
Chapter 8: Understanding and assessing internal control

Internal control is the process designed and implemented by those charged with governance, management and other personnel to provide reasonable assurance regarding the achievement of the entity's objectives concerning financial reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations. ASA 315.4

Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett


Auditors' assessment of risk of material misstatement is affected by their understanding of the control environment (ASA315.25)

Financial report level
Risks that relate pervasively to the financial report as a whole and potentially affect many assertions (ASA315.A118ff)

Assertion level
Assists in determining the nature, timing and extent of further audit procedures at the assertion level necessary to obtain sufficient appropriate audit evidence (ASA315.A122ff)


The auditor must consider the audit risk for each assertion for each significant account balance, class of transactions and disclosure, and reduce it to an acceptable level.

Internal control is designed and implemented to address business risks that threaten the (ASA315.A51):

reliability of the entity's financial reporting
effectiveness and efficiency of the entity's operations
compliance with applicable laws and regulations.


Control risk is the risk that a material misstatement could occur in an assertion and not be prevented or detected on a timely basis by the entity's internal control. If control risk is assessed at less than high, tests of control need to be performed to gain evidence that specific control activities have been effectively and consistently applied throughout the period under audit.
Tests of control will be discussed in chapter 9.

Achieving satisfactory internal control is initially a management responsibility, although ultimate responsibility rests with those charged with governance.
Preventative controls
Used to prevent undesirable events or errors

Detection controls
Used to identify events or errors if they have occurred.

control breakdowns as a result of the actions of careless or fatigued staff, or intentional collusion
the possibility of management override
the existence of non-routine transactions for which internal controls were not devised.
Note: The concept of reasonable assurance recognises that the cost of management establishing and maintaining controls may outweigh the benefits of adopting controls.

Risks are identified and minimised.
Management decision making is effective and business processes efficient.
Transactions are carried out in accordance with management's authorisation.
Laws, rules and regulations are complied with.
Transactions are promptly and accurately recorded.
Access to assets is permitted in accordance with management's authorisation.
Asset records are compared with existing assets at reasonable intervals.

Management controls focus on overall effectiveness and efficiency, e.g. establishing lines of authority, monitoring external and internal risks, etc.
Transaction controls deal mostly with the reliability of accounting information, e.g. recording transactions, checking for accuracy and the existence of recorded assets, etc.


controls to monitor and minimise business risks.
segregation of incompatible duties and responsibilities.
system of authorisation, recording and procedures adequate to provide control over assets, liabilities, revenues and expenses.
sound business practices such as pre-numbering of transactions and sequence checks.
capabilities commensurate with responsibilities.


Five elements of IC outlined in ASA315.14-23:

1. control environment
2. entity's risk-assessment process
3. information system
4. control activities
5. monitoring of controls.

Includes governance and management's overall attitude, awareness and actions regarding IC and its importance in the entity (ASA315.A76ff). Auditors should consider:

communication and enforcement of integrity and ethical values
commitment to competence
participation by those charged with governance
management's philosophy and operating style
organisational structure
assignment of authority and responsibility
human resource policies and practices.

Entity's way of identifying and responding to business risks. Once risks are identified, management needs to consider their significance and how they should be managed. Management may introduce plans to address specific risks or it may accept a risk on a cost-benefit basis.

An effective information system establishes the records and the methods that:
Identify and record all valid transactions.
Resolve incorrect processing of transactions.
Process and account for system overrides.
Transfer information from transaction processing systems to the general ledger.
Capture information relevant to financial reporting for events and conditions other than transactions.
Present the transactions and related disclosures properly in the financial report.

An important feature of the information system is the audit trail.

Audit trail:
Individual transactions can be traced through each step of the accounts to their inclusion in the financial report and, similarly, from the financial report the amounts can be vouched or traced back to original source documentation.

Main elements:

Source documents: the initial records of transactions in the system. Processing usually creates a source document when a transaction is executed
Journal
Ledger.


Policies and procedures established by management to ensure its directives are carried out. Can pertain to:

performance reviews (e.g. comparing actual with budget)
information processing, in an information technology (IT) environment comprising general IT controls and application controls (discussed later this chapter)
physical controls (e.g. locked storerooms for inventory)
segregation of duties (the most basic of which is to have different individuals responsible for handling of assets and the keeping of records relating to those assets).

Control activities can be related to financial report assertions:

occurrence (e.g. authorisation and approval of transactions)
completeness (e.g. accounting for sequence of transactions)
accuracy (e.g. checking dollar amounts back to supporting documentation)
cut-off (e.g. independent review of transaction recording around balance date)
classification (e.g. independent checking of account coding).

Monitoring of controls:

A process to assess the effectiveness of the performance of internal control. It involves:


evaluating the design and operation of controls
taking corrective action where necessary.

Management may monitor controls through ongoing activities such as supervisory activities and/or separate evaluations. In many entities internal auditors contribute to the monitoring process.

An auditor gains an understanding of the control environment by:


making inquiries of key management personnel
inspecting documented policies and procedures
observing activities and operations.

Auditor needs to determine how management identifies business risks, estimates their significance, assesses their likelihood of occurrence and decides upon actions to manage them. If auditor identifies a risk of material misstatements that management failed to identify, they need to consider whether management should have identified it and, if so, why the process failed.

Auditor is required to obtain sufficient knowledge of the information system to understand:


significant classes of transactions
initiation of transactions
records, documents and accounts
accounting processing
financial reporting processes
controls surrounding journal entries.

Being able to follow transaction flows (the audit trail) is an important technique in understanding the information system.

Auditor is required to obtain an understanding of how the entity monitors internal control over financial reporting and initiates corrective actions.
In many entities, internal auditors contribute to the monitoring of an entity's activities. The auditor needs to obtain an understanding of the sources of the information related to the entity's monitoring activities and the basis upon which management considers the information to be sufficiently reliable.

internal control questionnaires and checklists.
narrative memoranda: written description of internal control policies and procedures.
flowcharts.

After obtaining an understanding of the five components of internal control, the auditor assesses control risk for the assertions in the related account balances, class of transactions or events and disclosures.
The auditor must decide whether to assess control risk for a particular assertion as high or as less than high.

The auditor may assess control risk as high because the entity's internal control policies and procedures in the area:
are poor and do not support less than a high assessment
may be effective, but the audit tests would be more time-consuming than performing direct substantive tests
do not pertain to the particular assertion.

The auditor may decide to assess control risk as less than high when it improves audit efficiency. If the auditor assesses control risk as less than high, the auditor must obtain sufficient evidence to support that level.
First, the auditor identifies specific control activities that are likely to prevent or detect material misstatements. Next, the auditor performs tests of controls to evaluate the effectiveness of these control activities.

This process is followed for each account balance or transaction class that is material to the financial report.

Auditor's assessment of control risk is used in planning substantive tests for the various assertions within the transaction classes or account balances. The higher the level of assessed control risk, the lower the level of reliance placed on the internal control and the more assurance the auditor must obtain from substantive tests. The impact of effective internal control on the nature, timing and extent of substantive tests will be discussed in chapter 10.

ASA315.18 requires the auditor to have an understanding of the information system, including the related business processes. Many auditors now use what is known as the COBIT (control objectives for information and related technology) framework to identify how the business processes and the IT processes interrelate with each other.

While COBIT is an IT governance framework, it is also useful for auditors in obtaining an understanding of IT. The COBIT framework is organized into four domains as follows:

planning and organization: how the entity directs the deployment of IT resources and the delivery of services
acquisition, implementation and maintenance: how the entity defines and analyses requirements for projects
delivery and support: how the entity establishes physical and logical security to safeguard IT resources.
monitoring: how the entity reviews performance and corrects deviations from operational and procedural standards.

The COBIT framework identifies seven categories of threats to the computer information requirements of the entity as follows:
availability
confidentiality
integrity
effectiveness
efficiency
compliance
reliability.

Two main categories:

1. User controls: those controls established and maintained by departments whose processing is performed by computer.
2. IT controls: those controls established and maintained at the location of the computer, for example in data-processing departments.


CAATs are used to help identify IT application controls.
CAATs are used to perform a walk-through of a computer system. The auditor traces one or more transactions of each type through the system, identifying the related controls over the transaction.
Copies of the relevant data on a copy of the production software, run on a system that is separate from the actual accounting system, are used to ensure that the data in the system is not compromised.

IT controls can be further divided into general and application controls.

general controls are those controls that relate to a number of application systems
application controls relate to a particular application.

User controls are always application controls.



General controls relate to all or many computerised accounting applications, e.g. controls over changes to application software.
General controls include:
segregation of duties
control over programs
control over data.

Application controls are manual or automated procedures that operate at a business process level and therefore apply to the processing of individual applications. The reliance that can be placed on application controls often depends on the reliability of the general controls. Application controls contribute to achievement of specific control objectives that the auditor considers in tests of controls.

Control totals: detect errors in input or processing. Generally, there are three types:
financial totals
record totals
hash totals.

Review and reconciliation of data by users.
Formal error correction and resubmission procedures.
Authorisation controls help ensure that only valid transactions and batches of transactions are processed.
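
The three control totals listed above, worked through on a small batch. This is an added example, not material from the textbook slides; the record layout, the choice of account number as the hashed field, the function names and the sample transactions are all assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account_no: int   # non-financial field, summed only for the hash total
    amount: Decimal   # dollar field, summed for the financial total


@dataclass(frozen=True)
class ControlTotals:
    financial_total: Decimal  # sum of a dollar field across the batch
    record_total: int         # number of records in the batch
    hash_total: int           # sum of a field whose sum has no meaning of its own


def control_totals(batch):
    """Compute the three control totals for a batch of transactions."""
    return ControlTotals(
        financial_total=sum((t.amount for t in batch), Decimal("0")),
        record_total=len(batch),
        hash_total=sum(t.account_no for t in batch),
    )


def reconcile(expected, processed):
    """Return the names of the totals that no longer agree after processing."""
    actual = control_totals(processed)
    names = ("financial_total", "record_total", "hash_total")
    return [n for n in names if getattr(expected, n) != getattr(actual, n)]


# Constructed sample batch; the totals are taken before data entry.
BATCH = [
    Txn(10482, Decimal("1250.00")),
    Txn(20917, Decimal("89.95")),
    Txn(30266, Decimal("410.10")),
    Txn(40731, Decimal("72.00")),
]
EXPECTED = control_totals(BATCH)

# Constructed error cases, one per kind of input or processing error.
DROPPED = BATCH[:3]  # last record lost in processing
TRANSPOSED = BATCH[:1] + [Txn(20917, Decimal("98.95"))] + BATCH[2:]  # 89.95 keyed as 98.95
MISPOSTED = BATCH[:2] + [Txn(30226, Decimal("410.10"))] + BATCH[3:]  # wrong account number

if __name__ == "__main__":
    cases = [("clean", BATCH), ("dropped", DROPPED),
             ("transposed", TRANSPOSED), ("misposted", MISPOSTED)]
    for label, processed in cases:
        print(label, reconcile(EXPECTED, processed) or "totals agree")
```

Each total catches a different error: a mis-keyed amount moves only the financial total, and a wrong account number with the right amount moves only the hash total. Errors that offset each other within a batch leave all three totals unchanged, so control totals work alongside the other application controls on this list.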

Usually classified into the following categories:


input controls
file controls

processing controls
output controls.

Auditor should start by examining general controls.


If general controls are unreliable, an auditor has little confidence in programmed application controls and reduced confidence in manual application controls, so the auditor takes a more substantive approach to the audit.
If general controls are reliable, an auditor makes a preliminary evaluation of application controls.
If reliance on application controls is then planned, a more detailed evaluation of these controls is made, and the auditor determines the appropriate degree of testing of controls and substantive testing.

An effective internal audit function can significantly strengthen the monitoring of control. ASA 610.A1 recognizes that internal auditing may be useful to the external auditor as it may affect audit risk and therefore the nature, timing and extent of audit procedures. Extent of reliance is dependent on evaluation of internal audit function by external auditor.

Note: ASA610.6ff Relationship between ASA315 & ASA 610



While recognising the similarities between the external and internal audit functions, it is important to bear in mind the fundamental differences between them. The following major differences can be identified:

1. objectives
2. independence
3. qualifications.

For external audit, above elements regulated by legislation; for internal audit, above elements determined by those charged with governance.


ASA610.15ff requires that when determining whether the work of the internal audit is likely to be adequate for external audit purposes, the external auditor must evaluate the internal audit's:
1. Objectivity: the internal audit's status in the entity.
2. Technical competence: whether internal auditing personnel have adequate technical training and proficiency.
3. Due professional care: whether internal auditing is properly planned, documented, supervised and reviewed.
4. Effectiveness of communication: whether there will be effective communication between internal audit and external auditor.


The external auditor is required to undertake a general evaluation of the internal audit function as part of the review of the client's internal control. ASA610.21-25 requires that an external auditor who relies on specific internal audit work to support an assessment of control risk must evaluate and test that work to ensure that it is adequate for external audit purposes. Purpose of review is to determine whether the work of internal audit is appropriate and to ascertain whether adequate standards have been applied. Internal auditing further considered in Ch. 14.

The study and evaluation of internal control is an important aspect of a financial report audit. The auditor must obtain a sufficient understanding of the entity's internal control, including the internal audit function if applicable. The auditor's understanding of the internal control must be documented in the audit working papers through completed flowcharts, questionnaires and/or narrative descriptions. The auditor then needs to perform tests of controls, assess control risk for each significant financial report assertion and document this assessment. The external auditor may use the work of internal auditors.