CHAPTER 4 INTERNAL CONTROL: BASIC CONCEPT Internal Control – process designed by those charged with governance, management provide reasonable assurance about objective, reliability of financial reporting, effectiveness and efficiency of operation, and compliance with law. Internal control address business risk IC is a process – conducted within function, planning, executing, monitoring, Tool used by management NOT substitute to management IC involve people – effected by BoD, management, and other personnel of entity IC provides REASONABLE ASSURANCE not absolute assurance because of inherent limitation of IC The following are affected by inherent limitations: fraud or error; carelessness, distraction, mistake of judgement; collusion with outside party; abuse responsibility; inadequate procedure due to changes; human errors etc. IC geared toward achievement of objective Operational – effective and efficient use of resources, safeguard resources Financial – preparation of reliable FS including prevention of fraudulent act Compliance – comply with laws and regulation, depend on external factor Internal Control System – consist all policies and procedure adopted by management to achieve objective, adhere to policies, safeguard asset, prevent and detect fraud, accurate and complete accounting record, timely preparation of FS COMPONENT OF INTERNAL CONTROL Control of Environment sets tone of organization, influence control of consciousness to people, foundation for all component of IC provide discipline and structure, include governance and management function, attitude, awareness, action. Primary responsible for prevention and detection of fraud and error test Elements: 1. Communication and enforcement of integrity and ethical values 2. Commitment to competence 3. Participation by those charged with governance 4. Management philosophy and operating style 5. Organizational structure 6. Assign of authority and responsibility 7. Human resource policies and practices The entity risk assessment process focus primarily on developing consistency of objective and goals throughout the organization, identify key success factor, timely reporting of management, process of identifying and responding to business risk and result thereof. Refer to CLIENT PROCESS FOR ASSESSING RISK Risk identification – entity performance can be at risk due to internal (disruption of info; quality of personnel hired; change in management responsibilities; nature of entity activities; unassertive board) and external (technological development; changing customer need; new legislation; natural catastrophes; economic) factor, RI must be COMPREHENSIVE, consider all significant interaction between entity and relevant external parties Risk analysis – estimate significance of risk; assessing likelihood or risk occurring; consider how risk should manage. Involves judgement based on assumption about risk. NOT THEORETICAL exercise, often critical to entity success Information system and communication information system consist of infrastructure, software, people, procedure and data. INFRA and SOFTWARE absent or have LESS SIGNIFICANCE. Methods: record all valid transaction; describe timely basis transaction, measure value of transaction; determine time period which transaction occurred; present properly Information – need at all level of organization to run business, used for operating decision, monitoring performance and allocating resources, essential for developing FS, operate in monitoring mode, capturing specific data, formal or informal Information quality – affect management ability to make decision in managing and controlling activities. Includes: appropriate content, timely-currentaccurate-accessible information Communication – understanding of individual roles and responsibilities pertain to IC over financial reporting, policy manual, accounting and financial reporting etc. Means of communication – policy manual, memoranda, bulletin board, notice Control Activities policies and procedure help ensure management directives carried out,help ensure action taken to address risk. CA occur throughout organization @ all level and functions. TYPES: performance review – analyze actual performance vs. budget, forecast; information processing – check accuracy and completeness and authorization of transaction; physical control – adequate safeguard over asset; segregation of duties – assign different people in recording transactions policies and procedure – a policy establishing what should be done and serving as basis for procedure to effect the policy evaluation and control activities – evaluated directives to address risk for each significant activity Monitoring Activities assess the quality of IC performance over time, assess design and operation of control on timely basis and take action. Ensure to continue operate effectively. WAYS: ongoing activities or separate evaluation. The > degree and effectiveness on ongoing monitoring the < need for separate evaluation AUDITOR CONSIDERATION OF CLIENT INTERNAL CONTROL unreliable – NO test of