Audit: Internal Control
auditor's main concerns with IC
to identify the types of potential misstatements; ascertain factors that affect the risk of MMs, and design tests of controls and substantive procedures
why must an auditor obtain an understanding of IC
to plan the audit and to: - identify types of potential MM - pinpoint the factors that affect risk of MM - design tests of controls & substantive procedures
COSO framework
tool used for assessing effectiveness of IC
monitoring
updating of the system on a periodic basis
auditor perspective of IC
need assurance that data from acg system is reliable; understanding IC is a major factor in determining overall audit strategy
management perspective of IC
need reliable acg systems to make sound business decisions and to meet responsibilities of safeguarding assets
auditor's primary consideration regarding an entity's IC is:
affect the fin st assertions
tools that can document understanding of IC
- entity's procedures manuals & org charts - internal control questionnaires - flowcharts - narrative descriptions
assessing control risk below high involves:
- identifying specific controls to rely on - performing tests of controls - analyzing the achieved level of control risk after performing tests of controls
internal control provides reasonable assurance that:
- records are maintained - transactions are recorded - unauthorized acq, use, or disposition of the company's assets are promptly detected/prevented
factors that affect the control environment
1. integrity and ethical values 2. commitment to competence 3. participation of those charged with governance 4. mgmt's philosophy and operating style 5. org structure 6. assignment of auth & responsibilities 7. HR policies & practices
how to implement the monitoring component of COSO
as an ongoing process, as a separate evaluation, if it's conducted by internal audit staff it can reduce external audit costs
auditor responsible for IC
assess control risk to plan audit of fin st; express opinion on IC
substantive strategy
auditor has decided to NOT rely on entity's controls and instead uses substantive procedures as main source of evidence; control risk @ max
reliance strategy
auditor intends to rely on entity's controls; more detailed understanding/documentation of IC
an auditor may set control risk at high for some assertion if he
believes the internal controls are unlikely to be effective
5 components of internal control
control environment, entity's risk assessment, control activities, info and communication, monitoring activities
control environment
most important; integrity, ethical values, and competence of the entity's people; atmosphere in which controls are actually conducted
when control risk is high
don't rely on controls and increase substantive tests
info and communication
how the org manages the processes of control system; communicate to the right people
control activities
how the organization addresses what could go wrong; policies and procedures
mgmt's incentives for est/maintaining strong IC
it helps them to make informed business decisions
inherent limitations of IC
mgmt override, personnel errors, collusion
definition of internal control
process, effected by an entity's BoD, mgmt, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the reliability of fin reporting
risk assessment
recognition of what could go wrong
when control risk is low
rely on controls and reduce substantive tests
AS 5 (SOX 404)
requires an auditor to express an opinion on IC
second standard of fieldwork
requires that auditor assess control risk to plan the audit
management responsibility for IC
responsible for creating, evaluating, testing, maintaining, documenting, and reporting on IC
significant deficiencies represent
significant deficiencies in design or operation of IC
regardless of assessed level of control risk, an auditor would perform some:
substantive procedures to restrict detection risk for significant transaction classes