Audit 5 PDF - Internal Control Study

Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...

Document Details

Tags

internal control audit procedures financial statements business management

Summary

This document provides a study of internal control, covering various aspects such as introduction, definitions (internal control, COSO), and the components of internal control. It also covers examples of economic decisions and internal control procedures.

Full Transcript

CHAPTER 5 STUDY AND EVALUATION OF INTERNAL CONTROL INTRODUCTION PSA 315 (Redrafted) provides that the auditor shall obtain an understanding of internal control relevant to the audit. The objectives of the auditor in obtaining an understanding of the client’s internal control are to: 1. I...

CHAPTER 5 STUDY AND EVALUATION OF INTERNAL CONTROL INTRODUCTION PSA 315 (Redrafted) provides that the auditor shall obtain an understanding of internal control relevant to the audit. The objectives of the auditor in obtaining an understanding of the client’s internal control are to: 1. Identify types of potential misstatements in the financial statements. 2. Identify factors that affect the risk of material misstatements in the financial statements. 3. Design the nature, extent and timing of further audit procedures (tests of controls and substantive tests). INTERNAL CONTROL DEFINED Internal Control is the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting effectiveness and efficiency of operations, and compliance with laws and regulations. INTERNAL CONTROL DEFINED Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. INTERNAL CONTROL DEFINED Internal Control is a Process Internal Control Involves People Internal Control Provides Reasonable Assurance Internal Control is Geared Towards the Achievement of an Entity’s Objectives Objectives fall into three categories: operations, financial reporting, and compliance. This categorization allows focusing on separate aspects of internal control. Examples of Economic Decisions Made by Users of Financial Statements Operations Relating to effective and efficient use of the entity’s resources. These pertain to effectiveness and efficiency of the entity’s operations. They vary based on management’s choices about structure and performance. Financial Reporting Relating to preparation of reliable published financial statements, including prevention of fraudulent public financial reporting. They are driven primarily by external requirements. Compliance Relating to the entity’s compliance with applicable laws and regulations. They are dependent in external factors. Tend to be similar across all entities in some cases and across an industry in others. INTERNAL CONTROL DEFINED Internal Control System – consists of all the policies and procedures adopted by the management of an entity to assist in achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable information. COMPONENTS OF INTERNAL CONTROL Five inter-related components of internal control: 1. Control Environment 2. Risk Assessment Process 3. Control Activities 4. Information System and Related Business Processes Relevant to Financial Reporting and Communication 5. Monitoring of Controls CONTROL ENVIRONMENT Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. It includes the governance and management function and the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance in the entity. CONTROL ENVIRONMENT Elements of the Control Environment 1. Communication and enforcement of integrity and ethical values. 2. Commitment to Competence 3. Participation by Those Charged with Governance 4. Management Philosophy and Operating Style 5. Organizational Structure 6. Assignment of Authority and Responsibility 7. Human Resources Policies and Practices Communication and Enforcement of Integrity and Ethical values Integrity is a prerequisite for ethical behavior in all aspects of an enterprise’s activities. Integrity and ethical values are expressed through: 1. Existence and implementation of codes of conduct and other policies regarding acceptable business practice, conflicts of interest, or expected standards or ethical and moral behavior. Communication and Enforcement of Integrity and Ethical values Integrity and ethical values are expressed through: 2. Dealings with employees, suppliers, customers, investors, creditors, insurers, competitors, and auditors. 3. Pressure to meet unrealistic performance targets – particularly for short-term results – and extent to which compensation is based on achieving those performance targets. Commitment to Competence Competence should reflect the knowledge and skills needed to accomplish tasks that define the individual’s job. Commitment to competence is expressed through: 1. Formal or informal job description or other means of defining tasks that comprise particular jobs. 2. Analyses of the knowledge and skills needed to perform jobs adequately. Participation by those Charged with Governance The control environment is influenced significantly by the entity’s board of directors and audit committee. Because of its importance, an active and involved board of directors, boards of trustees or comparable body is critical to effective internal control. Participation by those Charged with Governance Controls involving Board of Directors or Audit Committee include: 1. Independence from management, such that necessary, even if difficult and probing, questions are raised. 2. Frequency and timeliness with which meetings are held with chief financial and/or accounting officers, internal auditors and external auditors. 3. Sufficiency and timeliness with which information is provided to board or committee members, to allow monitoring of management’s objectives and strategies, the entity’s financial position and operating results, and terms of significant agreements. 