Accounting, auditing - Chapter 8: Understanding the internal control structure and assessing control risk


CHAPTER 8
UNDERSTANDING THE INTERNAL CONTROL STRUCTURE AND ASSESSING CONTROL RISK

Copyright © 2003 McGraw-Hill Australia Pty Ltd. PPTs t/a Auditing and Assurance Services in Australia by Gay & Simnett. Slides prepared by Roger Simnett.

AUDIT STRATEGY AND INTERNAL CONTROL STRUCTURE
To reach a conclusion on reliability of underlying accounting data, the auditor can:
• Test the accounting data (substantive approach).
• Perform procedures to review and evaluate the internal control structure to see whether accounting data was developed under conditions likely to ensure accuracy and reliability (lower assessed level of control risk approach).
Auditor adopts the best combination of these approaches.

STRUCTURE OF AND RESPONSIBILITY FOR INTERNAL CONTROL
Internal control structure is:
• Management’s philosophy and operating style, and all the policies and procedures adopted by management to assist in achieving the entity’s objectives
Management is responsible for establishing, maintaining and monitoring the internal control structure.

INHERENT LIMITATIONS OF INTERNAL CONTROL STRUCTURE
Inherent limitations arise because of:
• Control breakdowns as a result of the actions of careless, fatigued or deviant staff
• The possibility of management override
• The existence of non-routine transactions for which internal controls were not devised

REASONABLE ASSURANCE
Internal control structure should be designed to provide reasonable assurance that assets are safeguarded and accounting records are reliable.
Concept of reasonable assurance recognises that, in some cases, cost of establishing and maintaining controls can outweigh benefits of adopting controls.

OBJECTIVES OF INTERNAL CONTROL STRUCTURE
Management controls:
• Risks are identified and minimised
• Management decision making is effective and business processes efficient
Transaction controls:
• Transactions are carried out in accordance with management’s general or specific authorisations
• Transactions are promptly and accurately recorded so as to allow the preparation of financial reports
• Access to assets limited in accordance with authorisation
• Asset records are compared with existing assets at reasonable intervals

MANAGEMENT CONTROLS
Management controls include activities such as:
• Communicating business objectives and goals
• Establishing lines of authority and accountability
• Establishing and enforcing appropriate codes of corporate conduct
• Monitoring both external and internal risk environments
• Defining policies and procedures for dealing with these risks
• Monitoring performance of key segments of the entity through performance indicators and benchmarking

TRANSACTION CONTROLS
Performed by staff and lower level management.
Every transaction goes through the identifiable steps of authorisation, execution and recording.
Accuracy and reliability of transaction records depend on:
• Authorisation and approval — Transactions appropriately authorised.
• Occurrence — Recorded transactions represent events that occurred.
• Completeness — All authorised transactions are recorded.
• Measurement — Transactions are accurately recorded in proper amounts, proper account classification and proper accounting period.
• Safeguarding — Access is restricted to authorised personnel.
• Reconciliation — Recorded amounts are periodically reconciled with counts of assets.

CHARACTERISTICS OF A SATISFACTORY INTERNAL CONTROL STRUCTURE
• Controls to monitor and minimise business risks
• Segregation of incompatible duties and responsibilities
• System of authorisation, recording and procedures to provide control over assets, liabilities, revenues and expenses
• Sound business practices in performance of duties and functions
• Capabilities commensurate with responsibilities

ELEMENTS OF THE INTERNAL CONTROL STRUCTURE
• Control environment
• Information system
• Control procedures

CONTROL ENVIRONMENT
The control environment includes management’s overall attitude, awareness and actions regarding internal control and its importance in the entity.
AUS 402.04/ISA 400.08

CONTROL ENVIRONMENT EVALUATION
The auditor should consider:
• Management’s philosophy and operating style
• Entity’s organisational structure
• Assignment of authority and responsibility
• Existence and effectiveness of internal audit
• Use of information technology
• Competence and integrity of entity’s human resources
• Existence and effectiveness of audit committee

INFORMATION SYSTEM
Consists of methods and records established to:
• Identify, assemble, analyse, classify, record and report exchange transactions and relevant events and conditions; and
• maintain accountability for entity’s assets, liabilities, revenues and expenditures.

CONTROL PROCEDURES
Includes both policies and procedures that management has established to ensure its directives are carried out. Control procedures are added to the accounting system to ensure that system produces accurate and reliable data.

EVALUATING CONTROL PROCEDURES
The auditor will be interested in control procedures aimed at ensuring internal control objectives concerning:
• Authorisation and approval, e.g. control of access
• Occurrence, e.g. proper use of documents
• Completeness, e.g. accounting for sequence of pre-printed documents
• Measurement, e.g. use of control totals
• Safeguarding, e.g. physical protection
• Reconciliations, e.g. inventory counts

INTERNATIONAL DEVELOPMENTS
In 1992, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in the USA identified an extended set of internal control procedures.
The five components of internal control structure identified by COSO are:
• Control environment
• Monitoring
• Risk assessment
• Information and communication
• Control activities

IAASB AUDIT RISK SUBCOMMITTEE
Considering revision of applicable auditing standards to reflect strategic business risk approach. Approach appears to:
• Enhance required understanding of internal control
• Include requirement to evaluate internal control for:
    • significant risks; and
    • other risks for which it is not practicable or possible to reduce audit risk to an acceptably low level using substantive procedures.
Significant change to current standards, where the auditor does not have to evaluate internal controls if control risk is set at high.

CONSIDERING THE INTERNAL CONTROL STRUCTURE IN A FINANCIAL REPORT AUDIT
For every audit, irrespective of intended reliance on IC, the auditor must obtain sufficient understanding of internal control structure to plan audit and determine tests to be performed.
The nature and extent of auditor’s consideration of internal control structure varies considerably across audits and depends on audit strategy.

STEPS IN AUDITOR’S CONSIDERATION OF INTERNAL CONTROL STRUCTURE
Fig. 8.2 Steps in auditor’s consideration of the internal control structure (p. 338)

UNDERSTANDING THE CONTROL ENVIRONMENT
Auditor gains understanding of control environment by:
• Making enquiries of key management personnel
• Inspecting documented policies and procedures
• Observing activities and operations
• Considering past experience with client

UNDERSTANDING THE INFORMATION SYSTEM
Auditor required to obtain sufficient knowledge of information system to understand:
• Major classes of transactions
• Initiation of transactions
• Records, documents and accounts
• Accounting processing
• Financial reporting procedures

UNDERSTANDING THE CONTROL PROCEDURES
An auditor is required to obtain an understanding sufficient to develop an audit plan (AUS 402.23/ISA 400.20).
Procedures include:
• Discussion with client management and staff
• Inspection of documentation
• Observation of the entity’s activities, operations and procedures
• Walkthrough - auditor traces one or a few transactions of each type through the related documents and accounting records, observing related processing and control procedures in operation

PROCEDURES TO DOCUMENT UNDERSTANDING OF INTERNAL CONTROL STRUCTURE
• Internal control questionnaires and checklists
• Narrative memoranda
• Flowcharts

ASSESSMENT OF CONTROL RISK AS HIGH
Control risk will be assessed as high when:
• Entity does not have internal controls that relate to specific assertion;
• Testing of internal controls is likely to indicate internal controls are weak; or
• Testing of internal controls is not the most efficient method of obtaining audit evidence.

ASSESSING CONTROL RISK AS LESS THAN HIGH
For each assertion where control risk is assessed as less than high:
• Tests of controls need to be performed to ensure design and operation of control is adequate to support lowered assessed level of control
• Detection risk is assessed as higher, and as a result fewer substantive procedures are expected to be performed

LEVELS OF CONTROL IN COMPUTERISED SYSTEMS
Two main categories:
• User controls: those controls established and maintained by departments whose processing is performed by computer.
• CIS controls: those controls established and maintained in the location of the computer, for example in data-processing departments.

CIS CONTROLS AND GENERAL AND APPLICATION CONTROLS
CIS controls can be further divided into general and application controls; general controls if they relate to a number of application systems, application controls if they relate to a particular application.
User controls are always application controls, given their purpose.

GENERAL CONTROLS
Manual and computer controls that relate to all or many computerised accounting applications to provide a reasonable level of assurance that overall objectives of internal control are achieved.
General controls include:
• Segregation of duties
• Control over programs
• Control over data

SEGREGATION OF DUTIES
Auditor especially interested in:
• Separation between CIS and user department functions
• Separation of incompatible functions within CIS department, especially those with an understanding of system from those with access to system

SEGREGATION OF DUTIES WITHIN CIS
Table 8.1 Segregation of duties within CIS (p. 352)

Separate: Knowledge (those with an understanding of systems and programs)
Positions within CIS department:
• CIS manager
• Systems analysts
• Applications programmers

Separate: Access (those with access to the computer, production programs and data files)
Positions within CIS department:
• Computer operators
• Data-entry clerks (no access to computer console, data control records or programs)
• Data-control clerks (no access to computer console)
• Librarian (no access to computer console)
• Systems programmers*

* The position of systems programmer must have access to perform the function. Systems programmers should have no detailed knowledge of the company’s accounting systems or application programs.

CONTROL OVER PROGRAMS
Includes control over:
• Development or acquisition of new programs
• Changes to existing programs
• Access to programs
• Systems software

CONTROL OVER DATA
• Control procedures in user departments to ensure restricted access (e.g. key passes)
• Control procedures in CIS departments at input and processing stage
• Restriction of access to data files (e.g. password)

OTHER GENERAL CONTROLS
These include controls that back up hardware, software and files and ensure recovery when computer installation or particular files or programs are damaged.
These do not normally have an effect on an auditor’s control risk assessment.

APPLICATION CONTROLS
• Relate to individual computerised accounting applications (e.g. debtors)
• Contribute to achievement of specific control objectives considered by auditor in tests of controls
• Can be programmed or manual and located in either the user departments or CIS department

USER DEPARTMENT APPLICATION CONTROLS
• Control totals:
    • Financial totals
    • Record totals
    • Hash totals
• Review and reconciliation of data
• Error correction and resubmission procedures
• Authorisation of each transaction and batch of transactions

CIS APPLICATION CONTROLS
Usually classified in the following categories:
• Input
• File
• Processing
• Output

INPUT CONTROLS
• Control totals
• Key verification
• Key entry verification
• Programmed controls:
    • Check digit
    • Limit or reasonableness test
    • Field test
    • Valid code test

FILE CONTROLS
Include:
• Internal file labels — computer-readable data that identifies content of file
• External file labels — printed or handwritten labels attached to disk or tape

PROCESSING CONTROLS
Programmed control procedures:
• Checking numerical sequence of records
• Comparing related fields
• Run-to-run control totals

OUTPUT CONTROLS
These include:
• Restricted distribution
• Automatic dating of reports
• Page numbering
• End-of-report messages

RELATIONSHIP BETWEEN THE REVIEW OF GENERAL AND APPLICATION CONTROLS
Should start internal control evaluation by looking at general controls.
If general controls are unreliable, auditor has little confidence in programmed application controls and reduced confidence in manual application controls => auditor takes more substantive approach to the audit.
If general controls are reliable, auditor makes preliminary evaluation of application controls. If reliance on application controls is then planned, a more detailed evaluation of these controls is made => auditor determines appropriate degree of testing of controls and substantive testing.

CONTROL SYSTEMS IN DIFFERENT ENVIRONMENTS: DATABASE SYSTEMS
A database is a computer-readable file of records that is used by many accounting applications.
In order to handle processing of data, a system software program called a database management system (DBMS) is used.
Guidance on auditing database systems is contained in AGS 1022/IAPS 1003.

STAND-ALONE PC SYSTEMS
In such systems the distinction between general and application controls might be blurred and controls might be less structured. For this reason control risk might be assessed at maximum level.
Guidance on auditing stand-alone PC systems is contained in AGS 1018/IAPS 1001.

LANS AND OTHER NETWORKS
Networking PCs means that processing is distributed to PCs at many locations. This can cause problems with security and control procedures as they are more dispersed and intensify control risk.

COMPUTER SERVICE BUREAU
Computer service bureau is a centre or service entity that performs computer applications for another company.
A common application processed through a service entity is payroll.
AUS 404/ISA 402 provides an auditor with guidance on audit implications of using a computer service entity.

CONSIDERING THE WORK OF AN INTERNAL AUDITOR
AUS 604/ISA 610 recognises that an external auditor is able to use the work of an internal auditor to assist in an audit engagement.
Extent of reliance is dependent on evaluation of internal audit function by external auditor.

DIFFERENCES BETWEEN INTERNAL AND EXTERNAL AUDITOR
These differences are:
• Objectives
• Independence
• Qualifications of each of the auditors
For an external audit, each of these elements is regulated by the Corporations Act, while they are determined by management for an internal audit.

EVALUATING INTERNAL AUDIT
External auditors should consider:
• Organisational status
• Scope of internal auditing
• Technical competence
• Due professional care

USING THE SERVICES OF INTERNAL AUDIT
Overall responsibility for audit engagement remains with external auditor.
External auditor is required to undertake general evaluation as part of review of IC structure.
If external auditor plans to rely on internal audit, they should carefully review internal auditor’s working papers and procedures to ensure testing is sufficient to meet their requirements, and that conclusions outlined in working papers are appropriate.
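
The control totals, programmed input controls and sequence checks listed in the slides on user department application controls, input controls and processing controls can be sketched as follows. This is an added example, not part of the original slides; the record layout, the type codes, the amount limit and the use of the Luhn algorithm as the check-digit scheme are assumptions made for illustration.

```python
from decimal import Decimal

VALID_TYPES = {"INV", "CRN"}          # assumed transaction type codes
AMOUNT_LIMIT = Decimal("10000.00")    # assumed reasonableness limit

# Constructed batch: (document number, type code, account number, amount)
BATCH = [
    (1001, "INV", "40014", Decimal("250.00")),
    (1002, "INV", "40022", Decimal("1200.50")),
    (1003, "CRN", "40030", Decimal("75.25")),
]

def control_totals(records):
    """Totals taken by the user department before the batch is submitted."""
    return {
        "financial": sum((r[3] for r in records), Decimal("0")),
        "records": len(records),
        # Hash total: sum of a field with no monetary meaning, so that a
        # change to an account number is caught even if amounts agree.
        "hash": sum(int(r[2]) for r in records),
    }

def reconcile(expected, actual):
    """Run-to-run comparison: names of the totals that no longer agree."""
    return [name for name in expected if expected[name] != actual[name]]

def missing_documents(records):
    """Completeness: gaps in the pre-printed document number sequence."""
    seen = {r[0] for r in records}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def check_digit_ok(number):
    """Luhn check digit (assumed scheme); catches most keying transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def input_edits(record):
    """Programmed input controls; returns the names of the tests that fail."""
    _, type_code, account, amount = record
    failed = []
    if not (account.isascii() and account.isdigit()):
        failed.append("field test")         # non-numeric data in numeric field
    elif not check_digit_ok(account):
        failed.append("check digit")
    if type_code not in VALID_TYPES:
        failed.append("valid code test")
    if not Decimal("0") < amount <= AMOUNT_LIMIT:
        failed.append("limit test")
    return failed
```

A record whose account number is re-keyed to another valid account passes every input edit and leaves the financial and record totals unchanged; only the hash total disagrees on reconciliation.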
