CHAPTER 6: INTERNAL CONTROL

1) INTERNAL CONTROL – OVERVIEW

a) Definition of Internal Control

- internal control is designed and carried out by an entity to provide reasonable assurance about the achievement of the
entity’s objectives in the following categories:

o (1) reliability, timeliness, and transparency of internal and external, nonfinancial and financial reporting;

o (2) effectiveness and efficiency of operations, including safeguarding of assets;

o (3) compliance with applicable laws and regulations.

→ Helps management better control the organization and gives boards of directors an added ability to oversee internal control.

b) Controls Relevant to the Audit

- The controls that are of most direct relevance to a financial statement audit are those that contribute to the reliability,
timeliness, and transparency of external financial reporting. These controls are relevant to an audit because they help to
prevent, or detect and correct, material misstatements in the entity’s financial statements.

- Controls relating to operations, compliance, and other types of reporting may be relevant when they have an impact on
data the auditor uses to apply audit procedures (analytical)

c) The Effect of Information Technology on Internal Control

- Information technology (IT) can affect internal control because IT affects the way transactions are initiated, authorized,
recorded, processed, and reported.

- An entity’s mix of manual and automated controls varies with the nature and complexity of the entity’s use of IT.

- The risks to internal control vary depending on the nature and characteristics of the entity’s information system.

2) COSO FRAMEWORK

- A direct relationship exists between objectives (which reflect what an entity is striving to achieve), components (which
represent what the entity needs to do in order to achieve the objectives), and the structure of the entity (the operating
units, legal entities, and other).

- Requirements: An effective system provides reasonable assurance that the risk of not achieving an entity objective is
reduced to an acceptable level. For a control system to be considered effective, each of the five components and relevant
principles must be present and functioning, and the five components must operate together in an integrated manner.

3) PLANNING AN AUDIT STRATEGY (Substantive vs Reliance)

- This section discusses how to determine the level of control risk in the audit risk model.

- Step 1: Develop an understanding of internal control by:

o Evaluating the design of controls.

o Determining if the controls have been

- Step 2: Document the understanding of internal control.

- Step 3: Decide whether or not to rely on the entity’s controls for assurance about management’s financial statement
assertions

o If the auditor’s risk assessment procedures indicate that the controls are not properly designed or not implemented,
the auditor will not rely on the controls → set control risk at high and use substantive procedures to reduce the
risk of material misstatement.

o If the auditor’s risk assessment procedures suggest that the controls are properly designed and implemented → rely
on the controls; tests of controls are required to be performed to obtain audit evidence that the controls are
operating effectively.

- Keep in mind:

o there is no single strategy for the entire audit; rather, the auditor establishes a strategy for individual business
processes or by specific assertion within a business process

o even when auditors follow a reliance strategy, the amount of assurance obtained by controls testing will vary from
assertion to assertion.

- a reliance strategy reduces but does not eliminate the need to gather substantive evidence.

a) Substantive Strategy

- a substantive strategy still requires the auditor to have a sufficient understanding of the entity’s internal controls to know
whether they are properly designed and implemented. (5 factors)

- Reasons for substantive strategy for assertions:

o The implemented controls do not pertain (relate) to the assertion the auditor is considering.

o The implemented controls are assessed as ineffective.

o Testing the operating effectiveness of the controls would be inefficient.

- The auditor next documents the level of control risk as being set at high, and substantive procedures are designed and
performed based on the assessment of a high level of control risk. Therefore, when the auditor follows a substantive
strategy, the assurance bucket is filled with some evidence from the risk assessment procedures and an extensive amount
of evidence from substantive procedures

b) Reliance Strategy

- A reliance strategy means that the auditor intends to rely on the entity’s controls.

- The auditor may need a more detailed understanding of internal control to develop a preliminary or “planned” assessment of
control risk. The auditor will then plan and perform tests of controls.

o If the test results indicate that achieved control risk is higher than planned, the auditor will normally increase the
planned substantive procedures and document the revised control risk assessment.

o If tests of controls support the planned level of control risk, no revisions of the planned substantive procedures are
required

- The level of control risk is documented, and substantive procedures are then performed

- the level of control risk is normally set in terms of the assertions about classes of transactions and events for the period
under audit

4) OBTAIN AN UNDERSTANDING OF INTERNAL CONTROL

a) Overview

- an understanding of each of the five components of internal control, knowledge about the design of relevant controls and
whether they have been placed in operation.

- The auditor uses this knowledge to

o Identify the types of potential misstatement.

o Pinpoint the factors that affect the risk of material misstatement.

o Design tests of controls and substantive procedures

- the auditor should consider the complexity and sophistication of the entity’s operations and systems, including the extent to
which the entity relies on manual controls or on automated controls. The auditor may determine that the engagement team
needs an IT specialist.

- The auditor may use the following audit procedures to obtain an understanding of an entity’s internal control:

o Inquiry of appropriate management, supervisory, and staff personnel.

o Inspection of entity documents and reports.

o Observation of entity activities and operations.

b) Understanding the Control Environment

- to understand management’s and the board of directors’ attitudes, awareness, and actions concerning the control
environment.

c) Understanding the Entity’s Risk Assessment Process

- to understand how management considers risks relevant to financial reporting objectives and decides on appropriate actions
to address those risks

Example: Suppose an entity operates in the oil industry, where there is always some risk of environmental damage. The auditor
should obtain sufficient knowledge about how the entity manages its environmental risks, because environmental accidents can
result in costly litigation against the entity.

d) Understanding the Information System and Communications

- to understand the following:

o The classes of transactions in the entity’s operations that are significant to the financial statements.

o The control procedures by which transactions are initiated, authorized, recorded, processed, and reported, from
their occurrence to their inclusion in the financial statements.

o The related accounting records, whether electronic or manual, supporting information, and specific accounts in the
financial statements that are involved in initiating, recording, processing, and reporting transactions.

o How the information system captures other events and conditions that are significant to the financial statements.

o The financial reporting process used to prepare the entity’s financial statements, including significant accounting
estimates and disclosures.

- The auditor should understand the control procedures used by the entity to provide assurance that financial statements and
related disclosures are properly prepared and presented. Such procedures include:

o The procedures used to enter transaction totals into the general ledger.

o The procedures used to initiate, authorize, record, and process journal entries in the general ledger.

o Other procedures used to record recurring and nonrecurring adjustments to the financial statements.

e) Understanding Control Activities

Example: in examining the information system that pertains to accounts receivable, the auditor is likely to see how the entity
grants credit to customers.

- When the auditor decides to follow a substantive strategy, little work is done on understanding specific control activities.

- When a reliance strategy is followed, the auditor has to understand the control activities that relate to assertions for which a
lower level of control risk is expected.

- Auditors normally use walkthroughs to develop an understanding of control activities.

f) Understanding Monitoring of Controls

- To understand major types of activities that the entity uses to monitor internal control, including the sources of the
information related to those activities, and how those activities are used to initiate corrective actions to its controls.

g) Documenting the Understanding of Internal Control

- standards require that the auditor document his or her understanding of the entity’s internal control components. Tools:

- Procedures Manuals and Organizational Charts:

o Procedures manuals that document the entity’s policies and procedures. Portions of such manuals may include
documentation of the accounting systems and related control activities

o Entity’s organizational chart presents the designated lines of authority and responsibility

- Internal Control Questionnaires: provide a systematic means for the auditor to investigate various areas such as internal
control. It is used for entities with a relatively complex internal control structure. It contains questions about the important
factors or characteristics of the five internal control components. The auditor’s responses to the questions included in the
internal control questionnaire provide the documentation for his or her understanding

- Flowcharts: The flowchart outlines the configuration of the system in terms of functions, documents, processes, and
reports. Use:

o This documentation facilitates an auditor’s analysis of the system’s strengths and weaknesses.

o Flowcharts are also used to document the auditor’s understanding of an entity’s internal control over financial
reporting

- Narrative Description: The understanding of internal control may be documented in a memorandum. This documentation
approach is most appropriate when the entity has a simple internal control system.