4. Sufficiency and timeliness with which the board or audit committee is appraised of sensitive information, investigations and improper acts of officers. Management’s Philosophy and Operating Style This factor affects the way the enterprise is managed, including the kinds of business risks accepted. Controls involving Management’s Philosophy and Operating Style: 1. Nature of business risk accepted 2. Frequency of interaction between senior and operating management 3. Attitudes and actions toward financial reporting Organizational Structure An entity’s organization structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled and monitored. Activities may relate to what is sometimes referred to as the value chain: inbound activities, operation or production, outbound, marketing, sales and services. Organizational Structure Controls involving organizational structure are expressed through: 1. Appropriateness of the entity’s organization structure, and its ability to provide the necessary information flow to manage its activities. 2. Adequacy of definition of key manager’s responsibilities, and their understanding of these responsibilities. 3. Adequacy of knowledge and experience of key managers in light of responsibilities. Assignment of Authority and Responsibility This element pertains to how an organization assigns authority and responsibility for operating activities, and how reposting relationships and authorization hierarchies are established. Human Resources Policies And Practices Human resources practices send messages to employees regarding expected levels of integrity, ethical behaviour and competence. Such practices relate to hiring, orientation, training, evaluating, counselling, promoting, compensating and remedial actions. Controls involving human resources policies and practices include: 1. The extent to which policies and procedures for hiring, training, promoting and compensating employees are in place. 2. Appropriateness of remedial action taken in response to departures from approve policies and procedures. Human Resources Policies And Practices Controls involving human resources policies and practices include: 3. Adequacy of employee candidate background checks, particularly with regard to prior actions or activities considered to be unacceptable by the entity. 4. Adequacy of employee retention and promotion criteria and information-gathering techniques and relation to the code of conduct or other behavioral guidelines. THE ENTITY’S RISK ASSESSMENT PROCESS Risk Assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. All entities regardless of size, structure, nature or industry, encounter risks at all levels within their organizations. The goal of internal control in this area focuses primarily on: Developing consistency of objectives and goals throughout the organization, Identifying key success factors, and Timely reporting to management on performance and expectations. THE ENTITY’S RISK ASSESSMENT PROCESS An entity’s risk assessment process is its process for identifying and responding to business risks and results thereof. The process of identifying and analyzing risk is an on-going iterative process and it a critical component of an effective internal control system. Risk Identification An entity’s performance can be at risk due to internal or external factors. Risk arises as objectives increasingly differ from past performance. It is important that risk identification be comprehensive. It should consider all significant interactions between an entity and relevant external parties. Examples of Economic Decisions Made by Users of Financial Statements External Factors Internal Factors Technological developments Disruption in information systems processing Changing customer needs or Quality of personnel hired and expectations methods of training and motivation New legislation and regulation Change in management responsibilities Natural catastrophes Nature of the entity’s activities and employee accessibility to assets, Economic changes Unassertive or ineffective board or audit committee Risk Analysis and Management After the entity has identified entity-wide and activity risks, a risk analysis needs to be performed. The process includes: 1. Estimating the significance of a risk; 2. Assessing the likelihood of the risk occurring; 3. Considering how the risk should be managed. Circumstances Demanding Special Attention Changes in operating environment New personnel New or revamped information systems Rapid growth New technology New business models, products, or activities Corporate restructurings Expanded foreign operations New accounting pronouncements INFORMATION SYSTEM AND COMMUNICATION Information system consists of infrastructure, software, people, procedures, and data. The information system relevant to financial reporting objectives, which includes the financial reporting system, consists of the procedures and records established to initiate, record, process and report entity transactions. Processes which are part of the information system are recording, processing, and reporting. INFORMATION SYSTEM AND COMMUNICATION An information system encompasses methods and records that: 1. Identify and record all valid transactions. 2. Describe on timely basis the transactions in sufficient detail. 3. Measure the value of transactions that permits their proper monetary value. 