
Internal Control Evaluation in FS Audit

Steps in auditor’s approach in the study and evaluation of client’s internal control
1. Obtain an understanding of the client’s internal control structure.
2. Make a preliminary assessment of control risk
3. Determine the appropriate response to the assessed risks
4. Reassess control risk
5. Determine the nature, extent and timing of substantive tests
Step 2 – Make a Preliminary Assessment of Control Risk
In assessing control risk, the auditor:
1. Considers the errors or irregularities that could occur and that could
result in material misstatements in the financial statements
2. Identifies relevant control procedures designed to prevent the
errors or irregularities
3. Performs tests of controls on the control procedures to be relied on
in designing substantive tests.
For each major transaction cycle, an auditor
considers the errors or irregularities that could
occur in an entity’s control structure and then
identifies control procedures that could serve
either to prevent or to detect the errors or
irregularities.
Pointers when assessing control risk
Control Environment
1. The existence of a satisfactory control environment is not an
absolute deterrent to fraud
2. The control environment in itself does not prevent, or detect and
correct material misstatements
Risk Assessment Process
3. Note how management performs the risk assessment process
4. Consider the existence of material weaknesses in internal control
Information System and Communication
1. There is the possibility of inappropriate override of controls over journal
entries
2. Check the resolution of incorrectly processed transactions
3. Focus on communications with the audit committee, and with regulatory
authorities.
Control activities
4. The auditor’s primary consideration is whether, and how, a specific control
activity prevents, or detects and corrects, material misstatements
5. Consider the risks associated with information technology (IT).
Monitoring of Controls
6. In many entities, internal auditors or personnel performing similar functions
contribute to the monitoring of an entity’s activities.
Auditor must decide whether to assess control risk for a particular
assertion at HIGH or at LESS THAN HIGH

• HIGH control risk assessment
  • There is a likelihood that significant misstatements exist in the FS
  • Entity’s internal control policies and procedures in the area are poor or
    inadequate and cannot be relied upon, for all or certain audit objectives.
  • Auditor’s belief that control structure policies and procedures have not been
    effectively designed or have not operated effectively
• LESS THAN HIGH control risk assessment
  • The auditor identifies specific control activities that are in place and relevant to
    particular assertions that are likely to prevent or detect material misstatements in
    those assertions, and must test whether those policies and procedures are
    designed and operating effectively
  • Effect of policies and procedures varies with particular control structure element.
END OF STEP 2
Test of controls
• Are used to test either the effectiveness of the design or operation of
a client’s internal control policy or procedure in support of a “less
than high” control risk assessment.
• An audit procedure designed to evaluate the operating effectiveness
of controls in preventing, or detecting and correcting, material
misstatements at the assertion level. (PSA 330 definition)
Nature of Test of Control (PSA 330 redrafted)
In designing and performing tests of controls, the auditor shall:
1. Perform other audit procedures in combination with inquiry to obtain audit
evidence about the operating effectiveness of the controls, including:
• How the controls were applied at relevant times during the period under audit.
• The consistency with which they were applied.
• By whom or by what means they were applied. (Ref: Para. A26-29)
2. Determine whether the controls to be tested depend upon other controls
(indirect controls), and if so, whether it is necessary to obtain audit evidence
supporting the effective operation of those indirect controls. (Ref: Para. A30-31)
Nature of Tests of Control
The tests generally consist of one, or a combination of the following
procedures:
1. Inquiry of client personnel
2. Observation of the application of policies and procedures
3. Inspection (i.e., examination of documents)
4. Reperformance or recalculation
Example
An auditor inquires about a sales manager’s review and investigation of a report of
invoices with unusually high or low gross margins. Merely asking the sales manager
whether he or she investigates discrepancies is likely to be inadequate.
• How is the report reviewed?
• Are there particular situations to which the manager’s attention is directed?
• Is every report reviewed?
• How long does the review take?
• How are the items on the report investigated?
• Are all items investigated?
• What sorts of problems cause these exceptions?
• Are those problems recurring?
• Are those problems being eliminated?
• How is it ensured that every report is received?
• Are the reports ever not produced, or do reports ever have no entries on them?
• How often are the reports reviewed?
• Were there any periods in which these reports were not received?
• The auditor can acquire relevant information by making appropriate
inquiries; however, inquiry alone generally does not provide sufficient
evidence to support a conclusion about whether a specific control activity is
effective. Accordingly, if the auditor believes a control activity may have
significant effect in supporting a less-than-high control risk assessment for a
specific audit objective, he or she usually should perform tests in addition to
inquiry to obtain sufficient evidence that the control is operating effectively.
