Internal Controls
Risks for which substantive tests alone will not reduce audit risk to a sufficiently low level:
Substantive tests may not lower audit risk if the client's accounting system is automated.
Businesses that take orders by phone rarely leave a paper trail. Many airlines take phone
reservations (or online reservations) and issue electronic tickets. In a business-to-
business e-commerce system, some organizations never print a purchase order and only
send the vendor an electronic one. In these instances, the auditor can only assess
computer general controls, computer application controls, and manual follow-up
processes to ensure transaction cycle completeness and accuracy. Without checking the
internal processes over cash receipts, many charities cannot verify donations.
Understanding internal controls may lead to an audit approach based on lower control risk.
EFFECTS OF PRELIMINARY AUDIT STRATEGIES
An important issue in a private company audit is understanding the minimum level of
understanding of internal control that the auditor needs when performing a primarily
substantive approach. An auditor cannot assess control risk at the maximum without
support. Following is a brief summary of the minimum knowledge that the auditor needs
in order to understand the risk of misstatement and to plan a primarily substantive
approach.
Control Environment. Because the control environment has such a pervasive
influence on other aspects of internal control, as well as the risk of misstatement in
the financial statements, the auditor should answer the questions about the control
environment. In every audit, the auditor needs to understand the control
environment’s collective effect on other aspects of internal control.
Risk Assessment. The auditor should understand how management has designed
controls to offset business risks, inherent risks, and the risk of fraud.
Information and Communication. Regardless of audit strategy, AU 319.36 indicates
that the auditor should obtain sufficient knowledge of the information systems
relevant to financial reporting to understand:
o The classes of transactions in the entity’s operations that are significant to
the financial statements.
o How those transactions are initiated.
o The accounting records, supporting documents, and specific accounts in the
financial statements involved in the processing and reporting of
transactions.
o The accounting processing involved from the initiation of a transaction to its
inclusion in the financial statements, including electronic means (such as
computer and electronic data interchange) used to transmit, process,
maintain, and access information.
o The financial reporting process used to prepare the entity’s financial
statements, including significant accounting estimates and disclosures.
The auditor needs to understand the information and communication system in sufficient
detail to identify the points at which misstatements may occur in the accounting system
and to be able to design effective substantive tests.
Control Activities. Control activities are essential to reducing the opportunity for
fraud. At a minimum, auditors should understand how transactions are authorized
and the adequacy of segregation of duties. The degree to which auditors
understand control activities is related to the extent to which the auditor plans to
test those controls and change the nature, timing, or extent of substantive tests.
Monitoring. It is important to understand the types of activities used by the entity,
top management, accounting management, and internal auditors to monitor the
effectiveness of internal control in meeting financial reporting objectives.
Knowledge should also be obtained as to how corrective actions are initiated based
on information gleaned from monitoring activities.
Several other factors should be considered in reaching a judgment about the required
level of understanding, as follows:
Knowledge of the client from previous audits.
Preliminary assessments of materiality and inherent risk.
An understanding of the entity and its environment.
The complexity and sophistication of the entity’s operations and systems, including
whether the method of controlling information processing is based on manual
procedures independent of the computer or is highly dependent on computerized
controls.
In addition, when significant inherent risks are identified, the auditor must understand
the design of internal controls relevant to those assertions and whether the controls have
been placed in operation.