1 A Framework for Control

• The quality of an organisation’s internal controls affects not only the reliability of its financial
reporting, but also its ability to make good decisions and stay in business.
• Internal control processes must effectively address risks that are present in the industry and
in the organisation
2 A Framework for Control (cont.)
• Auditors gain an understanding of their client’s control system in order to
– better understand the client, its risks, and how it manages those risks
– assess control risk and identify types of most likely misstatements
– plan extent of substantive testing needed
– in some instances to report on effectiveness of internal controls (businesses in Australia
needing to report in the US).
•
3 Internal Control
• Internal control is a process designed to provide reasonable assurance of:
– generating reliable financial accounting information
– safeguarding assets
– complying with applicable laws and regulations
– operating efficiently and effectively.
4 The Need for Control
• Control is part of corporate governance whereby the owners and creditors of an
organisation exert control and require accountability for its resources.
• Governance begins with stockholders, who delegate certain responsibilities to the board of
directors and in turn to management.
• That delegation must occur within a framework of control and accountability. The control
system exists to ensure that:
– responsibilities are properly identified
– tasks are assigned in accordance with responsibilities and accountability.
5 Who Is Interested in an Organisation’s Control Structure?
• Board of directors and the audit committee
• Management
• Regulators
• Internal and external auditors
• Suppliers and customers
• Equity and debt investors
• Customers or others using the web for commerce
6 Components of an Internal Control System
• Control environment: overall attitude, awareness and actions of significant internal groups
to maintain a well-controlled organisation (tone at the top)
• Risk assessment: process designed to identify and manage risks that may affect the
organisation’s ability to achieve its objectives

1
 organisation’s ability to achieve its objectives
7 Components of an Internal Control System (cont.)
• Control activities: policies and procedures established by management to help ensure that
internal control objectives are achieved and risks mitigated
• Information and communication: the process of identifying, capturing and exchanging
information in a timely fashion to enable the organisation to achieve its objectives
• Monitoring: a process that assesses the quality of internal controls over time
•
8 Framework for
Internal Controls
•

9 Components of an Internal Control System (cont.)

• There is a logical loop to an organisation’s internal controls, starting with:
1 design of the control environment
2 identification of organisational risks and controls to minimise those risks
3 design and implementation of controls and a communication system
4 monitoring of the effectiveness of the controls to mitigate risk
5 return to design (managing internal control is an ongoing activity).
10 Understanding the Control Environment
• There are a number of factors an auditor should look at when evaluating an organisation’s
control environment:
– management’s philosophy and operating style
– organisational structure, including assignment of authority and responsibility
– board of directors and audit committee
– human resource policies and practices
– integrity and ethical values
– commitment to competence
– compensation and evaluation programs
– effectiveness of the internal audit function.
11 Internal Reports to Management
• Management often requests reports on the quality of its internal controls in order to ensure
the company can achieve its major objectives and is not exposed to unnecessary risks
• Management receives reports from three sources:
– ongoing monitoring reports from operations
– internal audit reports
– external audit reports.
12 Reporting on Internal Control (cont.)
• In performing an audit of controls, the auditor must:
– review client documentation, including the way controls are supposed to work (design)
– review client testing of controls (operations)

2
 – review client testing of controls (operations)
– determine which controls to test, sample sizes and how to judge whether a control is
operating effectively
– reach a conclusion about the effectiveness of client internal controls over financial
reporting.
13 Reporting on Internal
Control (cont.)
• Matters that an auditor might report on could include:
– a description of the internal control, its objectives and its inherent limitations
– a definition of material deficiency in
internal control
– a description of all material deficiencies found
– an opinion regarding the effectiveness of the company’s internal controlsl.
14 Relationship of Controls
to Auditing
• A minimum level of control is necessary for an entity to be auditable
• The quality of internal controls affects the organisation’s operating effectiveness and
ultimately its ability to remain a going concern.
• The quality of internal controls drives the audit approach and amount of testing.
15 Relationship of Controls
to Auditing (cont.)
• Analysis of control deficiencies helps identify the types of likely misstatements.
• Inadequate controls may place an organisation in violation of federal laws.
• The auditor is required to attest to management’s assessment of the effectiveness of
internal controls over financial reporting for all public companies.
•
16 Accounting Information Systems
• Accounting systems capture, record, summarise and report information.
• An accounting information system is typically not one big system, but a network of smaller
accounting applications/subsystems.
• Each application processes unique types of transactions:
– sales
– accounts receivable
– accounts payable
– cash receipts
– cash disbursements
– payroll
– inventory, etc.
17 Accounting Information Systems
• Each application has its own unique source documents, processes and controls.
• The quality of internal controls can vary between applications.
• The auditor develops an understanding of:

