Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internal Control in a Financial Statement Audit

Published byAlbert Fleming Modified over 6 years ago

Similar presentations

Presentation on theme: "Internal Control in a Financial Statement Audit"— Presentation transcript:

1 Internal Control in a Financial Statement Audit
Chapter 6 Internal Control in a Financial Statement Audit

2 Internal Control Management has the responsibility to maintain controls that provides reasonable assurance that adequate control exists over the entity’s assets and records. The Internal Control System should: - ensure that assets and records are safeguarded - generate reliable information for decision-making The auditor needs assurance about the reliability of the data generated by the information system.

3 Internal Control The auditor uses risk assessment procedures to
- obtain an understanding of the entity’s internal control - identify key controls - identify the types of potential misstatements - design tests of controls and substantive procedures The auditor’s understanding of the internal control is a major factor in determining the overall audit strategy. The auditor has a responsibility to: (1) obtain an understanding of internal control and (2) assess control risk.

4 COSO’s Internal Control: Integrated Framework
Reliability of Financial Reporting Effectiveness and Efficiency of Operations Compliance with Laws and Regulations Objectives

5 Controls Relevant to the Audit
Reliability of Financial Reporting Effectiveness and Efficiency of Operations Compliance with Laws and Regulations Objectives Generally, internal controls pertaining to the preparation of financial statements for external purposes are relevant to an audit.

6 Controls Relevant to the Audit
Reliability of Financial Reporting Effectiveness and Efficiency of Operations Compliance with Laws and Regulations Objectives Controls relating to operations and compliance objectives may be relevant when they relate to data the auditor uses to apply auditing procedures.

7 The Effect of Information Technology on Internal Control
Table 6–1 Potential Benefits and Risks to an Entity’s Internal Control from IT

8 Components of Internal Control
Control Environment Entity’s Risk Assessment Process Information and Communication Control Activities Monitoring Activities

9 Components of Internal Control
Table 6–2 Components of Internal Control

10 Components of Internal Control
Figure 6–1 The Relationship of the Objectives of Internal Control to the Five Components of Internal Control

11 Control Environment Principle 1: The organization demonstrates a commitment to integrity and ethical values. Principle 2: Those charged with governance demonstrates independence from management and exercises oversight of the development and performance of internal control. Principle 3: Management establishes, with those charged with governance oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

12 The Entity’s Risk Assessment Process
The risk assessment process should consider external and internal events and circumstances that may arise and adversely affect the entity’s ability to initiate, record, process and report financial data consistent with management’s financial statement assertions. Changes in the operating environment New personnel New or revamped information systems Rapid growth New technology New business models, products or activities Corporate restructuring International growth New accounting pronouncements Business risk can arise or change due to the following circumstances:

13 The Entity’s Risk Assessment Process
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.

14 Control Activities Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. - Performance Reviews - Information Processing Controls - Physical Controls - Segregation of Duties Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives. Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

15 Information and Communication
Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. - Identify and record all valid transactions - Classify transactions properly - Measure the value of transactions properly - Record transactions in the proper period - Properly present transactions and disclosures Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.

16 Monitoring of Controls
Monitoring of controls is a process that assesses the quality of internal control performance over time. Principle 16: The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

17 Planning an Audit Strategy
Audit Risk Model AR = IR × CR × DR In applying the audit risk model, the auditor must assess control risk. The figure on the next slide presents a flowchart of the auditor’s decision process when considering internal control in planning an audit.

18 Planning an Audit Strategy
Figure 6–2 Flowchart of the Auditor’s Consideration of Internal Control and its Relation to Substantive Procedures

19 Substantive Strategy After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set control risk at high for some or all assertions because of one or all of the following factors: Controls are assessed as ineffective. Controls do not pertain to an assertion. Testing the effectiveness of controls is inefficient.

