Standards of Fieldwork (“PIE”) Intemal Control The auditor must obtain a sufficient + = understanding of the entity and its environment, sf [eA CPAexcel including its internal control, to assess the risk of material misstatement of the financial statements whether due to fraud or error, and to [ete design the nature, timing, and extent of further audit procedures. Tales gr Reelin Clarified Standards: Performance Clarified Standards: Performance Principle Principle To obtain reasonable assurance, which is a + Identifies and assesses risks of material high, but not absolute, level of assurance, the misstatement, whether due to fraud or auditor: error, based on an understanding the entity + Plans the work and properly supervises any and its environment, including the entity's assistants internal control + Determines and applies appropriate + Obtains sufficient appropriate audit materiality level(s) evidence about whether material misstatements exist Obtain an Understanding of I/C “Transaction Cycles” Basic responsibility — the auditor must Definition — “a group of fairly homogeneous obtain a “sufficient understanding” of internal transactions” control to properly plan the audit (specifically, fe Specific transaction cycles (thisis the focus of a separate section of the course materials): + Revenue/receipts + Expenditure/disbursements. + Payroll + Others: manufacturing inventory, f assets, and financing/investing activitiesDocumenting the Auditor’s Review Question Understanding of Internal Control Basic Responsibility — auditors must document their understanding of internal control relevant to audit planning, There are 3 ways to document that: 1. Flowcharts of major transaction cycles 2. Internal control questionnaires (ICQs) 3. Narrative write-ups (memos) “Walk through” — feedback, not evidence creas Internal Control Concepts 1 I, Review Phase ‘The auditor should obtain an initial understanding of internal controls and document that understanding, ‘A. The auditor obtains an understanding of internal control and the flow of documents related to the entity's transactions primarily through: 1, Inquiry of appropriate personnel; 2. Observation of client activities; 3. Review of documentation -- The auditor reviews relevant documentation, including the client's accounting manuals, prior-year's audit documentation (working papers), etc. B. The auditor's internal control analysis tends to focus on the entity's major transaction cycles. C. "Transaction cycle" -- Defined to be a group of essentially homogeneous transactions, that is, transactions of the same type. D. Implication -- A specific transaction cycle is the highest level of aggregation about which meaningful generalizations of control risk can be made, since control risk is constant within that transaction cycle. Each transaction within a specific transaction cycle is captured, processed, and recorded subject to the same set of internal control policies and procedures. E. Examples of typical transaction cycles -- Typical examples, include the following Revenue/receipts; Expenditures/disbursements; Payroll; RwUNe Financing/investing activities; and 5. Inventory, especially if inventory is manufactured, rather than purchased, F, Document the auditor's understanding -- The auditor should document that understanding of internal control, The extensiveness of the review and documentation varies with the circumstances (e.9., the emphasis on understanding internal controls increases if reliance on internal control is planned): 1, Flow charts of transaction cycles — A graphical depiction of the client's accounting systems for major categories of transactions with emphasis on the origination, processing, and distribution of important underlying accounting documents. a. Advantages -- A fairly systematic approach that is unlikely to overlook important considerations; tailored to client-specific circumstances; fairly easy for others to review and understand; and fairly easy to update from year to year.b. Disadvantages -- Can be rather tedious and time consuming to prepare initially although available commercial software today may eliminate much of that difficulty; the auditor might fail to recognize relevant internal control deficiencies by getting too absorbed in the details of documenting the client's system. To indicate a computer operation/process —> To indicate a document > DB To indicate off-line storage (e.g., filing) —> \s/ 2, Internal control questionnaires (ICQs) -- Questionnaires consisting of a listing of questions about client's control procedures and activities; a "no" answer is usually designed to indicate a control weakness, a, Advantages -- Generic questionnaires can be prepared in advance for clients in various industry categories with every conceivable question, so that no important question related to controls is likely to be omitted; deficiencies are easily identified by a client's "no" response to any question. b. Disadvantages -- Generic questionnaires are not tallored to client-specific circumstances and irrelevant questions are annoying to client personnel; the client personnel responding to the checklist of questions may conceal deficiencies by inaccurate answers without the auditor's knowledge, 3. Narrative write-ups -- A written memo describing the important control-related activities in the transaction cycles under consideration. a, Advantages -- Memos can be tailored to a client's unique circumstances, can be as detailed or general as desired, and are relatively easy to prepare (and easy for reviewers to read it) b. Disadvantages - It is relatively easy to overlook relevant internal