Eilifsen_3rd_Chap06_PPT.pdf

Full Transcript

Auditing and Assurance Services
A Systematic Approach
Eleventh Edition

CHAPTER 6
Internal Control in a
Financial Statement
Audit

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education.
 Learning Objective 06-1

Internal Control (1 of 2)
Management has the responsibility to maintain controls that
provides reasonable assurance that adequate control exists over
the entity’s assets and records.

The Internal Control System should:
Ensure that assets and records are safeguarded
Generate reliable information for decision making

The auditor needs assurance about the reliability of the data
generated by the information system.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-2
 Learning Objective 06-1

Internal Control (2 of 2)
The auditor uses risk assessment procedures to:
Obtain an understanding of the entity’s internal control
Identify key controls
Recognize the types of potential misstatements
Design tests of controls and substantive procedures

The auditor’s understanding of the internal control is a major
factor in determining the overall audit strategy.

The auditor has the responsibility to:
1) Obtain an understanding of internal controls
2) Assess control risk

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-3
 Learning Objective 06-2

COSO’s Internal Control –
Integrated Framework

Objectives

Reliability of Effectiveness Compliance
Financial and Efficiency with Laws and
Reporting of Operations Regulations

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-4
 Learning Objective 06-3

Controls Relevant to the Audit
(1 of 2)

Objectives

Reliability of Effectiveness Compliance with
Financial and Efficiency of Laws and
Reporting Operations Regulations

Generally, internal controls pertaining to the preparation of financial
statements for external purposes are relevant to an audit.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-5
 Learning Objective 06-3

Controls Relevant to the Audit
(2 of 2)

Objectives

Reliability of Effectiveness Compliance with
Financial and Efficiency of Laws and
Reporting Operations Regulations

Controls relating to operations and compliance objectives may be
relevant when they relate to data the auditor uses to apply auditing
procedures.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-6
 Learning Objective 06-4

The Effect of Information Technology
on Internal Control (Table 6-1)

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-7
 Learning Objective 06-5

The COSO Framework
Components of Internal Control (1 of 7)

Control Environment

Entity’s Risk
Assessment Process

Control Activities

Information and
Communication

Monitoring Activities

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-8
 Learning Objective 06-5

Components of Internal Control (2 of 7)

Control Environment The control environment is the
set of standards, processes, and
Entity’s Risk structures that provides the basis
Assessment Process for carrying out internal control
Control Activities across the organization. The
board of directors and senior
Information and management establish the tone
Communication at the top regarding the
importance of internal control and
Monitoring Activities
expected standards of conduct.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-9
 Learning Objective 06-5

Components of Internal Control (3 of 7)

Risk assessment involves a
Control Environment dynamic and iterative process for
identifying and analyzing risks to
Entity’s Risk
achieving the entity's objectives,
Assessment Process
thereby forming a basis for
Control Activities determining how risks should be
managed. Management considers
Information and possible changes in the external
Communication environment and within its own
Monitoring Activities business model that may impede
its ability to achieve its
objectives.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-10
 Learning Objective 06-5

Components of Internal Control (4 of 7)

Control Environment Control activities are the actions
established by policies and
Entity’s Risk procedures to help ensure that
Assessment Process management directives to
mitigate risks to the achievement
Control Activities
of objectives are carried out.
Information and Control activities are performed
Communication at all levels of the entity and at
various stages within business
Monitoring Activities processes, and over the
technology environment.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-11
 Learning Objective 06-5

Components of Internal Control (5 of 7)
Information is necessary for the
entity to carry out internal control
Control Environment responsibilities in support of
achievement of its objectives.
Entity’s Risk Communication occurs both
Assessment Process internally and externally and
provides the organization with the
Control Activities information needed to carry out day-
to-day internal control activities.
Information and Communication enables personnel to
Communication understand internal control
responsibilities and their importance
Monitoring Activities
to the achievement of objectives and
allows for upward flow of operating
information to management.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-12
 Learning Objective 06-5

Components of Internal Control (6 of 7)

Ongoing evaluations, separate
Control Environment evaluations, or some combination
of the two are used to ascertain
Entity’s Risk whether each of the five
Assessment Process components of internal control,
including controls to effect the
Control Activities
principles within each component,
Information and are present and functioning.
Communication Findings are evaluated and
deficiencies are communicated in
Monitoring Activities a timely manner, with serious
matters reported to senior
management and to the board.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-13
 Learning Objective 06-5

Components of Internal Control (7 of 7)
(Figure 6-1)

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-14
 Learning Objective 06-5

Control Environment
Principle 1: The organization demonstrates a commitment to
integrity and ethical values.

