acct3014 lecture04 s12013 unload
TRANSCRIPT
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
1/27
Business School
Auditing and Assurance
Assessing Business Risk
Internal Controls and Assessment
The University of SydneyBusiness School
WELCOME
ACCT3014 - Auditing and AssuranceSemester 1, 2013
Week 4 LectureMore on Planning the Audit, and the
importance of Internal Controls
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
2/27
2
Business Risk
Which of the following best describes Business Risk?
a) The risk that the financial errors contain material errorsb) The risk that the company will not achieve its objectivesc) The risk of the auditor forming the wrong opiniond) Economic factors that may cause cash outflows from the company
Which of the following is correct relating to risk?
a) Understanding BR is the responsibility of directors onlyb) Only internal auditors need to understand business risksc) External auditors should concern themselves with audit risk only
d) Auditors should identify significant risks to be covered in their auditwork
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
3/27
3
Lecture Outline
Linking of Business Risk to a key general ledger account What are Assertions and linking the Business Risk to the
applicable key account and then the relevant assertion
Internal Controls
What are they and why important Why is the Auditor required to evaluate Internal Controls
Linking Assertions to Internal Controls
Do the right internal controls exist, and
Test them to determine if the internal controls are effective
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
4/27
4
Business Risk Approach
Overall BR
External Factors (Industry, regulatory, economic) Internal Factors (Company's Objectives, Nature..) Assess Fraud Risk and Non-compliance with Laws etc
Some BR
Significant business risks may increase the risk of material
misstatement and these are the risks that the Auditor needsto address
InternalControls
Auditor needs to then understand Internal Controls andevaluate whether they address/minimise the BRs identified
as key by the Auditor
The BR Approach is about identifying significant BR and using appropriateaudit procedures to plan and conduct the audit.....its an iterative process
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
5/27
5
Business Risk and Audit Risk
Business Risk
Risk that an event/
Action could
adversely
Affect a company's
Ability to meet its
goals
Could lead to?
Material
Misstatement
Risk that the financial
Statements have
material/significant
Errors in them
Inherent Risk
The chance of
misstatements if no
internal controls
prevent it
Control Risk
Risk that the
Companys Internal
Controls will not
prevent or detect andcorrect errors
Material
MisstatementRisk that the financial
Statements have
material/significant
Errors in them
Inverse
relationship
Audit Risk: Risk that the Auditor gives an inappropriate audit opinionOn the Financial Statements that contain material misstatements
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
6/27
Link BR to Key Account
6
Indentify theBusiness Risk
Does the Risk
Apply to your
Client
If NoNo effect onAudit Plan
If Yes
What is the KeyAccount that may
be misstated?
An over or anunderstatementof the $
What key Assertion
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
7/27
What Are Assertions
Each Key account has a number of characteristics
The assertions assist both Management and the Auditor validate that the $associated with the key account meets all assertions applicable
For a Balance sheet account the priority of assertions will differ:
By example
Asset Inventory
Need to validate Existence and Valuation as a priority
Liability Accounts Payable
Need to validate Completeness and Valuation as a priority
For An Income Statement some of the assertions change
By example
Sales Existence becomes Occurrence
Valuation becomes accuracy
7
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
8/278
Balance Sheet Assertions
Assertion Definition Example
Existence Do Assets and Liabilities actuallyexist? Are they real? Importantwhen the Auditor believes that
there is a risk of overstatement
PPEInventory
Completeness Have the Assets & Liabilitiesbeen accounted for? Are yousure that they have beenrecorded?
Trade CreditorsAccruals
Valuation & Allocation Have the Assets, Liabilities and
Equity accounts been recordedat their correct amounts?
Provisions
IntangiblesAccounts Receivables
Rights and Obligations Are the recorded assets ownedby the client? Are the recordedliabilities commitments of theclient? Risk when the Auditorbelieves that A/L are not ownedby the client.
Inventory
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
9/279
Income Statement Assertions
Assertion Definition Example
Occurrence Did the revenue or expensetransaction actually take place?
Auditor concerned with the risk ofoverstatement where events arerecorded but did not actuallyoccur
Sales Revenue
Completeness Are you sure that revenues andexpenses have been recorded?Risk of understatement oftenwhen expenses incurred but notrecorded
RevenueExpenses
Accuracy Are the Revenues and Expenses
recorded at the correct amounts?
Complex discount terms
Foreign exchange calculations
Cut-Off Are transactions recorded in thecorrect accounting period?
Revenue
Classification Auditors tests whether revenueand expenses are recorded inproper accounts
All items but in particularexpenses as high risk incorrectlycapitalised
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
10/27
Assertions and Internal controls
Given Assertions are important to ensure Managements correct reportingof financial data in the financial statements, it is critical that company rulesare in place to achieve this goal.