3
 • The auditor develops an understanding of:
– how transactions are entered and processed
– the controls for each significant accounting application.
18 Internal Control & Financial Statement Account Balances
• Auditors assess control risk for each relevant assertion for each important class of
transactions and account balance as a basis for planning the audit.
• Auditors need to understand and evaluate the internal control design for all important
accounting applications.
• Auditors need to evaluate the effectiveness of internal control over financial reporting for
accounting applications that process material transactions.
19 Internal Control &
Financial Statement
Account Balances (cont.)
• Auditors must evaluate controls in systems that:
– record revenue
– deal with significant estimates
– process journal entries near the end of the year to close the books
– deal with off-statement financing or related party transactions.
20 Internal Control &
Financial Statement
Account Balances (cont.)
• Auditors must jointly assess the organisation’s control environment and the specific
accounting system controls to evaluate the risk of material deficiency in internal control.
• To conclude internal controls are effective, auditors must obtain evidence that the control
structure is soundly designed and operating effectively.
•
21 Assessing the Effectiveness of Control Procedures
• Management designs and implements specific control procedures to ensure that the
company will achieve its control objectives – and if the control objectives are achieved, the
management assertions are likely to be valid and the account balance and transactions
properly recorded.
• The auditor assesses the organisation’s control procedures within a framework of control
objectives and management assertions.
•
22 Assessing the Effectiveness of Control Procedures (cont.)
• In order to perform this assessment, the auditor must understand the accounting processes
within each system, the related accounts and the risk associated with incorrect processes.
• With this knowledge, the auditor can identify which management assertions and control
objectives are most likely to be violated.
• From this, the auditor can identify appropriate control procedures that can then be assessed
for effectiveness in design and operation.
23 Overview of Controls Testing: Pervasive Control Activities

4
 • Some control procedures are found in almost all accounting systems:
– segregation of incompatible duties
– authorisation procedures
– documented transaction trail
– physical controls to limit access to assets
– independent reconciliation
– competent, trustworthy employees.
24 Control Effectiveness and Control Risk Assessment
• Process for evaluating controls:
Phase 1 Obtain an understanding of risks and internal controls
Phase 2 Make a preliminary assessment of control risk and decide whether to test
operation of control procedures
Phase 3 Test operating effectiveness of controls
Phase 4 Based on the results of testing, determine whether to revise the assessment of
control risk and incorporate this revision into the substantive testing.
25 Phase 1: Obtain an Understanding
• Auditors must gain an understanding of how each significant accounting application
operates and the control procedures used. Auditors can gather evidence through:
– walk-throughs of the accounting system and processing procedures
– inquiring of management, and accounting and operational employees
– taking plant and operational tours
– reviewing documentation, including accounting manuals and program and system
descriptions
– reviewing prior year audit work papers
• Auditors document understanding using flowcharts, questionnaires and narratives.
26 Phase 2: Make a
Preliminary Assessment of
Control Risk and Effectiveness
• After gaining an understanding, the auditor makes a preliminary assessment of control risk.
This assessment is crucial because it drives the planning for the rest of the audit.
• The relationship between the assessed level of control risk and the rigour of the subsequent
substantive testing is inverse.
27 Phase 2: Make a Preliminary Assessment of Control Risk and Effectiveness (cont.)
• If control risk is assessed as high:
– no reliance is placed on the client’s internal controls
– the amount and rigour of substantive testing must be increased.
• If control risk is assessed as low:
– the auditor would like to rely on the client’s internal controls
– the amount and rigour of substantive testing may not have to be increased. However, the
auditor must test the controls to make sure they are operating effectively.
28 Phase 3: Perform Test

5
 Phase 3: Perform Test
of Controls
• The preliminary assessment of control risk is based on the auditor’s understanding of the
control system and how it has operated in the past.
• When control risk is assessed as low, and the auditor intends to rely on the client’s controls,
the auditor may reduce (or not increase) the amount of substantive testing.
• To ensure that the auditor’s reliance on the client’s control is warranted, the auditor must
test the control to make sure it is operating effectively.
29 Phase 3: Perform Test of Controls (cont.)
• Guidance on sample size for testing controls
• Testing controls across multiple locations
• Dual purpose tests
• Assessing control risk as moderate
30 Phase 4: Update Assessment of Control Risk & Need for Substantive Testing
• If testing indicates the control is not operating effectively, the auditor will revise the
preliminary assessment of control risk and incorporate this revision into the subsequent
substantive testing.