Chapter 6Chapter 6
Internal Controlin a FinancialStatement AuditInternal Controlin a FinancialStatement Audit
McGraw-Hill/Irwin
Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Internal ControlInternal Control
Management has the responsibility to maintain controls thatprovides reasonable assurance that adequate control exists overthe entity’s assets and records.
The Internal Control System should:
-ensure that assets and records are safeguarded
-generate reliable information for decision making
The auditor needs assurance about the reliability of the datagenerated by the information system.
LO# 1
![MCj03418510000[1]](data/images/img2.jpg)
6-2
Internal ControlInternal Control
The auditor uses risk assessment procedures to
-obtain an understanding of the entity’s internal control
-identify the types of potential misstatements
-ascertain factors that affect the risk of materialmisstatement
-design tests of controls and substantive procedures
The auditor’s understanding of the internal control is amajor factor in determining the overall audit strategy. Theauditor has a responsibility to:
(1) obtain an understanding of internal control and
(2) assess control risk.
LO# 1
6-3
COSO’s Internal Control –Integrated FrameworkCOSO’s Internal Control –Integrated Framework
Reliability ofFinancialReporting
Effectivenessand Efficiencyof Operations
Compliancewith Laws andRegulations
Objectives
LO# 2
6-4
Controls Relevant to the AuditControls Relevant to the Audit
Generally, internal controls pertaining to the preparationof financial statements for external purposes arerelevant to an audit.
Reliability ofFinancialReporting
Effectivenessand Efficiencyof Operations
Compliancewith Laws andRegulations
Objectives
LO# 3
6-5
Controls Relevant to the AuditControls Relevant to the Audit
Controls relating to operations and complianceobjectives may be relevant when they relate to data theauditor uses to apply auditing procedures.
Reliability ofFinancialReporting
Effectivenessand Efficiencyof Operations
Compliancewith Laws andRegulations
Objectives
LO# 3
6-6
The Effect of InformationTechnology on Internal ControlThe Effect of InformationTechnology on Internal Control
LO# 4
6-7
Components of Internal ControlComponents of Internal Control
ControlEnvironment
Entity’s RiskAssessmentProcess
Information System andRelated Business ProcessesRelevant to FinancialReporting and Communication
ControlActivities
Monitoring ofControls
LO# 5
6-8
Components of Internal ControlComponents of Internal Control
LO# 5
6-9
Control EnvironmentControl Environment
LO# 5
Principle 1: The organization demonstrates a commitment tointegrity and ethical values.
Principle 2: The board of directors demonstrates independencefrom management and exercises oversight of the developmentand performance of internal control.
Principle 3: Management establishes, with board oversight,structures, reporting lines, and appropriate authorities andresponsibilities in the pursuit of objectives.
Principle 4: The organization demonstrates a commitment toattract, develop, and retain competent individuals in alignmentwith objectives.
Principle 5: The organization holds individuals accountable fortheir internal control responsibilities in the pursuit of objectives.
6-10
The Entity’s RiskAssessment ProcessThe Entity’s RiskAssessment Process
The risk assessment process should consider external andinternal events and circumstances that may arise and adverselyaffect the entity’s ability to initiate, record, process, and reportfinancial data consistent with management’s financialstatement assertions.
Changes in theoperatingenvironment
New personnel
New or revampedinformationsystems
Rapid growth
New technology
New businessmodels, products,or activities
Corporaterestructuring
Internationalgrowth
New accountingpronouncements
Business risk can arise or change due to the following circumstances:
LO# 5
6-11
The Entity’s Risk AssessmentProcessThe Entity’s Risk AssessmentProcess
LO# 5
Principle 6: The organization specifies objectives with sufficientclarity to enable the identification and assessment of risks relatingto objectives.
Principle 7: The organization identifies risks to the achievement ofits objectives across the entity and analyzes risks as a basis fordetermining how the risks should be managed.
Principle 8 The organization considers the potential for fraud inassessing risks to the achievement of objectives.
Principle 9: The organization identifies and assesses changes thatcould significantly impact the system of internal control.
6-12
Control ActivitiesControl Activities
LO# 5
Principle 10: The organization selects and develops controlactivities that contribute to the mitigation of risks to theachievement of objectives to acceptable levels.
- Performance Reviews
- Physical Controls
- Segregation of Duties
- Information Processing Controls
Principle 11: The organization selects and develops generalcontrol activities over technology to support the achievement ofobjectives.
Principle 12: The organization deploys control activities throughpolicies that establish what is expected and procedures that putpolicies into action.
6-13
Information and CommunicationInformation and Communication
LO# 5
Principle 13: The organization obtains or generates and usesrelevant, quality information to support the functioning of internalcontrol.
- Identify and record all valid transactions
- Classify transactions properly
- Measure the value of transactions properly
- Record transactions in the proper period
- Properly present transactions and disclosures
Principle 14: The organization internally communicatesinformation, including objectives and responsibilities for internalcontrol, necessary to support the functioning of internal control.
Principle 15: The organization communicates with externalparties regarding matters affecting the functioning of internalcontrol.
6-14
Monitoring of ControlsMonitoring of Controls
Monitoring of controls is a process thatassesses the quality of internal controlperformance over time.
LO# 5
Principle 16: The organization selects, develops, and performsongoing and/or separate evaluations to ascertain whether thecomponents of internal control are present and functioning.
Principle 17: The organization evaluates and communicatesinternal control deficiencies in a timely manner to those partiesresponsible for taking corrective action, including seniormanagement and the board of directors, as appropriate.
