Audit Reporting on Internal Control

Rittenberg/Schwieger/Johnstone
Auditing: A Business Risk Approach
Sixth Edition
Chapter 6
Internal Control over
Financial Reporting
Copyright © 2008 Thomson South-Western, a part of the Thomson Corporation. Thomson, the Star logo,
and South-Western are trademarks used herein under license.
1
Comment on the Quality of an
Organization’s Internal Controls
• The quality of an organization's internal controls affects the reliability of its financial reporting—and its ability to make good decisions and stay in business
• Internal control processes must effectively address risks that are present in the industry and in the organization
• Auditors gain an understanding of their client's control system in order to
  ◦ Better understand the client, its risks, and how it manages those risks
  ◦ Assess control risk and identify types of most likely misstatements
  ◦ Plan extent of substantive testing needed
  ◦ Report on effectiveness of internal controls (publicly-held companies)
2
Define Internal Controls
Internal control is a process designed to provide reasonable assurance of achieving the following:
• Generating reliable financial accounting information
• Safeguarding assets
• Complying with applicable laws and regulations
• Operating efficiently and effectively
3
Review the Need for Control
• Control is part of corporate governance whereby the owners and creditors of an organization exert control and require accountability for its resources
• Governance begins with stockholders, who delegate certain responsibilities to the board of directors and in turn to management
• That delegation must occur within a framework of control and accountability
• The control system exists to ensure that
  ◦ Responsibilities are properly identified
  ◦ Tasks are assigned in accordance with responsibilities and accountability
4
Who Is Interested in an
Organization's Control System?
• Board of directors and the audit committee
• Management
• Regulators
• Internal and external auditors
• Suppliers and customers
• Investors and creditors
• Customers or others using the Web for commerce
5
Review the Components of an
Internal Control System
An internal control system consists of five components:
• Control environment: overall attitude, awareness, and actions of significant internal groups to maintain a well-controlled organization (tone at the top)
• Risk assessment: process designed to identify and manage risks that may affect its ability to achieve its objectives
• Control activities: policies and procedures established by management to help ensure that internal control objectives are achieved and risks mitigated
• Information and communication: process of identifying, capturing, and exchanging information in a timely fashion to enable the organization to achieve its objectives
• Monitoring: process that assesses the quality of internal controls over time
6
What are the components of an
internal control system?
There is a logical loop to an organization's internal controls, starting with
1. Design of the control environment
2. Identification of organizational risks and controls to minimize those risks
3. Design and implementation of controls and a communication system
4. Monitoring of the effectiveness of the controls to mitigate risk
7
Discuss Understanding & Assessing
the Control Environment
Factors an auditor should look at when evaluating an organization's control environment:
• Management's philosophy and operating style
• Organizational structure, including assignment of authority and responsibility
• Board of directors and audit committee
• Human resource policies and practices
• Integrity and ethical values
• Commitment to competence
• Compensation and evaluation programs
• Effectiveness of the internal audit function
8
Reporting on Internal Control: Management Reports to External Parties
• The Sarbanes-Oxley Act of 2002 requires publicly held companies to report on the effectiveness of their internal controls over financial reporting
• The report must include the following:
  ◦ Statement of management's responsibility for establishing and maintaining effective internal controls over financial reporting
  ◦ Identification of the framework used by management to evaluate internal controls
  ◦ Assessment of the effectiveness of the company's internal controls
  ◦ Description of any material deficiencies in internal control
  ◦ Statement that the report has been audited
• The external auditor must attest to management's report
9
Reporting on Internal Control:
Internal Management Reports
• Management often requests reports on the quality of its internal controls in order to ensure the company can achieve its major objectives and is not exposed to unnecessary risks
• Management receives reports from three sources:
  ◦ Ongoing monitoring reports from operations
  ◦ Internal audit reports
  ◦ External audit reports
10
Audit Reporting on Internal
Control
• External auditors of non-public companies must report significant internal control deficiencies to management
  ◦ Such reports are for management's use
  ◦ Not intended to be distributed to the public
• External auditors of public companies must go beyond the report to management and also report on management's assertion regarding the effectiveness of internal controls over financial reporting
  ◦ Includes an opinion on the client's internal controls
  ◦ Included in the company's annual report
11
Audit Reporting on Internal
Control
In performing an audit of controls, the auditor must
• Review client documentation including how controls are supposed to work (design)
• Review client testing of controls (operations)
• Determine which controls to test, sample sizes, and how to judge whether a control is operating effectively
• Reach a conclusion about the effectiveness of client internal controls over financial reporting
12
Audit Reporting on Internal
Control (continued)
The PCAOB's proposed report on internal controls would include a(n):
• Description of internal control, its objectives, and inherent limitations
• Definition of material deficiency in internal control
• Description of all material deficiencies found
• Opinion regarding effectiveness of company's internal controls
13
Audit Reporting on Internal
Control (continued)
• According to the Sarbanes-Oxley Act, if an auditor identifies significant or material deficiencies in internal control,
  ◦ Those deficiencies must be reported to both management and the audit committee
  ◦ Deficiencies must be reported to the audit committee even if management has addressed the deficiency and implemented new controls
• The stated intent of the Sarbanes-Oxley Act is to ensure boards of directors understand they have a responsibility to improve the governance of the organization
14
Discuss Relationship of Controls
to Auditing
• A minimum level of control is necessary for an entity to be auditable
• The quality of internal controls affects operating effectiveness and, ultimately, the organization's ability to remain a going concern
• The quality of internal controls drives the audit approach and amount of testing
• Analysis of control deficiencies helps identify the types of likely misstatements
• Inadequate controls may place an organization in violation of federal laws
• Auditor is required to attest to management's assessment of the effectiveness of internal control over financial reporting for all public companies
15
Review Accounting Information
Systems
• Accounting systems capture, record, summarize, and report information
• An accounting information system is typically not one big system, but a network of smaller accounting applications/subsystems
  ◦ Each application processes a unique type of transaction. Examples: sales, accounts receivable, accounts payable, cash receipts, cash disbursements, payroll, inventory, etc.
