Chapter 6
Internal Control in a Financial Statement Audit
McGraw-Hill/Irwin
Copyright © 2008 by The McGraw-Hill Companies, Inc. All rights reserved.
LO# 1
Internal Control
Internal control plays an important role in how management meets
its stewardship or agency responsibilities. Management has the
responsibility to maintain controls that provide reasonable
assurance that adequate control exists over the entity’s assets and
records. Proper internal control not only ensures that assets and
records are safeguarded but also creates an environment in which
efficiency and effectiveness are encouraged and monitored.
Management also needs a control system that generates reliable
information for decision making.
The auditor needs assurance about the reliability of the data
generated by the information system in terms of how it affects the
fairness of the financial statements and how well the assets and
records of the entity are safeguarded.
6-2
LO# 1
Internal Control
The auditor uses risk assessment procedures to obtain an
understanding of the entity’s internal control and uses this
understanding to identify the types of potential
misstatements, ascertain factors that affect the risk of material
misstatement, and design tests of controls and substantive
procedures.
The auditor’s understanding of the internal control is a major
factor in determining the overall audit strategy. The auditor’s
responsibilities for internal control are discussed under two
major topics: (1) obtaining an understanding of internal
control and (2) assessing control risk.
6-3
LO# 2
Internal Control
Objectives
Reliability of Financial Reporting
Effectiveness & Efficiency of Operations
Compliance with Laws & Regulations
6-4
LO# 3
Controls Relevant to the Audit
Objectives
Reliability of Financial Reporting
Effectiveness & Efficiency of Operations
Compliance with Laws & Regulations
Generally, internal controls pertaining to the preparation
of financial statements for external purposes are
relevant to an audit.
6-5
LO# 3
Controls Relevant to the Audit
Objectives
Reliability of Financial Reporting
Effectiveness & Efficiency of Operations
Compliance with Laws & Regulations
Controls relating to operations and compliance
objectives may be relevant when they relate to data the
auditor uses to apply auditing procedures.
6-6
LO# 4
Components of Internal Control
Control Environment
Entity’s Risk Assessment Process
Information System and Related Business Processes Relevant to Financial Reporting & Communication
Control Procedures
Monitoring of Controls
6-7
LO# 4
Components of Internal Control
6-8
LO# 4
Components of Internal Control
6-9
The Effect of Information
Technology on Internal Control
LO# 5
6-10
LO# 6
Planning an Audit Strategy
Audit Risk Model
AR = IR × CR × DR
In applying the audit risk model, the auditor must
assess control risk. The figure on the next slide
presents a flowchart of the auditor’s decision
process when considering internal control in
planning an audit.
6-11
LO# 6
Planning an Audit Strategy
6-12
LO# 6
Substantive Strategy
After obtaining an understanding of internal control, an
auditor may choose to follow a substantive strategy and set
control risk at the maximum for some or all assertions
because of one or all of the following factors:
Controls do not pertain to an assertion.
Controls are assessed as ineffective.
Testing the effectiveness of controls is inefficient.
6-13
LO# 6
Reliance Strategy
Obtain Understanding of Internal Control
Plan to Rely on Internal Control and Assess Control Risk Below Maximum
6-14
LO# 6
Assertions
Occurrence
Completeness
Authorization
Accuracy
Cutoff
Classification
6-15
LO# 6
Assertions
6-16
LO# 6
Assertions
6-17
Obtain an Understanding
of Internal Control
LO# 7
The auditor should obtain an understanding of each of
the five components of internal control in order to plan
the audit. This knowledge is used to:
Pinpoint the factors that affect the risk of material misstatement
Identify types of potential misstatements
Design tests of controls and substantive procedures
6-18
LO# 7
Control Environment
6-19
LO# 7
The Entity’s Risk
Assessment Process
The risk assessment process should consider external and
internal events and circumstances that may arise and adversely
affect the entity’s ability to initiate, record, process and report
financial data consistent with the assertions of management in
the financial statements.
Client business risk can arise or change due to the following
circumstances:
Changes in the operating environment
Corporate restructuring
New personnel
Rapid growth
New or revamped information systems
New technology
Expanded international growth
New accounting pronouncements
New business models, products, or activities
6-20
Information Systems and
Communication
LO# 7
An effective accounting system gives appropriate consideration
to establishing methods and records that will
1. Identify and record all valid transactions.
2. Describe on a timely basis the transactions in sufficient detail to
permit proper classification of transactions for financial reporting.