Principle 2: The board of directors demonstrates independence from
management and exercises oversight of the development
and performance of internal control.

Principle 3: Management establishes, with board oversight,
structures, reporting lines, and appropriate authorities
and responsibilities in the pursuit of objectives.

Principle 4: The organization demonstrates a commitment to attract,
develop, and retain competent individuals in alignment
with objectives.

Principle 5: The organization holds individuals accountable for their
internal control responsibilities in the pursuit of
objectives.
Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-15
 Learning Objective 06-5

The Entity’s Risk Assessment Process
The risk assessment process identifies and responds to
business risks in relation to achieving business objectives

Principle 6: The organization specifies objectives with sufficient
clarity to enable the identification and assessment of
risks relating to objectives.

Principle 7: The organization identifies risks to the achievement of its
objectives across the entity and analyzes risks as a basis
for determining how the risks should be managed.

Principle 8: The organization considers the potential for fraud in
assessing risks to the achievement of objectives.

Principle 9: The organization identifies and assesses changes that
could significantly impact the system of internal control.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-16
 Learning Objective 06-5

Control Activities
Principle 10: The organization selects and develops control activities
that contribute to the mitigation of risks to the
achievement of objectives to acceptable levels.
- Performance Reviews
- Physical Controls
- Segregation of Duties
- Information Processing Controls

Principle 11: The organization selects and develops general control
activities over technology to support the achievement
of objectives.

Principle 12: The organization deploys control activities through
policies that establish what is expected and procedures
that put policies into action.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-17
 Learning Objective 06-5

Information and Communication
Principle 13: The organization obtains or generates and uses
relevant, quality information to support the functioning
of internal control.
- Identify and record all valid transactions
- Classify transactions properly
- Measure the value of transactions properly
- Record transactions in the proper period
- Properly present transactions and disclosures

Principle 14: The organization internally communicates information,
including objectives and responsibilities for internal
control, necessary to support the functioning of internal
control.

Principle 15: The organization communicates with external parties
regarding matters affecting the functioning of internal
control.
Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-18
 Learning Objective 06-5

Monitoring of Controls

Monitoring of controls is a process that assesses the quality of
internal control performance over time.

Principle 16: The organization selects, develops, and performs
ongoing and/or separate evaluations to ascertain
whether the components of internal control are present
and functioning.

Principle 17: The organization evaluates and communicates internal
control deficiencies in a timely manner to those parties
responsible for taking corrective action, including senior
management and the board of directors, as
appropriate.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-19
 Learning Objective 06-6

Planning an Audit Strategy

Audit Risk Model
AR = IR × CR × DR

In applying the audit risk model, the auditor must
assess control risk. The figure on the next slide
presents a flowchart of the auditor’s decision
process when considering internal control in
planning an audit.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-20
 Learning Objective 06-6

Substantive Strategy
After obtaining an understanding of internal control, an auditor
may choose to follow a substantive strategy and set control risk
at high for some or all assertions because of one or all of the
following factors:

Testing the
Controls do Controls are
effectiveness
not pertain to assessed as
of controls is
an assertion ineffective
inefficient

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-21
 Learning Objective 06-6

Reliance Strategy

Obtain Understanding
of Internal Control

Plan to Rely on Internal
Control and Assess
Control Risk at a Lower
Level

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-22
 Learning Objective 06-7

Obtain an Understanding of
Internal Control (1 of 2)
The auditor should obtain an understanding of each
of the five components of internal control in order to
plan the audit. This knowledge is used to:

Pinpoint the
Identify types of
factors that affect
potential
the risk of material
misstatement
misstatement

Design tests of
controls and
substantive
procedures
Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-23
 Learning Objective 06-7

Obtaining an IT Specialist
The auditor may determine that the
engagement team needs an IT specialist.

