Chapter Five: Evaluating the Integrity and Effectiveness of the Client’s Control Systems

$C:\My Documents\bits\earth.GIF$

Chapter 5Chapter 5

Evaluating the Integrityand Effectiveness of theClient’s Control SystemsEvaluating the Integrityand Effectiveness of theClient’s Control Systems

$C:\My Documents\bits\earth.GIF$

A Framework for Control

(1) reliability of financial reporting,(2) compliance with applicable laws andregulations, (3) effectiveness and efficiency ofoperations, and (4) safeguarding of assets.A process, effected by an entity’s board of directors,management, and other personnel, designed toprovide reasonable assurance regarding theachievement of objectives in the followingcategories: (1) reliability of financial reporting,(2) compliance with applicable laws andregulations, (3) effectiveness and efficiency ofoperations, and (4) safeguarding of assets.

What is Internal Control?

$C:\My Documents\bits\earth.GIF$

The Need for Control

Control is part of corporate governance

••Governance begins with stockholders.

••Needs to occur within a framework ofcontrol and accountability.

Control is almost as important toshareholders as are the financial results.

Good control makes good businesssense.Good control makes good businesssense.

$C:\My Documents\bits\earth.GIF$

Who is interested in anorganization’s control system?

••The board of directors and the audit committee of theboard.

••Management.

••Regulators.

••Auditors, both internal and external.

••Suppliers and customers.

••Investors and lenders.

••Customers or others using the Web for commerce.

$C:\My Documents\bits\earth.GIF$

Reports on Internal Control

Internal Reports to ManagementInternal Reports to Management

••Ongoing monitoring reports from operations.

••Internal audit reports.

••External audit reports.

External Reports by ManagementExternal Reports by Management

Regulatory Required ReportsRegulatory Required Reports

E-Commerce ReportsE-Commerce Reports

Audit Committee ReportsAudit Committee Reports

$C:\My Documents\bits\earth.GIF$

A Framework forUnderstanding and EvaluatingInternal Controls

Components of an Internal ControlSystemComponents of an Internal ControlSystem

••Control environment

••Risk assessment

••Control activities

••Information and communication

••Monitoring

$C:\My Documents\bits\earth.GIF$

Understanding and Assessingthe Control Environment

••Sets the tone of an organization.

••Management’s philosophy and operating style.

••Organizational structure, including the assignment ofauthority and responsibility.

••Board of directors and the audit committee.

••Human resource policies and practices.

••Integrity and ethical values.

••Commitment to competence.

$C:\My Documents\bits\earth.GIF$

Control Environment:Implications for Control RiskAssessment

••Risk Assessment

••Control Activities

••Information and Communication

••Monitoring

$C:\My Documents\bits\earth.GIF$

Relationship of Controls toAuditing

••Minimum level of control necessary.

••Overall quality of controls can impact ability toremain a going concern.

••Quality of control will significantly affect both auditapproach and amount of testing.

••Analysis of control risk helpful in identifying types oflikely misstatements.

••Inadequate controls may place organizations inviolation of federal laws.

••Auditor may need to issue a formal report.

$C:\My Documents\bits\earth.GIF$

Understanding and EvaluatingAccounting Information Systems

Internal Control and Financial Statement AccountBalances

••Auditor needs to evaluate internal control.

••Auditor needs to evaluate internal control only foraccounting systems that result in material accountbalances.

••Need to assess both overall control structure andspecific control procedures.

••To reduced control risk must have evidence thatcontrol structure is soundly designed and efficient.

$C:\My Documents\bits\earth.GIF$

Assessing the Effectiveness ofControl Procedures

Non-Transaction-Based SystemsNon-Transaction-Based Systems

Transaction-Based SystemsTransaction-Based Systems

Pervasive Control ActivitiesPervasive Control Activities

••Segregation of duties

••Authorization procedures

••Adequate documentation

••Physical controls

••Reconciliation

••Competent, trustworthy employees.

$C:\My Documents\bits\earth.GIF$

Control Risk Assessment

Reconsider and revise assessment ifnecessary.

Phase 4

Phase 1

Obtain an understanding of risks andcontrols.

Phase 2

Preliminary assessment of control risk.

Phase 3

Test controls for effectiveness.

$C:\My Documents\bits\earth.GIF$

Phase One:Obtain an Understanding

••Walk-Throughs

••Inquiries

••Plant and Operational Tours

••Client-Prepared Documentation

••Prior-Year Working Papers

$C:\My Documents\bits\earth.GIF$

Make Preliminary Assessmentof Control RiskPhase Two:Make Preliminary Assessmentof Control Risk

Crucial, because it drives the planningfor the rest of the audit.

highmoreControl risk high means more testing.

lowlessControl risk low means less testing.

Control risk can vary across subsystems.

$C:\My Documents\bits\earth.GIF$

Perform Test of ControlsPhase Three:Perform Test of Controls

Preliminary assessment based onunderstanding of system as it hasoperated in past and how it is designed tooperate.

Things change so the auditor must testthe system.

$C:\My Documents\bits\earth.GIF$

Update Assessment of ControlRisk and Need for SubstantiveTestingPhase Four:Update Assessment of ControlRisk and Need for SubstantiveTesting

Work in gaining an understanding is not anend in itself.

The amount of risk determines the amount,timing and extent of evidence needed.