Thus the rules, the Internal controls, are important to both Management(charged with the requirement to safeguard the assets and resources ofthe operation), and also the Auditor (charged to provide reasonableassurance as to the True and Fairness of Managements financial reports)
10
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
11/27
2. Planning activities
ASA 300/315
2.1 Obtain knowledge of the business
ASA 315 (including ASA 250)
2.1.1 Preliminary analytical procedures2.2 Appraisal of risks, includingf raud r isk
(ASA 240) going concern (ASA 570)ASA 315
2.3 Estimate of materiality
2.4 Review of control components2.4.1 Preliminary evaluation of control environment
2.5 Develop overall audit plan (i.e. develop an audit strategy)
in response to risks
ASA 330
2.5.1 Determine reliance on internal controls
2.5.2 Determine extent and nature of testing
2.5.3 Write audit plan2.6 Assignment of staff
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
12/27
The Committee of Sponsoring Organizations of the Treadway Commission(COSO) is a joint initiative of the five private sector organisations (USA)
dedicated to providing thought leadership through the development of
frameworks and guidance on enterprise risk management, internal control
and fraud deterrence...
19/12/2011 New Integrated Framework Released for Public Comments:
COSO Internal Control Framework
Compliments Google Images 28/2/2012
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
13/27
Internal Control=Management Responsibility
Management (not the auditor), must establish andmaintain the entity's control structure
Control structure aids management to ensure:
- irregularities are prevented or detected and corrected
- assets are safeguarded- financial records are accurately reflected
- adherence to management policies
- operational efficiency is promoted that preventsunnecessary duplication of effort
Because of its inherent limitations, an internal controlstructure cannot be regarded as completely effective,
regardless of the care taken in its design and
implementation
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
14/27
Mandated by ASA 315.12:
The auditor shall obtain an understanding of internal control relevant to the
audit.
The purpose (ASA 315.3) is to identify and assess the risks of materialmisstatement of the financial report, whether due to fraud or error, thereby
providing a basis for designing and implementing responses (i.e. audit
strategy in terms of timing, nature and extent of audit procedures) to the
assessed significant risks.
Why Auditors Study Entitys Internal Control
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
15/27
Some Key Concepts
1. Each company will have these rulesa) Some rules will be common across companies and some will be linked to
specialised activities
2. The rules need to change (updated or amended) as the companyactivities change.
1. Important if a new business division is started or acquired
2. IT systems change
3. If there are restructuring issues (staff sacked impacts segregation of duties)
3. A key rule segregation of duties costs money (more staff). So even if
the rule would protect assets or information, Management may decidenot to implement the rule based on a cost benefit analysis.
4. Both management and the external auditor need to know if a rule isworking. Having a rule but it not operating means the rule does notexist.
15
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
16/27
Internal Control (IC)
IC is designed and implemented to address (minimise) identifiedsignificant business risks. ASA 315.14-24 outlines the followingspecific components of IC:
- the control environment
- the entities risk assessment process
- the information system, including related business
processes
- control activities
- monitoring of controls
Auditors evaluation of IC must be documented (flow charts,
questionnaires, narrative).
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
17/27
Auditor considers: communication and enforcement of integrity and ethical values
commitment to competence
participation by those charged with governance
managements philosophy and operating style
organisational structure
assignment ofauthority and responsibility
human resource policies and practices
If Management do not obey or
override the ICs then staff
will follow this example
Control Environment - the tone at thetop(ASA315.14 and A69-A78)
Compliments Google Images 28/2/2012
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
18/27
Auditor obtains an understanding of:
classes of transactions
procedures (including IT) by which transactions are
initiated, recorded, processed, and reported in the
financial report
related accounting records
how the information system captures events/ conditions
other than classes of transactions
financial reporting processes used to prepare the
financial report
controls over journal entries, non-recurring/unusual
transactions, adjustments
Information System Including Related BusinessProcesses (ASA 315.18 and A81-A87)
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
19/27
Control Activities (ASA 315.20-21 and A88-A97)
Authorisation
Performance reviews
Information processing
Physical controls
Segregation of duties
Control activities are policies and procedures that help ensurethat management directives are carried out to address risks
that threaten the achievement of entity objectives
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
20/27
Independent Approval, Review, Checking or Recalculation
e.g., - Authorization of Purchase or Sales Invoices
- Recompilation of Arithmetic on Vouchers
- Subsequent Review of Individual Transactions
Matching of Independently Generated Documents
e.g., - Matching of Sales Invoices and Shipping Documents- Matching of Purchase Invoices and Receiving Reports
Prenumbering and Sequence Checking of Key Documents
e.g., - Prenumbered Shipping Documents, Sales Invoices, Cheques,
Vouchers, etc. Maintenance of Independent Control Totals
e.g., - Recording of Cash Receipts Total Before Banking
- Use of Batch Controls
- Use of Control Accounts
Examples of Basic Types of InternalControl Activities/Procedures
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
21/27
Comparison with Independent 3rd Party Information
e.g., - Bank Reconciliations
- Reconciling Suppliers Statements
Independent 3rd Party Confirmation
e.g., - Sending Statements to Customers
- Requests for Confirmation of Recorded Data
Cancellation of Documentation
e.g., - Immediate Endorsement of Incoming Cheques
- Defacing Spoiled or Cancelled Cheques
Segregation of Personnel, Operations and Assets
e.g., - Segregation of Duties Among Transactions Initiation, Approval and Recording
- Function Segregation
Timeliness of Operation
e.g., - Prompt Deposit of Cash Receipts
- Prompt Processing of Transactions
Examples of Basic Types of InternalControl Activities/Procedures
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
22/27
Client_________________________________________________________________Audit Date _________________________
Auditor ______________ Date Completed____________ Reviewed by ___________ Date Completed______________________
Objective (italic) and question Answer Remarks
Sales Yes No N/A
A. Recorded sales are for shipments actually made to non-fictitiouscustomers1. Is the recording of sales supported by authorised shipping
documents and approved customer orders?
