Case 1

1. For what purposes should an auditor’s knowledge about the internal control structure
elements be utilized in planning the audit?
In all audits, the auditor should gain an understanding of internal control to
sufficiently plan the audit by performing procedures to comprehend the design of controls
relevant to financial statement audits and determining whether they have been
implemented. A lack of knowledge in internal controls may result in dozens of cases of
companies losing millions of dollars due to control failures, fraud, and misconduct. This
resulted from the auditor's lack of knowledge of the internal control structure elements, as
well as overlooking the importance of internal control to an organization's success. A
strong internal control environment can provide reasonable assurance to management and
stakeholders that the organization is operating in accordance with company policies,
industry standards, and regulatory requirements (Clarke, 2020). Thus, an Auditor who
has establish knowledge about internal control structure elements can improve their
efficiency in delivering value and achieving its strategic objectives in the audit planning.
PCAOB (2010) further explains that the auditor may considers knowledge obtained from
other sources about the types of misstatement that could occur, the risk that such
misstatements may occur, and the factors that influence the design of tests of controls,
when applicable, and substantive tests when making a judgment about the understanding
of internal control required to plan the audit. The auditor also takes into account his or
her assessment of inherent risk, materiality judgments, and the complexity and
sophistication of the entity's operations and systems, including the extent to which the
entity relies on manual or automated controls. To sum it up, internal auditors make
recommendations for the improvement of the company’s audit planning thus it’s a must
for the auditors to established their knowledge first in accordance with the internal
control structure element before recommending. In line with that, all companies and
nonprofit organizations can benefit from this auditing. Therefore, auditors should have
the knowledge about the internal control structure elements to operate efficiently
throughout the company and are alert for breakdowns in the company’s internal control
structure.
2. Discuss why an auditor may assess control risk at the maximum level for one or more
assertions embodied in account balance.
Control risk is the risk that a material misstatement in an assertion will not be
prevented or detected in a timely manner by the entity's internal control. The auditor
believes controls are unlikely to pertain to an assertion or be effective, or because
evaluating the effectiveness of controls would be inefficient, the auditor may assess
control risk at the maximum level for some or all assertions. However, the auditor needs
to be satisfied that performing only substantive tests would be effective in restricting
detection risk to an acceptable level (PCAOB, 2010). Let’s take for an instance, the
auditor may decide that performing only substantive tests would be more effective and
efficient than performing controls tests for assertions related to fixed assets and long-term
debt in an entity with a limited number of transactions related to those financial statement
components and when the auditor can easily obtain corroborating evidence in the form of
documents and confirmations. When the auditor is performing only substantive tests to
reduce detection risk to an acceptable level, and the information used by the auditor to
perform such substantive tests is generated by the entity's information system, the auditor
should obtain evidence of the information's accuracy and completeness. In other
circumstances, the auditor may determine that assessing control risk below the maximum
level for certain assertions would be effective and more efficient than performing only
substantive tests. In addition, the auditor may determine that it is not practical or possible
to restrict detection risk to an acceptable level by performing only substantive tests for
one or more financial statement assertions. In such circumstances, the auditor should
obtain evidential matter about the effectiveness of both the design and operation of
controls to reduce the assessed level of control risk (PCAOB, 2010).

3. After obtaining sufficient knowledge about the internal control structure, what procedures
should be performed by an auditor to support his or her conclusion that control risk is at
less than the maximum level?
Assessing control risk below the maximum level involves: Identifying specific
controls relevant to specific assertions, performing tests of controls, and Concluding on
the assessed level of control risk. The procedure that should be performed by an auditor
to support his or her conclusion that control risk is at less than the maximum level is to
obtain evidence about whether a selected control is effective, the control must be tested
 directly; the effectiveness of a control cannot be inferred from the absence of
misstatements detected by substantive procedures. The absence of misstatements detected
by substantive procedures, however, should inform the auditor's risk assessments in
determining the testing necessary to conclude on the effectiveness of a control. Also, the
auditor should incorporate the results of any additional tests of controls performed to
achieve the objective related to expressing an opinion on the financial statements. In
some circumstances, particularly in some audits of smaller and less complex companies,
the auditor might choose not to assess control risk as low for purposes of the audit of the
financial statements. In such circumstances, the auditor's tests of the operating
effectiveness of controls would be performed principally for the purpose of supporting
his or her opinion on whether the company's internal control over financial reporting is
effective as of year-end. The results of the auditor's financial statement auditing
procedures also should inform his or her risk assessments in determining the testing
necessary to conclude on the effectiveness of a control (PCAOB, 202).