• Tests based on observation, inquiry, and examination of documents and
records often provide sufficient evidence about the operating effectiveness
of a control. That is, these tests provide evidence of how the control was
applied, whether it was applied consistently throughout the period, and the
person(s) who applied it. However, in some instances, the auditor also may
have to reperform the application of a control to obtain adequate evidence
that it is operating effectively.
Example
A bank’s control designed to ensure the completeness and
accuracy of updating a standing data file of interest rates
may entail comparing authorized changes in interest rates
with the data on the file after the changes have been
inputted. That control may be so significant to the
accuracy of interest charged to loan customers that the
auditor may wish to reperform the comparison a few
times to gain additional evidence that it is operating as
prescribed.
Control Deviations
• When performing tests of controls, an auditor may find differences
between what was expected, based on the documentation obtained,
and what actually occurred. For example:
• A vendor’s invoice may have been paid without the accounts payable
manager’s initials of approval.
• Such differences are appropriately called – exceptions, deviations, or
occurrences, rather than errors, because an exception does not
necessarily mean that an error had been made in the accounting
records. Thus, the fact that a vendor’s invoice lacks approving initials
does not necessarily mean that the invoice should not have been paid.
Timing of Test of Controls
• The timing of tests of controls depends on the auditor’s objective and
determines the period of reliance on those controls. If the auditor tests
controls at a particular time, the auditor only obtains audit evidence that the
control operated effectively at that time. However, if the auditor tests controls
throughout a period, he obtains audit evidence of the effectiveness of the
operation of the controls during the period.
• When the auditor obtains audit evidence about the operating effectiveness of
controls during an interim period, the auditor should determine what
additional audit evidence should be obtained for the remaining period.
Another important matter is how much to rely on tests of prior periods
as evidence that controls are effectively designed and continue to operate
effectively during the current audit period.
Extent of Test of Controls
• The more the auditor relies on the operating effectiveness of controls
in the assessment of risk, the greater is the extent of the auditor’s test
of controls. In addition, as the rate of expected deviation from a
control increases, the auditor increases the extent of testing of the
control.
• The auditor designs tests of controls to obtain sufficient appropriate
audit evidence that the controls operated effectively throughout the
period of reliance.
Considerations in Determining the Extent of Test of Controls
1. The frequency of the performance of the control by the entity during the period.
2. The length of time during the audit period that the auditor is relying on the
operating effectiveness of the control.
3. The relevance and reliability of the audit evidence to be obtained in supporting
that the control prevents, or detects and corrects, material misstatements at the
assertion level.
4. The extent to which audit evidence is obtained from tests of other controls
related to the assertion.
5. The extent to which the auditor plans to rely on the operating effectiveness of
the control in the assessment of risk.
6. The expected deviation from the control.
END OF TEST OF CONTROLS
Step 5 – Determine the Nature, Extent and Timing of Substantive Tests
• Irrespective of the assessed risk of material misstatement, the
auditor should design and perform substantive procedures for
each material class of transactions, account balance, and
disclosures.
• The assessed level of control risk for an assertion has a direct
effect on the design of substantive tests. The lower the assessed
level of control risk, the less evidence the auditor needs from
substantive tests. The auditor’s control risk assessment
influences the nature, extent and timing of substantive
procedures to be performed.
Possible Modifications to the Substantive Test Audit Program
As the assessed level of control risk decreases, the auditor may modify
substantive tests in the following ways:
1. Changing the nature of substantive tests (e.g., using analytical review
rather than detailed substantive testing)
2. Changing the timing of substantive tests, such as performing them at
an interim date rather than at year-end
3. Changing the extent of substantive tests, such as selecting a small
sample size.
**Regardless of assessed level of control risk, the auditor should perform
some substantive test for significant account balances and transaction
classes.**
END OF STEP 5
Enterprise Risk Management – Integrated Framework
• Enterprise Risk Management (ERM) is the practice of planning, coordinating,
executing and handling the activities of an organization in order to minimize
the impact of risk on investment and earnings. ERM extends the approach to
incorporate not only risks connected with unexpected losses, but also
strategic, financial and operational risks.
• ERM also may be identified as a risk-based process that is used to manage an
enterprise, integrate internal control principles and perform strategic
planning. ERM is innovative in that it is geared toward managing the growing
requirements of numerous stakeholders who need to realize the broad range
of risks faced by complex organizations, helping ensure proper management.
Reference https://www.techopedia.com/definition/29096/enterprise-risk-management-erm
Enterprise Risk Management – Integrated Framework
• Issued by COSO in 2004
• In response to a need for principles-based guidance to help entities
design and implement effective enterprise-wide approaches to risk
management
• Defines essential enterprise risk management components, discusses
key ERM principles and concepts, suggests a common ERM language,
and provides clear direction and guidance for enterprise risk
management.
