Chapter 11 Assessing internal control risk
ACCT 4131
Meiling Zhao, Assistant Professor of Accounting, The Chinese University of Hong Kong

COURSE OUTLINE
● Part 1: the auditing profession (Introduction: Ch. 1-4)
● Part 2: basic concepts and framework of audit (Planning stage: Ch. 5-12)
  ● Chapter 5: Auditors’ objectives
  ● Chapter 6: How to satisfy these objectives by collecting different types of audit evidence
  ● Chapter 7 – 11: risk assessment and internal control
    ● Chapter 7-8: Audit Planning, Materiality, and audit risk model
    ● Chapter 9-11: fraud risk, internal controls, control risk
  ● Chapter 12: Design overall audit strategy
● Part 3: audit of specific account/cycle (Testing stage: Ch. 13-22)
● Part 4: completion of audit and audit report (Completion stage: Ch. 23-24)

CHAPTER OUTLINE
● LO1: Identify the four steps in understanding and testing internal control.
● LO2: Understand requirements for auditor reporting on internal control.
● LO3: Understand the impact of IT environment on control risk assessment and testing.
● LO4: Understand the use of financial statement cycles in an audit and identify benefits of a cycle approach.

LO1 Identify the four steps in understanding and testing internal control

Four steps for Understanding Internal Control and Assessing Control Risk (Auditors)
● Step 1: Obtain and document understanding of internal control
● Step 2: Assess control risk
● Step 3: Design, perform, and evaluate tests of controls
● Step 4: Decide planned detection risk and substantive tests

Step 1 Obtain and Document Understanding of Internal Control
● Required for every audit by auditing standards
● Purpose: assess whether the internal control has the potential to prevent, detect and correct material misstatements
● To assess control risk: by gathering evidence about the design of internal controls and whether they have been implemented
  ● Design: To understand the five components of IC system in Ch. 10 – COSO
  ● Implementation: the controls exist and the entity is using them

Step 1 Obtain and Document Understanding of Internal Control
● How (Design): Types of documentation
  ● Prepared by managers
  ● Narrative
  ● Flowchart
  ● Internal control questionnaire
● How (Implementation): four types of audit evidence related to the understanding of internal control
  ● Inspection
    ● Records, documents, files related to/created during the five components of IC framework
  ● Inquiry of entity personnel (explain their duties)
    ● Do they understand their duties and do what is described in the control design (documentation)?
  ● Observation of employees performing control processes
  ● Reperformance of specific controls
● “System walkthrough”: Tracing one or a few transactions through the accounting system from start to finish.
  ● Combining the above four types of evidence

Step 2 Assess Control Risk (Preliminary assessment of control risk)
● Steps:
  1. Identify audit objectives (Chapter 5)
  2. Identify existing controls (from Step 1)
  3. Link the identified controls with the related audit objectives
     ● Evaluate whether audit objective is supported by adequate internal control
  4. Identify and evaluate deficiencies and material weaknesses
● Types/severity of control deficiency (from less to more severe):
  ● Control deficiency
  ● Significant control deficiency
  ● Material weakness (higher likelihood & significance of misstatement)
● The risk assessment here focuses on the design/existence of the internal control

Level of absence of Internal Controls
● Control deficiency: design or operation of controls does not permit management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis.
● Significant control deficiency: a deficiency or a combination of deficiencies in internal control over financial reporting that is less severe than a material weakness (defined next) yet important enough to merit attention by those charged with governance.
● Material weakness (higher likelihood & significance of misstatement): a deficiency or combination of deficiencies in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement will not be prevented or detected and corrected on a timely basis.

Step 3 Tests of Controls (TOC)
● Tests of controls (step 3) is not required
● High IC risk – no TOC
  ● If the auditor decides internal control risks are at the maximum level (poor IC design), no TOC since internal controls cannot be relied on to reduce substantive tests (directly collect more evidence via more substantive tests)
● Low IC risk – TOC
  ● If the auditor assesses the internal control risk to be below the maximum, tests of control must be conducted to support this reduced level of assessed control risk

Test of Control (TOC) and the auditor’s reaction (level of evidence to be collected):
● Results are satisfactory (the internal controls are effective in preventing, or detecting and correcting misstatements): Continue to use the reduced level of assessed control risk to determine PDR and planned audit evidence (less evidence)
● Results are not satisfactory: Adjust the control risk upward, leading to a lower PDR and more planned audit evidence (more evidence)
● TOC not performed: Use the highest level of control risk to determine PDR, leading to a lower PDR and more planned audit evidence (more evidence)

[Figure: Internal Control Risk Assessment, a flowchart starting from the initial understanding or assessment of CR (control risk) and branching on high or low CR]

Step 3 Tests of Controls (TOC)
● In practice, when are understanding IC and testing IC (TOC) often conducted?
  ● Simultaneously during the interim audit;
  ● Also combined with the procedure of understanding the client’s business and industry (Step 2 in initial planning of an audit, Chapter 7)
● Commonly used audit procedures in testing the operating effectiveness of internal controls:
  ● Make inquiries of client personnel
    ● E.g., inquire the person who controls online-access security password assignment (authorization)
  ● Examine documents, records, and reports
    ● E.g., check signatures of document (authorization)
  ● Observe control-related activities
    ● E.g., separation of duties
  ● Re-perform client procedures
    ● E.g., trace the sales prices to authorized price list at the date of transaction

Step 4 Decide Planned Detection Risk and Design Substantive Tests
● The auditor uses the results from step 2 and step 3 to determine the PDR, and the planned audit evidence (evidence to be collected through substantive tests).
● PDR = AAR / (IR × CR); PDR in turn sets the planned audit evidence

LO2 Understand requirements for auditor reporting on internal control

Reporting of internal control (from most severe to least severe)
● Material weakness: Adverse opinion on ICOFR (stock exchange)
● Significant deficiency: Brought to written attention of audit committee/those charged with governance (required)
● Deficiency: Communicate to management (not required)

LO3 Understand the impact of IT environment on control risk assessment and testing

Responsibility of understanding and assessing risks related to IT
● Regardless of the impact of IT on financial statements (weak or strong), auditors are responsible for obtaining an understanding of the related controls
● When the impact of IT on financial statements is significant (that is, when traditional documents and records are generally only available in electronic forms), the auditor must “audit through the computer” using different approaches
  ● Approach 1: Test data approach
  ● Approach 2: Parallel simulation
  ● Approach 3: Embedded audit module approach

Approach 1: Test data approach
● Test data approach: auditors process their own test data using the client’s computer system and application program to determine whether the automated controls correctly process the test data
● This is re-performance (type of audit evidence)

Approach 2: Parallel simulation
● Auditors use auditor-controlled software to do the same operations that the client’s software does, using the client’s data files. Auditors then compare the output from their software to that from the client’s system.
● Simplest example: use Excel spreadsheet
● Often used in recalculation
● There are many commercial generalized audit software (GAS) packages designed specifically for parallel simulation. Spreadsheet software can also be used.
● Audit analytics (Course project)
  ● https://www.softwareadvice.com/audit/
  ● https://idea.caseware.com/products/idea

Approach 3: Embedded audit module approach
● Auditors insert an audit module (code) into the client’s application system to identify specific types of transactions.
● The intention is to give auditors real-time notifications of transactions that might be in error, or which possess characteristics that are worthy of further review.
● For example, auditors might use an embedded module to identify all purchases exceeding $25,000 for follow-up with more detailed examination.
● Often used to identify unusual transactions

LO4 Understand the use of financial statement cycles in an audit and identify benefits of a cycle approach

Cycle approach
▪ Cycle approach
  ▪ Group closely related types of transactions and account balances into the same segment, and audit by segment.
  ▪ E.g., accounts receivable and sales are grouped into the same cycle.
  ▪ Sales amount and AR balance should have some inherent and stable connections. Thus, misstatements of one account often imply misstatement of the other account.
▪ A common/efficient way of organizing an audit: by financial statement cycles
▪ This is also a natural choice given the nature of internal control.
  ● For example, a company’s internal control of purchase transactions may cover purchase of inventory, office supplies, small tools, equipment, prepayment, etc.
  ● Therefore, auditors often group all types of purchases into one cycle to facilitate their understanding and testing of the internal control, even though these transactions are recorded in different accounts.

Financial Statements Cycles
Cycle: Accounts affected (incomplete)
● Sales and collection
  ● P&L: sales, sales returns and allowance, bad debts expense
  ● B/S: receivables, cash, allowance for uncollectible accounts
● Acquisition and payments
  ● P&L: SG&A, income tax, gain/loss
  ● B/S: cash, payables, inventories, prepayments, PPE, accumulated depr.
● Payroll and personnel: accrued payroll, salaries expense, payroll tax, cash
● Inventory and warehousing: inventory, cost of goods sold
● Capital acquisition and repayment: capital stock related accounts, dividends, dividends payable, notes payable, long-term notes payable, cash, R.E., interest exp

Chapter 11 Summary
● 4 steps in understanding and testing internal control.
● Requirements for auditor reporting on internal control.
● IT environment on control risk assessment and testing.
● Cycle approach.
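
Approach 2 (parallel simulation) applied to the Step 3 re-performance example of tracing sales prices to the authorized price list at the date of transaction, as an added example that is not part of the original slides: auditor-controlled code recomputes each invoice amount from the client's data file and lists where it differs from the client system's output. The price list, invoice records, field layout and function names are constructed for illustration.

```python
from bisect import bisect_right
from datetime import date
from decimal import Decimal

# Constructed sample data (not from the slides): an authorized price list with
# effective dates, and the client's invoice file with client-computed amounts.
PRICE_LIST = {
    "A100": [(date(2024, 1, 1), Decimal("12.50")), (date(2024, 7, 1), Decimal("13.00"))],
    "B200": [(date(2024, 1, 1), Decimal("80.00"))],
}
CLIENT_INVOICES = [
    # (invoice no, transaction date, SKU, quantity, amount per client system)
    ("INV-001", date(2024, 3, 5), "A100", 10, Decimal("125.00")),
    ("INV-002", date(2024, 7, 2), "A100", 10, Decimal("125.00")),  # superseded price
    ("INV-003", date(2024, 8, 9), "B200", 3, Decimal("240.00")),
    ("INV-004", date(2024, 8, 9), "C300", 1, Decimal("99.00")),    # not on price list
]


def authorized_price(sku, on_date):
    """Price in force on the transaction date, or None if none was authorized."""
    history = PRICE_LIST.get(sku, [])  # entries sorted by effective date
    idx = bisect_right([effective for effective, _ in history], on_date)
    return history[idx - 1][1] if idx else None


def parallel_simulation(invoices, tolerance=Decimal("0.00")):
    """Recompute every amount independently and return the exceptions."""
    exceptions = []
    for inv_no, inv_date, sku, qty, client_amount in invoices:
        price = authorized_price(sku, inv_date)
        if price is None:
            # No authorized price existed on that date: an authorization exception.
            exceptions.append((inv_no, "no authorized price", None, client_amount))
            continue
        expected = price * qty
        if abs(expected - client_amount) > tolerance:
            exceptions.append((inv_no, "amount differs", expected, client_amount))
    return exceptions


if __name__ == "__main__":
    for row in parallel_simulation(CLIENT_INVOICES):
        print(row)
```

Each exception is a lead for follow-up rather than a conclusion: a difference may come from an approved override that the price list file does not capture.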