Chapter 6 - Internal Control in a Financial Statement Audit
What are management's incentives for establishing and maintaining strong internal control? What are the auditor's main concerns with internal control?
6-1 From management's perspective, internal control provides a way to meet its stewardship or agency responsibilities. Management also needs a control system that generates reliable information for decision-making purposes. The importance of internal control to the auditor is rooted in the second standard of fieldwork. The controls that are relevant to the entity's ability to initiate, record, process, and report financial data consistent with management's assertions are the auditor's main concern. The auditor needs assurances about the reliability of the data generated within the entity's internal control system in terms of how it affects the fairness of the financial statements and how well the assets and records of the entity are safeguarded. The auditor uses this understanding of internal control to identify the types of potential misstatements, ascertain factors that affect the risk of material misstatement, and design tests of controls and substantive procedures.
What are the requirements under auditing standards for documenting the assessed level of control risk?
6-11 The auditor should document the achieved level of control risk for the controls evaluated.
What factors should the auditor consider when substantive procedures are to be completed at an interim date? If the auditor conducts substantive procedures at an interim date, what audit procedures would normally be completed for the remaining period?
6-12 The auditor might consider conducting substantive tests at an interim date for a number of reasons. For example, the client may want the auditor to confirm accounts receivable before year-end because of demands on the client's staff at year-end. Alternatively, the auditor may wish to conduct substantive tests at an interim date to minimize staff overtime at year-end. The auditor should consider the following factors when substantive tests are to be completed at an interim date:
• The control environment and other relevant controls.
• The availability of information at a later date that is necessary for the auditor's procedures (e.g., information stored electronically for a limited period of time).
• The purpose of the substantive procedure.
• The assessed risk of material misstatement.
• The nature of the class of transactions or account balance and relevant assertions.
• The ability of the auditor to perform appropriate substantive procedures or substantive procedures combined with tests of controls to cover the remaining period in order to reduce the risk that misstatements that may exist at the period-end will not be detected.
When the auditor conducts substantive tests of an account at an interim date, additional substantive tests might include comparing the year-end account balance with the interim account balance, conducting some analytical procedures, and/or reviewing related journals and ledgers for large or unusual transactions during the remaining period.
What is the auditor's responsibility for communicating deficiencies in internal control?
6-13 For private companies, auditing standards require that the auditor report to those charged with governance (e.g., audit committee) any control deficiencies discovered by the auditor that are serious enough to be considered a significant deficiency or a material weakness.
What are the potential benefits and risks to an entity's internal control from information technology?
6-2 The potential benefits and risks to an entity's internal control from information technology include (see Table 6-1):
Benefits:
• Consistent application of predefined business rules and performance of complex calculations in processing large volumes of transactions or data.
• Enhancement of the timeliness, availability, and accuracy of information.
• Facilitation of additional analysis of information.
• Enhancement of the ability to monitor the performance of the entity's activities and its policies and procedures.
• Reduction in the risk that controls will be circumvented.
• Enhancement of the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.
Risks:
• Reliance on systems or programs that inaccurately process data, process inaccurate data, or both.
• Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.
• Unauthorized changes to data in master files.
• Unauthorized changes to systems or programs.
• Failure to make necessary changes to systems or programs.
• Inappropriate manual intervention.
• Potential loss of data.
What are the major differences between a substantive strategy and a reliance strategy when the auditor considers internal control in planning an audit?
6-5 A substantive audit strategy means that the auditor has made a decision not to rely on the entity's controls and to audit the related financial statement accounts directly. Control risk is set at the maximum when a substantive audit strategy is followed. With a reliance strategy, the auditor relies on the entity's controls and sets control risk below the maximum. A reliance strategy requires a more detailed understanding and documentation of internal control than does a substantive strategy. The auditor also plans and performs tests of controls to support the lower assessed level of control risk.
Why must the auditor obtain an understanding of internal control?
6-6 In addition to planning the audit of the financial statements, the auditor's understanding of the entity's internal control is used to (1) identify the types of potential misstatements, (2) pinpoint factors that affect the risk of material misstatement, and (3) design tests of controls and substantive procedures.
What is meant by the concept of reasonable assurance in terms of internal control? What are the inherent limitations of internal control?
6-7 The concept of reasonable assurance recognizes that the cost of an entity's internal control system should not exceed the benefits that are expected to be derived from the system. Thus, an internal control system will not detect every error that might occur because it would be too costly to design such a system. Management override of internal control, personnel errors or mistakes, and collusion are inherent limitations of internal control.
What are the factors that affect the control environment?
Factors that affect the control environment include (see Table 6-3):
• Communication and enforcement of integrity and ethical values.
• A commitment to competence.
• Participation of those charged with governance (i.e., board of directors or audit committee).
• Management's philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
Describe the five components of internal control.
Internal control is composed of five components:
1. Control Environment: The control environment sets the tone of the organization, influencing the control consciousness of its people. It is the foundation of all other components of internal control, providing discipline and structure.
2. The Entity's Risk Assessment Process: The process for identifying and responding to business risks and the results thereof. For financial reporting purposes, the entity's risk assessment process includes how management identifies risks relevant to the preparation of financial statements that are fairly presented in conformity with generally accepted accounting principles, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them.
3. The Information System and Related Business Processes Relevant to Financial Reporting and Communication: An information system consists of infrastructure (physical and hardware components), software, people, procedures (manual and automated), and data. The information system relevant to the financial reporting objective includes the accounting system and consists of the procedures (whether automated or manual) and records established to initiate, authorize, record, process, and report an entity's transactions and to maintain accountability for the related assets and liabilities. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
4. Control Activities: Control activities are the policies and procedures that help ensure that management directives are carried out, for example, that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities, whether automated or manual, have various objectives and are applied at various organizational and functional levels.
5. Monitoring of Controls: The monitoring of controls is a process used to assess the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions.