Auditing Lecture 6

Internal Control in a Financial Statement Audit

Major Phases of an Audit – where are we?
Client Acceptance and Continuance

Preliminary Engagement Activities

Plan the audit

Consider Internal Control

Audit Business Processes

Complete the audit

Evaluate results, issue report

2
The Assurance Bucket

evidence evidence
Remaining assurance
needed from test of details

Substantive Analytical
Procedures

Test of Controls

Risk Assessment
Procedures

3
 Learning Objectives

 Definition and components of internal control.

 Develop an understanding of an entity’s internal control.
 Assessment of the level of control risk.
 Types of tests of controls
 Timing of audit procedures
 Auditor’s communication of deficiencies in internal control.

4
Internal Control

• Management has the responsibility to maintain controls that

provide reasonable assurance that adequate control exists over the
entity’s assets and records.
• The Internal Control System should:
- ensure that assets and records are safeguarded
- create an environment in which efficiency and effectiveness
are encouraged and monitored
- generate reliable information for decision-making
• The auditor needs assurance about the reliability of the data
generated by the information system.

5
Internal Control

The auditor uses risk assessment procedures to

- obtain an understanding of the entity’s internal control
- identify the types of potential misstatements
- ascertain factors that affect the risk of material misstatement
- design tests of controls and substantive procedures

The auditor’s understanding of the internal control is a major factor in

determining the overall audit strategy. The auditor has a
responsibility to:
(1) obtain an understanding of internal control and
(2) assess control risk.

6
Objectives of Internal Control

Objectives

Reliability of Effectiveness & Compliance

Financial Efficiency of with Laws &
Reporting Operations Regulations

Controls relevant to auditors?

• Generally, internal controls pertaining to the preparation of financial
statements for external purposes are relevant.
• Controls relating to operations and compliance objectives may be
relevant when they relate to data the auditor uses to apply auditing
procedures.

7
Components of Internal Control

Entity’s Risk
Control
Assessment
Environment
Process

Information and
Communication

Control Monitoring of
Activities Controls

8
Components of Internal Control
Three Objectives of
Internal Controls

Structure of
the Entity

Five
Components

9
Components of Internal Control
Table 6–2 Components of Internal Control

10
 Control Environment

 Principle 1: The organization demonstrates a commitment to integrity and ethical

values.
 Principle 2: Those charged with governance demonstrates independence from
management and exercises oversight of the development and performance of
internal control.
 Principle 3: Management establishes, with those charged with governance,
oversight, structures, reporting lines, and appropriate authorities and
responsibilities in the pursuit of objectives.
 Principle 4: The organization demonstrates a commitment to attract, develop, and
retain competent individuals in alignment with objectives.
 Principle 5: The organization holds individuals accountable for their internal control
responsibilities in the pursuit of objectives.

11
Components of Internal Control
Table 6–2 Components of Internal Control

12
The Entity’s Risk Assessment Process

• consider external and internal events and circumstances that may

arise and adversely affect the entity’s ability to initiate, record,
process and report financial data consistent with the assertions of
management in the financial statements.

Client business risk can arise or change:

Changes in the New or revamped

New personnel
operating information
environment Rapid growth systems
New technology

New accounting
Corporate pronouncements New business
restructuring Expanded
models, products,
international
or activities
growth

13
The Entity’s Risk Assessment Process

Principle 6: The organization specifies objectives with sufficient clarity to

enable the identification and assessment of risks relating to objectives.

Principle 7: The organization identifies risks to the achievement of its

objectives across the entity and analyzes risks as a basis for determining how
the risks should be managed.

Principle 8: The organization considers the potential for fraud in assessing

risks to the achievement of objectives.

Principle 9: The organization identifies and assesses changes that could

significantly impact the system of internal control.

14
Components of Internal Control
Table 6–2 Components of Internal Control

15
Control Activities

Principle 10: The organization selects and develops control activities that
contribute to the mitigation of risks to the achievement of objectives to
acceptable levels.
- Performance Reviews
- Information Processing Controls
- Physical Controls
- Segregation of Duties

Principle 11: The organization selects and develops general control activities
over technology to support the achievement of objectives.

Principle 12: The organization deploys control activities through policies that
establish what is expected and procedures that put policies into action.

