Part 4 – Internal Control

Evaluating the Design of a control – involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing or detecting and correcting material misstatement.

Implementation of a Control – means that the control exists and that the controls have been placed in operation.

Compensating Control –
- a control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective.
- When compensating control exists a weakness in the system is no longer a concern because the potential for misstatement has been sufficiently reduced.

Good Control = Low Risk of Misstatement = Less ST
Bad Control = High Risk of Misstatement = More ST

Understanding of Internal Control

Required:
1. Consider factors that affect the risk of material misstatement.
2. Ascertain whether internal control policies and procedures have been placed in operation.
3. Identify the types of potential misstatement that may occur.
4. Design the nature, timing and extent of audit procedures to be performed.

Walk Through –
- Tracing transactions through the accounting system.
- Done by tracing transactions from their initial recording at source to their final destination as a component of an account balance in the FS.
- It confirms the auditor’s understanding of how the accounting systems and control procedures function.

Test of Controls
- are used to test whether controls are operating effectively.
- TOC are not necessary if the auditor plans to use primarily the substantive approach.
- TOC are necessary if the auditor plans to assess the level of control risk at less than high level.
- Example:
  1. Examination of signature on Checks
- Example Evidence of Compliance w/ Internal Control:
  1. Records documenting usage of IT programs
  2. Cancelled Supporting documents
  3. Signature on authorization forms.
- TOC Includes:
  1. Inquiry/ Observation of IC w/c leaves no audit trail
  2. Re-performance of internal control procedures.
  3. Inspection of documentary support for transactions evidencing authorization.
- Information Gathering Techniques:
  1. Inspection – w/ document or trail
  2. Observation – w/o document or trail
  3. Re-performance
- Questions answered:
  a) How were the controls applied?
  b) Were the necessary controls consistently performed?
  c) By whom were the controls applied?
- It is most appropriate that TOC is applied to transactions and controls for the whole period under audit.
- Transactions –
  a) the basic components of business operations.
  b) the primary subject matter of internal accounting control.
  c) the building block of Business operations
- TOC is omitted when:
  a) CR is High
  b) Accounts represent few transactions
  c) Accounts subject to ineffective controls
  d) Subsequent events
- TOC is not omitted when:
  a) Accounts represent many transactions

Reliance on the client’s Internal Control –
- The auditor should test controls and use the results of testing as a basis for determining the nature, extent and timing of substantive tests.
- If evidence was obtained in the prior year’s audit that indicates a key control was operating effectively, the extent of tests of that control may be reduced this year if the auditor determines that it is still in place.
- If no change in controls has occurred since the controls were last tested: A CPA should test the operating effectiveness of that control once every 3rd year. Note: even if there was no change in control, it should be tested every other year!!!
- Effective Internal Control Structure: Reduces the need for management to review exception report on a day to day basis.

Inherent Limitations of Internal Controls
1. Management’s usual requirement that the cost of an internal control does not exceed the expected benefits to be derived.
   - The cost of Internal Control should not exceed its benefits
2. Most internal controls tend to be directed at routine transactions rather than non-routine transactions.
3. The potential for human error due to carelessness, distraction, mistakes of judgment and the misunderstanding of instructions
   - In the performance of most control procedures, there are possibilities of errors arising from mistakes in judgement.
4. The possibility of circumvention of internal controls through the collusion of a member of management or an employee with parties outside or inside the entity.
5. The possibility that a person responsible for exercising an internal control could abuse that responsibility, for example, a member of management overriding an internal control.
6. The possibility that procedures may become inadequate due to changes in conditions, and compliance with procedures may deteriorate

Benefits of Good Internal Control –
1. Reduces cost of an external audit.
2. Reduces employee fraud
3. Availability of reliable data for decision making purposes and protection of important documents and records.
4. Some assurance of compliance with SEC regulations.

Strict Monitoring of BIR – supports strong Internal control.

AUDITOR’S CONSIDERATION OF INTERNAL CONTROL
Step 1 – Obtain an understanding of client’s Internal Control
Step 2 – Make a preliminary control risk assessment
Step 3 – Determine the appropriate response to the assessed risk
Step 4 – Re-assess control risk
Step 5 – Determine the nature, extent and timing of the substantive testing

- If CR is less than High, Document the ff:
  a) Understanding of the entity’s internal control structure
  b) Conclusion that control risk is less than high
  c) Basis for the conclusion that control risk is less than high.

