AudTheo, Ch8, Internal Control
Classify the entity's objectives
1. Efficiency and effectiveness of the entity's operations 2. Reliability of financial reporting 3. Compliance with applicable laws and regulations
Obtaining an understanding of internal control consists of:
1. Evaluating the design of the relevant controls - involves determining whether those controls, individually or in combination with other controls, are capable of preventing or detecting and correcting material misstatements 2. Determining if the controls are implemented - involves determining whether the control is placed in operation; implementation of a control means the control exists and is being used by the entity 3. Documenting the system's internal controls and identifying transaction cycles 4. Performing a "walk-through" test to determine whether controls are implemented 5. Identifying controls that are potentially reliable
In elements of control environment, explain "assignment of authority and responsibility"
1. How authority and responsibility are assigned 2. How communication relationships and authorization hierarchy are established
Explain, "Internal control is a process"
1. IC is a means to an end, and not the end itself 2. IC is integrated with another business process 3. IC is managed through basic management processes
Essential concepts of internal control
1. IC is a process 2. IC is effected by those charged with governance, management, and other personnel 3. IC is a means or tool used by the management in achieving the entity's objectives 4. IC is expected to provide reasonable assurance regarding the achievement of the entity's objectives
Elements of control environment
1. Communication and enforcement of integrity and ethical values 2. Commitment to competence 3. Participation of those charged with governance 4. Management philosophy and operating style 5. Organizational structure 6. Assignment of authority and responsibility 7. Human resources policies and procedures
Steps in preliminary assessment of control risks. To determine an assessed level of control risk, the auditor:
1. Considers the errors or frauds that could occur and that could cause misstatements in the financial statements 2. Identifies the relevant control activities that are designed to prevent or detect errors or frauds 3. Performs test of controls on the control activities that may prevent or detect errors or frauds
Components of internal control (CRIMC)
1. Control environment 2. Entity's risk assessment process 3. Information system (including relevant business processes related to financial reporting) and communication 4. Control activities 5. Monitoring of control
In the examples of control activities pertaining to information processing, explain the different types of information processing controls
1. Application Controls - controls which apply to the processing of individual applications 2. General-IT Controls - controls which are policies and procedures that relate to many applications, and support the effective functioning of application controls by helping to ensure the continued proper operation of IT systems
Examples of control activities relating to:
1. Authorization 2. Performance reviews 3. Information processing 4. Physical controls 5. Segregation of duties
In the entity's risk assessment process, there is a possibility that business risks may arise or change because of the following reasons:
1. Changes in operating environment 2. New personnel 3. New or revamped information systems 4. Rapid growth 5. New technology 6. New business models, products, or activities 7. Corporate restructuring 8. Expanded foreign operations 9. New accounting pronouncements N: notice that all of them refer to a change or something new
Information system, which includes accounting system, encompasses methods and records that:
1. Identify and record all valid transactions 2. Describe, on a timely basis, the transactions in sufficient detail 3. Measure the value of the transactions 4. Determine the time period in which transactions occurred 5. Present properly the transactions and related disclosures in the financial statements N: (1-4) relate to recording; (5) relates to presentation
What to consider in the control environment
1. If the management and those charged with governance were able to create and maintain a culture of honesty and ethical behavior 2. If the control environment strengths collectively provide an appropriate foundation to the other components of internal control, and if its weaknesses would not undermine the latter
Define information system
1. Information system includes infrastructure, software, people, process, and data 2. Makes extensive use of Information Technology
Procedures used in obtaining an understanding of the internal control
1. Inquiring of entity personnel 2. Observing the application of specific controls 3. Inspecting records and documents 4. Tracing transactions through the information system relevant to financial reporting (i.e., walkthrough)
Enumerate the test of control procedures
1. Inspection 2. Inquiry 3. Observation 4. Reperformance 5. Walk-through 6. Recalculation
Examples of inherent limitations of internal control
1. Management considers cost-effectiveness (cost-benefit consideration) 2. Only anticipates routine transactions and not non-routine or unusual ones 3. Human error 4. Circumvention of controls through collusion (inside and outside of the organization) 5. Abuse of responsibility by those exercising the control 6. Inadequate procedures due to changes in conditions; and deterioration in compliance
Classification of internal control according to method
1. Manual controls - performed by individuals outside the system 2. Automated or Application controls - performed by the computer; blocks or restricts application systems from executing in ways that put data at risk 3. IT-dependent manual controls - similar to manual but requires some level of system involvement
In the assessment of control risk, what are the ratings of the assessment?
