Auditing and Assurance Services PDF

Document Details

FerventOphicleide9580

Uploaded by FerventOphicleide9580

Jubail Industrial College

2019

Aasmund Eilifsen, William F. Messier Jr., Steven M. Glover, and Douglas F. Prawitt

Tags

auditing assurance services internal control financial statement audit

Summary

This document is a chapter on internal control in a financial statement audit from a textbook titled "Auditing and Assurance Services". It details the importance of internal controls and provides an overview of COSO's framework.

Full Transcript

Auditing and Assurance Services A Systematic Approach Eleventh Edition CHAPTER 6 Internal Control in a...

Auditing and Assurance Services A Systematic Approach Eleventh Edition CHAPTER 6 Internal Control in a Financial Statement Audit Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. Learning Objective 06-1 Internal Control (1 of 2) Management has the responsibility to maintain controls that provides reasonable assurance that adequate control exists over the entity’s assets and records. The Internal Control System should: Ensure that assets and records are safeguarded Generate reliable information for decision making The auditor needs assurance about the reliability of the data generated by the information system. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-2 Learning Objective 06-1 Internal Control (2 of 2) The auditor uses risk assessment procedures to: Obtain an understanding of the entity’s internal control Identify key controls Recognize the types of potential misstatements Design tests of controls and substantive procedures The auditor’s understanding of the internal control is a major factor in determining the overall audit strategy. The auditor has the responsibility to: 1) Obtain an understanding of internal controls 2) Assess control risk Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-3 Learning Objective 06-2 COSO’s Internal Control – Integrated Framework Objectives Reliability of Effectiveness Compliance Financial and Efficiency with Laws and Reporting of Operations Regulations Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-4 Learning Objective 06-3 Controls Relevant to the Audit (1 of 2) Objectives Reliability of Effectiveness Compliance with Financial and Efficiency of Laws and Reporting Operations Regulations Generally, internal controls pertaining to the preparation of financial statements for external purposes are relevant to an audit. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-5 Learning Objective 06-3 Controls Relevant to the Audit (2 of 2) Objectives Reliability of Effectiveness Compliance with Financial and Efficiency of Laws and Reporting Operations Regulations Controls relating to operations and compliance objectives may be relevant when they relate to data the auditor uses to apply auditing procedures. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-6 Learning Objective 06-4 The Effect of Information Technology on Internal Control (Table 6-1) Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-7 Learning Objective 06-5 The COSO Framework Components of Internal Control (1 of 7) Control Environment Entity’s Risk Assessment Process Control Activities Information and Communication Monitoring Activities Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-8 Learning Objective 06-5 Components of Internal Control (2 of 7) Control Environment The control environment is the set of standards, processes, and Entity’s Risk structures that provides the basis Assessment Process for carrying out internal control Control Activities across the organization. The board of directors and senior Information and management establish the tone Communication at the top regarding the importance of internal control and Monitoring Activities expected standards of conduct. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-9 Learning Objective 06-5 Components of Internal Control (3 of 7) Risk assessment involves a Control Environment dynamic and iterative process for identifying and analyzing risks to Entity’s Risk achieving the entity's objectives, Assessment Process thereby forming a basis for Control Activities determining how risks should be managed. Management considers Information and possible changes in the external Communication environment and within its own Monitoring Activities business model that may impede its ability to achieve its objectives. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-10 Learning Objective 06-5 Components of Internal Control (4 of 7) Control Environment Control activities are the actions established by policies and Entity’s Risk procedures to help ensure that Assessment Process management directives to mitigate risks to the achievement Control Activities of objectives are carried out. Information and Control activities are performed Communication at all levels of the entity and at various stages within business Monitoring Activities processes, and over the technology environment. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-11 Learning Objective 06-5 Components of Internal Control (5 of 7) Information is necessary for the entity to carry out internal control Control Environment responsibilities in support of achievement of its objectives. Entity’s Risk Communication occurs both Assessment Process internally and externally and provides the organization with the Control Activities information needed to carry out day- to-day internal control activities. Information and Communication enables personnel to Communication understand internal control responsibilities and their importance Monitoring Activities to the achievement of objectives and allows for upward flow of operating information to management. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-12 Learning Objective 06-5 Components of Internal Control (6 of 7) Ongoing evaluations, separate Control Environment evaluations, or some combination of the two are used to ascertain Entity’s Risk whether each of the five Assessment Process components of internal control, including controls to effect the Control Activities principles within each component, Information and are present and functioning. Communication Findings are evaluated and deficiencies are communicated in Monitoring Activities a timely manner, with serious matters reported to senior management and to the board. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-13 Learning Objective 06-5 Components of Internal Control (7 of 7) (Figure 6-1) Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-14 Learning Objective 06-5 Control Environment Principle 1: The organization demonstrates a commitment to integrity and ethical values. Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-15 Learning Objective 06-5 The Entity’s Risk Assessment Process The risk assessment process identifies and responds to business risks in relation to achieving business objectives Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives. Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-16 Learning Objective 06-5 Control Activities Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. - Performance Reviews - Physical Controls - Segregation of Duties - Information Processing Controls Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives. Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-17 Learning Objective 06-5 Information and Communication Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. - Identify and record all valid transactions - Classify transactions properly - Measure the value of transactions properly - Record transactions in the proper period - Properly present transactions and disclosures Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-18 Learning Objective 06-5 Monitoring of Controls Monitoring of controls is a process that assesses the quality of internal control performance over time. Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-19 Learning Objective 06-6 Planning an Audit Strategy Audit Risk Model AR = IR × CR × DR In applying the audit risk model, the auditor must assess control risk. The figure on the next slide presents a flowchart of the auditor’s decision process when considering internal control in planning an audit. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-20 Learning Objective 06-6 Substantive Strategy After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set control risk at high for some or all assertions because of one or all of the following factors: Testing the Controls do Controls are effectiveness not pertain to assessed as of controls is an assertion ineffective inefficient Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-21 Learning Objective 06-6 Reliance Strategy Obtain Understanding of Internal Control Plan to Rely on Internal Control and Assess Control Risk at a Lower Level Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-22 Learning Objective 06-7 Obtain an Understanding of Internal Control (1 of 2) The auditor should obtain an understanding of each of the five components of internal control in order to plan the audit. This knowledge is used to: Pinpoint the Identify types of factors that affect potential the risk of material misstatement misstatement Design tests of controls and substantive procedures Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-23 Learning Objective 06-7 Obtaining an IT Specialist The auditor may determine that the engagement team needs an IT specialist. Evaluate the nature and complexity of the entity’s IT systems Determine whether the engagement team needs an IT specialist Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-24 Learning Objective 06-7 Obtain an Understanding of Internal Control (2 of 2) 1. Understand the control environment. 2. Understand the entity’s risk assessment process. 3. Understand the information system and communications. 4. Understand control activities. 5. Understand monitoring of controls. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-25 Learning Objective 06-8 Documenting the Understanding of Internal Control Procedures Manuals and Organizational Flowcharts Charts Internal Control Narrative Description Questionnaires Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-26 Learning Objective 06-8 The Effect of Entity Size on Internal Control While the basic concepts of the five components should be present in all entities, they are likely to be less formal in a small or midsize entity than in a large entity. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-27 Learning Objective 06-8 The Limitation of an Entity’s Internal Control Management Override of Internal Control Human Errors or Mistakes Collusion Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-28 Learning Objective 06-9 Assessing Control Risk Identify specific controls that will be relied upon Perform tests of controls Conclude on the achieved level of control risk Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-29 Learning Objective 06-10 Performing Tests of Controls Inspection of Inquiry of appropriate documents indicating entity personnel the performance of the control Observation of the Reperformance of the application of the application of the control control by the auditor Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-30 Learning Objective 06-10 Documenting the Achieved Level of Control Risk The auditor’s assessment of control risk and the basis for the achieved level can be documented using a structured working paper, an internal control questionnaire, or a memorandum. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-31 Learning Objective 06-11 Performing Substantive Procedures (Table 6-6) Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-32 Learning Objective 06-12 Timing of Audit Procedures Interim Year End Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-33 Learning Objective 06-12 FIGURE 6-5 A Timeline for Planning and Performing the Audit of EarthWear Clothiers Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-34 Learning Objective 06-12 Interim Audit Procedures Interim Assertion being tested not significant Tests of Control has been effective in prior audits Efficient use of staff time Controls Control environment Availability of information at a later date The purpose of the substantive procedure Interim The assessed risk of material misstatement Substantive The nature of the transactions or balances and relevant assertions Procedures The ability of the auditor to perform appropriate procedures to cover the remaining period Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-35 Learning Objective 06-13 Auditing Accounting Applications Processed by Service Organizations (1 of 2) In some instances, an entity may have some or all of its accounting transactions processed by an outside service organization. Because the entity’s transactions are subjected to the controls of the service It is not uncommon for service organizations to organization, one of the have an auditor issue auditor’s concerns is the one of two types of internal control system in reports on their place at the service operations. organization. Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-36 Learning Objective 06-13 Auditing Accounting Applications Processed by Service Organizations (2 of 2) Type 1 Report Describes the service organization’s controls and assesses whether they are suitably designed to achieve specified An auditor may internal control objectives reduce control risk below high only on the basis Type 2 Report of a service Goes further by providing assurance on auditor’s Type 2 the operating effectiveness of the service report. organization’s controls based on the auditor’s tests of controls Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-37 Learning Objective 06-14 Communication of Internal Control- Related Matters Exists when the design or operation of a control does not allow management or employees, in the Control normal course of performing their assigned Deficiency function, to prevent, or detect and correct, misstatements on a timely basis A deficiency, or a combination of deficiencies, in Significant internal control that is less severe than a material Deficiency weakness but is important enough to merit attention by those charged with governance A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable Material possibility that a material misstatement of the Weakness entity’s financial statements will not be prevented, or detected and corrected, on a timely basis Copyright © 2019 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education. 6-38

Use Quizgecko on...
Browser
Browser