Responses to Address the Risks of Material Misstatement
A. Over All - FS LEVEL:
  1. Increase Professional Skepticism - Emphasizing to the audit team the need to maintain professional skepticism in gathering and evaluating audit evidence.
  2. Increase in more Experienced Auditors - Assigning more experienced staff or those with special skills or using experts.
  3. Increase in Element of Surprise of Audit Procedures - Incorporating additional elements of unpredictability in the selection of further audit procedures.
B. Specific – ASSERTION LEVEL:
  1. If CR is High – No test of controls anymore; proceed to determining the nature, timing and extent of substantive testing.
  2. If CR is Less than High – perform TOC to be sure of the effectiveness of controls. Re-Assess Control Risk.
- Auditor performs tests on those controls that the auditor plans to rely on.

Risk Assessment Procedures
a) Inquiry
b) Inspection
c) Observation

Methods of Documenting the Study of Internal Control
1. Narratives/write-up
2. Flowcharts
3. Internal Control Questionnaires
4. Checklist

Levels of Risk Assessment
1. High Control Risk Assessment
2. Less than High Control Risk Assessment

High Control Risk Assessment –
- Entity’s Internal Control System is missing or not effective (w/ material weakness)
- Evaluating the effectiveness of the entity’s internal control system would not be efficient/ time consuming to test
- If the assessment of Control Risk is High, no need to test control.

Less Than High Risk Assessment –
- Entity’s control may be effective.
- If the assessment of Control risk is Less than High, controls must be tested to validate the assessment.

IR (rows) \ CR (columns) | High | Medium | Low
High | Lowest | Lower | Medium
Medium | Lower | Medium | Higher
Low | Medium | Higher | Highest

Audit Risk - the risk that the practitioner expresses an inappropriate audit opinion when the subject matter information is materially misstated.

Inherent Risk -
- Functions of the client and its environment
- Reduced when the likelihood of defalcation is Low such as accounts with least liquidity.
  a) PPE – Least liquid
  b) Cash – most liquid
  c) Held for Trading Securities – 2nd most liquid
  d) Accounts Receivables – 3rd most Liquid
- consideration of Auditor when assessing IR:
  a) Nature of the client’s business
  b) Existence of related parties
  c) Susceptibility to defalcation
  d) Integrity of Management
  e) Unusual pressures on Management

Control risk –
- Functions of the client and its environment
- consideration of Auditor when assessing CR:
  a) Frequency and intensity of top management review.

REPORTABLE CONDITIONS
- Are matters that come to an auditor’s attention which should be communicated to an entity’s audit committee because they represent significant deficiencies in the design or operation of the internal control structure.
- Significant deficiency in Internal Control – a deficiency or combination of deficiencies in internal control that, in the auditor’s professional judgement, is of sufficient importance to merit the attention of those charged with governance.
- Deficiencies in Internal Control: communicated by the auditor to Management and those charged with governance and/or Audit committee
- All material weaknesses are reportable conditions
- Deficiency in Internal Control Exists when:
  a) A control is designed, implemented or operated in such a way that it is unable to prevent or detect and correct misstatements in the FS on a timely basis
  b) A control necessary to prevent or detect and correct misstatements in the FS on timely basis is missing.
- The development of constructive suggestions to clients for improvements in internal control is a desirable by-product of an Audit Engagement.
- Restriction on the distribution of the report: should also be included when reporting on the conditions relating to an entity’s internal control structure.

SUBSTANTIVE TESTING
- After considering a client’s internal control structure and concluding that it is well designed and is functioning as intended, the auditor will not increase the extent of predetermined substantive tests.
- If the auditor wants to perform more effective substantive tests, the auditor will perform tests of details and less Analytical Procedures.
- More Effective ST = Increase Test of Details, Decrease Analytical Procedure
- Example:
  1. Count and list cash on hand
  2. Sending confirmation to banks
- Example Evidence:
  1. Confirmation of accounts receivable from customers.

A. Test of Details (TOD) – (Required)
  1. Substantive Test of Transaction/Test of details of Transactions -
     - tests to determine whether the accounting transactions have been properly authorized, correctly recorded and summarized in the journals, and correctly posted to subsidiary ledgers and the general ledger.
     - involves testing the transactions which give rise to the ending balance of an account.
     - at Interim
     - Example:
       Source Doc. -> Entries = Completeness
       Records -> Asset = Existence/Occurrence
       Completeness: OR agreed w/ debit entries traced to cash
       Existence/Occurrence:
         1. Debit entries to cash are traced to OR
         2. Land: inspect the site
         3. AR: inspect sales invoice (internal)
         4. AR: confirm w/ customers (external)
  2. Substantive Test of Balance/ Test of Details of Balance –
     - involves direct testing of the ending balances of an account
     - primary emphasis is on Balance sheet accounts.
     - At year end
     - Example:
       - Beg Balance – compared to the audited balance of the previous year.
       - Confirmation of Ending Balance of CIB, AR and AP
       - Observation of inventory count
B. Substantive Analytical Procedure – (Optional)
  Includes the ff:
  a) Agreeing the FS to the underlying accounting records
  b) Examining material journal entries and other adjustments made during the course of preparing the FS.
  - Example: Trend Analysis & Ratio analysis
  - Optional as Substantive test
  - Required only during Planning and Completion
  - Used only when CR is less than High