1. Maximum or high level - the entity's accounting and internal control system are not effective; evaluating the effectiveness of the entity's accounting and internal control system would not be efficient 2. Below maximum or less than high - the auditor is able to identify internal controls relevant to the assertion which are likely to prevent or detect and correct misstatements, and plans to perform tests of control to support the assessment; the auditor's judgement is that substantive procedures alone do not provide sufficient appropriate audit evidence.
Documentation of auditor's understanding of internal control
1. Narrative memorandum - a written description of a particular phase or phases of an accounting system 2. Flowchart or Data Flow Diagram - consists of interrelated symbols that diagram the flow of transactions and events through a system. Flowcharts capture the complexity of the systems, allowing the auditors to focus sharply on key controls within the system. 3. Internal Control Questionnaire (ICQ) - consists of a series of questions designed to detect control deficiencies 4. Checklist
What is the sequence of the internal control consideration?
1. Obtain an understanding of the internal control 2. Preliminary assessment of control risk 3. Determine the overall response to assessed risks 4. Perform test of controls 5. Reassess control risk 6. Final assessment of control risk 7. Determine the nature, timing, and extent of substantive tests necessary to restrict detection risk to an acceptable level
Classification of internal control according to function
1. Preventive controls - before occurrence of fraud or error; most effective; prevents fraud or error from happening 2. Detective controls - after occurrence of fraud or error; note error and fraud 3. Corrective controls - after detecting fraud or error; remedy problems
In obtaining an understanding of the internal control, explain the steps in identifying transaction cycles
1. Review account components for homogeneity 2. Identify representative cycles 3. Flowchart each cycle, supplementing with narratives or questionnaires as necessary. 4. Trace one or a few representative transactions through each cycle (a transaction walkthrough) 5. Revise flowcharts if necessary
In the examples of control activities relating to authorization, what are the different types of authorization? Explain
1. Specific authorization - authorization is required every time the transaction is proposed. This is for unusual, material, or infrequent transactions 2. General authorization - personnel follow policies and procedures in determining if the proposed transaction or project is authorized in general
Define Control Environment
1. attitude, awareness, and actions of management and those charged with governance about internal control and its importance 2. includes governance and management functions 3. sets the tone of the organization, influencing control consciousness of the people 4. foundation of effective internal control
Classification of internal control according to objective (FOC)
1. financial reporting controls - achieve reliability of financial reporting objective 2. operational effectiveness controls - achieve operational effectiveness objective 3. compliance controls - achieve compliance objective N: in reference to classification of entity's objectives
In considering the entity's risk assessment process, the auditor obtains an understanding whether the entity has a process for:
1. identifying business risks that are relevant to the financial reporting objectives (identify) 2. estimating the significance of the risks (significance) 3. assessing the likelihood the risks will occur (likelihood) 4. deciding about actions to address those risks (address)
In the examples of control activities, explain performance review
1. review and analysis of actual results vs budgets, forecasts, and prior results 2. relating different sets of data to one another, together with the analyses of the relationships 3. investigative and corrective actions
Classification of internal control (FOM)
According to: 1. Objective 2. Function 3. Method
In considering the internal control, explain the step "Preliminary assessment of control risks"
After obtaining an understanding of the accounting and internal control system, the auditor makes a preliminary assessment of control risks, at the assertion level, for each material account balance and class of transactions. The preliminary assessment of control risk is the process of evaluating the effectiveness of an entity's accounting and internal control system in preventing or detecting and correcting material misstatements. There will always be some control risk because of the inherent limitations of any accounting and internal control systems.
How do you achieve optimum segregation of duties or responsibilities?
