Internal Control in a Financial Statement Audit Chapter 6 Internal Control in a Financial Statement Audit

Internal Control LO# 1 Management has the responsibility to maintain controls that provide reasonable assurance that adequate control exists over the entity’s assets and records. The Internal Control System should: -ensure that assets and records are safeguarded -generate reliable information for decision making The auditor needs assurance about the reliability of the data generated by the information system. 6-2

Internal Control LO# 1 The auditor’s understanding of the internal control is a major factor in determining the overall audit strategy. The auditor has a responsibility to: (1) obtain an understanding of internal control and (2) assess control risk. 6-3

COSO Framework and Controls Relevant to the Audit LO #2, 3 COSO Framework and Controls Relevant to the Audit Reliability of Financial Reporting (most important for the audit) Effectiveness and Efficiency of Operations Compliance with Laws and Regulations Objectives 6-4

COSO Components of Internal Control LO# 5 COSO Components of Internal Control 6-5

LO# 5 Control Environment 6-6

The Entity’s Risk Assessment Process LO# 5 The Entity’s Risk Assessment Process The risk assessment process should consider external and internal events and circumstances that may arise and adversely affect the entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. Changes in the operating environment New personnel New or revamped information systems Rapid growth New technology New business models, products, or activities Corporate restructuring International growth New accounting pronouncements Client business risk can arise or change due to the following circumstances: 6-7

Information System and Communication LO# 5 Information System and Communication An effective accounting system gives appropriate consideration to establishing methods and records that will Identify and record all valid transactions. Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting. Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period. Properly present the transactions and related disclosures in the financial statements. 6-8

Information processing LO# 5 Control Activities Control activities are the policies and procedures that help ensure that management’s directives are carried out. Control activities are commonly categorized into the following types: Performance reviews Information processing Physical controls Segregation of duties 6-9

Monitoring of Controls LO# 5 Monitoring of Controls Monitoring of controls is a process that assesses the quality of internal control performance over time. Effective Monitoring Establishing a foundation for control effectiveness Designing and executing monitoring procedures based on business risks Assessing and reporting results 6-10

Planning an Audit Strategy LO# 6 Planning an Audit Strategy Audit Risk Model AR = IR × CR × DR In applying the audit risk model, the auditor must assess control risk. The figure on the next slide presents a flowchart of the auditor’s decision process when considering internal control in planning an audit. 6-11

LO# 6 Planning an Audit Strategy Figure 6-3 Flowchart of the Auditor’s Consideration of Internal Control and Its Relation to Substantive Procedures 6-12

Substantive Strategy LO# 6 After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set control risk at a relatively high for some or all assertions because of one or all of the following factors: Controls are assessed as ineffective. Controls do not pertain to an assertion. Testing the effectiveness of controls is inefficient. 6-13

Reliance Strategy Obtain Understanding of Internal Control LO# 6 Reliance Strategy Obtain Understanding of Internal Control Plan to Rely on IC and Assess Control Risk at a relatively low level 6-14

LO# 6 Assertions 6-15

Obtain an Understanding of Internal Control LO# 7 Obtain an Understanding of Internal Control The auditor should obtain an understanding of each of the five components of internal control in order to plan the audit. This knowledge is used to: Identify types of potential misstatement Pinpoint the factors that affect the risk of material misstatement Design tests of controls and substantive procedures 6-16

Obtain an Understanding of Internal Control LO# 7 Obtain an Understanding of Internal Control Understand the control environment. Understand the entity’s risk assessment process. Understand the information system and communications. Understand control activities. Understand monitoring of controls. 6-17 17

Documenting the Understanding of Internal Control LO# 8 Documenting the Understanding of Internal Control Procedure Manuals and Organizational Charts Flowcharts Internal Control Questionnaires Narrative Description 6-18

The Effect of Entity Size on Internal Control LO# 8 The Effect of Entity Size on Internal Control While the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small or midsize entity than in a large entity. 6-19

The Limitations of an Entity’s Internal Control LO# 8 The Limitations of an Entity’s Internal Control Override of Internal Control by Management Human Errors or Mistakes Collusion 6-20

Assessing Control Risk LO# 9 Identify specific controls that will be relied upon. Perform tests of controls. Conclude on the achieved level of control risk.* *This means the control risk after testing is completed. Generally, after testing, the CR will either be unchanged or it will be revised higher. 6-21

Performing Tests of Controls LO# 10 Performing Tests of Controls Inquiry of appropriate personnel Inspection of documents indicating the performance of the control Observation of the application of the control Reperformance of the application of the control by the auditor 6-22

Documenting the Achieved Level of Control Risk The auditor’s assessment of control risk and the basis for the achieved level can be documented using a structured working paper, an internal control questionnaire, or a memorandum. Let’s look at an example from EarthWear Clothiers to see how the control risk for two accounts that differ in terms of their nature, size, and complexity is documented. 6-23

An Example of Assessing Control Risks and Its Effects LO# 10 An Example of Assessing Control Risks and Its Effects 6-24

Performing Substantive Procedures LO# 11 Performing Substantive Procedures 6-25

Timing of Audit Procedures LO# 12 Timing of Audit Procedures Interim Year End Let’s look at the EarthWear Clothiers example again to see the timing of their audit procedures. 6-26

LO# 12 Timing of Audit Procedures A Timeline for Planning and Performing the Audit of EarthWear Clothiers 6-27

Interim Audit Procedures LO# 12 Interim Audit Procedures Interim Tests of Controls Assertion being tested not significant Control has been effective in prior audits Efficient use of staff time Interim Substantive Procedures Assertion probably has low control risk May increase the risk of material misstatements Still requires some year-end testing 6-28

Auditing Accounting Applications Processed by Service Organizations LO# 13 Auditing Accounting Applications Processed by Service Organizations In some instances, a client may have some or all of its accounting transactions processed by an outside service organization. Because the client’s transactions are subjected to the controls of the service organization, one of the auditor’s concerns is the internal control system in place at the service organization. It is not uncommon for service organizations to have an auditor issue one of two types of reports on their operations. 6-29

Auditing Accounting Applications Processed by Service Organizations LO# 13 Auditing Accounting Applications Processed by Service Organizations Type 1 Report Describes the service organization’s controls and assesses whether they are suitably designed to achieve specified internal control objectives. Type 2 Report Goes further by testing whether the controls provide reasonable assurance that the related control objectives were achieved during the period. An auditor may reduce control risk below the maximum only on the basis of a service auditor’s Type 2 report. 6-30

Significant Deficiency LO# 14 Auditors must communicate to the audit committee or BOD internal control problems A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented, or detected and corrected, on a timely basis. Material Weakness A Significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. Significant Deficiency 6-31

Examples of internal control problems LO# 14 Examples of internal control problems 6-32

End of Chapter 6