1 chapter 9 the study of internal control and assessment of control risk
Post on 03-Jan-2016
216 Views
Preview:
TRANSCRIPT
1
CHAPTER 9The Study of
Internal Control and Assessment of
Control Risk
2
What is What is internal internal controlcontrol??
Internal control is a process designed toprovide reasonable assurance regardingthe achievement of management’s ob-jectives regarding:
3
- reliability of financial reporting- operational effectiveness and efficiency- compliance with laws and regulations
Internal control is a process designed toprovide reasonable assurance regardingthe achievement of management’s ob-jectives regarding:
The Foreign Corrupt PracticesAct requires “proper recordkeeping
systems” of SEC companies; i.e., reliable financial statements and ac-
counting records.
4
performpreliminaryanalytical
procedures
Steps in audit planningSteps in audit planning
preplan
understandinternal control
and assesscontrol risk
setmateriality, and
assess acceptableaudit risk andinherent risk
obtainbackgroundinformation
obtain information about client’s legal obligations
5
performpreliminaryanalytical
procedures
Steps in audit planningSteps in audit planning
preplan
Why is an understand- ing of internal control im- portant?
setmateriality, and
assess acceptableaudit risk andinherent risk
understandinternal control
and assesscontrol risk
obtainbackgroundinformation
obtain information about client’s legal obligations
6
Second Fieldwork Standard:A sufficient understanding of internalcontrol is to be obtained to plan the audit and to determine the nature, tim-ing, and extent of tests to be performed.
Why is anunderstanding
of internalcontrol
important?
7
Audit Risk has 3 components Audit Risk has 3 components which combine to make the which combine to make the audit risk modelaudit risk model: (AU 312): (AU 312)
= x xaudit risk
inherent risk
control risk
detection risk
therisk that material
misstatements will not be prevented ordetected by
internal controls
8
- internal control is the client’s respon- sibility and should be designed to help the client attain goals- internal control should provide rea- sonable but not absolute assurance; cost/benefit must be considered- internal control has inherent limita- tions (e.g., misunderstandings, mis- takes, fatigue, carelessness, collusion, management override)
Key Internal Control ConceptsKey Internal Control Concepts
9
What are the components of What are the components of internal control?internal control?
10
the controlenvironment
What are the components of What are the components of internal control?internal control?
11
The control environment is theactions, policies, and procedures thatreflect management’s attitude regard-
ing controls and their importance.
All these controls are unnecessary!
12
Factors related to the Control Environment:Factors related to the Control Environment:
- integrity and ethical values
Does man-agement com-municate com-
pany values andbehavioral stan-
dards to personnelthrough policy state-ments, codes of con-
duct, and by example?
Does managementremove or reduce
incentives or temp-tations that mightprompt personnelto engage in dis-honest, illegal,
or unethicalacts?
13
Factors related to the Control Environment:Factors related to the Control Environment:
- commitment to competence
Does management consider com-petence levels for specific jobs
and how those levels translate into requisite skills and knowledge?
14
Factors related to the Control Environment:Factors related to the Control Environment:
- board of directors or audit committee The audit committee maintains communication between the Board of Directors and internal and external auditors. The committee is composed of outside members of the board. SEC companies are required to have an audit committee.
BOARD OFDIRECTORS
auditcommittee
internalauditors
externalauditors
15
Factors related to the Control Environment:Factors related to the Control Environment:
- management’s philosophy and operating style
16
Factors related to the Control Environment:Factors related to the Control Environment:
- management’s philosophy and operating style Consider the following: - their approach to taking and monitoring business risk
17
Factors related to the Control Environment:Factors related to the Control Environment:- management’s philosophy and operating style Consider the following: - their attitude and actions toward financial reporting
18
Factors related to the Control Environment:Factors related to the Control Environment:
- management’s philosophy and operating style Consider the following: - their emphasis on meeting financial and operating goals
...our bonusesare based on net income.We all want fat bonuses!
What can we do?
19
Factors related to the Control Environment:Factors related to the Control Environment:
- organizational structure The auditor should consider lines of responsibility and authority.
20
What are theformal methods that
management uses to communicateinternal controls to
employees?
Factors related to the Control Environment:Factors related to the Control Environment:- assignment of authority and responsibility
EmployeeHandbook
CompanyPolicies
JobDescription
Memo:
21
Factors related to the Control Environment:Factors related to the Control Environment:
- human resource policies and practices Management should ensure that compe- tent, trustworthy, motivated personnel are employed to meet client goals and objectives.
