Understanding the Entity
AU Section 314
Understanding the Entity and Its Environment and Assessing the Risks
Source: SAS No. 109.
The Risk Assessment Standards
C Delano Gray
June 18, 2008

Risk Assessment Standards
The risk assessment standards consist of:
– SAS No. 104, Amendment to Statement on Auditing Standards No. 1, Due Professional Care
– SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
– SAS No. 106, Audit Evidence
– SAS No. 107, Audit Risk and Materiality in Conducting an Audit (Audit Risk and Materiality)
– SAS No. 108, Planning and Supervision
– SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Assessing Risks)
– SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Performing Procedures)
– SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling

Risk Assessment Standards
The risk assessment standards consist of:
– SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit (Superseded SAS 60)
– SAS No. 113, Omnibus Standards
– SAS No. 114, The Auditor’s Communication with Those Charged with Governance (Supersedes SAS 61)
http://www.aicpa.org/Professional+Resources/Accounting+and+Auditing/Audit+and+Attest+Standards/Authoritative+Standards+and+Related+Guidance+for+Non-Issuers/auditing_standards.htm
Source: AICPA

Risk Assessment Standards
The ASB believes that the SASs represent a significant strengthening of auditing standards which in turn will improve the quality of audits conducted under these standards.

Objectives
The objectives of the SASs are to improve audit effectiveness by requiring:
– A more in-depth understanding of the entity and its environment, including its internal control.
– More rigorous assessment of the risks of material misstatement (whether caused by error or fraud) of the financial statements.
– A linkage between the assessed risks and the nature, timing, and extent of audit procedures performed in response to those risks.

Knowledge
This assumes the following:
– Knowledge of the SASs
– Knowledge of FAS and Interpretations
– Knowledge of Industry Specific Standards
– Knowledge of SOPs and EITF Pronouncements
– Knowledge of Entity’s Industry, Markets, Competitors and Industry Practices.

Overview of SASs

Overview of SASs
SAS No. 104, Amendment to SAS No. 1
SAS No. 104 expands the definition of “reasonable assurance” as a “high” level of assurance.

Overview of SASs
SAS No. 105, Amendment to SAS 95, Generally Accepted Auditing Standards
– “Internal control” is replaced by “the entity and its environment, including its internal control”
– “Further audit procedures” replaces “tests to be performed”
– “Audit evidence” replaces “evidential matter”

Overview of SASs
SAS No. 106, Audit Evidence
(Amends SAS 31)
“The auditor must obtain sufficient audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit.”

Overview of SASs
SAS No. 106, Audit Evidence
Audit evidence is all the information used by the auditor in arriving at the conclusions on which the audit opinion is based and includes:
– Entity’s accounting records,
– Confirmations,
– Minutes,
– Industry reports,
– Audit procedures such as inquiries, observations, inspections, etc.

Overview of SASs
SAS No. 106, Audit Evidence
Audit Procedures
a. Risk Assessment Procedures
   1. Inquiries
   2. Analytical procedures
   3. Inspection and observation
b. Further Audit Procedures
   1. Test of controls
   2. Substantive procedures
      i. Test of details
      ii. Substantive analytical procedures

Overview of SASs
SAS No. 106, Audit Evidence
The use of assertions in obtaining audit evidence – these are management’s implicit or explicit assertions regarding the recognition, measurement, presentation and disclosure of information in the financial statements and related disclosures.

Overview of SASs
SAS No. 106, Audit Evidence (continued)
Categories of Assertions
a. Classes of transactions
b. Account balances
c. Presentation and disclosure

Overview of SASs
SAS No. 107, Audit Risk and Materiality
(Amends SAS 47)
“The auditors should perform the audit to reduce audit risk to a low level that is (in his or her judgment) appropriate for expressing an opinion on the financial statements.”

Overview of SASs
Audit Risk and Materiality
“The auditor’s consideration of materiality is a matter of professional judgment and is influenced by the auditor’s perception of the needs of users of financial statements” SAS 107.

Overview of SASs
SAS No. 108, Planning and Supervision
(Amends SAS 1 and SAS 22)
“The auditor must adequately plan the work and must properly supervise any assistants.”

Overview of SASs
SAS No. 109, Assessing Risks
“The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.”