4. Determine the time period in which transactions occurred to permit recording of transaction in the proper accounting period 5. Present properly the transactions and related disclosures in the financial statements. INFORMATION SYSTEM AND COMMUNICATION Information Information is needed at all levels of an organization to run the business, and move toward achievement of the entity’s objectives in all categories. An array of information is used. Information Quality The quality of system-generated information affects management’s ability to make appropriate decisions in managing and controlling the entity’s activities. It is critical that reports containing enough appropriate data to support effective control. Guide Questions – Quality of Information Content is appropriate – Is the needed information there? Information is timely – Is it where required? Information is current – Is it the latest available? Information is accurate – Are the data correct? Information is accessible – Can it be obtained easily by appropriate parties? All of these questions must be addressed by the system design. INFORMATION SYSTEM AND COMMUNICATION Communication Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. Means of Communication Communication takes such forms as policy manuals, memoranda, bulletin boards notices and videotaped messages. CONTROL ACTIVITIES Control Activities are policies and procedures, which are the actions of people to implement the policies, to help ensure that management directives identified as necessary to address risks are carried out Types of Control Activities Control Activities can be divided into three categories, based on the nature of the entity’s objectives to which they relate: operations, financial reporting, or compliance. 1. Performance Reviews 2. Information Processing 3. Physical Controls 4. Segregation of duties 1. Performance Reviews These include: Reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; Relating different sets of data – operating or financial – to one another, together with analyses of the relationships and investigative and corrective actions; Comparing internal data with external sources of information; Review of functional or activity performance 2. Information Processing These controls are performed to check accuracy, completeness, and authorization of transactions. Two Broad Groupings of Information Systems General Controls Application Controls Two Broad Groupings of Information Systems General Controls Policies and Procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. Application Controls Controls that apply to the processing of individual applications. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed. 3. Physical Controls These activities encompass the physical security of assets. Including adequate safeguards such as; Secured facilities over access to assets and records; Authorization of access to computer programs and data files; Periodic counting and comparison, with amounts shown on control records (for example comparing the results of cash, security and inventory counts with accounting records). 4. Segregation of Duties Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunity to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person’s duties. CONTROL ACTIVITIES Policies and Procedures Control activities usually involve two elements; a policy establishing what should be done and, serving as a basis for the second element, procedures to implement the policy. Evaluation of Control Activities Control activities must be evaluated in the context of management directives to address risks associated with established objectives for each significant activity. MONITORING OF CONTROLS Monitoring of Controls is a process to assess the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. The Need to Monitor Controls Internal control systems change over time. The way controls are applied may evolve. Once-effective procedures can become less effective, or perhaps are no longer performed. This can be due to : the arrival of new personnel the varying effectiveness of training and supervision, time and resource constraints, or additional pressures. Methods for Monitoring Controls Monitoring can be done in two ways: through ongoing activities or separate evaluations. Internal control systems usually will be structured to monitor themselves on an ongoing basis to some degree. “The greater the degree and effectiveness of ongoing monitoring, the less need for separate evaluations “ Methods for Monitoring Controls Examples of Ongoing Monitoring Activities 1. In carrying out its regular management activities, operating management obtains evidence that the system of internal control continues to function. 2. Appropriate organizational structure and supervisory activities provide oversight of control functions and identification of deficiencies. 3. Training seminars, planning sessions and other meetings provide important feedback to management on whether controls are effective. Issues to Consider Ongoing Monitoring 1. Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system of internal control continues to function. 2. Extent to which communications from external parties corroborate internally generated information, or indicate problems. 3. Periodic comparison of amounts recorded by the accounting system with physical assets. INHERENT LIMITATIONS OF INTERNAL CONTROL 1. Management’s usual requirement that a control be cost effective 2. The fact that most controls tend to be directed at anticipated types of transactions and not at unusual transactions; the potential for human error due to carelessness, distraction, mistakes of judgement or the misunderstanding of instructions; 3. The possibility of circumvention of controls through collusion with parties outside the entity or with employees of the entity. 