APPLICATION DISCUSSION

AUDITING AND ASSURANCE: CONCEPTS AND APPLICATIONS 1

Overview of the Audit Process
Internal
Control
Internal Control
COSO defines internal control as:
• a process, effected by an entity’s board of
directors, management, and other
personnel, designed to provide reasonable
assurance regarding the achievement of
objectives relating to operations,
reporting, and compliance.
COSO
Committee of Sponsoring
Organizations of the Treadway Commission

Published the most widely used framework

of internal control:
Internal Control–Integrated Framework
FIVE COMPONENTS OF
INTERNAL CONTROL
Control
Risk Assessment
Environment

Control Information &

Activities Communication

Monitoring
 Risk Assessment

Involves the process for identifying

and assessing the risks that may
affect an organization from achieving
its objectives. Risk assessment needs
to be conducted before an
organization can determine the
other necessary controls.
 Control Environment
Set of standards, processes and
structures that provides the basis for
carrying out internal control across the
organization. It includes the tone at the
top regarding the importance of
internal control and the expected
standards of conduct. The control
environment has a pervasive impact on
the overall system of internal control.
Control Activities

Actions that have been

established by policies and
procedures. They help ensure
that management’s directives
regarding internal control are
carried out. Control activities
occur at all levels within the
organization.
Information &
Communication

Recognizes that information is

necessary for an organization to
carry out its internal control
responsibilities. Information can
come from internal and external
sources. Communication is the
process of providing, sharing, and
obtaining necessary information.
Information and communication help
all relevant parties understand
internal control responsibilities and
how internal controls are related to
achieving objectives.
 Monitoring

Necessary to determine whether the

controls, including all five
components, are present and
continuing to function effectively.
Two Types of Controls

Entity-
Wide

Transaction
Internal Control
Components &
Principles
Material Weakness
A deficiency, or a combination of
deficiencies, in internal control over
financial reporting, such that there is a
reasonable possibility that a material
misstatement of the company’s annual
or interim financial statements will not
be prevented or detected on a timely
basis.
Examples of Material
Weakness
Examples of Material
Weakness
Significant Deficiency in
Internal Control
A significant deficiency is a deficiency,
or a combination of deficiencies, in
internal control over financial
reporting that is less severe than a
material weakness, yet important
enough to merit attention by those
responsible for oversight of the
organization’s financial reporting.
Application
Q&A
 Scenario
Management has identified the significant accounts and relevant assertions in the process
of procuring goods and recording the related accounts payable and inventory. After
selecting and testing controls designed to mitigate risk of misstatement in these accounts,
management identifies the following control deficiencies:
• Segregation of duties: At one location, the controls are not well designed, as there is not
proper segregation of duties. However, the location is very small, accounting for less
than 1% of purchases.
• Lack of approval: At a second location that handles 62% of the organization’s purchases,
management found that approximately 17% of the purchase orders did not contain proper
approval. The reason for the lack of approval was the rush to procure material in a timely
fashion to meet a contract requirement. This represents an operating deficiency.
 Scenario
In deciding whether to categorize a deficiency as a
significant deficiency or material weakness, what does
the management consider?
 Scenario
Management concludes that the first deficiency (related to segregation of duties) did not rise to
the level of either a significant deficiency or a material weakness. However, management
decides to use this deficiency as a motivation to centralize purchases at headquarters.
The second deficiency (related to lack of approval) is more of a problem. Management
determines this is a significant deficiency based on the following rationale:
• It is a major departure from an approved process.
• It could lead to the purchase of unauthorized goods.
• The unauthorized goods could lead to either (a) inferior products or (b) potential obsolescence.
• Those making the purchases could cause them to be shipped elsewhere (fraudulently) and
could lead to a material misstatement in the financial statements.
 Scenario
Management determines that other controls are in place that test for
inferior products and obsolescence, and that cycle counting of inventory
would discover goods that are shipped to a different location. Accordingly,
management believes that because of these controls, any potential
misstatements in the financial statements would not be material.
Management tests these controls and determines that they are operating
effectively. If these other controls were not in place and operating
effectively, then management would have assessed the control deficiency
as a material weakness.
 Scenario
After determining significant accounts and relevant assertions, the auditor reviews management’s
documentation of its internal control and management’s evaluation and findings related to internal control
effectiveness. The auditor had previously reviewed and tested the control environment and other entity-wide
controls and had evaluated them as effective. The auditor then determined that the following were the
important controls in this process:
• Only authorized goods are purchased from authorized vendors.
• Purchase prices are negotiated by contract or from bids.
• All purchases are delivered to the organization and received by a separate receiving department.
• All purchases are recorded in a timely fashion and are appropriately classified.
• Payments are made only for goods that are received.
• Payments are made consistent with the purchase orders or contracts.
• Payments are made in a timely fashion.
 Scenario
The auditor takes a sample of fifty purchase orders to examine whether
purchases are authorized and processed properly. The auditor’s sample
size is influenced by previous information about the operation of the
control. Although management had also taken a random sample of
purchases and tested the operating effectiveness, the auditor needs to
independently determine that the controls are working (or not working).
The sample is randomly chosen and the auditor traces the transactions
through the system to determine that the objectives identified above are
addressed by controls.
 Scenario
The auditor’s testing of controls identified the same two deficiencies
identified by management. Management viewed the deficiency related to
lack of approval as a significant deficiency because (a) the organization
has a good ethical climate and (b) management’s tests confirmed that all
goods were delivered to the organization. The auditor’s tentative
conclusion is that this deficiency is a material weakness because:
● The location was responsible for ordering 62% of all of the
organization’s products.
● Management’s tests showed a failure rate of over 17%.