Risk Assessment Standards
Enhances the auditor’s application of the audit risk model in practice by requiring:
– More in-depth understanding of the entity and its environment, including its internal control to better understand where risks of misstatements are higher
  – May require greater understanding of internal control design and implementation of controls
  – Ability to default to maximum control risk assessment removed
– Improved linkage between the assessed risks and the nature, timing, and extent of audit procedures performed

Risk Assessment Standards
Enhances the auditor’s application of the audit risk model:
AR = [CR x IR] x DR
[CR x IR] = RMM
AR = Audit Risk
CR = Control Risk
IR = Inherent Risk
DR = Detection Risk
RMM = risk of material misstatement
Source: AICPA.

Risk Assessment Standards
– Internal Control Framework is unchanged

SAS 109
Understanding the Entity and Its Environment and Assessing the Risks

Introduction
.01 This section establishes standards and provides guidance about implementing the second standard of field work, as follows:
– The auditor must obtain a sufficient understanding of the entity and its environment,
– Its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud,
– Design the nature, timing, and extent of further audit procedures.

.02 The following is an overview of this standard:
• Risk assessment procedures and sources of information about the entity and its environment, including its internal control.
  – This section explains the audit procedures that the auditor should perform to obtain the understanding of the entity and its environment, including its internal control (risk assessment procedures).
  – The audit team should discuss the susceptibility of the entity's financial statements to material misstatement.

Risk Assessment Standards
The auditor should assess the risks of material misstatement at the financial statement level and at the relevant assertion level on all audits based on the understanding obtained.

Risk Assessment Standards
New Assertion Framework
Classes of Transactions:
– Occurrence
– Completeness
– Accuracy
– Cutoff
– Classification
Account Balances:
– Existence
– Rights and obligations
– Completeness
– Valuation and allocation
Presentation and Disclosures:
– Occurrence and Rights and obligations
– Completeness
– Classification and understandability
– Accuracy and valuation

Risk Assessment Standards
– Identifying risks through considering
  – The entity and its environment, including its internal control
  – Classes of transactions, account balances, and disclosures
– Relating the identified risks to what could go wrong at the relevant assertion level
– Significant risks [1]
[1] SAS 109, Assessing Risks, paragraphs 102-121

Risk Assessment Standards
Audit Risk | Auditor’s Response
Financial Statement | Overall responses
Account level | Further Audit Procedures (Tests of Controls and Substantive Tests)

Risk Assessment Standards
– Testing of controls is encouraged
– The requirement to link assessed risks and the audit procedures responsive to those risks is improved
– Risk assessment is a continuous process, not a series of discrete stages

Risk Assessment Standards
– Perform further audit procedures that are clearly linked to risks at the relevant assertion level by:
  – Performing tests of the operating effectiveness of controls
  – Performing substantive procedures
  – Evaluating the adequacy of presentation and disclosure [1]
– Evaluate whether sufficient competent audit evidence has been obtained [2]
[1] SAS 110, Performing Procedures, paragraphs 23-68
[2] SAS 110, Performing Procedures, paragraphs 70-76
Source: AICPA

Risk Assessment Standards
– Greater emphasis is placed on testing of disclosures
– Greater emphasis is placed on the evaluation of internal controls
– Guidance on evaluating audit findings is clarified and expanded
– Documentation requirements are significantly expanded

Significant Changes to Existing Practices
– Identifying and assessing the risks of material misstatements at both the financial statement level and the relevant assertion level by performing risk assessment procedures.
– Designing and performing tailored further audit procedures responsive to assessed risks at the relevant assertion level
– Linkage of audit procedures to the risk of material misstatement.

AU Section 314
Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
(Supersedes SAS No. 55)
Source: SAS No. 109.
Effective for audits of financial statements for periods beginning on or after December 15, 2006. Earlier application is permitted.

Risk Assessment Overview
[Diagram labels: Fraud Risk Factors, Respond, Risk Assessment, New Process, Brainstorming, Inquiries, Analytical Procedures, Other]

SAS No. 109, Assessing Risks
Risk assessment procedures and sources of information about the entity and its internal control are:
a. Inquiries
b. Analytical procedures
c. Observation and inspection
Discussion among audit team

SAS No. 109, Assessing Risks
Inquiries of management may be directed toward:
a. External parties – for example, legal counsel, bankers, valuation experts, etc.
b. Internal – for example those charged with governance, internal audit, employees other than accounting personnel, in-house counsel, etc.

