Auditing 81.3550 Internal Control Studies & Risk Assessment Chapter 9 Internal Control Studies &...

Auditing 81.3550Auditing 81.3550

Internal Control Studies & Risk Assessment

Chapter 9

Internal Control Studies & Risk Assessment

Chapter 9

HighlightsHighlights

• What is internal control?• Why is it important?• How do auditors study, evaluate and

document an organization’s internal control processes?

• What types of tests are used?• Understanding the two basic audit

approached commonly used

• What is internal control?• Why is it important?• How do auditors study, evaluate and

document an organization’s internal control processes?

• What types of tests are used?• Understanding the two basic audit

approached commonly used

What is internal control?

Internal control consists of the policies & procedures established & maintained by management to assist in orderly & efficient conduct of business.

•Need to keep in mind the cost vs. benefit of internal control processes and procedures

Internal ControlInternal ControlInternal control is a process designed to

provide reasonable assurance regarding the achievement of management’s objectives regarding:

Internal control is a process designed to provide reasonable assurance regarding the achievement of management’s objectives regarding:

• reliability of controls

• optimizing use of resources

• safeguarding of assets

• preventing & detecting fraud & error

9 - 9Copyright 2003 Pearson Education Canada Inc.

performpreliminaryanalytical

procedures

Steps in audit planningSteps in audit planning

preplan

Why is anunderstand-

ing of internalcontrol im-

portant?

setmateriality, and

assess acceptableaudit risk andinherent risk

understandinternal control

and assesscontrol risk

obtainbackgroundinformation

obtaininformation

about client’s legal obligations


Second Examination Standard:A sufficient understanding of internalcontrol should be obtained to plan the audit.

Why is anunderstanding

of internalcontrol

important?


Audit Risk has 3 components Audit Risk has 3 components which combine to make the which combine to make the

audit risk modelaudit risk model::

= x xauditrisk

inherentrisk

controlrisk

detectionrisk

therisk that material

misstatements will not be prevented ordetected by

internal controls


- internal control is the client’s respon-sibility and should be designed to helpthe client attain goals

- internal control should provide rea-sonable but not absolute assurance;cost/benefit must be considered

- internal control has inherent limita-tions (e.g., misunderstandings, mis-takes, fatigue, carelessness, collusion,management override)

Key Internal Control ConceptsKey Internal Control Concepts

Components of Internal ControlComponents of

Internal Control

the controlenvironment

Control EnvironmentControl Environment

The control environment is theactions, policies, and procedures

that reflect management’s attitude regarding controls and

their importance.

Elements of the Control Environment


• Management Philosophy and Operating Style:– Approach to monitoring and responding to risk– Attitude and actions around financial reporting– Emphasis on meeting goals both financial and

operational– Honesty and type of business behaviours

exhibited and encouraged

• Management Philosophy and Operating Style:– Approach to monitoring and responding to risk– Attitude and actions around financial reporting– Emphasis on meeting goals both financial and

operational– Honesty and type of business behaviours

exhibited and encouraged



• Board of Directors and Audit Committee:– How active of a role does

the committee take in running the company?

– Audit Committees dealings and interest in the auditors and their work

• Board of Directors and Audit Committee:– How active of a role does

the committee take in running the company?

– Audit Committees dealings and interest in the auditors and their work

Elements of The Control Environment


• Organizational Structure– Clearly defined lines of responsibility and

authority

• Organizational Structure– Clearly defined lines of responsibility and

authority



• Methods used in the assignment of authority and responsibly

• Methods used in the assignment of authority and responsibly

What are the formal methods that management uses to communicate internal controls to employees?

CompanyPolicies

EmployeeHandbook

JobDescription

Memo:



• Management Control Methods• Management Control Methods

Do management’s methods send a clear message about the importance of control?

Do management’s methods serve to detect misstatements?



• Systems Development Methodology– Who can make modifications?– What testing is done?

• Systems Development Methodology– Who can make modifications?– What testing is done?

Does management have amethodology for developingand modifying systems and

procedures?