3. Measure the value of transactions in a manner that permits
recording their proper monetary value in the financial statements.
4. Determine the time period in which transactions occurred to permit
recording of transactions in the proper accounting period.
5. Properly present the transactions and related disclosures in the
financial statements.
6-21
LO# 7
Control Activities
Control activities are the policies and procedures that help
ensure that management’s directives are carried out. Those
control procedures that are relevant to the audit include
Performance reviews
Information processing
Physical controls
Segregation of duties
6-22
LO# 7
Monitoring of Controls
Monitoring of controls is a process that
assesses the quality of internal control
performance over time.
Internal Auditors
An effective internal audit function has clear lines of authority and
reporting, qualified personnel, and adequate resources to enable these
personnel to carry out their assigned duties.
6-23
LO# 7
The Effect of Entity Size on
Internal Control
While the basic concepts of the five
components should be present in all entities,
they are likely to be less formal in a small or
midsize entity than in a large entity.
6-24
LO# 7
The Limitations of an
Entity’s Internal Control
Management Override of Internal Control
Human Errors or Mistakes
Collusion
6-25
LO# 7
Factors Contributing to Fraud
6-26
LO# 8
Documenting the Understanding
of Internal Control
Procedure Manuals and Organizational Charts
Narrative Description
Internal Control Questionnaires
Flowcharts
6-27
LO# 9
Assessing Control Risk
Identify specific controls that will be relied upon.
Perform tests of controls.
Conclude on the achieved level of control risk.
6-28
LO# 10
Documenting the Assessed
Level of Control Risk
The auditor’s assessment of control risk and the
basis for the achieved level can be documented
using a structured working paper, an internal control
questionnaire, or a memorandum.
Let’s look at an example from
EarthWear Clothiers to see
how the control risk for two
accounts that differ in terms of
their nature, size and
complexity is documented.
6-29
LO# 10
Documenting the Assessed
Level of Control Risk
6-30
LO# 11
Substantive Procedures
6-31
LO# 12
Timing of Audit Procedures
Interim
Year End
Let’s look at the EarthWear Clothiers example
again to see the timing of their audit
procedures.
6-32
LO# 12
Timing of Audit Procedures
6-33
LO# 12
Interim Audit Procedures
Interim Tests of Controls
1. Assertion being tested not significant
2. Control has been effective in prior audits
3. Efficient use of staff time
Interim Substantive Procedures
1. Assertion probably has low control risk
2. May increase the risk of material misstatements
3. Still requires some year end testing
6-34
LO# 13
Auditing Accounting Applications
Processed by Service Organizations
In some instances, a client may have some or all of its
accounting transactions processed by an outside service
organization.
Because the client’s transactions are subjected to the controls of the
service organization, one of the auditor’s concerns is the internal
control system in place at the service organization.
It is not uncommon for service organizations to have an auditor issue
one of two types of reports on their operations.
6-35
LO# 13
Auditing Accounting Applications
Processed by Service Organizations
Report #1
Describes the service organization’s
controls and assesses whether they
are suitably designed to achieve
specified internal control objectives.
An auditor may reduce
control risk below the
maximum only on the
basis of a service
auditor’s report that
includes tests of the
controls.
Report #2
Goes further by testing whether the
controls provide reasonable assurance
that the related control objectives were
achieved during the period.
6-36
LO# 14
Communication of Internal Control-Related Matters
Reportable Conditions
Significant deficiencies in the design or operation of internal control
that could adversely affect the organization’s ability to initiate,
record, process, and report financial data consistent with
management’s assertions.
Material Weakness
A material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected.
6-37
LO# 14
Examples of Reportable Conditions
6-38
LO# 15
Types of Controls in an IT
Environment
General Controls
1. Data center & network operations
2. System software acquisition, change and maintenance
3. Access security
4. Application system acquisition, development, and maintenance
Application Controls
1. Data capture controls
2. Data validation controls
3. Processing controls
4. Output controls
5. Error controls
6-39
Types of Controls in an IT
Environment
LO# 15
6-40
Types of Controls in an IT
Environment
LO# 15
6-41
Types of Controls in an IT
Environment
LO# 15
6-42
LO# 16
Flowcharting Symbols
6-43
End of Chapter 6
6-44