Monitoring of controls
5.
3.
size of activities
nature of activities
4.
5.
b. The risk assessment process should consider external and internal events and
circumstances that may arise and adversely affect the entity's ability to
initiate, authorize, record, process and report financial data consistent with
the assertions of management in the F/S.
c. Once risks have been identified, management should consider their
significance, the likelihood of their occurrence and how they should be
managed.
10. Principle 9: The organization selects and develops control activities that
contribute to the mitigation of risks to the achievement of objectives to acceptable
levels.
b. Control activities are commonly categorized into the following four types:
1.
Performance reviews
A strong accounting system should have controls that independently
check the performance of the individuals or processes in the system.
2.
3.
4.
Segregation of duties
11. Principle 11: The organization selects and develops general control activities
over technology to support the achievement of objectives.
-General controls: relate to the overall information processing environment and
include controls over data center and network operations; system software
acquisition, change and maintenance; access security; and application system
acquisition, development, and maintenance.
-Application controls: apply to the processing of individual applications and help
ensure the occurrence (validity), completeness, and accuracy of transaction
processing.
12. Principle 12: The organization deploys control activities through policies that
establish what is expected and procedures that put policies into action.
-policy: rule or guideline that calls for certain activities to take place in certain
circumstances.
-procedure: is the review itself, performed in a timely manner and with attention
given to factors set forth in policy, such as the nature and volume of purchases,
and their relation to furthering the entity's objectives.
D. Information System and Communication
a. Information is necessary for the entity to carry out internal control
responsibilities that support the achievement of its objectives
13. Principle 13: The organization obtains or generates and uses relevant, quality
information to support the functioning of internal control.
-The information system relevant to the financial reporting objectives includes the
accounting system and consists of the procedures and records established to
initiate, authorize, record, process, and report an entity's transactions and to
maintain accountability for the related assets and liabilities. An effective
accounting system gives appropriate consideration to establishing methods and
records that will:
15. Principle 15: The organization communicates with external parties regarding
matters affecting the functioning of internal control.
E. Monitoring of Controls
16. Principle 16: The organization selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components of internal control are
present and functioning.
17. Principle 17: The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for taking corrective
action, including senior management and the board of directors, as appropriate.
evidence that the controls are operating effectively. The auditor will make
an assessment of control risk based on the results of the tests of controls.
Two audit strategies help you to identify HOW the auditor uses the
understanding and assessment of internal control to determine the nature,
timing, and extent of audit procedures:
1) A substantive strategy:
Means that the auditor has decided not to rely on the entity's
controls and instead use substantive procedures as the main source
of evidence about the assertions in financial statements.
The following factors may make the auditor decide to follow a
substantive strategy for some or all assertions:
- The implemented controls do not pertain to the assertion the
auditor is considering.
- The implemented controls are assessed as ineffective.
- Testing the operating effectiveness of the controls would be
inefficient.
Auditing standards point out that the auditor needs to be satisfied
that performing only substantive procedures would be effective in
restricting detection risk to an acceptable level. For example, the
auditor may determine that performing tests of controls would be
inefficient for an entity that has a limited number of long-term debt
transactions because corroborating evidence can be obtained by
examining the loan agreements and confirming relevant information.
2) A reliance strategy:
Means that the auditor intends to rely on the entity's controls.
Need more detailed understanding of internal control to develop a
preliminary or planned assessment of control risk.
Then, plan and perform tests of controls.
Use the test results to assess the achieved level of control risk.
If the test results indicate that achieved control risk is higher than
planned, the auditor will increase the planned substantive
procedures and document the revised control risk assessment. If the
planned level of control risk is supported, no revisions of the
planned substantive procedures are required.
The level of control risk is documented, and substantive procedures are
then performed. Keep in mind that there may be different degrees of
control reliance for different business processes or assertions within a
process.
Keep in mind there is no single strategy for the entire audit.
FIGURE 6-3 Flowchart of the Auditor's Consideration of Internal Control and Its
Relation to Substantive Procedures
The auditor must understand the control procedures related to the planning of
the financial statement and the disclosures.
The procedures used to enter transactions totals into the general ledger,
The procedures used to initiate, authorize, record, and process journal
entries in the general ledger.
Other procedures used to record recurring and nonrecurring adjustments to
Monitoring of control.
c. Flowcharts
Ex. Manager can enter into side agreements with customers to alter the
terms and conditions of the sales contract.
Unintentional
Collusion
Test of controls directed toward the operating effectiveness: assessing how the
control was applied, the consistency with which it was applied during the
audit period, and by whom it was applied. The operating effectiveness can be
affected by whether the control is manual or automated. Manually performed
controls may be subject to human errors and mistakes, while automated
controls (if properly designed) should operate more consistently, and hence
fewer instances need to be tested.
Examples
LO 11 Substantive Procedures
A. Constitute the last step in the decision process in audit strategy. Substantive
procedures include substantive analytical procedures and tests of details.
B. The nature, extent and timing of substantive procedures may vary for two
different entities as a function of the detection risk level for the inventory account,
which is part of the purchasing process. In the following examples, audit risk
is set low for both clients.
Client one: High RMM, detection risk is low. To achieve a low detection risk
the audit must
Low detection risk strategy: examined at year end because the control risk was
assessed to be high
High detection risk strategy: examined at an interim date because the control
risk assessment indicates little RMM.
b. If the controls are not operating effectively it gives the auditor time to reassess
control risk and modify audit plan.
c. The auditor can also inform management so misstatements can be located.
d. Additional work after the interim period should address:
Significance of assertion
The evaluation of design and operations of the relevant controls
Results of test of controls
The length of the remaining period
The planned substantive procedures in determining the nature and extent
of audit work for the remainder of the period
B. Interim Substantive Procedures
a. Conducting substantive procedures at an interim date may increase ROMM, but
the auditor can control this by:
Considering when it is appropriate to examine an account at an interim
date and by performing selected audit procedures for the period between
the interim date and year end
b. Consider these factors:
Control environment
Availability of information at a later date
Purpose of Substantive procedures
Assessed ROMM
Nature of the class of transactions or account balances
Ability to perform substantive procedures to cover the remaining period to
reduce ROMM
c. Some additional substantive procedures are ordinarily conducted in the
remaining period.
d. If a misstatement is detected, the auditor must revise the planned procedures
for the remaining period or perform additional ones at year end.
C. Service Organizations:
Mortgage bankers: service mortgages
D. The auditors need to understand the client's internal control components in order
to identify controls that are applied by the client or the service organization that
will allow an assessment of reduced control risk.
Type I and Type II Reports
Since service organizations process data for many customers, most of the time
an auditor issues an attestation report on their operations. A service organization's
auditor can issue one of two types of reports.
Type I is a report on management's description of a service organization's system
and the suitability of the design of controls at a specific point in time.
Management's description of the system
Written assertion by management that the description fairly represents the
system
The controls are suitable to achieve management's controls by a certain
date
Type II is a report on management's description of a service organization's
system and the suitability of the design and operating effectiveness of controls.
Management's description of the system
Written assertion by management that the description fairly represents the
system
The controls are suitable to achieve management's controls by a certain
date
PROVIDES ASSURANCE ON THE OPERATING EFFECTIVENESS
OF CONTROLS
Reports Content
Independent service auditor's report
(i.e. opinion)
Type I
Included
Type II
Included
Included
Included
Optional
Included
Optional
Included
E. An auditor may reduce control risk below the max only on the basis of a service
auditor's report that includes tests of the controls.
F. Although financial statement audits of private companies do not include an audit of
the entity's entire system of internal control, the auditor may discover deficiencies in
the entity's internal controls during the audit.