Auditing Theory  Operational effectiveness and efficiency

Chapter 11  Compliance with applicable laws and

Consideration of Internal Control in a regulations
Financial Statement Audit
Determinants of achievement of objectives
Reliable FR Compliance Operations E&E
Applicable PSA Internal/ within entity’s control Management’s
decisions,
PSA 315 “Identifying and Assessing Risks of Material competitor’s actions,
Misstatements through Understanding the Entity and other external factors
Its Environment”
 Accounting and internal control system Internal control system
 Audit risk on components: I C D  ALL policies and procedures (internal controls)
adopted by management to assist in achieving
Widely-accepted concept: internal control is important objectives:
in generating reliable financial info  Orderly and efficient conduct of
business
If audit deems IC as effective, he may decrease amount  Adherence to management policies
of audit evidence to be accumulated.  Safeguarding of assets
 Prevention and detection of F&E
Inadequate IC may preclude conduct of effective audit.  Accuracy and completeness of
accounting records
Nature of Internal Control  Timely preparation of FS
As an entity grows and more people are employed,
mechanisms need to be introduced to keep their Internal control structures VARY depending on:
performance in check  Size of the business
 Nature of operations
Smaller entities have weaker internal control that can  Objectives of organization
be compensated through active participation of owner
in operations Elements of internal control E R I C M

Internal control A. Control Environment

 Process – a means, not an end  Overall attitude, awareness, actions of directors
 Designed and effected by: and management re: IC system and its
 Management – establishment of control importance to the entity
environment & maintenance of P&P  Culture
 TCWG – ensure integrity through  The foundation for effective IC
oversight Factors reflected in control env.:
 Other personnel – perform respective  Function of BOD and its committees
functions  Communication of INTEGRITY and
 Provides REASONABLE assurance – due to ETHICAL values (policy statements, code
limitations: of conduct, management’s example)
 Costs should not exceed benefits  Commitment to COMPETENCE
 Directed at routine transactions  Participation by TCGW – entity must
 Human error have an AUDIT COMMITTEE; control
 Circumvention through collusion consciousness; must be involved in
 Management overriding IC scrutiny, interaction with I/E auditors,
 Inadequacy of procedures due to whistleblowers, review of internal
changes; deterioration of compliance control
 About achieving objectives:  Management’s philosophy and operating style –
 Reliable financial reporting (most conservatism, aggression, attitude towards:
relevant objective to auditor as he is  Business risk
only concerned with those relevant to  Financial reporting
FS assertions)  Meeting budget, profit, goals
  Organizational structure and assignment of Objective of studying internal control
authority – overall framework for planning, 1. Plan the audit
directing, and controlling operations 2. Assess control risk
 Management’s control system: a. Consider the design of controls
 Internal audit f(x) b. Whether they have been implemented
 Personnel P&P c. Effectiveness, if in use – perform tests
 Segregation of duties to determine if they are applied (NOT
 Human Resources Policies and Procedures – required in obtaining understanding of
selection of honest and competent personnel IC to plan an audit)
does not ensure that errors/irregularities will
not occur; people are the most important Design – controls that HAVE BEEN established
element of IC Effectiveness – refers to HOW controls FUNCTIONS

B. Entity’s Risk Assessment Process To assess RISK below max 100%

 Identify specific controls that are likely to
Business risk – risk that business objectives will not be prevent/ detect misstatement
attained as a result of I/E factors s.a technological
developments, changes in customers demand and other
economic changes; management should adapt P&P to Consideration of Internal Control
mitigate such risk; for audit, only those relating to prep ODAPD
of reliable FS are relevant
1. Obtain understanding of IC:
a. Evaluate design – consider capability of
C. Information and Communications System preventing, detecting, correcting MM;
- Timely info must be provided by effective IC
- Communication: providing an understanding of For initial understanding:
roles on internal control for reliable FRF;  Inquiries
electronic, oral, through management’s actions  Inspection of documents
 Observation of processes
D. Control Activities P I P S
- P&P that help ensure that management b. Implementation – control exists and
directives are carried out have been placed in operation;
- Performance reviews: analyses of relationships accomplished through a walkthrough
between data; e.g. actual performance vs (tracing a transaction through the entire
budget, prior-period performance accounting system; confirms auditor’s
- Information processing: checks accuracy, understanding of functions; both
completeness,authorization of transactions; inspection and observation)
computer: general and application controls
- Physical controls: physical security of assets, Use of understanding:
adequate safeguards, authorization for access,  Identification of potential
periodic counting misstatements
- Segregation of duties: difficult to perpetrate  Considering factors that affect RMM
fraud  Design NTE of audit procedures

E. Monitoring 2. Documenting understanding of accounting and

- Assessing quality of internal control internal control
- Ongoing monitoring: built-in; for recurring
activities; e.g. bank reconciliation Commonly used forms:
- Separate evaluations: non-routine monitoring;  Narrative description – memorandum
e.g. functions performed by internal auditor for simple IC
 Flowchart – diagrammatic
representation of IC system
  Internal control questionnaire providing 5. Documenting assessed level of CR
management’s responses to questions
about IC Control risk Conclusion
High level CR is at a high level
3. Assessment of Control Risk Less than high level CR is at less than high level
+ basis for that assessment
4. Perform Tests of Controls – must be performed (tests of controls)
irrespective of how effective controls appear;
obtain evidence about effectiveness of: *auditor cannot assess CR
a. Design of accounting and IC at less than high level w/o
b. Operation of IC ToC
*Auditor only tests controls he plans to rely
upon
*greater reliance on IC = more extensive TC Communication of internal control weaknesses
- Report to appropriate level of management
Nature of tests of control - Communication ordinarily in writing:
(1) Inquiry – searching info about effectiveness management letter
from persons inside or outside - Done at earliest opportunity
(2) Observation – looking at process performed
by OTHERS *Auditors are NOT REQUIRED to search for internal
(3) Inspection – examination of documents to control weaknesses, but must communicate ones that
provide evidence of reliability come to his attention
(4) Reperformance – repeating activity
performed by client to determine whether
correct results were obtained

*some procedures overlap = obtaining understanding

and assessing CR are often done simultaneously

Timing of tests of control

 Usually during interim period
 Obtain further evidence for remaining
period
 Factors: results of interim tests, length
of remaining period, whether changes
have occurred

Extent of tests of control

 Sample size/ number of items should be
determined

Using the results of tests of control

 Evaluation reached: assessed level of
control risk
 Use CR with IR to determine detection
risk
 CR and IR are inversely related to DR

Operating effectiveness vs. implementation

Effectiveness Implementation
Auditor obtains evidence Auditor determines
that controls operate existence of relevant
effectively controls
REPORTABLE CONDITIONS
- Matters coming to the auditor’s attention that
he believes should be reported to the AUDIT
COMMITTEE
- Represent deficiencies in design and
implementation of IC

1. Sole purpose of audit was to report on FS and

not to provide assurance that internal controls
are effective
2. Definition of reportable conditions
3. Restriction of distribution ( info solely for audit
committee, management, others within the
organization

If RC is of such magnitude as to be a material weakness,

report can separate out as a material weakness