chapter 9 - McGraw-Hill Education Canada

WHAT YOU REALLY NEED TO KNOW
CHAPTER 9: CONTROL ASSESSMENT AND TESTING
Internal controls are put in place to keep the company on course toward achieving its goals, and to
help anticipate changes that can affect their plans. Management balances the cost of controls with
the benefit of risk reduction. At some point, the costs will exceed the benefits because it is not
possible to reduce risks to zero.
External auditors are not responsible for designing effective internal control for auditees. They are
responsible for evaluating existing internal controls and assessing the risk of a material misstatement
related to them. They use their assessment to determine the audit work required and develop
appropriate audit programs to support their opinion. Public accountants may help design internal
control systems as consulting engagements for nonaudit clients. Such design work must be separate
and apart from an audit engagement because it could impair the public accountant’s objectivity in
assessing those controls in an audit. This is a threat to auditor independence.
External auditors’ documentation of control weaknesses can help management carry out its
responsibility for maintaining effective internal control.
The primary reason for evaluating a company’s internal control is to have a basis for planning the
nature, timing, and extent of audit procedures in the detailed audit plan. Auditors must make a
trade-off between costs of evaluating internal control and costs of substantive audit tests. An
efficient audit program looks for the combination of control evaluation and substantive work that
provides an acceptable level of assurance at the lowest total cost.
In a clean audit, the accounting records are easy to verify and accurate. In a dirty audit, however, the
accounting records may be incomplete, riddled with misstatements, and harder to verify. A clean
audit should require less work than a dirty audit, as the controls are likely to be good at meeting their
objective of lowering the risk of material misstatement. Clean audits can proceed efficiently as less
substantive audit work is required.
Auditors rely on controls for more than just efficiencies. There may be risks of misstatements that
substantive procedures alone cannot remove. For example, a completeness assertion is virtually
impossible to verify without some evaluation of control effectiveness.
Examining the business processes and related accounting processes allows the auditor to design audit
procedures to test controls and financial statement transactions and balances. Tests of controls are
performed if it is a less costly way to obtain audit evidence or if effective control is necessary to
getting sufficient appropriate audit evidence. Auditors might try to design dual-purpose tests—tests
of controls that also provide substantive evidence.
Smieliauskas/Bewley, 5e
What You Really Need to Know
© The McGraw-Hill Companies, Inc., 2010
The objective of control procedures is to process transactions correctly. Correctly processed
transactions produce accurate account balances. Each control objective is the flip side of one of the seven
errors and irregularities that can be found in transactions.
Validity is ensuring that recorded transactions are ones that should be recorded, that is, they really
exist. Completeness is ensuring that valid transactions are not missing from the accounting records.
Authorization is ensuring that transactions are approved before they are recorded, that is, they are
“owned” by the company. Accuracy is ensuring that dollar amounts are calculated correctly.
Classification is ensuring that transactions are recorded in the right accounts and charged or credited
to the right customers or suppliers. Accounting is a general category concerned with ensuring that
the accounting process for a transaction is performed completely and in conformity with GAAP.
Proper period refers to ensuring that transactions are accounted for in the period they occurred in.
This control objective relates to cutoff—part of the existence and completeness assertions.
The control objectives are closely connected to the assertions in management’s financial statements.
For example, the accuracy control objective relates to the existence, completeness and valuation
assertions as mechanical errors will result in overstated, understated, or incorrectly measured
balances. However, recognizing that the control objective is to assess accuracy is more helpful in
designing appropriate tests, such as tests for errors of billing at too low or high a price.
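Table: Control objectives and the financial statement assertions they relate to.
Financial statement assertions (columns): Existence/Occurrence; Completeness; Valuation; Rights and Obligations; Presentation and disclosure.
Control objectives (rows), with the number of assertions marked X for each: Validity (2); Completeness (2); Authorization (3); Accuracy (1); Classification (1); Accounting (1); Proper period (2).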
In evaluating controls, if there are significant risks and certain controls are essential to preventing or
detecting these risks, those would be key controls. Key controls must be tested to ensure they worked
effectively through the year being reported on.
Work to document and understand the controls is done early in the engagement. This work acquaints
auditors with the overall control environment and the flow of transactions through the accounting
system. Controls can be classified as either General controls or Application controls. General
controls are those that have an overall impact on accounting processes. Application controls address
the control objectives relating to input, processing, and output of data in each accounting process. All
detail control procedures are directed toward preventing or detecting and correcting errors,
irregularities, frauds, and misstatements.
General controls include organizational features like capable personnel, segregation of duties,
controlled access, and periodic comparison. Like environmental controls,
general controls are primarily preventive in nature and pervasively impact various accounting cycles.
Segregation of duties is an important characteristic of reliable internal control. There are four kinds
of functional responsibilities: Authorization to execute transactions; Recording of transactions;
Custody of assets involved in the transactions; Periodic reconciliation of existing assets to recorded
amounts. Responsibilities are incompatible when they place a single person in a position to create
and conceal errors, irregularities, and misstatements.
Separation of the duties is also an important IT control. Work performed by analysts, programmers,
and operators should be segregated. The designer of a processing system should not do the technical
programming work. Anyone who performs either of these tasks should not be the computer operator
when real data are being processed. People performing each function should not have access to each
other’s work, and only the computer operators should have access to the equipment. Lack of
separation of duties along these lines should be considered a serious weakness in general control.
Application control activities are specific procedures used in each accounting process to meet the
relevant control objectives. Auditors evaluate activities in terms of how they address financial
reporting risk at the assertion level. The audit starts with documenting the accounting processes and
information systems, and then it identifies the application controls within each system. Auditors’
understanding of the internal controls comes through several sources of information: (1) last year’s
audit experience with the company, (2) auditee personnel responses to enquiries, (3) documents and
records inspection, (4) walk-through observation of the activities and operations of a single
transaction. Working paper documentation should include records showing the audit team’s
understanding of the internal controls. It can be summarized in the form of questionnaires, narratives,
and flow charts.
Control risk assessment involves identifying specific control objectives based on the risks of
misstatements, identifying the points in the flow of transactions where specific misstatements could
occur, identifying specific control procedures designed to prevent or detect misstatements,
identifying the control procedures that must function to prevent or detect misstatements, and
evaluating the design of control procedures to determine whether it suggests the auditee has strong
control procedures in place and whether it may be cost effective to test these controls as part of the
audit. A useful assessment technique is to analyze control strengths and weaknesses. Weaknesses
are a lack of controls in particular areas that would allow material errors to get by undetected.
Auditors do not need to test control weaknesses just to prove they are weak places as this would be
inefficient. However, auditors do always need to take control weaknesses into account in assessing
the risk of material misstatements in the financial statements.
Complex IT and ecommerce environments are highly automated. Paper documents may not exist.
Documents may be available only in electronic form. When transaction volumes are high, or when
electronic evidence comprising the audit trail is not retained, the auditor may determine that controls
are critical to reducing financial reporting risks to an acceptably low level.
When the auditee engages in ecommerce, the following aspects of internal control are critical: security;
transaction integrity; and process alignment. Security includes physical and electronic access as well
as privacy and data backup concerns. Transaction integrity relates to the recording and processing of
ecommerce transactions, including the completeness, accuracy, timeliness, and authorization of
information. Process alignment refers to the integration of IT systems so that they operate as one
system.
To reach a conclusion on control risk, auditors must determine (a) what degree of compliance with the
control policies and procedures is required, and then (b) what degree of control compliance is
actually present. The degree of compliance required is the criterion that control performance is
assessed against. Auditors perform control tests to determine how well the company’s control
procedures actually worked during the period under audit.
Control tests that depend on documentary evidence, such as signatures, initials, checklists,
reconciliation working papers, and the like, provide better evidence than procedures that leave no
documentary traces.
After the auditor has evaluated and tested internal controls, he is in a strong position to assess the
likelihood of material misstatements. Financial misstatements can arise either from error or fraud.
An error is defined as an unintentional misstatement, whereas fraud is intentional. Intent is not
something that the auditor can observe, so it is often difficult to determine, particularly in the case of
accounting estimates or the choice and application of accounting principles.
The auditor is responsible for reporting all identified deficiencies in internal control, other than
obviously trivial ones, to an appropriate level of management as soon as possible. The appropriate
level of management is usually the one at least one level above those responsible for the deficient
controls. The auditor has a responsibility to report all significant deficiencies in writing to those
charged with governance (audit committee or equivalent). The auditor is required to communicate
material weaknesses or other important issues, such as discovery of a fraud or material misstatement,
to management and those charged with governance. A copy of the written communication should be
placed in the working papers.
For study purposes, we tend to discuss control tests and substantive tests of balances as if these are
easily distinguishable. The auditor’s goal at the planning stage is to select the most cost-effective set
of evidence-gathering procedures. A single procedure, known as a dual-purpose test, may produce
both control and substantive evidence. Many audit procedures can be
designed to serve dual purposes and yield evidence about both controls and financial statement
assertions. This allows the auditor to select an audit approach combining control reliance and
substantive evidence as the basis for a cost effective overall audit plan.