An entity's management, custodial, accounting, and monitoring functions should be performed by different employees. Management - Authorization; Custodial - Execution; Accounting - Recording; Monitoring - Independent checks on performance
In elements of control environment, explain "participation of those charged with governance"
Attributes of TCWG such as: 1. Independence from management 2. Experience and stature 3. Extent of involvement and information they receive, and scrutiny of activities 4. Appropriateness of their actions, including the degree to which difficult questions are raised and pursued with the management, and their interaction with internal and external auditors
In elements of control environment, explain "management philosophy and operating style"
Attributes of management such as: 1. Approach to managing and taking business risks 2. Attitudes and actions toward financial reporting 3. Attitudes toward information processing and accounting functions and personnel
In considering the internal control, in the step "Reassess control risk", what is the effect of the reassessment of control risk on the audit approach if the control risk assessment remains at less than high? Give the audit approach and effect on substantive test
Audit Approach - Reliance or Systems Approach. Effect on substantive tests - Less effective procedures; interim testing may be appropriate; smaller sample size. N: The word "remain" is used because test of controls and reassessment of control risks only apply when the assessment of control risk is at less than high.
In considering the internal control, in the step "Reassess control risk", what is the effect of the reassessment of control risk on the audit approach if the control risk assessment changes to high? Give the audit approach and effect on substantive test.
Audit Approach - Switch to No Reliance or Substantive Approach. Effect on substantive tests - More effective procedures; tests move to nearer or at the year-end; bigger sample size
In the examples of control activities, explain authorization
Authorization and execution of transactions - responsible personnel acting within the scope of their prescribed authority and responsibilities should authorize all transactions
In elements of control environment, explain "communication and enforcement of integrity and ethical values"
Integrity and ethical values influence the effectiveness of the design, administration and monitoring of controls
Define internal control
Internal control is a process designed, implemented, and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity's objectives.
In considering the internal control, explain the step "Reassess control risk"
Based on the results of the test of controls, evaluate if the internal controls are designed and operating as contemplated in the preliminary assessment of control risk. The evaluation of deviations may cause the auditor to conclude that the assessed level of control risk needs to be revised. In such cases, the auditor would modify the nature, timing, and extent of planned substantive procedures.
In considering the internal control, explain the step "Final Assessment of Control Risk"
Before the conclusion of the audit, based on the results of the substantive procedures and other audit evidence obtained by the auditor, the auditor should consider if the assessment of control risk is confirmed.
In the internal control component, "Information systems, including related business processes relevant to financial reporting, and communications", explain communication system
Communication provides an understanding of the individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which the personnel understand how their activities in the financial reporting system relate to the work of others, and the means of reporting exceptions to a higher level within the entity. To operate efficiently, the entity needs to identify, capture, and communicate internal and external information in a form and time frame that enables people to discharge their assigned responsibilities.
Relationship between the entity's objectives and internal control
Direct relationship
In elements of control environment, explain "organizational structure"
Framework within which an entity's activities for achieving its objectives are planned, executed, controlled, and reviewed
Explain, "Internal control is expected to provide reasonable assurance regarding the achievement of the entity's objectives"
IC can only achieve reasonable assurance and not absolute assurance because of inherent limitations
Explain, "Internal control is effected by those charged with governance, management, and other personnel"
IC is accomplished by people at every level of the organization, thus all personnel should perform their responsibilities and functions.
In considering the internal control, enumerate the documentation requirements
If the assessment of control risk is: 1. High - Understanding of internal controls; Control risk assessment 2. Less than high - Understanding of internal controls; Control risk assessment; Basis for the control risk assessment
In considering the internal control, explain the step "Determine the overall response to assessed risks"
In order to reduce audit risk to an acceptably low level, the auditor should determine overall responses to assessed risks at the financial statement level, and should design and perform further audit procedures to respond to assessed risk at the assertion level. Such responses include if preliminary control risk assessment is: 1. Maximum or High Level - the auditor relies primarily on substantive tests 2. Below Maximum or Less than High - the auditor performs test of controls
In the examples of control activities, explain information processing
Information processing should include controls that ensure that the transactions are valid, properly authorized, and completely and accurately recorded.
In considering the internal control, explain the step "Determine the nature, timing, and extent of substantive tests necessary to restrict detection risk to an acceptably low level"
Irrespective of the assessed risk of material misstatement, the auditor should design and perform substantive procedures for each material class of transactions, account balance, and disclosure.
In elements of control environment, explain "commitment to competence"
Management attempts to answer the question, "what is the required competence level for a specific job?" and how would this translate into required skills and knowledge.
In the internal control component, "monitoring of controls," what are the types of monitoring?
