Chapter 6: Internal Control in a Financial Statement Audit

Physical Controls

- Physical security of assets, including adequate safeguards, such as secure facilities to protect against theft of assets o records. - Authorization requirements for access to computer programs and data files. - Periodic counting and comparison with amounts shown on control records (e.g., comparing the results of cash, security, and inventory counts with accounting records). If physical controls over access to records and data are weak or suspect, this has a direct impact on the auditor's assessment of control risk. The implications of an increased control risk assessment on the financial statement audit are discussed later in this chapter.

Understanding the Information System and Communications

- The classes of transactions in the entity's operations that are significant to the financial statements. - The control procedures by which transactions are initiated, authorized, recorded, processed, and reported, from their occurrence to their inclusion in the financial statements. - The related accounting records, whether electronic or manual, supporting information, and specific accounts in the financial statements that are involved in initiating, recording, processing, and reporting transactions. - How the information system captures other events and conditions that are significant to the financial statements. - The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures. The auditor must learn about each business process that affects significant account balances in the financial statements. This includes understanding how transactions are initiated and authorized, how documents and records are generated, and how the documents and records flow to the general ledger and financial statements. Understanding the information system also requires knowing how IT is involved in data processing.

Reliance Strategy

A reliance strategy means that the auditor intends to rely on the entity's controls. If a reliance strategy is followed, the auditor may need a more detailed understanding of internal control to develop a preliminary or "planned" assessment of control risk. The auditor will then plan and perform tests of controls. The auditor uses the test results to assess the achieved" level of control risk. If the test results indicate that achieved control risk is higher than planned, the auditor will normally increase the planned substantive procedures and document the revised control risk assessment. If tests of controls support the planned level of control risk, no revisions of the planned substantive procedures are required. The level of control risk is documented, and substantive procedures are then performed.

Symbols

A standard set of symbols is used to represent documents and processes. Figure 6-6 presents examples of the more commonly used symbols, although slight variations exist in practice. Note that the symbols are divided into three groups: input/output symbols, processing symbols, and data flow and storage symbols.

Performance Reviews

A strong accounting system should have controls that independently check the performance of the individuals or processes in the system. For example, senior management should review actual performance versus budgets, forecasts, prior periods, and competitors. Similarly, managers running functions or activities should periodically check the quality of subordinates' work and review performance reports for units and personnel under their supervision. A manager might periodically review or reperform a subordinate's account reconciliation. Lastly, personnel with management or oversight responsibility should review and analyze relationships among both financial and nonfinancial data (e.g. key performance indicators), investigate any unusual items, and take corrective actions when necessary. The use of data analytics by management can be useful for these purposes.

Substantive Strategy

A substantive audit strategy means that the auditor has decided not to rely on the entity's controls and instead use substantive procedures as the main source of evidence about the assertions in the financial statements. However, as Figure 6-2 shows, a substantive strategy still requires the auditor to have a sufficient understanding of the entity's internal controls to know whether they are properly designed and implemented. This knowledge includes an understanding of the five components of internal control (discussed previously). The auditor may decide to follow a substantive strategy for some or all assertions because of one or all of the following factors: - The implemented controls do not pertain to the assertion the auditor is considering. - The implemented controls are assessed as ineffective. - Testing the operating effectiveness of the controls would be inefficient.

Organization and Flow

A well-designed flowchart typically starts in the upper left part of the page and proceeds to the lower right part of the page. When it is necessary to show the movement of a document or report back to a previous function, an on-page connector should be used so that lines and arrows do not cross. When the flowchart continues to a subsequent page, the movement of documents or reports can be handled by using an off-page connector. Flow arrows show the movement of documents, records, or information. When processes or activities cannot be fully represented by flowchart symbols, the auditor should supplement the flowchart with written comments. This can be accomplished by using the annotation symbol or just writing the comment directly on the flowchart. A flowchart is typically designed along the lines of the entity's departments or functions. It is thus important to indicate the delineation of activities between the departments or functions.