Dual Purpose Test –
- TOC & ST at the same time
- Tests internal control as well as transactions and balances using the same test procedures
- Performance of TOC and TOD of transactions simultaneously to increase efficiency.
- Example: Obtain or prepare reconciliation statements of bank accounts as of the balance sheet date.

DETECTION RISK
- Function of effectiveness of an auditing procedure and its application
- Arises partly from uncertainties that exist when the auditor does not examine 100% of the population
- Arises partly because of other uncertainties that exist even if the auditor were to examine 100 percent of the population
- Exists dependent on the auditor of the FS.

Level of DR | Nature of ST | Timing of ST | Extent of ST
Lower Acceptable level of DR | More Effective | Year End | More Extensive
Higher Acceptable Level of DR | Less Effective | Interim | Less Effective

Audit Risk Model – used for planning purposes in determining how much evidence to accumulate.

AR = IR x CR x DR
- Can be controlled by the auditor
- Functions of the client and its environment: Cannot be controlled by the auditor
- IR + CR are inversely related to the Acceptable level of DR (ADR)
- DR is the dependent variable

AUDIT EVIDENCE

Sufficient Appropriate Evidence –
- Depends on the professional judgement of the auditor.
- A given set of audit procedures may provide audit evidence that is relevant to certain assertions but not to others.
- The auditor often obtains evidence from different sources or of a different nature that is relevant to the same assertion.
- Obtaining audit evidence relating to a particular assertion is not a substitute for obtaining audit evidence regarding another assertion
- Reliability of Evidence:
  1. Audit evidence is generally more reliable when it exists in documentary form as compared to evidence consisting of oral representation from the client.
  2. Audit evidence is generally more reliable when obtained directly by the auditor as compared to audit evidence obtained indirectly (second hand knowledge) or by inference.
  3. Audit evidence is generally more reliable when it is obtained from independent sources outside the entity as compared to audit evidence obtained from within the entity.
  4. Audit evidence that is generated internally under conditions of good internal control meets the required appropriateness of evidence mentioned in PSA 500

ASSERTIONS
1. Existence/Occurrence
2. Rights and Obligations
3. Completeness
4. Valuation & Allocation

Examples:
- Valuation & Allocation – Assets, liabilities and equity interests are included in the FS at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded.
- Existence/Occurrence – Assets, liabilities and equity interests exist.
- Completeness – All assets, liabilities and equity interests that should have been recorded have been recorded.
- Right and Obligation – The entity holds or controls the rights to assets, and liabilities are the obligation of the entity.

ASSERTIONS ABOUT CLASSES OF TRANSACTIONS
1. Cut-Off
2. Completeness
3. Accuracy
4. Classification

Examples:
- Cut-Off – Transactions and events have been recorded in the correct accounting period
- Completeness – All transactions and events that should have been recorded have been recorded.
- Accuracy – Amounts and other data relating to recorded transactions and events have been recorded appropriately.
- Classification – Transactions and events have been recorded in the proper accounts.
- Occurrence – Transactions and events that have been recorded have occurred and pertain to the entity.

ASSERTIONS ABOUT PRESENTATION AND DISCLOSURE
1. Completeness
2. Occurrence & Rights and obligation
3. Classification & understandability
4. Accuracy & Valuation and Allocation

Examples:
- Completeness – All disclosures that should have been included in the FS have been included.
- Occurrence & Rights and obligation – Disclosed events, transactions and other matters have occurred and pertain to the entity.
- Classification & understandability – Financial information is appropriately presented and described, and disclosures are clearly expressed.
- Accuracy & Valuation and Allocation – Financial and other information are disclosed fairly and at appropriate amounts.

Inquiry –
- an audit procedure that is used extensively throughout the audit but does not, by itself, provide sufficient appropriate evidence.
- Is useful in most parts of the audit
- Is rarely sufficient by itself
- Requires gathering of corroborative evidence

Observation – is limited to what the auditor sees.

