9.401 Auditing Chapter 9 The Study of Internal Control and Assessment of Control Risk


Post on 21-Dec-2015


Page 1: 9.401 Auditing Chapter 9 The Study of Internal Control and Assessment of Control Risk

9.401 Auditing

Chapter 9

The Study of Internal Control and Assessment of Control Risk

Page 2

Generally Accepted Auditing Standard

5100.02 (ii) A sufficient understanding of internal control should be obtained to plan the audit. When control risk is assessed below maximum, sufficient appropriate audit evidence should be obtained through tests of controls to support the assessment. [Oct. 1992]

Page 3

Internal Control

consists of the policies and procedures established and maintained by management to assist in achieving its objectives

Page 4

Those objectives are…

1) Effectiveness and efficiency of operations
- safeguarding of assets
- Prevention and detection of fraud

2) Reliability of financial reporting

3) Compliance with applicable laws, regulations and policies

As far as is practical. Mgmt can and should consider consequences and risks of non-control and costs of control implementation.

Page 5

Factors Affecting Internal Control

- The entity’s size
- The entity’s organization and ownership characteristics
- The nature of the entity’s business
- The diversity and complexity of the entity’s operations
- The entity’s methods of transmitting, processing, maintaining, and accessing information
- Applicable legal and regulatory requirements

Page 6

Criteria of Control (COCO) Board of the CICA

A person performs a task guided by an understanding of its purpose (the objective to be achieved) and supported by capability (information, resources, supplies, and skills). The person will need a sense of commitment to perform the task well over time. The person will monitor his or her performance and the external environment to learn about how to do the task better and about changes to be made. The same is true of any team or work group.

[Diagram: Purpose, Commitment, Capability, Action, Monitoring & Learning]

Page 7

Elements of Internal Control

Elements of internal control include:
- Control environment
- General computer control systems and procedures
- Accounting System
- Accounting System Control Procedures

Page 8

Control Environment

the collective effect of various factors on establishing, enhancing or reducing the effectiveness of internal control policies and procedures. Such factors include:
- Management Philosophy and Operating Style;
- The functioning of the board of directors and internal control, particularly the audit committee;
- Organizational Structure;
- Methods of Assigning Authority and Responsibility;
- Management Monitoring Methods; Internal Audit; and Personnel Policies and Practices
- Management reaction to external Influences
- Systems Development Methodology

Page 9

Control Environment

- Reflects the overall attitude, awareness, commitment and actions of management concerning the importance of internal control and its emphasis in the entity.
- Strengths and weaknesses in control environment factors are likely to have a pervasive effect on the financial statements.
- An effective control environment interacts with control systems. It may reduce the impact that the absence of certain control systems might otherwise have. It also strengthens the impact of controls in place.
- An ineffective control system may impair the effectiveness of control systems.

Page 10

General computer control systems

- Establish controls over info system processing activities
- Affect multiple classes of transactions

Page 11

General computer control systems

General Control System: Means…

Org and Mgmt controls
- policies and procedures are established
- programmer and operator functions separate

Systems acquisition, development and maintenance controls
- policies and procedures to ensure systems are authorized, efficient and function according to objectives

Operations and Information Systems Support
- system should be available and used for authorized purposes (=training, documentation, controlled access, backup and recovery)

Page 12

The Accounting System

= the policies and procedures involving the
- Collection
- Transcribing
- Processing
- And reporting of data

Page 13

Accounting System Control Procedures

= policies and procedures that enhance the reliability of accounting data
- Occurrence
- Completeness
- Accuracy (valuation), Posting
- Classification
- Timing

-often involves “checks”, “reconciles”, “compares”, “verifies”, “ensures”…..

Page 14

Segregation of duties

Ensures that no-one is in a position to commit or profit from an error/fraud and cover it up.

To work, these duties MUST be separate:
- Authorization of transaction
- Custody of assets (including cheques, cash, inventory etc.)
- Recording of transaction
- Periodic reconciliation
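
An added example, not part of the original slides: a check that flags any transaction where one person performed more than one of the four duties listed above, or where a duty has no recorded performer. The log layout, transaction IDs and user names are constructed for illustration.

```python
from collections import defaultdict

# The four duties the slide lists as needing separate people.
DUTIES = ("authorization", "custody", "recording", "reconciliation")

# Constructed sample data: who performed each duty on each transaction.
SAMPLE_LOG = [
    {"txn": "CHQ-1001", "authorization": "avery", "custody": "blake",
     "recording": "casey", "reconciliation": "devon"},
    # Same person approved the payment and booked it (ID typed inconsistently).
    {"txn": "CHQ-1002", "authorization": "Avery ", "custody": "blake",
     "recording": "avery", "reconciliation": "devon"},
    # Custodian also reconciles, and nobody is recorded as authorizing.
    {"txn": "CHQ-1003", "authorization": "", "custody": "blake",
     "recording": "casey", "reconciliation": "blake"},
]


def review_transaction(entry):
    """Return (conflicts, missing) for one transaction.

    conflicts maps a person to the duties they held (two or more, in
    DUTIES order); missing lists duties with no performer recorded.
    """
    held = defaultdict(list)
    missing = []
    for duty in DUTIES:
        # Normalize IDs so "Avery " and "avery" count as the same person.
        person = (entry.get(duty) or "").strip().lower()
        if person:
            held[person].append(duty)
        else:
            missing.append(duty)
    conflicts = {p: d for p, d in held.items() if len(d) > 1}
    return conflicts, missing


def sod_exceptions(log):
    """Return {txn: {"conflicts": ..., "missing": ...}} for failing transactions."""
    report = {}
    for entry in log:
        conflicts, missing = review_transaction(entry)
        if conflicts or missing:
            report[entry["txn"]] = {"conflicts": conflicts, "missing": missing}
    return report


if __name__ == "__main__":
    for txn, finding in sod_exceptions(SAMPLE_LOG).items():
        print(txn, finding)
```
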

Page 15

Other Controls

- Proper Authorization (general or specific)
- Adequate documents
  - Prenumbered or sequentially numbered + follow-up of missing items
  - Prepared on a timely basis
  - Sufficiently simple, easy to fill out

Page 16

Other Controls

- Safeguards over access to and use of assets
- Safeguards over access to and use of records
  - Physical and logical
- Independent verification of performance and accuracy of recorded amounts
  - Inventory counts, bank recs.
  - Input or output checks (eg. Check digits, reasonableness limits)
  - Comparison of documents, quantities, prices

Page 17

Acquiring Understanding of IC

At minimum, auditor must acquire understanding of:
- Control environment
- General computer control systems and procedures
- Accounting System

Page 18

Purpose of Understanding IC

1) Assess auditability (depends on mgmt integrity, adequacy of record and general controls)

2) Familiarity with client to facilitate audit:
- Major classes of transactions
- How they’re initiated
- What records and documents exist
- How transactions are processed and reported

Therefore, helps auditor design tests and identify potential misstatements

3) Assess Preliminary Control Risk

Page 19

Further Investigation of IC

- If auditor believes reliance on IC (ie. CR<100%) may be possible AND efficient, investigate further the control procedures in place
- Make preliminary assessment of Control Risk

Page 20

Preliminary Assessment of CR

1) Identify transaction audit objective (existence/occurrence, completeness etc.)

2) Identify specific controls
- remember effects of control environment and general computer controls

3) Identify and evaluate weaknesses

o Determine potential misstatements that could occur and effect on audit

o Consider compensating controls

Page 21

How to investigate IC

Update and evaluate previous working papers

Inquiries of Client Personnel

Read client policy and systems manuals

Examine documents and records: perform transaction walk-through

Observe activities and operations

Page 22

Documenting the Understanding of the Internal Control

A number of tools are available to the auditor for documenting the understanding of the internal control including:

- Copies of the entity's procedures manuals and organizational charts
- Narrative descriptions
- Internal control questionnaires
- Flowcharts

Page 23

Further Investigation of IC

If preliminary CR<100%, perform tests of controls on KEY CONTROLS to ensure:
- Control was operating as described, with sufficient effectiveness, throughout period of reliance

Tests may include:
- Inquiry of personnel (requires corroboration)
- Examine documents, records, reports
- Observe activities (eg. Segregation of duties, test data)
- Reperform procedures if possible

If control is computerized, test and ensure controls exist over changes to program

Page 24

Direction of the Test of Controls Audit Procedures

[Diagram. Completeness direction: sample selection from file of shipping documents; trace to recorded sales. Validity direction: sample selection from file of recorded sales (sales journal); vouch to shipping documents.]

Page 25

Further Investigation of IC

- Revise preliminary control risk with results of tests of controls
- Calculate detection risk and design substantive procedures
  - Combined approach = reliance on both IC and substantive procedures
  - Substantive approach = no reliance on IC as either unjustified or inefficient

Page 26

Audit Cost Trade-off

[Figure: Audit Cost Tradeoff. Horizontal axis: Control Risk Assessment (High, Medium, Low). Vertical axis: Audit cost. Curves: Year end audit work cost, Internal control evaluation cost, Total Cost.]

Page 27

Communications with the Client

- Systems improvements are communicated to the client by the management letter, which is written at the end of field work
- Section 5220 requires communication of all significant internal control weaknesses
- Section 5750 “Communication of Matters Identified During the Financial Statement Audit” eg. Fraud or illegal acts
- 5220 and 5750 don’t have to be in writing

Page 28

Communicating Internal Control Weaknesses

Reportable conditions
- Absence of appropriate segregation of duties
- Absence of appropriate reviews and approvals of transactions
- Evidence of failure of control procedures
- Evidence of intentional management override
- Evidence of willful wrongdoing by employees or management, including manipulation, falsification or alteration of accounting records

Page 29

Material Weaknesses

A material weakness in internal control is defined as a reportable condition in which the design or operation of one or more of the specific internal control elements does not reduce to a relatively low level the risk that errors or irregularities in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions (AU 325.15).

Page 30

Limitations of Internal Control

- Human failures such as simple errors or mistakes
- Management override
- Collusion
- Cost/benefit
- Unusual transactions

Because of these limitations, as long as the item is material, it is generally necessary to do at least some substantive testing.