Definition of Internal Control

According to COSO's Internal Control-Integrated Framework, a system of internal control is designed and carried out by an entity's board of directors, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives in the following categories: (1) reliability, timeliness, and transparency of internal and external financial and nonfinancial reporting: (2) effectiveness and efficiency of operations, including safeguarding of assets; and (3) compliance with applicable laws and regulations. According to COSO, the purpose of its Framework is to help management better achieve the organization's objectives and provide boards of directors an added ability to oversee internal control. An effective system of internal control allows management to focus on operations and financial performance goals while maintaining compliance with relevant laws and minimizing surprises

Concluding on the Achieved Level of Control Risk

After the planned tests of controls have been completed, the auditor should reach a conclusion on the achieved level of control risk. The auditor uses the combination of the achieved level of control risk and the assessed level of inherent risk to determine the level of detection risk that is needed in order to bring audit risk to an acceptably low level. In turn, the level of detection risk is used to determine the nature, timing, and extent of substantive tests

Communication of Internal Control-Related Matters

Although a financial statement audit for private companies does not include an audit of the entity's system of internal control, the auditor may discover deficiencies in the entity's internal controls during the audit. A control deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance. Significant deficiencies and material weaknesses may be identified as part of the auditor's consideration of the five components of internal control or through a root cause analysis of accounting misstatements discovered by the auditor's substantive procedures. Table 6-7 presents examples of circumstances that might indicate a control deficiency, significant deficiency, or material weakness

Interim Tests of Controls

An auditor might test controls at an interim date because the assertion being tested may not be significant, the control has been effective in prior audits, or it may be more efficient to conduct the tests at that time. A reason why it may be more efficient to conduct interim tests of controls is that staff accountants may be less busy than at yearend. Additionally, if the controls are found not to be operating effectively, testing them at an interim date gives the auditor more time to reassess the control risk and modify the audit plan. It also gives the auditor time to inform management so that likely misstatements can be located and corrected before the rest of the audit is performed, and so that deficiencies in the controls can be identified and remediated before year-end. An important question the auditor must address is the need for additional audit work in the period following the interim testing period.

Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

An entity's organizational structure defines how authority and responsibility are delegated and monitored. It provides the framework within which the entity's activities for achieving entity-wide objectives are planned, executed, controlled, and reviewed. The appropriateness of an entity's organizational structure depends on its size and the nature of its activities, as well as such external influences as regulation. This control environment principle includes assignment of authority and responsibility for operating activities and establishment of reporting relationships and authorization hierarchies, as well as setting of policies regarding acceptable business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. It also includes policies and communications directed at ensuring that all personnel understand the entity's objectives, know how their individual actions interrelate with and contribute to those objectives, and recognize how and for what they will be held accountable. An entity can use a number of controls to meet the requirements of this control environment principle. For example, the entity can have a well-specified organizational chart that indicates lines of authority and responsibility. Further, management and supervisory personnel should have job descriptions that include their control-related responsibilities.

The Entity's Risk Assessment Process

An entity's risk assessment process identifies and responds to business risks in relation to achieving business objectives. Thus, a precondition to risk assessment is the establishment of objectives. The aspect of an entity's risk assessment process that is most directly relevant to auditors is how management identifies risks relevant to the preparation of financial statements, and then estimates their significance, assesses the likelihood of their occurrence, and decides on how to manage them. For example, the entity's risk assessment process may address risks involved in significant estimates recorded in the financial statements. The risk assessment process, as it relates to the external financial reporting objective, should consider external and internal events and circumstances that may arise and adversely affect the entity's ability to initiate, authorize, record, process, and report financial data consistent with management's financial statement assertions. Once risks have been identified. management should consider their significance, the likelihood of their occurrence, and how they should be managed. In some instances, management may decide to accept the consequences of a possible risk because the costs to remediate may exceed the benefit.

Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

An entity's risk assessment process should consider the possibility of events that threaten the achievement of objectives This process is supported by a variety of activities, techniques, and mechanisms. As part of its system of internal control, management develops and implements controls relating to the conduct of risk identification activities. Management considers risks at all levels of the entity and takes the necessary actions to respond. An entity's risk assessment considers factors that influence the severity, velocity, and persistence of the risk: likelihood of the loss of assets; and related impacts on operations, reporting, and compliance activities. The entity also needs to establish its tolerance for accepting risks and its ability to operate within those risk levels.

Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

An information system consists of infrastructure (physical and hardware components), software, people, procedures (manual and automated), and data. The information system relevant to the financial reporting objective includes the accounting system and consists of the procedures (automated or manual) and records established to initiate, authorize, record, process, and report an entity's transactions and to maintain accountability for the related assets and liabilities. An effective accounting system gives appropriate consideration to establishing methods and records that will: - Identify and record all valid transactions. - Describe on a timely basis the transactions in sufficient detail to permit proper classification for financial reporting. - Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements. - Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period. - Properly present the transactions and related disclosures in the financial statements.

