Chapter 6 Internal Control in a Financial Statement Audit

LO 1 Introduction

A. The Importance of Internal Control to Management

Management has the responsibility to design and maintain a system of internal
control that provides reasonable assurance that assets and records are properly
safeguarded, and that the entity's information system generates information
that is reliable for decision making.
- Management is responsible for providing and maintaining adequate controls
over the entity's assets and records.
- Strong internal controls ensure that assets and records are properly
- Management needs a control system that generates reliable information to
make informed decisions about issues such as pricing, cost, and profit.

B. The Importance of Internal Control to Auditors

Auditors need assurance about the reliability of the data generated by the
information systems. The auditor uses risk assessment procedures to:
- Obtain an understanding of the entity's internal control, then
- Identify key controls and types of potential misstatements, then
- Ascertain (identify) the factors that affect the ROMM, and
- Design tests of controls and substantive procedures.
There is an inverse relationship between the reliability of internal control and
the amount of substantive evidence required of the auditor.
The auditor's understanding of the internal control is a major factor in
determining the overall audit strategy. The auditor's responsibilities for
internal control include:
(1) obtaining an understanding of internal control, and
(2) assessing control risk.

LO 2 Definition of Internal Control

A. According to COSO's Internal Control-Integrated Framework, internal control
is designed and carried out by an entity's board of directors, management, and
other personnel to provide reasonable assurance about the achievement of the
entity's objectives in the following categories:
1. Reliability, timeliness, and transparency of internal and external, financial
and nonfinancial reporting;
2. Effectiveness and efficiency of operations, including safeguarding of assets;
3. Compliance with applicable laws and regulations.

B. An effective system of internal control allows management to focus on
operations and financial performance goals while maintaining compliance with
relevant laws and minimizing surprises.

LO 3 Control Relevant to the Audit

Irrelevant controls:
- Controls related to management's planning
- Controls related to management's operating decisions
Relevant controls:
The controls of most direct relevance to a financial statement audit are those
that contribute to the reliability, timeliness and transparency of external
financial reporting. These controls help to prevent, or detect and correct,
material misstatements in the financial statements.
Controls relating to operations and compliance objectives may be relevant when
they have an impact on the data the auditor uses to apply auditing procedures.

LO 4 The Effect of Information Technology on Internal Control

Information technology affects the way transactions are initiated, authorized,
recorded, processed and reported.
An entity's system of internal control includes a combination of manual and
automated controls; the mix varies with the nature and complexity of the IT
system.
Risks depend on the nature and characteristics of the entity's information system.
A lack of control at one data entry point causes rippling effects for others.
Segregation of duties can be managed through security controls for users. A user
should only have access to data entry and modification of duties in which they

Benefits of an IT system (note that an IT system cannot make judgments):
- Consistent application of predefined business rules
- Enhancement of timeliness, availability, and accuracy
- Improved analysis and reporting of information
- Ability to monitor entity performance
- Reduction in the risk that controls will be circumvented
- Enhancement of segregation of duties and security controls
Risks of an IT system:
- Reliance on the system
- Unauthorized access that may cause harm to the entity
- Unauthorized changes to master files
- Unauthorized changes to systems
- Failure to make system changes
- Inappropriate manual intervention
- Potential loss of data

LO 5 The COSO Framework (CRIME)

Components of Internal Control
a. Internal control as defined by the COSO framework consists of 5 components:
1. The Control environment sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure.
2. The entity's Risk assessment process
3. The Information system and related business processes relevant to
financial reporting and communication
4. Monitoring of controls
5. Existing control activities

A. Control Environment (includes the tone of an organization)

a. The importance of controls to an entity is reflected in the overall attitude
(control consciousness), awareness and actions of the BOD, management
and owners regarding control. It is the foundation for all other components,
providing discipline and structure.
b. Principles that affect the control environment:

Principle 1: The organization demonstrates a commitment to integrity
and ethical values - the effectiveness of an entity's internal controls is
influenced by the integrity and ethical values of the individuals
(management) who create, administer, and monitor the controls.

Principle 2: The BoD demonstrates independence from management
and exercises oversight of the development and performance of
internal control - the board and audit committee must take their fiduciary
responsibilities seriously and actively oversee the entity's accounting and
reporting policies and procedures. Factors that can impact the effectiveness of
the board or audit committee include the following:
-Experience and stature of members and independence from
-Extent of involvement with and scrutiny of the entity's activities
-Information availability and willingness/ability to act on
-Extent to which difficult questions are raised and pursued with
-Nature and extent of interactions with internal and external

Principle 3: Management establishes, with board oversight,
structures, reporting lines, and appropriate authorities and
responsibilities in the pursuit of objectives - an entity's organizational
structure defines how authority and responsibility are delegated and
monitored. The appropriateness of an entity's organizational structure
depends on:
-size of activities
-nature of activities
-external influences (e.g. regulation)

Principle 4: The organization demonstrates a commitment to attract,
develop, and retain competent individuals in alignment with
objectives - the quality of internal control directly relates to the personnel
operating the system. The entity should have personnel policies for: hiring,
orienting, training, evaluating, counseling, promoting, compensating,
planning succession, and taking remedial action. Management should
specify the competence level for a particular job and translate it into the job

Principle 5: The organization holds individuals accountable for their
internal control responsibilities in the pursuit of objectives.
-Management and the board are responsible for establishing
mechanisms to communicate and hold individuals accountable for
performance of internal control responsibilities across the
organization and for implementing corrective action as necessary.
-Management and the board establish incentives and rewards
reflecting standards of conduct. Incentives should align with short-term and
long-term objectives.

B. The entity's risk assessment process

a. An entity's risk assessment process is its process for identifying and
responding to business risks. This process includes how management
identifies risks relevant to the preparation of financial statements. For each
identified risk, management must:
- Estimate its significance,
- Assess the likelihood of its occurrence, and
- Decide how to manage it.
b. The risk assessment process should consider external and internal events and
circumstances that may arise and adversely affect the entity's ability to
initiate, authorize, record, process and report financial data consistent with
the assertions of management in the F/S.
c. Once risks have been identified, management should consider their
significance, the likelihood of their occurrence and how they should be
6. Principle 6: The organization specifies objectives with sufficient clarity to
enable the identification and assessment of risks relating to objectives.
-Internal control objectives are organized into three categories in the COSO
Framework: operations, compliance, and reporting.
-In the area of external reporting, management must ensure:
-specified objectives including reporting consistent with GAAP when
-in light of materiality considerations
-include faithful reflection of underlying transactions and events,
including important qualitative characteristics (relevance and faithful

7. Principle 7: The organization identifies risks to the achievement of its objectives
across the entity and analyzes risks as a basis for determining how the risks should
be managed.
-An entity's risk assessment process should consider the possibility of events that
threaten the achievement of objectives.
-The entity needs to establish its tolerance for accepting risks and its ability to
operate within those risk levels.
8. Principle 8: The organization considers the potential for fraud in assessing risks
to the achievement of objectives.
-Assessment of fraud risk includes incentives and pressure, opportunity, and
9. Principle 9: The organization identifies and assesses changes that could
significantly impact the system of internal control.

Existing Control Activities (approvals, authorizations, verifications, reconciliations, etc.)

a. Control activities are the policies and procedures that help ensure that
management's directives are carried out and are implemented to address risks
identified in the risk assessment process.

10. Principle 10: The organization selects and develops control activities that
contribute to the mitigation of risks to the achievement of objectives to acceptable
b. Control activities are commonly categorized into the following four types:

Performance reviews
A strong accounting system should have controls that independently
check the performance of the individuals or processes in the system.

Physical controls include:
- physical security of assets, including adequate safeguards such as
secured facilities over access to assets and records
- authorization for access to computer programs and data files
- periodic counting and comparison (reconciliation) with amounts
shown on control records (e.g. comparing the results of cash, security
and inventory counts with accounting records)

Segregation of duties
AUTHORIZATION of transactions vs. RECORDING of
transactions vs. CUSTODY of the related assets.
Independent performance of each of these functions reduces the
opportunity for any one person to be in a position to both
perpetrate and conceal errors or fraud in the normal course of his
or her duties.
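As an added example (not from the textbook or these notes), the following Python script shows how the authorization / recording / custody separation described above can be checked mechanically over a user access listing, which is how the "security controls for users" approach to segregation of duties mentioned under LO 4 is usually enforced in practice. The entitlement names, business cycles and users are constructed for illustration and are not from any real system.

```python
"""
Segregation-of-duties (SoD) conflict check over user entitlements.

Added example, not from the textbook or notes. The entitlement catalog,
business cycles and the access-review extract below are constructed.
"""
from collections import defaultdict
from itertools import combinations

# The three functions the notes say must be kept apart.
AUTHORIZE, RECORD, CUSTODY = "authorize", "record", "custody"

# Hypothetical catalog: each application entitlement is classified by the
# business cycle it belongs to and which of the three duties it grants.
ENTITLEMENT_CATALOG = {
    "ap.invoice.approve": ("purchasing", AUTHORIZE),
    "ap.invoice.enter":   ("purchasing", RECORD),
    "ap.payment.release": ("purchasing", CUSTODY),
    "ar.credit.approve":  ("revenue", AUTHORIZE),
    "ar.invoice.post":    ("revenue", RECORD),
    "ar.cash.receive":    ("revenue", CUSTODY),
    "gl.journal.approve": ("general ledger", AUTHORIZE),
    "gl.journal.post":    ("general ledger", RECORD),
}


def duties_by_cycle(entitlements, catalog=ENTITLEMENT_CATALOG):
    """Map cycle -> set of duties one user can perform in that cycle.

    Entitlements missing from the catalog are returned separately, so an
    unclassified access right is never silently treated as harmless.
    """
    cycles = defaultdict(set)
    unclassified = []
    for ent in entitlements:
        if ent in catalog:
            cycle, duty = catalog[ent]
            cycles[cycle].add(duty)
        else:
            unclassified.append(ent)
    return cycles, unclassified


def find_sod_conflicts(user_entitlements, catalog=ENTITLEMENT_CATALOG):
    """Return {user: [(cycle, (duty_a, duty_b)), ...]} for every user who
    holds two or more of authorize/record/custody within the same cycle.
    Holding the same duty in two different cycles is not a conflict."""
    conflicts = {}
    for user, ents in user_entitlements.items():
        cycles, _ = duties_by_cycle(ents, catalog)
        found = []
        for cycle, duties in sorted(cycles.items()):
            for pair in combinations(sorted(duties), 2):
                found.append((cycle, pair))
        if found:
            conflicts[user] = found
    return conflicts


# Constructed sample access-review extract (user -> entitlements held).
SAMPLE_ACCESS = {
    "alice": ["ap.invoice.enter", "ar.invoice.post"],          # records in two cycles: no conflict
    "bob":   ["ap.invoice.approve", "ap.invoice.enter"],       # authorize + record in purchasing
    "carol": ["ar.credit.approve", "ar.invoice.post",
              "ar.cash.receive"],                              # all three duties in revenue
    "dave":  ["gl.journal.post", "hr.payroll.view"],           # one classified, one unknown
}

if __name__ == "__main__":
    for user, items in find_sod_conflicts(SAMPLE_ACCESS).items():
        for cycle, (a, b) in items:
            print(f"{user}: holds {a} and {b} in the {cycle} cycle")
    _, unknown = duties_by_cycle(SAMPLE_ACCESS["dave"])
    print("entitlements not in the catalog for dave:", unknown)
```

The script reports bob (authorize + record in purchasing) and carol (all three duties in revenue) as conflicts, while alice, who only records in two different cycles, is clean. Dave's unclassified entitlement is surfaced rather than ignored, because an access right the review cannot classify is exactly the kind of gap that lets a conflict go unnoticed.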

Information processing controls (including authorization and document-based
controls)
These controls check the accuracy, completeness and authorization of
transactions. There are two broad categories of information system
- General controls - relate to the overall information processing environment and
include controls over data center and network operations.
- Application controls - apply to the processing of individual applications and
help ensure the occurrence (validity), completeness and accuracy of transaction
processing.

11. Principle 11: The organization selects and develops general control activities
over technology to support the achievement of objectives.
-General controls: relate to the overall information processing environment and
include controls over data center and network operations; system software
acquisition, change and maintenance; access security; and application system
acquisition, development, and maintenance.
-Application controls: apply to the processing of individual applications and help
ensure the occurrence (validity), completeness, and accuracy of transaction
12. Principle 12: The organization deploys control activities through policies that
establish what is expected and procedures that put policies into action.
-policy: a rule or guideline that calls for certain activities to take place in certain
-procedure: the review itself, performed in a timely manner and with attention
given to factors set forth in policy, such as the nature and volume of purchases,
and their relation to furthering the entity's objectives.
D. Information System and Communication
a. Information is necessary for the entity to carry out the internal control
responsibilities that support the achievement of its objectives.

13. Principle 13: The organization obtains or generates and uses relevant, quality
information to support the functioning of internal control.

-The information system relevant to the financial reporting objectives includes the
accounting system and consists of the procedures and records established to
initiate, authorize, record, process, and report an entity's transactions and to
maintain accountability for the related assets and liabilities. An effective
accounting system gives appropriate consideration to establishing methods and
records that will:
- Identify and record all valid transactions
- Describe on a timely basis the transactions in sufficient detail to permit
proper classification of transactions for financial reporting
- Measure the value of transactions in a manner that permits recording their
proper monetary value in the financial statements (F/S)
- Determine the time period in which transactions occurred to permit
recording of transactions in the proper accounting period
- Properly present the transactions and related disclosures in the financial

14. Principle 14: The organization internally communicates information, including
objectives and responsibilities for internal control, necessary to support the
functioning of internal control.

15. Principle 15: The organization communicates with external parties regarding
matters affecting the functioning of internal control.

E. Monitoring of Controls

a. In 2009, COSO issued guidance on monitoring internal control systems, which
is a process that assesses the quality of internal control performance over
b. To provide reasonable assurance that an entity's objectives will be achieved,
management should monitor controls to determine whether they are operating
c. Since risks change over time, management needs to monitor whether controls
need to be redesigned when risks change.

16. Principle 16: The organization selects, develops, and performs ongoing and/or
separate evaluations to ascertain whether the components of internal control are
present and functioning.

17. Principle 17: The organization evaluates and communicates internal control
deficiencies in a timely manner to those parties responsible for taking corrective
action, including senior management and the board of directors, as appropriate.

LO 6 Planning an Audit Strategy

A. The audit risk model states that AR = RMM × DR, where RMM = IR × CR. The
auditor's assessment of RMM must consider the level of CR in applying the risk
B. How the auditor determines the appropriate level of CR:
1st step: Use the information gathered by performing risk assessment
procedures to evaluate the design of controls and to determine whether
the controls have been implemented.
2nd step: Decide whether or not the auditor will rely on the controls.
- If the auditor's risk assessment procedures indicate that the controls are
not properly designed or not implemented, the auditor will not rely on the
controls. The auditor will set control risk at maximum and use substantive
procedures to reduce the risk of material misstatement to acceptably low
- If the auditor's risk assessment procedures indicate that the controls are
properly designed and implemented, the auditor will rely on the controls.
Then, tests of controls are required to be performed to obtain audit
evidence that the controls are operating effectively. The auditor will make
an assessment of control risk based on the results of the tests of controls.
Two audit strategies describe HOW the auditor uses the understanding and
assessment of internal control to determine the nature, timing, and extent of
audit procedures:
1) A substantive strategy:
Means that the auditor has decided not to rely on the entity's
controls and instead to use substantive procedures as the main source
of evidence about the assertions in the financial statements.
The following factors may make the auditor decide to follow a
substantive strategy for some or all assertions:
- The implemented controls do not pertain to the assertion the
auditor is considering.
- The implemented controls are assessed as ineffective.
- Testing the operating effectiveness of the controls would be
Auditing standards point out that the auditor needs to be satisfied
that performing only substantive procedures would be effective in
restricting detection risk to an acceptable level. For example, the
auditor may determine that performing tests of controls for an
entity that has a limited number of long-term debt transactions
because corroborating evidence can be obtained by examining the
loan agreements and confirming relevant information.
2) A reliance strategy:
Means that the auditor intends to rely on the entity's controls.
- A more detailed understanding of internal control is needed to develop a
preliminary or planned assessment of control risk.
- Then, plan and perform tests of controls.
- Use the test results to assess the achieved level of control risk.
- If the test results indicate that the achieved control risk is higher than
planned, the auditor will increase the planned substantive procedures and
document the revised control risk assessment. If the planned level of
control risk is supported, no revisions of the planned substantive
procedures are required.
The level of control risk is documented, and substantive procedures are
then performed. Keep in mind that there may be different degrees of
control reliance for different business processes or assertions within a
Keep in mind there is no single strategy for the entire audit.
From a practical standpoint, the level of control risk is normally set in
terms of the assertions about classes of transactions and events for the
period under audit (see Table 6-4 below).

3rd step: It is important to understand that auditing standards require some
substantive evidence for all significant accounts and assertions. Thus, a
reliance strategy reduces but does not eliminate the need to gather
substantive evidence.
Table 6-4 presents the assertions related to transactions and events that were
discussed in Chapter 5 and the control activities that are normally in place for
Tracking of prenumbered documents is a control procedure typically found in each
business process to ensure occurrence and completeness.
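As an added example (not part of the textbook or these notes), the following Python script implements the application controls described under Principle 11 and the prenumbered-document control mentioned with Table 6-4 over one batch of sales invoices: a sequence check for gaps and duplicates (completeness and occurrence), an authorization check (validity), and line-footing and batch-control-total checks (accuracy). The invoice layout, field names and the sample batch are constructed for illustration and do not come from any real accounting system.

```python
"""
Application controls over a batch of prenumbered sales invoices.

Added example, not from the textbook or notes. The Invoice layout and the
sample batch below are constructed for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Invoice:
    number: int        # prenumbered document number
    customer: str
    lines: list        # (description, quantity, unit_price) tuples
    total: Decimal     # total keyed by the data-entry operator
    approved_by: str = ""  # credit approval; empty means not authorized


@dataclass
class BatchReport:
    missing_numbers: list = field(default_factory=list)    # completeness: gaps in sequence
    duplicate_numbers: list = field(default_factory=list)  # occurrence: recorded twice
    unapproved: list = field(default_factory=list)         # validity: no authorization
    arithmetic_errors: list = field(default_factory=list)  # accuracy: lines do not foot
    batch_total_matches: bool = False                      # accuracy: control total agrees

    def ok(self):
        """True only when every control passed."""
        return (not (self.missing_numbers or self.duplicate_numbers
                     or self.unapproved or self.arithmetic_errors)
                and self.batch_total_matches)


def line_total(lines):
    """Foot the invoice lines with Decimal arithmetic (no float rounding)."""
    return sum((Decimal(qty) * Decimal(price) for _, qty, price in lines),
               Decimal("0"))


def check_batch(invoices, expected_first, expected_last, control_total):
    """Run the application controls over one batch.

    expected_first/expected_last: document numbers the batch should span.
    control_total: batch control total computed independently from the
    source documents before data entry, so keying errors are detected.
    """
    report = BatchReport()
    seen = set()
    for inv in invoices:
        if inv.number in seen:                       # occurrence (validity)
            report.duplicate_numbers.append(inv.number)
        seen.add(inv.number)
        if not inv.approved_by:                      # authorization
            report.unapproved.append(inv.number)
        if line_total(inv.lines) != inv.total:       # accuracy of each document
            report.arithmetic_errors.append(inv.number)
    # completeness: every number in the expected range must be present
    report.missing_numbers = [n for n in range(expected_first, expected_last + 1)
                              if n not in seen]
    keyed_total = sum((inv.total for inv in invoices), Decimal("0"))
    report.batch_total_matches = keyed_total == Decimal(control_total)
    return report


# Constructed sample batch: should cover numbers 1001-1005. Source documents
# footed to 118.50 (1003 was a 12.00 invoice that never got keyed, and 1005
# was keyed with the wrong total).
SAMPLE_BATCH = [
    Invoice(1001, "Acme", [("widget", 2, "10.00")], Decimal("20.00"), "credit.mgr"),
    Invoice(1002, "Bolt", [("gadget", 1, "15.50")], Decimal("15.50"), "credit.mgr"),
    Invoice(1002, "Bolt", [("gadget", 1, "15.50")], Decimal("15.50"), "credit.mgr"),  # keyed twice
    Invoice(1004, "Cog", [("widget", 3, "10.00")], Decimal("30.00")),                # no approval
    Invoice(1005, "Dyn", [("widget", 1, "10.00"), ("gadget", 2, "15.50")],
            Decimal("40.00"), "credit.mgr"),                                          # lines foot to 41.00
]

if __name__ == "__main__":
    rpt = check_batch(SAMPLE_BATCH, 1001, 1005, "118.50")
    print(rpt)
    print("batch accepted:", rpt.ok())
```

Run as written, the batch is rejected with 1003 missing, 1002 duplicated, 1004 unapproved, 1005 not footing, and the keyed total (121.00) disagreeing with the control total; the first two invoices alone, checked against their own control total of 35.50, pass every control. The independently prepared control total is what catches the combination of an omitted document and a mis-keyed one that the per-document checks alone could miss.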

FIGURE 6-3 Flowchart of the Auditor's Consideration of Internal Control and Its
Relation to Substantive Procedures




LO 7 Understanding Internal Control

A. Overview:
a. Understanding of the five components of internal control includes
knowledge about design and whether relevant controls have been put in place.
The auditor is required to:
- Identify the types of potential misstatement.
- Pinpoint the factors that affect the risk of material misstatement.
- Design tests of controls and substantive procedures.
b. In determining if an IT specialist is needed, the following factors should be
- The complexity of the entity's IT systems and controls and the manner in
which they are used in conducting the entity's business.
- The significance of changes made to existing systems, or the
implementation of new systems.
- The extent to which data are shared among systems.
- The extent of the entity's participation in electronic commerce.
- The entity's use of emerging technologies.
- The significance of audit evidence that is available only in electronic form.
c. The ways that IT specialists help the audit engagement team:
- Inquire of the entity's IT personnel about how data and transactions are
initiated, authorized, recorded, processed, and reported, and about how IT
controls are designed
- Inspect the systems documentation
- Observe the operation of IT controls
- Plan and perform tests of IT controls.
d. The auditor should have sufficient IT-related knowledge to communicate the
assertions to the IT specialist, to evaluate whether the specified procedures,
and to evaluate the results of the audit procedures completed by the IT
e. The auditor may use the following audit procedures to understand a client's
internal control. Three examples are:
- Inquiry of appropriate management, supervisory, and staff personnel.
- Inspection of entity documents and reports.
- Observation of entity activities and operations.

B. Understanding the control environment (because it will directly impact the
achievement of the objectives of the IC system):

a. The auditor should gain sufficient knowledge about the control environment
to understand management's and the board's attitudes, awareness, and actions
concerning the control environment.
b. The auditor uses a questionnaire to obtain an understanding of the Control
C. Understanding the entity's risk assessment process:
a. The auditor should understand:
- How management considers risks relevant to financial reporting
- How management deals with those risks
This helps determine the magnitude of control risk.
D. Understanding the Information System and Communications
a. The auditor should gain enough information about the IS to understand the
- The classes of transactions in the entity's operations that are significant to
the financial statements.
- The control procedures by which transactions are initiated, authorized,
recorded, processed, and reported, from their occurrence to their inclusion
in the financial statements.
- The related accounting records, whether electronic or manual, supporting
information and specific accounts in the financial statements that are
involved in initiating, recording, processing, and reporting transactions.
- How the information system captures other events and conditions that are
significant to the financial statements.
- The financial reporting process used to prepare the entity's financial
statements, including significant accounting estimates and disclosures.
b. The auditor needs to study each business process that affects significant
account balances in the financial statements, which includes knowing how
transactions are done and how documents and records are created and moved
through the general ledger and the financial statements.
The auditor must understand the control procedures related to the planning of
the financial statements and the disclosures:
- The procedures used to enter transaction totals into the general ledger,
- The procedures used to initiate, authorize, record, and process journal
entries in the general ledger,
- Other procedures used to record recurring and nonrecurring adjustments to
the financial statements.

E. Understanding Control Activities
a. The auditor uses walkthroughs to develop an understanding of control activities.
b. The auditor does more work on control activities if the auditor:
- Follows a reliance strategy
- Expects a lower level of control risk for the assertions to which the control
activities relate
c. The auditor does less work on control activities if the auditor:
- Follows a substantive strategy
- Sets control risk at the maximum
- Believes the internal controls are unlikely to be effective
F. Understanding of monitoring of controls:
a. Understand the major types of activities used to monitor IC, such as the
sources of documents that support the activities, and how the latter are used to
initiate corrective actions to IC.

LO 8 Obtain an Understanding of Internal Control

A. Documenting the understanding of internal control can be achieved by using any
combination of the following methods:
a. Procedures manuals and organizational charts
- Help the auditor document the understanding of the internal control system
- Manuals include documentation of accounting systems and related controls
- An organizational chart presents the designated lines of authority and responsibility
b. Internal control questionnaire
- Provides a systematic and comprehensive way to evaluate internal control
- Used in areas with a relatively complex internal control structure
- Contains questions about the factors or characteristics of the five internal
control components: the control environment, the entity's risk assessment
process, the IT system and related business processes, control activities, and
monitoring of controls.
c. Flowcharts
- Provide a diagrammatic (visual) representation of the entity's internal control
system, making it easier for the auditor to perform
- Outline the configuration of the system in terms of functions, documents,
processes, and reports
- Facilitate an analysis of the system's strengths and weaknesses
d. Narrative description = memo
- Provides a simple, written memorandum that documents the understanding
of internal control
- Used for entities with a simple internal control system

B. The Effect of Entity Size on Internal Control

a. Large entities implement the components in the fashion described (ex. a
written code of conduct).
b. Medium and small entities use less formal or alternative approaches (ex.
developing a culture that emphasizes integrity and ethics through the example of
the owner-manager) because they have: effective communication channels due to
their size; better control as the manager is involved in day-to-day activities;
less hierarchy and better management visibility; and effective monitoring as the
manager gets involved in the operations.

C. The Limitations of an Entity's Internal Control

a. An internal control system should be designed and operated to provide
reasonable assurance that an entity's objectives are being achieved. The
concept of reasonable assurance recognizes that the cost of an entity's internal
control system should not exceed the benefits that are expected to be derived.
Balancing the cost of controls with the related benefits requires considerable
estimation and judgment from management.
b. Limitations
Major causes of fraud: inadequate internal control and compliance, and
management override of internal control.
- Management override of internal control
Ex. Management can make a lower-level employee record entries in
the accounting records that are not consistent with the substance of the
Ex. A manager can enter into side agreements with customers to alter the
terms and conditions of the sales contract.
- Human errors and mistakes in judgment
Another major cause of fraud
Can destroy segregation of duties

LO 9 Assessing Control Risk

A. Assessing control risk
The process of evaluating the effectiveness of an entity's internal control in
preventing, or detecting and correcting, material misstatements in the financial
statements. (Can be performed concurrently with understanding an entity's
- Control risk at maximum = substantive strategy
- Control risk at a lower level = reliance strategy
To set control risk below maximum:
- Identify specific controls relevant to specific assertions
- Perform tests of controls
- Conclude on the achieved level of control risk
B. Identifying specific controls that will be relied upon
The auditor's understanding of internal control is used to identify the controls
that are likely to prevent, or detect and correct, material misstatements in
specific assertions.
- Some of the controls the auditor will rely upon have a pervasive effect on
many assertions. (E.g. the conclusion that an entity's control environment
is highly effective may influence the auditor's decision about which
auditing procedures are to be performed.)
- Some controls only affect an individual assertion contained in a financial
statement account. (E.g. a credit check performed on a customer's order
specifically relates to the valuation assertion for the accounts receivable

LO 10 Performing Testing of Control

Performing Tests of Controls:
Tests of controls are performed in order to provide evidence to support the lower level
of control risk. Procedures that are used for T.O.C. include inquiry, inspection of
documents, observation, re-performance or combinations of those procedures (i.e.
walkthroughs). (Note the audit procedures that are NOT here, such as confirmations,
footing and many more. Think about why.) The auditor is going to choose controls
to test based on their importance in preventing or detecting a material misstatement.
The auditor will need to look at both their design and operating effectiveness.
- Tests of controls directed toward design effectiveness: evaluating whether
the control is suitably designed to prevent, or detect and correct, material
- Tests of controls directed toward operating effectiveness: assessing how the
control was applied, the consistency with which it was applied during the
audit period, and by whom it was applied. Operating effectiveness can be
affected by whether the control is manual or automated. Manually performed
controls may be subject to human errors and mistakes, while automated
controls (if properly designed) should operate more consistently, and hence
the auditor does not need to test as many instances.

Types of Tests of Controls (type of test, with an example of each):
- Inquiry of appropriate entity personnel.
Example: inquiry of the credit manager about the policies for writing off uncollectible
- Inspection of documents, reports, or electronic files indicating the
performance of the control.
Example: inspect bank reconciliations prepared by the internal auditors.
- Observation of the application of the
Example: observe how controls are applied to the handling of cash to ensure that
there is proper segregation of duties.
- Reperformance of the application of the control by the auditor.
Example: reperform the authorization control used for granting credit.

Concluding on the Achieved Level of Control Risk:
After T.O.C., the auditor should reach a conclusion on the achieved level of control
risk. The achieved level of control risk, together with the assessed level of
inherent risk, is used to determine the level of detection risk, and the level of
detection risk is used to determine the nature, timing, and extent of substantive
tests.
If the T.O.C. results are consistent with the planned assessment of control risk, no
revision in the nature, timing or extent of substantive procedures is necessary.
Otherwise, a revision is needed.
Documenting the Achieved Level of Control Risk
The auditor should document the achieved level of control risk for the controls
evaluated, using a structured working paper, an internal control questionnaire, or a

(An example of how account characteristics affect the auditor's understanding of
internal control, control risk assessment and planned substantive procedures is
described in Table 6-5, p. 207.)

LO 11 Substantive Procedures
A. Consist in the last step in the decision process in Audit Strategy. Substantive
Procedures include substantive analytical procedures and test of details
B. The nature, extent and timing of substantive procedures may vary for two
different entities as a function of the detection risk level for the inventory account,
which is part of the purchasing process. In the following examples both client
audit risk is set low

Client one: High RMM, detection risk is low. To achieve a low detection risk
the audit must

Obtain more reliable types of evidence (confirmation and reperformance)

Conduct most of the audit work at year end

Make the test more extensive (larger sample size)

Must fill the Assurance Buckets almost with Substantive Evidence


Client two: low RMM, detection risk is high which means:

Less reliable types of evidence can be used

Most of the audit work can be conducted at an interim date

Test of the inventory account would involve a smaller sample size

A major difference between these two strategies involves the physical
examination of the inventory on hand.

Low detection risk strategy: inventory is examined at year end because control risk was
assessed to be high.

High detection risk strategy: inventory is examined at an interim date because the control
risk assessment indicates little RMM.

LO 12 Timing of Audit Procedures

The interim tests of controls are conducted sometime during the time frame 7/31 to 11/30.
A. Interim Tests of Controls
a. Controls are tested at an interim date because:
The assertion being tested may not be significant
The control has been effective in prior audits

It is efficient to conduct the tests at that time

b. If the controls are not operating effectively, testing at interim gives the auditor time to reassess
control risk and modify the audit plan.
c. The auditor can also inform management so that misstatements can be located.
d. Additional work after the interim period should address:
The significance of the assertion
The evaluation of the design and operation of the relevant controls
The results of the tests of controls
The length of the remaining period
The planned substantive procedures, in determining the nature and extent
of audit work for the remainder of the period
B. Interim Substantive Procedures
a. Conducting substantive procedures at an interim date may increase ROMM, but
the auditor can control this by:
Considering when it is appropriate to examine an account at an interim
date, and by performing selected audit procedures for the period between
the interim date and year end
b. Consider these factors:
The control environment
The availability of information at a later date
The purpose of the substantive procedures
The assessed ROMM
The nature of the class of transactions or account balances
The ability to perform substantive procedures to cover the remaining period to
reduce ROMM
c. Some additional substantive procedures are ordinarily conducted in the
remaining period.
d. If a misstatement is detected, the auditor must revise the planned procedures for the
remaining period or perform additional ones at year end.

LO 13 Auditing Accounting Applications Processed by Service Organizations

A. When a service organization provides accounting services to an entity, those
services are considered part of the entity's information system and relevant to
financial reporting.
B. Auditor's Concerns
Because the entity's transactions are subjected to the controls of the service
organization, one auditor concern is the internal control system at the service organization.
The significance of the service organization's controls depends on the nature and materiality of
the transactions and the degree of interaction between the service organization's activities and
the client's activities [example: if the client initiates transactions and the service
organization executes them and does the accounting processing of the transactions, there is a large
degree of interaction]

After obtaining an understanding of internal control, the auditor identifies
controls that are applied by the entity or the service organization that
might allow an assessment of reduced control risk.

C. Service Organizations:
Mortgage bankers: service mortgages

Trust departments: invest or hold assets for employee benefit plans

IT service centers (most frequent): process payroll and related accounting

D. The auditor needs to understand the client's internal control components in order
to identify controls that are applied by the client or the service organization that
will allow an assessment of reduced control risk.
Type I and Type II Reports
Since service organizations process data for many customers, most of the time an
auditor issues an attestation report on their operations. A service organization's
auditor can issue one of two types of reports.
Type I is a report on management's description of a service organization's system
and the suitability of the design of controls at a specific point in time.
Management's description of the system
Written assertion by management that the description fairly represents the
The controls are suitable to achieve management's controls by a certain
Type II is a report on management's description of a service organization's
system and the suitability of the design and operating effectiveness of controls.
Management's description of the system
Written assertion by management that the description fairly represents the
The controls are suitable to achieve management's controls by a certain
Report Contents (compared across Type I and Type II reports)
Independent service auditor's report (i.e. opinion)
Service organization's description of
Information provided by the independent service auditor; includes
a description of the service auditor's tests of operating effectiveness and
the results of those tests
Other information provided by the service organization (e.g. glossary of
E. An auditor may reduce control risk below the maximum only on the basis of a service
auditor's report that includes tests of the controls.
F. Although financial statement audits of private companies do not include an audit of
the entity's entire system of internal control, the auditor may discover deficiencies in
the entity's internal controls during the audit.

LO 14 Communicating Internal Control-Related Matters

A. Under the Sarbanes-Oxley Act of 2002, management of public companies must
prepare an assertion on internal control and the auditor must issue an opinion
on the effectiveness of internal control. For private companies there is no need
to audit their internal control, but the auditor will find deficiencies during the audit.
A control deficiency in internal control exists when the operation of a
control does not allow management or employees to perform their assigned
A material weakness is a deficiency, or a combination of deficiencies, such that there is a
reasonable possibility that a material misstatement of the financial statements
will not be prevented, or detected and corrected, on a timely basis.
A significant deficiency is a deficiency, or a combination of deficiencies, that is less severe
than a material weakness but important enough to merit the attention of those in
B. Examples of circumstances that may be control deficiencies, significant
deficiencies, or material weaknesses:
Deficiencies in the design of controls
Inadequate design of internal control over the preparation of the financial
statements being audited.
Inadequate design of internal control over a significant account or process.
Inadequate documentation of the components of internal control.
Insufficient control consciousness within the organization, for example, the
tone at the top and the control environment.
Absent or inadequate segregation of duties within a significant account or
process.
Absent or inadequate controls over the safeguarding of assets.
Inadequate design of information technology general and application controls.
Employees or management who lack the qualifications and training to fulfill
their assigned functions.
Inadequate design of monitoring controls.
The absence of an internal process to report deficiencies in internal control to
management on a timely basis.

Failures in the operation of internal control
Failure in the operation of effectively designed controls over a significant
account or process.
Failure of the information and communication component of internal control
to provide complete and accurate output because of deficiencies in timeliness,
completeness, or accuracy.
Failure of controls designed to safeguard assets from loss, damage, or
Failure to perform reconciliations of significant accounts.
Undue bias or lack of objectivity by those responsible for accounting
Misrepresentation by client personnel to the auditor (an indicator of fraud).
Management override of controls.
Failure of an application control caused by a deficiency in the design or
operation of an IT general control.
An observed deviation rate that exceeds the number of deviations expected by
the auditor in a test of the operating effectiveness of a control.
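The two decisions tied together above, concluding on the achieved level of control risk after a test of controls and then deriving detection risk (end of LO 10), and treating an observed deviation rate above the auditor's expectation as a control deficiency (last item of LO 14), can be put in working form. The following is an added example, not code from the textbook. It assumes the standard multiplicative audit risk model (AR = IR x CR x DR) and the simplifying rule that a test of controls whose observed deviations exceed the number the auditor expected does not support the planned control risk, so control risk reverts to the maximum of 1.0; the sample test results are constructed.

```python
"""Evaluate a test of controls, settle the achieved level of control risk, and
carry it through the audit risk model to detection risk.

Added illustration, not from the textbook. Assumes AR = IR x CR x DR and that
an unsupported planned control risk reverts to the maximum (1.0).
"""
from dataclasses import dataclass

MAX_CONTROL_RISK = 1.0  # assumption: control risk at the maximum = 1.0


@dataclass(frozen=True)
class ControlTestResult:
    """Outcome of an attribute test of one control (constructed sample data)."""
    sample_size: int
    observed_deviations: int
    expected_deviations: int  # deviations the auditor expected when planning

    @property
    def deviation_rate(self) -> float:
        return self.observed_deviations / self.sample_size

    def supports_planned_assessment(self) -> bool:
        # More deviations than expected means the test is inconsistent with the
        # planned control risk (the page lists this as a possible deficiency).
        return self.observed_deviations <= self.expected_deviations


def achieved_control_risk(result: ControlTestResult, planned_cr: float) -> float:
    """Planned control risk is kept only if the test of controls supports it."""
    if result.supports_planned_assessment():
        return planned_cr
    return MAX_CONTROL_RISK


def detection_risk(audit_risk: float, inherent_risk: float, control_risk: float) -> float:
    """DR = AR / (IR x CR), capped at 1.0 because a risk cannot exceed certainty."""
    for component in (audit_risk, inherent_risk, control_risk):
        if not 0 < component <= 1:
            raise ValueError("risk components must be in (0, 1]")
    return min(1.0, audit_risk / (inherent_risk * control_risk))


@dataclass(frozen=True)
class AuditStrategy:
    achieved_control_risk: float
    planned_detection_risk: float
    achieved_detection_risk: float
    revise_substantive_procedures: bool  # True when DR must fall below plan


def conclude(result: ControlTestResult, audit_risk: float,
             inherent_risk: float, planned_cr: float) -> AuditStrategy:
    """Combine achieved CR with assessed IR to settle DR and decide on revision."""
    achieved_cr = achieved_control_risk(result, planned_cr)
    planned_dr = detection_risk(audit_risk, inherent_risk, planned_cr)
    achieved_dr = detection_risk(audit_risk, inherent_risk, achieved_cr)
    # A lower achieved DR means more reliable, year-end, larger substantive tests.
    return AuditStrategy(achieved_cr, planned_dr, achieved_dr,
                         revise_substantive_procedures=achieved_dr < planned_dr)


# Constructed sample: 40 credit-approval documents inspected for the required
# authorization; a deviation is an approval without that authorization.
CREDIT_APPROVALS_CONSISTENT = ControlTestResult(sample_size=40, observed_deviations=0,
                                                expected_deviations=1)
CREDIT_APPROVALS_INCONSISTENT = ControlTestResult(sample_size=40, observed_deviations=3,
                                                  expected_deviations=1)

if __name__ == "__main__":
    for label, res in (("consistent", CREDIT_APPROVALS_CONSISTENT),
                       ("inconsistent", CREDIT_APPROVALS_INCONSISTENT)):
        strategy = conclude(res, audit_risk=0.05, inherent_risk=0.8, planned_cr=0.5)
        print(f"{label}: deviation rate {res.deviation_rate:.3f} -> {strategy}")
```

With audit risk 0.05, inherent risk 0.8 and a planned control risk of 0.5, the consistent sample leaves detection risk at 0.125 and the planned substantive procedures stand; the inconsistent sample pushes control risk to the maximum, drives detection risk down to 0.0625, and flags the substantive procedures for revision.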