• Personal Policies and Practices• Personal Policies and Practices

Management should ensure that competent, trustworthy, motivated personnel are employed to meet client goals and objectives.

Employees are the critical component of effective internal control.



• Management reactions to external influences

• Should be aware of these influences and prepared to react properly

• Management reactions to external influences

• Should be aware of these influences and prepared to react properly

Is management aware of external influences such as changes in the

economy and technology?



• Internal Audit• Internal Audit•Does an internal audit department exist? •Does it effectively monitor control policies and procedures, and enhance operational effectiveness and efficiency?•Who does the internal audit department report to?

Components of Internal ControlComponents of

Internal Control

controlsystems

Accounting Systems

+Control Procedures

Components of Internal Control


accountingsystems

Accounting systems have severalsubcomponents - classes of

transactions



Control procedures are policies and procedures, in addition to those related to other components, established to enable the entity to address risks in the achievement of their objectives.

controlprocedures

Categories of Control Categories of Control ProceduresProcedures


• Appropriate segregation of duties– Separate custody of assets from accounting– Separate custody of assets from

authorization of transactions– Separate operational responsibility from

record keeping– Adequate segregation of duties within EDP– Reconciliation – i.e. separate from

transaction data entry clerk

• Appropriate segregation of duties– Separate custody of assets from accounting– Separate custody of assets from

authorization of transactions– Separate operational responsibility from

record keeping– Adequate segregation of duties within EDP– Reconciliation – i.e. separate from

transaction data entry clerk



• Can be difficult in smaller companies due to the costs involved

• Fewer employees make segregation tough

• Can be difficult in smaller companies due to the costs involved

• Fewer employees make segregation tough



• Segregation of duties designed to help prevent loss but difficult if there is collusion

• Collusion is the defeat of adequate separation of duties wherein employees cooperate to perpetrate fraud.

• Segregation of duties designed to help prevent loss but difficult if there is collusion

• Collusion is the defeat of adequate separation of duties wherein employees cooperate to perpetrate fraud.

...we’re agreed.We’ll be rich be-yond our wildest

dreams!

Why is collusion Why is collusion particularly troublesome particularly troublesome

for auditors?for auditors?

Why is collusion Why is collusion particularly troublesome particularly troublesome

for auditors?for auditors?Competent,

untrustworthy, motivated personnel often know how to conceal their fraud.

Competent, untrustworthy, motivated personnel often know how to conceal their fraud.



• Proper authorizations of transactions and activities– general authorization - management

establishes authorization policies– specific authorization - management makes

authorizations on a case-by-case (ie all A/P requests)

• Proper authorizations of transactions and activities– general authorization - management

establishes authorization policies– specific authorization - management makes

authorizations on a case-by-case (ie all A/P requests)

accountspayablepolicies &procedures

cashreceiptspolicies &procedures

personnelpolicies &procedures



• Adequate Documents and Records• Adequate Documents and Records

•should provide reasonable assurance that all assets are properly controlled and all transactions are correctly recorded.

Design and Use of Documents, Input Screens, and Electronic TransactionsDesign and Use of Documents, Input Screens, and Electronic Transactions

• Documents should be prenumbered and accounted for

• Documents should be complete soon after the transaction

• Documents should be understandable, correctly designed including routing and authorizations

• Documents should be prenumbered and accounted for

• Documents should be complete soon after the transaction

• Documents should be understandable, correctly designed including routing and authorizations

• Documents should be designed for multipurpose

• Documents should be designed for multipurpose



• Adequate safeguards over access to and use of assets and records

• Examples include physical: locking rooms, fenced areas, fireproof safes, safe deposit boxes, security guards;

access; backup files and recovery

• Adequate safeguards over access to and use of assets and records

• Examples include physical: locking rooms, fenced areas, fireproof safes, safe deposit boxes, security guards;

access; backup files and recovery



• Independent verification of performance and the accuracy of recorded amounts

• Controls may change or be forgotten about if not followed up on or performed

• Segregation of duties between required

• Independent verification of performance and the accuracy of recorded amounts

• Controls may change or be forgotten about if not followed up on or performed

• Segregation of duties between required


accountingsystems

the controlenvironment

control procedures

What are the elements ofWhat are the elements ofinternal control?internal control?


