
Internal Control and Control Risk

Learning Objective 1 Contrast management's need for internal control with the auditor's need to consider internal control when designing an audit.

Key Concepts

Management's Responsibility

Reasonable Assurance
Inherent Limitations

Client's Concerns
Reliability of financial reporting
Efficiency and effectiveness of operations

Compliance with applicable laws and regulations

Auditor Concerns
Controls related to reliability of financial reporting

Controls over classes of transactions

Sales Transaction-Related Audit Objectives


Objective (general form): Related audit objective (sales)
Recorded transactions exist (existence): Sales are for shipments to existing customers.
Existing transactions are recorded (completeness): Existing sales transactions are recorded.
Transactions are stated correctly (accuracy): Sales for goods shipped are correctly billed.

Sales Transaction-Related Audit Objectives


Objective (general form): Related audit objective (sales)
Transactions are properly classified (classification): Sales transactions are properly classified.
Transactions are recorded on correct dates (timing): Sales are recorded on the correct dates.
Transactions are properly filed (posting and summarization): Sales transactions are properly included in the master files.

How Frauds Have Been Discovered


[Chart. Categories: Notification by employee, Internal controls, Internal auditor, Customer notification, Accidental discovery, Management investigation. Values shown: 58%, 51%, 43%, 41%, 37%, 35%.]

How Frauds Have Been Discovered


[Chart. Categories: Anonymous reporting, Hot line notification, Employee investigation, Government notification, External auditor, Other sources. Values shown: 4%, 20%, 35%, 25%, 21%, 16%.]

Learning Objective 2 Describe how information technology affects internal control.

Effect of Information Technology on Internal Control


Information Technology

IT can improve the effectiveness and efficiency of internal controls.

IT also enhances the timeliness and accuracy of information.

Risks Associated With the Use of Information Technology


Programmed errors
Processing incorrect data
Unauthorized access

Learning Objective 3 Explain the five components of internal control.

Five Components of Internal Control

Control Environment

Risk Assessment

Control Activities

Information and Communication

Monitoring

The Control Environment


Integrity and ethical values

Commitment to competence
Board of directors or audit committee participation
Management's philosophy and operating style

The Control Environment


Organizational structure
Assignment of authority and responsibility
Human resources policies and practices

Risk Assessment
Identify factors affecting risk.
Assess significance of risks and likelihood of occurrence.
Determine actions necessary to manage risk.

Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

Adequate Separation of Duties


Custody of assets from accounting
Authorization of transactions from the custody of related assets
Operational responsibility from record-keeping responsibility
IT duties from user departments

Proper Authorization of Transactions and Activities

General authorization

Specific authorization

Adequate Documents and Records


Prenumbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple uses
Constructed to encourage correct preparation

Physical Control over Assets and Records


Physical precautions
Controls related to IT equipment, programs, and data files
Backup and recovery procedures

Physical controls

Access controls

Independent Checks on Performance

The need for independent checks arises because internal control tends to change over time unless there is a mechanism for frequent review.

Information and Communication


The purpose of an accounting information and communication system is to initiate, record, process, and report the transactions and to maintain accountability for the related assets.

Monitoring
Management's ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and are modified when needed.

Learning Objective 4 Explain methods used to obtain an understanding of internal control.

Understanding Internal Control and Assessing Control Risk


Obtain Understanding of Internal Control: Design and Operation
Assess Control Risk
Test Controls

Decide Planned Detection Risk and Substantive Tests

Reasons for Sufficiently Understanding Internal Control


SAS 55 (as amended by SAS 78 and 594 plus AU319) requires the auditor to obtain an understanding of internal control for every audit.
Auditability
Potential material misstatements
Detection risk
Design of test

Minimum audit planning matters

Procedures to Determine Design and Placement


Update and evaluate auditor's previous experience with the entity.
Make inquiries of client personnel.
Read client's policy and systems manuals.
Examine documents and records.

Observe entity activities and operations.

Documentation of the Understanding

Narrative

Flowchart
Internal control questionnaire

Learning Objective 5 Assess control risk by linking strengths and weaknesses of internal control to transaction-related audit objectives.

Assess Control Risk


Obtain sufficient understanding for planning.
Assess whether the entity is auditable.
Determine assessed control risk.
Assess if a lower control risk could be supported.
Determine the appropriate assessed control risk.

Assess Control Risk


Identify transaction-related audit objectives.
Identify specific controls.
Identify and evaluate weaknesses.

Identify and Evaluate Weaknesses


Identify existing controls.
Identify the absence of key controls.
Determine misstatements that could result.
Consider compensating controls.

The Control Risk Matrix

Auditors use the control risk matrix to identify both controls and weaknesses and to assess control risk.

Communication
Reportable conditions letter
Audit committee communications
Management letters

Learning Objective 6 Describe the process of designing and performing tests of controls.

Tests of Controls

The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.

Procedures for Tests of Controls


Make inquiries of client personnel.
Examine documents, records, and reports.
Observe control-related activities.
Reperform client procedures.

Extent of Procedures

Reliance on evidence from prior year's audit
Testing less than the entire audit period

Relationship of Assessed Control Risk and Extent of Procedures


Assessed Control Risk
High Level: Obtaining an Understanding Only
Lower Level: Tests of Controls

Type of Procedure: High Level; Lower Level
Inquiry: Yes, extensive; Yes, some
Documentation: Yes, with transaction walk-through; Yes, using sample
Observation: Yes, with transaction walk-through; Yes, multiple times
Reperformance: No; Yes, sampling

Decide Planned Detection Risk and Design Substantive Tests


The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests.

The auditor links the control risk assessments to the balance-related audit objectives.

End of Chapter 10
