Chapter 6

Internal Control in a Financial

Statement Audit

McGraw-Hill/Irwin

2008 The McGraw-Hill Companies, All Rights Reserved

Internal Controls in Financial Statement Audits

What is internal control?
What does the auditor need to know about internal
control?
How does the auditor use his/her knowledge of
Internal control in conducting the audit?
What are the documentation requirements?
What are the communication requirements related
6-2
to the auditors internal control findings?

Internal Control
(315.04 and .13)

LO# 3

Objectives

Reliability of
Financial
Reporting

Effectiveness
& Efficiency of
Operations

Compliance
with Laws &
Regulations

Generally, internal controls pertaining to the preparation of

financial statements for external purposes are the controls
relevant to an auditand not even all of those.
However some operations or compliance controls may be
relevant to the audit, as well (315.04 and .13)
6-3

1.
2.

3.
4.
5.

With which of the following categories of

controls will the auditor likely be most
familiar? Controls focused on
Reliability of financial
reporting
Effectiveness &
efficiency of
operations
Compliance with laws
and regulations
All of the above
equally
2 and 3

6-4

Components of Internal Control

COSO Framework (315.15-.25)

LO# 4

Entitys Risk
Assessment
Process

Control
Environment

Information System and

Related Business Processes
Relevant to Financial
Reporting & Communication

Control
Activities

Monitoring of
Controls
6-5

Control Environment (315.A71 A.80)

What does the auditor need to know(see 315.15)
Factors affecting the auditors evaluation of the
control environment include:
Communications and enforcement of integrity and
ethical values
Commitment to competence
Participation by those charged with governance
Managements philosophy and operating style
Organizational structure
Assignment of authority and responsibility
Human resource policies and practices

6-6

The Entitys Risk Assessment

Process (315.A81 - .A83)
What does the auditor need to know (See
315.16)
Or.. how does the entity assess and
manage risk related to the fair preparation
of financial statements (for example the
risk of failing to record a transaction or
appropriate estimates)
The nature of the entitys risk assessment
process will vary greatly depending on the
size and nature of the client
6-7

The importance of internal control to

management relates to which of the
following internal control components?
1. Control
environment
2. Control
procedures
3. Risk assessment
4. Monitoring
6-8

Information System and Related Processes

(315.19)
The auditors understanding of the information
system should relate to the following:
The classes of transactions that are significant
The procedures (IT and manual) by which those
transactions are initiated, authorized, recorded,
processed, corrected, transferred to the general
ledger and the financial statements
What accounting records support the information
in the financial statements and accounting
6-9
records

Information System and Related Processes

(315.19)
The auditors understanding of the information
system should relate to the following (cont.):
How the system captures events and conditions,
other than transactions, that are significant to the
financial statements (for example, depreciation)
The processes used to prepare the entitys
financial statements (including estimates and
disclosures)
Controls surrounding journal entries, including
6-10
those that are nonrecurring

Control Activities
The auditor should understand the process of
reconciling detailed records to the general ledger for
material accounts (315.21) and, as appropriate, details
related to such control activities as (315.A91):
Information processing (when is the work done and
how)
Physical controls
Segregation of duties (who does the work)
Performance reviews (supervision)
How the entity has responded to risk arising from IT
(See 315.A98-.A101)
6-11

Which of the following types of controls

are least likely to be programmed
controls?
1. Application
controls
2. General controls
3. Both of the above
4. What? Do I look
like a geek
6-12

Monitoring of Controls (315.23 and .A102)

The auditor should obtain an understanding
of:
Major activities the entity conducts to
monitor controls over financial reporting
How the entity initiates remedial action
Impact of the internal audit function, if any
6-13

What Else Does the Auditor Need to

Know About Internal Controls (315.14)
GAAS requires the auditor to:
1. Develop an appropriate understanding of the
design of the clients internal controls (the 5
components) AND
2. Determine whether those controls have been
placed in operation (implemented)
Inquiry alone will not allow the auditor to
determine if the controls have been
implemented. More often than not, what auditors
refer to as a walk through is necessary to
determine whether controls have been placed in
operation (implemented).
6-14

LO# 7

Auditors Use of His/Her Understanding

of Internal Control
The auditor should obtain an understanding of each of
the five components of internal control in order to plan
the audit. This knowledge is used to (315.A42):
Identify types of
potential
misstatements

Consider factors that

affect the risk of
material misstatement

Design tests of controls

(where applicable) and
substantive procedures

6-15

Auditors Use of His/Her Understanding

of Internal Control
Remember the Audit Risk Model
AR = IR X CR X DR
Look at the flowchart on page 195 of the
textbook

6-16

In a GAAS audit an auditor should be

able to determine through inquiry
1. If controls have
been implemented
2. The design of
many relevant
controls
3. The efficiency and
effectiveness of
controls
4. All of the above
6-17

1.

2.
3.

4.
5.