Employees are the critical com-ponent of effective internal control.
22
With competent, trustworthy, motivated per-sonnel, even a poorly designed system ofinternal control may function adequately.
Employees are the critical com-ponent of effective internal control.
23
Without such personnel, even a well-designed system will probably fail.
With competent, trustworthy, motivated per-sonnel, even a poorly designed system ofinternal control may function adequately.
24
Risk assessment for financial reportingis management’s identification and anal-ysis of risks relevant to financial state-
ment preparation in conformity with GAAP.
riskassessment
What are the components of What are the components of internal control?internal control?
25
controlactivities
Control activities are policies and pro-cedures, in addition to those related to
other components, established to enablethe entity to address risks in the achievement of their objectives.
26
1. Adequate separation of duties - separate custody of assets from accounting
Mr. Controller
Categories of Control ActivitiesCategories of Control Activities
27
1. Adequate separation of duties - separate custody of assets from authorization of transactions
As custodian ofthe corporate auto fleet, I hearby authorize retire- ment of auto #43 because of obso- lescence.
#43
joe
Categories of Control ActivitiesCategories of Control Activities
28
1. Adequate separation of duties - separate operational responsibility from record keeping responsibility
Categories of Control ActivitiesCategories of Control Activities
Example: Ace company has two plants; one inGreat Britain and one in the U.S.A. Manage-ment is deciding whether the plant controllersshould report directly to the plant managersor the corporate vice president of finance.
29
plantcontroller
V.P.-production
V.P.- finance
plant manager
plantcontroller
plant manager
plantcontroller
V.P.-production
V.P.- finance
plant manager
plantcontroller
plant manager
plantcontroller
plant manager
Which arrangement creates a potential conflict of interest?
30
plantcontroller
V.P.-production
V.P.- finance
plant manager
plantcontroller
plant manager
Which arrangement creates a potential conflict of interest?
If the plant controller reports directly to theplant manager, a potential conflict of interestexists. In an effort to make that plant’s resultsappear favorable, the plant manager may at-
tempt to influence the plant controller.
31
1. Adequate separation of duties - separate duties within EDP
Categories of Control ActivitiesCategories of Control Activities
32
What kind of company typically has What kind of company typically has difficulty accomplishing adequate difficulty accomplishing adequate
segregation of duties?segregation of duties?
33
What kind of company typically has What kind of company typically has difficulty accomplishing adequate difficulty accomplishing adequate
segregation of duties?segregation of duties?
Small companies frequently have diffi-culty with segregation of duties because
of fewer employees.
34
Collusion is the defeat of adequate sep-aration of duties wherein employees
cooperate to perpetrate fraud.
...we’re agreed.We’ll be rich be-yond our wildest
dreams!
What is collusioncollusion??
35
What is the most effective way to What is the most effective way to preventprevent collusion? collusion?
36
hire competent, trustworthy,motivatedpersonnel
What is the most effective way to What is the most effective way to preventprevent collusion? collusion?
37
Competent, untrustworthy, motivatedpersonnel oftenknow how to conceal theirfraud.
Why is collusion particularly Why is collusion particularly troublesome for auditors?troublesome for auditors?
38
1. Adequate separation of duties2. Proper authorization of transactions and activities
Categories of Control ActivitiesCategories of Control Activities
39
1. Adequate separation of duties2. Proper authorization of transactions and activities - general authorization - management establishes authorization policies
Categories of Control ActivitiesCategories of Control Activities
accountspayablepolicies &procedures
cashreceiptspolicies &procedures
humanresourcespolicies &procedures
40
I’m thepresident and
I want to approveevery cashpayment!
Categories of Control ActivitiesCategories of Control Activities1. Adequate separation of duties2. Proper authorization of transactions and activities - specific authorization - management makes authorizations on a case-by- case basis.
41
1. Adequate separation of duties2. Proper authorization of transactions and activities3. Adequate documents and records should provide reasonable assurance that all assets are properly controlled and all transactions are correctly recorded.
