Audits of Internal Control and Control Risk
Princess Nourah Bint Abdulrahman University
Summary
This chapter details the audits of internal control and control risk. It covers the objectives, components, and procedures related to internal control. It is geared toward a university course.
Chapter 8: Audits of Internal Control and Control Risk

Index

Internal Control
Internal Control Objectives
Responsibilities for Internal Control
Five Components of Internal Control
    Control Environment
    Risk Assessment
    Control Activities
    Information and Communication
    Monitoring
Obtain and Document Understanding of Internal Control
Assess Control Risk
Identify Deficiencies and Material Weaknesses
Tests of Controls
    Procedures for Tests of Controls
Decide Planned Detection Risk and Design Substantive Tests
Section 404 Reporting on Internal Control
    Types of Opinion
Communications to Those Charged with Governance
References

Objectives

By the end of this lesson the student is expected to be able to:
1) Discuss internal control and the three primary objectives of effective internal control.
2) Contrast management’s responsibilities for internal controls with the auditor’s responsibilities for internal controls.
3) Explain the five components of the COSO internal control framework.
4) Apply internal control.
5) Assess control risk.
6) Evaluate tests of controls.
7) Decide planned detection risk.
8) State Section 404 requirements for auditor reporting on internal control.

Internal Control

- A system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals.
- These policies and procedures are called controls, and collectively they make up the entity’s internal control.

Internal Control Objectives

Management has three broad objectives in designing an effective internal control system.

1- Efficiency and effectiveness of operations
Controls within a company encourage efficient and effective use of its resources to optimize the company’s goals.
An important objective of these controls is accurate financial and nonfinancial information about the company’s operations for decision making.

2- Reliability of financial reporting
Management is responsible for preparing statements for investors, creditors, and other users. Management has both a legal and professional responsibility to be sure that the information is fairly presented in accordance with reporting requirements of accounting frameworks such as GAAP and IFRS. The objective of effective internal control over financial reporting is to fulfill these financial reporting responsibilities.

3- Compliance with laws and regulations
The management of every public company is required to issue a report about the operating effectiveness of internal control over financial reporting (according to Section 404). In addition to the legal provisions of Section 404, public, nonpublic, and not-for-profit organizations are required to follow many laws and regulations. Some relate to accounting only indirectly, such as environmental protection and civil rights laws. Others are closely related to accounting, such as income tax regulations and anti-fraud legal provisions.

Unlike management’s objectives, the auditor’s internal control objectives do not include efficiency and effectiveness of operations.

Responsibilities for Internal Control

Responsibilities for internal controls differ between management and the auditor.

Figure 1: Summary of the difference between management’s and the auditor’s responsibilities for internal control

Five Components of Internal Control

COSO’s internal control integrated framework is one of the most widely accepted internal control frameworks.

Figure 2: The components of internal control

Control Environment

The control environment serves as the umbrella for the other four components.
Without an effective control environment, the other four are unlikely to result in effective internal control, regardless of their quality.

The control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity.

Integrity and ethical values are the product of the entity’s ethical and behavioral standards as well as how they are communicated and reinforced in practice.

Competence is the knowledge and skills necessary to accomplish tasks that define an individual’s job. Commitment to competence includes management’s consideration of the competence levels for specific jobs and how those levels translate into requisite skills and knowledge.

The board of directors is essential for effective corporate governance because it has ultimate responsibility to make sure management implements proper internal control and financial reporting processes.

Risk Assessment

- The risk assessment process looks at how management assesses material risks which might arise.
- It should estimate the significance of those risks and the likelihood of their occurring. The risks might include:
    - Rapid technology changes.
    - Entrance of new competitors.
- Auditors obtain knowledge about management’s risk assessment process using questionnaires and discussions with management to determine how management identifies risks relevant to financial reporting, evaluates the significance and likelihood of the risks occurring, and decides the actions needed to address the risks.

Control Activities

Control activities are the policies and procedures that help ensure that necessary action is taken to address risk. The control activities fall into the following five types:

1. Adequate separation of duties
- Separation of the custody of assets from accounting.
- Separation of the authorization of transactions from the custody of related assets.
- Separation of operational responsibility from record-keeping responsibility.
- Separation of IT duties from user departments.

2. Proper authorization of transactions and activities
Every transaction must be properly authorized if controls are to be satisfactory. Authorization can be either general or specific.

Under general authorization, management establishes policies, and subordinates are instructed to implement these general authorizations by approving all transactions within the limits set by the policy. General authorization decisions include the issuance of fixed price lists for the sale of products, credit limits for customers, and fixed reorder points for making acquisitions.

Specific authorization applies to individual transactions. For certain transactions, management prefers to authorize each transaction. An example is the authorization of a sales transaction by the sales manager for a used-car company.

3. Adequate documents and records
Documents and records are the records upon which transactions are entered and summarized. They include such diverse items as sales invoices, purchase orders, subsidiary records, sales journals, and employee time cards.

4. Physical control over assets and records
To maintain adequate internal control, assets and records must be protected. If assets are unprotected, they may be stolen. If records are not adequately protected, they also may be stolen, damaged, altered, or lost, which can seriously disrupt the accounting process and business operations. When a company is highly computerized, its computer equipment, programs, and data files must be protected. The data files are the records of the company and, if damaged, could be costly or even impossible to reconstruct.