The auditor should develop an

understanding of each of the 5 components
of internal control to allow for:
Proper design of tests
of controls, where
appropriate
Proper design of
substantive test
A reduction in the level
of assessed control
risk
All of the above
6-18
Both 1 and 2

In a GAAS audit, an auditor is required to

1. Develop an
understanding of the
clients internal control
2. Determine that controls
have been implemented
3. Test the efficiency and
effectiveness of controls
4. All of the above
5. 1 and 2
6-19

LO# 8

Documenting the Understanding of Internal

Control (see 315.33b)
Procedure Manuals
and Organizational
Charts

Narrative Description

Internal Control
Questionnaires

Flowcharts

6-20

Which of the following are required by

GAAS?
1. Documentation of the
auditors
understanding of
internal control
2. Determination that key
internal controls have
been implemented
3. Tests of controls
4. All of the above
5. Both 1 and 2

6-21

Auditing Accounting Applications

Processed by Service Organizations
(402)

LO# 13

In some instances, a client may have some or all of its

accounting transactions processed by an outside service
organization.
Because the clients
transactions are subjected to
the controls of the service
organization, one of the
auditors concerns is the
internal control system in
place at the service
organization.

It is not uncommon for service

organizations to have a service
auditor issue one of two types
of reports on their operations.
6-22

Auditing Accounting Applications

Processed by Service Organizations
(402)

LO# 13

Type 1 Report
Describes the service organizations controls
and assesses whether they are suitably
designed to achieve specified internal control
objectives and implemented.
An auditor may reduce
control risk below the
maximum only on the
basis of a service
auditors report that
includes tests of the
controls (Type 2).

Type 2 Report
Goes further by testing whether the
controls provide reasonable assurance
that the related control objectives were
achieved during the period. (i.e., the
auditor performs test of controls)
6-23

The auditor can use a type 1 report related

to a service centers controls to
1. Document the
understanding of the
service centers
controls
2. Reduce the
assessed level of
control risk below the
maximum
3. Both 1 and 2
4. None of the above

6-24

Communication of Internal ControlRelated Matters

(See 265.07 and .11 through .16 )

LO# 14

Material
Weakness

The most serious of

shortcomings. Must be
communicated in writing to
both those charged with
governance and management

Significant
Deficiency

The second most serious of

shortcoming. Must be
communicated in writing to
both those charged with
6-25
governance and management

Communication of Internal
Control-Related Matters
Other deficiencies should be communicate
to management either in writing or orally if
others have not so communicated and the
auditor feels the issues merit management
attention (265.12b)
All communications regarding internal
control weaknesses should be made no
later than 60 days following the report
release date (265.13)
6-26

Communication of Internal
Control-Related Matters
Written communications regarding
significant deficiencies and material
weaknesses should include (see 265.14)
Any written communication indicating that
no significant deficiencies were identified
would be inappropriate (265.15 and .16).

6-27

Which of the following, if discovered, is the

auditor required to communicate to management
1. Material weaknesses
in internal control
2. Significant
deficiencies in
internal control
3. Deficiencies in
internal control
4. All of the above
5. Both 1 and 2
6-28

Which of the following can the auditor

not issue as a written communication?
1. A statement that no
material weaknesses
were identified
2. A statement that no
significant deficiencies
were identified
3. A restriction on the use
of the auditors internal
control communication
4. All of the above can be
issued in writing

6-29

Internal Control Under PCAOB

Auditors responsibilities for both examining and
reporting on internal control in a PCAOB
engagement per AS 5 are much more extensive
Managements Responsibilities (CEO & CFO)
Accept responsibility for the effectiveness of the
entitys ICFR
Evaluate the effectiveness of the entitys ICFR using
suitable control criteria
Support the evaluation with sufficient evidence,
including documentation
Present a written assessment of the effectiveness of
ICFR as of the end of the most recent fiscal year
6-30

Internal Control Under PCAOB

Auditors Responsibility
Integrate an audit of managements assertion
about the effectiveness of ICFR with the audit
of the financial statements
Express an opinion on the effectiveness of the
entitys ICFR as of a point in time
To express an opinion on ICFR, the auditors
evaluation of ICFR would need to be much
more extensive than the evaluation of ICFR
required to support the opinion on the
financial statements as required by GAAS
6-31

The examination of an audit clients internal

control in a PCAOB audit would be
A. In the same depth
as in a SAS GAAS
audit
B. In more depth
than in a SAS
GAAS audit
C. In less depth than
in a SAS GAAS
audit
6-32

The auditors reporting responsibilities related to

ICFR in a SAS GAAS audit differ from those in a
PCAOB audit in that
A. A SAS GAAS audit
does not require the
auditor to issue any
report related to ICFR
findings
B. A SAS GAAS audit
requires the auditor to
issue a report on ICFR
findings for public
distribution
C. A SAS GAAS audit
does not allow the
auditor to issue an
opinion on ICFR
6-33