Professional Documents
Culture Documents
APPLICATIONS 1
Chapter 2 – Audit Planning and Internal Controls
Considerations – Part 2
Question 1
Understand the components of internal control and the entity’s flows of transactions
We are required to obtain an understanding of internal control relevant to the audit. Relevant
controls
may exist within each of the following components of internal control:
• The control environment;
• The entity’s risk assessment process;
• The information system, including the related business processes, relevant to financial
reporting, and communication;
• Control activities; and
• Monitoring of controls.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2
The control environment can be described as the attitudes, awareness, and actions
of management and those charged with governance concerning the entity’s internal
control and its importance in the entity.
The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2
The information system, including the related business processes, relevant to financial
reporting, and communication
An entity’s information system, including the related business processes, relevant
to financial reporting and communication, supports the identification, capture,
and exchange of information in a form and time frame that enables individuals to
carry out their financial reporting responsibilities. An information system may
consist of infrastructure (physical and hardware components), software, people,
procedures, and data. Many information systems make extensive use of
information technology (IT).
Control activities
Control activities are the policies and procedures that help ensure that
management directives are carried out. Control activities, whether within IT or
manual systems, have various objectives and are applied at various
organizational and functional levels. Examples of specific control activities include
those relating to the following:
• Authorization.
• Performance reviews.
• Information processing.
• Physical controls.
• Segregation of duties.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2
Monitoring of controls
Monitoring of controls refers to the entity’s process for assessing the effectiveness
of internal control relevant to financial reporting over time, including:
• The sources of the information related to monitoring activities
• The basis upon which management considers the information to be sufficiently
reliable for their purposes
• How management initiates remedial actions regarding deficiencies in controls.
Controls may vary due to the nature, approach, and type of the control implemented by the entity
to address a risk of material misstatement. Differences in the nature, approach, and type of a
control results in an individual control being more or less reliable, and impacts:
• Procedures performed and timing of testing necessary to support our evaluation of the design of a
control
• Determination of implementation; and
• Our determination of the risk associated with the control
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2
Nature: The nature of how the control is performed, i.e., manual or automated
Approach: The approach management implemented to address the assessed risks, i.e., preventive
or detective
Type: The type of control activity being performed, i.e., verifications, authorization and approvals,
physical controls and counts, controls over IUC, reconciliations, and controls with a review
element.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence
as to the operating effectiveness of relevant controls if:
(a)The auditor’s assessment of risks of material misstatement at the assertion level includes an
expectation that the controls are operating effectively (that is, the auditor intends to rely on the
operating effectiveness of controls in determining the nature, timing and extent of substantive
procedures); or
(b)Substantive procedures alone cannot provide sufficient appropriate audit evidence at the
assertion level.
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2
Evaluating the design of a control involves considering whether the control, individually or in
combination with other controls, is capable of effectively preventing, or detecting and correcting,
material misstatements. The effectiveness of the design of a control depends on the degree to which
the control can mitigate the related risk(s) of material misstatement.
As a result, it is important in evaluating the design of a control to consider the related risk(s) of
material misstatement the control is intended to address.
BREAK
Chapter 2 - Audit Planning and Internal Controls Considerations Part 2