→ Auditors use a combination of these tools to document their understanding of the components of internal control, depending on
the complexity of the entity’s internal control system.

h) The Effect of Entity Size on Internal Control

- While large entities may be able to implement the components in the fashion just described, small to midsize entities
sometimes use alternative approaches and still achieve effective internal control.

- While the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small
or midsize entity than in a large entity.

o A small entity can also have effective communication channels due to its size, the fact that there are fewer levels in
the organizational hierarchy, and management’s greater visibility.

o The monitoring component can also be effective in a small to midsize entity as a result of management’s close
involvement in operations

i) The Limitations of an Entity’s Internal Control

- The concept of reasonable assurance recognizes that the cost of an entity’s internal control system should not exceed the
benefits that are expected to be derived. The following are limitations:

- Management Override of Internal Control: The auditor is particularly concerned when senior management is involved in
such activities because it raises serious questions about management’s integrity (harder to detect)

Example: management may enter into concealed side agreements with customers that alter the terms and conditions of the
entity’s standard sales contract in ways that should preclude revenue recognition

- Human Errors or Mistakes: Breakdowns in internal control can occur because of human failures such as simple errors or
mistakes.

Example: If IT personnel do not completely understand how a revenue system should process sales transactions, they may
make software programming errors in modifying or updating the system.

- Collusion: a risk that collusion between individuals will destroy the effectiveness of segregation of duties

Example: an individual who receives cash receipts from customers can collude with the one who records those receipts in the
customers’ records to steal cash from the entity

5) ASSESSING CONTROL RISK: process of evaluating the effectiveness of an entity’s internal control in preventing, or detecting
and correcting, material misstatements in the financial statements

- To set control risk below high (e.g., at moderate or low) under a reliance strategy, the auditor must:

o Identify specific controls that will be relied upon.

o Perform tests of the identified controls.

o Conclude on the achieved level of control risk given results of testing.

a) Identifying Specific Controls That Will Be Relied Upon

- understanding of internal control is used to identify the controls that are likely to prevent, or detect and correct, material
misstatement in specific assertions. Some of the controls the auditor will rely on can have a pervasive effect on many
assertions.

b) Performing Tests of Controls

- Tests of controls are performed in order to provide evidence to support the lower level of control risk when using a
reliance strategy.

o Tests of controls directed toward the effectiveness of the design of a control are concerned with evaluating
whether that control is suitably designed to prevent, or detect and correct, material misstatements

o Tests of controls directed toward operating effectiveness are concerned with assessing how the control was
applied, the consistency with which it was applied during the audit period, and by whom it was applied.

- 4 types of procedures that are used for tests of controls


- A combination of these procedures may be necessary to evaluate the effectiveness of the design or operation of a control

- The operating effectiveness of the control can be affected by whether the control is performed manually (human errors,
mistakes) or is automated (more consistent, no need to test as many instances, with different techniques)

c) Concluding on the Achieved Level of Control Risk

- After the planned tests of controls have been completed, the auditor should reach a conclusion on the achieved level of
control risk. Together with inherent risk, this lets the auditor set the level of detection risk, which determines the nature,
timing, and extent of substantive tests.

o If the tests of controls are consistent with the auditor’s planned assessment of control risk, no revision in the
nature, timing, or extent of substantive procedures is necessary.

o If the tests of controls indicate that the controls are not operating as preliminarily assessed (Achieved risk >
planned), the nature, timing, and extent of planned substantive procedures will have to be modified.

d) Documenting the Achieved Level of Control Risk

- can be documented using a structured working paper, an internal control questionnaire, or a memorandum.

