9.

401 Auditing

Chapter 9
The Study of Internal Control and
Assessment of Control Risk
Generally Accepted Auditing
Standard
 5100.02 (ii) A sufficient understanding of
internal control should be obtained to plan the
audit. When control risk is assessed below
maximum, sufficient appropriate audit evidence
should be obtained through tests of controls to
support the assessment. [Oct. 1992]
Internal Control
consists of the
policies and procedures
established and maintained by
management
to assist in achieving its objectives
Those objectives are…
1) Effectiveness and efficiency of operations
 safeguarding of assets
 Prevention and detection of fraud
2) Reliability of financial reporting
3) Compliance with applicable laws,
regulations and policies
As far as is practical. Mgmt can and should
consider consequences and risks of non-
control and costs of control
implementation.
 Factors Affecting Internal Control
 The entity’s size
 The entity’s organization and ownership
characteristics
 The nature of the entity’s business
 The diversity and complexity of the entity’s
operations
 The entity’s methods of transmitting,
processing, maintaining, and accessing
information
 Applicable legal and regulatory requirements
 Criteria of Control (COCO)
Board of the CICA
Purpose
Monitoring & Commitment
Learning
Action Capability

 A person performs a task guided by an understanding of its

purpose (the objective to be achieved) and supported by capability
(information, resources, supplies, and skills). The person will need
a sense of commitment to perform the task well over time. The
person will monitor his or her performance and the external
environment to learn about how to do the task better and about
changes to be made. The same is true of any team or work group
Elements of Internal Control
 Elements of internal control include:
 Control environment
 General computer control systems and

procedures
 Accounting System

 Accounting System Control Procedures

 Control Environment
 the collective effect of various factors on establishing, enhancing or
reducing the effectiveness of internal control policies and procedures
 . Such factors include:
 Management Philosophy and Operating Style;

 The functioning of the board of directors and internal control,

particularly the audit committee;

 Organizational Structure;

 Methods of Assigning Authority and Responsibility;

 Management Monitoring Methods; Internal Audit; and Personnel

Policies and Practices

 Management reaction to external Influences

 Systems Development Methodology

 Control Environment
 Reflects the overall attitude, awareness, commitment and
actions of management concerning the importance of
internal control and its emphasis in the entity.
 Strengths and weaknesses in control environment factors
are likely to have a pervasive effect on the financial
statements.
 An effective control environment interacts with control

systems. It may reduce the impact that the absence of

certain control systems might otherwise have. It also
strengthens the impact of controls in place.
 An ineffective control system may impair the

effectiveness of control systems.

General computer control
systems
 Establish controls over info system
processing activities
 Affect multiple classes of transactions
 General computer control systems
General Control Means…
System
Org and Mgmt controls -policies and procedures are
established
-programmer and operator functions
separate
Systems acquisition, -policies and procedures to ensure
development and systems are authorized, efficient and
maintenance controls function according to objectives
Operations and -system should be available and
Information Systems used for authorized purposes
Support (=training, documentation,
controlled access, backup and
The Accounting System
= the policies and procedures involving the
 Collection

 Transcribing

 Processing

 And reporting of data

Accounting System Control
Procedures
= policies and procedures that enhance the reliability
of accounting data
 Occurrence

 Completeness

 Accuracy (valuation), Posting

 Classification

 Timing

-often involves “checks”, “reconciles”, “compares”,

“verifies”, “ensures”…..
Segregation of duties
 Ensures that no-one is in a position to
commit or profit from an error/fraud and
cover it up.
 To work, these duties MUST be separate:
 Authorization of transaction

 Custody of assets (including cheques,

cash, inventory etc.)

 Recording of transaction

 Periodic reconciliation
Other Controls
 Proper Authorization (general or specific)
 Adequate documents
 Prenumbered or sequentially numbered +

follow-up of missing items

 Prepared on a timely basis

 Sufficiently simple, easy to fill out

Other Controls
 Safeguards over access to and use of assets
 Safeguards over access to and use of records
 Physical and logical

 Independent verification of performance and

accuracy of recorded amounts
 Inventory counts, bank recs.