SAS No. 109, Assessing Risks
Analytical Procedures
a. Use guidance of SAS 56, Analytical Procedures
b. Helpful in identifying unusual transactions or events
c. Assist in determining amounts, ratios, trends in the financial statements

SAS No. 109, Assessing Risks
Observation and inspection include:
a. Inspection of documents and manuals (for example accounting or internal control)
b. Reading internal reports and minutes
c. Visit premises and plant facilities
d. Tracing transactions through systems

SAS No. 109, Assessing Risks
The auditor should consider the results of the fraud risk assessment performed during planning along with other information gathered in identifying the risks of material misstatements.

SAS No. 109, Assessing Risks
Discussion among audit team:
a. Can be held at the same time as the discussion specified in SAS 99.
b. Objective is for members to gain a better understanding of the potential for material misstatements.
c. An opportunity for more experienced members to share their insights.

SAS No. 109, Assessing Risks
Understanding the entity and its environment, including its internal control.
– Industry, regulatory, and other external factors
– Nature of the entity
– Objectives and strategies and the related business risks that may result in a material misstatement of the financial statements
– Measurement and review of the entity's financial performance
– Internal control

SAS No. 109, Assessing Risks
Internal control

SAS No. 109, Assessing Risks (continued)
The auditor should obtain a sufficient understanding of internal controls to:
a. Evaluate the design of controls relevant to the audit,
b. Determine whether the controls have been implemented.

SAS No. 109, Assessing Risks
The auditor should perform risk assessment procedures to obtain an understanding of internal control. Procedures include observation, inspection, or performing walkthroughs.
Inquiry alone is not sufficient to evaluate the design of controls and whether they have been implemented.

SAS No. 109, Assessing Risks
The auditor should identify and assess the risks of material misstatements at:
a. Financial statement level
b. The relevant assertion level

Internal Controls
The three primary objectives of effective internal control.

Internal Control Objectives
1. Reliability of financial reporting
2. Efficiency and effectiveness of operations
3. Compliance with laws and regulations

Management’s Responsibilities
Contrast management’s responsibilities for maintaining and reporting on internal controls with the auditor’s responsibilities for understanding, testing, and reporting on internal controls.

Management and Auditor Responsibilities Related to Internal Control
Management’s responsibility for establishing internal control
Reasonable assurance
Inherent limitations

Management and Auditor Responsibilities Related to Internal Control
Design of internal control
Operating effectiveness of controls

Management and Auditor Responsibilities Related to Internal Control
Auditor responsibilities for understanding internal control
Control over classes of transactions
Auditor responsibilities for testing internal control
Controls over the reliability of financial reporting

Internal Control
The five components of the COSO internal control framework.

Five Components of Internal Control
Risk assessment
Control activities
Information and communication
Monitoring

The Control Environment
Integrity and ethical values
Commitment to competence
Board of directors or audit committee participation

The Control Environment
Management’s philosophy and operating style
Organizational structure
Human resource policies and practices

Risk Assessment
Identify factors that may increase risk
Assess the likelihood of the risk occurring
Determine actions necessary to manage the risk
Estimate the significance of the risk

Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

Adequate Separation of Duties
Custody of assets from accounting
Authorization of transactions from the custody of related assets
Operational responsibility from record-keeping responsibility
IT duties from user departments

Proper Authorization of Transactions and Activities
General authorization
Specific authorization

Adequate Documents and Records
Prenumbered consecutively
Prepared at the time of transaction
Designed for multiple use
Constructed to encourage correct preparation

Physical Control Over Assets and Records
The most important type of protective measure for safeguarding assets and records is the use of physical precautions.

Independent Checks on Performance
The need for independent checks arises because internal control tends to change over time unless there is a mechanism for frequent review.

Information and Communication
The purpose of an accounting information and communication system is to…
initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.

Monitoring
Monitoring activities deal with management’s ongoing and periodic assessment of the quality of internal control performance…
to determine whether controls are operating as intended and modified when needed.

Documenting Controls
Obtain and document an understanding of internal control.