6) SUBSTANTIVE PROCEDURES

- two examples of how the nature, timing, and extent of substantive procedures may vary for two different entities as a
function of the detection risk level

- For entity 1, to achieve a low detection risk the auditor must (1) obtain more reliable types of substantive evidence, such as
confirmation and reperformance; (2) conduct most of the substantive audit work at year-end (as such tests are usually
considered to be stronger than tests done at an interim date); and (3) make the tests more extensive (larger sample size).

- entity 2 has a high detection risk, which means that (1) less reliable types of evidence, such as analytical procedures, can
be obtained; (2) most of the audit work can be conducted at an interim date; and (3) tests of the inventory account would
involve a smaller sample size

7) TIMING OF AUDIT PROCEDURE

a) Interim Test of Control

- Reasons:

o Assertions being tested not significant

o Control has been effective in prior audit

o Efficient use of staff time

o staff accountants may be less busy than at year-end

o if the controls are found not to be operating effectively, the auditor will have more time to reassess the control risk
and modify the audit plan; it also gives the auditor time to inform management so that likely misstatements can be
located and corrected before the rest of the audit is performed

- the need for additional audit work in the period following the interim testing period: the auditor would inquire about the
nature and extent of changes in policies, procedures, or personnel that occurred subsequent to the interim period

b) Interim Substantive Procedures

- Reason:

o Assertion has low control risk

o May increase the risk of material misstatement (MM)

o Still requires year-end testing

8) AUDIT ACCOUNTING APPLICATIONS PROCESSED BY SERVICE ORGANIZATIONS

- an entity may contract to have some or all of its accounting transactions processed by an outside service organization.

- Because the entity’s transactions are subjected to the controls of the service organization, one of the auditor’s concerns is
the internal control system in place at the service organization.

9) COMMUNICATION OF INTERNAL CONTROL – RELATED MATTERS

- A public company must prepare an assertion on internal control effectiveness, and its registered auditor must issue an
opinion on the effectiveness of internal control. This is not required for a private company.

- the auditor may discover deficiencies in the entity’s internal controls during the audit.

o A control deficiency in internal control exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned functions, to prevent, or detect and
correct, misstatements on a timely basis.

o A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a
reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or
detected and corrected, on a timely basis.

o A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe
than a material weakness yet important enough to merit attention by those charged with governance.

→ The auditor must communicate, in writing, any discovered significant deficiencies and material weaknesses to management and
those charged with governance.

10) ADVANCED MODULE 1: TYPES OF CONTROLS IN AN IT ENVIRONMENT

- there are two broad categories of information systems control activities: general controls and application controls.

o General controls relate to the overall information processing environment and have a pervasive effect on the
entity’s computer operations. General controls are sometimes referred to as supervisory, management, or
information technology controls.

o Application controls apply to the processing of specific computer applications and are part of the computer
programs used in the accounting system (for example, revenues or purchasing).

a) General Control

- Data center and network operations.

- System software acquisition, change, and maintenance.

- Access security.

- Application system acquisition, development, and maintenance.

b) Application Control

- Data capture controls: occurrence, completeness, and accuracy assertions.

- Data validation controls.

- Processing controls.

- Output controls.

- Error controls

11) ADVANCED MODULE 2: FLOWCHARTING TECHNIQUES

- A document flowchart (or data flow diagramming) represents the flow of documents among departments in the entity.

- A systems flowchart extends this approach by including the processing steps, including computer processing, in the
flowchart.

- A program flowchart illustrates the operations performed by the computer in executing a program

a) Symbols

b) Organization and Flow

- A flowchart starts in the upper left part of the page and proceeds to the lower right part of the page. When it is necessary
to show the movement of a document or report back to a previous function, an on-page connector should be used. When the
flowchart continues to a subsequent page, the movement of documents or reports can be handled by using an off-page connector.
Flow arrows show the movement of documents, records, or information. When processes or activities cannot be fully
represented by flowchart symbols, the auditor should supplement the flowchart with written comments.