control, direct to substantive testing that more extensive reliable – test of control, if effective < high but below maximum, rely on control, substantive test < extensivei Is control reliable NO - @ maximum control risk; internal control not relied upon YES - @ below maximum control risk; TOC/compliance test undertake Is control effective NO - @ maximum control risk; internal control not relied upon YES - @ below maximum control risk internal control relied upon UNDERSTANDING CLIENTS INTERNAL CONTROL SYSTEM Design - seeks to understand the IC systems Operation - determine when there are reliable control Obtaining an understanding of IC structure: Performing a preliminary review - past experience and client industry is used to identify type of misstatement; factors affect MM; design substantive test Identifying transaction cycle - flow of major transaction of beg to end used to evaluate impact of IC and determine nature, timing and extent of substantive test Documenting the system - narrative report, ensure that complying requirements, document IC structure: Narrative memoranda – written description of particular procedure in transaction cycle, describe and explain system flowchart – graphic illustration of physical flow of information IC questionnaire – list of question determine desirable control Performing transaction walk through - verify document IC structure and familiarize auditor with audit trail, may started also @ termination. Rule: should done every year; performed after flowchart have been prepared; auditor prepare flowchart should done walk through Identifying control potentially reliable - evaluate whether client control procedure can be relied. If control not suitable - not perform test of control or discontinue IC structure hence if control assessed @ max level - design substantive test that not rely on IC structure; If control suitable - continue IC structure by assess control risk ASSESSING CONTROL RISK POSSIBLE RISK ASSESSMENT: MAXIMUM(HIGH) AND BELOW THE MAXIMUM(<HIGH) Reliance approach –CRA is < high or below maximum level – test of control and substantive test No Reliance approach – CRA is high or maximum – substantive test only For each IC component, assessed risk are: Control environment; risk assessment process; information system and communication; control activities; monitoring of control Response to Assessed Risk: emphasize to team to maintain professional skepticism; assign staff w/ special skills; provide supervision in selection of audit procedure; make changes to nature, timing, extent of procedure Response @ Assertion Level Prelim control risk assessment HIGH - adopt approach relies on SUBSTANTIVE TEST Prelim control risk assessment <HIGH - test of control test to effectiveness of design or control of IC structure nature of test of control - evidence gathering techniques: inquiry of client personnel; observation to PP; inspection; recalculation control deviation - difference b/w expected and actual incurred (exception, deviation, occurrence, rather than error) timing of test of control - depend on objective and period of reliance of control extent of test of control - more auditor relies on operating effectiveness of control is assessing control risk THE GREATER extent of test of control Reassessment of Control Risk Assessed level of control risk DECREASE auditor modify NET of substantive test. Lower assessed level of control risk MORE assurance from TOC N-nature (change to less using direct to internal rather external) E-extent (decrease select smaller sample size T-timing (number of test @ interim date rather yr end) Assessed level of control risk INCREASE auditor require more effective test @ yr end using larger sample size INVERSE RELATIONSHIP - Assessment control risk and extent of substantive testing under consideration RELIABILITY source and nature of information control over preparation and maintenance free from error and bias QUALITY OF AUDIT EVIDENCE External –obtain from independent source Auditor –obtain directly by auditor Entity – obtained from entity record that operates effective Written – from of document (written or electronic) Originals – original document FINANCIAL STATEMENT ASSERTIONS FS assertion representation by management used by auditor to determine different types of misstatements (PSA 315) Classes of transaction Communication of Audit Matters reportable condition [significant (deficiencies - material weakness) in design/operation of IC structure] by issuing before or after completion of audit a management letter Occurrence – transaction and event recorded that occurred Completeness – all transaction should recorded Accuracy – amount recorded appropriately Cut-off – transaction and event in correct period Classification – recorded in proper amount CHAPTER 5 Account balances AUDIT EVIDENCE Existence – asset, liabilities, equity Rights and obligation – hold or control the right of ALE Completeness – all ALE must be recorded Valuation and allocation – ALE included at appropriate amount PSA 500 design to perform audit procedure purpose