Kế toán, kiểm toán - Chapter six: Internal control in a financial statement audit

Internal Control in a Financial Statement AuditChapter SixInternal ControlManagement has the responsibility to maintain controls that provides reasonable assurance that adequate control exists over the entity’s assets and records. The Internal Control System should: -ensure that assets and records are safeguarded -create an environment in which efficiency and effectiveness are encouraged and monitored -generate reliable information for decision-makingThe auditor needs assurance about the reliability of the data generated by the information system. Internal ControlThe auditor uses risk assessment procedures to -obtain an understanding of the entity’s internal control -identify the types of potential misstatements -ascertain factors that affect the risk of material misstatement -design tests of controls and substantive proceduresThe auditor’s understanding of the internal control is a major factor in determining the overall audit strategy. The auditor has a responsibility to: (1) obtain an understanding of internal control and (2) assess control risk.Internal ControlReliability of Financial ReportingEffectiveness & Efficiency of OperationsCompliance with Laws & RegulationsObjectivesControls Relevant to the AuditGenerally, internal controls pertaining to the preparation of financial statements for external purposes are relevant to an audit. Reliability of Financial ReportingEffectiveness & Efficiency of OperationsCompliance with Laws & RegulationsObjectivesControls Relevant to the AuditControls relating to operations and compliance objectives may be relevant when they relate to data the auditor uses to apply auditing procedures. Reliability of Financial ReportingEffectiveness & Efficiency of OperationsCompliance with Laws & RegulationsObjectivesThe Effect of Information Technology on Internal ControlComponents of Internal Control Control EnvironmentEntity’s Risk Assessment ProcessInformation System and Related Business Processes Relevant to Financial Reporting & CommunicationControl ActivitiesMonitoring of ControlsComponents of Internal ControlComponents of Internal ControlThe Effect of Information Technology on Internal ControlThe Entity’s Risk Assessment ProcessThe risk assessment process should consider external and internal events and circumstances that may arise and adversely affect the entity’s ability to initiate, record, process and report financial data consistent with the assertions of management in the financial statements.Changes in the operating environmentNew personnelNew or revamped information systemsRapid growthNew technologyNew business models, products, or activitiesCorporate restructuringExpanded international growthNew accounting pronouncementsClient business risk can arise or change due to the following circumstances:Information Systems and CommunicationAn effective accounting system gives appropriate consideration to establishing methods and records that will:Identify and record all valid transactions.Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.Properly present the transactions and related disclosures in the financial statements.Control ActivitiesControl activities are the policies and procedures that help ensure that management’s directives are carried out. Those control activities that are relevant to the audit include:Performance reviewsInformation processingPhysical controlsSegregation of dutiesMonitoring of ControlsMonitoring of controls is a process that assesses the quality of internal control performance over time. Internal AuditorsAn effective internal audit function has clear lines of authority and reporting, qualified personnel, and adequate resources to enable these personnel to carry out their assigned duties.Planning an Audit StrategyAudit Risk ModelAR = IR × CR × DR In applying the audit risk model, the auditor must assess control risk. The figure on the next slide presents a flowchart of the auditor’s decision process when considering internal control in planning an audit. Planning an Audit StrategySubstantive StrategyAfter obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set control risk at the maximum for some or all assertions because of one or all of the following factors:Controls do not pertain to an assertion.Controls are assessed as ineffective. Testing the effectiveness of controls is inefficient.Reliance StrategyObtain Understanding of Internal ControlPlan to Rely on Internal Control and Assess Control Risk Below MaximumAssertionsObtain an Understanding of Internal ControlIdentify types of potential misstatementsDesign tests of controls and substantive proceduresPinpoint the factors that affect the risk of material misstatementThe auditor should obtain an understanding of each of the five components of internal control in order to plan the audit. This knowledge is used to:Example Information & DocumentationObtain an Understanding of Internal ControlUnderstand the control environment.Understand the entity’s risk assessment process.Understand the information system and communications. Understand control activities.Understand monitoring of controls.Documenting the Understanding of Internal ControlProcedure Manuals and Organisational ChartsNarrative DescriptionInternal Control QuestionnairesFlowchartsThe Effect of Entity Size on Internal ControlWhile the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small or midsize entity than in a large entity.The Limitations of an Entity’s Internal ControlManagement Override of Internal ControlHuman Errors or MistakesCollusionFactors Contributing to FraudAssessing Control RiskIdentify specific controls that will be relied upon.Perform tests of controlsConclude on the achieved level of control risk.Tests of ControlsThe auditor’s assessment of control risk and the basis for the achieved level can be documented using a structured working paper, an internal control questionnaire, or a memorandum.Let’s look at an example from EarthWear Clothiers to see how the control risk for two accounts that differ in terms of their nature, size and complexity is documented.Documenting the Assessed Level of Control RiskSubstantive ProceduresTiming of Audit ProceduresInterimYear EndLet’s look at the EarthWear Clothiers example again to see the timing of their audit procedures. Timing of Audit ProceduresTiming of Audit ProceduresInterim Tests of ControlsAssertion being tested not significantControl has been effective in prior auditsEfficient use of staff timeInterim Substantive ProceduresAssertion probably has low control riskMay increase the risk of material misstatements Still requires some year end testingAuditing Accounting Applications Processed by Service OrganisationsIn some instances, a client may have some or all of its accounting transactions processed by an outside service organisation.Because the client’s transactions are subjected to the controls of the service organisation, one of the auditor’s concerns is the internal control system in place at the service organisation.It is not uncommon for service organisations to have an auditor issue one of two types of reports on their operations. Auditing Accounting Applications Processed by Service OrganisationsReport Type 1Describes the service organisation’s controls and assesses whether they are suitably designed to achieve specified internal control objectives. Report Type 2Goes further by testing whether the controls provide reasonable assurance that the related control objectives were achieved during the period. An auditor may reduce control risk below the maximum only on the basis of a service auditor’s report that includes tests of the controls.Communication of Deficiencies in Internal ControlDeficiencyA control designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or (2) a control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing.A significant deficiency in internal control is a deficiency or combination of deficiencies in internal control that, in the auditor’s professional judgement, is of sufficient importance to merit the attention of those charged with governance.Significant DeficiencyCommunication of Deficiencies in Internal ControlAuditing standards (ISA 265) require that the auditor communicates in written significant control deficiencies to those charged with governance and management. The auditor should also communicate to management other control deficiencies judged to be of sufficient importance to merit management’s attention.CommunicationExamples of Reportable Conditions Types of Controls in an IT EnvironmentComputer-Assisted Audit TechniquesComputer-assisted audit techniques (CAATs) include: Generalised audit software packages. Custom audit software. Test data.Generalized Audit SoftwareCustom Audit SoftwareCustom audit software is generally written by auditors for specific audit tasks. It may be required when the client’s computer system is not compatible with the auditor’s generalized audit software.Custom software: Is expensive to develop. Requires extended development time. May require extensive modification if the client changes its accounting application programs.Test DataTest data are developed by the auditor to test the application controls in the client’s computer programs. The technique can be used to check (1) data validation controls and error detection routines, (2) processing logic controls, (3) arithmetic calculations, and (4) the inclusion of transactions in records, files, and reports.Flowcharting SymbolsEnd of Chapter 6