Application Controls

Application controls apply to the processing of individual accounting applications, such as sales or payroll, and help ensure the completeness and accuracy of transaction processing, authorization, and validity. Although application controls are typically discussed under the categories of input, processing, and output controls, changes in technology have blurred the distinctions among input, processing, and output. For example, many of the data validation checks that were once performed as part of production programs are now accomplished with sophisticated editing routines and intelligent data-entry equipment. As a result, application controls are discussed under the following categories: - Data capture controls. - Data validation controls. - Processing controls. - Output controls. - Error controls.

Understanding Control Activities

As the auditor learns about the other components of internal control, he or she is also likely to obtain information about control activities. For example, in examining the information system that pertains to accounts receivable, the auditor is likely to see how the entity grants credit to customers. The extent of the auditor's understanding of control activities is a function of the audit strategy adopted. When the auditor decides to follow a substantive strategy, little work is done on understanding specific control activities. When a reliance strategy is followed, the auditor has to understand the control activities that relate to assertions for which a lower level of control risk is expected. Auditors normally use walkthroughs to develop an understanding of control activities

Assessing Control Risk

Assessing control risk is the process of evaluating the effectiveness of an entity's internal control in preventing, or detecting and correcting, material misstatements in the financial statements. As discussed earlier, the auditor can set control risk at high (a substantive strategy) or at a lower level (a reliance strategy). As shown in Figure 6-2, when the auditor sets control risk at high, he or she documents that control risk assessment and performs substantive procedures. The discussion in this section focuses on the situation where the auditor plans to follow a reliance strategy. To set control risk below high (e.g., at moderate or low), the auditor must: - Identify specific controls that will be relied upon. - Perform tests of the identified controls. - Conclude on the achieved level of control risk given results of testing.

Documenting the Understanding of Internal Control

Auditing standards require that the auditor document his or her understanding of the entity's internal control components. A number of tools are available to the auditor for documenting the understanding of internal control. These include: - The entity's procedures manuals and organizational charts. - Internal control questionnaires. - Flowcharts. - Narrative description.

Interim Substantive Procedures

Conducting substantive procedures only at an interim date may increase the risk that material misstatements are present in the financial statements. The auditor can control for this potential problem by considering when it is appropriate to examine an account at an interim date and by performing selected audit procedures for the period between the interim date and year-end. The auditor should consider the following factors when deciding whether substantive procedures are to be performed at an interim date: - The control environment and other relevant controls. - The availability of information at a later date that is necessary for the auditor's procedures (eg., information stored electronically for a limited period of time). - The purpose of the substantive procedure. - The assessed risk of material misstatement. - The nature of the class of transactions or account balance and relevant assertions. - The ability of the auditor to perform appropriate substantive procedures or substantive procedures combined with tests of controls to cover the remaining period in order to reduce the risk that a misstatement that may exist at the period-end will not be detected. For example, if the entity's accounting system has control weaknesses that result in a high level of assessed control risk, it is unlikely that the auditor would conduct substantive procedures at an interim date. In this instance, the auditor has little assurance that the accounting system will generate accurate information during the remaining period.

Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Control activities help ensure that risk responses that are intended to address and mitigate risks are carried out. Management considers how the environment, complexity, nature, and scope of its operations, as well as the specific characteristics of its organization, affect the selection and development of control activities. Based on its risk assessment, management determines which relevant business processes require control activities. Control activities may include a mix of manual and automated controls, as well as a mix of preventive and detective controls. Management considers control activities at various levels in the entity and segregates incompatible duties. Where such segregation is not practical, alternative control activities are implemented to compensate to the extent possible. Control activities are commonly categorized into the allowing four types: - Performance reviews (sometimes called "independent checks" or "management review controls"). - Physical controls. - Segregation of duties. - Information processing controls, including authorization and document-based controls.