20 Obtain Understanding of Internal Control
Reliance Strategy Obtain Understanding of Internal Control Plan to Rely on Internal Control and Assess Control Risk at a Lower Level

21 Assertions Table 6–4 Assertions about Classes of Transactions and Events and Related Control Activities

22 Obtain an Understanding of Internal Control
The auditor should obtain an understanding of each of the five components of internal control in order to plan the audit. This knowledge is used to: Identify types of potential misstatements Pinpoint the factors that affect the risk of material misstatement Design tests of controls and substantive procedures

23 Example Information & Documentation
Exhibit 6-1 Excerpt from a Questionnaire for Documenting the Auditor’s Understanding of the Control Environment

24 Obtain an Understanding of Internal Control
Understand the control environment. Understand the entity’s risk assessment process. Understand the information system and communications. Understand control activities. Understand monitoring of controls. 24

25 Documenting the Understanding of Internal Control
Procedure Manuals and Organizational Charts Flowcharts Internal Control Questionnaires Narrative Description

26 The Effect of Entity Size on Internal Control
While the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small or midsize entity than in a large entity.

27 The Limitations of an Entity’s Internal Control
Management Override of Internal Control Human Errors or Mistakes Collusion

28 Reasons Cited for Why Fraud Occurred
Figure 6–4 Reasons Cited for Why Fraud Occurred

29 Assessing Control Risk
Identify specific controls that will be relied upon. Perform tests of controls Conclude on the achieved level of control risk.

30 Performing Tests of Controls
Inquiry of appropriate entity personnel Inspection of documents indicating the performance of the control Observation of the application of the control Reperformance of the application of the control by the auditor

31 Documenting the Achieved Level of Control Risk
The auditor’s assessment of control risk and the basis for the achieved level can be documented using a structured working paper, an internal control questionnaire or a memorandum. Let’s look at an example from EarthWear Clothiers to see how the control risk for two accounts that differ in terms of their nature, size and complexity is documented.

32 An Example of Assessing Control Risks and Its Effects
Table 6–5 An Example of How Account Characteristics Affect the Auditor’s Understanding of Internal Control, Control Risk Assessment and Planned Substantive Procedures

33 An Example of Assessing Control Risks and Its Effects
Table 6–5 (continued)

34 Performing Substantive Procedures
Table 6–6 Audit Strategies for the Nature, Timing and Extent of Substantive Procedures Based on Different Levels of Detection Risk for Inventory

35 Timing of Audit Procedures
Interim Year End Let’s look at the EarthWear Clothiers example again to see the timing of its audit procedures.

36 Timing of Audit Procedures
Figure 6–5 A Timeline for Planning and Performing the Audit of EarthWear Clothiers

37 Interim Audit Procedures
Interim Tests of Controls Assertion being tested not significant Control has been effective in prior audits Efficient use of staff time Interim Substantive Procedures Control environment Availability of information at a later date The purpose of the substantive procedure The assessed risk of material misstatement The nature of the transactions or balances and relevant assertions The ability of the auditor to perform appropriate procedures to cover the remaining period

38 Auditing Accounting Applications Processed by Service Organizations
In some instances, an entity may have some or all of its accounting transactions processed by an outside service organization. Because the entity’s transactions are subjected to the controls of the service organization, one of the auditor’s concerns is the internal control system in place at the service organization. It is not uncommon for service organizations to have an auditor issue one of two types of reports on their operations.

39 Auditing Accounting Applications Processed by Service Organizations
Type 1 Report Describes the service organization's controls and assesses whether they are suitably designed to achieve specified internal control objectives. Type 2 Report Goes further by providing assurance on the operating effectiveness of the service organization’s controls based on the auditor’s tests of controls. An auditor may reduce control risk below high only on the basis of a service auditor’s type 2 report.