control issues (strengths or weaknesses) because the analysis Is fairly unstructured, G. Perform a “walkthrough” -- The auditor may select a few transactions to trace them through the dlient's accounting system. The purpose is merely to get some feedback as to whether the auditor has accurately understood (and documented) the way the client entity is processing transactions. The walkthrough is not considered “evidence” or a form of documentation and should not be confused with "tests of control.” Flashcards Flashcard #1 (F¢7250) What is the purpose of performing a walkthrough? Obtain some feedback as to whether the way the auditor has understood (and documented) the entity's internal controls is consistent with the way the entity is actually processing such transactions. Flashcard #2 (Fc0490)Define transaction cycle. A group of essentially homogeneous transactions, that is, transactions of the same basic type. Flashcard #3 (Fco4s9) List the disadvantages of narratives (memos) to document the auditor's understanding of internal controls. 1. Writing such a memo is rather unstructured, lacking a systematic approach; 2. It may be rather easy to overlook relevant internal control issues. Flashcard #4 (Fcoass) List the advantages of narratives (memos) to document the auditor's understanding of internal controls. Tailored to client; Can be as detailed or as general as desired; Easy to prepare; Easy to read, Flashcard #5 (Fc0487) List the disadvantages of Internal Control Questionnaires (ICQs) to document the auditor's understanding of internal controls. 1. These are generic and not tailored to any client specificall 2. Irrelevant questions may annoy clients; 3. Client might conceal deficiencies by incorrect answers. Flashcard #6 (Fco486) List the advantages of Internal Control Questionnaires (ICQs) to document the auditor's understanding of internal controls. 1. Can have a standard form for many clients; 2. Deficiencies are easily indicated by "no" answers. Flashcard #7 (Fcoas5) List the disadvantages of flowcharts to document the auditor's understanding of internal controls. 1. Tedious and time consuming to initially prepare; 2, Might fail to recognize deficiencies by getting overly absorbed in details. Flashcard #8 (Fcoas4) List the advantages of using flowcharts to document the auditor's understanding of internal controls. 1, Systematic approach with emphasis on important accounting records 2. Tailored to client 3. Fairly easy for others to review and understand 4, Easy to update from year to year, Flashcard #9 (Fco4s3) Identify 3 ways auditors might document their 1. Flowcharts of transaction cycles; understanding of internal controls? 2. Internal control questionnaires; 3. Narrative write-ups (memos). Flashcard #10 (Fco4s2) Identify 3 procedures an auditor might perform to obtain 1. Inquiry of appropriate personnel an understanding of internal controls? 2. Observation of client's activities 3. Review entity's documentation of internal controls, Proficiency Questions Question #1 (290209) An advantage of preparing flow charts of transaction cycles relative to preparing written memoranda that flow charts by nature are less likely to permit overlooking important internal control considerations. True FalseQuestion #2 (90910) A disadvantage of preparing written memoranda relative to using flow charts to document the auditor's understanding of internal control is that such memoranda may be more difficult for supervisors to rey True False Question #3 (ra0911) The primary purpose for obtaining an understanding of internal control is to determine the nature, timing, and extent of further audit procedures, including tests of control and substantive procedures. True False Question #4 (200910) Management is responsible for designing and implementing the system of internal control. True False Question #5 (200905) The auditor primarily obtains the required understanding of internal control by performing tests of control. True False Question #6 (200907) The audi transai F can appropriately document the understanding of internal control by using flow charts of n cycles, completing internal control questionnaires, or by preparing written memoranda. True False Question #7 (290%) ‘An advantage of preparing flow charts of transaction cycles relative to using internal control questionnaires is that the flow charts are tailored to client-specific circumstances. True False Past Exam Questions Question #1 (aicpa.ss110sau0-Av) Which of the following is a management control method that most likely could improve management's ability to supervise company activities effectively? ‘A. Monitoring compliance with internal control requirements imposed by regulatory bodies. B. Limiting direct access to assets by physical segregation and protective devices,C. Establishing budgets and forecasts to identify variances from expectations. D. Supporting employees with the resources necessary to discharge their responsibilities. Question #2 (aicea.950s24auo-au) ‘The primary objective of procedures performed to obt structure is to provide an auditor with an understanding of the internal control Knowledge necessary for audit planning. Evidential matter to use in assessing inherent risk. A basis for modifying tests of controls. oogeP An evaluation of the consistency of application of management's policies. Question #3 (aicea.s41115auD-AU) h of the following documentation is not required for an audi auditing standards? accordance with generally accepted A. Awritten audit plan setting forth the evidence gathering procedures necessary to accomplish the audit's objectives. B. An indication that the