Monitoring can be accomplished through ongoing monitoring activities, separate evaluations, or a combination of both: 1. Ongoing monitoring - ongoing monitoring activities are often built into the entity's normal recurring activities and include regular management and supervisory activities. 2. Separate evaluations - these are done periodically and will vary in scope and frequency depending on the assessment of risks, effectiveness of ongoing evaluations, and other management considerations
In the internal control component, explain "monitoring of controls"
Monitoring is the process of assessing the quality of internal control performance over time. It involves assessing the design and operations of controls on a timely basis and taking corrective actions. Monitoring is done to ensure that controls continue to operate effectively.
Considering the communication system
Obtain an understanding of how the entity communicates the financial reporting roles and responsibilities and significant matters relating to financial reporting, including: 1. Communication between management and those charged with governance 2. External communication, such as those with regulatory authorities
In the examples of control activities, explain physical controls
Physical controls encompass physical security of assets, such as: 1. Physical security of assets, including adequate safeguards such as secured facilities over access to records 2. Authorization for access of computer programs and data files 3. Periodic counting and comparison of amounts shown on control records
In elements of control environment, explain "human resources policies and procedures"
Policies and practices with regard to recruitment, orientation, training, evaluation, counseling, promotion, compensation, and remedial actions
In the examples of control activities, explain segregation of duties
Segregation of duties is intended to reduce the opportunities of any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person's duties
Define transaction cycle
Series of related functions, all of which must be captured within the accounting system
In considering the internal control, explain the step "Perform test of controls"
Tests of controls are audit procedures designed to evaluate the operating effectiveness of the internal controls that are likely to detect or prevent material misstatements in support of a reduced assessed level of control risk. They are concerned with the: 1. Design of the accounting and internal control system 2. Implementation of the accounting and internal control system 3. Operating effectiveness of the accounting and internal control system
Considering the control activities
The auditor needs to obtain an understanding of: 1. The control activities that are relevant to the audit, being those the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and design further audit procedures responsive to assessed risks 2. How the entity has responded to risks arising from IT
Under PSA 330: The Auditor's Responses to Assessed Risks, explain the requirement for "Overall Response"
The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the financial statement level. The overall response includes: 1. Emphasize the characteristic of professional skepticism to the employees 2. Determine the need for more experienced employees or those with special skills, and experts 3. Determine the need for more supervision 4. Incorporate more elements of unpredictability in the further audit procedures 5. Modify nature, timing, and extent of audit procedures
In considering the internal control, explain the step "Obtain an understanding of the internal control"
The auditor shall obtain an understanding of the policies and procedures within the accounting and internal control systems that are relevant to the financial statement assertions. The understanding of the relevant aspects of the accounting and control systems, together with the inherent and control risk assessments and other considerations will enable the auditor to: 1. Identify the types of potential material misstatements that could occur in the financial statements 2. Consider factors that affect the risk of material misstatements 3. Design appropriate audit procedures
Considering the information system
The auditor shall obtain an understanding of the information systems, including related business practices relevant to financial reporting, including the following areas: 1. Classes of transaction that are relevant to the financial statements 2. Processes by which (1) are initiated, recorded, processed, and corrected (in IT and manual systems) 3. Related accounting records, supporting information, and specific accounts (manual and electronic form) 4. How the information system captures the events and conditions other than the transactions (or 1 above) 5. Financial reporting process used to prepare financial statements 6. Controls surrounding journal entries, including unusual transactions
Considering the monitoring of controls
The entity obtains an understanding of: 1. The major activities that the entity uses to monitor its internal controls over financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates corrective actions to its controls 2. The sources of the information used in the entity's monitoring activities, and the basis upon which the management considers the information to be sufficiently reliable for the purpose
In the internal control component, "Information systems, including related business processes relevant to financial reporting, and communications", define related business processes
The entity's related business processes are the activities designed to: 1. Develop, purchase, produce, sell, and distribute an entity's products and services 2. Ensure compliance with laws and regulations 3. Record information, including accounting and financial reporting information
In the internal control component, "Information systems, including related business processes relevant to financial reporting, and communications", define open communication channels
help ensure that communications are reported and acted on
In components of internal control, explain "entity's risk assessment process"
is a process that determines how the entity identifies and responds to business risk and the results thereof