Chapter 5 Internal Control
Internal Control
A process, effected by the entity’s board of directors, management, and
other personnel, designed to provide reasonable assurance regarding,
achievement of (the entity’s) objectives relating to:
❑Operations
❑Reporting, and
❑Compliance
Control Objectives
In each area of internal control (Reporting, Operations and
Compliance)
◦ Control objectives and
◦ Sub objectives exist
External Reporting Example: Accounts Receivable (A/R)
Top level objective – prepare and issue reliable financial information
◦ Detailed level applied to A/R sub objectives
◦ All goods shipped are accurately billed in the proper period
◦ Invoices are accurately recorded for all authorized shipments and only for such
shipments
◦ Authorized and only authorized sales returns and allowances are accurately
recorded
◦ The continued completeness and accuracy of A/R is ensured
◦ Accounts receivable records are safeguarded
Foreign Corrupt Practices Act
Passed in 1977 in response to American corporations’
practice of paying bribes and kickbacks to officials in
foreign countries to obtain business
The Act
◦ Requires an effective system of internal control
◦ Makes the payment of bribes to foreign officials illegal
Components of Internal Control - CRIME
The Control Environment
Risk Assessment
Control Activities
Information System Relevant to Financial Reporting and
Communication
Monitoring Activities
Control Environment
Commitment to integrity and ethical values.
Board of directors demonstrates independence from
management and exercises oversight of internal control.
Establishment of effective structure, including reporting
lines, and appropriate authorities and responsibilities.
Commitment to attract, develop, and retain competent
employees.
Holding employees accountable for internal control
responsibilities.
Risk Assessment
Clearly specify ROC objectives to allow the
identification and assessment of risks related to
those objectives.
Identify and analyze risks to the achievement of its
objectives to determine how they may be
managed.
Consider potential fraud relating to the
achievement of objectives.
Identify and assess changes that could impact
internal control.
Control Activities
Performance reviews
Transaction control activities
Physical controls
Segregation of duties
◦ Segregate Proper authorization, access, recording, and custody of assets (SPARC)
◦ Fundamental principle – ensure two or more persons participate in every transaction
Objectives of an Accounting Information System
Identify and record valid transactions
Describe on a timely basis the transactions in sufficient
detail to permit proper classification of transactions
Measure the value of transactions appropriately
Determine the time period in which the transactions
occurred to permit recording in the proper period
Present properly the transactions and related disclosures in
the financial statements
Monitoring
Ongoing monitoring activities
◦ Regularly performed supervisory and management activities
◦ Example: Continuous monitoring of customer complaints
Separate evaluations of internal control
◦ Performed on nonroutine basis
◦ Example: Periodic audits by internal audit
Controls over Financial Reporting
Preventive
◦ Aimed at avoiding the occurrence of misstatements in the financial
statements
◦ Example: Segregation of duties
Detective
◦ Designed to discover misstatements after they have occurred
◦ Example: Monthly bank reconciliations
Corrective
◦ Needed to remedy the situation uncovered by detective controls
◦ Example: Backups of master file
Controls overlap
◦ Complementary – function together
◦ Redundant – address same assertion or control objective
◦ Compensating – reduces risk existing weakness will result in misstatement
Limitations of Internal Control
Errors may arise from misunderstandings of
instructions, mistakes of judgment, fatigue, etc.
Controls that depend on the segregation of
duties may be circumvented by collusion
Management may override the structure
Compliance may deteriorate over time
Enterprise Risk Management (ERM)
COSO issued a framework in 2004 (revised in 2017) on
Enterprise Risk Management (ERM). It does not replace
the original COSO internal control framework.
It goes beyond internal control to focus on how
organizations can effectively manage risks and
opportunities.
The auditing standards are still structured around the
original COSO internal control framework but the risk
management framework is useful in evaluating the risk
assessment component of internal control.
Auditors’ Consideration of Internal Control
Roadmap
Auditors’ Overall Approach with Internal
Control
Review: Overall approach of an audit
1. Plan the audit
2. Obtain an understanding of the client and its environment, including
internal control
3. Assess the risks of material misstatement and design further audit
procedures
4. Perform further audit procedures
5. Complete the audit
6. Form an opinion and issue the audit report
Steps 2-4 relate most directly to the role of internal
control in financial statement audits
Obtain an understanding of the client and its
environment, including internal control
The understanding of internal control is used to help the auditors
to
◦ Identify types of potential misstatements
◦ Consider factors that affect the risks of material misstatement
◦ Design tests of controls (when applicable) and substantive procedures
Auditors must consider all five internal control components
◦ Control environment
◦ Accounting information system
◦ Risk assessment
◦ Control activities
◦ Monitoring
In doing so, the auditors should also consider areas difficult to
control like non-routine transactions
Obtaining the Understanding
Procedures include
◦ Inquiring of entity personnel
◦ Observing the application of specific controls
◦ Inspecting documents and reports
◦ Tracing transactions through the information system relevant to financial reporting
May also obtain evidence on operating effectiveness of various controls
Documenting the Understanding of Internal Control
Questionnaires
◦ Typically standardized by firm
Written Narratives
◦ Memos that describe flow of transactions
Flowcharts
◦ Systems flowcharts
Walk-through
◦ Trace one or two transactions through cycle
Flowchart Symbols
Assess the Risks of Material Misstatement
General approach
◦ Identify risks while obtaining an understanding of the client
and its environment, including its internal control
◦ Relate the identified risks to what can go wrong at the relevant
assertion level
◦ Consider whether the risks are of a magnitude that could result
in a material misstatement
◦ Consider the likelihood that the risks could result in a material
