Lecture Notes Chapter 8

Upload: branche-zhong

Post on 27-May-2017

Page 1: Lecture Notes Chapter 8

ACC5AAS Chapter 8 - Understanding and assessing internal control

Page 2

Auditing and Assurance Services in Australia 5e by Grant Gay and Roger Simnett

Audit strategy and internal control

‘Internal control’ is the process designed and implemented by those charged with governance, management and other personnel to provide reasonable assurance regarding the achievement of the entity’s objectives concerning financial reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations (ASA 315.4).

Page 3

Auditor’s requirements

The auditor’s assessment of the risk of material misstatement is affected by their understanding of the control environment (ASA315.25). The risk is considered at two levels:

◦ Financial report level: ‘. . . risks that relate pervasively to the financial report as a whole and potentially affect many assertions’ (ASA315.A118ff).

◦ Assertion level: the assessment ‘. . . assists in determining the nature, timing and extent of further audit procedures at the assertion level necessary to obtain sufficient appropriate audit evidence’ (ASA315.A122ff).

Page 4

Audit strategy

The auditor must consider the audit risk for each assertion for each significant account balance, class of transactions and disclosure, and reduce it to an acceptable level.

Internal control is designed and implemented to address business risks that threaten the (ASA315.A51):

◦ reliability of the entity’s financial reporting
◦ effectiveness and efficiency of the entity’s operations
◦ compliance with applicable laws and regulations.

Page 5

Control risk

Control risk is the risk that a material misstatement could occur in an assertion and not be prevented, or detected and corrected on a timely basis, by the entity’s internal control.

If control risk is assessed at less than high, tests of control must be performed to obtain evidence that the specific control activities relied on have been applied effectively and consistently throughout the period under audit.
◦ Tests of control are discussed in chapter 9.

Page 6

Internal control concepts

Responsibility for internal control

Achieving satisfactory internal control is initially a management responsibility, although ultimate responsibility rests with those charged with governance.

◦ Preventative controls are used to stop undesirable events or errors before they occur.
◦ Detection controls are used to identify events or errors after they have occurred.

Page 7

Inherent limitations of internal control

◦ control breakdowns as a result of the actions of careless or fatigued staff, or intentional collusion between staff
◦ the possibility of management override of controls
◦ the existence of non-routine transactions for which internal controls were not devised.

Note: the concept of reasonable assurance recognises that the cost to management of establishing and maintaining a control may outweigh the benefit of adopting it, so internal control cannot be expected to eliminate every misstatement.

Page 8

Internal control objectives

◦ Risks are identified and minimised.
◦ Management decision making is effective and business processes efficient.
◦ Transactions are carried out in accordance with management’s authorisation.
◦ Laws, rules and regulations are complied with.
◦ Transactions are promptly and accurately recorded.
◦ Access to assets is permitted only in accordance with management’s authorisation.
◦ Asset records are compared with existing assets at reasonable intervals.

Page 9

Management & transaction controls

Management controls focus on overall effectiveness and efficiency, e.g. establishing lines of authority, monitoring external and internal risks, etc.

Transaction controls deal mostly with the reliability of accounting information, e.g. recording transactions, checking for accuracy and the existence of recorded assets, etc.

Page 10

Characteristics of satisfactory internal control

◦ controls to monitor and minimise business risks
◦ segregation of incompatible duties and responsibilities
◦ a system of authorisation, recording and procedures adequate to provide control over assets, liabilities, revenues and expenses
◦ sound business practices such as pre-numbering of transactions and sequence checks
◦ personnel with capabilities commensurate with their responsibilities.

Page 11

Components of internal control (IC)

Five elements of IC are outlined in ASA315.14-23:

1. control environment
2. entity’s risk-assessment process
3. information system
4. control activities
5. monitoring of controls.

Page 12

1. Control environment

Includes governance and management’s overall attitude, awareness and actions regarding IC and its importance in the entity (ASA315.A76ff).

Auditors should consider:
◦ communication and enforcement of integrity and ethical values
◦ commitment to competence
◦ participation by those charged with governance
◦ management’s philosophy and operating style
◦ organisational structure
◦ assignment of authority and responsibility
◦ human resource policies and practices.

Page 13

2. Entity’s risk assessment process

Entity’s way of identifying and responding to business risks.

Once risks are identified, management needs to consider their significance and how they should be managed.

Management may introduce plans to address specific risks or it may accept a risk on a cost-benefit basis.

Page 14

3. Information system

An effective information system establishes the records and the methods that:
◦ identify and record all valid transactions
◦ resolve incorrect processing of transactions
◦ process and account for system overrides
◦ transfer information from transaction processing systems to the general ledger
◦ capture information relevant to financial reporting for events and conditions other than transactions
◦ present the transactions and related disclosures properly in the financial report.

Page 15

Audit trail

An important feature of the information system is the audit trail:

◦ Individual transactions can be traced forward through each step of the accounts to their inclusion in the financial report and, in the other direction, amounts in the financial report can be vouched or traced back to the original source documentation.

Main elements:
◦ Source documents: the initial records of transactions in the system. Processing usually creates a source document when a transaction is executed.
◦ Journal
◦ Ledger.
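The two directions of the audit trail described above, tracing forward (source document to ledger, which tests completeness) and vouching back (ledger to source document, which tests occurrence), as an added example that is not from the textbook. The three-tier model (source documents, journal entries that cite a document, ledger postings that cite a journal entry), the record layouts and the sample data are all constructed for illustration; the data is seeded with one document that never reached the journal, one journal entry with no supporting document, and one entry whose amount differs from its document.

```python
"""Audit trail: trace forward and vouch backward (added example, constructed data).

Assumed toy model (not from the textbook): source documents, a journal whose
entries reference a source document, and a ledger whose postings reference a
journal entry. A report balance is the sum of ledger postings per account.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceDoc:
    doc_id: str      # pre-numbered document, e.g. an invoice number
    amount: float
    description: str


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    doc_id: str      # reference back to the source document
    debit: str       # account debited
    credit: str      # account credited
    amount: float


@dataclass(frozen=True)
class LedgerPosting:
    account: str
    je_id: str       # reference back to the journal entry
    amount: float    # positive = debit, negative = credit


# Constructed sample data
SOURCE_DOCS = {
    "INV-1001": SourceDoc("INV-1001", 500.0, "Sale to customer A"),
    "INV-1002": SourceDoc("INV-1002", 250.0, "Sale to customer B"),
    "INV-1003": SourceDoc("INV-1003", 120.0, "Sale to customer C"),  # never journalised
}
JOURNAL = {
    "JE-1": JournalEntry("JE-1", "INV-1001", "Receivables", "Sales", 500.0),
    "JE-2": JournalEntry("JE-2", "INV-1002", "Receivables", "Sales", 205.0),  # digits transposed
    "JE-9": JournalEntry("JE-9", "INV-9999", "Receivables", "Sales", 900.0),  # no source document
}
LEDGER = [
    LedgerPosting("Receivables", "JE-1", 500.0), LedgerPosting("Sales", "JE-1", -500.0),
    LedgerPosting("Receivables", "JE-2", 205.0), LedgerPosting("Sales", "JE-2", -205.0),
    LedgerPosting("Receivables", "JE-9", 900.0), LedgerPosting("Sales", "JE-9", -900.0),
]


def trace_forward(doc_id):
    """Source document -> journal -> ledger. Returns the postings it produced.
    An empty list means the transaction never reached the ledger (completeness)."""
    je_ids = {je.je_id for je in JOURNAL.values() if je.doc_id == doc_id}
    return [p for p in LEDGER if p.je_id in je_ids]


def vouch_back(posting):
    """Ledger posting -> journal -> source document. Returns the document,
    or None if the chain is broken somewhere (occurrence)."""
    je = JOURNAL.get(posting.je_id)
    if je is None:
        return None
    return SOURCE_DOCS.get(je.doc_id)


def report_balance(account):
    """Financial report line: net of all ledger postings to the account."""
    return sum(p.amount for p in LEDGER if p.account == account)


def audit_trail_exceptions():
    """Run both directions over the whole population and collect exceptions."""
    unrecorded = sorted(d for d in SOURCE_DOCS if not trace_forward(d))
    unsupported = sorted({p.je_id for p in LEDGER if vouch_back(p) is None})
    mismatched = sorted(
        je.je_id for je in JOURNAL.values()
        if je.doc_id in SOURCE_DOCS and SOURCE_DOCS[je.doc_id].amount != je.amount
    )
    return {"unrecorded_docs": unrecorded,
            "unsupported_entries": unsupported,
            "amount_mismatches": mismatched}


if __name__ == "__main__":
    print(audit_trail_exceptions())
    print("Sales balance:", report_balance("Sales"))
```

The three exception lists map onto the assertions in slide 17: an unrecorded document is a completeness exception, an unsupported ledger entry is an occurrence exception, and an amount that differs from its document is an accuracy exception. Note that the back-references (`doc_id`, `je_id`) are what make the trail usable; if the system allowed a journal entry to be posted without one, vouching would be impossible for that entry.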

Page 16

4. Control activities

Policies and procedures established by management to ensure its directives are carried out.

Can pertain to:
◦ performance reviews (e.g. comparing actual with budget)
◦ information processing, in an information technology (IT) environment comprising general IT controls and application controls (discussed later in this chapter)
◦ physical controls (e.g. locked storerooms for inventory)
◦ segregation of duties (the most basic of which is to have different individuals responsible for the handling of assets and the keeping of records relating to those assets).
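Segregation of duties as it is actually checked in an accounting system, as an added example that is not from the textbook. The slide states the principle (custody of assets separated from record-keeping); in practice the check has two halves: a static review of who holds which entitlements against a list of incompatible pairs, and a review of actual transactions for the same person on both sides, which catches a self-approval that the entitlement matrix alone would not. The entitlement names, the incompatible-pair policy, the user assignments and the transaction log are all constructed for illustration; the developer/operator pair is included because it is the general IT control analogue of the same principle (slide 36).

```python
"""Segregation-of-duties check (added example, constructed data).

Assumed toy model: each user holds a set of entitlements; an assumed policy
lists pairs that one person must not hold together (custody vs. recording,
initiating vs. approving, changing programs vs. running them). A second check
looks at actual transactions for one person acting on both sides.
"""
from itertools import combinations

# Assumed policy: pairs of entitlements incompatible in one person's hands
INCOMPATIBLE = {
    frozenset({"receive_cash", "post_receivables"}),   # custody vs. record-keeping
    frozenset({"create_vendor", "approve_payment"}),   # set up a payee vs. pay it
    frozenset({"enter_journal", "approve_journal"}),   # initiate vs. approve
    frozenset({"change_program", "run_production"}),   # developer vs. operator
}

# Constructed entitlement assignments
ENTITLEMENTS = {
    "alice": {"receive_cash", "bank_deposit"},
    "bob":   {"post_receivables", "enter_journal"},
    "carol": {"approve_journal", "approve_payment"},
    "dave":  {"create_vendor", "approve_payment", "enter_journal"},  # toxic combination
    "erin":  {"change_program", "run_production"},                    # toxic combination
}

# Constructed transaction log: who entered and who approved each item
TRANSACTIONS = [
    {"id": "JE-101", "entered_by": "bob",   "approved_by": "carol"},
    {"id": "JE-102", "entered_by": "dave",  "approved_by": "carol"},
    {"id": "JE-103", "entered_by": "carol", "approved_by": "carol"},  # self-approval
    {"id": "JE-104", "entered_by": "bob",   "approved_by": None},     # never approved
]


def entitlement_conflicts(entitlements, incompatible=INCOMPATIBLE):
    """Static check: users holding an incompatible pair. Returns {user: [pairs]}."""
    conflicts = {}
    for user, perms in entitlements.items():
        hits = [tuple(sorted(pair)) for pair in incompatible if pair <= perms]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def transaction_exceptions(transactions):
    """Dynamic check: self-approved or unapproved transactions. Returns {id: reason}."""
    out = {}
    for tx in transactions:
        if tx["approved_by"] is None:
            out[tx["id"]] = "no approval recorded"
        elif tx["approved_by"] == tx["entered_by"]:
            out[tx["id"]] = "entered and approved by the same user"
    return out


def minimal_revocations(perms, incompatible=INCOMPATIBLE):
    """Smallest set of entitlements whose removal leaves the user conflict-free.
    Brute force over subsets; fine for the handful of entitlements one user holds."""
    perms = set(perms)
    for k in range(len(perms) + 1):
        for drop in combinations(sorted(perms), k):
            remaining = perms - set(drop)
            if not any(pair <= remaining for pair in incompatible):
                return set(drop)
    return perms


if __name__ == "__main__":
    print(entitlement_conflicts(ENTITLEMENTS))
    print(transaction_exceptions(TRANSACTIONS))
    for user in entitlement_conflicts(ENTITLEMENTS):
        print(user, "revoke:", minimal_revocations(ENTITLEMENTS[user]))
```

The static check is what an auditor reads off an access listing; the transaction check is what a walk-through or CAAT (slide 34) adds. Neither detects collusion between two users who each hold only one side of a pair, which is exactly the inherent limitation slide 7 names.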

Page 17

Control activities and assertions

Control activities can be related to financial report assertions:
◦ occurrence (e.g. authorisation and approval of transactions)
◦ completeness (e.g. accounting for the sequence of transactions)
◦ accuracy (e.g. checking dollar amounts back to supporting documentation)
◦ cut-off (e.g. independent review of transaction recording around balance date)
◦ classification (e.g. independent checking of account coding).

Page 18

5. Monitoring of controls

Monitoring of controls is a process to assess the effectiveness of the performance of internal control over time. It involves:
◦ evaluating the design and operation of controls
◦ taking corrective action where necessary.

Management may monitor controls through ongoing activities such as supervisory activities and/or separate evaluations.

In many entities internal auditors contribute to the monitoring process.

Page 19

Steps in the auditor’s consideration of internal control

Page 20

Steps in the auditor’s consideration of internal control (cont.)

Page 21

Understanding the control environment

An auditor gains an understanding of the control environment by:
◦ making inquiries of key management personnel
◦ inspecting documented policies and procedures
◦ observing activities and operations.

Page 22

Understanding the risk assessment process

The auditor needs to determine how management identifies business risks, estimates their significance, assesses their likelihood of occurrence and decides upon actions to manage them.

If the auditor identifies a risk of material misstatement that management failed to identify, they need to consider whether management should have identified it and, if so, why the risk assessment process failed.

Page 23

Understanding the information system

The auditor is required to obtain sufficient knowledge of the information system to understand:
◦ significant classes of transactions
◦ how transactions are initiated
◦ records, documents and accounts
◦ accounting processing
◦ financial reporting processes
◦ controls surrounding journal entries.

Being able to follow transaction flows (the audit trail) is an important technique in understanding the information system.

Page 24

Understanding monitoring of controls

The auditor is required to obtain an understanding of how the entity monitors internal control over financial reporting and initiates corrective actions.

In many entities, internal auditors contribute to the monitoring of an entity’s activities.

The auditor needs to obtain an understanding of the sources of the information related to the entity’s monitoring activities and the basis upon which management considers the information to be sufficiently reliable.

Page 25

Documenting the understanding of internal control

The auditor’s understanding may be documented using:
◦ internal control questionnaires and checklists
◦ narrative memoranda, i.e. written descriptions of internal control policies and procedures
◦ flowcharts.

Page 26

Assessing control risk

After obtaining an understanding of the five components of internal control, the auditor assesses control risk for the assertions in the related account balances, class of transactions or events and disclosures.

The auditor must decide whether to assess control risk for a particular assertion as high or as less than high.

Page 27

Assessment of control risk as high

The auditor may assess control risk as high because the entity’s internal control policies and procedures in the area:
◦ are poor and do not support a less than high assessment
◦ may be effective, but testing them would be more time-consuming than performing direct substantive tests
◦ do not pertain to the particular assertion.

Page 28

Assessing control risk at less than high

The auditor may decide to assess control risk as less than high when doing so improves audit efficiency.

If the auditor assesses control risk as less than high, the auditor must obtain sufficient evidence to support that level:
◦ First, the auditor identifies the specific control activities that are likely to prevent or detect material misstatements.
◦ Next, the auditor performs tests of controls to evaluate the operating effectiveness of those control activities.

This process is followed for each account balance or transaction class that is material to the financial report.

Page 29

Effect on design of substantive tests

Auditor’s assessment of control risk is used in planning substantive tests for the various assertions within the transaction classes or account balances.

The higher the level of assessed control risk, the lower the level of reliance placed on the internal control and the more assurance the auditor must obtain from substantive tests.

The impact of effective internal control on the nature, timing and extent of substantive tests will be discussed in chapter 10.

Page 30

Computerised systems

ASA315.18 requires the auditor to obtain an understanding of the information system, including the related business processes.

Many auditors now use the COBIT (Control Objectives for Information and related Technology) framework to identify how the business processes and the IT processes interrelate.

Page 31

The COBIT framework

While COBIT is an IT governance framework, it is also useful to auditors in obtaining an understanding of IT.

The COBIT framework is organised into four ‘domains’:
◦ planning and organisation: how the entity directs the deployment of IT resources and the delivery of services
◦ acquisition, implementation and maintenance: how the entity defines and analyses requirements for projects
◦ delivery and support: how the entity establishes physical and logical security to safeguard IT resources
◦ monitoring: how the entity reviews performance and corrects deviations from operational and procedural standards.

Page 32

The COBIT framework: threats

The COBIT framework identifies seven information criteria that the entity’s information must satisfy; a threat is anything that compromises one of them:
◦ availability
◦ confidentiality
◦ integrity
◦ effectiveness
◦ efficiency
◦ compliance
◦ reliability.

Page 33

Levels of control in computerised systems

Two main categories:

1. User controls—those controls established and maintained by departments whose processing is performed by computer.

2. IT controls—those controls established and maintained at the location of the computer, for example in data-processing departments.

Page 34

Use of CAATs (computer assisted audit techniques) in identifying controls

CAATs are used to help identify IT application controls.

CAATs are used to perform a ‘walk-through’ of a computer system: the auditor traces one or more transactions of each type through the system, identifying the related controls over the transaction.

The walk-through is run on a copy of the relevant data, using a copy of the production software on a system separate from the live accounting system, so that the data in the production system is not compromised.

Page 35

General and application controls

IT controls can be further divided into general and application controls:
◦ general controls are those controls that relate to a number of application systems
◦ application controls relate to a particular application.

User controls are always application controls.

Page 36

General controls (ASA315.A104)

General controls relate to all or many computerised accounting applications, e.g. controls over changes to application software.

General controls include:
◦ segregation of duties
◦ control over programs
◦ control over data.

Page 37

Application controls (ASA315.A105)

Application controls are manual or automated procedures that operate at a business process level and therefore apply to the processing of individual applications.

The reliance that can be placed on application controls often depends on the reliability of the general controls.

Application controls contribute to achievement of specific control objectives that the auditor considers in tests of controls.

Page 38

User controls

Control totals detect errors in input or processing. Generally there are three types:
◦ financial totals (the sum of a monetary field across the batch)
◦ record totals (the count of records in the batch)
◦ hash totals (the sum of a non-financial field, such as account numbers, which has no meaning except as a check).

Review and reconciliation of data by users.

Formal error correction and resubmission procedures.

Authorisation controls help ensure that only valid transactions and batches of transactions are processed.
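The three control totals above, together with the pre-numbering and sequence check from slide 10 (the completeness control of slide 17), applied to a batch before and after processing, as an added example that is not from the textbook. The record layout, the batch contents and the three processing defects (a dropped record, a transposed amount, a mis-keyed account number) are constructed for illustration, and the batch shows which total each defect moves. The closing `batch_digest` function is an assumed hardening, not on the slide: it adds a cryptographic digest over the canonical batch, because arithmetic totals are blind to a change that preserves every sum, and the example includes such a change to show it.

```python
"""Batch control totals and sequence check (added example, constructed data).

Assumed toy model: a user department submits a batch of pre-numbered payment
records with control totals computed before submission; after processing the
same totals are recomputed from what the system stored and compared.
"""
import hashlib
import json


def control_totals(records):
    """Financial total, record count and hash total over a batch."""
    return {
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "record_count": len(records),
        "hash_total": sum(r["account"] for r in records),  # sum of a non-financial field
    }


def sequence_check(records, first, last):
    """Pre-numbered documents: every number in [first, last] appears exactly once."""
    seen = [r["seq"] for r in records]
    expected = set(range(first, last + 1))
    return {
        "missing": sorted(expected - set(seen)),
        "duplicates": sorted({s for s in seen if seen.count(s) > 1}),
        "out_of_range": sorted(s for s in set(seen) if s not in expected),
    }


def reconcile(submitted, processed):
    """Compare control totals before and after processing; return only what moved."""
    before, after = control_totals(submitted), control_totals(processed)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


def batch_digest(records):
    """Assumed hardening (not on the slide): SHA-256 over the canonical batch.
    Sorting by sequence number makes the digest independent of record order."""
    canonical = json.dumps(sorted(records, key=lambda r: r["seq"]), sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed batch as submitted by the user department
SUBMITTED = [
    {"seq": 2001, "account": 40112, "amount": 150.00},
    {"seq": 2002, "account": 40250, "amount":  75.50},
    {"seq": 2003, "account": 40333, "amount": 300.00},
    {"seq": 2004, "account": 40777, "amount":  20.00},
]

# Constructed: what the system actually stored
#   record 2003 dropped                         -> record count and financial total move
#   2002 amount keyed as 57.50 not 75.50        -> financial total moves
#   2004 account keyed as 40717 not 40777       -> only the hash total moves
PROCESSED = [
    {"seq": 2001, "account": 40112, "amount": 150.00},
    {"seq": 2002, "account": 40250, "amount":  57.50},
    {"seq": 2004, "account": 40717, "amount":  20.00},
]

# Constructed: a change every arithmetic total misses
#   50.00 moved from record 2001 to record 2004 -> sums, count and hash total unchanged
SHIFTED = [
    {"seq": 2001, "account": 40112, "amount": 100.00},
    {"seq": 2002, "account": 40250, "amount":  75.50},
    {"seq": 2003, "account": 40333, "amount": 300.00},
    {"seq": 2004, "account": 40777, "amount":  70.00},
]


if __name__ == "__main__":
    print("moved totals:", reconcile(SUBMITTED, PROCESSED))
    print("sequence:", sequence_check(PROCESSED, 2001, 2004))
    print("shifted batch moves totals?", bool(reconcile(SUBMITTED, SHIFTED)))
    print("shifted batch changes digest?", batch_digest(SUBMITTED) != batch_digest(SHIFTED))
```

The point the reconciliation makes is that each total has a blind spot: the financial total cannot see the mis-keyed account number, the hash total cannot see the mis-keyed amount, and none of the three can see a value moved between two records in the same batch. Control totals are a detective control against accidental error; a user who can alter the batch after the totals are computed, which is what segregation of duties between the submitting department and data processing is meant to prevent, is not what they are designed to catch.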

Page 39

IT controls

Usually classified into the following categories:
◦ input controls
◦ file controls
◦ processing controls
◦ output controls.

Page 40

Relationship between general and application controls

The auditor should start by examining general controls.

If general controls are unreliable, the auditor has little confidence in programmed application controls and reduced confidence in manual application controls → the auditor takes a more substantive approach to the audit.

If general controls are reliable, the auditor makes a preliminary evaluation of application controls. If reliance on application controls is then planned, a more detailed evaluation of these controls is made → the auditor determines the appropriate degree of testing of controls and substantive testing.

Page 41

Considering the work of an internal auditor

An effective internal audit function can significantly strengthen the monitoring of controls.

ASA 610.A1 recognises that internal auditing may be useful to the external auditor, as it may affect audit risk and therefore the nature, timing and extent of audit procedures.

The extent of reliance depends on the external auditor’s evaluation of the internal audit function.
◦ Note: ASA610.6ff ‘Relationship between ASA315 & ASA 610’.

Page 42

Differences between an internal and an external auditor

While recognising the similarities between the external and internal audit functions, it is important to bear in mind the fundamental differences between them.

The following major differences can be identified:
1. objectives
2. independence
3. qualifications.

For external audit these elements are regulated by legislation; for internal audit they are determined by those charged with governance.

Page 43

External auditor evaluates the internal audit

ASA610.15ff requires that, when determining whether the work of the internal audit is likely to be adequate for external audit purposes, the external auditor must evaluate the internal audit’s:

1. Objectivity: the internal audit’s status in the entity.
2. Technical competence: whether internal auditing personnel have adequate technical training and proficiency.
3. Due professional care: whether internal auditing is properly planned, documented, supervised and reviewed.
4. Effectiveness of communication: whether there will be effective communication between internal audit and the external auditor.

Page 44

General evaluation

The external auditor is required to undertake a general evaluation of the internal audit function as part of the review of the client’s internal control.

ASA610.21-25 requires that an external auditor who relies on specific internal audit work to support an assessment of control risk must evaluate and test that work to ensure that it is adequate for external audit purposes.

Purpose of review is to determine whether the work of internal audit is appropriate and to ascertain whether adequate standards have been applied.

Internal auditing further considered in Ch. 14.

Page 45

Summary

The study and evaluation of internal control is an important aspect of a financial report audit.

The auditor must obtain a sufficient understanding of the entity’s internal control, including the internal audit function if applicable.

The auditor’s understanding of the internal control must be documented in the audit working papers through completed flowcharts, questionnaires and/or narrative descriptions.

The auditor then assesses control risk for each significant financial report assertion, performs tests of controls where control risk is to be assessed at less than high, and documents this assessment.

The external auditor may use the work of internal auditors.