Data Capture Controls

Data capture controls must ensure that (1) all transactions are recorded in the application system; (2) transactions are recorded only once; and (3) rejected transactions are identified, controlled, corrected, and reentered into the system. Thus, data capture controls are concerned primarily with occurrence, completeness, and accuracy assertions. For example, checking

Data Center and Network Operations Controls

Data center and network operations controls include controls over computer and network operations, data preparation, work flow control, and library functions. Important controls over computer and network operations should prevent unauthorized access to the network programs, files, and systems documentation by computer operators. In IT systems, traditional controls such as rotation of operator duties and mandatory vacations should be implemented. The operating systems log, which documents all program and operator activities, should be regularly reviewed to ensure that operators have not performed any unauthorized activities. Entities should also regularly update anti-virus software throughout the system. Controls over data preparation include proper entry of data into an application system and proper oversight of error correction. Controls over work flow include scheduling of application programs, proper setup for programs, and use of the correct data files. The library function needs controls to ensure that (1) the correct files are provided for specific applications, (2) files are properly maintained, and (3) backup and recovery procedures exist

Flowcharts

Flowcharts provide a diagrammatic representation, or "picture," of the entity's accounting system. The flowchart outlines the configuration of the system in terms of functions, documents, processes, and reports. This documentation facilitates an auditor's analysis of the system's strengths and weaknesses. Figure 6-3 presents a simple example of a flowchart for the order entry portion of a revenue process. Flowcharts are also used to document the auditor's understanding of an entity's internal control over financial reporting. Subsequent chapters go into more depth on the processes, controls, and documentation of business processes, such as the revenue process, the acquisition and payment process, and so on. Module 2 to this chapter provides detailed coverage of flowcharting techniques. Flowcharts are used extensively in this book to represent accounting systems.

General Controls

General controls are sometimes referred to as supervisory, management, or information technology controls. Application controls apply to the processing of specific computer applications and are part of the computer programs used in the accounting system (for example. revenues or purchasing).

Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.

General controls relate to the overall information processing environment and include controls over data center and network operations; system software acquisition, change, and maintenance; access security, and application system acquisition, development, and maintenance. For example, an entity's controls for developing new programs for existing accounting systems should include adequate documentation and testing before implementation. In addition, development of new systems and changes to existing ones are controlled, as is access to data, files, and programs. Application controls apply to the processing of individual applications and help ensure the occurrence (validity). completeness, and accuracy of transaction processing. Data entered are subject to online edit checks or matching to approved control files. For example, a customer's order is accepted only after reference to an approved customer file and credit limit. General and application controls are covered in more detail in Advanced Module I at the end of this chapter. Control activities involve policies and procedures that help mitigate risks that endanger the achievement of objectives. This concept is articulated in the third principle underlying the Control Activities component of the COSO cube:

Obtain an Understanding of Internal Control

In deciding on the nature and extent of the understanding of internal control needed for the audit, the auditor should consider the complexity and sophistication of the entity's operations and systems, including the extent to which the entity relies on manual controls or on automated controls. The auditor may determine that the engagement team needs an IT specialist. In determining whether an IT specialist is needed, the following factors should be considered: - The complexity of the entity's IT systems and controls and the manner in which they are used in conducting the entity's business. - The significance of changes made to existing systems, or the implementation of new systems. - The extent to which data are shared among systems. - The extent of the entity's participation in electronic commerce. - The entity's use of emerging technologies. - The significance of audit evidence that is available only in electronic form. The IT specialist can be used to assist the engagement team in a number of ways. For example, the IT specialist can inquire of the entity's IT personnel about how data and transactions are initiated, authorized, recorded, processed, and reported, and how IT controls are designed; inspect the system's documentation; observe the operation of IT controls: and plan and perform tests of IT controls. Given the increasing use of electronic records and data analytics, it is increasingly important for the auditor to have sufficient IT-related knowledge to communicate the assertions to the IT specialist, to evaluate whether the specified procedures meet the auditor's objectives, and to evaluate the results of the audit procedures completed by the IT specialist. To properly understand an entity's internal control over financial reporting, an auditor must understand how the entity has designed and implemented the principles within each of the five components of internal control. The auditor may use the following audit procedures to obtain an understanding of an entity's internal control: - Inquiry of appropriate management, supervisory, and staff personnel. - Inspection of entity documents and reports. - Observation of entity activities and operations. - Tracing transactions through the information system

Management Override of Internal Control

In some cases, an entity's controls may be overridden by management. For example, a senior-level manager can require a lower-level employee to record entries in the accounting records that are not consistent with the substance of the transactions and that violate the entity's controls. The lower-level employee may record the transaction, even though it violates the entity's control policies, out of fear of losing his or her job. In another example, management may enter into concealed side agreements with customers that alter the terms and conditions of the entity's standard sales contract in ways that should preclude revenue recognition.

