In this chapter, the learning objectives are: understand the importance of internal control to management and auditors, know the definition of internal control, know what controls are relevant to the audit, understand the effect of information technology on internal control, be familiar with the components of internal control, understand how to plan an audit strategy, know how to develop an understanding of an entity's internal control,...
Chapter Six
Internal Control in a Financial Statement Audit
© The McGraw-Hill Companies 2010 McGraw-Hill/Irwin

Internal Control
Management has the responsibility to maintain controls that provide reasonable assurance that adequate control exists over the entity's assets and records
The Internal Control System should:
- ensure that assets and records are safeguarded
- create an environment in which efficiency and effectiveness are encouraged and monitored
- generate reliable information for decision-making
The auditor needs assurance about the reliability of the data generated by the information system

Internal Control
The auditor uses risk assessment procedures to:
- obtain an understanding of the entity's internal control
- identify the types of potential misstatements
- ascertain factors that affect the risk of material misstatement
- design tests of controls and substantive procedures
The auditor's understanding of the internal control is a major factor in determining the overall audit strategy
The auditor has a responsibility to: (1) obtain an understanding of internal control and (2) assess control risk

Internal Control Objectives
- Reliability of Financial Reporting
- Effectiveness & Efficiency of Operations
- Compliance with Laws & Regulations

Controls Relevant to the Audit
Objectives:
- Reliability of Financial Reporting
- Effectiveness & Efficiency of Operations
- Compliance with Laws & Regulations
Generally, internal controls pertaining to the preparation of financial statements for external purposes are relevant to an audit
Controls relating to operations and compliance objectives may be relevant when they relate to data the auditor uses to apply auditing procedures

The Effect of Information Technology on Internal Control

Components of Internal Control
- Entity's Risk Assessment Process
- Control Environment
- Information System and Related Business Processes Relevant to Financial Reporting & Communication
- Control Activities
- Monitoring of Controls

Timing of Audit Procedures
Interim / Year End
Let's look at the EarthWear Clothiers example again to see the timing of their audit procedures

Timing of Audit Procedures
Interim Tests of Controls / Interim Substantive Procedures
- Assertion being tested not significant
- Control has been effective in prior audits
- Efficient use of staff time
- Assertion probably has low control risk
- May increase the risk of material misstatements
- Still requires some year end testing

Auditing Accounting Applications Processed by Service Organisations
In some instances, a client may have some or all of its accounting transactions processed by an outside service organisation
Because the client's transactions are subjected to the controls of the service organisation, one of the auditor's concerns is the internal control system in place at the service organisation

Auditing Accounting Applications Processed by Service Organisations
It is not uncommon for service organisations to have an auditor issue one of two types of reports on their operations
- Report Type: Describes the service organisation's controls and assesses whether they are suitably designed to achieve specified internal control objectives
- Report Type: Goes further by testing whether the controls provide reasonable assurance that the related control objectives were achieved during the period
An auditor may reduce control risk below the maximum only on the basis of a service auditor's report that includes tests of the controls

Communication of Deficiencies in Internal Control
Deficiency: (1) A control designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or (2) a control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing
Significant Deficiency: A significant deficiency in internal control is a deficiency or combination of deficiencies in internal control that, in the auditor's professional judgement, is of sufficient importance to merit the attention of those charged with governance

Communication of Deficiencies in Internal Control
Communication: Auditing standards (ISA 265) require that the auditor communicates significant control deficiencies in writing to those charged with governance and management
The auditor should also communicate to management other control deficiencies judged to be of sufficient importance to merit management's attention

Examples of Reportable Conditions

Types of Controls in an IT Environment

Computer-Assisted Audit Techniques
Computer-assisted audit techniques (CAATs) include:
• Generalised audit software packages
• Custom audit software
• Test data

Generalized Audit Software

Custom Audit Software
Custom audit software is generally written by auditors for specific audit tasks
It may be required when the client's computer system is not compatible with the auditor's generalized audit software
Custom software:
(1) Is expensive to develop
(2) Requires extended development time
(3) May require extensive modification if the client changes its accounting application programs

Test Data
Test data are developed by the auditor to test the application controls in the client's computer programs
The technique can be used to check (1) data validation controls and error detection routines, (2) processing logic controls, (3) arithmetic calculations, and (4) the inclusion of transactions in records, files, and reports

Flowcharting Symbols

End of Chapter

... may arise and adversely affect the entity's ability to initiate, record, process and report financial data consistent with the assertions of management in the financial statements Client business