Categories of Control ActivitiesCategories of Control Activities
42
DocumentDocumentGuidelinesGuidelinesDocumentsshould be:prenumbered and accountedfor
PURCHASE ORDER 32494 Date: Vendor: 234 Reynolda Rd. Winston-Salem, NC27109 Purchasing agent: Quantity Description Price
WAIT FORESTU N I V E R S I T Y
total cost of order
Est. shipment date: Terms of sale (including discounts and freight costs): Carrier:
Internal Use Only: (routing instructions)1.PO made in purchasing 3. receiving notes ship2.Copies to vendor, receiv. 4. acctg. reconciles
U N I V E R S I T Y
43
DocumentDocumentGuidelinesGuidelinesDocumentsshould be:preparedduring or soon after therelated transaction
PURCHASE ORDER 32494 Date: Vendor: 234 Reynolda Rd. Winston-Salem, NC27109 Purchasing agent: Quantity Description Price
WAIT FORESTU N I V E R S I T Y
total cost of order
Est. shipment date: Terms of sale (including discounts and freight costs): Carrier:
Internal Use Only: (routing instructions)1.PO made in purchasing 3. receiving notes ship2.Copies to vendor, receiv. 4. acctg. reconciles
U N I V E R S I T Y
44
DocumentDocumentGuidelinesGuidelinesDocumentsshould be:understand-able andcorrectlydesigned(includingrouting andauthorization)
PURCHASE ORDER 32494 Date: Vendor: 234 Reynolda Rd. Winston-Salem, NC27109 Purchasing agent: Quantity Description Price
WAIT FORESTU N I V E R S I T Y
total cost of order
Est. shipment date: Terms of sale (including discounts and freight costs): Carrier:
Internal Use Only: (routing instructions)1.PO made in purchasing 3. receiving notes ship2.Copies to vendor, receiv. 4. acctg. reconciles
U N I V E R S I T Y
45
DocumentDocumentGuidelinesGuidelines
Documentsshould be:designedformultiplepurposes
bc
PURCHASE ORDER 32494 Date: Vendor: 234 Reynolda Rd. Winston-Salem, NC27109 Purchasing agent: Quantity Description Price
WAIT FORESTU N I V E R S I T Y
total cost of order
Est. shipment date: Terms of sale (including discounts and freight costs): Carrier:
Internal Use Only: (routing instructions)1.PO made in purchasing 3. receiving notes ship2.Copies to vendor, receiv. 4. acctg. reconciles
U N I V E R S I T Y
a
46
2. Proper authorization of transactions and activities3. Adequate documents and records4. Physical control over assets and records - locking rooms, fenced areas, fireproof safes, safe deposit boxes, security guards, backup files
Categories of Control ActivitiesCategories of Control Activities
47
2. Proper authorization of transactions and activities3. Adequate documents and records4. Physical control over assets and records5. Independent checks on performance - those reviewing performance should be independent of those performing a task
Categories of Control ActivitiesCategories of Control Activities
48
5. Independent checks on performance
Categories of Control ActivitiesCategories of Control Activities
Separation of duties is the leastexpensive method of performing
independent checks.
49
informationand
communication
What are the components of What are the components of internal control?internal control?
50
The accounting information andThe accounting information andcommunication system should becommunication system should be
designed to satisfy audit objectives.designed to satisfy audit objectives.
informationand
communication
51
- existence - the system should ensure that recorded transactions exist - no fictitious transactions
The accounting information andThe accounting information andcommunication system should becommunication system should be
designed to satisfy audit objectives:designed to satisfy audit objectives:
52
- existence- completeness - the system should en- sure that all existing transactions are recorded
The accounting information andThe accounting information andcommunication system should becommunication system should be
designed to satisfy audit objectives:designed to satisfy audit objectives:
53
How do the How do the existenceexistence and and completenesscompletenessobjectives differ?objectives differ?
The accounting information andThe accounting information andcommunication system should becommunication system should be
designed to satisfy audit objectives:designed to satisfy audit objectives:
- existence- completeness
54
How do the How do the existenceexistence and and completenesscompletenessobjectives differ?objectives differ?
Existence con-cerns the existence offictitious data; i.e., overstatement.
55
How do the How do the existenceexistence and and completenesscompletenessobjectives differ?objectives differ?
Existence con-cerns the existence offictitious data; i.e., overstatement.
Completeness concerns omission of information; i.e., under-
statement.