of sufficient appropriate evidence Audit evidence enable auditor to form an opinion, PSA 500 required auditor to obtain sufficient and appropriate evidence as basis of opinion Presentation and disclosure Reliance approach – choose render test of control first to prove effectiveness before rendering substantive test No Reliance approach – render directly extensive substantive testing Occurrence and right and obligation – disclose event that occurred Completeness – all disclosure included in FS Classification and understandability – appropriately presented, clear Accuracy and valuation – fairly and appropriate amount Audit evidence used by auditor in arriving at the conclusion, audit evidence includes information about record of FS PROCEDURE AS TO PURPOSE APPROPRIATENESS measure of the quality SUFFICIENCY measure of the quantity, affected by level of risk, high quantity poor quality evidence will NOT cancel out poor quality RELEVANCE logical connection with purpose of audit procedure and assertion Risk assessment procedure – obtain understanding of entity environment including internal control Test of control – test operating effectiveness prevent, detect, correct material misstatement @ assertion level Substantive test – detect material misstatement @ assertion level PROCUDURE AS TO NATURE Inspection on tangible asset – confirm existence but NOT confirm right and obligation or valuation Inspection of document – examination of document internal or external, provides evidence of existence but NOT ownership or value Vouching – examination of supporting document from accounting record (EXISTENCE AND OCCURRENCE) Tracing – start with source document to accounting record (COMPLETENESS) Observation – watching procedure, confirm procedure took Inquiry – seeking information from client staff Confirmation – obtain representation directly from 3rd party Recalculation – checking mathematical accuracy Reperformance – independent execution of procedure Analytical procedure – evaluate and compare FS or non-FS RAP – OOPA; TOC – IIORR; ST – IIOCRA TEST OF CONTROL PROCEDURE *basis of test of control is risk assessment procedure Revenue/Receipt Cycle (Sales Cycle) based on: Selling; Delivery; Accounting; Collection Revenue Cycle Occurrence and Existence Objective: 1 person not responsible for taking order; recorded sales represent goods shipped; goods only supplied to customer w/ good credit; G/S provided @ authorized price TOC: observe segregation of duties; test sample sales, examine authorization, review numerical sequence and monthly statement queries; review credit procedure, examine sample sale order and control for credit term, review customer files; compare prices and examine authorized price and terms Completeness Objective: all revenue related must recorded; all G/S correctly invoice TOC: review numerical sequence; trace sample of document, review reconciliation, inspect open order file Accuracy Objective: all sales correctly journalized TOC: vouch recorded sales to support documents Cut-off Objective: transaction recorded in correct period TOC: compare dates in invoices Classification Objective: all account properly classified TOC: review sales ledger, examine sample invoice, test application code Cash Collection Cycle Occurrence Objective: all valid cash received TOC: observe segregation of duties, examine cash receipt transfer, review monthly bank reconciliation, observe cash sales, inquire result of inspection, observe mail opening, observe prep of cash receipt, review documentation of independent check Completeness Objective: all receipt recorded TOC: observe segregation of duties, examine cash receipt transfer, review monthly bank reconciliation, inquire mgnt statement; examine sample of customer Accuracy, Classification and Valuation Objective: receipt recorded in correct amount; posted to correct account TOC: review reconciliation; review entity procedure, review entries Cut-off Objective: transaction recorded in correct period TOC: review and test reconciliation Presentation and Disclosure Objective: receipt charge to correct amount TOC: review receipt for unusual item, trace cash receipt Purchase/Disbursement Cycle Purchase Cycle Occurrence and Existence Objective: recorded purchases represent goods receive TOC: inspect policies & procedure, observe segregation of duties, examine sample purchase order, review list of purchases, examine report math to PO, observe receipt of goods, inspect sample check,examine documentation Completeness Objective: all purchases recorded TOC: examine invoices, review procedure for documents, examine documentation SUBSTANTIVE TESTING 1. Test of Details of transaction, balances and disclosure details of individual account, evidence pertain to both EXISTENCE and VALUATION timing of test of details - perform BEFORE year end, efficient on related account as of common date, EARLY ST interim testing - should link balance tested early to year end balances Typical types of ST procedure: Completeness, right and obligation, valuation and