8-1 Copyright 2006 McGraw-Hill Australia Pty Ltd Revised PPTs t/a Auditing and Assurance Services in Australia 3e by Grant Gay and Roger Simnett Slides prepared by Roger Simnett Chapter 8 Understanding and Assessing Internal Control

Chapter 8

Understanding and Assessing Internal Control

Audit Strategy and Internal Control

• Internal control is the process designed and implemented by those charged with governance, management and other personnel to provide reasonable assurance regarding the achievement of the entity’s objectives concerning financial reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations. Refer AUS 402.42/ASA 315.54 (ISA 315.42).

• It is designed and implemented to address business risks that threaten any of these objectives.

• The importance of internal control has increased as business entities become larger and more complex.

Learning Objective 1:

Auditor’s requirements

• AUS 402.41/ASA 315.52 (ISA 315.41) requires that the auditor obtain an understanding of internal control relevant to the audit.

• At the financial report level the auditor’s assessment of risk of material misstatement is affected by their understanding of the control environment. Refer AUS 406.05/ASA 330.10 (ISA 330.05).

• At the assertion level, the auditor needs to consider control risk in their assessment of the risk of material misstatement. Refer AUS 406.12/ASA 330.19 (ISA 330.12).

Audit strategy

• To reach a conclusion on accuracy and reliability of underlying accounting data, an auditor can:

– Test the accounting data (substantive approach); or

– Perform procedures to review and evaluate the internal control to see whether accounting data was developed under conditions likely to ensure accuracy and reliability (lower assessed level of control risk approach).

– An auditor adopts the best combination of these approaches.

Responsibility for Internal Control

• Achieving satisfactory internal control is initially a management responsibility, although ultimate responsibility rests with the directors.

• To maintain control over operations and accounting data, management needs to adopt, maintain and supervise an appropriate internal control system.

Learning Objective 2:

Inherent limitations of internal control

• Internal control cannot assure a reliable financial report because it has inherent limitations. Therefore, an auditor can never rely completely on the internal control.

• Inherent limitations arise because of:

– Control breakdowns as a result of the actions of careless, fatigued or deviant staff;

– The possibility of management override; and

– The existence of non-routine transactions for which internal controls were not devised.

Reasonable assurance

• Internal control should be designed to provide reasonable assurance that assets are safeguarded and accounting records are reliable.

• The concept of reasonable assurance recognises that, in some cases, the cost of establishing and maintaining controls can outweigh benefits of adopting controls.

Internal Control Objectives

• Risks are identified and minimised;

• Management decision making is effective and business processes efficient;

• Transactions are carried out in accordance with management’s authorisation;

• Laws, rules and regulations are complied with;

• Transactions are promptly and accurately recorded;

• Access to assets is limited in accordance with management’s authorisation; and

• Asset records are compared with existing assets at reasonable intervals.

Learning Objective 3:

Management controls

• Management Controls are the activities undertaken by senior management to mitigate strategic risks to the entity and to promote the effectiveness of decision making and the efficiency of business activities.

• These include:

– Communicating business objectives and goals;

– Establishing lines of authority and accountability;

– Establishing and enforcing appropriate codes of conduct;

– Monitoring risk environments;

– Defining policies and procedures for dealing with these risks; and

– Monitoring performance through performance indicators and benchmarking.

Transaction controls

• These are performed by staff and lower level management. Every transaction goes through the identifiable steps of authorisation, execution and recording.

• These controls:

– are generally focused on internal risks and reflect the formal policies and procedures defined by senior management;

– deal primarily with the reliability of accounting information and compliance with rules and regulations; and

– control the flow of transactions through the accounting system and safeguard related assets by authorising and recording transactions, restricting access to assets and checking for existence of recorded assets.

Characteristics of satisfactory internal control

• Controls to monitor and minimise business risks;

• Segregation of incompatible duties and responsibilities;

• System of authorisation, recording and procedures to provide control over assets, liabilities, revenues and expenses;

• Sound business practices in performance of duties and functions; and

• Capabilities commensurate with responsibilities.

Elements of Internal Control

• Control environment;

• Entity’s risk assessment process;

• Information system;

• Control activities; and

• Monitoring of controls.

Learning Objective 4:

Control environment

• The control environment includes management’s overall attitude, awareness and actions regarding internal control and its importance in the entity.

• Refer AUS 402.67/ASA 315.80 (ISA 315.67).

Auditors’ understanding of control environment

• Auditors should consider:

– Communication and enforcement of integrity and ethical values;

– Commitment to competence;

– Participation by those charged with governance;

– Management philosophy and operating style;

– Organisational structure;

– Assignment of authority and responsibility; and

– Human resource policies and practices.

Entity’s risk assessment process

• An entity’s risk assessment process is its way of identifying and responding to business risks.

• Once risks are identified, management needs to consider their significance and how they should be managed.

• Management may introduce plans to address specific risks or it may accept a risk on a cost-benefit basis.