Components of Internal Control

Internal control as defined by the COSO Framework consists of five components: - Control Environment - Entity's Risk Assessment Process. - Control Activities - Information and Communication. - Monitoring Activities. Table 6-2 defines each of the components, while Figure 6-1 shows how the categories of objectives of internal control, including safeguarding of assets, relate to the five components. A direct relationship exists between objectives which reflect what an entity is striving to achieve), components (which represent what the entity needs to do in order to achieve the objectives), and the structure of the entity (the operating units, legal entities, and other). The relationship can be depicted in the form of a cube, as illustrated in Figure 6-1. As mentioned previously, the auditor is mainly concerned with how the five components, evaluated individually and in terms of how they operate together, affect the External financial reporting objective.

Internal Control

Internal control plays an important role in how management meets its stewardship or agency responsibilities. Management has the responsibility to design and maintain a system of internal control that provides reasonable assurance that assets and records are properly safeguarded, and that the entity's information system generates information that is reliable for decision making. If the information system does not generate reliable information, management may be unable to make informed decisions about issues such as product pricing, cost of production, and profit information, and external reports may not be useful to investors and other stakeholders

Internal Control Questionnaires

Internal control questionnaires are one of many types of questionnaires used by auditors. Questionnaires provide a systematic means for the auditor to investigate various areas such as internal control. An internal control questionnaire is generally used for entities with a relatively complex internal control structure. It contains questions about the important factors or characteristics of the five internal control components. Such questionnaires are often embedded as templates within a firm's audit software. Exhibit 6-1 provides an example of the use of such questionnaires. The auditor's responses to the questions included in the internal control questionnaire provide the documentation for his or her understanding

Segregation of Duties

It is important for an entity to segregate the custody of assets, authorization of transactions, and recording of transactions. (Tip: To help you remember the important aspects of segregation of duties, use the acronym CAR-C for Custody, A for Authorization, and R for Recording). Performance of each of these functions by different people reduces the opportunity for any one person to be in a position to perpetrate and conceal errors or fraud in the normal course of his or her duties, and at the same time benefit by obtaining an asset. For example, if an employee receives cash payments on account from customers and has access to the accounts receivable subsidiary ledger, it is possible for that employee to misappropriate the cash and cover the shortage in the accounting records. Stop and Think: Why is it important that different individuals perform the duties of custody, authorization, and recording? What could happen, for example, if an individual were responsible for authorizing sales returns and for recording the receipt of the returned inventory? Such a situation would clearly violate segregation of duties principles. An employee with both duties could, for example, issue a sales return memorandum to a friend or relative and then write off the receivable balance and record receipt of the inventory, even if the inventory were never returned.

Principle 5: The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Management and the board of directors are responsible for establishing mechanisms to communicate and hold individuals accountable for performance of internal control responsibilities across the organization and for implementing corrective action as necessary. Management and the board of directors also establish performance measures, incentives, and rewards appropriate for responsibilities at all levels of the entity, reflecting reasonable expectations for performance and standards of conduct in light of both short-term and longer-term objectives. It is also important that incentives and rewards be aligned with the fulfillment of internal control responsibilities. Finally, management and the board of directors should evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and provide rewards or exercise disciplinary action as appropriate.

Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Objectives specific to external financial reporting include the preparation of financial statements for external purposes. In the area of external financial reporting, management must ensure that specified objectives include reporting that is consistent with generally accepted accounting principles that are appropriate in the circumstances. Management establishes external financial reporting objectives in light of materiality considerations. Finally, external financial reporting objectives include faithful reflection of underlying transactions and events, including important qualitative characteristics. Fundamental qualitative characteristics include (a) relevance-information that is capable of making a difference in user decisions-and (b) faithful representation-information that is complete, neutral, and free from error. Other important qualitative characteristics include comparability, verifiability, timeliness, and understandability

Output Controls

Output includes reports, checks, documents, and other printed or displayed information. Controls over output from computer systems are important application controls. The main concern here is that computer output may be distributed or displayed to unauthorized users. A number of controls should be present to minimize the unauthorized use of output. A report distribution log should contain a schedule of when reports are prepared, the names of individuals who are to receive the report, and the date of physical or electronic distribution. Some type of transmittal sheet indicating the intended recipients' names and addresses should be attached to each copy of the output. A release form may be part of the transmittal sheet and should be signed by the individual acknowledging receipt of the report. The data control group should be responsible for reviewing the output for reasonableness and reconciling the control or batch totals to the output. The user departments should also review the output for completeness and accuracy because they may be the only ones with sufficient knowledge to recognize certain types of errors. From the auditor's perspective, a flowchart 1S a diagrammatic representation of the entity's accounting system. The information systems literature typically discusses three types of flowcharts: document flowcharts, systems flowcharts, and program flowcharts. A document flowchart represents the flow of documents among departments in the entity. A systems flowchart extends this approach by including the processing steps. including computer processing, in the flowchart. A program flowchart illustrates the operations performed by the computer in executing a program. Flowcharts that are typically used by public accounting firms combine document and systems flowcharting techniques. Such flowcharts show the path from the origination of the transactions to their recording in the accounting journals and ledgers. While there are some general guidelines on preparing flowcharts for documenting accounting systems, the reader should understand that public accounting firms often modify these techniques and symbols to correspond with their firm's audit approaches and technologies.