Process for Understanding Internal Control and Assessing Control Risk
Phase 1: Obtain an understanding of internal control: design and operation
Phase 2: Assess control risk
Phase 3: Design, perform, and evaluate tests of controls
Phase 4: Decide planned detection risk and substantive tests
67
Obtain and Document Understanding of Internal Obtain and Document Understanding of Internal ControlControl
Obtain and Document Understanding of Internal Obtain and Document Understanding of Internal ControlControl
SAS 109 and PCAOB Standard 2 both require auditors to obtain an understandingof internal control for every audit.
Procedures to obtain an understanding: Design of internal controls Whether placed in operation Uses this information as a basis for the
integrated audit
68
Methods UsedMethods UsedMethods UsedMethods Used
Narrative
FlowchartInternalcontrol
questionnaire
69
NarrativeNarrativeNarrativeNarrative
1. The origin of every document and record in the system
2. All processing that takes place
3. The disposition of every document and record in the system
4. An indication of the controls relevant to the assessment of control risk
70
Evaluating Internal Control Operation
Update and evaluate auditor’s previous experience with the entity
Make inquiries of client personnel
Examine documents and records
Observe entity activities and operations
Perform walk-throughs of the accounting system
71
Control Risks and Audit Objectives
Assess control risk by linking key controls, significant deficiencies, and material weaknesses to transaction-related audit objectives.
72
Assess Control Risk
Assess whether the financial statements are auditable.
Determine assessed control risk supported by the understanding obtained assuming the controls are being followed.
Use of a control risk matrix to assess control risk.
73
Control Risk Matrix
Many auditors use the control risk matrix to assist in the control risk assessment process.
74
Control Risk Matrix
Identify audit objectives
Identify existing controls
Associate controls with related audit objectives
Identify and evaluate control deficiencies, significant deficiencies, and material weaknesses
75
Evaluating Significant Control Deficiencies
[Figure: matrix with axes LIKELIHOOD (Probable, Remote) and SIGNIFICANCE (Material, Immaterial); labelled region: Material Weakness]
76
Identify Deficiencies and Weakness
Identify existing controls
Identify the absence of key controls
Consider the possibility of compensating controls
Decide whether there is a significant deficiency or material weakness
Determine potential misstatements that could result
77
Communications
Management letters
Communications to those charged with governance
78
Tests of Controls
The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.
79
Procedures for Tests of Controls
1. Make inquiries of client personnel
2. Examine documents, records, and reports
3. Observe control-related activities
4. Reperform client procedures
80
Extent of Procedures
Reliance on evidence from prior year’s audit
Testing of controls related to significant risks
Testing less than the entire audit period
81
Relationship of Assessed Control Risk and Extent of Procedures
Type of procedure | Assessed control risk, high level: procedures to obtain an understanding | Assessed control risk, lower level: tests of controls
Inquiry | Yes–extensive | Yes–some
Documentation | Yes–with transaction walk-through | Yes–using sampling
Observation | Yes–with transaction walk-through | Yes–at multiple times
Reperformance | No | Yes–using sampling
82
READY??
How to get ready.
Document each significant business process in writing. Assess business risks involved in each process.
Identify “key” controls within those processes to mitigate risks. If controls aren’t adequate to mitigate risks, you would need to consider implementing stronger controls.
Also, establish a monitoring process whereby these business processes are evaluated to ensure that “key” controls are operating effectively throughout the period.
The control activities questionnaire may be a good starting point to help identify your significant business processes and the key controls for those processes.
83
Decide Planned Detection Risk and Design Substantive Tests
The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests.
The auditor links the control risk assessments to the balance-related audit objectives.
84
Business Objective Business Risk
1.
Audit of Activity: __________________________________________
Check applicable risk category: Assets; Operational Performance; Information Systems; Regulatory & Legal Issues; Ext. and Int. Environment
85
Risk | Importance of Risk | Control Activities to Address Risk | Impact on audit (Test)
A. 1.
2.
86
AUDIT DEPARTMENT
COMPANY NAME:
PREPARED BY: __________________
REVIEWED BY:___________________
DATE: _____/_______/______
SECTION XX: Audit of ………………….
AUDIT DATE: As of mm/dd/yyyy
87
Time Budget | Performed by | W/P REF
Operational Procedure
Description of Controls
Audit Objective
Audit Scope
Audit Procedure
1.
2.
Findings
The following exceptions were noted during the audit:
(1) =
(2) =
All findings were discussed with the responsible manager.
Tickmark Legend
= No Exception Noted
= Traced to
® = Reviewed P & P Manual.
Conclusion
.
88
Section 404 Reporting on Internal Control
1. The auditor’s opinion on whether management’s assessment of the effectiveness of internal control over financial reporting as of the end of the fiscal period is fairly stated, in all material respects.
2. The auditor’s opinion on whether the company maintained, in all material respects, effective internal control over financial reporting as of the specified date.
89
Questions?
Thank You