Auditing Theory Operational effectiveness and efficiency
Chapter 11 Compliance with applicable laws and
Consideration of Internal Control in a regulations Financial Statement Audit Determinants of achievement of objectives Reliable FR Compliance Operations E&E Applicable PSA Internal/ within entity’s control Management’s decisions, PSA 315 “Identifying and Assessing Risks of Material competitor’s actions, Misstatements through Understanding the Entity and other external factors Its Environment” Accounting and internal control system Internal control system Audit risk on components: I C D ALL policies and procedures (internal controls) adopted by management to assist in achieving Widely-accepted concept: internal control is important objectives: in generating reliable financial info Orderly and efficient conduct of business If audit deems IC as effective, he may decrease amount Adherence to management policies of audit evidence to be accumulated. Safeguarding of assets Prevention and detection of F&E Inadequate IC may preclude conduct of effective audit. Accuracy and completeness of accounting records Nature of Internal Control Timely preparation of FS As an entity grows and more people are employed, mechanisms need to be introduced to keep their Internal control structures VARY depending on: performance in check Size of the business Nature of operations Smaller entities have weaker internal control that can Objectives of organization be compensated through active participation of owner in operations Elements of internal control E R I C M
Internal control A. Control Environment
Process – a means, not an end Overall attitude, awareness, actions of directors Designed and effected by: and management re: IC system and its Management – establishment of control importance to the entity environment & maintenance of P&P Culture TCWG – ensure integrity through The foundation for effective IC oversight Factors reflected in control env.: Other personnel – perform respective Function of BOD and its committees functions Communication of INTEGRITY and Provides REASONABLE assurance – due to ETHICAL values (policy statements, code limitations: of conduct, management’s example) Costs should not exceed benefits Commitment to COMPETENCE Directed at routine transactions Participation by TCGW – entity must Human error have an AUDIT COMMITTEE; control Circumvention through collusion consciousness; must be involved in Management overriding IC scrutiny, interaction with I/E auditors, Inadequacy of procedures due to whistleblowers, review of internal changes; deterioration of compliance control About achieving objectives: Management’s philosophy and operating style – Reliable financial reporting (most conservatism, aggression, attitude towards: relevant objective to auditor as he is Business risk only concerned with those relevant to Financial reporting FS assertions) Meeting budget, profit, goals Organizational structure and assignment of Objective of studying internal control authority – overall framework for planning, 1. Plan the audit directing, and controlling operations 2. Assess control risk Management’s control system: a. Consider the design of controls Internal audit f(x) b. Whether they have been implemented Personnel P&P c. Effectiveness, if in use – perform tests Segregation of duties to determine if they are applied (NOT Human Resources Policies and Procedures – required in obtaining understanding of selection of honest and competent personnel IC to plan an audit) does not ensure that errors/irregularities will not occur; people are the most important Design – controls that HAVE BEEN established element of IC Effectiveness – refers to HOW controls FUNCTIONS
B. Entity’s Risk Assessment Process To assess RISK below max 100%
Identify specific controls that are likely to Business risk – risk that business objectives will not be prevent/ detect misstatement attained as a result of I/E factors s.a technological developments, changes in customers demand and other economic changes; management should adapt P&P to Consideration of Internal Control mitigate such risk; for audit, only those relating to prep ODAPD of reliable FS are relevant 1. Obtain understanding of IC: a. Evaluate design – consider capability of C. Information and Communications System preventing, detecting, correcting MM; - Timely info must be provided by effective IC - Communication: providing an understanding of For initial understanding: roles on internal control for reliable FRF; Inquiries electronic, oral, through management’s actions Inspection of documents Observation of processes D. Control Activities P I P S - P&P that help ensure that management b. Implementation – control exists and directives are carried out have been placed in operation; - Performance reviews: analyses of relationships accomplished through a walkthrough between data; e.g. actual performance vs (tracing a transaction through the entire budget, prior-period performance accounting system; confirms auditor’s - Information processing: checks accuracy, understanding of functions; both completeness,authorization of transactions; inspection and observation) computer: general and application controls - Physical controls: physical security of assets, Use of understanding: adequate safeguards, authorization for access, Identification of potential periodic counting misstatements - Segregation of duties: difficult to perpetrate Considering factors that affect RMM fraud Design NTE of audit procedures
E. Monitoring 2. Documenting understanding of accounting and
- Assessing quality of internal control internal control - Ongoing monitoring: built-in; for recurring activities; e.g. bank reconciliation Commonly used forms: - Separate evaluations: non-routine monitoring; Narrative description – memorandum e.g. functions performed by internal auditor for simple IC Flowchart – diagrammatic representation of IC system Internal control questionnaire providing 5. Documenting assessed level of CR management’s responses to questions about IC Control risk Conclusion High level CR is at a high level 3. Assessment of Control Risk Less than high level CR is at less than high level + basis for that assessment 4. Perform Tests of Controls – must be performed (tests of controls) irrespective of how effective controls appear; obtain evidence about effectiveness of: *auditor cannot assess CR a. Design of accounting and IC at less than high level w/o b. Operation of IC ToC *Auditor only tests controls he plans to rely upon *greater reliance on IC = more extensive TC Communication of internal control weaknesses - Report to appropriate level of management Nature of tests of control - Communication ordinarily in writing: (1) Inquiry – searching info about effectiveness management letter from persons inside or outside - Done at earliest opportunity (2) Observation – looking at process performed by OTHERS *Auditors are NOT REQUIRED to search for internal (3) Inspection – examination of documents to control weaknesses, but must communicate ones that provide evidence of reliability come to his attention (4) Reperformance – repeating activity performed by client to determine whether correct results were obtained
Usually during interim period Obtain further evidence for remaining period Factors: results of interim tests, length of remaining period, whether changes have occurred
Extent of tests of control
Sample size/ number of items should be determined
Using the results of tests of control
Evaluation reached: assessed level of control risk Use CR with IR to determine detection risk CR and IR are inversely related to DR
Operating effectiveness vs. implementation
Effectiveness Implementation Auditor obtains evidence Auditor determines that controls operate existence of relevant effectively controls REPORTABLE CONDITIONS - Matters coming to the auditor’s attention that he believes should be reported to the AUDIT COMMITTEE - Represent deficiencies in design and implementation of IC
1. Sole purpose of audit was to report on FS and
not to provide assurance that internal controls are effective 2. Definition of reportable conditions 3. Restriction of distribution ( info solely for audit committee, management, others within the organization
If RC is of such magnitude as to be a material weakness,