40 Communication of Deficiencies in Internal Control
(1) A control designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or (2) a control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing. Deficiency A significant deficiency in internal control is a deficiency or combination of deficiencies in internal control that, in the auditor’s professional judgement, is of sufficient importance to merit the attention of those charged with governance. Significant Deficiency

41 Communication of Deficiencies in Internal Control
Auditing standards (ISA 265) require that the auditor communicates in written significant control deficiencies to those charged with governance and management. The auditor should also communicate to management other control deficiencies judged to be of sufficient importance to merit management’s attention. Communication

42 Examples of Indicators of Significant Deficiencies
Table 6–7 Examples of Indicators of Significant Deficiencies in Internal Control

43 Types of Controls in an IT Environment
General Controls Data center and network operations System software acquisition, change and maintenance Access security Application system acquisition, development and maintenance Application Controls Data capture controls Data validation controls Processing controls Output controls Error controls

44 Types of Controls in an IT Environment
Table 6–8 Common Data Validation Controls

45 Computer-Assisted Audit Techniques
Computer-assisted audit techniques (CAATs) include: Generalized audit software. Custom audit software. Test data.

46 Generalized Audit Software
Table 6–9 Functions Performed by Generalized Audit Software

47 Custom Audit Software Custom audit software is generally written by auditors for specific audit tasks. It may be required when the entity’s computer system is not compatible with the auditor’s generalized audit software. Custom software: Is expensive to develop. Requires extended development time. May require extensive modification if the entity changes its accounting application programs.

48 Test Data Test data are developed by the auditor to test the application controls in the entity’s computer programs. The technique can be used to check: (1) data validation controls and error detection routines, (2) processing logic controls, (3) arithmetic calculations, and (4) the inclusion of transactions in records, files and reports.

49 Figure 6–6 Flowcharting Symbols

Download ppt "Internal Control in a Financial Statement Audit"

Similar presentations

Internal Control in a Financial Statement Audit

Internal Control in a Financial Statement Audit
Internal Control–Integrated Framework

Internal Control–Integrated Framework
Internal Control and Control Risk

Internal Control and Control Risk
Internal Control.

Internal Control.
Internal Control Chapter 7 covers two distinct, but related topics:

Internal Control Chapter 7 covers two distinct, but related topics:
INTERNAL CONTROL. INTERNAL CONTROL DEFINED  INTERNAL CONTROL IS A PROCESS - EFFECTED BY AN ENTITY'S BOARD OF DIRECTORS, MANAGEMENT, AND OTHER PERSONNEL.

INTERNAL CONTROL. INTERNAL CONTROL DEFINED  INTERNAL CONTROL IS A PROCESS - EFFECTED BY AN ENTITY'S BOARD OF DIRECTORS, MANAGEMENT, AND OTHER PERSONNEL.
Standar Pekerjaan Lapangan: Pemahaman Memadai atas Pengendalian Intern Pertemuan 5.

Standar Pekerjaan Lapangan: Pemahaman Memadai atas Pengendalian Intern Pertemuan 5.
6-1 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 6 Internal Control Evaluation: Assessing Control Risk.

6-1 McGraw-Hill/Irwin ©2002 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 6 Internal Control Evaluation: Assessing Control Risk.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Auditing A Risk-Based Approach To Conducting A Quality Audit

Auditing A Risk-Based Approach To Conducting A Quality Audit
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.

18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
Internal Control in a Financial Statement Audit

Internal Control in a Financial Statement Audit
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Section 404 Audits of Internal Control and Control Risk

Section 404 Audits of Internal Control and Control Risk
INTERNAL CONTROL OVER FINANCIAL REPORTING

INTERNAL CONTROL OVER FINANCIAL REPORTING
Financial Audit Autonomous Bodies Internal Control and Risk Assessment Session 1.8 1 Internal Control and Risk Assessment.

Financial Audit Autonomous Bodies Internal Control and Risk Assessment Session Internal Control and Risk Assessment.
Auditing Internal Control over Financial Reporting

Auditing Internal Control over Financial Reporting
Audit objectives, Planning The Audit

Audit objectives, Planning The Audit
Auditing Internal Control over Financial Reporting

Auditing Internal Control over Financial Reporting
Chapter 07 Internal Control McGraw-Hill/IrwinCopyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.

Chapter 07 Internal Control McGraw-Hill/IrwinCopyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.

Similar presentations

Ads by Google