Performing Tests of Controls

Tests of controls are performed in order to provide evidence to support the lower level of control risk when using a reliance strategy. Tests of controls directed toward the effectiveness of the design of a control are concerned with evaluating whether that control is suitably designed to prevent, or detect and correct, material misstatements. Tests of controls directed toward operating effectiveness are concerned with assessing how the control was applied, the consistency with which it was applied during the audit period, and by whom it was applied. Procedures that are used for tests of controls are listed below with examples of how the auditor might apply each. These four categories represent the four types of tests of controls that auditors choose from in designing a program for testing controls-you would be wise to commit them to memory

Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.

The assessment of fraud risk considers the possibility of fraudulent reporting, loss of assets, and corruption resulting from various types of fraud and misconduct. The assessment of fraud risk includes consideration of incentives and pressures; opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity's reporting records, or other inappropriate acts; and how management and other personnel might rationalize or justify inappropriate actions

Understanding the Control Environment

The auditor should gain sufficient knowledge about the control environment to understand management's and the board of directors' attitudes, awareness, and actions concerning the control environment.

Understanding the Entity's Risk Assessment Process

The auditor should obtain sufficient information about the entity's risk assessment process to understand how management considers risks relevant to financial reporting objectives and decides on appropriate actions to address those risks. For example, suppose an entity operates in the oil industry, where there is always some risk of environmental damage. The auditor should obtain sufficient knowledge about how the entity manages its environmental risks, because environmental accidents can result in costly litigation against the entity, as illustrated by the British Petroleum spill in the Gulf of Mexico in 2010

ldentifying Specific Controls That Will Be Relied Upon

The auditor's understanding of internal control is used to identify the controls that are likely to prevent, or detect and correct, material misstatement in specific assertions. Some of the controls the auditor will rely on can have a pervasive effect on many assertions. For example, the conclusion that an entity's control environment is highly effective may influence the auditor's decision about the number of an entity's locations at which auditing procedures are to be performed. Alternatively, some controls only affect an individual assertion contained in a single financial statement account. For example, a credit check might be performed on a customer's order. Such a control is specifically related to the valuation assertion for the accounts receivable balance

Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

The board of directors and the audit committee significantly influence the control consciousness of the entity. The board of directors and the audit committee must take their fiduciary responsibilities seriously and actively oversee the entity's accounting and reporting policies and procedures. Factors that can impact the effectiveness of the board or audit committee include the following: - Experience and stature of members and independence from management. - Extent of involvement with and scrutiny of the entity's activities. - Information availability and willingness/ability to act on information. - Extent to which difficult questions are raised and pursued with management. - Nature and extent of interactions with internal and external auditors.

Controls Relevant to the Audit

The controls that are of most direct relevance to a financial statement audit are those that contribute to the reliability, timeliness, and transparency of external financial reporting. These controls are relevant to an audit because they help to prevent, or detect and correct, material misstatements in the entity's financial statements. In addition, larger public companies are required to engage an external auditor to express an opinion as to the effectiveness of their systems of internal control over financial reporting. Controls relating to operations, compliance, and other types of reporting may be relevant when they have an impact on data the auditor uses to apply audit procedures. For example, the internal controls that relate to operating data may be important because such data may be utilized by the auditor for performing analytical procedures or data analytics. However, many controls that relate to management's planning or operating decisions may not be relevant to the auditor.

Principle 1: The organization demonstrates a commitment to integrity and ethical values.

