Principles of Audit Chapter 12
To obtain and document understanding of internal control auditors use the following techniques:
-Narrative -Flowcharts -Internal Control Questionnaire
The four steps in understanding controls
-Obtain and document understanding of internal control -Assess control risk -Design, perform, and evaluate tests of controls -Decide planned detection risk and substantive tests
The extent of tests of controls is also dependent on the following:
-Reliance on evidence from the prior year's audit -Testing of controls related to significant risks -Testing less than the entire audit period
Auditors use the following methods to evaluate implementation:
-Update and evaluate auditor's previous experience with the entity -Make inquiries of client personnel -Examine documents and records -Observe entity activities and operations -Perform walkthroughs of the accounting system
Auditing Standards define three levels of absence of internal controls:
1. Control Deficiency 2. Significant Deficiency 3. Material Weakness
Identifying Deficiencies, Significant Deficiencies, and Material Weakness involves the following process:
1. Identifying existing controls 2. Identifying the absence of key controls 3. Consider the possibility of compensating controls 4. Decide whether there is a significant deficiency or material weakness
There is a significant overlap between tests of controls and procedures to obtain an understanding. However, there are two primary differences:
1. In obtaining an understanding of internal control, the procedures are applied to all controls identified during that phase. Tests of controls are applied only when the assessed control risk has not been satisfied 2. Procedures to obtain an understanding are performed on only one or few transactions. Tests of controls are performed on larger samples and often at more than one time
Procedures for Tests of Controls
1. Make inquiries of appropriate client personnel 2. Examine documents, records, and reports 3. Observe control-related activities 4. Re perform client procedures
A narrative is a written description of the client's internal controls including:
1. The origin of every document and record in the system 2. All processing that takes place 3. The disposition of every document and record in the system 4. An indication of the controls relevant to the assessment of control risk
Significant Deficiency
A deficiency that is less severe than a material weakness, but important enough to merit attention
Qualified or Disclaimer of Opinion
A scope limitation exists
Identify and Evaluate Control Deficiencies, Significant Deficiencies, and Material Weaknesses
Auditors must evaluate whether key controls are absent in the design of internal control over financial reporting
Flowchart
Diagram of the client's documents flow in the organization
Material Weakness
Exists if a significant deficiency, or combination of significant deficiencies, result in a reasonable possibility that internal control will not prevent or detect material financial statement misstatement
Evaluating Internal Control Implementation
In addition to understanding the design of the internal controls, the auditor must also evaluate whether the designed controls are implemented
Reliance on Service Center Auditors
It has become increasingly common for service centers to engage their own CPA firm to obtain the understanding necessary for an audit and issue a report to be used by the auditors of their customers
Section 404 Reporting Requirements
The auditor is required to issue an audit report on internal control over financial reporting for public companies
Determine Assessed Control Risk Supported by the Understanding Obtained
The auditor makes a preliminary assessment of control risk based on entity-level control risks as well as IT controls
Adverse Opinion
The auditor will express an adverse opinion on the effectiveness of internal control over financial reporting when one or more material weaknesses exist
Unqualified Opinion
The auditor will issue an unqualified opinion on internal control over financial reporting when there are no identified material weaknesses as of the end of the fiscal year and there have been no restrictions on the scope of the auditor's work
Control Deficiency
The design or implementation of internal controls does not permit company personnel to prevent or detect misstatement
Purpose of Tests of Controls
To rest the effectiveness of controls in support of a reduced control risk for the audit
Understanding Internal Controls on Outsources Systems
When clients use service centers for processing transactions, the auditor may need to obtain an understanding of the controls of the service center
Narrative
Written description of client's internal controls
Extent of procedures ________________
depends on preliminary assessed control risk
Management letters are __________ required by auditing standards,but auditors usually provide them when less significant internal control-related issues exist
not
If the auditor wants a lower control risk, more extensive tests of controls are applied, both in ________ and _______ of tests
number; extent