allocation, existence, occurrence, accuracy, classification and understandability, cut-off ST of detail: Directional Testing - designed to discover both error and omission, particular when testing assertion (existence, completeness, right and obligation, valuation), derives from double entry bookkeeping testing designed to discover errors - start WITH accounting record which recorded, test overstatement/understatement causes omission, ensure prices are correct test designed to discover omission - start OUTSIDE accounting record then match to record ST of detail: Confirmation - PSA 505 designed to gather evidence about (existence, completeness, right and obligation) reduced risk of material misstatement, external confirmation direct from third parties and provides reliable and relevant audit evidence. Confirmation may used by: bank balance; AR balance; stock held by 3rd parties; property title deeds; investment purchased; loans from lender; AP balances Type of confirmation: POSITIVE - ask respondent to reply by giving info NEGATIVE - ask reply only on event of disagreement ST of detail: Physical Inventory Count (PIC) - PSA 501 obtain evidence of existence and condition: evaluate mgnt instruction for recording PIC; observe count procedure; inspect inventory; test counts Inventory count: PIC @ year end - best method PIC before/after year end - length of time, quality of record Perpetual count - ensure inventory counted, satisfactory procedure, correct material differences PLANNING ATTENDANCE @ INVENTORY COUNT Audit plan: planning IC - gain knowledge (review previous yr arrangement, discuss count changes); assess key factor (nature of inventories, risk, identification, method, location of inventory, difficulty in IC & AS); plan procedure (sufficient attention, confirmation, need expert help) Audit plan: review of IC instruction: organization count (supervision, marking inventory, restriction and control of movement, identify damage); counting (ensure counted); recording (serial numbering, inventory sheet signed, count record, count quantity and WIP, delivery receipt, reconciliation, investigation, correction) ATTENDANCE @ INVENTORY COUNT Audit plan: attendance IC: observe staff ff instruction, perform test count, ensure procedure to identify damage, confirm inventory. Confirm necessary amendment, gain an overall impression working paper include: detail of observation, manner point relevant, instance not satisfy, detail of sequence, auditor conclusion. AFTER THE INVENTORY COUNT Audit plan: following the IC: trace items, observe count include in final sheet, inspect final inventory, ensure perpetual record adjusted, confirm cut off, review replies from 3rd parties, confirm client final valuation, follow up queries INVENTORIES HELD BY 3rd PARTIES direct confirmation from 3rd party, inspection of audit procedure ST of detail: Audit Accounting Estimates - PSA 540 means of measurement examples: allowance to reduce inventory, accrued revenue, deferred tax, provision to loss lawsuit, loss on construction contract, provision to warranty Nature of accounting estimates - part of routine information system relevant to reporting operating on continuing basis or non only on year end. Audit procedure in auditing accounting estimates: test the process used by mgnt to develop estimates, develop independent expectation, review subsequent events. 2. Analytical Procedure - used at all state of audit, tool, PSA 520 comparison, suitability, reliability, expectation. It involves consideration of comparison, between element of financial information expected to conform to predicted pattern ,relationship of payroll cost to number of employees PSA 520 using ST: determine suitability, evaluate reliability, develop expectation, determine amount of differences Suitability of analytical procedure: Substantive testing applicable for large volume of transaction Evaluation of whether the expectation is sufficiently precise: accuracy of result can be predicted, degree to which info can be dis segregated, availability of info Acceptable differences: amount of difference of recorded amount from expected values is acceptable depend on materiality and consistency (ASSESSED RISK - INC, AMOUNT OF DIFFERENCE THAT ACCEPTABLE - DEC) Reliability of data: source of information, comparability of info available, nature and relevance of info available, controls Practical Techniques: Ratio - comparable (benchmark) trend - sophisticated technique reasonable - calculate expected value Documentation requirement: outline of program, summary of figures & relationship for period, summary of comparison, detail of all significant fluctuation, audit conclusion reached, information considered Investigation the result of analytical procedure: inquiries of mgnt and obtain relevant responses, perform audit procedure if necessary AUDIT DOCUMENTATION/AUDIT WORKING PAPERS PSA 230 required auditor to prepare documentation on timely basis, working paper term used Function of documentation 1. sufficient and appropriate record on basis of auditor report 2. evidence that audit performed in