Welcome to… ACCG340 Auditing and Assurance Services
Session 4
• Financial report assertions
• Internal controls
• Tests of controls

Learning objectives
1. Explain financial report assertions and relate business risks to specific assertions at risk
2. Outline the relevance of internal control to an auditor
3. Explain types of internal control and design appropriate mitigating controls in response to assessed risks for various scenarios
4. Explain tests of controls and develop appropriate specific practical tests of controls
5. Relate controls (and tests of controls) with specific assertions

AUDIT PROCESS
1. Pre-engagement activities
   1.1 Accept / reject new client
   1.2 Established terms of engagement
   1.3 Engagement letter
2. Planning activities
   2.1 Obtain knowledge of the business
       2.1.1 Preliminary analytical procedures
   2.2 Appraisal of risks, including fraud risk, going concern
   2.3 Estimate of materiality
   2.4 Review of control components
       2.4.1 Preliminary evaluation of control environment
   2.5 Develop overall audit plan (i.e. develop an audit strategy) in response to risks
       2.5.1 Determine reliance on internal controls
       2.5.2 Determine extent and nature of testing
       2.5.3 Write audit plan
   2.6 Assignment of staff
3. Audit evidence
   3.1 Tests of control
       3.1.1 Conduct tests
       3.1.2 Make final evaluation of internal control
       3.1.3 Modify audit approach
   3.2 Substantive testing activities
       3.2.1 Conduct substantive tests of transactions and balances
       3.2.2 Conduct substantive analytical procedures
       3.2.3 Evaluate results of substantive procedures
       3.2.4 Modify audit approach
   3.3 Obtain representations
       3.3.1 Management
       3.3.2 Solicitors
       3.3.3 Bank
4. Opinion formulation and reporting activities
   4.1 Review financial report
   4.2 Review audit results
   4.3 Subsequent events
   4.4 Fraud and error
   4.5 Related party transactions
   4.6 Formulate audit opinion
   4.7 Draft issue reports
5. Continuous activities
   5.1 Supervise conduct of examinations
   5.2 Review work of assistants
   5.3 Consider appropriateness of continuing relationship with client
   5.4 Make required special communication
       5.4.1 Material weaknesses of internal accounting control
       5.4.2 Material errors or irregularities
   5.5 Consult with appropriate persons in connection with special problems
   5.6 Document work performed, findings, and conclusions in appropriate working papers
   5.7 Consider going concern

Financial report assertions

Top down audit approach (Business risk analysis and response)
Business (external and internal environment factors) → Financial Report → Account → Assertion
Assertion: Representations made by management, explicit or otherwise, that are embodied in the financial report, as used by the auditor to consider different types of potential misstatements that may occur

Financial report assertions ASA315.A128
• About classes of transactions and events, and related disclosures for the period under audit (income statement accounts and related disclosures):
Assertion | Definition
Occurrence | Transactions and events that have been recorded or disclosed have occurred, and such transactions and events pertain to the entity
Completeness | All transactions and events that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included
Accuracy | Amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and described
Cut-off | Transactions and events have been recorded in the correct accounting period
Classification | Transactions and events have been recorded in the proper accounts
Presentation | Transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework.

Financial report assertions ASA315.A128
• About account balances, and related disclosures at period end (balance sheet accounts and related disclosures):
Assertion | Definition
Existence | Assets, liabilities, and equity interests exist.
Rights and obligations | The entity holds or controls the rights to assets, and liabilities are the obligations of the entity
Completeness | All assets, liabilities and equity interests that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included.
Accuracy, valuation and allocation | Assets, liabilities, and equity interests have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments have been appropriately recorded, and related disclosures have been appropriately measured and described.
Classification | Assets, liabilities and equity interests have been recorded in the proper accounts.
Presentation | Assets, liabilities and equity interests are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework.

Auditor response to risk of material misstatement
• Response at overall (financial report) level
• Response at assertion level
  – Develop and undertake audit procedures related to specific assertions to reduce risk of material misstatement for a specific assertion to an acceptable level

Illustrative assertions and audit objectives for inventory
Assertion | Illustrative audit objectives
Existence
• Inventories included in the balance sheet physically exist.
• Inventories represent items held for sale in normal course of business.
Rights and obligations
• Company has legal title or similar rights of ownership to the inventories
• Inventories exclude items billed to customers or owned by others.
Completeness
• Inventory quantities as per the accounting records include all products, materials and supplies owned by the company that are on hand.
• Inventory quantities include all products, materials and supplies owned by the company that are in transit or storage at all locations.
Accuracy, valuation and allocation
• Inventories are properly stated at cost (except when the net realisable value is lower).
• Slow-moving, excess, defective and obsolete items included in inventories are properly identified and valued.

Lecture discussion question 1
What is the key account and key assertion that is affected by each of the following accounting issues?
• Excessive bad debts
• Inventory purchased in foreign currencies
• Unusual lengthening of the useful lives of assets
• Complex payroll calculations
• Customers cancelling sales orders
• Prepayment of insurance premiums

Lecture discussion question 1 (cont.)
Response discussion points
Issue | Account: assertion
Excessive bad debts |
Inventory purchased in foreign currencies |
Unusual lengthening of the useful lives of assets |
Complex payroll calculations |
Customers cancelling sales orders |
Prepayment of insurance premiums |

Internal control

Steps in the planning process

Internal control (IC)
IC is the process designed and implemented by management to address (minimise) identified significant business risks that threaten the achievement of entity’s objectives in relation to:
• reliability of financial reporting
• effectiveness and efficiency of its operations
• compliance with applicable laws and regulations.

Why auditors study entity’s internal control
• Required by standards to obtain an understanding of internal control relevant to the audit (ASA 315.12)
• The assessed risk of material misstatement at the financial report level is affected by auditor’s understanding of the control environment (ASA 315.A81)
• In making risk assessments, the auditor may identify the controls that are likely to prevent, or detect and correct, material misstatement in specific assertions (ASA 315.A137).
• Understanding the entity and its controls provides a basis for designing and implementing responses (audit strategy and audit plan i.e. nature, extent, timing of audit procedures) to the assessed significant risks (ASA 315.3)

Components of internal control (IC) ASA315.14-24, A77-A121, APPENDIX 1
ASA 315.14-24 outline the following specific components of IC:
• Control environment
• Entity’s risk assessment process
• Information system, including related business processes
• Control activities
• Monitoring of controls

Top down approach (Internal control)
[Diagram: Business, Financial Report, Account, Assertion, shown alongside Control environment and Risk assessment processes, Monitoring, Information system, Control activities/procedures]

Control environment - ‘Tone at the top’ ASA315.14 & A77-A87
Auditor considers:
• communication and enforcement of integrity and ethical values
• commitment to competence
• participation by those charged with governance
• management’s philosophy and operating style
• organisational structure
• assignment of authority and responsibility
• human resource policies and practices

The entity’s risk assessment process ASA 215.15-17 & A88-A89
Auditor needs to understand whether entity has processes for:
• Identifying business risks relevant to financial reporting
• Estimating significance of the risks and assessing likelihood of their occurrence
• Deciding about actions to address risks
The entity’s risk assessment process (if appropriate) may assist auditor in identifying risks of material misstatement

Information system including related business processes ASA315.18-19 & A90-A98
Auditor obtains understanding of:
• classes of transactions in operations significant to financial report (FR)
• procedures (IT and manual) by which transactions are initiated, recorded, processed, and reported in the FR
• related accounting records
• how information system captures events/conditions other than transactions
• financial reporting processes used to prepare the FR including significant accounting estimates
• controls over journal entries, non-recurring/unusual transactions, adjustments

Control activities ASA315.20-21 & A93-A109
Policies and procedures that ensure management’s directives are carried out including:
• Authorisation
• Performance reviews
• Information processing
• Physical controls
• Segregation of duties

Control activities and assertions
Control activities can be related to financial report assertions:
• occurrence (e.g. authorisation and approval of transactions)
• completeness (e.g. accounting for sequence of transactions)
• accuracy (e.g. checking dollar amounts back to supporting documentation)
• cut-off (e.g. independent review of transaction recording around balance date)
• classification (e.g. independent checking of account coding).

Monitoring of controls ASA315.22-24 & A110-A121
Auditor obtains understanding of:
• major activities entity uses to monitor internal control over financial reporting, including corrective actions to address deficiencies in controls
• e.g. activities such as management’s review of whether bank reconciliations are prepared on a timely basis

Types of internal controls
PREVENTIVE CONTROLS
• controls used to prevent undesirable events or errors.
DETECTIVE CONTROLS
• controls used to identify/detect events or errors if they have occurred and prompt correction.

Limitations of internal control (IC)
• Internal control, no matter how effective, can provide an entity with only reasonable assurance about achieving the entity’s financial reporting objectives.
• Inherent limitations of controls:
  – Poor human judgement in decision-making
  – Human error
  – Controls can be circumvented through collusion or inappropriate management override
  – Management discretion in designing and implementing controls and nature and extent of risks assumed

Understanding internal control (IC)
Audit procedures in gaining understanding of IC include:
  – Enquiries of management and appropriate client personnel
  – Inspection of documented policies and procedures
  – Observation of activities, operations and procedures
The auditor’s evaluation of IC must be documented e.g. through:
  – Flowcharts
  – Internal control questionnaires and checklists
  – Narratives (e.g. descriptions of IC policies and procedures)

Phases of internal control (IC) evaluation
• Obtain an understanding of IC
  – evaluating design of IC
  – evaluating implementation of IC
• In relation to significant risks evaluate likelihood of material errors not being prevented or detected (i.e. existence of mitigating ICs)
• Determine audit approach based on presence/absence of mitigating controls (ASA 330)
• Communicate weaknesses in design and implementation of ICs to those charged with governance or management (ASA 265)

Internal controls and assertions
Determine the key assertion for the internal controls listed below with regard to sales and/or accounts receivable as appropriate.
A. Recorded sales are for shipments actually made to non-fictitious customers.
   1. The recording of sales is supported by authorised shipping documents and approved customer orders.
B. Sales transactions are properly authorised.
   1. The customer’s credit is approved by a responsible official.
   2. An authorised price list is used.
C. Existing sales transactions are recorded.
   1. A record of shipments is maintained.
   2. The shipping document is controlled from the office in a manner that helps ensure that all shipments are billed.
   3. Shipping documents are prenumbered and accounted for.
   4. Sales invoices are prenumbered and accounted for.
D. Recorded sales are for the amount of goods ordered and are correctly billed and recorded.
   1. There is independent comparison of the quantity on the shipping document to sales.
   2. There is internal checking, pricing, and additions of sales invoices.
E. Sales transactions are properly classified on a timely basis.
   1. There is independent comparison of dates on shipping documents to dates recorded.

Lecture discussion question 2
For the following business risks outline preventive and detective internal controls that would address the risk:
(i) risk that payment is made to suppliers prior to goods being received
(ii) risk of non-collectibility of individual customers’ balances

Lecture discussion question 2
(i) Risk that payment is made prior to goods being received
Preventive control:
Detective control:
(ii) Risk of non-collectibility of individual customers’ balances
Preventive control:
Detective control:

Assessing control risk
• After obtaining an understanding of the five components of internal control, the auditor assesses control risk for the assertions related to account balances, class of transactions or disclosures.
  – Control risk is the risk that a material misstatement could occur in an assertion and not be prevented or detected on a timely basis by the entity’s internal control.
• The auditor must decide whether to assess control risk for a particular assertion as high or as less than high.

Assessment of control risk as high
• The auditor may assess control risk as high because the entity’s internal control policies and procedures in the area:
  – are poor (unlikely to be effective) and do not support less than a high assessment
  – may be effective, but the audit tests would be more time-consuming than performing direct substantive tests
  – do not pertain to the particular assertion.

Assessing control risk at less than high
• The auditor may decide to assess control risk as less than high when it improves audit efficiency.
• If the auditor assesses control risk as less than high, the auditor must obtain sufficient appropriate evidence to support that level.
  – First, the auditor identifies specific control activities that are likely to prevent or detect material misstatements.
  – Next, the auditor performs tests of controls to evaluate the effectiveness of these control activities.
• This process is followed for each account balance or transaction class that is material to the financial report.

Tests of controls

Tests of controls
• Used to obtain evidence needed to support the conclusion that specific controls that are likely to prevent or detect misstatements are effective.
• The evidence should demonstrate both:
  – Design effectiveness of the policies and procedures and their ability to prevent or detect and correct misstatement
  – Operating effectiveness of the policies and procedures i.e. their proper and consistent application.
• Evidence necessary to support a specific level of control risk is a matter of professional judgment.

Tests of controls (Procedures) ASA330.8 & A20-A24
Tests of controls include:
• Enquiries of client personnel
• Observing activities and procedures e.g. observation of counting during a stock take
• Inspection of documents and records
• Re-performance of procedures

Lecture discussion question 3
You are the auditor on the MBI Limited (MBI) engagement. MBI manufactures and sells electronic products to the consumer and corporate market. During the year MBI has embarked on a strategy to expand its market share in the corporate market. The number of corporate customers on the books has increased substantially and management has informed you that they have had issues managing the expansion and there have been instances where recorded sales were not accompanied by shipments of goods.

Lecture discussion question 3
Based on the above information and for the Sales account,
(i) identify the key assertion at risk
(ii) provide a brief explanation of why this represents a risk to the auditor
(iii) for the assertion listed in (i) above, describe a specific practical preventive control that would appropriately address the risk in (ii) above
(iv) For the control identified in (vii) above, describe a specific practical test of control

Lecture discussion question 3
Key assertion:
Explanation of risk:
Preventive control:
Test of control:

Supplementary material
SLIDES IN THIS SECTION PROVIDE GREATER DEPTH TO THIS WEEK’S SEMINAR LECTURE CONTENT. THEY WILL NOT BE COVERED DURING SEMINARS BUT ARE EXAMINABLE.

Examples of basic types of internal control activities/procedures
CONTROL | EXAMPLES
Independent approval, review, checking or recalculation
• Authorisation of purchase or sales invoices
• Recalculation of arithmetic on vouchers
• Subsequent review of individual transactions
Matching of independently generated documents
• Matching of sales invoices and shipping documents
• Matching of purchase invoices and receiving reports
Pre-numbering and sequence checking of key documents
• Pre-numbered shipping documents, sales invoices, cheques, vouchers, etc.
Maintenance of independent control totals
• Recording of cash receipts total before banking
• Use of batch controls
• Use of control accounts
Comparison with independent 3rd party information
• Bank reconciliations
• Reconciling suppliers’ statements
Independent 3rd party confirmation
• Sending statements to customers
• Requests for confirmation of recorded data
Cancellation of documentation
• Immediate endorsement of incoming cheques
• Defacing spoiled or cancelled cheques
Segregation of personnel, operations and assets
• Segregation of duties among transactions initiation, approval and recording
• Function segregation
Timeliness of operation
• Prompt deposit of cash receipts
• Prompt processing of transactions

Example internal control questionnaire (partial) for Sales
Client ____________ Audit Date ____________
Auditor ____________ Date Completed ____________
Reviewed by ____________ Date Completed ____________
Columns: Objective (italic) and question | Answer (Yes / No / N/A) | Remarks

Sales
A. Recorded sales are for shipments actually made to non-fictitious customers
   1. Is the recording of sales supported by authorised shipping documents and approved customer orders?
B. Sales transactions are properly authorised.
   1. Is the customer's credit approved by a responsible official?
   2. Is a prenumbered written shipping order required for any merchandise to leave the premises?
   3. Is an authorised price list used?
C. Existing sales transactions are recorded.
   1. Is a record of shipments maintained?
   2. Is the shipping document controlled from the office in a manner that helps ensure that all shipments are billed?
   3. Are shipping documents prenumbered and accounted for?
   4. Are sales invoices prenumbered and accounted for?
D. Recorded sales are for the amount of goods ordered and are correctly billed and recorded.
   1. Is there independent comparison of the quantity on the shipping document to sales?
   2. Is there internal verification, extensions, pricing, and footing of sales invoices?
   3. Are monthly statements sent to customers?
E. Sales transactions are properly classified.
   1. Is there independent comparison of dates on shipping documents to dates recorded?
F. Sales are recorded on a timely basis.
   1. Is there independent comparison of dates on shipping documents to dates recorded?
G. Sales transactions are properly included in the subsidiary records and correctly summarised.
   1. Are journals independently footed and traced to the general ledger and subsidiary records?
   2. Is there a monthly reconciliation of the accounts receivable subsidiary records to the general ledger?

Remarks:
• Pam Dilley examines underlying documentation
• By Chulick
• Prenumbered but not accounted for additional substantive testing required
• By Pam Dilley, controlled by Chulick
• By Pam Dilley
• All sales are on account and there is only one sales account
• There is a weakness in the system and additional substantive testing required
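
Added example (not part of the original slides): a re-performance test of controls over four of the questionnaire's sales controls (A.1, C.2 to C.4, D.1, F.1), run on constructed data, with exceptions grouped by the assertion each control supports as on the "Control activities and assertions" slide. The record layouts, field names and sample documents are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class ShippingDoc:
    number: int                  # prenumbered shipping document
    shipped: date
    quantity: int

@dataclass(frozen=True)
class SalesInvoice:
    number: int                  # prenumbered sales invoice
    shipping_doc: Optional[int]  # shipping document the sale was billed from
    recorded: date
    quantity: int

# Constructed sample data (hypothetical client, balance date 30 June 2024).
PERIOD_END = date(2024, 6, 30)
SHIPMENTS = [
    ShippingDoc(1001, date(2024, 6, 27), 10),
    ShippingDoc(1002, date(2024, 6, 28), 5),
    ShippingDoc(1004, date(2024, 6, 29), 8),    # 1003 is unaccounted for
    ShippingDoc(1005, date(2024, 7, 1), 12),
]
INVOICES = [
    SalesInvoice(501, 1001, date(2024, 6, 27), 10),
    SalesInvoice(502, 1002, date(2024, 6, 28), 7),   # quantity differs
    SalesInvoice(503, None, date(2024, 6, 29), 20),  # no shipment behind it
    SalesInvoice(505, 1005, date(2024, 6, 30), 12),  # shipped after balance date
]

def missing_numbers(numbers):
    """C.3 / C.4: gaps in a prenumbered document series."""
    present = set(numbers)
    if not present:
        return []
    return sorted(set(range(min(present), max(present) + 1)) - present)

def reperform_sales_controls(shipments, invoices, period_end):
    """Re-perform the matching controls; return exceptions by assertion."""
    by_number = {s.number: s for s in shipments}
    exceptions = {"occurrence": [], "completeness": [],
                  "accuracy": [], "cut-off": []}
    for inv in invoices:
        ship = by_number.get(inv.shipping_doc)
        if ship is None:
            # A.1: recorded sale not supported by a shipping document
            exceptions["occurrence"].append(inv.number)
            continue
        if inv.quantity != ship.quantity:
            # D.1: billed quantity disagrees with quantity shipped
            exceptions["accuracy"].append(inv.number)
        if (ship.shipped <= period_end) != (inv.recorded <= period_end):
            # F.1: shipped and recorded on opposite sides of balance date
            exceptions["cut-off"].append(inv.number)
    # C.2: shipping documents that were never billed
    billed = {i.shipping_doc for i in invoices}
    exceptions["completeness"] = sorted(set(by_number) - billed)
    return exceptions

if __name__ == "__main__":
    print("shipping doc gaps:", missing_numbers(s.number for s in SHIPMENTS))
    print("invoice gaps:", missing_numbers(i.number for i in INVOICES))
    print(reperform_sales_controls(SHIPMENTS, INVOICES, PERIOD_END))
```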