accounting records agree or reconcile with the financial statements. C. A flowchart of each major transaction cycle documenting the origination and processing of important accounting records. D. Aclient engagement letter that summarizes the timing of the auditor's planned field work and identifies the respective responsibilities of the auditor and the entity's management, among other matters. Question #4 aicra.s40s21auo-av) ‘When obtaining an understanding of an entity's internal control procedures, an auditor should concentrate on the substance of the procedures, rather than their form, because ‘The procedures may be operating effectively but may not be documented. Management may establish appropriate procedures but not enforce compliance with them. ‘The procedures may be so inappropriate that no reliance is contemplated by the auditor. gogeP Management may implement procedures whose costs exceed their benefits. Question #5 _aicra.s40518au0-au) An auditor's flowchart of a client's accounting system is a diagrammatic representation that depicts the auditor's Assessment of control risk. Identification of weaknesses in the system. Assessment of the control environment's effectiveness. gogP Understanding of the system. Question #6 (aicra.sa1116au0-Av) An advantage of using systems flowcharts to document information about internal control, instead of using internal control questionnaires, is that systems flowcharts Identify internal control weaknesses more prominently. A B. Provide a visual depiction of clients’ activities. C. Indicate whether control procedures are operating effectively. D. Reduce the need to observe clients' employees performing routine tasks.Question #7 (aicra.s20555AUD-AU) Decision tables differ from program flowcharts in that decision tables emphasize Ease of manageability for complex programs. Logical relationships among conditions and actions. Cost benefit factors justifying the program A B. c. D. ‘The sequence in which operations are performed. Question #8 (aicpa.so114sau0-Av) In planning an audit of certain accounts, an auditor may conclude that specific procedures used to obtain an understanding of an entity's internal control structure need not be included because of the auditor's judgments about materiality and assessments of Control risk. Detection risk. ‘Sampling risk. gog> Inherent risk. Question #9 (aicea.s011430u0-Av) An auditor's primary consi procedures is whether they leration regarding an entity's internal control structure polici Prevent management override. Relate to the control environment. Reflect management's philosophy and operating style. gogP Affect the financial statement assertions. Question #10 (aicra.:207070U0) Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been Authorized, Implemented Tested, gop Monitored. Proficiency Question Answers Question #1: True Question #2: False Question #3 : True Question #4: True Question #5 : False Question #6 : True Question #7 : True Past Exam Question AnswersQuestion #1 (aicea.s51106AuD-AU) A. The use of budgets and forecasts to compare planned and actual results will enable management to supervise more effectively than the other controls listed. It provides a means for management to establish expectations, to compare them to actual results, and then to follow up in areas where significant differences appeared. Monitoring compliance with regulatory requirements, limiting access to assets, and providing adequate support are important to the successful operation of the business but they do not necessarily help management to supervise more effectively, B. The use of budgets and forecasts to compare planned and actual results will enable management to supervise more effectively than the other controls listed. It provides a means for management to establish expectations, to compare them to actual results, and then to follow up in areas where significant differences appeared. Monitoring compliance with regulatory requirements, limiting access to assets, and providing adequate support are important to the successful operation of the business but they do not necessarily help management to supervise more effectively. C. (Correct!) The use of budgets and forecasts to compare planned and actual results will enable management to supervise more effectively than the other controls listed. It provides a means for management to establish expectations, to compare them to actual results, and then to follow up in areas where significant differences appeared. Monitoring compliance with regulatory requirements, limiting access to assets, and providing adequate support are important to the successful operation of the business but they do not necessarily help management to supervise more effectively D. The use of budgets and forecasts to compare planned and actual results will enable management to supervise more effectively than the other controls listed. It provides a means for management to establish expectations, to compare them to actual results, and then to follow up in areas where significant differences appeared. Monitoring compliance with regulatory requirements, limiting access to assets, and providing adequate support are important to the successful operation of the business but they do not necessarily help management to supervise more effectively. Question #2 (aicea.s50sz4auo-av) ‘A. (Correct!) The auditor is required to gain a sufficient understanding of the entity and its environment, including the internal control structure in order to determine the nature, timing, and extent of the tests to be performed. In reviewing internal control, the auditor first considers the design