Organizational Structure and Human Resources

Questions and Answers

Which factor is considered an external risk to an entity's performance?

Quality of personnel hired

Unassertive audit committee

Technological developments (correct)

Disruption in information systems

What is the first step in risk analysis after identifying risks?

Estimating the significance of a risk (correct)

Assessing the likelihood of the risk occurring

Documenting the identified risks

Considering how the risk should be managed

Which of the following is NOT a component of an information system?

Marketing strategies (correct)

People

Software

Procedures

Which circumstance requires special attention due to potential risks?

Rapid growth

Which of the following best describes the purpose of the financial reporting system in an information system?

To initiate and record transactions

How does changing customer needs impact risk identification?

It creates new risk categories.

What is the last step in risk analysis and management?

Considering how the risk should be managed

Which of these is considered an internal factor that can impact an entity's performance?

Quality of personnel hired

What is a critical component of an effective internal control system?

Risk management process

Which of the following practices is essential for sending messages regarding expected levels of integrity and ethical behavior to employees?

Employee training

What should be established to ensure proper assignment of authority and responsibility in an organization?

Authorization hierarchies

What is a focus area in the entity’s risk assessment process?

Consistency of objectives

What is the purpose of employee candidate background checks within human resources policies?

To identify prior unacceptable actions

Which aspect of human resources controls is crucial for evaluating employee performance?

Promotion criteria

What does the adequacy of definition of key managers' responsibilities influence?

Managerial accountability

What should organizations continually assess to manage risks effectively?

Relevant risks to objectives

What is one factor a auditor must consider when determining the relevance of controls to the audit?

The size of the entity

Which of the following steps is NOT part of an auditor's approach in evaluating client internal control?

Perform a detailed financial audit

What is the primary purpose of obtaining an understanding of the client's internal control?

To identify potential misstatements in the financial statements

Which of the following is an initial action an auditor must take in studying client internal control?

Perform a preliminary review of the internal control structure

Which of the following factors is least likely to influence an auditor's control risk assessment?

The company's public relations efforts

What is the final step in the auditor's approach after determining control risk?

Determine the substantive tests to be performed

Which of the following would be the best method for an auditor to understand a client's internal controls?

Performing a transaction walkthrough

Which component is NOT essential in evaluating the operating effectiveness of internal control?

The personal belief of the auditor

What is the appropriate audit approach when the preliminary control risk assessment is high?

Use primarily substantive tests with no reliance on controls

Which procedure is NOT part of the nature of tests of controls?

Statistical sampling

What term is used to describe differences found during tests of controls?

Deviations

How does the extent of tests of controls change with the reliability on the operating effectiveness of controls?

It increases as reliance on controls increases

Which of the following represents a situation where an auditor would typically apply tests of controls?

When planning reliance on client internal controls

What is the likely effect of a high preliminary control risk assessment on detection risk?

Increases detection risk

When the auditor relies on tests from prior periods, what aspect is critical to ensure?

The controls continue to operate effectively in the current period

What approach is typically taken when the preliminary control risk assessment is less than high?

Use a reliance approach with dual auditing programs

When does a deficiency in internal control exist?

A control is designed, implemented, or operated inadequately to prevent or detect misstatements.

What should an auditor communicate in writing to management regarding significant deficiencies?

Significant deficiencies noted or intended to be communicated to governance.

Which of the following is NOT a required component when communicating significant deficiencies?

A summary of the entire audit process.

Which statement about the purpose of the audit is correct?

The purpose is to express an opinion on the financial statements.

How should the auditor treat other deficiencies found during the audit?

Report those significant enough to merit management's attention.

What should the auditor explain about the limitations of the reporting?

The audit only assesses deficiencies identified during the audit.

What is the auditor's responsibility regarding communicating deficiencies in internal control?

To inform management timely about significant deficiencies.

What impact does the absence of necessary controls have on financial statements?

It can cause misstatements leading to flawed financial reports.

What is the purpose of understanding internal control relevant to an audit?

