Professional Documents
Culture Documents
2. Commitment to competence
Management’s consideration of the competence levels for specific jobs and how those
translate into requisite skills and knowledge
5. Organizational structure
Understanding the client’s organizational structure provides the auditor with an
understanding of how the client’s business functions and implements controls.
B. Risk Assessment
Client management’s identification and analysis of risks relevant to the preparation
of the financial statements in accordance with GAAP.
Client Management’s Risk Assessment
Client management assesses risk as part of designing and operating
internal controls to minimize errors and fraud. Three steps involve:
i. Identify factors that may increase risk
ii. Determine significance of risk and likelihood of occurrence
iii. Develop specific actions to reduce risk to an acceptable level.
Sources of Risks
Internal sources of risk
• Changes in management responsibilities
• Changes in internal information technology
• Poorly conceived business model
External sources of risks
• Economic recessions decrease product or service demand
• Increase in competition
• Changes in regulation that make the business model unsustainable
• Changes in the reliability of source goods that reduce profitability
C. Control Activities
Policies and procedures that client management has established to
meet its objectives for financial reporting.
The Control Activities:
• Ensure that management’s directives regarding controls are accomplished
• Performed within processes
• Performed at all levels of an organization
E. Monitoring
Client management’s ongoing and periodic assessment of the quality of internal
control performance to determine whether controls are operating as intended
and modified when needed.
• Process that provides feedback on effectiveness of each of the five components of
internal control
• For its accomplishment, managers select either of the following or a combination
of both
– Mix of ongoing evaluations
– Separate evaluations
• Requires that identified deficiencies in internal control be communicated to the
personnel concerned with follow-up action taken
• For many companies, especially larger ones, an internal audit department is
essential for effective monitoring.
• To maintain internal audit independence, it is imperative that they be
independent of operating and accounting departments; and that they report to a
high level of authority, preferably the audit committee of the board of directors.
Entity-Wide Controls
Operate across an entity and affect multiple processes, transactions,
accounts, and assertions
Controls related to control environment
Controls over management override
Organizations’ risk assessment process
Centralized processing and controls
Controls to monitor results of operations
Controls over period-end financial reporting process
Policies that address business control and risk management practices
Transaction Controls
Control activities implemented to mitigate transaction processing risk
Affect certain processes, transactions, accounts, and assertions
Do not have an entity-wide effect