of controls relevant to a financial statement audit and whether such controls are in operation, Control risk is then assessed for the various financial statement assertions. Based upon the understanding of the internal control and the assessed control risk, the auditor can determine the auditing procedures to be performed. B. Obtaining an understanding of internal control provides an auditor with information relevant to assessing control risk, not inherent risk. Inherent risk is the susceptibility of an assertion to a material misstatement, without considering internal controls. It would be assessed by examining such factors as the nature of the account, technological developments, and the state of the industry. C. Tests of controls are performed in order to support a reduction in assessed control risk. While the specific tests of controls to be performed would be based at least in part upon an initial understanding of the internal control structure, the primary objective of performing procedures to gain an understanding would not be to provide a basis for modifying tests of controls. D. The primary objective of procedures performed to obtain an understanding of internal control is to provide an auditor with the knowledge necessary for audit planning. They would not provide an evaluation of the consistency of application of management's policies. Such an evaluation would be obtained via the performance of tests of controls. Further, the auditor would only be concerned with those management policies (internal controls) that were relevant to a financial statement audit. Question #3 aicpa.ss1115av0-Au) A. Awritten audit program (referred to as the audit plan) is required by GAAS. B, The auditor must document the reconciliation or agreement of the accounting records with the financial statements, C. (Correct!) Auditors are required to document their understanding of the entity's internal control. However, there are several ways that understanding might be documented and the auditor is not limited to the preparation of flowcharts. D. The auditor is required to establish a written understanding with the client regarding the services to be performed for the audit engagement. Question #4 (aicpr.ssosz1avo-Av) A. The auditor is concerned about the effectiveness of the control and its ability to prevent or detect material misstatements in the financial statements. If the procedures are operating effectively, even though they are not documented, the auditor's objectives are served. Note, however, that if the controls are not documented, the auditor may be unaware of them. B. (Correct!) Internal controls may have been placed in operation, yet may not be effective because they are not properly acted upon. The auditor is concerned about the effectiveness of the control and its ability to prevent or detectmaterial misstatements in the financial statements. As a result, the auditor must focus on the substance of the control rather than the form, C. The auditor needs to obtain an understanding of the internal control system in order to plan the audit. In gaining the understanding, the auditor will determine which procedures are relevant to specific financial statement assertions (i.e., are appropriate) and will consider whether to rely on such procedures. The auditor does not gain an understanding because some procedures are inappropriate but in order to determine whether they are appropriate. D. The auditor is not specifically concerned as to whether the costs of implemented procedures exceed their benefits. Rather the auditor is required to gain an understanding of the internal controls in order to plan the audit. If the auditor believes that the costs of certain controls exceed their benefits, recommendations pertaining to those controls may be made in the management letter. Question #5 (aicpa.ssosisauo-av) ‘A. The auditor's assessment of control risk is a judgment call that would not customarily be pictorially presented in a flowchart. The auditor must document the basis for his/her conclusions about the assessed level of control risk. The nature and extent of such documentation are dependent upon the entity, its control structure, and the control assessment. B. A flowchart is a pictorial representation that utilizes a standard set of symbols to demonstrate the transaction processing procedures and accompanying data flow in an information system. It enables the auditor to summarize his/her understanding of the system in a clear, concise, and logical manner. While it allows the auditor to identify weaknesses in the system, such identification would not be the primary purpose of the flowchart. C. The auditor's assessment of the control environment’s effectiveness is a judgment call that would not customarily be pictorially presented in a flowchart, The auditor must document the basis for his/her conclusions about the effectiveness of the control environment and the related assessment of control risk, The nature and extent of such documentation are dependent upon the entity, its control structure, and the control assessment. D, (Correct!) A flowchart is a pictorial representation that utilizes a standard set of symbols to demonstrate the transaction processing procedures and accompanying data flow in an information system. It enables the auditor to summarize his/her understanding of the system in a clear, concise, and logical manner, Question #6 (aicra.931116auD-Au) A. Both internal control questionnaires and systems flowcharts may be used to identify internal control weaknesses. Internal control questionnaires probably display such weaknesses more prominently