4. The possibility that a person reasonable for exercising control could abuse that responsibility 5. The possibility that procedures may become inadequate due to changes in condition and compliance and procedures may deteriorate. RELEVANCE OF CONTROLS TO THE AUDIT It is a matter of the auditor’s professional judgement, whether a control, individually or in combination with others, is relevant to the auditor’s considerations in assessing the risk of material misstatement and designing and performing further procedures in response to assessed risks. RELEVANCE OF CONTROLS TO THE AUDIT Factors considered in Determining the Relevance of Controls to the Audit 1. The auditor’s judgement about materiality 2. The size of the entity 3. The nature of the entity’s business, including its organization and ownership characteristics 4. The diversity and complexity of the entity’s operations 5. Applicable legal and regulatory requirements 6. The nature and complexity of the systems that are part of the entity’s internal control, including the use of service organizations. INTERNAL CONTROL EVALUATION IN FINANCIAL STATEMENT AUDIT The nature, extent and timing of the audit procedures to be performed in gathering audit evidence related to class of transactions, account balances and disclosures take their most significant momentum from a thorough understanding of the design and evaluation of the operating effectiveness of internal control. INTERNAL CONTROL EVALUATION IN FINANCIAL STATEMENT AUDIT An auditor’s approach in the study and evaluation of the client’s internal control is generally consists of the following steps: 1. Obtain an understanding of the client’s internal control structure 2. Make a preliminary assessment of control risk 3. Determine the appropriate response to the assessed risks 4. Reassess control risk 5. Determine the nature, extent and timing of substantive tests STEP 1 – OBTAIN AN UNDERSTANDING OF THE CLIENT’S INTERNAL CONTROL The auditor should obtain and document an understanding of the client’s internal control sufficient to identify potential misstatement in the financial statements. Obtaining an understanding of the internal control structure consists of the following: 1. Performing a preliminary review 2. Identifying transaction cycles 3. Documenting the system 4. Performing a transaction walkthrough 5. Identifying controls that are potentially reliable INTERNAL CONTROL EVALUATION IN FINANCIAL STATEMENT AUDIT Performing a Preliminary Review In determining the level of understanding necessary to plan the audit, an auditor uses sources such as past experience with the client, and an understanding of the industry in which the client operates to determine the risk of material misstatements. Identifying Transaction Cycles Because the number and nature of transactions vary from industry to industry and from company to company, an auditor must identify each client’s major transactions. INTERNAL CONTROL EVALUATION IN FINANCIAL STATEMENT AUDIT Identifying Transaction Cycles The major transaction cycles in a commercial and industrial entity include: Revenue/receivables/cash receipts cycle Purchasing/payables/disbursements cycle Payroll cycle Production/conversion cycle Financing and Investing cycle INTERNAL CONTROL EVALUATION IN FINANCIAL STATEMENT AUDIT Identifying Transaction Cycles Identifying transaction cycles based on common transaction flows provides the following advantages: 1. It enables the auditor to gain an adequate understanding of the flow of transactions from inception to conclusion, to make sure that he has identified all significant processes and has noted and evaluated each phase of the transaction flow. 2. It enables the author to better evaluate the impact of internal control (or lack of it) on specific financial statements items affected and; therefore, assists him in determining the nature, timing and extent of substantive tests. INTERNAL CONTROL EVALUATION IN FINANCIAL STATEMENT AUDIT Documentation of Understanding of Internal Control Documentation is a means of ensuring that auditors comply with significant requirements of generally accepted auditing standards. The following audit processes require documentation: 1. The discussion among the engagement team regarding the susceptibility of the entity’s financial statements to material misstatement, and the significant decision reached; 2. The understanding obtained regarding each of the aspects of the entity and its environment, and each of the five internal control components in order to assess both the sources of information from which the understanding was obtained and several risks. INTERNAL CONTROL EVALUATION IN FINANCIAL STATEMENT AUDIT Documentation of Understanding of Internal Control NARRATIVES A narrative is a written description of a particular phrase or phrases of an accounting system. INTERNAL CONTROL QUESTIONNAIRES Internal Control Questionnaires consist of a series of question designed to identify control points and techniques and detect control responses. Questionnaires require Yes, No, or Not Applicable responses FLOWCHARTS Flowcharts constitute interrelated symbols which diagram the flow of transactions and events through a system, or portions thereof. Combination of Methods The auditor could use any combination of narratives, flowcharts, and/or questionnaires to document an entity’s internal control structure, thereby maximizing the advantages of each. Comparison of the methods Advantages Disadvantages Narrative Can be tailor-made for May become very long and engagement time consuming Internal Control Easy to complete, and Questions may not fit the Questionnaire strengths and weaknesses internal control structure can be easily identified adequately Flowcharting Shows visual Could be time consuming representation of the internal control. Usually unlikely that important portions of internal control will be overlooked Performing a Transaction Walkthrough Following documentation, a single transaction for each major segment of the internal control structure is selected and followed, or walked through the accounting system. The purpose of a walkthrough is to verify narrative, questionnaire, and/or flowchart documentation and to familiarize the auditor with the audit trail. If it isolates differences from narratives, questionnaires or flowcharts, the reason for the differences should be resolved and the auditor’s documentation revised if necessary. Factors Considered in Determining the Relevance of Controls to Audit 1. A walkthrough should be done every year. 2. The walkthrough should be performed after the flowcharts (or narrative outlines) have been prepared or updated. 