Upload
mricky
View
1.004
Download
3
Tags:
Embed Size (px)
Citation preview
Chapter 6Chapter 6
Internal Control in a Financial Statement
Audit
McGraw-Hill/Irwin Copyright © 2008 by The McGraw-Hill Companies, Inc. All rights reserved.
6-2
Internal Control
The auditor uses risk assessment procedures to obtain an understanding of the entity’s internal control and uses this
understanding to identify the types of potential misstatements, ascertain factors that affect the risk of material misstatement,
and design tests of controls and substantive procedures.
The auditor’s understanding of the internal control is a major factor in determining the overall audit strategy. The auditor’s responsibilities for internal control are discussed under two
major topics: (1) obtaining an understanding of internal control and (2) assessing control risk.
LO# 1
6-3
Internal Control
Reliability of Financial Reporting
Effectiveness & Efficiency
of Operations
Compliance with Laws & Regulations
Objectives
LO# 2
6-4
Controls Relevant to the Audit
Generally, internal controls pertaining to the preparation of financial statements for external purposes are
relevant to an audit.
Reliability of Financial Reporting
Effectiveness & Efficiency
of Operations
Compliance with Laws & Regulations
Objectives
LO# 3
6-5
Controls Relevant to the Audit
Controls relating to operations and compliance objectives may be relevant when they relate to data the
auditor uses to apply auditing procedures.
Reliability of Financial Reporting
Effectiveness & Efficiency
of Operations
Compliance with Laws & Regulations
Objectives
LO# 3
6-6
Components of Internal Control
Control Environment
Entity’s Risk Assessment
Process
Information System and Related Business Processes
Relevant to Financial Reporting & Communication
Control Procedures
Monitoring of Controls
LO# 4
6-7
The Effect of Information Technology on Internal Control
LO# 5
6-8
Planning an Audit Strategy
Audit Risk Model
AR = IR × CR × DRIn applying the audit risk model, the auditor must assess control risk. The figure on the next slide
presents a flowchart of the auditor’s decision process when considering internal control in
planning an audit.
LO# 6
6-9
LO# 6
Planning an Audit Strategy
6-10
Substantive Strategy
After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set
control risk at the maximum for some or all assertions because of one or all of the following factors:
Controls do not pertain to an assertion.
Controls are assessed as ineffective.
Testing the effectiveness of controls is
inefficient.
LO# 6
6-11
Reliance Strategy
Obtain Understanding of Internal Control
Plan to Rely on Internal Control and Assess Control Risk
Below Maximum
LO# 6
6-12
AssertionsLO# 6
6-13
AssertionsLO# 6
6-14
Obtain an Understanding of Internal Control
Identify types of potential
misstatements
Design tests of controls and substantive procedures
Pinpoint the factors that affect the risk of material
misstatement
The auditor should obtain an understanding of each of the five components of internal control in order to plan
the audit. This knowledge is used to:
LO# 7
6-15
Control EnvironmentLO# 7
6-16
The Entity’s Risk Assessment Process
The risk assessment process should consider external and internal events and circumstances that may arise and adversely affect the entity’s ability to initiate, record, process and report financial data consistent with the assertions of management in
the financial statements.
Changes in the operating
environment
New personnel New or revamped information systemsRapid growth
New technology
New business models, products,
or activities
Corporate restructuring Expanded
international growth
New accounting pronouncements
Client business risk can arise or change due to the following circumstances:
LO# 7
6-17
Information Systems and Communication
An effective accounting system gives appropriate consideration to establishing methods and records that will
1. Identify and record all valid transactions.
2. Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
3. Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
4. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
5. Properly present the transactions and related disclosures in the financial statements.
LO# 7
6-18
Control Activities
Control activities are the policies and procedures that help ensure that management’s directives are carried out. Those
control procedures that are relevant to the audit include
Performance reviews
Information processing
Physical controls
Segregation of duties
LO# 7
6-19
Monitoring of Controls
Monitoring of controls is a process that assesses the quality of internal control
performance over time.
Internal Auditors
An effective internal audit function has clear lines of authority and
reporting, qualified personnel, and adequate resources to enable these
personnel to carry out their assigned duties.
LO# 7
6-20
The Effect of Entity Size on Internal Control
While the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small or
midsize entity than in a large entity.
LO# 7
6-21
The Limitations of an Entity’s Internal Control
Management Override of
Internal Control
Human Errors or Mistakes
Collusion
LO# 7
6-22
Factors Contributing to Fraud
LO# 7
6-23
Documenting the Understanding of Internal Control
Procedure Manuals and Organizational
ChartsNarrative Description
Internal Control Questionnaires
Flowcharts
LO# 8
6-24
Assessing Control RiskIdentify specific
controls that will be relied
upon.
Perform tests of controls
Conclude on the achieved level of control risk.
LO# 9
6-25
Substantive Procedures
LO# 11
6-26
Timing of Audit Procedures
Interim
Year End
Let’s look at the EarthWear Clothiers example again to see the timing of their audit
procedures.
LO# 12
6-27
Timing of Audit Procedures
LO# 12
6-28
Interim Audit Procedures
Interim Tests of Controls
1. Assertion being tested not significant2. Control has been effective in prior audits3. Efficient use of staff time
Interim Substantive Procedures
1. Assertion probably has low control risk2. May increase the risk of material
misstatements 3. Still requires some year end testing
LO# 12
6-29
Auditing Accounting Applications Processed by Service Organizations
In some instances, a client may have some or all of its accounting transactions processed by an outside service
organization.
Because the client’s transactions are subjected to
the controls of the service organization, one of the
auditor’s concerns is the internal control system in
place at the service organization.
It is not uncommon for service organizations to have an auditor
issue one of two types of reports on their operations.
LO# 13
6-30
Report #1Describes the service organization’s controls and assesses whether they
are suitably designed to achieve specified internal control objectives.
Report #2Goes further by testing whether the
controls provide reasonable assurance that the related control objectives were
achieved during the period.
An auditor may reduce control riskcontrol risk below the maximum onlyonly on the
basis of a service auditor’s report that includes tests of the
controls.
LO# 13
Auditing Accounting Applications Processed by Service Organizations
6-31
Communication of Internal Control-Related Matters
Reportable Conditions
Material Weakness
Significant deficiencies in the design or operation of internal control that could
adversely affect the organization’s ability to initiate, record, process, and report financial
data consistent with management’s assertions.
A material weakness is a significant deficiency, or combination of significant deficiencies that results in more than a remote likelihood that a
material misstatement of the financial statements will not be prevented or detected.
LO# 14
6-32
Examples of Reportable Conditions
LO# 14
6-33
Types of Controls in an IT Environment
General Controls
1. Data center & network operations
2. System software acquisition, change and maintenance
3. Access security4. Application system
acquisition, development, and maintenance
Application Controls
1. Data capture controls2. Data validation controls3. Processing controls4. Output controls5. Error controls
LO# 15
6-34
End of Chapter 6