5. Independent checks on performance
The need for independent checks arises because internal controls tend to change over time unless there is frequent review. Personnel are likely to forget or intentionally fail to follow procedures, or they may become careless unless someone observes and evaluates their performance. Regardless of the quality of the controls, personnel can make errors or commit fraud.

Information and Communication

The purpose of the accounting information and communication system is to initiate, record, process, and report the entity’s transactions and to maintain accountability for the related assets.

To understand the design of the accounting information system, the auditor determines:
(1) the major classes of transactions of the entity;
(2) how those transactions are initiated and recorded;
(3) what accounting records exist and their nature;
(4) how the system captures other events that are significant to the financial statements, such as declines in asset values; and
(5) the nature and details of the financial reporting process followed, including procedures to enter transactions and adjustments in the general ledger.

Figure 3: Summary of the purpose of the accounting information and communication system

Monitoring

Monitoring activities deal with management’s ongoing and periodic assessment of the quality of internal control performance, to determine whether controls are operating as intended and are modified when needed.

Obtain and Document Understanding of Internal Control

Figure 4: Overview of the process for understanding internal control and assessing control risk

Obtain and Document Understanding of Internal Control Design and Operation

- Auditing standards require auditors to obtain and document an understanding of internal control for every audit.
- In addition to understanding the design, the auditor must consider whether the designed control is implemented in practice. Part of the auditor’s risk assessment procedures involves gathering evidence about the design and implementation of internal controls, using different types of evidence.

Assess Control Risk

The auditor makes a preliminary assessment of control risk as part of the auditor’s overall assessment of the risk of material misstatements. The auditor obtains an understanding of the design and implementation of internal control to achieve the preliminary assessment.

The auditor uses this preliminary assessment of control risk to plan the audit for each material class of transactions. However, in some instances the auditor may learn that the control deficiencies are so significant that the client’s financial statements may not be auditable.

Figure 5: Summary of a preliminary assessment of control risk

Figure 6: Example of Control Risk Matrix

Identify Deficiencies and Material Weaknesses

A five-step approach is used to identify deficiencies, significant deficiencies, and material weaknesses:

1. Identify existing controls.
Because deficiencies and material weaknesses are the absence of adequate controls, the auditor must first know which controls exist. The methods for identifying controls have already been discussed.

2. Identify the absence of key controls.
Internal control questionnaires and flow charts are useful tools to identify where controls are lacking and the likelihood of misstatement is therefore increased. It is also useful to examine the control risk matrix, such as the one in Figure 10-5 (p. 309), to look for objectives where there are no or only a few controls to prevent or detect misstatements.

3. Consider the possibility of compensating controls.
A compensating control is one elsewhere in the system that offsets the absence of a key control. A common example in a small business is the active involvement of the owner. When a compensating control exists, there is no longer a significant deficiency or material weakness.

4. Decide whether there is a significant deficiency or material weakness.
The likelihood of misstatements and their materiality are used to evaluate whether there are significant deficiencies or material weaknesses.

5. Determine potential misstatements that could result.
This step is intended to identify specific misstatements that are likely to result because of the significant deficiency or material weakness.

Tests of Controls

The procedures to test the effectiveness of controls in support of a reduced assessed control risk are called tests of controls.

Procedures for Tests of Controls

The auditor uses four types of procedures to support the operating effectiveness of internal controls. Management’s testing of internal control includes the same types of procedures. The four types of procedures are as follows:
- Inquire of client personnel.
- Examine documents, records, reports.
- Observe control-related activities.
- Reperform client procedures.

Decide Planned Detection Risk and Design Substantive Tests

The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests. The auditor links the control risk assessments to the balance-related audit objectives.

The auditor determines planned detection risk and related substantive tests for the audit of financial statements. The auditor achieves this by linking the control risk assessments to the balance-related audit objectives for the accounts affected by the major transaction types and to the four presentation and disclosure audit objectives.
The appropriate level of detection risk for each balance-related audit objective is then decided using the audit risk model.

The relationship of transaction-related audit objectives to balance-related audit objectives and the selection and design of audit procedures for substantive tests of financial statement balances.

Section 404 Reporting on Internal Control

The scope of the auditor’s report on internal control is limited to obtaining reasonable assurance that material weaknesses in internal control are identified.

Types of Opinion

Unqualified opinion: The auditor will issue an unqualified opinion on internal control over financial reporting when two conditions exist:
- There are no identified material weaknesses.
- There have been no restrictions on the scope of the auditor’s work.

Adverse opinion: When material weaknesses exist, the auditor must express an adverse opinion on the effectiveness of internal control. The most common cause of an adverse opinion in the auditor’s report on internal control is when management identified a material weakness in its report.

Qualified or disclaimer opinion: This type of opinion is issued when the auditor is unable to determine if there are material weaknesses, due to a restriction on the scope of the audit of internal control over financial reporting or other circumstances where the auditor is unable to obtain sufficient appropriate evidence.

Communications to Those Charged with Governance

The auditor must communicate significant deficiencies and material weaknesses in writing to the audit committee.

Management letters from the auditor cover less significant control weaknesses and ideas for operational improvements.

References

- Alvin A. Arens, Randal J. Elder, Mark S. Beasley, Auditing and Assurance Services: An Integrated Approach, 14th Edition. ISBN-13: 978-0-13-257595-9. ISBN-10: 0-13-257595-7.
- Michael C. Knapp, Auditing Cases, International Edition (9th Edition). ISBN-10: 1133187900. ISBN-13: 978-1133187905.