Audit I Internal Control Class Version


Page 1: Audit I Internal Control Class Version

Chapter 6

Internal Control in a Financial Statement Audit

McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved

Page 2: Audit I Internal Control Class Version

6-2

Internal Controls in Financial Statement Audits

What is internal control?

What does the auditor need to know about internal control?

How does the auditor use his/her knowledge of internal control in conducting the audit?

What are the documentation requirements?

What are the communication requirements related to the auditor’s internal control findings?

Page 3: Audit I Internal Control Class Version

6-3

Internal Control (315.04 and .13)

Generally, internal controls pertaining to the preparation of financial statements for external purposes are the controls relevant to an audit…and not even all of those. However, some operations or compliance controls may be relevant to the audit as well (315.04 and .13).

Objectives

Reliability of Financial Reporting

Effectiveness & Efficiency of Operations

Compliance with Laws & Regulations

LO# 3

Page 4: Audit I Internal Control Class Version

6-4

With which of the following categories of controls will the auditor likely be most familiar? Controls focused on

1. Reliability of financial reporting

2. Effectiveness & efficiency of operations

3. Compliance with laws and regulations

4. All of the above equally

5. 2 and 3

Page 5: Audit I Internal Control Class Version

6-5

Components of Internal Control: COSO Framework (315.15-.25)

Control Environment

Entity’s Risk Assessment Process

Information System and Related Business Processes Relevant to Financial Reporting & Communication

Control Activities

Monitoring of Controls

LO# 4

Page 6: Audit I Internal Control Class Version

6-6

Control Environment (315.A71 – A.80)

What does the auditor need to know (see 315.15)

Factors affecting the auditor’s evaluation of the control environment include:

Communications and enforcement of integrity and ethical values

Commitment to competence

Participation by those charged with governance

Management’s philosophy and operating style

Organizational structure

Assignment of authority and responsibility

Human resource policies and practices

Page 7: Audit I Internal Control Class Version

6-7

The Entity’s Risk Assessment Process (315.A81 - .A83)

What does the auditor need to know (See 315.16)

Or... how does the entity assess and manage risk related to the fair preparation of financial statements (for example, the risk of failing to record a transaction or appropriate estimates)?

The nature of the entity’s risk assessment process will vary greatly depending on the size and nature of the client

Page 8: Audit I Internal Control Class Version

6-8

The importance of internal control to management relates to which of the following internal control components?

1. Control environment

2. Control procedures

3. Risk assessment

4. Monitoring

Page 9: Audit I Internal Control Class Version

6-9

Information System and Related Processes (315.19)

The auditor’s understanding of the information system should relate to the following:

The classes of transactions that are significant

The procedures (IT and manual) by which those transactions are initiated, authorized, recorded, processed, corrected, transferred to the general ledger and the financial statements

What accounting records support the information in the financial statements and accounting records

Page 10: Audit I Internal Control Class Version

6-10

Information System and Related Processes (315.19)

The auditor’s understanding of the information system should relate to the following (cont.):

How the system captures events and conditions, other than transactions, that are significant to the financial statements (for example, depreciation)

The processes used to prepare the entity’s financial statements (including estimates and disclosures)

Controls surrounding journal entries, including those that are nonrecurring

Page 11: Audit I Internal Control Class Version

6-11

Control Activities

The auditor should understand the process of reconciling detailed records to the general ledger for material accounts (315.21) and, as appropriate, details related to such control activities as (315.A91):

Information processing (when is the work done and how)

Physical controls

Segregation of duties (who does the work)

Performance reviews (supervision)

How the entity has responded to risk arising from IT (See 315.A98-.A101)

Page 12: Audit I Internal Control Class Version

6-12

Which of the following types of controls are least likely to be programmed controls?

1. Application controls

2. General controls

3. Both of the above

4. What? Do I look like a geek

Page 13: Audit I Internal Control Class Version

6-13

Monitoring of Controls (315.23 and .A102)

The auditor should obtain an understanding of:

Major activities the entity conducts to monitor controls over financial reporting

How the entity initiates remedial action

Impact of the internal audit function, if any

Page 14: Audit I Internal Control Class Version

6-14

What Else Does the Auditor Need to Know About Internal Controls (315.14)

GAAS requires the auditor to:

1. Develop an appropriate understanding of the design of the client’s internal controls (the 5 components) AND

2. Determine whether those controls have been placed in operation (implemented)

Inquiry alone will not allow the auditor to determine if the controls have been implemented. More often than not, what auditors refer to as a “walk through” is necessary to determine whether controls have been placed in operation (implemented).

Page 15: Audit I Internal Control Class Version

6-15

Auditor’s Use of His/Her Understanding of Internal Control

The auditor should obtain an understanding of each of the five components of internal control in order to plan the audit. This knowledge is used to (315.A42):

Identify types of potential misstatements

Design tests of controls (where applicable) and substantive procedures

Consider factors that affect the risk of material misstatement

LO# 7

Page 16: Audit I Internal Control Class Version

6-16

Auditor’s Use of His/Her Understanding of Internal Control

Remember the Audit Risk Model

AR = IR × CR × DR

Look at the flowchart on page 195 of the textbook

Page 17: Audit I Internal Control Class Version

6-17

In a GAAS audit an auditor should be able to determine through inquiry

1. If controls have been implemented

2. The design of many relevant controls

3. The efficiency and effectiveness of controls

4. All of the above

Page 18: Audit I Internal Control Class Version

6-18

The auditor should develop an understanding of each of the 5 components of internal control to allow for:

1. Proper design of tests of controls, where appropriate

2. Proper design of substantive tests

3. A reduction in the level of assessed control risk

4. All of the above

5. Both 1 and 2

Page 19: Audit I Internal Control Class Version

6-19

In a GAAS audit, an auditor is required to

1. Develop an understanding of the client’s internal control

2. Determine that controls have been implemented

3. Test the efficiency and effectiveness of controls

4. All of the above

5. 1 and 2

Page 20: Audit I Internal Control Class Version

6-20

Documenting the Understanding of Internal Control (see 315.33b)

Procedure Manuals and Organizational Charts

Narrative Description

Internal Control Questionnaires

Flowcharts

LO# 8

Page 21: Audit I Internal Control Class Version

6-21

Which of the following are required by GAAS?

1. Documentation of the auditor’s understanding of internal control

2. Determination that key internal controls have been implemented

3. Tests of controls

4. All of the above

5. Both 1 and 2

Page 22: Audit I Internal Control Class Version

6-22

Auditing Accounting Applications Processed by Service Organizations (402)

In some instances, a client may have some or all of its accounting transactions processed by an outside service organization.

Because the client’s transactions are subjected to the controls of the service organization, one of the auditor’s concerns is the internal control system in place at the service organization.

It is not uncommon for service organizations to have a service auditor issue one of two types of reports on their operations.

LO# 13

Page 23: Audit I Internal Control Class Version

6-23

Auditing Accounting Applications Processed by Service Organizations (402)

Type 1 Report

Describes the service organization’s controls and assesses whether they are suitably designed to achieve specified internal control objectives and implemented.

Type 2 Report

Goes further by testing whether the controls provide reasonable assurance that the related control objectives were achieved during the period (i.e., the auditor performs tests of controls).

An auditor may reduce control risk below the maximum only on the basis of a service auditor’s report that includes tests of the controls (Type 2).

LO# 13

Page 24: Audit I Internal Control Class Version

6-24

The auditor can use a type 1 report related to a service center’s controls to

1. Document the understanding of the service center’s controls

2. Reduce the assessed level of control risk below the maximum

3. Both 1 and 2

4. None of the above

Page 25: Audit I Internal Control Class Version

6-25

Communication of Internal Control-Related Matters

(See 265.07 and .11 through .16)

Material Weakness

The most serious of shortcomings. Must be communicated in writing to both those charged with governance and management.

Significant Deficiency

The second most serious of shortcomings. Must be communicated in writing to both those charged with governance and management.

LO# 14

Page 26: Audit I Internal Control Class Version

6-26

Communication of Internal Control-Related Matters

Other deficiencies should be communicated to management either in writing or orally if others have not so communicated and the auditor feels the issues merit management attention (265.12b)

All communications regarding internal control weaknesses should be made no later than 60 days following the report release date (265.13)

Page 27: Audit I Internal Control Class Version

6-27

Communication of Internal Control-Related Matters

Written communications regarding significant deficiencies and material weaknesses should include (see 265.14)

Any written communication indicating that no significant deficiencies were identified would be inappropriate (265.15 and .16).

Page 28: Audit I Internal Control Class Version

6-28

Which of the following, if discovered, is the auditor required to communicate to management?

1. Material weaknesses in internal control

2. Significant deficiencies in internal control

3. Deficiencies in internal control

4. All of the above

5. Both 1 and 2

Page 29: Audit I Internal Control Class Version

6-29

Which of the following can the auditor not issue as a written communication?

1. A statement that no material weaknesses were identified

2. A statement that no significant deficiencies were identified

3. A restriction on the use of the auditor’s internal control communication

4. All of the above can be issued in writing

Page 30: Audit I Internal Control Class Version

6-30

Internal Control Under PCAOB

Auditor’s responsibilities for both examining and reporting on internal control in a PCAOB engagement per AS 5 are much more extensive

Management’s Responsibilities (CEO & CFO)

Accept responsibility for the effectiveness of the entity’s ICFR

Evaluate the effectiveness of the entity’s ICFR using suitable control criteria

Support the evaluation with sufficient evidence, including documentation

Present a written assessment of the effectiveness of ICFR as of the end of the most recent fiscal year

Page 31: Audit I Internal Control Class Version

6-31

Internal Control Under PCAOB

Auditor’s Responsibility

Integrate an audit of management’s assertion about the effectiveness of ICFR with the audit of the financial statements

Express an opinion on the effectiveness of the entity’s ICFR as of a point in time

To express an opinion on ICFR, the auditor’s evaluation of ICFR would need to be much more extensive than the evaluation of ICFR required to support the opinion on the financial statements as required by GAAS

Page 32: Audit I Internal Control Class Version

6-32

The examination of an audit client’s internal control in a PCAOB audit would be

A. In the same depth as in a SAS GAAS audit

B. In more depth than in a SAS GAAS audit

C. In less depth than in a SAS GAAS audit


Page 33: Audit I Internal Control Class Version

6-33

The auditor’s reporting responsibilities related to ICFR in a SAS GAAS audit differ from those in a PCAOB audit in that

A. A SAS GAAS audit does not require the auditor to issue any report related to ICFR findings

B. A SAS GAAS audit requires the auditor to issue a report on ICFR findings for public distribution

C. A SAS GAAS audit does not allow the auditor to issue an opinion on ICFR