6-15
Planning an Audit StrategyPlanning an Audit Strategy
Audit Risk Model
AR = IR × CR × DR
In applying the audit risk model, the auditormust assess control risk. The figure on thenext slide presents a flowchart of the auditor’sdecision process when considering internalcontrol in planning an audit.
LO# 6
6-16
LO# 6
Planning an Audit StrategyFigure 6-3 Flowchart of the Auditor’s Consideration of Internal Control and Its Relation toSubstantive ProceduresPlanning an Audit StrategyFigure 6-3 Flowchart of the Auditor’s Consideration of Internal Control and Its Relation toSubstantive Procedures
6-17
Substantive StrategySubstantive Strategy
After obtaining an understanding of internal control, anauditor may choose to follow a substantive strategy and setcontrol risk at the maximum for some or all assertionsbecause of one or all of the following factors:
Controls donot pertain toan assertion.
Controls areassessed asineffective.
Testing theeffectivenessof controls isinefficient.
LO# 6
![MCBS01884_0000[1]](data/images/img7.png)
6-18
Reliance StrategyReliance Strategy
ObtainUnderstanding ofInternal Control
Plan to Rely onInternal Control andAssess Control RiskBelow Maximum
LO# 6
![MCBS01886_0000[1]](data/images/img8.png)
6-19
AssertionsAssertions
LO# 6
6-20
Obtain an Understandingof Internal ControlObtain an Understandingof Internal Control
Identify types ofpotentialmisstatement
Design tests ofcontrols andsubstantiveprocedures
Pinpoint thefactors that affectthe risk of materialmisstatement
The auditor should obtain an understanding of each ofthe five components of internal control in order to planthe audit. This knowledge is used to:
LO# 7
6-21
Documenting the Understandingof Internal ControlDocumenting the Understandingof Internal Control
Procedure Manualsand OrganizationalCharts
Flowcharts
Internal ControlQuestionnaires
Narrative Description
LO# 8
6-22
Example Information & DocumentationExample Information & Documentation
LO# 7
6-23
The Effect of Entity Size onInternal ControlThe Effect of Entity Size onInternal Control
While the basic concepts of the fivecomponents should be present in all entities,they are likely to be less formal in a small ormidsize entity than in a large entity.
LO# 8
6-24
The Limitations of an Entity’sInternal ControlThe Limitations of an Entity’sInternal Control
Override ofInternal Controlby Management
Human Errorsor Mistakes
Collusion
LO# 8
6-25
Reasons Cited for Why FraudOccurredReasons Cited for Why FraudOccurred
LO# 8
6-26
Assessing Control RiskAssessing Control Risk
Identifyspecificcontrols thatwill be reliedupon.
Perform testsof controls.
Conclude on theachieved levelof control risk.
LO# 9
6-27
Performing Tests of ControlsPerforming Tests of Controls
Inquiry of appropriatepersonnel
Inspection of documentsindicating theperformance of thecontrol
Observation of theapplication of thecontrol
Reperformance of theapplication of thecontrol by the auditor
LO# 10
6-28
Documenting the Achieved Level ofControl RiskDocumenting the Achieved Level ofControl Risk
The auditor’s assessment of control risk and thebasis for the achieved level can be documentedusing a structured working paper, an internal controlquestionnaire, or a memorandum.
LO# 10
6-29
Performing Substantive ProceduresPerforming Substantive Procedures
LO# 11
6-30
Timing of Audit ProceduresTiming of Audit Procedures
Interim
Year End
Let’s look at the EarthWear Clothiers exampleagain to see the timing of their auditprocedures.
LO# 12
6-31
Timing of Audit ProceduresA Timeline for Planning and Performing the Audit of EarthWear ClothiersTiming of Audit ProceduresA Timeline for Planning and Performing the Audit of EarthWear Clothiers
LO# 12
6-32
Interim Audit ProceduresInterim Audit Procedures
Interim Tests ofControls
1.Assertion being tested not significant
2.Control has been effective in prior audits
3.Efficient use of staff time
InterimSubstantiveProcedures
1.Assertion probably has low control risk
2.May increase the risk of materialmisstatements
3.Still requires some year-end testing
LO# 12
6-33
Auditing Accounting ApplicationsProcessed by Service OrganizationsAuditing Accounting ApplicationsProcessed by Service Organizations
In some instances, a client may have some or all of itsaccounting transactions processed by an outside serviceorganization.
Because the client’stransactions are subjected tothe controls of the serviceorganization, one of theauditor’s concerns is theinternal control system inplace at the serviceorganization.
It is not uncommon for serviceorganizations to have an auditorissue one of two types ofreports on their operations.
LO# 13
6-34
Type 1 Report
Describes the service organization’scontrols and assesses whether theyare suitably designed to achievespecified internal control objectives.
Type 2 Report
Goes further by testing whether thecontrols provide reasonable assurancethat the related control objectives wereachieved during the period.
control riskonlyAn auditor may reducecontrol risk below themaximum only on thebasis of a serviceauditor’s Type 2 report.
LO# 13
Auditing Accounting ApplicationsProcessed by Service OrganizationsAuditing Accounting ApplicationsProcessed by Service Organizations
6-35
Types of Controls in an ITEnvironmentTypes of Controls in an ITEnvironment
GeneralControls
1.Data center and networkoperations
2.System softwareacquisition, change, andmaintenance
3.Access security
4.Application systemacquisition, development,and maintenance
ApplicationControls
1.Data capture controls
2.Data validation controls
3.Processing controls
4.Output controls
5.Error controls
LO# 15
6-36