Inspection –
- involves physical examination of tangible assets
- Inspection is a sufficient form of evidence when the auditor wants to determine the ff:
  a) Existence of assets
  b) Quantity and description of assets
  c) Condition or quality of assets

Confirmation –
- is the process of obtaining a representation of information or of an existing condition directly from a third party.
- Used to verify bank balances and Accounts Receivables
- The most relevant form of evidence with regard to assertions about accounts receivable when the auditor has concerns about the receivables’ existence.
- Confirmation Request Letter –
  - Signed by the appropriate level of management
  - Always sent under the control of the auditor

Negative Confirmation Request –
a) used when a large number of small balances is involved.
b) used when few errors are expected
c) auditor has no reason to believe that respondents will disregard negative confirmation request
d) used when the assessed level of inherent and control risk are low
e) customer will answer only if there is difference

Positive Confirmation Request –
a) customer will answer whether there is difference or not.
b) Where no response was received, the auditor should contact the recipient to elicit a response, and perform alternative procedures as necessary.

Recalculation – a procedure that aids auditor in obtaining evidence regarding the mathematical accuracy of accounting records and other information.

Re-performance – refers to an auditor’s independent execution of procedures or controls that were originally performed as part of the entity’s internal control.

Analytical Procedures – involves the evaluation of financial information through a study of plausible relationships among both financial and non-financial data.

Initial Audit – first time to audit a client
- For initial audit engagement, the auditor should obtain evidence that:
  a) The opening balances do not contain misstatements that materially affect the current period’s FS
  b) The prior period’s closing balances have been correctly brought forward to the current period or have been restated to the correct amount, if necessary.
  c) Appropriate accounting policies are consistently applied or changes in accounting policies have been properly accounted for and adequately disclosed.

FRAUD & ERROR

Intention – the distinguishing factor between fraud and error

Error –
- The unintentional misstatement in the FS, including the omission of an amount or disclosure
- Auditor’s responsibility regarding detection of material errors and irregularities:
  - Extended auditing procedures are required to detect material errors and irregularities if the auditor’s examination indicates that they may exist.
- Examples:
  a) Misinterpretation by management of facts that existed when the FS were prepared.
  b) Mathematical or clerical mistakes in the underlying records and accounting data.
  c) Incorrect accounting estimates arising from oversight or misstatement
  d) Mistake in the application of accounting policies.

Fraud - the act of any of the ff:
  a) Management and Employees
  b) Those Charged with Governance
  c) Third Party
- Intentional act by one or more individuals involving the use of deception to obtain unjust or illegal advantage.
- Although fraud is a broad legal concept, the auditor is concerned with fraudulent acts that cause a material misstatement in the FS
- Misstatement may not be the objective of some frauds
- The auditor does not make legal determination of whether fraud has actually occurred.

2 Types of Fraud
a) Fraudulent Financial Reporting
b) Misappropriation of assets or Employee fraud

- Court of Law – determines/declares if there is actual fraud.
- Audit procedures that are effective for detecting an unintentional misstatement may be ineffective for an intentional misstatement that is concealed through collusion.
- Collusion – 2 incompatible functions joined to do fraud.
- Professional Skepticism – Is necessary for the auditor to identify and properly evaluate:
  a) Matters that increase the risk of a material misstatement in the FS resulting from fraud or error.
  b) Circumstances that make the auditor suspect that the FS are materially misstated
  c) Evidence obtained that brings into question the reliability of management representations.
- When the application of planned audit procedure indicates the possible existence of fraud and error, the auditor should consider the potential effect on the FS.
- When an identified misstatement may be indicative of fraud, the auditor considers the implication of the misstatement in relation to other aspects of the audit, particularly the reliability of management representations
- According to PSA 240 - in planning the audit, the auditor should discuss with other members of the audit team the susceptibility of the entity to material misstatements in the FS resulting from fraud or error. Planning discussions would involve the ff:
  a) Where errors may be more likely to occur
  b) How fraud might be perpetrated
  c) Decisions made on which members of the team will conduct certain inquiries or audit procedures
- When Planning the Audit: the auditor should make inquiries of management in order to:
  a) Obtain an understanding of management’s assessment of the risk that the FS may be materially misstated as a result of fraud.
  b) Obtain an understanding of the accounting and internal control systems management has put in place to address fraud risks and to prevent and detect error.
  c) Determine whether management is aware of any known fraud that has affected the entity or suspected fraud that the entity is investigating.
  d) Determine whether management has discovered any material errors.
- Documentation: the auditor should document the ff:
  a) Fraud risk Factors identified as being present during the auditor’s assessment process
  b) The auditor’s response to any such factors identified.
  c) Fraud risk factors identified during the performance of the audit that cause the auditor to believe that additional audit procedures are necessary and the auditor’s response to them.
- Communication of a misstatement resulting from fraud or a suspected fraud or error to the appropriate level of management on a timely basis is important because it enables management to take action as necessary.
- If an auditor has suspicion of occurrence of fraud, the auditor should:
  a) Consider the implication of fraud in relation to other aspects of the audit, particularly the reliability of management’s representation
  b) The auditor should communicate to management about fraud that brings material potential effect on FS (note: even suspected fraud is reported)
  c) Unless circumstances clearly indicate that fraud is an isolated occurrence, the auditor adjusts the nature, timing and extent of substantive procedure.
  d) If the auditor believes the indicated fraud could have a material effect on the FS, he should perform appropriate modified procedures.
- Circumstances that bring into question the auditor’s ability to continue performing the audit:
  a) The entity does not take the remedial action regarding fraud that the auditor considers necessary in the circumstances
  b) The auditor’s consideration of the risk of material misstatement resulting from fraud and the results of audit tests indicate a significant risk of material and pervasive fraud.
  c) The auditor has significant concern about the competence or integrity of management or those charged with governance.