accordance w/ PSAs and legal requirement ** Working paper - organizing, cataloging, cross referencing evidence, aid the auditor in providing assurance. audit documentation called audit file or audit working papers or audit client file Forms and content of documentation nature, timing, extent of audit procedure comply w. PSA, result of audit procedure/evidence, significant matters arise during audit and conclusion Types of working paper 1. Permanent paper - contain historical or continuing nature pertinent to current audit, It includes: AIO, bylaws, contract; analyses from previous, long term debt, goodwill, fixed asset; info related to understanding, chart, IC info 2. Current file - evidence gathered, description of auditing procedure performed, conclusion relevant to audit Working (top) trial balance - list of all FS before adjustment Proposed adjusting & reclassifying entries - FS must be corrected when discovered MM but must approve by client lead schedule - notes to FS supporting schedule - largest portion support specific amount on FS Working paper element - heading, dates and initial of staff, indexing number, tick marks and legend *auditor should record the identifying characteristic of specific items Significant matters - matter give rise to risk, result of audit procedure, circumstances causes auditor difficulty, findings result in modification of audit report Documentation of inconsistencies - how auditor addressed the contradiction in forming final conclusion Recommended for you Document continues below Action PLAN 2 Management Accounting 100% (9) Cvp - Lecture notes 6 57 Management Accounting 100% (3) Law on Corporations - Module 1 - Lesson 1 6 Management Accounting 100% (1) Local media 4544627574840358309 2 Management Accounting 100% (1) AUDIT SAMPLING PSA 530 - when designing audit procedure determine appropriate means for selecting items for testing: selecting all items (100%), selecting specific items, audit sampling. Selecting all items (100% examination) is unlikely in case of TOC but common in test of details Selecting specified items based on factors as auditor understand entity, the risk of MM and characteristic of population it includes: high value or key items, all items over a certain amount, items to obtain information, items to test control activities. Audit Sampling involves application of audit procedure to less than 100% of items w/in class of transaction have chance of selection. Error - control deviations, when performing TOC, MM, TOD Total Error - use to mean either rate of deviation or total misstatement Anomalous Error - arise from isolated event that not recurred Sampling Unit - individual items constituting a population AUDIT PROCEDURE AND INVOLVEMENT OF AUDIT SAMPLING Risk assessment procedures - PSA 315 do not involve use of audit sampling but often plan and perform TOC Test of Control - PSA 330 performs when auditor risk assessment include expectation of operating effectiveness of control. Audit sampling for TOC is appropriate when application of control leaves audit evidence of performance Substantive Procedure - concerned w/ amount: TOD (class of transaction, account balance, disclosure); Substantive analytical procedure. Purpose is obtain evidence to detect MM @ assertion level. Audit sampling relate ONLY to TOD TYPES OF AUDIT SAMPLING PLANS TOC - obtain evidence about entity complying w/ control procedure. Attribute is auditor characteristic of interest attribute sampling plan - used to test entity rate of occurrence of prescribed control procedure, rate of compliance deviation and aid auditor in evaluating control effectiveness. ST - obtain evidence about monetary error exist w/in class of transaction, Variable auditor characteristic of interest variable sampling plan - used to test recorded balance fairly stated AUDIT SAMPLING AND ITS IMPLICATION TO AUDIT RISK Audit Risk - auditor may unknowingly fail to modify opinion on MM FS Risk of MM - material error will occur in process by which FS developed Inherent Risk - susceptibility of an account balance to error when combined w/ error in other account could be material and that not monitored by related control procedure Control Risk - risk that error could occur, could be material when combined w/ error in other account but will not detected/prevented by entity IC structure Detection Risk - material error that occur will not be detected by auditor Sampling Risk - uncertainties related to sampling, arise from possibility that auditor conclusion may different from sampling reach TOC: r isk of assessing control risk too high (under reliance) - risk that a sample deviation rate support assessing control risk @ maximum risk of assessing control risk is too low (over reliance) Non-Sampling risk - uncertainties arising from factors unrelated to sampling, include all aspect of audit risk not due to sampling. Risk a sample does support assessing control risk below the maximum ST: risk of incorrect rejection - risk that sample support conclusion that recorded account balance risk of incorrect acceptance
