Copyright 2003 McGraw-Hill Australia Pty Ltd
PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett
Slides prepared by Roger Simnett 1
CHAPTER 8
UNDERSTANDING THE INTERNAL CONTROL STRUCTURE AND ASSESSING CONTROL RISK
AUDIT STRATEGY AND INTERNAL CONTROL STRUCTURE
To reach a conclusion on reliability of underlying accounting data, the auditor can:
• Test the accounting data (substantive approach).
• Perform procedures to review and evaluate the internal control structure to see whether accounting data was developed under conditions likely to ensure accuracy and reliability (lower assessed level of control risk approach).
The auditor adopts the best combination of these two approaches.
STRUCTURE OF AND RESPONSIBILITY FOR INTERNAL CONTROL
Internal control structure is:
Management’s philosophy and operating style, and all the policies and procedures adopted by management to assist in achieving the entity’s objectives
Management is responsible for establishing, maintaining and monitoring the internal control structure.
INHERENT LIMITATIONS OF INTERNAL CONTROL STRUCTURE
Inherent limitations arise because of:
• Control breakdowns as a result of the actions of careless, fatigued or deviant staff
• The possibility of management override
• The existence of non-routine transactions for which internal controls were not devised
REASONABLE ASSURANCE
The internal control structure should be designed to provide reasonable assurance that assets are safeguarded and accounting records are reliable.
The concept of reasonable assurance recognises that, in some cases, the cost of establishing and maintaining controls can outweigh the benefits of adopting them.
OBJECTIVES OF INTERNAL CONTROL STRUCTURE
Management controls:
• Risks are identified and minimised
• Management decision making is effective and business processes efficient
Transaction controls:
• Transactions are carried out in accordance with management’s general or specific authorisations
• Transactions are promptly and accurately recorded so as to allow the preparation of financial reports
• Access to assets is limited in accordance with authorisation
• Asset records are compared with existing assets at reasonable intervals
MANAGEMENT CONTROLS
Management controls include activities such as:
• Communicating business objectives and goals
• Establishing lines of authority and accountability
• Establishing and enforcing appropriate codes of corporate conduct
• Monitoring both external and internal risk environments
• Defining policies and procedures for dealing with these risks
• Monitoring performance of key segments of the entity through performance indicators and benchmarking
TRANSACTION CONTROLS
Performed by staff and lower level management.
Every transaction goes through the identifiable steps of authorisation, execution and recording. The accuracy and reliability of transaction records depend on:
• Authorisation and approval — Transactions are appropriately authorised.
• Occurrence — Recorded transactions represent events that occurred.
• Completeness — All authorised transactions are recorded.
• Measurement — Transactions are accurately recorded in the proper amounts, proper account classification and proper accounting period.
• Safeguarding — Access is restricted to authorised personnel.
• Reconciliation — Recorded amounts are periodically reconciled with counts of assets.
CHARACTERISTICS OF A SATISFACTORY INTERNAL CONTROL STRUCTURE
• Controls to monitor and minimise business risks
• Segregation of incompatible duties and responsibilities
• System of authorisation, recording and procedures to provide control over assets, liabilities, revenues and expenses
• Sound business practices in performance of duties and functions
• Capabilities commensurate with responsibilities
ELEMENTS OF THE INTERNAL CONTROL STRUCTURE
• Control environment
• Information system
• Control procedures
CONTROL ENVIRONMENT
The control environment includes management’s overall attitude, awareness and actions regarding internal control and its importance in the entity. (AUS 402.04/ISA 400.08)
CONTROL ENVIRONMENT EVALUATION
The auditor should consider:
• Management’s philosophy and operating style
• Entity’s organisational structure
• Assignment of authority and responsibility
• Existence and effectiveness of internal audit
• Use of information technology
• Competence and integrity of entity’s human resources
• Existence and effectiveness of audit committee
INFORMATION SYSTEM
Consists of the methods and records established to:
• Identify, assemble, analyse, classify, record and report exchange transactions and relevant events and conditions; and
• maintain accountability for entity’s assets, liabilities, revenues and expenditures.
CONTROL PROCEDURES
• Includes both the policies and the procedures that management has established to ensure its directives are carried out.
• Control procedures are added to the accounting system to ensure that system produces accurate and reliable data.
EVALUATING CONTROL PROCEDURES
The auditor will be interested in control procedures aimed at ensuring internal control objectives concerning:
• Authorisation and approval, e.g. control of access
• Occurrence, e.g. proper use of documents
• Completeness, e.g. accounting for sequence of pre-printed documents
• Measurement, e.g. use of control totals
• Safeguarding, e.g. physical protection
• Reconciliations, e.g. inventory counts
INTERNATIONAL DEVELOPMENTS
• In 1992, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in the USA identified an extended set of internal control procedures.
The five components of internal control structure identified by COSO are:
• Control environment
• Monitoring
• Risk assessment
• Information and communication
• Control activities
IAASB AUDIT RISK SUBCOMMITTEE
Considering revision of the applicable auditing standards to reflect the strategic business risk approach.
The approach appears to:
• Enhance the required understanding of internal control
• Include a requirement to evaluate internal control for:
  – significant risks; and
  – other risks for which it is not practicable or possible to reduce audit risk to an acceptably low level using substantive procedures alone.
Significant change to current standards, where the auditor does not have to evaluate internal controls if control risk is set at high.
CONSIDERING THE INTERNAL CONTROL STRUCTURE IN A FINANCIAL REPORT AUDIT
• For every audit, irrespective of intended reliance on IC, the auditor must obtain sufficient understanding of internal control structure to plan audit and determine tests to be performed.
• The nature and extent of auditor’s consideration of internal control structure varies considerably across audits and depends on audit strategy.
STEPS IN AUDITOR’S CONSIDERATION OF INTERNAL CONTROL STRUCTURE
Fig. 8.2 Steps in auditor’s consideration of the internal control structure (p. 338)
UNDERSTANDING THE CONTROL ENVIRONMENT
The auditor gains an understanding of the control environment by:
• Making enquiries of key management personnel
• Inspecting documented policies and procedures
• Observing activities and operations
• Considering past experience with client
UNDERSTANDING THE INFORMATION SYSTEM
The auditor is required to obtain sufficient knowledge of the information system to understand:
• Major classes of transactions
• Initiation of transactions
• Records, documents and accounts
• Accounting processing
• Financial reporting procedures
UNDERSTANDING THE CONTROL PROCEDURES
An auditor is required to obtain an understanding sufficient to develop an audit plan (AUS 402.23/ISA 400.20).
Procedures include:
• Discussion with client management and staff
• Inspection of documentation
• Observation of the entity’s activities, operations and procedures
• Walkthrough - auditor traces one or a few transactions of each type through the related documents and accounting records, observing related processing and control procedures in operation
PROCEDURES TO DOCUMENT UNDERSTANDING OF INTERNAL CONTROL STRUCTURE
• Internal control questionnaires and checklists
• Narrative memoranda
• Flowcharts
ASSESSMENT OF CONTROL RISK AS HIGH
Control risk will be assessed as high when:
• Entity does not have internal controls that relate to specific assertion;
• Testing of internal controls is likely to indicate internal controls are weak; or
• Testing of internal controls is not the most efficient method of obtaining audit evidence.
ASSESSING CONTROL RISK AS LESS THAN HIGH
For each assertion where control risk is assessed as less than high:
• Tests of controls need to be performed to ensure the design and operation of the control are adequate to support the lowered assessed level of control risk
• The acceptable level of detection risk is higher, and as a result fewer substantive procedures are expected to be performed
LEVELS OF CONTROL IN COMPUTERISED SYSTEMS
Two main categories:
• User controls: those controls established and maintained by departments whose processing is performed by computer.
• CIS controls: those controls established and maintained in the location of the computer, for example in data-processing departments.
CIS CONTROLS AND GENERAL AND APPLICATION CONTROLS
• CIS controls can be further divided into general and application controls: general controls if they relate to a number of application systems, application controls if they relate to a particular application.
• User controls are always application controls, given their purpose.
GENERAL CONTROLS
Manual and computer controls that relate to all or many computerised accounting applications to provide a reasonable level of assurance that overall objectives of internal control are achieved.
General controls include:
• Segregation of duties
• Control over programs
• Control over data
SEGREGATION OF DUTIES
Auditor especially interested in:
• Separation between CIS and user department functions
• Separation of incompatible functions within CIS department, especially those with an understanding of system from those with access to system
SEGREGATION OF DUTIES WITHIN CIS
Separate positions within the CIS department:

Knowledge: those with an understanding of systems and programs
• CIS manager
• Systems analysts
• Applications programmers

Access: those with access to the computer, production programs and data files
• Computer operators
• Data-entry clerks (no access to computer console, data control records or programs)
• Data-control clerks (no access to computer console)
• Librarian (no access to computer console)
• Systems programmers*

* The position of systems programmer must have access to perform the function. Systems programmers should have no detailed knowledge of the company’s accounting systems or application programs.
Table 8.1 Segregation of duties within CIS (p. 352)
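The knowledge/access split in Table 8.1 is the kind of rule an auditor or IAM engineer checks mechanically against a system's role assignments. The block below is an added example, not code from the textbook: the position names are those of the table, while the user-to-position assignments, the separate "console access" privilege and the way the two rules are encoded are assumptions made for the illustration.

```python
"""Segregation-of-duties check modelled on Table 8.1 (knowledge vs access).

Added example, not from the textbook. Position names come from the table;
the assignments, the console privilege and the rule encoding are assumed.
"""
from collections import defaultdict

# Positions grouped as in Table 8.1.
KNOWLEDGE = {"CIS manager", "Systems analyst", "Applications programmer"}
ACCESS = {"Computer operator", "Data-entry clerk", "Data-control clerk",
          "Librarian", "Systems programmer"}
# Positions the table says must have no access to the computer console.
NO_CONSOLE = {"Data-entry clerk", "Data-control clerk", "Librarian"}


def sod_violations(assignments, console_users):
    """Return a sorted list of (user, reason) for incompatible combinations.

    assignments:   iterable of (user, position) pairs; a user may hold several
    console_users: set of users who can log on at the computer console (assumed
                   to be taken from the system's access-control list)
    """
    held = defaultdict(set)
    for user, position in assignments:
        held[user].add(position)

    findings = []
    for user in sorted(held):
        positions = held[user]
        know, acc = positions & KNOWLEDGE, positions & ACCESS
        # Rule 1: knowledge of systems and programs must not be combined with
        # access to the computer, production programs or data files.
        if know and acc:
            findings.append((user, "knowledge %s combined with access %s"
                             % (sorted(know), sorted(acc))))
        # Rule 2: positions the table bars from the console must not have it.
        barred = positions & NO_CONSOLE
        if user in console_users and barred:
            findings.append((user, "console access while holding %s"
                             % sorted(barred)))
    return findings


# Constructed sample data (not from the textbook).
SAMPLE_ASSIGNMENTS = [
    ("alice", "Applications programmer"),
    ("alice", "Computer operator"),   # writes and runs production code: conflict
    ("bob",   "Systems analyst"),
    ("carol", "Data-entry clerk"),
    ("dave",  "Systems programmer"),  # access only; permitted by the table
    ("erin",  "Librarian"),
]
SAMPLE_CONSOLE_USERS = {"alice", "carol", "dave"}  # carol should not be here


if __name__ == "__main__":
    for user, reason in sod_violations(SAMPLE_ASSIGNMENTS, SAMPLE_CONSOLE_USERS):
        print(f"{user}: {reason}")
```

The table's last constraint, that systems programmers have no detailed knowledge of the accounting applications, cannot be derived from role data alone and still has to be established by enquiry and observation.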
CONTROL OVER PROGRAMS
Includes control over:
• Development or acquisition of new programs
• Changes to existing programs
• Access to programs
• Systems software
CONTROL OVER DATA
• Control procedures in user departments to ensure restricted access (e.g. key passes)
• Control procedures in CIS departments at the input and processing stages
• Restriction of access to data files (e.g. passwords)
OTHER GENERAL CONTROLS
• These include controls that back up hardware, software and files and ensure recovery when the computer installation or particular files or programs are damaged.
• These do not normally have an effect on an auditor’s control risk assessment.
APPLICATION CONTROLS
• Relate to individual computerised accounting applications (e.g. debtors)
• Contribute to achievement of specific control objectives considered by auditor in tests of controls
• Can be programmed or manual and located in either the user departments or CIS department
USER DEPARTMENT APPLICATION CONTROLS
• Control totals:
  – Financial totals
  – Record totals
  – Hash totals
• Review and reconciliation of data
• Error correction and resubmission procedures
• Authorisation of each transaction and batch of transactions
CIS APPLICATION CONTROLS
Usually classified in the following categories:
• Input
• File
• Processing
• Output
INPUT CONTROLS
• Control totals
• Key verification
• Key entry verification
• Programmed controls:
  – Check digit
  – Limit or reasonableness test
  – Field test
  – Valid code test
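The four programmed input controls on this slide are easiest to understand as validation rules applied to each record before it is accepted for processing. The block below is an added example, not code from the textbook: the record layout, the choice of the mod-10 (Luhn) scheme for the check digit, the amount ceiling and the account-code table are all assumptions; the slide names only the control types.

```python
"""Programmed input controls: check digit, limit/reasonableness test, field
test and valid code test, run over a constructed batch of sales records.

Added example, not from the textbook. Record layout, the Luhn (mod-10)
check-digit scheme, the amount ceiling and the code table are assumed.
"""

VALID_ACCOUNT_CODES = {"4000", "4010", "4020"}  # assumed sales-ledger codes
MAX_AMOUNT_CENTS = 5_000_000                     # assumed reasonableness ceiling


def check_digit_ok(number: str) -> bool:
    """Mod-10 (Luhn) check digit: the last digit must make the weighted sum a
    multiple of 10, so a single mis-keyed digit or an adjacent transposition
    is rejected at input rather than reaching the ledger."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: dict) -> list:
    """Return the list of control failures for one record (empty = accepted)."""
    errors = []
    amount = str(rec.get("amount_cents", ""))
    # Field test: the amount must be an unsigned whole number of cents.
    if not amount.isdigit():
        errors.append("field test: amount_cents is not numeric")
    # Limit / reasonableness test: zero and implausibly large amounts rejected.
    elif not 0 < int(amount) <= MAX_AMOUNT_CENTS:
        errors.append("limit test: amount outside 1..%d" % MAX_AMOUNT_CENTS)
    # Valid code test: the account must exist in the chart of accounts.
    if rec.get("account") not in VALID_ACCOUNT_CODES:
        errors.append("valid code test: unknown account %r" % rec.get("account"))
    # Check digit on the customer number.
    if not check_digit_ok(str(rec.get("customer", ""))):
        errors.append("check digit: customer number fails mod-10")
    return errors


def validate_batch(records):
    """Split a batch into accepted records and (record, errors) rejects."""
    accepted, rejected = [], []
    for rec in records:
        errs = validate_record(rec)
        if errs:
            rejected.append((rec, errs))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample batch (not from the textbook). 79927398713 passes Luhn.
SAMPLE_BATCH = [
    {"customer": "79927398713", "account": "4000", "amount_cents": "125000"},   # clean
    {"customer": "79927398710", "account": "4000", "amount_cents": "125000"},   # bad check digit
    {"customer": "79927398713", "account": "9999", "amount_cents": "500"},      # unknown account
    {"customer": "79927398713", "account": "4010", "amount_cents": "12a"},      # non-numeric amount
    {"customer": "79927398713", "account": "4020", "amount_cents": "99999999"}, # over limit
]


if __name__ == "__main__":
    ok, bad = validate_batch(SAMPLE_BATCH)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for rec, errs in bad:
        print(rec["customer"], rec["account"], errs)
```

Rejected records are returned with every failed test rather than only the first, which is what the error-correction and resubmission procedure in the user department needs.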
FILE CONTROLS
Include:
• Internal file labels — computer-readable data that identifies the content of a file
• External file labels — printed or handwritten labels attached to the disk or tape
PROCESSING CONTROLS
• Programmed control procedures:
  – Checking numerical sequence of records
  – Comparing related fields
• Run-to-run control totals
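Control totals appear three times on these slides: prepared in the user department (financial, record and hash totals), carried run to run through processing, and alongside sequence checking of document numbers as the completeness control. The block below is an added example, not code from the textbook, serving all three passages: the record layout and the constructed batches are assumptions; the controls are the ones the slides name.

```python
"""Batch control totals (record, financial and hash totals) reconciled run to
run, plus a numerical sequence check for completeness.

Added example, not from the textbook. Record layout and batches are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Totals:
    records: int     # record total: number of records in the batch
    financial: int   # financial total: sum of the amount field (cents)
    hash_total: int  # hash total: sum of a non-financial field (customer no.);
                     # meaningless as a value but sensitive to altered keys


def control_totals(batch):
    """Compute the three batch totals over a list of dict records."""
    return Totals(
        records=len(batch),
        financial=sum(r["amount_cents"] for r in batch),
        hash_total=sum(r["customer"] for r in batch),
    )


def reconcile(expected, actual):
    """Run-to-run check: list the totals that disagree between two stages."""
    diffs = []
    for name in ("records", "financial", "hash_total"):
        e, a = getattr(expected, name), getattr(actual, name)
        if e != a:
            diffs.append(f"{name}: expected {e}, got {a}")
    return diffs


def sequence_check(batch, key="doc_no"):
    """Completeness check: return (missing, duplicated) document numbers."""
    nums = sorted(r[key] for r in batch)
    if not nums:
        return [], []
    seen, dups = set(), set()
    for n in nums:
        (dups if n in seen else seen).add(n)
    missing = [n for n in range(nums[0], nums[-1] + 1) if n not in seen]
    return missing, sorted(dups)


# Constructed batches (not from the textbook).
USER_BATCH = [   # as authorised and totalled in the user department
    {"doc_no": 1001, "customer": 10023, "amount_cents": 125000},
    {"doc_no": 1002, "customer": 10047, "amount_cents": 8000},
    {"doc_no": 1003, "customer": 10023, "amount_cents": 42050},
    {"doc_no": 1004, "customer": 10091, "amount_cents": 99900},
]
# Output of a processing run that lost document 1003 and mis-keyed a customer.
RUN_A = [USER_BATCH[0], USER_BATCH[1],
         {"doc_no": 1004, "customer": 10019, "amount_cents": 99900}]
# A run where record and financial totals agree; only the hash total reveals
# the transposed customer number on document 1004.
RUN_B = USER_BATCH[:3] + [{"doc_no": 1004, "customer": 10019, "amount_cents": 99900}]


if __name__ == "__main__":
    expected = control_totals(USER_BATCH)
    for label, run in (("run A", RUN_A), ("run B", RUN_B)):
        print(label, reconcile(expected, control_totals(run)),
              "sequence:", sequence_check(run))
```

Run B is the case that justifies hash totals: the financial total and record count both agree with the user department's figures, and only the sum over the customer-number field shows that a transaction was posted to the wrong account.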
OUTPUT CONTROLS
These include:
• Restricted distribution
• Automatic dating of reports
• Page numbering
• End-of-report messages
RELATIONSHIP BETWEEN THE REVIEW OF GENERAL AND APPLICATION CONTROLS
• Should start internal control evaluation by looking at general controls.
• If general controls are unreliable, auditor has little confidence in programmed application controls and reduced confidence in manual application controls => auditor takes more substantive approach to the audit.
• If general controls are reliable, auditor makes preliminary evaluation of application controls. If reliance on application controls is then planned, a more detailed evaluation of these controls is made => auditor determines appropriate degree of testing of controls and substantive testing.
CONTROL SYSTEMS IN DIFFERENT ENVIRONMENTS: DATABASE SYSTEMS
• A database is a computer-readable file of records that is used by many accounting applications.
• In order to handle processing of data, a system software program called a database management system (DBMS) is used.
• Guidance on auditing database systems is contained in AGS 1022/IAPS 1003.
STAND-ALONE PC SYSTEMS
• In such systems the distinction between general and application controls might be blurred and controls might be less structured. For this reason control risk might be assessed at maximum level.
• Guidance on auditing stand-alone PC systems is contained in AGS 1018/ IAPS 1001.
LANS AND OTHER NETWORKS
• Networking PCs means that processing is distributed to PCs at many locations.
• This can cause problems with security and control procedures as they are more dispersed and intensify control risk.
COMPUTER SERVICE BUREAU
• Computer service bureau is a centre or service entity that performs computer applications for another company.
• A common application processed through a service entity is payroll.
• AUS 404/ISA 402 provides an auditor with guidance on audit implications of using a computer service entity.
CONSIDERING THE WORK OF AN INTERNAL AUDITOR
• AUS 604/ISA 610 recognises that an external auditor is able to use the work of an internal auditor to assist in an audit engagement.
• Extent of reliance is dependent on evaluation of internal audit function by external auditor.
DIFFERENCES BETWEEN INTERNAL AND EXTERNAL AUDITOR
• These differences are:
  – Objectives
  – Independence
  – Qualifications of each of the auditors
• For an external audit, each of these elements is regulated by the Corporations Act, while they are determined by management for an internal audit.
EVALUATING INTERNAL AUDIT
External auditors should consider:
• Organisational status
• Scope of internal auditing
• Technical competence
• Due professional care
USING THE SERVICES OF INTERNAL AUDIT
• Overall responsibility for audit engagement remains with external auditor.
• External auditor is required to undertake general evaluation as part of review of IC structure.
• If external auditor plans to rely on internal audit, they should carefully review internal auditor’s working papers and procedures to ensure testing is sufficient to meet their requirements, and that conclusions outlined in working papers are appropriate.