B. Sales transactions are properly authorised.1. Is the customer's credit approved by a responsible official?2. Is a prenumbered written shipping order required for any
merchandise to leave the premises?3. Is an authorised price list used?
C. Existing sales transactions are recorded.1. Is a recoed of shipments maintained?2. Is the shipping document controlled from the office in a manner
that helps ensure that all shipments are billed?3. Are shipping documents prenumbered and accounted for?4. Are sales invoices prenumbered and accounted for?
D. Recorded sales are for the amount of goods ordered and arecorrectly billed and recorded.1. Is there independent comparison of the quantity on the
shipping document to sales2. IS there internal verification, extensions, pricing, and footing of
sales invoices?
3. Are monthly statements sent to customers?
E. Sales transactions are properly classified.1. Is there independent comparison of dates on shipping
documents to dates recorded?
F. Sales are recorded on a timely basis.1. Is there independent comparison of dates on shipping
documents to dates recorded?
G. Sales transactions are properly included in the subsidiary recordsand correctly summarised.1. Are journals independently footed and traced to the general
ledger and subsidiary records?2. Is there a monthly reconciliation of the accounts receivable
subsidiary records to the general ledger?
Pam Dilley examinesunderlying documentation
By Chulick
Prenumbered but not accountedfor additional substantivetesting required
By Pam Dilley, controlled byChulickBy Pam Dilley
All sales are on account andthere is only one sales account
There is a weakness in thesystem and additionalsubstantive testing required
Partial Internal Control Questionnaire for SalesWhat are the controls, and who is involved.
22
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
23/27
Monitoring of Controls (ASA 315.22-23 and A98-A104)
Auditor obtains an understanding of:- major activities the entity uses to monitor internal control over financial reporting,
including corrective actions
Monitoring is the process by which the entity monitors the
quality of internal controls over time Involves assessing the design and operation of controls on a
timely basis and taking the necessary corrective actions
Ongoing monitoring activities could include:
- internal audit- continual management review of exception and operation
reports
- review/response to customer complaints
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
24/27
The auditors emphasis is on identifying and
obtaining an understanding of control activities that
address the areas of significant risk, i.e. areas
where the auditor considers that material
misstatements are more likely to occur (i.e. IC
relevant to the audit as per ASA 315.A89).
i.e. mitigating controls
Internal Control Assessment(ASA 315.29 and A124-A126)
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
25/27
Lecture Discussion Question
For the following general business risks outline an internal control thatwould address/mitigate the identified significant risk:
(i) inventory being stolen
(ii) risk of non-collectability of individual customer (debtors/tradereceivables) balances
(iii) suppliers are being paid twice
(iv) employees are being paid for hours not actually worked?
-
8/22/2019 ACCT3014 Lecture04 s12013 Unload
26/27
Lecture Discussion Question
You are about to Audit Woolworths: Woolworths has more than 3,000 storesacross Australia, that span food, liquor, petrol, general merchandise, homeimprovement and hotels. Woolworths is a proud, home-grown Australianbusiness, employer of more than 195,000 people and committed businesspartner of many thousand local farmers, producers and manufacturers.
In your BR Approach for the following identified risks in Woolworths ,Determine a PRACTICAL Internal Control procedure that would
mitigate the risk:
Overpayment of overtime to casual employees
Inventory being stolen especially from loading docks and shelves
Payments being made twice to the same supplier(especially diary products)
A number of Terminated Full Time Employees are still being paid for afortnight after they have left Woolworths
http://www.woolworths.com.au/wps/wcm/connect/website/woolworths/about+us/contact+us -
8/22/2019 ACCT3014 Lecture04 s12013 Unload
27/27
What's on Next Week
The Easter Break-Enjoy it!Next Lecture: Tuesday 9 April, Angela is back Important topics to be covered:
Materiality
Audit Evidence, linking to ASSERTIONS and Procedures!
The reliability of audit evidence is influenced by its source and nature.For example, management may use a broker quote to support a fair
value measurement; however, when the quote is obtained from theinstitution that initially sold the instrument, this evidence may be lessobjective and may need to be supplemented with evidence from one
or more other brokers
www.ifac.org/download/staff_audit_practice_alert.pdf