ControlExamina-

tionOverview Obtain an understanding

of internal control.

HOW?HOW?


ControlExamina-

tionOverview

- review prior year’sworking papers

- interview prior yearauditors

- interview client personnel

- study client policies andprocedures

- study client documents,records, information andcommunication system

Obtain an understandingof internal control.


ControlExamina-

tionOverview How do auditors

document their under-standing of internal

control?


ControlExamina-

tionOverview

- narratives- flowcharts- internal controlquestionnaires

What is aninternal controlquestionnaire?

How do auditors document their under-

standing of internalcontrol?


Internal Control QuestionnaireInternal Control Questionnaire

What are theadvantages provided by

an IC questionnaire?

- a series of questions about internal controls and their application to groupsof accounts and cycles

- generally, a “no” answer indicates aninternal control weakness


What are theadvantages provided by



- can be designed to cover most aspectsof internal control

- is relatively applicable from one en-gagement to another

- when complete, can be quickly re-viewed for weaknesses



- concentrates on pieces of internal con-trol rather than the system as a whole

- has questionable reliability; oral cli-ent responses should be supportedby other evidence

- may be too standardized for someclients, especially smaller clients

What are thedisadvantages of using



Arefinancial statements

auditable?

ControlExamina-

tionOverview


Arefinancial statements

auditable?

ControlExamina-

tionOverview

- management lacksintegrity

- significantly deficientaccounting records orinternal controls

When would theWhen would theanswer be answer be NONO??


ControlExamina-

tionOverview

Assess control risk, basedon understanding.


ControlExamina-

tionOverview

Assess the cost/benefit offurther enhancing under-

standing of internal control.


ControlExamina-

tionOverview

- maximum:poor controls indicatea very risky situationor more efficient to do 100% substantive audit

max. support low

Assesscontrol

risk.


ControlExamina-

tionOverview

- maximum:poor controls indicatea very risky situation ornot efficient

- supportable:risk is at a levelsupported byunderstanding obtained

max. support low

Assesscontrol

risk.


ControlExamina-

tionOverview

- supportable:risk is at a levelsupported byunderstanding obtained

- low:effective controls indi-cate a lower level of riskthat could be supported

max. support low

Assesscontrol

risk.


ControlExamina-

tionOverview

Plan & perform tests of controls.


ControlExamina-

tionOverview

Decidewhether the initial

internal control assessmentwas appropriate.


ControlExamina-

tionOverview

Based on appropriatelevel of detection risk,

perform substantive tests.

When should weaknesses be When should weaknesses be reported to the clientreported to the client??

When should weaknesses be When should weaknesses be reported to the clientreported to the client??

When there are significant deficiencies in the design or operation of internal control.

GAAS requires the auditor to communicate(oral or written) with the

audit committee regarding the significantdeficiencies.

Two Basic Audit ApproachesTwo Basic Audit Approaches

• Substantive Approach– Used when decide not to

rely on internal controls or not cost effective to do so

– CR=Max, DR=Low

– No test of controls required

– Extent of evidence will be high

• Substantive Approach– Used when decide not to

rely on internal controls or not cost effective to do so

– CR=Max, DR=Low

– No test of controls required

– Extent of evidence will be high

• Combination Approach– Used when auditor can

rely on internal controls for a specific assertion

– CR=below Max, DR=Med-High

– Extent of evidence will be medium to low

– Need to not only understand IC system but also do test of controls to support assessment level below max

• Combination Approach– Used when auditor can

rely on internal controls for a specific assertion

– CR=below Max, DR=Med-High

– Extent of evidence will be medium to low

– Need to not only understand IC system but also do test of controls to support assessment level below max

Auditing 81.3550 Internal Control Studies & Risk Assessment Chapter 9 Internal Control Studies &...

Documents

Transcript of Auditing 81.3550 Internal Control Studies & Risk Assessment Chapter 9 Internal Control Studies &...