in that every "No" answer is a weakness. B. (Correct!) Systems flowcharts are "pictures" of processing activities. They provide a visual depiction of clients! activities. Internal control questionnaires provide responses to specific questions about internal control activities. They do not necessarily provide a description about the full scope of the processing activities. C. Neither internal control questionnaires nor systems flowcharts can tell the auditor whether controls are operating effectively. The auditor would have to observe or test such controls to obtain this information. D. Neither internal control questionnaires nor systems flowcharts would reduce the need to observe client employees Performing routine tasks. This is a test performed to help ascertain whether effective internal controls are in place. Question #7 aicra.s20sssauo-Av) ‘A. A decision table presents in tabular form the conditions and alternative actions related to making a particular decision. It emphasizes logical relationships (decision rules) among the conditions and actions. It does not make managing complex programs easier. B. (Correct!) A decision table presents in tabular form the conditions and alternative actions related to making a particular decision. It emphasizes logical relationships (decision rules) among the conditions and actions. C. A decision table presents in tabular form the conditions and alternative actions related to making a particular decision. It emphasizes logical relationships (decision rules) among the conditions and actions. It does not emphasize cost-benefit, factors. D. A decision table presents in tabular form the conditions and alternative actions related to making a particular decision. It emphasizes logical relationships (decision rules) among the conditions and actions. Program flowcharts emphasize the sequence in which operations are performed Question #8 (aicpa.so1s44au0-Av) A. The control risk assessment occurs after an understanding of internal controls is obtained. It could not be used, therefore, to justify skipping the procedures used to obtain an understanding of internal control. B. Detection risk is the risk that the auditor will not detect a material misstatement. The auditor does not assessdetection risk; the auditor controls detection risk through the selection of the auditing procedures to be performed. C. Sampling risk is the risk that the sample drawn is not representative of the population. Sampling is performed to obtain samples for tests of controls and substantive tests. Both would be performed after obtaining an understanding of internal control. Sampling risk, therefore, would not be used to justify skipping the procedures used to obtain an understanding of internal control. D, (Correct!) If the auditor has concluded that an account is immaterial and that inherent risk is low, the auditor might decide to skip the procedures used to obtain an understanding of the related internal controls because the risk of a material misstatement occurring is low. This is really a rather tricky question because GAAS require the auditor to obtain an understanding of the internal control structure sufficient to plan the audit. In the case of immateriality combined with low inherent risk, the auditor does not need to understand the internal controls specifically related to the account in order to plan the audit. Question #9 (aices.s011434u0-av) ‘A. The ability of management to override the existing internal control system is an inherent limitation of every internal control structure, The auditor's primary consideration, therefore, of an internal control structure's policies and procedures would not be whether they prevent management override. The primary concern is whether the controls affect the financial statement assertions. B. The auditor does consider the effectiveness of the control environment but it is not the primary consideration pertaining to internal control. The auditor's objective is to issue an opinion on the financial statements, As a result, the auditor is primarily concerned about controls that impact the financial statement assertions. C. Although the auditor will consider management's philosophy and operating style and their potential impact on the internal control structure, that would not be the primary consideration related to internal controls. The auditor's objective is to issue an opinion on the financial statements. As a result, the auditor is primarily concerned about controls that impact the financial statement assertions. D. (Correct!) The auditor is primarily interested in whether an entity's internal controls affect the financial statement assertions. Specifically, the auditor is interested in the policies and procedures that pertain to an entity's ability to record, process, summarize, and report financial data consistent with the assertions embodied in the financial statements. Question #10 (icea.:207070u0) A. Obtaining an understanding of the "design" of internal control does not encompass verifying whether control procedures have been properly "authorized." B, (Correct!) Obtaining an understanding of an entity's internal controls over financial reporting Involves evaluating the design of relevant controls and determining whether they have been implemented (sometimes referred to as "placed into operation"). C. Obtaining an understanding of the "design" of internal control does not encompass verifying whether control procedures have been "tested." D. Obtaining an understanding of the "design" of internal control does not encompass verifying whether control procedures have been properly "monitored."