Eight components of new COSO framework
1. Internal control environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring.
Value is maximized when management sets strategy and objectives to
strike an optimal balance between growth and return goals and related
risks, and efficiently and effectively deploys resources in pursuit of entity's
objectives. Enterprise risk management encompasses:
• Aligning risk appetite and strategy – Management considers the entity's
risk appetite in evaluating strategic alternatives, setting related
objectives, and developing mechanisms to manage related risks.
• Enhancing risk response decisions – Enterprise risk management
provides the rigor to identify and select among alternative risk
responses - risk avoidance, reduction, sharing, and acceptance.
• Reducing operational surprises and losses – Entities gain enhanced
capability to identify potential events and establish responses, reducing
surprises and associated costs or losses.
• Identifying and managing multiple and cross-enterprise risks – Every
enterprise faces a myriad of risks affecting different parts of the
organization, and enterprise risk management facilitates effective
response to the interrelated impacts, and integrated responses to
multiple risks.
• Seizing opportunities – By considering a full range of potential events,
management is positioned to identify and proactively realize
opportunities.
• Improving deployment of capital – Obtaining robust risk information
allows management to effectively assess overall capital needs and
enhance capital allocation.
END OF ERM
Nature of Audit Evidence
• Audit evidence is cumulative in nature and is primarily obtained from
audit procedures performed during the course of the audit. It may,
however, also include information obtained from other sources such
as previous audits (provided the auditor has determined whether
changes have occurred since the previous audit that may affect its
relevance to the current audit) or a firm's quality control procedures
for client acceptance and continuance. In addition to other sources
inside and outside the entity, the entity’s accounting records are an
important source of audit evidence.
Accounting Records and Other Information
ACCOUNTING RECORDS
• The records of initial entries
• Supporting records
• Checks and records of electronic fund transfers
• Invoices
• Contracts
• The general and subsidiary ledger
• Journal entries
• Other adjustments to the financial statements that are not reflected in formal journal entries
• Records such as worksheets
• Spreadsheets supporting cost allocations, computations, reconciliations and disclosures.
OTHER INFORMATION
• Minutes of meetings
• Confirmations from third parties
• Analysts’ report
• Comparable data about competitors (benchmarks)
• Controls manuals
• Information obtained by the auditor from such audit procedures as inquiry, observation, and inspection
• Other information developed by, or available to, the auditor that permits the auditor to reach conclusions through valid reasoning.
• The entries in the accounting records are often initiated, recorded,
processed and reported in electronic form. In addition, the accounting
records may be part of integrated systems that share data and support
all aspects of the entity’s financial reporting, operations and
compliance objectives.
• Other information – audit evidence which is not classified as
accounting records
• Corroborating evidence – refers to evidence which complements or
supports an assertion which is already supported by another type of
corroborating evidence.
Examples of Corroborating Evidence
1. Authoritative documents – such as truck titles, vendors' invoices, official receipts
2. Internal controls – the result of the auditor's evaluation of the client's internal control
structure.
3. Calculations by auditor – such as calculation of depreciation expense, tax liabilities
4. Physical existence – is determined by observation and count.
5. Analytical review procedures – such as interrelationships between interest expense and
interest payable, unusual items, etc. provide assurance as to the absence of material
irregularities or errors.
6. Confirmation replies – received from third parties.
7. Representation letters – received from clients' management.
8. Subsequent events – confirm the status of estimates and assertions at the financial
statement date.
Relationship of Audit Evidence to Management Assertions
• Audit evidence is gathered as a basis for
expressing an opinion on whether the assertions
of management are fairly stated.
• A given set of audit procedures may provide
audit evidence that is relevant to certain
assertions, but not others.
END OF NATURE OF AUDIT EVIDENCE
Evaluating Audit Evidence
• The auditor ordinarily obtains more assurance from consistent audit
evidence obtained from different sources or of a different nature than from
items of audit evidence considered individually.
• In addition, obtaining audit evidence from different sources or of a different
nature may indicate that an individual item of audit evidence is not reliable.
• For example, corroborating information obtained from a source
independent of the entity may increase the assurance the auditor obtains
from a management representation. Conversely, when audit evidence
obtained from one source is inconsistent with that obtained from another,
the auditor determines what additional audit procedures are necessary to
resolve the inconsistency.
END OF EVALUATING EVIDENCE
Nature, Timing and Extent of Procedures
• The nature and timing of the audit procedures to be
used may be affected by the fact that some of the
accounting data and other information may be
available only in electronic form or only at certain
points or periods in time. Source documents, such as
purchase orders, bills of lading, invoices, and checks,
may be replaced with electronic image processing
systems.
END
