Chapter 9 The Study of Internal Control and Assessment of Control Risk 9.401 Auditing Chapter 9 The Study of Internal Control and Assessment of Control Risk

Generally Accepted Auditing Standard 5100.02 (ii) A sufficient understanding of internal control should be obtained to plan the audit. When control risk is assessed below maximum, sufficient appropriate audit evidence should be obtained through tests of controls to support the assessment. [Oct. 1992]

Internal Control consists of the policies and procedures established and maintained by management to assist in achieving its objectives

Those objectives are… Effectiveness and efficiency of operations safeguarding of assets Prevention and detection of fraud Reliability of financial reporting Compliance with applicable laws, regulations and policies As far as is practical. Mgmt can and should consider consequences and risks of non-control and costs of control implementation.

Factors Affecting Internal Control The entity’s size The entity’s organization and ownership characteristics The nature of the entity’s business The diversity and complexity of the entity’s operations The entity’s methods of transmitting, processing, maintaining, and accessing information Applicable legal and regulatory requirements

Criteria of Control (COCO) Board of the CICA Monitoring & Learning Purpose Commitment Capability Action A person performs a task guided by an understanding of its purpose (the objective to be achieved) and supported by capability (information, resources, supplies, and skills). The person will need a sense of commitment to perform the task well over time. The person will monitor his or her performance and the external environment to learn about how to do the task better and about changes to be made. The same is true of any team or work group

Elements of Internal Control Elements of internal control include: Control environment General computer control systems and procedures Accounting System Accounting System Control Procedures

Control Environment the collective effect of various factors on establishing, enhancing or reducing the effectiveness of internal control policies and procedures . Such factors include: Management Philosophy and Operating Style; The functioning of the board of directors and internal control, particularly the audit committee; Organizational Structure; Methods of Assigning Authority and Responsibility; Management Monitoring Methods; Internal Audit; and Personnel Policies and Practices Management reaction to external Influences Systems Development Methodology

Control Environment Reflects the overall attitude, awareness, commitment and actions of management concerning the importance of internal control and its emphasis in the entity. Strengths and weaknesses in control environment factors are likely to have a pervasive effect on the financial statements. An effective control environment interacts with control systems. It may reduce the impact that the absence of certain control systems might otherwise have. It also strengthens the impact of controls in place. An ineffective control system may impair the effectiveness of control systems.

General computer control systems Establish controls over info system processing activities Affect multiple classes of transactions

General computer control systems General Control System Means… Org and Mgmt controls -policies and procedures are established -programmer and operator functions separate Systems acquisition, development and maintenance controls -policies and procedures to ensure systems are authorized, efficient and function according to objectives Operations and Information Systems Support -system should be available and used for authorized purposes (=training, documentation, controlled access, backup and recovery)

The Accounting System = the policies and procedures involving the Collection Transcribing Processing And reporting of data

Accounting System Control Procedures = policies and procedures that enhance the reliability of accounting data Occurrence Completeness Accuracy (valuation), Posting Classification Timing -often involves “checks”, “reconciles”, “compares”, “verifies”, “ensures”…..

Segregation of duties Ensures that no-one is in a position to commit or profit from an error/fraud and cover it up. To work, these duties MUST be separate: Authorization of transaction Custody of assets (including cheques, cash, inventory etc.) Recording of transaction Periodic reconciliation

Other Controls Proper Authorization (general or specific) Adequate documents Prenumbered or sequentially numbered + follow-up of missing items Prepared on a timely basis Sufficiently simple, easy to fill out

Other Controls Safeguards over access to and use of assets Safeguards over access to and use of records Physical and logical Independent verification of performance and accuracy of recorded amounts Inventory counts, bank recs. Input or output checks (eg. Check digits, reasonableness limits) Comparison of documents, quantities, prices

Acquiring Understanding of IC At minimum, auditor must acquire understanding of: Control environment General computer control systems and procedures Accounting System

Purpose of Understanding IC Assess auditability (depends on mgmt integrity, adequacy of record and general controls) Familiarity with client to facilitate audit: Major classes of transactions How they’re initiated What records and documents exist How transactions are processed and reported Therefore, helps auditor design tests and identify potential misstatements Assess Preliminary Control Risk

Further Investigation of IC If auditor believes reliance on IC (ie. CR<100%) may be possible AND efficient, investigate further the control procedures in place Make preliminary assessment of Control Risk

Preliminary Assessment of CR Identify transaction audit objective (existence/occurrence, completeness etc.) Identify specific controls remember effects of control environment and general computer controls Identify and evaluate weaknesses Determine potential misstatements that could occur and effect on audit Consider compensating controls

How to investigate IC Update and evaluate previous working papers Inquiries of Client Personnel Read client policy and systems manuals Examine documents and records: perform transaction walk-through Observe activities and operations

Documenting the Understanding of the Internal Control A number of tools are available to the auditor for documenting the understanding of the internal control including: Copies of the entity's procedures manuals and organizational charts Narrative descriptions Internal control questionnaires Flowcharts

Further Investigation of IC If preliminary CR<100%, perform tests of controls on KEY CONTROLS to ensure: Control was operating as described, with sufficient effectiveness, throughout period of reliance Tests may include: Inquiry of personnel (requires corroboration) Examine documents, records, reports Observe activities (eg. Segregation of duties, test data) Reperform procedures if possible If control is computerized, test and ensure controls exist over changes to program

Direction of the Test of Controls Audit Procedures File of shipping documents File of recorded sales (sales journal) Vouch to shipping documents Evidence Sample selection Validity direction Sample selection Evidence Trace to recorded sales Completeness Direction

Further Investigation of IC Revise preliminary control risk with results of tests of controls Calculate detection risk and design substantive procedures Combined approach = reliance on both IC and substantive procedures Substantive approach = no reliance on IC as either unjustified or inefficient

Audit Cost Trade - off

Communications with the Client Systems improvements are communicated to the client by the management letter, which is written at the end of field work Section 5220 requires communication of all significant internal control weaknesses Section 5750 “Communication of Matters Identified During the Financial Statement Audit” eg. Fraud or illegal acts 5220 and 5750 don’t have to be in writing

Communicating Internal Control Weaknesses Reportable conditions Absence of appropriate segregation of duties Absence of appropriate reviews and approvals of transactions Evidence of failure of control procedures Evidence of intentional management override Evidence of willful wrong doing by employees or management, including manipulation, falsification or alteration of accounting records

Material Weaknesses A material weakness in internal control is defined as a reportable condition in which the design or operation of one or more of the specific internal control elements does not reduce to a relatively low level the risk that errors or irregularities in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions (AU 325.15).

Limitations of Internal Control Human failures such as simple errors or mistakes Management override Collusion Cost/benefit Unusual transactions Because of these limitations, as long as the item is material, it is generally necessary to do at least some substantive testing.