To identify types of potential misstatements, factors affecting risk of material misstatements, and to design audit procedures.

Which of the following is NOT one of the objectives of internal control?

Maximizing profit at any cost

Internal control provides _________ assurance regarding the achievement of objectives.

reasonable

The control environment only involves management.

False

Which of the following is NOT a component of internal control?

Financial Analysis

What are the three categories of objectives mentioned in internal control?

Operations, financial reporting, compliance.

What is the role of the control environment in internal control?

It sets the tone of an organization and influences the control consciousness of its people.

Which element is NOT part of the control environment?

Financial Performance Review

Study Notes

### Organization Structure

• The organization structure should be appropriate for information flow management.
• Key management responsibilities should be clearly defined with an understanding of these responsibilities.
• Key managers should have sufficient knowledge and experience relative to their responsibilities.

### Assignment of Authority and Responsibility

• The organization must define how authority and responsibility are assigned for operating activities.
• Reporting relationships and authorization hierarchies need to be established.

### Human Resources Policies and Practices

• Human resource practices play a role in creating an ethical culture.
• These practices should cover hiring, orientation, training, evaluating, counseling, promoting, compensation, and remedial actions.
• Policies and procedures should be in place for hiring, training, promoting, and compensating employees.
• The organization must have a policy for taking remedial action in response to departures from approved policies and procedures.
• Background checks on employee candidates are important to ensuring they meet the organization's ethical standards.
• Employee retention and promotion criteria should reflect their performance in relation to the code of conduct and other behavioral guidelines.

### The Entity’s Risk Assessment Process

• Risk assessment plays a vital role in identifying and responding to business risks.
• Risk assessment is an ongoing process and a crucial component of an effective internal control system.

### Risk Identification

• External and internal factors can impact an entity's performance.
• The risk identification process should be comprehensive and consider all significant interactions between an entity and relevant external parties.

### Risk Analysis and Management

• The process includes estimating the significance of a risk, assessing the likelihood of the risk occurring, and considering how the risk should be managed.
• Specific circumstances like changes in the operating environment, new personnel, new information systems, rapid growth, new technology, new business models, corporate restructurings, expanded foreign operations, and new accounting pronouncements require special attention.

### Information System and Communication

• The information system includes infrastructure, software, people, procedures, and data.
• The financial reporting system is part of the information system and describes transactions in a timely and detailed manner.
• The information system should be designed to identify and record all valid transactions, describe transactions in sufficient detail, and accurately measure the value of transactions.

### Relevance of Controls to the Audit

• The auditor must assess whether controls are relevant to the risk of material misstatement and design further procedures based on those risks.
• The auditor should consider the materiality of the entity, the nature of the entity's business, the diversity and complexity of the entity's operations, applicable legal and regulatory requirements, and the nature and complexity of the entity's internal control systems when evaluating the relevance of controls.

Internal Control Evaluation in Financial Statement Audit

• Auditors should evaluate the design and operating effectiveness of internal control.
• The nature, extent, and timing of audit procedures are influenced by a thorough understanding of internal control.

### Step 1 – Obtain an Understanding of the Client’s Internal Control

• Auditors need to obtain and document an understanding of the client's internal control to identify potential misstatements in financial statements.
• The process of gaining an understanding of the internal control structure includes performing a preliminary review, identifying transaction cycles, documenting the system, performing a transaction walkthrough, and making general changes to audit procedures.

### Responses at the Assertion Level

• Auditors use different audit approaches based on the preliminary control risk assessment, which impacts audit procedures.
• If the preliminary control risk assessment is high, the auditor relies primarily on substantive tests.
• For lower control risk assessments, auditors use a reliance approach, conducting both tests of controls and substantive tests.

### Test of Controls

• Test of controls is used to evaluate the design or operation of a client's internal control and support the decision to rely on those controls or not.
• Test of controls is only applied to controls that the auditor plans to rely on during substantive tests.