16
More on Segregation of Duties

For good internal control, the company should

separate the following duties:

 Operational responsibilities (e.g., sales)  Accounting

 Custody of assets (e.g., warehouse manager)  Accounting
 Custody of assets (e.g., warehouse manager)  Authorization of
transactions

 Typically to separate authorization, recording, and custody

17
Components of Internal Control
Table 6–2 Components of Internal Control

18
 Information and Communication
Principle 13: The organization obtains or generates and uses relevant, quality
information to support the functioning of internal control.
- Identify and record all valid transactions
- Classify transactions properly
- Measure the value of transactions properly
- Record transactions in the proper period
- Properly present transactions and disclosures

Principle 14: The organization internally communicates information, including

objectives and responsibilities for internal control, necessary to support the
functioning of internal control.

Principle 15: The organization communicates with external parties regarding

matters affecting the functioning of internal control.

19
Components of Internal Control
Table 6–2 Components of Internal Control

20
Monitoring of Controls

• process that assesses the quality of internal control

performance over time.

Principle 16: The organization selects, develops and performs ongoing and/or
separate evaluations to ascertain whether the components of internal control
are present and functioning.

Principle 17: The organization evaluates and communicates internal control

deficiencies in a timely manner to those parties responsible for taking
corrective action, including senior management and the board of directors, as
appropriate.

21
Consider IC when planning an audit to assess control
risk

Audit Risk Model

AR = IR × CR × DR

• In applying the audit risk model, the auditor must assess control risk.
• What is the decision process when consider internal control in
planning an audit?

22
Planning an audit to assess control risk
Figure 6–2 Flowchart of the Auditor’s Consideration of Internal Control and its Relation to Substantive Procedures

23
Substantive Strategy

• After obtaining an understanding of internal control, an auditor

may choose to follow a substantive strategy and set control risk
at the maximum for some or all assertions because of one or
all of the following factors

Controls are
assessed as
Controls do not Testing the
ineffective.
pertain to an effectiveness
assertion. of controls is
inefficient.

24
Reliance Strategy

Obtain Understanding of Internal

Control

Plan to Rely on Internal Control

and Assess Control Risk Below
Maximum

25
Assertations
Table 6–4 Assertions about Classes of Transactions and Events
and Related Control Activities

26
Obtain an Understanding of Internal Control

1. Understand the control environment.

2. Understand the entity’s risk assessment process.
3. Understand the information system and
communications.
4. Understand control activities.
5. Understand monitoring of controls.

Pinpoint the Design tests of

Identify types of factors that affect controls and
potential the risk of material substantive
misstatements misstatement procedures

27
Documenting the Understanding of Internal Control

Procedure Manuals and

Narrative Description
Organizational Charts

Internal Control
Flowcharts
Questionnaires

28
Documenting – An Example
Exhibit 6-1 Excerpt from a Questionnaire for Documenting
the Auditor’s Understanding of the Control Environment

29
Documenting – An Example

Document System
Narrative Memorandum

Two departments are involved in the cash collection function: the

Mail Room and Cash Receipts. In the mail room, envelopes
containing remittance advices and the customer's checks are opened.
Each check is restrictively endorsed, and a mail room employee
prepares two copies of a list of the day's receipts. Copy 1 of the list of
receipts and all remittance advices are forwarded to Accounts
Receivable for posting; Copy 2 and all checks are forwarded to Cash
Receipts.

In Cash Receipts, Copy 2 of the list of receipts and the checks are used
to prepare a bank deposit slip and two copies of a cash summary
sheet, and to update cash records. Checks and the deposit slip are
hand carried to the First National Bank for deposit, and Copy 2 of the
cash summary is forwarded to Accounts Receivable and General
Accounting for recording. Copy 2 of the cash summary and Copy 2 of
the list of receipts are filed in Cash Receipts.
Documenting – An Example

Exhibit 5.12
Payroll System Flowchart

5-
31
The Effect of Entity Size on Internal Control

• While the basic concepts of the five components should be present

in all entities, they are likely to be less formal in a small or midsize
entity than in a large entity.

32
The Limitations of an Entity’s Internal Control

Management
Override of
Internal
Control
Human Errors
or Mistakes

Collusion

33
Assessing control Risk

Identify specific
controls that will
be relied upon.

Perform tests of
controls

Conclude on the
achieved level of
control risk.

34
Test of Controls

 Auditor should consider:

 Are the control procedures performed?

 How well are they performed?