56
- existence- completeness- accuracy - the system should ensure that recorded transactions are stated at the correct amounts
The accounting information andThe accounting information andcommunication system should becommunication system should be
designed to satisfy audit objectives:designed to satisfy audit objectives:
57
- existence- completeness- accuracy- classification - the system should en- sure that transactions are properly classified, possibly through use of a chart of accounts.
The accounting information andThe accounting information andcommunication system should becommunication system should be
designed to satisfy audit objectives:designed to satisfy audit objectives:
58
- existence- completeness- accuracy- classification- timing - the system should ensure that transactions are recorded on the cor- rect dates. Generally, transactions should be recorded during or shortly after their occurrence.
The accounting information andThe accounting information andcommunication system should becommunication system should be
designed to satisfy audit objectives:designed to satisfy audit objectives:
59
- existence- completeness- accuracy- classification- timing- posting and summarization -the system should ensure that transactions are included in the accounting records and accurately summarized.
The accounting information andThe accounting information andcommunication system should becommunication system should be
designed to satisfy audit objectives:designed to satisfy audit objectives:
60
monitoring
What are the components of What are the components of internal control?internal control?
61
monitoring
Monitoring activities deal with Monitoring activities deal with ongoing or periodic assessmentongoing or periodic assessment
of internal control.of internal control.
62
Internal auditing departmentsInternal auditing departments frequently perform monitoring frequently perform monitoring
activities.activities.
63
monitoringcontrol
activities
riskassessment
the controlenvironment
information andcommunication
What are the components of What are the components of internal control?internal control?
64
ControlExamina-
tionOverview Obtain an understanding
of internal control.
HOW?HOW?
65
ControlExamina-
tionOverview
- review prior year workpapers- interview prior year auditors- interview client personnel- study client policies and procedures- study client documents, records, information and communication system
Obtain an understandingof internal control.
66
ControlExamina-
tionOverview
- narratives- flowcharts- internal control questionnaires
What is aninternal controlquestionnaire?
How do auditors document their under-
standing of internalcontrol?
67
Internal Control QuestionnaireInternal Control Questionnaire
What are theadvantages provided by
an IC questionnaire?
- a series of questions about internal controls and their application to groups of accounts and cycles- generally, a “no” answer indicates an internal control weakness
68
What are theadvantages provided by
an IC questionnaire?
Internal Control QuestionnaireInternal Control Questionnaire
- can be designed to cover most aspects of internal control - is relatively applicable from one en- gagement to another- when complete, can be quickly re- viewed for weaknesses
69
Internal Control QuestionnaireInternal Control Questionnaire
- concentrates on pieces of internal con- trol rather than the system as a whole- has questionable reliability; oral cli- ent responses should be supported by other evidence- may be too standardized for some clients, especially smaller clients
What are thedisadvantages of using
an IC questionnaire?
70
Arefinancial statements
auditable?
ControlExamina-
tionOverview
- management lacks integrity- significantly deficient accounting records or internal controls
When would theWhen would theanswer be answer be NONO??
71
ControlExamina-
tionOverview
Assess control risk, basedon understanding.
72
ControlExamina-
tionOverview
Assess the cost/benefit offurther enhancing under-
standing of internal control.
73
ControlExamina-
tionOverview
high medium low
Assesscontrol
risk.
74
ControlExamina-
tionOverview
- high: poor controls indicate a very risky situation
high medium low
Assesscontrol
risk.
75
ControlExamina-
tionOverview
- high: poor controls indicate a very risky situation- medium: mix of effective and in- effective controls indi- cate a moderate level of risk
high medium low
Assesscontrol
risk.
76
ControlExamina-
tionOverview
- medium: mix of effective and in- effective controls indi- cate a moderate level of risk- low: effective controls indi- cate a low level of risk
high medium low
Assesscontrol
risk.
77
ControlExamina-
tionOverview
Perform tests of controls.
78
ControlExamina-
tionOverview
Decidewhether the initial
internal control assessmentwas appropriate.
79
ControlExamina-
tionOverview
Based on appropriatelevel of detection risk,
perform substantive tests.
80
What are What are reportable conditionsreportable conditions??
Reportable conditions are signifi-cant internal control deficiencieswhich adversely affect financial
data (AU 325).
81
AU 325requires the auditor to com-
municate (oral or written)with the audit committeeregarding the reportable
conditions.
Reportable conditions are signifi-cant internal control deficiencieswhich adversely affect financial
data (AU 325).
top related