Upload
juniper-craig
View
236
Download
4
Embed Size (px)
Citation preview
9 - 1©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Internal Controland Control Risk
Chapter 9
9 - 2©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Learning Objective 1
Contrast management’s need for
internal control with the auditor’s
need to consider internal control
when designing an audit.
9 - 3©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
InherentLimitations
ReasonableAssurance
Management’sResponsibility
Key Concepts
9 - 4©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Client’s Concerns
Compliance with applicable laws and regulations
Reliability of financial reporting
Efficiency and effectiveness of operations
9 - 5©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Auditor Concerns
Controls over classes of transactions
Controls related to reliability of financial reporting
9 - 6©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Sales Transaction-RelatedAudit Objectives
Objective – General Form Related Audit Objectives
Recorded transactionsexist (existence).
Sales are for shipmentsto existing customers.
Existing transactions arerecorded (completeness).
Existing sales transactionsare recorded.
Transactions are statedcorrectly (accuracy).
Sales for goods shippedare correctly billed.
9 - 7©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Sales Transaction-RelatedAudit Objectives
Objective – General Form Related Audit Objectives
Transactions are properlyclassified (classification).
Sales transactions areproperly classified.
Transactions are recordedon correct dates (timing).
Sales are recorded on thecorrect dates.
Transactions are properlyfiled (posting andsummarization).
Sales transactions areproperly included in the
master files.
9 - 8©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
How Frauds HaveBeen Discovered
Notification by employee
Internal controls
Internal auditor
Customer notification
Accidental discovery
Management investigation
58%
51%
43%
41%
37%
35%
9 - 9©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
How Frauds HaveBeen Discovered
Anonymous reporting
Hot line notification
Employee investigation
Government notification
External auditor
Other sources
35%
25%
21%
16%
4%
20%
9 - 10©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Learning Objective 2
Describe how information
technology affects
internal control.
9 - 11©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Effect of InformationTechnology on Internal Control
Information Technology
IT can improvethe effectivenessand efficiency ofinternal controls.
IT also enhancesthe timelinessand accuracy
of information.
9 - 12©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Risks Associated With the Useof Information Technology
Programmed errors
Processing incorrect data
Unauthorized access
9 - 13©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Learning Objective 3
Explain the five components
of internal control.
9 - 14©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Control Environment
Five Componentsof Internal Control
RiskAssessment
ControlActivities
Information andCommunication
Monitoring
9 - 15©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
The Control Environment
Integrity and ethical values
Commitment to competence
Board of directors or auditcommittee participation
Management’s philosophyand operating style
9 - 16©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
The Control Environment
Organizational structure
Assignment of authorityand responsibility
Human resourcespolicies and practices
9 - 17©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Risk Assessment
Identify factors affecting risk.
Assess significance of risksand likelihood of occurrence.
Determine actions necessaryto manage risk.
9 - 18©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
9 - 19©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Adequate Separationof Duties
Custody of assets Accounting
Authorizationof transactions
The custody ofrelated assets
Operationalresponsibility
Record-keepingresponsibility
IT Duties User departments
9 - 20©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Proper Authorization of Transactions and Activities
General authorization
Specific authorization
9 - 21©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Adequate Documentsand Records
Prenumbered consecutively
Prepared at the time of transaction
Designed for multiple uses
Constructed to encourage correct preparation
Simple enough to ensure understanding
9 - 22©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Physical Control overAssets and Records
Physical precautions
Controls related to IT equipment,programs, and data files
Physicalcontrols
Accesscontrols
Backup andrecovery
procedures
9 - 23©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Independent Checkson Performance
The need for independent checksarise because internal control tendsto change over time unless there isa mechanism for frequent review.
9 - 24©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Information and Communication
The purpose of an accounting informationand communication system is to…
initiate, record, process, and report thetransactions and to maintain accountability
for the related assets.
9 - 25©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Monitoring
Management’s ongoing and periodic assessmentof the quality of internal control performance …
to determine whether controls are operatingas intended and modified when needed.
9 - 26©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Learning Objective 4
Explain methods used to
obtain an understanding
of internal control.
9 - 27©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Understanding Internal Controland Assessing Control Risk
Obtain Understanding of Internal Control:Design and Operation
Assess Control Risk Test Controls
Decide Planned Detection Riskand Substantive Tests
9 - 28©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Reasons for Sufficiently Understanding Internal Control
SAS 55 (as amended by SAS 78 and 594plus AU319) requires the auditor toobtain an understanding of internal
control for every audit.
Minimum auditplanning matters
• Auditability• Potential material
misstatements• Detection risk• Design of test
9 - 29©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Procedures to DetermineDesign and Placement
Update and evaluate auditor’s previousexperience with the entity.
Make inquires of client personnel.
Read client’s policy and systems manuals.
Examine documents and records.
Observe entity activities and operations.
9 - 30©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Documentation ofthe Understanding
NarrativeNarrative
FlowchartFlowchartInternalcontrol
questionnaire
Internalcontrol
questionnaire
9 - 31©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Learning Objective 5
Assess control risk by linking
strengths and weaknesses of
internal control to transaction-
related audit objectives.
9 - 32©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Assess Control Risk
Obtain sufficient understanding for planning.
Assess whether the entity is auditable.
Determine assessed control risk.
Assess if a lower control risk could be supported.
Determine the appropriate assessed control risk.
9 - 33©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Assess Control Risk
Identify transaction-related audit objectives.
Identify specific controls.
Identify and evaluate weaknesses.
9 - 34©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Identify and Evaluate Weaknesses
Identify existing controls.
Identify the absence of key controls.
Determine misstatements that could result.
Consider compensating controls.
9 - 35©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
The Control Risk Matrix
Auditors use the control risk matrix toidentify both controls and weaknesses
and to asses control risk.
9 - 36©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Communication
Reportable conditions letter
Management letters
Audit committee communications
9 - 37©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Learning Objective 6
Describe the process of designing
and performing tests of controls.
9 - 38©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Tests of Controls
The procedures to test effectivenessof controls in support of a reduced
assessed control risk are calledtests of controls.
9 - 39©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Procedures forTests of Controls
Make inquiries of client personnel.
Examine documents, records, and reports.
Observe control-related activities.
Reperform client procedures.
9 - 40©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Extent of Procedures
Reliance on evidence from prior year’s audit
Testing less than the entire audit period
9 - 41©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Relationship of Assessed ControlRisk and Extend of Procedures
Assessed Control Risk High Level: Lower Level: Obtaining an Tests of
Type of Procedure Understanding Only Controls
Inquiry Yes – extensive Yes – someDocumentation Yes – with transaction Yes – using
walk-through sampleObservation Yes – with transaction Yes – multiple
walk-through timesReperformance No Yes – sampling
9 - 42©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
Decide Planned Detection Riskand Design Substantive Tests
The auditor uses the results of the control riskassessment process and tests of controls todetermine the planned detection risk and
related substantive tests.
The auditor links the control risk assessmentsto the balance-related audit objectives.