 Input or output checks (eg. Check digits,

reasonableness limits)
 Comparison of documents, quantities, prices
Acquiring Understanding of IC
 At minimum, auditor must acquire
understanding of:
 Control environment

 General computer control systems and

procedures
 Accounting System
 Purpose of Understanding IC
1) Assess auditability (depends on mgmt integrity,
adequacy of record and general controls)
2) Familiarity with client to facilitate audit:
 Major classes of transactions
 How they’re initiated
 What records and documents exist
 How transactions are processed and
reported
Therefore, helps auditor design tests and
identify potential misstatements
3) Assess Preliminary Control Risk
Further Investigation of IC
 If auditor believes reliance on IC (ie.
CR<100%) may be possible AND efficient,
investigate further the control procedures in
place
 Make preliminary assessment of Control
Risk
Preliminary Assessment of CR
1) Identify transaction audit objective
(existence/occurrence, completeness etc.)
2) Identify specific controls
 remember effects of control environment
and general computer controls
3) Identify and evaluate weaknesses
o Determine potential misstatements that
could occur and effect on audit
o Consider compensating controls
How to investigate IC
Update and evaluate previous working papers
Inquiries of Client Personnel
Read client policy and systems manuals
Examine documents and records: perform
transaction walk-through
Observe activities and operations
Documenting the Understanding of the Internal
Control

A number of tools are available to the auditor

for documenting the understanding of the
internal control including:
 Copies of the entity's procedures manuals and
organizational charts
 Narrative descriptions
 Internal control questionnaires
 Flowcharts
 Further Investigation of IC
 If preliminary CR<100%, perform tests of controls
on KEY CONTROLS to ensure:
 Control was operating as described, with

sufficient effectiveness, throughout period of

reliance
 Tests may include:
 Inquiry of personnel (requires corroboration)

 Examine documents, records, reports

 Observe activities (eg. Segregation of duties, test

data)
 Reperform procedures if possible

 If control is computerized, test and ensure controls

exist over changes to program
 Direction of the Test of Controls
Audit Procedures
File of File of
shipping recorded sales
documents (sales journal)
Vouch to
Validity shipping documents Sample
Evidence
direction selection

Completeness Sample Trace to recorded sales

Evidence
Direction selection
Further Investigation of IC
 Revise preliminary control risk with results
of tests of controls
 Calculate detection risk and design
substantive procedures
 Combined approach = reliance on both IC

and substantive procedures

 Substantive approach = no reliance on IC

as either unjustified or inefficient

 Audit Cost Trade - off
Audit Cost Tradeoff

Year end audit work

cost
Audit cost

Internal control
evaluation cost
Total Cost

High Medium Low

Control Risk Assessment

Communications with the Client

 Systems improvements are communicated to the

client by the management letter, which is written at
the end of field work
 Section 5220 requires communication of all
significant internal control weaknesses
 Section 5750 “Communication of Matters Identified
During the Financial Statement Audit” eg. Fraud or
illegal acts
 5220 and 5750 don’t have to be in writing
Communicating Internal Control Weaknesses
Reportable conditions
 Absence of appropriate segregation of duties

 Absence of appropriate reviews

and approvals of transactions

 Evidence of failure of control

procedures
 Evidence of intentional

management override
 Evidence of willful wrong doing

by employees or management, including manipulation,

falsification or alteration of accounting records
 Material Weaknesses
A material weakness in internal control is defined as a
reportable condition in which the design or operation of
one or more of the specific internal control elements
does not reduce to a relatively low level the risk that
errors or irregularities in amounts that would be material
in relation to the financial statements being audited may
occur and not be detected within a timely period by
employees in the normal course of performing their
assigned functions (AU 325.15).
Limitations of Internal Control
 Human failures such as simple errors or mistakes
 Management override
 Collusion
 Cost/benefit
 Unusual transactions

Because of these limitations, as long as the

item is material, it is generally necessary to
do at least some substantive testing.