CASE 2
1. Discuss the form and content of the report on internal control to management based on
your annual audit and the reason or purposes for such a report.
Effective internal control provides reasonable assurance about the reliability of financial
reporting and the preparation of financial statements for external purposes. Moreover, the
internal control report must include: a statement of management's responsibility for establishing
and maintaining adequate internal control; management's assessment of the effectiveness of the
company's internal control as of the end of the company's most recent fiscal year; a statement
identifying the framework used by management to evaluate the effectiveness of the company's
internal control; and a statement that the registered public accounting firm that audited the
company's financial statements included in the annual report has issued an attestation report on
management's assessment of the company's internal control. In an audit of internal control, the
auditor's goal is to express an opinion on the effectiveness of the company's internal control. As a
company's internal control cannot be considered effective if one or more material weaknesses
exist, the auditor must plan and conduct the audit to obtain appropriate evidence sufficient to
obtain reasonable assurance (PCAOB, 2010). The general standards apply to an internal control
audit. Technical training and proficiency as an auditor, independence, and the exercise of due
professional care, including professional skepticism, are all required by these standards. This
standard specifies the fieldwork and reporting requirements for an audit of internal control. In
addition, US Security and Exchange Commission (2003) furtherly provides that in new rules, a
company must file the attestation report of the registered public accounting firm as part of the
annual report. Furthermore, there will be an adding of a requirement that management evaluate
any change in the company's internal control over financial reporting that occurred during a
fiscal quarter and has materially affected, or is reasonably likely to materially affect, the
company's internal control. Nevertheless, Management is seeking internal audit reports that are
easy to read, ‘tell a story’, and get to the point. It should value internal audit reports that provide
a conclusion or opinion on the activity audited (ICAI, 2020). Its reports on internal
controls provide a unique opportunity for management to discuss issues and concerns not
communicated elsewhere in the annual report. Thus, the success of audit reporting is determined
largely by the attitude and approach with which internal auditor carries out the duties. As
auditors, we should aspire to be the agents of positive change in the organization, and strive to be
viewed and accepted as valued insiders.

REFERENCES:

Clarke, I. (2020). Establishing an Effective Internal Control Environment. Retrieved from

https://linfordco.com/blog/internal-control-environment/ on October 30, 2021
ICAI. (2020). Presentation On Internal Audit Reporting. Retrieved from https://www.wirc-
icai.org/images/material/Internal-Audit-Reporting-SP on October 30, 2021
PCAOB. (2010). Auditing Standard No. 5: An Audit of Internal Control Over Financial
Reporting That Is Integrated with An Audit of Financial Statements. Retrieved from
https://pcaobus.org/oversight/standards/archived-standards/details/Auditing_Standard_5 on
October 30, 2021
PCAOB. (2021). AS 2201: An Audit of Internal Control Over Financial Reporting That Is
Integrated with An Audit of Financial Statements. Retrieved from
https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201 on October 30, 2021
PCAOB. (2010). AU Section 319: Consideration of Internal Control in a Financial Statement
Audit. Retrieved from https://pcaobus.org/oversight/standards/archived-standards/details/AU319
on October 30, 2021
US Security and Exchange Commission. (2003). Final Rule: Management's Report on Internal
Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic
Reports. Retrieved from https://www.sec.gov/rules/final/33-8238.htm on October 30, 2021