• Management’s description of the system
• Written assertion by management that the description fairly represents the
system
• The controls are suitable to achieve management’s controls by a certain
date
Type II is a report on management’s description of a service organization’s
system and the suitability of the design and operating effectiveness of control.
• Management’s description of the system
• Written assertion by management that the description fairly represents the
system
• The controls are suitable to achieve management’s controls by a certain
date
• PROVIDES ASSURANCE ON THE OPERATING EFFECTIVENESS
OF CONTROL
Reports Content (Type I / Type II)
• Independent service auditor’s report (i.e. opinion):
  Type I: Included; Type II: Included
• Service organization’s description of controls:
  Type I: Included; Type II: Included
• Information provided by the independent service auditor; includes a
  description of the service auditor’s tests of operating effectiveness and
  the results of those tests:
  Type I: Optional; Type II: Included
• Other information provided by the service organization (e.g. glossary of
  terms):
  Type I: Optional; Type II: Included
E. An auditor may reduce control risk below the max only on the basis of a service
auditor’s report that includes test of the controls.
F. Although financial statement audits of private companies do not include an audit of
the entity's entire system of internal control, the auditor may discover deficiencies in
the entity's internal controls during the audit.
LO 14 Communication of Internal Control-Related Matters
A. Under the Sarbanes-Oxley Act of 2002 management of public companies must
prepare an assertion on the internal control and the auditor must issue an opinion
on the effectiveness of the internal control. For private companies there’s no need
to audit their internal control but the auditor will find deficiencies during the
audit.
• A control deficiency in the internal control exists when the operation of
control does not allow management or employees to perform their assigned
functions.
• A material weakness is a combination of deficiencies when there is a
reasonable possibility that material misstatement of the financial statements
will not be prevented, detected and corrected.
• A significant deficiency is a combination of deficiencies that is less severe
than material weakness but important enough to get the attention of those in
charge.
B. Examples of circumstances that may be control deficiencies, significant
deficiencies, or material weakness:
Deficiencies in the design of controls
• Inadequate design of internal control over the preparation of the financial
statements being audited.
• Inadequate design of internal control over a significant account or process.
• Inadequate documentation of the components of internal control.
• Insufficient control consciousness within the organization, for example, the
tone at the top and the control environment.
• Absent or inadequate segregation of duties within a significant account or
process.
• Absent or inadequate controls over the safeguarding of assets.
• Inadequate design of information technology general and application controls.
• Employees or management who lack the qualifications and training to fulfill
their assigned functions
• Inadequate design of monitoring controls
• The absence of an internal process to report deficiencies in internal control to
management on a timely basis.
Failures in the operation of internal control
• Failure in the operation of effectively designed controls over a significant
account or process.
• Failure of the information and communication component of internal control
to provide complete and accurate output because of deficiencies in timeliness,
completeness, or accuracy.
• Failure of controls designed to safeguard assets from loss, damage, or
misappropriation.
• Failure to perform reconciliations of significant accounts
• Undue bias or lack of objectivity by those responsible for accounting
decisions
• Misrepresentation by client personnel to the auditor (an indicator of fraud).
• Management override of controls.
• Failure of an application control caused by a deficiency in the design or
operation of an IT general control.
• An observed deviation rate that exceeds the number of deviations expected by
the auditor in a test of operation effectiveness of a control.