Acfn 723: Advanced Auditing
Addis Ababa University
College of Business and Economics
Department of Accounting & Finance
• Module Title: Advanced Auditing
• Module Code: ACFN 723
• Credit Value: 2 Cr hours [4.5 ECTS]
• Instructor: Dr. P. Laxmikantham
Acfn 723: Advanced Auditing/PLK
Chapter 5
Internal Control in a
Financial Statement Audit
Chapter 5 - Contents
Internal Control in Financial Statement Audit
(ISA 230, ISA 240, ISA 300, ISA 459, ISA 500)
• Internal control: An overview
• Obtain an understanding of internal control
• Assessing control risk
• Communication of deficiencies in internal control
• Advanced Module:
– Types of internal control in an IT environment
– Computer assisted audit techniques
– Flowcharting techniques
Internal Control
Management has the responsibility to maintain controls
that provide reasonable assurance that adequate
control exists over the entity’s assets and records.
The Internal Control System should:
- ensure that assets and records are safeguarded
- generate reliable information for decision-making
The auditor needs assurance about the reliability of the
data generated by the information system.
Internal Control
The auditor uses risk assessment procedures to
- obtain an understanding of the entity’s internal control
- identify key controls
- identify the types of potential misstatements
- design tests of controls and substantive procedures
The auditor’s understanding of the internal control is a major
factor in determining the overall audit strategy. The auditor has a
responsibility to:
(1) obtain an understanding of internal control and
(2) assess control risk.
COSO’s Internal Control:
Integrated Framework
Objectives
- Reliability of Financial Reporting
- Effectiveness and Efficiency of Operations
- Compliance with Laws and Regulations
Controls Relevant to the Audit
Objectives
- Reliability of Financial Reporting
- Effectiveness and Efficiency of Operations
- Compliance with Laws and Regulations
Generally, internal controls pertaining to the preparation
of financial statements for external purposes are
relevant to an audit.
Controls Relevant to the Audit
Objectives
- Reliability of Financial Reporting
- Effectiveness and Efficiency of Operations
- Compliance with Laws and Regulations
Controls relating to operations and compliance objectives
may be relevant when they relate to data the auditor uses
to apply auditing procedures.
The Effect of Information
Technology on Internal Control
Potential Benefits and Risks to an Entity’s
Internal Control from IT
Components of Internal
Control
- Control Environment
- Entity’s Risk Assessment Process
- Information and Communication
- Control Activities
- Monitoring Activities
Components of Internal
Control
Components of Internal Control
Components of Internal
Control
The Relationship of the Objectives of Internal Control
to the Five Components of Internal Control
Control Environment
Principle 1: The organization demonstrates a commitment to
integrity and ethical values.
Principle 2: Those charged with governance demonstrate
independence from management and exercise oversight of the
development and performance of internal control.
Principle 3: Management establishes, with those charged with
governance oversight, structures, reporting lines, and appropriate
authorities and responsibilities in the pursuit of objectives.
Principle 4: The organization demonstrates a commitment to
attract, develop, and retain competent individuals in alignment
with objectives.
Principle 5: The organization holds individuals accountable for
their internal control responsibilities in the pursuit of objectives.
The Entity’s Risk Assessment
Process
The risk assessment process should consider external and
internal events and circumstances that may arise and
adversely affect the entity’s ability to initiate, record, process
and report financial data consistent with management’s
financial statement assertions.
Business risk can arise or change due to the following circumstances:
- Changes in the operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New accounting pronouncements
- Corporate restructuring
- International growth
- New business models, products or activities
The Entity’s Risk Assessment
Process
Principle 6: The organization specifies objectives with sufficient
clarity to enable the identification and assessment of risks relating
to objectives.
Principle 7: The organization identifies risks to the achievement of
its objectives across the entity and analyzes risks as a basis for
determining how the risks should be managed.
Principle 8: The organization considers the potential for fraud in
assessing risks to the achievement of objectives.
Principle 9: The organization identifies and assesses changes that
could significantly impact the system of internal control.
Control Activities
Principle 10: The organization selects and develops control
activities that contribute to the mitigation of risks to the
achievement of objectives to acceptable levels.
- Performance Reviews
- Information Processing Controls
- Physical Controls
- Segregation of Duties
Principle 11: The organization selects and develops general
control activities over technology to support the achievement of
objectives.
Principle 12: The organization deploys control activities through
policies that establish what is expected and procedures that put
policies into action.
Information and
Communication
Principle 13: The organization obtains or generates and uses
relevant, quality information to support the functioning of internal
control.
- Identify and record all valid transactions
- Classify transactions properly
- Measure the value of transactions properly
- Record transactions in the proper period
- Properly present transactions and disclosures
Principle 14: The organization internally communicates
information, including objectives and responsibilities for internal
control, necessary to support the functioning of internal control.
Principle 15: The organization communicates with external
parties regarding matters affecting the functioning of internal
control.
Monitoring of Controls
Monitoring of controls is a process that
assesses the quality of internal control
performance over time.
Principle 16: The organization selects, develops and performs
ongoing and/or separate evaluations to ascertain whether the
components of internal control are present and functioning.
Principle 17: The organization evaluates and communicates
internal control deficiencies in a timely manner to those parties
responsible for taking corrective action, including senior
management and the board of directors, as appropriate.
Planning an Audit Strategy
Audit Risk Model
AR = IR × CR × DR
In applying the audit risk model, the
auditor must assess control risk. The
figure on the next slide presents a
flowchart of the auditor’s decision
process when considering internal
control in planning an audit.
Planning an Audit Strategy
Flowchart of the Auditor’s
Consideration of Internal
Control and its Relation to
Substantive Procedures
Substantive Strategy
After obtaining an understanding of internal control, an
auditor may choose to follow a substantive strategy and
set control risk at high for some or all assertions
because of one or all of the following factors:
- Controls do not pertain to an assertion.
- Controls are assessed as ineffective.
- Testing the effectiveness of controls is inefficient.
Reliance Strategy
- Obtain Understanding of Internal Control
- Plan to Rely on Internal Control and Assess Control Risk at a Lower Level
Assertions
Assertions about Classes of Transactions and Events
and Related Control Activities
Obtain an Understanding
of Internal Control
The auditor should obtain an understanding of
each of the five components of internal control in
order to plan the audit. This knowledge is used to:
- Identify types of potential misstatements
- Pinpoint the factors that affect the risk of material misstatement
- Design tests of controls and substantive procedures
Example Information &
Documentation
Excerpt from a Questionnaire for Documenting the Auditor’s
Understanding of the Control Environment
Obtain an Understanding
of Internal Control
1. Understand the control environment.
2. Understand the entity’s risk assessment process.
3. Understand the information system and
communications.
4. Understand control activities.
5. Understand monitoring of controls.
Documenting the Understanding
of Internal Control
- Procedure Manuals and Organizational Charts
- Flowcharts
- Internal Control Questionnaires
- Narrative Description
The Effect of Entity Size
on Internal Control
While the basic concepts of the five
components should be present in all
entities, they are likely to be less formal in a
small or midsize entity than in a large entity.
The Limitations of
an Entity’s Internal Control
- Management Override of Internal Control
- Human Errors or Mistakes
- Collusion
Reasons Cited for Why Fraud
Occurred
Reasons Cited for Why Fraud Occurred
Assessing Control Risk
- Identify specific controls that will be relied upon.
- Perform tests of controls.
- Conclude on the achieved level of control risk.
Performing Tests of Controls
- Inquiry of appropriate entity personnel
- Inspection of documents indicating the performance of the control
- Observation of the application of the control
- Reperformance of the application of the control by the auditor
Documenting the Achieved
Level of Control Risk
The auditor’s assessment of control risk and the
basis for the achieved level can be documented
using a structured working paper, an internal control
questionnaire or a memorandum.
Let’s look at an example from EarthWear Clothiers
to see how the control risk for two accounts that
differ in terms of their nature, size and complexity is
documented.
An Example of Assessing
Control Risks and Its Effects
An Example of How Account Characteristics Affect the Auditor’s
Understanding of Internal Control, Control Risk Assessment and
Planned Substantive Procedures
An Example of Assessing
Control Risks and Its Effects
(continued)
Performing
Substantive Procedures
Audit Strategies for the Nature, Timing and Extent of Substantive
Procedures Based on Different Levels of Detection Risk for Inventory
Timing of Audit Procedures
Interim
Year End
Let’s look at the EarthWear Clothiers example
again to see the timing of its audit procedures.
Timing of Audit Procedures
A Timeline for Planning and Performing the Audit of
EarthWear Clothiers
Interim Audit Procedures
Interim Tests of Controls
1. Assertion being tested not significant
2. Control has been effective in prior audits
3. Efficient use of staff time
Interim Substantive Procedures
1. Control environment
2. Availability of information at a later date
3. The purpose of the substantive procedure
4. The assessed risk of material misstatement
5. The nature of the transactions or balances and relevant assertions
6. The ability of the auditor to perform appropriate procedures to cover the
remaining period
Auditing Accounting Applications
Processed by Service Organizations
In some instances, an entity may have some or all
of its accounting transactions processed by an
outside service organization.
Because the entity’s transactions are subjected to the controls
of the service organization, one of the auditor’s concerns is the
internal control system in place at the service organization.
It is not uncommon for service organizations to have an auditor
issue one of two types of reports on their operations.
Auditing Accounting Applications
Processed by Service Organizations
Type 1 Report
Describes the service organization's
controls and assesses whether they are
suitably designed to achieve specified
internal control objectives.
Type 2 Report
Goes further by providing assurance on
the operating effectiveness of the service
organization’s controls based on the
auditor’s tests of controls.
An auditor may reduce control risk below high only
on the basis of a service auditor’s type 2 report.
Communication of Deficiencies
in Internal Control
Deficiency
(1) A control designed, implemented or operated in such a way that it is
unable to prevent, or detect and correct, misstatements in the financial
statements on a timely basis; or
(2) a control necessary to prevent, or detect and correct, misstatements in
the financial statements on a timely basis is missing.
Significant Deficiency
A significant deficiency in internal control is a deficiency or combination
of deficiencies in internal control that, in the auditor’s professional
judgement, is of sufficient importance to merit the attention of those
charged with governance.
Communication of Deficiencies
in Internal Control
Communication
Auditing standards (ISA 265) require that the auditor communicate
significant control deficiencies in writing to those charged with
governance and management.
The auditor should also communicate to management other control
deficiencies judged to be of sufficient importance to merit
management’s attention.
Examples of Indicators of
Significant Deficiencies
Examples of Indicators of Significant Deficiencies in Internal Control
Types of Controls in an IT
Environment
General Controls
1. Data center and network operations
2. System software acquisition, change and maintenance
3. Access security
4. Application system acquisition, development and maintenance
Application Controls
1. Data capture controls
2. Data validation controls
3. Processing controls
4. Output controls
5. Error controls
Types of Controls in an IT
Environment
Common Data Validation Controls
Computer-Assisted Audit
Techniques
Computer-assisted audit techniques
(CAATs) include:
• Generalized audit software.
• Custom audit software.
• Test data.
Generalized Audit Software
Functions Performed by Generalized Audit Software
Custom Audit Software
Custom audit software is generally written by auditors
for specific audit tasks. It may be required when the
entity’s computer system is not compatible with the
auditor’s generalized audit software.
Custom software:
(1) Is expensive to develop.
(2) Requires extended development time.
(3) May require extensive modification if
the entity changes its accounting
application programs.
Test Data
Test data are developed by the auditor to
test the application controls in the entity’s
computer programs. The technique can be
used to check: (1) data validation controls
and error detection routines, (2)
processing logic controls, (3) arithmetic
calculations, and (4) the inclusion of
transactions in records, files and reports.
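The test data technique described above, as an added example that is not part of the original lecture: a constructed test deck with predicted results is run through the application and every difference is reported as an exception. `entity_process`, the customer file and the three validation checks are hypothetical stand-ins for the entity's program, which is assumed here to lack a sign check on quantity.

```python
from decimal import Decimal

# Hypothetical stand-in for the entity's order-entry program (assumption: the
# real program is a black box the auditor feeds test data into).
CUSTOMERS = {"C100": Decimal("5000.00"), "C200": Decimal("1000.00")}  # credit limits

def entity_process(batch):
    """Return (sales_journal, error_report) the way the application would."""
    journal, errors = [], []
    for t in batch:
        qty, price = t["qty"], Decimal(t["price"])
        if t["cust"] not in CUSTOMERS:
            errors.append((t["id"], "invalid customer"))      # validity check
        elif not isinstance(qty, int):
            errors.append((t["id"], "non-numeric quantity"))  # field check
        elif qty * price > CUSTOMERS[t["cust"]]:
            errors.append((t["id"], "over credit limit"))     # limit check
        else:  # assumed defect: no sign check, so negative quantities post
            journal.append((t["id"], qty * price))
    return journal, errors

# Constructed auditor test deck: each item carries the result the auditor
# predicted before running it (None = the transaction should be rejected).
TEST_DECK = [
    ({"id": "T1", "cust": "C100", "qty": 10, "price": "19.99"}, Decimal("199.90")),
    ({"id": "T2", "cust": "C999", "qty": 1, "price": "5.00"}, None),
    ({"id": "T3", "cust": "C200", "qty": "ten", "price": "5.00"}, None),
    ({"id": "T4", "cust": "C200", "qty": 300, "price": "4.00"}, None),
    ({"id": "T5", "cust": "C200", "qty": 250, "price": "4.00"}, Decimal("1000.00")),
    ({"id": "T6", "cust": "C100", "qty": -5, "price": "20.00"}, None),
]

def run_test_deck(deck, process=entity_process):
    """Compare actual processing with the auditor's predictions; list exceptions."""
    journal, errors = process([t for t, _ in deck])
    posted, rejected = dict(journal), {tid for tid, _ in errors}
    exceptions = []
    for t, expected in deck:
        tid = t["id"]
        if (tid in posted) == (tid in rejected):  # dropped, or on both reports
            exceptions.append((tid, "not on exactly one of journal/error report"))
        elif posted.get(tid) != expected:         # wrong amount or wrong disposition
            exceptions.append((tid, f"expected {expected}, got {posted.get(tid)}"))
    return exceptions

if __name__ == "__main__":
    for tid, finding in run_test_deck(TEST_DECK):
        print(tid, finding)
```

T5 sits exactly on the credit limit and T4 just above it, so the deck exercises the boundary of the limit check as well as the arithmetic and the completeness of posting.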
Flowcharting Symbols
Flowcharting Symbols