3. The auditor who prepared or updated the flowcharts should be the one to do the walkthrough. Relationship of Controls to Assertions The relationship may be either direct or indirect. The degree of directness or closeness, of the relationship determines, in part, how likely a specific policy or procedure is to have an effect on a particular assertion for a specific account balance or class of transactions. PSA 315 (Redrafted) groups financial statement assertions into the following categories: 1. Assertions about classes of transactions and events for the period under audit 2. Assertions about account balances at the period end 3. Assertions about presentation and disclosure Assertions about classes Assertions about account Assertions about of transactions and balances at the period presentation and events for the period end disclosure under audit Occurrence Existence Occurrence and Rights and Obligations Completeness Rights and Obligations Completeness Accuracy Completeness Classification and Understandability Cutoff Valuation and Allocation Accuracy and Valuation Classification STEP 2 - MAKE PRELIMINARY ASSESSMENT OF CONTROL RISK The combined assessments of control and inherent risk shall be the basis for determining the nature, timing and extent of substantive tests. In assessing control risk, the auditor: 1. Considers the error or irregularities that could occur and that could result in material misstatements in the financial statements 2. Identifies relevant control procedures designed to prevent the errors or irregularities 3. Perform test of controls on the control procedures to be relied on in designing substantive tests. Pointers When Assessing Control Risks Control Environment 1. The existence of a satisfactory control environment is not an absolute deterrent to fraud. 2. The control environment in itself does not prevent, or detect and correct, material misstatements. Risk Assessment Process 1. Note how management performs the risk assessment process. 2. Consider the existence of material weaknesses in internal control. Information System and Communication 1. There is possibility of inappropriate override of controls over journal entries. 2. Check the resolution of incorrectly processed transactions. 3. Focus on communications with the audit committee and with regulatory authorities. Pointers When Assessing Control Risks Control Activities 1. The auditor’s primary consideration is whether, and how, a specific control activity, prevents or detects and corrects, material misstatements. 2. Consider the risks associated with the information technology. Monitoring of Controls 1. In many entities, internal auditors or personnel performing similar functions contribute to the monitoring of activities. There are two possible risk assessments pertaining to control risk: 1. High Control Risk Assessment The auditor may assess control risk as high or at maximum level when there is high likelihood that significant misstatements may exist in the financial statements because internal controls are inadequate and cannot be relied upon, for all or certain audit objectives. There are two possible risk assessments pertaining to control risk: 2. Less Than High Control Risk Assessment In order to assess risk at less than high or below the maximum level, the auditor must be able to identify specific control structure policies and procedures that are in place and are likely to prevent or detect material misstatements in specific financial statements assertions and must test whether those policies and procedures are designed and operating effectively. STEP 3 - DETERMINE THE APPROPRIATE RESPONSE TO THE ASSESSED RISKS Overall Responses To reduce audit risk to an acceptable level, the auditor should determine overall responses to the assessed risks and should design and perform further audit procedures to respond to assessed risks at the assertion level. Overall Responses the Auditor May Consider 1. Emphasizing to the audit team the need to maintain professional skepticism in gathering and evaluating audit evidence. 2. Assigning more experienced staff or those with special skills or using experts 3. Providing more supervisions 4. Incorporating additional elements of unpredictability in the selection of audit procedures to be performed 5. Making general changes to the nature, timing, or extent of audit procedures Responses at the Assertion Level Preliminary Control Risk Assessment is High Adopt audit approach that relies primarily on substantive tests. The auditor proceeds to step five and only substantive test audit programs are prepared. Preliminary Control Risk Assessment is Less Than High Use reliance approach. Two sets of audit programs are prepared: test of controls and substantive test. Auditor’s Responses at the Assertion Level Preliminary Control Effect on Audit TOC? ST? Risk Assessment Acceptable Approach Detection Risk High/Maximum Decrease No Reliance No Yes Less than High or Increase Reliance Yes Yes Below the Maximum TEST OF CONTROLS used to test either the effectiveness of the design or operation of a client’s internal control policy or procedure in support