Evaluate the nature
and complexity of the
entity’s IT systems

Determine whether
the engagement
team needs an IT
specialist

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-24
 Learning Objective 06-7

Obtain an Understanding of
Internal Control (2 of 2)

1. Understand the control environment.
2. Understand the entity’s risk assessment process.
3. Understand the information system and
communications.
4. Understand control activities.
5. Understand monitoring of controls.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-25
 Learning Objective 06-8

Documenting the Understanding of
Internal Control

Procedures Manuals
and Organizational Flowcharts
Charts

Internal Control
Narrative Description
Questionnaires

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-26
 Learning Objective 06-8

The Effect of Entity Size on
Internal Control

While the basic concepts of the five
components should be present in all entities,
they are likely to be less formal in a small or
midsize entity than in a large entity.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-27
 Learning Objective 06-8

The Limitation of an Entity’s
Internal Control
Management
Override of
Internal Control

Human Errors or
Mistakes

Collusion

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-28
 Learning Objective 06-9

Assessing Control Risk

Identify specific
controls that
will be relied
upon

Perform tests of
controls

Conclude on the
achieved level of
control risk

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-29
 Learning Objective 06-10

Performing Tests of Controls

Inspection of
Inquiry of appropriate documents indicating
entity personnel the performance of the
control

Observation of the Reperformance of the
application of the application of the
control control by the auditor

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-30
 Learning Objective 06-10

Documenting the Achieved Level
of Control Risk
The auditor’s assessment of control risk
and the basis for the achieved level can
be documented using a structured
working paper, an internal control
questionnaire, or a memorandum.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-31
 Learning Objective 06-11

Performing Substantive Procedures
(Table 6-6)

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-32
 Learning Objective 06-12

Timing of Audit Procedures

Interim

Year End

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-33
 Learning Objective 06-12

FIGURE 6-5 A Timeline for Planning and Performing
the Audit of EarthWear Clothiers

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-34
 Learning Objective 06-12

Interim Audit Procedures

Interim Assertion being tested not significant
Tests of Control has been effective in prior audits
Efficient use of staff time
Controls

Control environment
Availability of information at a later date
The purpose of the substantive procedure
Interim The assessed risk of material misstatement
Substantive The nature of the transactions or balances
and relevant assertions
Procedures The ability of the auditor to perform
appropriate procedures to cover the
remaining period

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-35
 Learning Objective 06-13

Auditing Accounting Applications Processed
by Service Organizations (1 of 2)

In some instances, an entity may have some or all of its
accounting transactions processed by an outside service
organization.

Because the entity’s
transactions are subjected to
the controls of the service It is not uncommon for
service organizations to
organization, one of the
have an auditor issue
auditor’s concerns is the one of two types of
internal control system in reports on their
place at the service operations.
organization.

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-36
 Learning Objective 06-13

Auditing Accounting Applications Processed
by Service Organizations (2 of 2)

Type 1 Report
Describes the service organization’s
controls and assesses whether they are
suitably designed to achieve specified An auditor may
internal control objectives reduce control
risk below high
only on the basis
Type 2 Report of a service
Goes further by providing assurance on auditor’s Type 2
the operating effectiveness of the service report.
organization’s controls based on the
auditor’s tests of controls

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-37
 Learning Objective 06-14

Communication of Internal Control-
Related Matters
Exists when the design or operation of a control
does not allow management or employees, in the
Control
normal course of performing their assigned
Deficiency function, to prevent, or detect and correct,
misstatements on a timely basis

A deficiency, or a combination of deficiencies, in
Significant internal control that is less severe than a material
Deficiency weakness but is important enough to merit
attention by those charged with governance

A deficiency, or combination of deficiencies, in
internal control, such that there is a reasonable
Material
possibility that a material misstatement of the
Weakness entity’s financial statements will not be prevented,
or detected and corrected, on a timely basis

Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution
without the prior written consent of McGraw-Hill Education. 6-38