misstatement
The Nature of Transactions
Consider the nature of the transactions
◦ Routine transactions—e.g., revenue, purchases, and cash receipts and
disbursements
◦ Non-routine transactions—e.g., taking of inventory, calculating depreciation
expense
◦ Estimation transactions—e.g., determining the allowance for doubtful accounts
Generally routine transactions have the strongest
controls
Assessing Risks at the Financial
Statement Level
Examples
◦ Preparing the period-end financial statements, including the development
of significant accounting estimates and preparation of the notes
◦ The selection and application of significant accounting policies
◦ IT general controls
◦ The control environment
Responses to high risks
◦ Assigning more experienced staff or those with specialized skills
◦ Providing more supervision and emphasizing the need to maintain
professional skepticism
◦ Incorporating additional elements of unpredictability in the selection of
further audit procedures to be performed
◦ Increasing the overall scope of audit procedures, including the nature,
timing or extent
Assessing Risks at the Assertion Level
Examples
◦ Failure to recognize an impairment loss on a long-lived asset affects only the
valuation assertion
◦ Inaccurate counting of inventory at year-end affects the valuation of inventory and
the accuracy of cost of goods sold
Responses
◦ Decisions are made here as to the appropriate combination of tests of controls and
substantive procedures
Perform Further Audit Procedures – Test of Controls
Approach:
◦ Identify controls likely to prevent or detect material
misstatements
◦ Perform tests of controls to determine whether they are
operating effectively
Tests of controls address:
◦ How controls were applied
◦ The consistency with which controls were applied
◦ By whom or by what means (e.g., electronically) the controls
were applied
Perform Further Audit Procedures – Test of Controls
Tests of controls include:
◦ Inquiries of appropriate client personnel
◦ Inspection of documents and reports
◦ Observation of the application of controls
◦ Reperformance of the controls
The results of the tests of controls are used to determine the nature, timing
and extent of substantive procedures
Effects of Data Analytics
Data analytics may be used to perform tests of controls (operating
effectiveness); auditors may test controls over the entire population of
transactions rather than a sample
Will use Urgent Medical Device as an example
Use of the Work of Internal Auditors
Work of Internal Auditors may be used in two ways:
◦ Obtaining audit evidence by using the internal auditors’ work performed as a part of
their normal responsibilities, and
◦ Using internal auditors to provide direct assistance on the external audit.
Service Organizations
Computer service organizations provide processing services to customers who
decide not to invest in their own processing of particular data
Examples: Outsource processing of payroll or Internet sales; storage of data
and records in the service organization’s Cloud
Service Organizations
Auditor should obtain understanding of the outsourced
function by following one or more of:
◦ Contacting service organization to obtain information.
◦ Visiting service organization and performing necessary
procedures.
◦ Obtaining a report from service organization
Terms
◦ Service auditor—provides examination of service
organization’s controls.
◦ User Auditor—Uses that report.
Service Organizations
Types of Service Auditor Reports
◦ Type 1—Management’s description of the system and
the auditor’s assessment of the suitability of the
design of controls
◦ Type 2—Attributes of 1, plus assurance on the
operating effectiveness of controls
◦ A Type 2 report may provide the user auditor with a basis for
assessing control risk below the maximum.
Relationships Among Deficiencies
[Figure: Deficiency in Internal Control, with categories Less than Significant, Significant Deficiency, and Material Weakness]
Internal Control in the Small Company
Due to lack of employees, internal control is seldom strong in
small businesses
Specific practices for small businesses
◦ Record all cash receipts immediately
◦ Deposit all cash receipts intact daily
◦ Make all payments by serially numbered checks, with exception of petty
cash disbursements
◦ Reconcile bank accounts monthly and retain copies
◦ Use serially numbered invoices, purchase orders, and receiving reports
◦ Issue checks to vendors only in payment of approved invoices that have
been matched with purchase orders and receiving reports
◦ Balance subsidiary ledger with control accounts
◦ Prepare comparative financial statements monthly to disclose significant
variations in any category of revenue or expense
Assume that you have been hired by Willington, CPA, as a new staff assistant. He informs you that his approach
to audits has always been to assess control risk at the maximum and perform all the substantive procedures he
considers necessary. However, he has recently read an article in The Journal of Accountancy that indicates that a
more efficient audit may sometimes be achieved by performing some tests of controls and thereby assessing
control risk at a lower level. Willington shows you the following table that came from the article:
Assessed Level of Control Risk (columns) by Inherent Risk (rows)

| Inherent Risk | Control Risk: Low | Control Risk: Moderate | Control Risk: Maximum |
|---|---|---|---|
| Low | Highest allowable detection risk (lowest allowable scope of substantive procedures) | High detection risk (low scope of substantive procedures) | Moderate detection risk (moderate scope of substantive procedures) |
| Moderate | High detection risk (low scope of substantive procedures) | Moderate detection risk (moderate scope of substantive procedures) | Low detection risk (very high scope of substantive procedures) |
| Maximum | Moderate detection risk (moderate scope of substantive procedures) | Low detection risk (very high scope of substantive procedures) | Lowest detection risk (highest scope of substantive procedures) |

Willington understands that the table is only for illustrative purposes and that other “in between” levels of the
various risks are possible, but he wants you to use the ones in the table to help him understand the trade-offs
between tests of controls and substantive procedures. He understands that these risks would be assessed at the
assertion level for the various accounts, but he wants to better understand how the various tests performed in an
audit “tie together.” To keep things simple, he says to assume that inherent risk is at the maximum level in all
cases.