Upload
viakusnadi
View
47
Download
3
Tags:
Embed Size (px)
Citation preview
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 1
Internal Controland Control Risk
Chapter 10
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 2
Learning Objective 1
Contrast management’s need forinternal control with the auditor’sneed to consider internal control
when designing an audit.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 3
InherentLimitations
ReasonableAssurance
Management’sResponsibility
Key Concepts
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 4
Client’s Concerns
Compliance with applicable laws and regulations
Reliability of financial reportingEfficiency and effectiveness of operations
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 5
Auditor Concerns
Controls over classes of transactions
Controls related to reliability of financial reporting
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 6
Sales Transaction-Related Audit Objectives
Objective – General Form Related Audit ObjectivesRecorded transactions
exist (existence).Sales are for shipmentsto existing customers.
Existing transactions arerecorded (completeness).
Existing sales transactionsare recorded.
Transactions are statedcorrectly (accuracy).
Sales for goods shippedare correctly billed.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 7
Sales Transaction-Related Audit Objectives
Objective – General Form Related Audit ObjectivesTransactions are properlyclassified (classification).
Sales transactions areproperly classified.
Transactions are recordedon correct dates (timing).
Sales are recorded on thecorrect dates.
Transactions are properlyfiled (posting andsummarization).
Sales transactions areproperly included in the
master files.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 8
How Frauds HaveBeen Discovered
Notification by employeeInternal controlsInternal auditorCustomer notificationAccidental discoveryManagement investigation
58%51%
43%41%
37%35%
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 9
How Frauds HaveBeen Discovered
Anonymous reportingHot line notificationEmployee investigationGovernment notificationExternal auditorOther sources
35%25%
21%16%
4%20%
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 10
Learning Objective 2
Describe how informationtechnology affectsinternal control.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 11
Effect of InformationTechnology on Internal
Control
Information Technology
IT can improvethe effectivenessand efficiency ofinternal controls.
IT also enhancesthe timelinessand accuracy
of information.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 12
Risks Associated With the Use of Information Technology
Programmed errors
Processing incorrect data
Unauthorized access
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 13
Learning Objective 3
Explain the five componentsof internal control.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 14
Five Componentsof Internal Control
RiskAssessment
ControlActivities
Information andCommunication Monitoring
Control Environment
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 15
The Control Environment
Integrity and ethical values
Commitment to competence
Board of directors or auditcommittee participation
Management’s philosophyand operating style
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 16
The Control Environment
Organizational structure
Assignment of authorityand responsibility
Human resourcespolicies and practices
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 17
Risk Assessment
Identify factors affecting risk.Assess significance of risks
and likelihood of occurrence.Determine actions necessary
to manage risk.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 18
Control Activities
1. Adequate separation of duties2. Proper authorization of transactions and activities3. Adequate documents and records4. Physical control over assets and records5. Independent checks on performance
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 19
Adequate Separationof Duties
Custody of assetsAuthorizationof transactions
Operationalresponsibility
IT Duties
AccountingThe custody ofrelated assets
Record-keepingresponsibility
User departments
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 20
Proper Authorization of Transactions and Activities
General authorization
Specific authorization
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 21
Adequate Documentsand Records
Prenumbered consecutivelyPrepared at the time of transaction
Designed for multiple usesConstructed to encourage correct preparation
Simple enough to ensure understanding
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 22
Physical Control overAssets and Records
Physical precautions
Controls related to IT equipment,programs, and data files
Physicalcontrols
Accesscontrols
Backup andrecovery
procedures
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 23
Independent Checkson Performance
The need for independent checksarise because internal control tendsto change over time unless there isa mechanism for frequent review.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 24
Information and Communication
The purpose of an accounting informationand communication system is to…
initiate, record, process, and report thetransactions and to maintain accountability
for the related assets.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 25
Monitoring
Management’s ongoing and periodic assessmentof the quality of internal control performance …
to determine whether controls are operatingas intended and modified when needed.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 26
Learning Objective 4
Explain methods used toobtain an understanding
of internal control.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 27
Understanding Internal Control and Assessing Control Risk
Obtain Understanding of Internal Control:Design and Operation
Assess Control Risk Test Controls
Decide Planned Detection Riskand Substantive Tests
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 28
Reasons for Sufficiently Understanding Internal Control
SAS 55 (as amended by SAS 78 and 594plus AU319) requires the auditor toobtain an understanding of internal
control for every audit.
Minimum auditplanning matters
• Auditability• Potential material
misstatements• Detection risk• Design of test
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 29
Procedures to Determine Design and Placement
Update and evaluate auditor’s previousexperience with the entity.
Make inquires of client personnel.Read client’s policy and systems manuals.
Examine documents and records.Observe entity activities and operations.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 30
Documentation ofthe Understanding
Narrative
FlowchartInternalcontrol
questionnaire
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 31
Learning Objective 5
Assess control risk by linkingstrengths and weaknesses of
internal control to transaction-related audit objectives.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 32
Assess Control Risk
Obtain sufficient understanding for planning.Assess whether the entity is auditable.
Determine assessed control risk.Assess if a lower control risk could be supported.Determine the appropriate assessed control risk.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 33
Assess Control Risk
Identify transaction-related audit objectives.
Identify specific controls.
Identify and evaluate weaknesses.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 34
Identify and Evaluate Weaknesses
Identify existing controls.Identify the absence of key controls.
Determine misstatements that could result.Consider compensating controls.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 35
The Control Risk Matrix
Auditors use the control risk matrix toidentify both controls and weaknesses
and to asses control risk.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 36
Communication
Reportable conditions letter
Management lettersAudit committee communications
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 37
Learning Objective 6
Describe the process of designingand performing tests of controls.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 38
Tests of Controls
The procedures to test effectivenessof controls in support of a reduced
assessed control risk are calledtests of controls.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 39
Procedures forTests of Controls
Make inquiries of client personnel.Examine documents, records, and reports.
Observe control-related activities.Reperform client procedures.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 40
Extent of Procedures
Reliance on evidence from prior year’s audit
Testing less than the entire audit period
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 41
Relationship of Assessed Control
Risk and Extend of ProceduresAssessed Control Risk
High Level: Lower Level: Obtaining an Tests of
Type of Procedure Understanding Only ControlsInquiry Yes – extensive Yes – someDocumentation Yes – with transaction Yes – using
walk-through sampleObservation Yes – with transaction Yes – multiple
walk-through timesReperformance No Yes – sampling
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 42
Decide Planned Detection Risk and Design Substantive Tests
The auditor uses the results of the control riskassessment process and tests of controls todetermine the planned detection risk and
related substantive tests.
The auditor links the control risk assessmentsto the balance-related audit objectives.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 43
End of Chapter 10