Chapter 6

Internal Control in a Financial

Statement Audit

McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

Internal ControlManagement has the responsibility to maintain controls that provides reasonable assurance that adequate control exists over the entity’s assets and records.

The Internal Control System should:

-ensure that assets and records are safeguarded

-generate reliable information for decision making

The auditor needs assurance about the reliability of the data generated by the information system.

LO# 1

6-2

Internal Control

The auditor uses risk assessment procedures to

-obtain an understanding of the entity’s internal control

-identify the types of potential misstatements

-ascertain factors that affect the risk of material misstatement

-design tests of controls and substantive procedures

The auditor’s understanding of the internal control is a major factor in determining the overall audit strategy. The auditor has a responsibility to:

(1) obtain an understanding of internal control and

(2) assess control risk.

LO# 1

6-3

COSO’s Internal Control – Integrated Framework

Reliability of Financial Reporting

Effectiveness and Efficiency of Operations

Compliance with Laws and Regulations

Objectives

LO# 2

6-4

Controls Relevant to the Audit

Generally, internal controls pertaining to the preparation of financial statements for external purposes are

relevant to an audit.

Reliability of Financial Reporting

Effectiveness and Efficiency of Operations

Compliance with Laws and Regulations

Objectives

LO# 3

6-5

Controls Relevant to the Audit

Controls relating to operations and compliance objectives may be relevant when they relate to data the

auditor uses to apply auditing procedures.

Reliability of Financial Reporting

Effectiveness and Efficiency of Operations

Compliance with Laws and Regulations

Objectives

LO# 3

6-6

Components of Internal Control

Control Environment

Entity’s Risk Assessment

Process

Information System and Related Business Processes

Relevant to Financial Reporting and Communication

Control Activities

Monitoring of Controls

LO# 5

6-7

Components of Internal ControlLO# 5

6-8

Control EnvironmentLO# 5

Principle 1: The organization demonstrates a commitment to integrity and ethical values.

Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

6-9

The Entity’s Risk Assessment Process

The risk assessment process should consider external and internal events and circumstances that may arise and adversely affect the entity’s ability to initiate, record, process, and report

financial data consistent with management’s financial statement assertions.

Changes in the operating

environment

New personnel New or revamped information

systemsRapid growth

New technologyNew business

models, products, or activities

Corporate restructuring

International growth

New accounting pronouncements

Business risk can arise or change due to the following circumstances:

LO# 5

6-10

The Entity’s Risk Assessment Process

LO# 5

Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Principle 8 The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.

6-11

Control Activities

LO# 5

Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

- Performance Reviews- Physical Controls- Segregation of Duties- Information Processing Controls

Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.

Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

6-12

Information and Communication

LO# 5

Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

- Identify and record all valid transactions- Classify transactions properly- Measure the value of transactions properly- Record transactions in the proper period- Properly present transactions and disclosures

Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.

6-13

Monitoring of Controls

Monitoring of controls is a process that assesses the quality of internal control

performance over time.

LO# 5

Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Principle 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

6-14

Planning an Audit Strategy

Audit Risk Model

AR = IR × CR × DR

In applying the audit risk model, the auditor must assess control risk. The figure on the next slide presents a flowchart of the auditor’s decision process when considering internal control in planning an audit.

LO# 6

6-15

LO# 6

Planning an Audit StrategyFigure 6-3 Flowchart of the Auditor’s Consideration of Internal Control and Its Relation to

Substantive Procedures

6-16

Substantive Strategy

After obtaining an understanding of internal control, an auditor may choose to follow a substantive strategy and set

control risk at the maximum for some or all assertions because of one or all of the following factors:

Controls do not pertain to an assertion.

Controls are assessed as ineffective.

Testing the effectiveness of controls is

inefficient.

LO# 6

6-17

AssertionsLO# 6

6-18

Obtain an Understanding of Internal Control

Identify types of potential

misstatement

Design tests of controls and substantive procedures

Pinpoint the factors that affect the risk of material

misstatement

The auditor should obtain an understanding of each of the five components of internal control in order to plan

the audit. This knowledge is used to:

LO# 7

6-19

Documenting the Understanding of Internal Control

Procedure Manuals and Organizational

ChartsFlowcharts

Internal Control Questionnaires

Narrative Description

LO# 8

6-20

Example Information & DocumentationLO# 7

6-21

The Limitations of an Entity’s Internal Control

Override of Internal Control by Management

Human Errors or Mistakes

Collusion

LO# 8

6-22

Assessing Control RiskIdentify specific

controls that will be relied

upon.

Perform tests of controls.

Conclude on the achieved level of control risk.

LO# 9

6-23

Performing Substantive Procedures

LO# 11

6-24

Timing of Audit Procedures

Interim

Year End

Let’s look at the EarthWear Clothiers example again to see the timing of their audit

procedures.

LO# 12

6-25

Timing of Audit ProceduresA Timeline for Planning and Performing the Audit of EarthWear Clothiers

LO# 12

6-26

Interim Audit Procedures

Interim Tests of Controls

1. Assertion being tested not significant2. Control has been effective in prior audits3. Efficient use of staff time

Interim Substantive Procedures

1. Assertion probably has low control risk2. May increase the risk of material

misstatements 3. Still requires some year-end testing

LO# 12

6-27