Fraud Risk factors –
- Indicate the possible presence of fraud and they often have been present in circumstances where frauds have occurred.
- Fraud risk Factors cannot easily be ranked in order of importance or combined into effective predictive models.
- The auditor exercises professional judgement when considering fraud risk factors individually or in combination and whether there are specific controls that mitigate the risk.
- The size, complexity and ownership characteristics of the entity have a significant influence on the consideration of relevant fraud risk factors.

Matters to consider when communicating the affairs of a client to a proposed successor auditor
1. Whether client’s permission has been obtained
2. Relevant professional and legal responsibilities applicable in the Philippines

Non-Compliance –
- Refers to the acts of omission or commission by the entity being audited which are contrary to prevailing laws and regulation.
- Auditor’s responsibility of evaluating non-compliance by the entity:
  a) An audit cannot be expected to detect non-compliance with all laws and regulations.
  b) Non-compliance includes personal misconduct of entity management or employees that are related to the entity’s business activities.
  c) Detection of non-compliance, regardless of materiality, requires consideration of the implications for the integrity of management or employees.
- Illegal Acts:
  - An auditor’s responsibility to detect illegal acts that have a direct and material effect on the FS is the same as an auditor’s responsibility for errors and fraud.
- Expected of the auditor in determining non-compliance by an entity:
  a) Whether an act constitutes non-compliance is a legal determination that is ordinarily outside the auditor’s professional competence.
  b) The auditor’s training, experience and understanding of the entity and its industry can provide a basis for recognition that some acts coming to the auditor’s attention may constitute non-compliance with laws and regulation
  c) The determination as to whether a particular act constitutes or is likely to constitute noncompliance is generally based on the understanding of the auditor but ultimately can only be determined by a court of law.
  d) In order to plan the audit, the auditor should obtain a general understanding of the legal and regulatory framework applicable to the entity and the industry and how the entity is complying with the framework.
- An FS audit can provide reasonable assurance that direct and indirect effect illegal acts that are material to FS will be detected.
- Auditor’s audit cannot reasonably be expected to bring all illegal acts by the client to the auditor’s attention because illegal acts by the client often relate to operating aspects rather than accounting aspects.
- When an auditor becomes aware of information concerning a possible non-compliance, the auditor should:
  a) Obtain an understanding of the nature of the act and the circumstances in which it has occurred, and evaluate the possible effect on the FS.
- Documenting Non-Compliance: the auditor should document the finding and discuss them with the ff:
  a) Client Management – (priority)
  b) Client’s Legal Counsel
  c) Auditor’s own lawyer
- An auditor who finds that the client has committed an illegal act:
  1. Withdraw (if you can) / Disclaim (if you cannot withdraw)
     - when there is doubt on client’s integrity.
     - client refuses to accept the auditor’s report as modified for illegal act.
  2. Qualified / Disclaimer - (QD)
     - Auditor is precluded from obtaining sufficient competent evidence about the illegal act.
     - Auditor cannot reasonably estimate the effect of the illegal act on the FS
     - If illegal act cannot be quantified
  3. Qualified / Adverse - (QA)
     - Illegal act has an effect on the FS that is both material and direct.
     - If illegal act is material (can be quantified)
- Consider seeking legal advice on orderly withdrawal
  - If the auditor suspects that the members of senior management, including members of the board, are involved in non-compliance to laws and regulations, and he believes his report may not be acted upon. (Disclaim if cannot withdraw)