 Who performed them?

 Risk factors

 Changes in personnel

 Seasonal fluctuations in volume of transactions

35
 Class Discussion

Which of the following statements is true?

1. A mandatory holiday policy can improve the control environment
because employees who do not take holidays may become too tired
2. A mandatory holiday policy can improve the control environment
because it increases the scope for cross-checking of employees’
work
3. A mandatory holiday policy has no effect upon the control
environment
4. It is against the law to have a mandatory holiday policy

36
Document Assessment of Control Risk

The auditor’s assessment of control risk and the basis for the
achieved level can be documented using a structured working
paper, an internal control questionnaire, or a memorandum.

Let’s look at an example from EarthWear

Clothiers to see how the control risk for two
accounts that differ in terms of their nature,
size and complexity is documented.

37
Document Assessment of Control Risk – Example

38
 Perform Substantive Procedures
Table 6–6 Audit Strategies for the Nature, Timing and Extent of Substantive
Procedures Based on Different Levels of Detection Risk for Inventory
inherit/control risk high

39
Timing of Audit Procedures

Interim Year End

Figure 6–5 A Timeline for Planning and Performing the Audit of EarthWear
Clothiers

40
Interim Audit Procedures

1. Assertion being tested not significant

Interim Tests of
2. Control has been effective in prior audits
Controls 3. Efficient use of staff time

1. Control environment
2. Availability of information at a later date
3. The purpose of the substantive procedure
Interim 4. The assessed risk of material misstatement
Substantive 5. The nature of the transactions or balances and
Procedures relevant assertions
6. The ability of the auditor to perform
appropriate procedures to cover the
remaining period

41
Communication of Deficiencies in Internal Control

A control designed, implemented or operated in

such a way that it is unable to prevent, or detect
Deficiency and correct, misstatements in the financial
statements on a timely basis;
or a control necessary to prevent, or detect and
correct, misstatements in the financial statements
on a timely basis is missing.

A significant deficiency in internal control is a

Significant deficiency or combination of deficiencies in
internal control that, in the auditor’s professional
Deficiency judgement, is of sufficient importance to merit
the attention of those charged with governance.

42
Communication of Deficiencies in Internal Control

Auditing standards (HKSA 265) require that the

auditor communicates in written significant
Communication control deficiencies to those charged with
governance and management.

The auditor should also communicate to

management other control deficiencies judged
to be of sufficient importance to merit
management’s attention.

43
Table 6–7 Examples of Indicators of Significant Deficiencies in Internal Control

44
 Case Questions

1. What is the process used during planning and risk assessment

to identify RMM?
2. Describe the company’s policy on vendor bank account change
requests, the control steps and changes made
3. Does the Assistance Controllers failure to adequately review
the Vendor Change Form present a deficiency in the design or
operating effectives of control?
4. Is the failure in the Vendor Change Form control indicative of a
material weakness in ICFR?
5. What implications might a material weakness have on other
controls?

45
Internal Controls in IT Environment
The Effect of Information Technology on Internal Control
Table 6–1 Potential Benefits and Risks to an Entity’s Internal Control from IT

47
Types of Control in an IT Environment

General Application
Controls Controls

1. Data center and network operations 1. Data capture controls

2. System software acquisition, change 2. Data validation controls
and maintenance 3. Processing controls
3. Access security 4. Output controls
4. Application system acquisition, 5. Error controls
development and maintenance

48
Data Validation Controls

Table 6–8 Common Data Validation Controls

Computer-Assisted Audit Techniques

Computer-assisted audit techniques (CAATs) include:

• Generalized audit software.
• Custom audit software.
• Test data.
Generalized Audit Software

Table 6–9 Functions Performed by Generalized Audit Software

Custom Audit Software

• Custom audit software is generally written by auditors for

specific audit tasks. It may be required when the entity’s
computer system is not compatible with the auditor’s
generalized audit software.

Custom software:
(1) Is expensive to develop.
(2) Requires extended development time.
(3) May require extensive modification if the entity changes
its accounting application programs.
Test Data

Test data are developed by the auditor to test the application controls in
the entity’s computer programs. The technique can be used to check:
(1) data validation controls and error detection routines,
(2) processing logic controls,
(3) arithmetic calculations, and
(4) the inclusion of transactions in records, files and reports.
 Exercise

6-15, 6-18
6-22

54