of less than high control risk assessment applied only to those controls on which the auditor intends to rely when designing substantive tests of account balances. Nature of Test of Controls The test generally consist of one or a combination of the following procedures: Inquiry of client personnel Observation of the application of policies and procedures Inspection Reperformance or recalculation TEST OF CONTROLS Control Deviations When performing test of controls, an auditor may find differences between what was expected and what actually occurred. Such differences are appropriately called exceptions, deviations, or occurrences, rather than errors, because an exception does not necessarily mean that an error has been made. Timing of Test of Controls The timing of test of controls depends on the auditor’s objective and determines the period of reliance on those controls. Another important timing matter is how much to rely on tests of prior periods as evidence that controls are effectively designed and continue to operate effectively during the current audit period. TEST OF CONTROLS Extent of Test of Controls The more the auditor relies on the operating effectiveness of controls in the assessment of risk, the greater is the extent of test of controls. As the rate of expected deviation from a control increases, the auditor increases the extent of testing of the control. STEP 4 - REASSESS LEVEL OF CONTROL RISK If the auditor finds that the risk of material misstatement is higher than originally expected, the auditor should reassess the level of control risk. In evaluating the effectiveness of controls, the auditor considers all the control components taken together. The entity-level components must be effective for internal control as a whole to be effective. Effect of Reassessment of Control Risk on the Audit Approach Reassessment of Control Risk Audit Approach Effect on ST Audit Program CR assessment remains at less Reliance Approach Less effective procedures than high or below the Interim testing may be maximum appropriate Lower sample sizes CR assessment is changed to Switch to More effective procedures high or maximum No-Reliance Tests moved to nearer or at the Approach year-end Larger sample sizes Documentation Should the auditor document the… Understanding Control Risk Basis for the of Internal Assessment? Control Risk Risk Assessment Control? Assessment? High Yes Yes No Less than high Yes Yes Yes STEP 5 – DETERMINE THE NATURE, EXTENT AND TIMING OF SUBSTANTIVE TESTS Irrespective of the assessed risk of material misstatement, the auditor should design and perform substantive procedures for each material class of transactions, account balance and disclosures. The lower the assessed level of control risk, the less evidence the auditor needs from substantive tests. Regardless of the assessed levels of control risk, the auditor should perform some substantive tests for significant account balances and transaction classes. Possible Modifications to the Substantive Test Audit Program As the assessed level of control risk decreases, the auditor may modify substantive tests in the following ways: 1. Changing the nature of substantive tests 2. Changing the timing of substantive tests 3. Changing the extent of substantive tests DEFICIENCIES IN INTERNAL CONTROL PSA 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management, provide guidance on how to communicate significant internal control deficiencies noted in an audit of financial statements. A deficiency exists when: a. A control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in the financial statements on a timely basis; or b. A control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is missing. DEFICIENCIES IN INTERNAL CONTROL The auditor should communicate to management at an appropriate level of responsibility on a timely basis: a. In writing, significant deficiencies in internal control that the auditor has communicated or intends to communicate to those charged with governance, unless it would be inappropriate to communicate directly to management in the circumstances; b. Other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor’s professional judgment, are of sufficient importance to merit management’s attention. DEFICIENCIES IN INTERNAL CONTROL The auditor shall include in the written communication of significant deficiencies in internal control: a. A description of the deficiencies and an explanation of their potential effects; and b. Sufficient information to enable those charged with governance and management to understand the context of the communication. In particular, the auditor shall explain that: (i) The purpose of the audit was for the auditor to express an opinion on the financial statements; DEFICIENCIES IN INTERNAL CONTROL (ii) The audit included consideration of internal control relevant to the preparation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control; and (iii) The matters being reported are limited to those deficiencies that the auditor has identified during the audit and that the auditor has concluded are of sufficient importance to merit being reported to those charged with governance. ENTERPRISE RISK MANAGEMENT- INTEGRATED FRAMEWORK In response to a need for principle-based guidance to help entities design and implement effective enterprise-wide approach to risk management, COSO issued the Enterprise Risk Management- Integrated Framework in 2004. New COSO Framework 1. Internal Environment 2. Objective Setting 3. Event Identification 4. Risk Assessment 5. Risk Response 6. Control Activities 7. Information and Communication 8. Monitoring ENTERPRISE RISK MANAGEMENT- INTEGRATED FRAMEWORK Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.

Use Quizgecko on...
Browser
Browser