Pertemuan 3

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 1

Internal Controland Control Risk

Chapter 10


Learning Objective 1

Contrast management’s need forinternal control with the auditor’sneed to consider internal control

when designing an audit.


InherentLimitations

ReasonableAssurance

Management’sResponsibility

Key Concepts


Client’s Concerns

Compliance with applicable laws and regulations

Reliability of financial reportingEfficiency and effectiveness of operations


Auditor Concerns

Controls over classes of transactions

Controls related to reliability of financial reporting


Sales Transaction-Related Audit Objectives

Objective – General Form Related Audit ObjectivesRecorded transactions

exist (existence).Sales are for shipmentsto existing customers.

Existing transactions arerecorded (completeness).

Existing sales transactionsare recorded.

Transactions are statedcorrectly (accuracy).

Sales for goods shippedare correctly billed.


Sales Transaction-Related Audit Objectives

Objective – General Form Related Audit ObjectivesTransactions are properlyclassified (classification).

Sales transactions areproperly classified.

Transactions are recordedon correct dates (timing).

Sales are recorded on thecorrect dates.

Transactions are properlyfiled (posting andsummarization).

Sales transactions areproperly included in the

master files.


How Frauds HaveBeen Discovered

Notification by employeeInternal controlsInternal auditorCustomer notificationAccidental discoveryManagement investigation

58%51%

43%41%

37%35%


How Frauds HaveBeen Discovered

Anonymous reportingHot line notificationEmployee investigationGovernment notificationExternal auditorOther sources

35%25%

21%16%

4%20%



Describe how informationtechnology affectsinternal control.


Effect of InformationTechnology on Internal

Control

Information Technology

IT can improvethe effectivenessand efficiency ofinternal controls.

IT also enhancesthe timelinessand accuracy

of information.


Risks Associated With the Use of Information Technology

Programmed errors

Processing incorrect data

Unauthorized access



Explain the five componentsof internal control.


Five Componentsof Internal Control

RiskAssessment

ControlActivities

Information andCommunication Monitoring

Control Environment


The Control Environment

Integrity and ethical values

Commitment to competence

Board of directors or auditcommittee participation

Management’s philosophyand operating style


The Control Environment

Organizational structure

Assignment of authorityand responsibility

Human resourcespolicies and practices


Risk Assessment

Identify factors affecting risk.Assess significance of risks

and likelihood of occurrence.Determine actions necessary

to manage risk.


Control Activities

1. Adequate separation of duties2. Proper authorization of transactions and activities3. Adequate documents and records4. Physical control over assets and records5. Independent checks on performance


Adequate Separationof Duties

Custody of assetsAuthorizationof transactions

Operationalresponsibility

IT Duties

AccountingThe custody ofrelated assets

Record-keepingresponsibility

User departments


Proper Authorization of Transactions and Activities

General authorization

Specific authorization


Adequate Documentsand Records

Prenumbered consecutivelyPrepared at the time of transaction

Designed for multiple usesConstructed to encourage correct preparation

Simple enough to ensure understanding


Physical Control overAssets and Records

Physical precautions

Controls related to IT equipment,programs, and data files

Physicalcontrols

Accesscontrols

Backup andrecovery

procedures


Independent Checkson Performance

The need for independent checksarise because internal control tendsto change over time unless there isa mechanism for frequent review.


Information and Communication

The purpose of an accounting informationand communication system is to…

initiate, record, process, and report thetransactions and to maintain accountability

for the related assets.


Monitoring

Management’s ongoing and periodic assessmentof the quality of internal control performance …

to determine whether controls are operatingas intended and modified when needed.



Explain methods used toobtain an understanding

of internal control.


Understanding Internal Control and Assessing Control Risk

Obtain Understanding of Internal Control:Design and Operation

Assess Control Risk Test Controls

Decide Planned Detection Riskand Substantive Tests


Reasons for Sufficiently Understanding Internal Control

SAS 55 (as amended by SAS 78 and 594plus AU319) requires the auditor toobtain an understanding of internal

control for every audit.

Minimum auditplanning matters

• Auditability• Potential material

misstatements• Detection risk• Design of test


Procedures to Determine Design and Placement

Update and evaluate auditor’s previousexperience with the entity.

Make inquires of client personnel.Read client’s policy and systems manuals.

Examine documents and records.Observe entity activities and operations.


Documentation ofthe Understanding

Narrative

FlowchartInternalcontrol

questionnaire



Assess control risk by linkingstrengths and weaknesses of

internal control to transaction-related audit objectives.


Assess Control Risk

Obtain sufficient understanding for planning.Assess whether the entity is auditable.

Determine assessed control risk.Assess if a lower control risk could be supported.Determine the appropriate assessed control risk.


Assess Control Risk

Identify transaction-related audit objectives.

Identify specific controls.

Identify and evaluate weaknesses.


Identify and Evaluate Weaknesses

Identify existing controls.Identify the absence of key controls.

Determine misstatements that could result.Consider compensating controls.


The Control Risk Matrix

Auditors use the control risk matrix toidentify both controls and weaknesses

and to asses control risk.


Communication

Reportable conditions letter

Management lettersAudit committee communications



Describe the process of designingand performing tests of controls.


Tests of Controls

The procedures to test effectivenessof controls in support of a reduced

assessed control risk are calledtests of controls.


Procedures forTests of Controls

Make inquiries of client personnel.Examine documents, records, and reports.

Observe control-related activities.Reperform client procedures.


Extent of Procedures

Reliance on evidence from prior year’s audit

Testing less than the entire audit period


Relationship of Assessed Control

Risk and Extend of ProceduresAssessed Control Risk

High Level: Lower Level: Obtaining an Tests of

Type of Procedure Understanding Only ControlsInquiry Yes – extensive Yes – someDocumentation Yes – with transaction Yes – using

walk-through sampleObservation Yes – with transaction Yes – multiple

walk-through timesReperformance No Yes – sampling


Decide Planned Detection Risk and Design Substantive Tests

The auditor uses the results of the control riskassessment process and tests of controls todetermine the planned detection risk and

related substantive tests.

The auditor links the control risk assessmentsto the balance-related audit objectives.


End of Chapter 10