Auditing and Assurance Services 9/e

Internal Control
and Control Risk
Chapter 10
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley
Learning Objective 1
Contrast management’s need for
internal control with the auditor’s
need to consider internal control
when designing an audit.
Key Concepts
Management’s Responsibility
Reasonable Assurance
Inherent Limitations
Client’s Concerns
Reliability of financial reporting
Efficiency and effectiveness of operations
Compliance with applicable laws
and regulations
Auditor Concerns
Controls related to reliability of
financial reporting
Controls over classes of transactions
Sales Transaction-Related Audit Objectives
Objective – General Form | Related Audit Objectives
Recorded transactions exist (existence). | Sales are for shipments to existing customers.
Existing transactions are recorded (completeness). | Existing sales transactions are recorded.
Transactions are stated correctly (accuracy). | Sales for goods shipped are correctly billed.
Sales Transaction-Related Audit Objectives
Objective – General Form | Related Audit Objectives
Transactions are properly classified (classification). | Sales transactions are properly classified.
Transactions are recorded on correct dates (timing). | Sales are recorded on the correct dates.
Transactions are properly filed (posting and summarization). | Sales transactions are properly included in the master files.
How Frauds Have Been Discovered
Notification by employee: 58%
Internal controls: 51%
Internal auditor: 43%
Customer notification: 41%
Accidental discovery: 37%
Management investigation: 35%
How Frauds Have Been Discovered
Anonymous reporting: 35%
Hot line notification: 25%
Employee investigation: 21%
Government notification: 16%
External auditor: 4%
Other sources: 20%
Learning Objective 2
Describe how information
technology affects
internal control.
Effect of Information
Technology on Internal Control
Information Technology
IT can improve
the effectiveness
and efficiency of
internal controls.
IT also enhances
the timeliness
and accuracy
of information.
Risks Associated With the Use
of Information Technology
Programmed errors
Processing incorrect data
Unauthorized access
Learning Objective 3
Explain the five components
of internal control.
Five Components of Internal Control
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
The Control Environment
Integrity and ethical values
Commitment to competence
Board of directors or audit
committee participation
Management’s philosophy
and operating style
The Control Environment
Organizational structure
Assignment of authority
and responsibility
Human resources
policies and practices
Risk Assessment
Identify factors affecting risk.
Assess significance of risks
and likelihood of occurrence.
Determine actions necessary
to manage risk.
Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance
Adequate Separation of Duties
Custody of assets vs. Accounting
Authorization of transactions vs. The custody of related assets
Operational responsibility vs. Record-keeping responsibility
IT Duties vs. User departments
Proper Authorization of
Transactions and Activities
General authorization
Specific authorization
Adequate Documents
and Records
Prenumbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple uses
Constructed to encourage correct preparation
Physical Control over Assets and Records
Physical precautions
Controls related to IT equipment, programs, and data files:
Physical controls
Access controls
Backup and recovery procedures
Independent Checks
on Performance
The need for independent checks
arises because internal control tends
to change over time unless there is
a mechanism for frequent review.
Information and
Communication
The purpose of an accounting information
and communication system is to…
initiate, record, process, and report the
transactions and to maintain accountability
for the related assets.
Monitoring
Management’s ongoing and periodic assessment
of the quality of internal control performance …
to determine whether controls are operating
as intended and modified when needed.
Learning Objective 4
Explain methods used to
obtain an understanding
of internal control.
Understanding Internal Control
and Assessing Control Risk
Obtain Understanding of Internal Control:
Design and Operation
Assess Control Risk
Test Controls
Decide Planned Detection Risk
and Substantive Tests
Reasons for Sufficiently
Understanding Internal Control
SAS 55 (as amended by SAS 78 and 594
plus AU319) requires the auditor to
obtain an understanding of internal
control for every audit.
Minimum audit planning matters
• Auditability
• Potential material misstatements
• Detection risk
• Design of test
Procedures to Determine
Design and Placement
Update and evaluate auditor’s previous
experience with the entity.
Make inquiries of client personnel.
Read client’s policy and systems manuals.
Examine documents and records.
Observe entity activities and operations.
Documentation of
the Understanding
Narrative
Flowchart
Internal control questionnaire
Learning Objective 5
Assess control risk by linking
strengths and weaknesses of
internal control to transaction-related audit objectives.
Assess Control Risk
Obtain sufficient understanding for planning.
Assess whether the entity is auditable.
Determine assessed control risk.
Assess if a lower control risk could be supported.
Determine the appropriate assessed control risk.
Assess Control Risk
Identify transaction-related audit objectives.
Identify specific controls.
Identify and evaluate weaknesses.
Identify and Evaluate
Weaknesses
Identify existing controls.
Identify the absence of key controls.
Determine misstatements that could result.
Consider compensating controls.
The Control Risk Matrix
Auditors use the control risk matrix to
identify both controls and weaknesses
and to assess control risk.
Communication
Reportable conditions letter
Audit committee communications
Management letters
Learning Objective 6
Describe the process of designing
and performing tests of controls.
Tests of Controls
The procedures to test effectiveness
of controls in support of a reduced
assessed control risk are called
tests of controls.
Procedures for
Tests of Controls
Make inquiries of client personnel.
Examine documents, records, and reports.
Observe control-related activities.
Reperform client procedures.
Extent of Procedures
Reliance on evidence from prior year’s audit
Testing less than the entire audit period
Relationship of Assessed Control Risk and Extent of Procedures
Type of Procedure | Assessed Control Risk, High Level: Obtaining an Understanding Only | Assessed Control Risk, Lower Level: Tests of Controls
Inquiry | Yes – extensive | Yes – some
Documentation | Yes – with transaction walk-through | Yes – using sample
Observation | Yes – with transaction walk-through | Yes – multiple times
Reperformance | No | Yes – sampling
Decide Planned Detection Risk
and Design Substantive Tests
The auditor uses the results of the control risk
assessment process and tests of controls to
determine the planned detection risk and
related substantive tests.
The auditor links the control risk assessments
to the balance-related audit objectives.
End of Chapter 10