Internal Control
and Control Risk
Chapter 9
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9-1
Learning Objective 1
Contrast management’s need for
internal control with the auditor’s
need to consider internal control
when designing an audit.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9-2
Key Concepts
Management’s
Responsibility
Reasonable
Assurance
Inherent
Limitations
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9-3
Client’s Concerns
Reliability of financial reporting
Efficiency and effectiveness of operations
Compliance with applicable laws
and regulations
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9-4
Auditor Concerns
Controls related to reliability of
financial reporting
Controls over classes of transactions
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9-5
Sales Transaction-Related
Audit Objectives
Objective – General Form Related Audit Objectives
Recorded transactions
Sales are for shipments
exist (existence).
to existing customers.
Existing transactions are Existing sales transactions
recorded (completeness).
are recorded.
Transactions are stated
Sales for goods shipped
correctly (accuracy).
are correctly billed.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9-6
Sales Transaction-Related
Audit Objectives
Objective – General Form Related Audit Objectives
Transactions are properly
Sales transactions are
classified (classification).
properly classified.
Transactions are recorded Sales are recorded on the
on correct dates (timing).
correct dates.
Transactions are properly
Sales transactions are
filed (posting and
properly included in the
summarization).
master files.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9-7
How Frauds Have
Been Discovered
Notification by employee
58%
Internal controls
Internal auditor
Customer notification
51%
43%
41%
Accidental discovery
37%
Management investigation
35%
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9-8
How Frauds Have
Been Discovered
Anonymous reporting
35%
Hot line notification
25%
Employee investigation
21%
Government notification
External auditor
Other sources
16%
4%
20%
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9-9
Learning Objective 2
Describe how information
technology affects
internal control.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 10
Effect of Information
Technology on Internal Control
Information Technology
IT can improve
the effectiveness
and efficiency of
internal controls.
IT also enhances
the timeliness
and accuracy
of information.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 11
Risks Associated With the Use
of Information Technology
Programmed errors
Processing incorrect data
Unauthorized access
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 12
Learning Objective 3
Explain the five components
of internal control.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 13
Five Components
of Internal Control
Control Environment
Risk
Assessment
Control
Activities
Information and
Monitoring
Communication
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 14
The Control Environment
Integrity and ethical values
Commitment to competence
Board of directors or audit
committee participation
Management’s philosophy
and operating style
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 15
The Control Environment
Organizational structure
Assignment of authority
and responsibility
Human resources
policies and practices
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 16
Risk Assessment
Identify factors affecting risk.
Assess significance of risks
and likelihood of occurrence.
Determine actions necessary
to manage risk.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 17
Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 18
Adequate Separation
of Duties
Custody of assets
Accounting
Authorization
of transactions
Operational
responsibility
IT Duties
The custody of
related assets
Record-keeping
responsibility
User departments
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 19
Proper Authorization of
Transactions and Activities
General authorization
Specific authorization
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 20
Adequate Documents
and Records
Prenumbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple uses
Constructed to encourage correct preparation
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 21
Physical Control over
Assets and Records
Physical precautions
Controls related to IT equipment,
programs, and data files
Physical
controls
Access
controls
Backup and
recovery
procedures
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 22
Independent Checks
on Performance
The need for independent checks
arise because internal control tends
to change over time unless there is
a mechanism for frequent review.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 23
Information and Communication
The purpose of an accounting information
and communication system is to…
initiate, record, process, and report the
transactions and to maintain accountability
for the related assets.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 24
Monitoring
Management’s ongoing and periodic assessment
of the quality of internal control performance …
to determine whether controls are operating
as intended and modified when needed.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 25
Learning Objective 4
Explain methods used to
obtain an understanding
of internal control.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 26
Understanding Internal Control
and Assessing Control Risk
Obtain Understanding of Internal Control:
Design and Operation
Assess Control Risk
Test Controls
Decide Planned Detection Risk
and Substantive Tests
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 27
Reasons for Sufficiently
Understanding Internal Control
SAS 55 (as amended by SAS 78 and 594
plus AU319) requires the auditor to
obtain an understanding of internal
control for every audit.
Minimum audit
planning matters
• Auditability
• Potential material
misstatements
• Detection risk
• Design of test
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 28
Procedures to Determine
Design and Placement
Update and evaluate auditor’s previous
experience with the entity.
Make inquires of client personnel.
Read client’s policy and systems manuals.
Examine documents and records.
Observe entity activities and operations.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 29
Documentation of
the Understanding
Narrative
Flowchart
Internal
control
questionnaire
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 30
Learning Objective 5
Assess control risk by linking
strengths and weaknesses of
internal control to transactionrelated audit objectives.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 31
Assess Control Risk
Obtain sufficient understanding for planning.
Assess whether the entity is auditable.
Determine assessed control risk.
Assess if a lower control risk could be supported.
Determine the appropriate assessed control risk.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 32
Assess Control Risk
Identify transaction-related audit objectives.
Identify specific controls.
Identify and evaluate weaknesses.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 33
Identify and Evaluate Weaknesses
Identify existing controls.
Identify the absence of key controls.
Determine misstatements that could result.
Consider compensating controls.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 34
The Control Risk Matrix
Auditors use the control risk matrix to
identify both controls and weaknesses
and to asses control risk.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 35
Communication
Reportable conditions letter
Audit committee communications
Management letters
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 36
Learning Objective 6
Describe the process of designing
and performing tests of controls.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 37
Tests of Controls
The procedures to test effectiveness
of controls in support of a reduced
assessed control risk are called
tests of controls.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 38
Procedures for
Tests of Controls
Make inquiries of client personnel.
Examine documents, records, and reports.
Observe control-related activities.
Reperform client procedures.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 39
Extent of Procedures
Reliance on evidence from prior year’s audit
Testing less than the entire audit period
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 40
Relationship of Assessed Control
Risk and Extend of Procedures
Type of Procedure
Inquiry
Documentation
Observation
Reperformance
Assessed Control Risk
High Level:
Lower Level:
Obtaining an
Tests of
Understanding Only
Controls
Yes – extensive
Yes – with transaction
walk-through
Yes – with transaction
walk-through
No
Yes – some
Yes – using
sample
Yes – multiple
times
Yes – sampling
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 41
Decide Planned Detection Risk
and Design Substantive Tests
The auditor uses the results of the control risk
assessment process and tests of controls to
determine the planned detection risk and
related substantive tests.
The auditor links the control risk assessments
to the balance-related audit objectives.
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 42
End of Chapter 9
©2003 Prentice Hall Business Publishing, Essentials of Auditing 1/e, Arens/Elder/Beasley
9 - 43