The effectiveness of an entity's internal controls is heavily influenced by the integrity and ethical values of management personnel, who are responsible to create, administer, and monitor the entity's system of controls. Management's philosophy and operating style can significantly affect the quality of internal control through the establishment of an appropriate "tone at the top. A well-controlled entity establishes and evaluates adherence to ethical and behavioral standards that are communicated to employees and reinforced by day-to-day practice. For example, management should remove incentives and opportunities that might lead personnel to engage in dishonest, illegal. or unethical acts. Examples of such incentives are pressures to meet unrealistic performance targets and performance-dependent rewards. Examples of opportunities include an ineffective board of directors, a weak internal audit function, and lack of control activities that might detect improper behavior. Management can best communicate integrity and ethical behavior within an entity by example and through the use of policy statements, codes of conduct, and training. Management must promptly address deviations from standards of conduct. Characteristics that may signal important information to the auditor about management's integrity and ethical values include management's approach to taking and monitoring business risks and management's attitudes and actions toward financial reporting-for example, whether management tends to be conservative or aggressive when selecting from alternative accounting principles

Collusion

The effectiveness of segregation of duties lies in individuals' performing only their assigned tasks or in the performance of one person being checked by another. There is always a risk that collusion between individuals will destroy the effectiveness of segregation of duties. Collusion is cited many times as a source of fraud within companies. For example, an individual who receives cash receipts from customers can collude with the one who records those receipts in the customers' records to steal cash from the entity.

The Effect of Information Technology on Internal Control

The extent of an entity's use of information technology (IT) can affect internal control because IT affects the way transactions are initiated, authorized, recorded, processed, and reported. Controls in most information systems consist of a combination of sometimes interdependent automated and manual controls. Manual controls often use information produced by IT, and they are often used to monitor the functioning of, and errors and exceptions identified by, automated controls. An entity's mix of manual and automated controls varies with the nature and complexity of the entity's use of IT.

Human Errors or Mistakes

The internal control system is only as effective as the personnel who implement and perform the controls. Breakdowns in internal control can occur because of human failures such as simple errors or mistakes. For example, errors may occur in designing, maintaining, or monitoring automated controls. If IT personnel do not completely understand how a revenue system should process sales transactions. they may make software programming errors in modifying or updating the system.

Substative Procedures

The last step in the decision process under either strategy is performing substantive procedures. Note that auditing standards require some substantive testing for all significant account balances or classes of transactions. As discussed in Chapter 5, substantive procedures include substantive analytical procedures and tests of details. Table 6-6 presents two examples of how the nature, timing, and extent of substantive procedures may vary for two different entities as a function of the detection risk level for the inventory account, which is part of the purchasing process. Assume that audit risk is set low for both entities but that entity 1 has a high level of risk of material misstatement (inherent risk and control risk), while entity 2 has a low level of risk of material misstatement. The use of the audit risk model results in setting detection risk at low for entity I and high for entity 2. For entity 1, to achieve a low detection risk the auditor must (1) obtain more reliable types of substantive evidence, such as confirmation and reperformance; (2) conduct most of the substantive audit work at year-end (as such tests are usually considered to be stronger than tests done at an interim date); and (3) make the tests more extensive (larger sample size). This is because the auditor must fill the assurance bucket almost entirely with substantive evidence. In contrast, entity 2 has a high detection risk, which means that (1) less reliable types of evidence, such as analytical procedures, can be obtained: (2) most of the audit work can be conducted at an interim date; and (3) tests of the inventory account would involve a smaller sample size. Another major difference between the two strategies involves the physical examination of the inventory on hand. For the low-detection-risk strategy, physical inventory would be examined at year-end because the control risk was assessed to be high. For the high-detection-risk strategy, the auditor can examine the physical inventory at an interim date because the control risk assessment indicates little risk of material misstatement.

Monitoring of Controls

The monitoring component has received increased attention in recent years. Monitoring of controls is intended to assess the quality of internal control performance over time. To provide reasonable assurance that an entity's objectives will be achieved, management should monitor controls to determine whether they are operating effectively. Since risks change over time, management should monitor whether controls need to be redesigned when risks change

Planning an audit strategy

The next step for the auditor is to decide whether or not to rely on the entity's controls for assurance about management's financial statement assertions. When the auditor's risk assessment procedures indicate that the controls are not properly designed or not implemented, the auditor will not rely on the controls. In this instance, the auditor will set control risk at the maximum and use substantive procedures to reduce the risk of material misstatement to an acceptably low level (i.e., the assurance bucket is filled almost entirely with substantive evidence). When the auditor's risk assessment procedures suggest that the controls are properly designed and implemented, the auditor will likely rely on the controls. If the auditor intends to rely on the controls, tests of controls are required to be performed to obtain audit evidence that the controls are operating effectively. The auditor will make an assessment of control risk based on the results of the tests of controls.

Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

The quality of internal control is directly related to the quality of the personnel operating the system. The entity should have sound personnel policies for hiring, orienting, training, evaluating, counseling, promoting, compensating, planning for succession, and taking remedial action. For example, an entity can demonstrate its commitment to hiring competent and trustworthy people by establishing standards that emphasize seeking the most qualified individuals. with emphasis on educational background, prior work experience, and evidence of integrity and ethical behavior. Competence relates to the knowledge and skills necessary to accomplish the tasks that define an individual's job. Management should specify the competence level for a particular job and translate it into a job description that details the specific knowledge and skills required. Research has shown personnel-related issues to be a major cause of accounting error

Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.

The risk identification process includes consideration of possible changes in the internal or external environment because changes can introduce or change the risks to the entity's objectives. Thus, the entity considers the impact of changes to the regulatory, economic, and physical environment in which the entity operates, as well as new or dramatically altered business lines, rapid growth, changing reliance on foreign geographies, and new technologies. The organization also considers changes in management and resulting changes in attitudes and philosophies with respect to the system of internal control.

The Effect of Entity Size on Internal Control

The size of an entity may affect how the various components of internal control are implemented. While large entities may be able to implement the components in the fashion just described, small to midsize entities sometimes use alternative approaches and still achieve effective internal control. For example, a large entity may have a written code of conduct, while a small or midsize entity may not. However, a small entity may achieve a similar objective by developing a culture that emphasizes integrity and ethical behavior through oral communication and the example of the owner manager

Information Processing Controls

The two broad categories of information systems controls are general controls and application controls.

Processing Controls

These are controls that ensure proper processing of transactions. In some information systems, many of the controls discussed under data validation may be performed as part of data processing. General controls play an important role in providing assurance about the quality of processing controls. If the entity has strong general controls (such as application systems acquisition, development, and maintenance controls; Library controls; personnel practices; and separation of duties), it is likely that programs will be properly written and tested, correct files will be used for processing, and unauthorized access to the system will be limited

Data Validation Controls

These controls can be applied at various stages, depending on the entity's IT capabilities, and are mainly concerned with the accuracy assertion. When source documents are batch-processed, the data are taken from source documents and transcribed to data storage. The data are then validated by an edit program or by routines that are part of the production programs. When the data are entered directly into offline storage through an intelligent terminal or directly into a validation program with subsequent (delayed or real time) processing into the application system, each individual transaction should be subjected to a number of programmed edit checks. Table 6-8 lists common validation tests. For example, a payroll application program may have a limit test that subjects any employee payroll transaction involving more than 80 hours worked to review before processing. Some entities use turnaround documents to improve data accuracy. Turnaround documents are output documents from the application that are used as source documents in later processing. For example, a monthly statement sent to a customer may contain two parts; one part of the monthly statement is kept by the customer, while the other part is returned with the payment. The latter part of the statement contains encoded information that can be processed using various input devices. By using a turnaround document, the entity does not have to reenter the data, thus avoiding data capture and data validation errors.

Access and Security Controls

These general controls are concerned with (1) physical protection of computer equipment, software, and data and (2) loss of assets and information through theft or unauthorized use. Security controls include locating the computer facilities in a separate building or in a secure part of a building. They also include limiting access to the computer facilities through the use of locked doors with authorized personnel being admitted through use of a conventional key an authorization card, or physical recognition. Security must also be maintained within the computer facility. For example, programmers must not be allowed access to the computer room; this restriction will prevent them from making unauthorized modifications to systems and application programs.

Auditing Accounting Applications Processed by Service Organizations

When a service organization provides accounting services to an entity, those services are considered part of the entity's information system and relevant to financial reporting if these services affect the entity's accounting records. The significance of the controls of the service organization to those of the entity depends primarily on the nature and materiality of the transactions it processes for the entity and the degree of interaction between its activities and those of the entity. For example, if the entity initiates transactions and the service organization executes and does the accounting processing of those transactions, there is a high degree of interaction. Because the entity's transactions are subjected to the controls of the service organization, one of the auditor's concerns is the internal control system in place at the service organization. Thus, the auditor's understanding of the entity's internal control components may include controls placed in operation by the entity and the service organization. After obtaining an understanding of internal control, the auditor identifies controls that are applied by the entity or the service organization that might allow an assessment of reduced control risk. The auditor may obtain evidence to support the lower assessment of control risk by testing the entity's controls over the activities performed by the service organization or by testing controls at the service organization.