  ◦ Each application has its own unique source documents, processes, and controls
  ◦ The quality of internal control can vary between applications
  ◦ The auditor develops an understanding of how transactions are entered and processed, and the controls for each significant accounting application
16
Discuss Internal Control & Financial
Statement Account Balances
• Auditor assesses control risk for each relevant assertion for each important class of transactions and account balance as a basis for planning the audit
• Auditor needs to understand and evaluate the internal control design for all important accounting applications
• Auditor needs to evaluate the effectiveness of internal control over financial reporting for accounting applications that process material transactions
17
Discuss Internal Control & Financial
Statement Account Balances
• Auditor has to evaluate controls in systems that
  ◦ Record revenue
  ◦ Deal with significant estimates
  ◦ Process journal entries near the end of the year to close the books
  ◦ Deal with off-statement financing or related party transactions
• Auditor needs to jointly assess the organization's control environment and the specific accounting system controls to evaluate the risk of material deficiency in internal control
• To conclude internal controls are effective, auditor must obtain evidence that the control structure is soundly designed AND operating effectively
18
Review Assessing the Effectiveness
of Control Procedures
• Management designs and implements specific control procedures to ensure that the company will achieve its control objectives - and if the control objectives are achieved, the management assertions are likely to be valid, and the account balance and transactions properly recorded
• The auditor assesses the organization's control procedures within a framework of control objectives and management assertions
• In order to perform this assessment, the auditor must understand the accounting processes within each system, the related accounts, and the risk associated with incorrect processes
• With this knowledge, the auditor can identify which management assertions and control objectives are most likely to be violated
• From this, the auditor can identify appropriate control procedures that can then be assessed for effectiveness in design and operation
19
Discuss Overview of Controls Testing
- Pervasive Control Activities
Some control procedures are found in almost all accounting systems:
• Segregation of incompatible duties
• Authorization procedures
• Documented transaction trail
• Physical controls to limit access to assets
• Independent reconciliation
• Competent, trustworthy employees
20
Comment on Control Effectiveness
and Control Risk Assessment
Process for evaluating controls:
• Phase 1: Obtain an understanding of risks and internal controls
• Phase 2: Make a preliminary assessment of control risk and decide whether to test operation of control procedures
• Phase 3: Test operating effectiveness of controls
• Phase 4: Based on the results of testing, determine whether to revise the assessment of control risk and incorporate this revision into the substantive testing
21
Phase One: Obtain an
Understanding
• Auditor needs to gain an understanding of how each significant accounting application operates and the control procedures used
• The auditor gathers evidence by
  ◦ Performing walkthroughs of the accounting system and processing procedures
  ◦ Making inquiries of management, and accounting and operational employees
  ◦ Taking plant and operational tours
  ◦ Reviewing client documentation including accounting manuals and program and system descriptions
  ◦ Reviewing prior year audit work papers
• The auditor documents his/her understanding using flowcharts, questionnaires, and narratives
22
Phase Two: Make Preliminary
Assessment of Control Risk
• After gaining an understanding, the auditor makes a preliminary assessment of control risk - this assessment is crucial because it drives the planning for the rest of the audit
• The relationship between the assessed level of control risk and the rigor of the subsequent substantive testing is inverse:
  ◦ If control risk is assessed as high,
    ▪ No reliance is placed on the client's internal controls
    ▪ The amount and rigor of substantive testing must be increased
  ◦ If control risk is assessed as low
    ▪ The auditor would like to rely on the client's internal controls
    ▪ The amount and rigor of substantive testing may not have to be increased
    ▪ However, the auditor must test the controls to make sure they are operating effectively
23
Phase Three: Perform Tests
of Controls
• The preliminary assessment of control risk is based on the auditor's understanding of the control system and how it has operated in the past
• When control risk is assessed low, and the auditor intends to rely on the client's controls, the auditor may reduce (or not increase) the amount of substantive testing
• To ensure that the auditor's reliance on the client's control is warranted, the auditor must test the control to make sure it is operating effectively
• Guidance on Sample Size for Testing Controls
• Testing Controls Across Multiple Locations
• Dual Purpose Tests
• Assessing Control Risk as Moderate
24
Phase Four: Update Assessment of
Control Risk & Need for
Substantive Testing
If testing indicates the control is not
operating effectively, the auditor will revise
the preliminary assessment of control risk
and incorporate this revision into the
subsequent substantive testing
25