Nature of Test of Controls

• The test generally consists of inquiry of client personnel, observation of policy application, inspection, and reperformance or recalculation.

### Control Deviations

• When conducting test of controls, auditors may identify differences between expectations and actual occurrences.
• These differences are referred to as exceptions, deviations, or occurrences, and do not necessarily indicate errors.

### Timing of Test of Controls

• The timing of test of controls depends on the auditor's objective and determines the reliance period on those controls.
• Test of controls conducted in prior years can provide evidence about the design and operation of controls in the current audit period.

### Extent of Test of Controls

• The extent of test of controls is directly related to the level of reliance on the operating effectiveness of controls in the risk assessment.
• As the rate of expected deviation from a control increases, the auditor expands the extent of testing.
• The extent of substantive tests can also be changed as a result of the results of test of controls.

### Deficiencies in Internal Control

• A deficiency in internal control exists when a control is unable to prevent or detect and correct misstatements in the financial statements or when a necessary control is missing.
• The auditor must communicate significant deficiencies in internal control to management and those charged with governance.
• The auditor should also communicate other deficiencies in internal control that have not been reported by other parties and are important enough to merit management's attention.

### Content for Communication

• The auditor must include a description of deficiencies, their potential effects, and enough information for management to understand the context.
• The auditor must also clearly explain that the purpose of the audit was to provide an opinion on the financial statements, the audit included consideration of internal control, and the reported deficiencies are only those identified by the auditor.

Internal Control Defined

• Definition: A process designed and implemented by those in charge of governance, management, and personnel to provide reasonable assurance that the organization's objectives are met regarding reliable financial reporting, operational effectiveness and efficiency, and compliance with laws and regulations.
• COSO Framework: Defines internal control as a process encompassing the board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives related to operations, financial reporting, and compliance with applicable laws and regulations.

Purpose of Internal Control

• Operations: To ensure the effective and efficient use of resources
• Financial Reporting: To prepare reliable financial statements and prevent fraudulent public reporting
• Compliance: To ensure compliance with relevant laws and regulations

Internal Control System

• Definition: Comprises all the policies and procedures adopted by management to achieve management's objectives, encompassing business conduct, asset safeguarding, fraud and error prevention/detection, accounting record accuracy and completeness, and timely preparation of reliable information.

Components of Internal Control

• Five interrelated elements:
  • Control Environment
  • Risk Assessment Process
  • Control Activities
  • Information System and Related Business Processes Relevant to Financial Reporting and Communication
  • Monitoring of Controls

The Control Environment

• Definition: Sets the tone of the organization, influencing the control consciousness of its people. It's the foundation for all other internal control components, offering discipline and structure.
• Includes: Governance and management functions, along with the attitudes, awareness, and actions of those responsible for governance related to internal control and its significance.

Elements of the Control Environment

• 1. Communication and Enforcement of Integrity and Ethical Values:
  • Integrity: Crucial for ethical conduct in every aspect of the organization
  • Expression of Integrity: Through codes of conduct, policies on business practices, conflicts of interest, expected standards of ethical and moral behavior, dealings with employees, suppliers, customers, investors, and creditors.
• 2. Commitment to Competence: Having the necessary skills, knowledge, and experience to perform duties effectively.
• 3. Participation by Those Charged with Governance: The active engagement of the board of directors in overseeing internal control.
• 4. Management Philosophy and Operating Style: The approach and attitude of management towards internal control and risk management.
• 5. Organizational Structure: The way the organization is structured, including the lines of authority and responsibility.
• 6. Assignment of Authority and Responsibility: Clear delegation of responsibilities and accountability for internal control.
• 7. Human Resources Policies and Practices: Policies and practices for hiring, training, and evaluating personnel, promoting a culture of ethical behavior.

Description

This quiz explores key concepts in organizational structure and human resource policies. It emphasizes the importance of defined responsibilities, authority hierarchies, and ethical practices in managing an organization. Test your knowledge on how these elements contribute to effective information flow and staff management.