Information system

• Consists of methods and records established to:

– Identify, assemble, analyse, classify, record and report exchange transactions and relevant events and conditions; and

– Maintain accountability for an entity’s assets, liabilities, revenues and expenditures.

Effective information systems

• An effective information system establishes records and methods that:

– Identify and record all valid transactions;

– Describe on a timely basis the transactions in sufficient detail to permit proper classification for financial reporting;

– Measure the value of transactions in a manner that permits recording of their proper monetary value in the financial report;

– Determine the period in which transactions occurred, to permit recording of transactions in the proper accounting period; and

– Present the transactions and related disclosures properly in the financial report.

Audit trail

• Audit trail:

– Individual transactions can be traced through each step of the accounts to their inclusion in the financial report and, similarly, from the financial report the amounts can be vouched or traced back to original source documentation.

• Main elements:

– Source documents: the initial record of transactions in the system. Processing usually creates a source document when a transaction is executed;

– Journal; and

– Ledger.

Control activities

• Include both policies and procedures that management has established to ensure its directives are carried out.

• Control activities may be categorised as policies and procedures that pertain to:

– performance reviews;

– information processing;

– physical controls; and

– segregation of duties.

Control activities (cont.)

• Performance review control activities independently check the performance of individuals or processes (e.g. comparing actual performance with budget).

• Information processing control activities comprise application controls and general IT controls. Application controls apply to processing of individual applications while general controls are policies and procedures that apply to many applications.

• Physical control activities include measures such as locked storerooms for inventory and fireproof safes for cash and securities on hand.

Segregation of duties

• Is an integral part of the plan of organisation. A person should not be in a position to both perpetrate and conceal errors or fraud in the normal course of duties.

• The most basic segregation of duties is to have different individuals or departments responsible for custody of assets and the keeping of records relating to those assets.

Transaction process

• A transaction may be considered to pass through four phases:

1. Authorisation: the initial authorisation or approval for an exchange transaction;

2. Execution: the act commits the entity to the exchange, such as placing an order;

3. Custody: the physical act of accepting, delivering or maintaining the asset; and

4. Recording: the entry of the transaction data into the accounting system.

• Ideally, all four phases should be kept separate.

Evaluating control activities

• The auditor will be interested in control activities related to the following assertions:

– Occurrence, e.g. authorisation and approval of transactions.

– Completeness, e.g. accounting for sequence of transactions.

– Accuracy, e.g. checking dollar amounts back to supporting documentation.

– Cutoff, e.g. independent review of transactions around balance date.

– Classification, e.g. independent checking of account coding.

Monitoring of controls

• Monitoring of controls:

– A process to assess the effectiveness of the performance of internal control. Involves evaluating the design and operation of controls, and taking corrective action where necessary.

• Management may monitor controls through ongoing activities such as supervisory activities and/or separate evaluations.

• In many entities internal auditors contribute to the monitoring process.

Internal auditor as an aid to monitoring

• Internal audit function:

– An individual, group or department within an entity that acts as a separate, higher level of control to determine that the internal control is functioning effectively.

– May make special inquiries at management’s direction or generally review operating practices to promote increased efficiency.

• An effective internal audit function can significantly strengthen the monitoring of control.

Internal audit and external audit

• Internal audit may affect external audit:

1. The internal audit function is a higher level, important part of the internal control.

2. The internal auditors may have documentation of the internal control. These documents may help the external auditor obtain an understanding of internal control.

3. The internal auditors may provide direct assistance to the independent auditor by making substantive tests or tests of controls.

• Many internal audit departments have also become involved in assessing business risks, which may be useful to the external auditor.

Considering Internal Control in a Financial Report Audit

• For every audit, irrespective of intended reliance on internal control, an auditor must obtain sufficient understanding of internal control to plan the audit and determine tests to be performed.

• The nature and extent of an auditor’s consideration of internal control varies considerably across audits and depends on audit strategy.

Learning Objective 5:

Steps in the auditor’s consideration of internal control structure

• Obtain an understanding of the control environment

• Obtain an understanding of the risk assessment process

• Obtain an understanding of the information system

• Obtain an understanding of the control activities

• Obtain an understanding of the monitoring of internal control

Understanding internal control

• The auditor obtains an understanding of internal controls to:

– Identify the types of potential misstatements that could occur and the factors that contribute to the risk that they will occur;

– Understand the accounting system sufficiently to identify the client documents etc. that may be available and ascertain what data will be used in audit tests; and

– Determine an efficient and effective approach to the audit.

Operating effectiveness

• Operating effectiveness:

– The manner in which entity personnel apply the policies that are in place.

– Obtaining an understanding of an entity’s control is not a sufficient test of operating effectiveness, unless there is some automation that provides for the consistent application of the operation of the control.

– An auditor who decides to reduce the assessed level of control risk to less than high must consider operating effectiveness and gather evidence to support this assessment.

– Evidence will be obtained through tests of control.

Procedures for understanding the control environment

• An auditor gains an understanding of the control environment by:

– Making enquiries of key management personnel;

– Inspecting documented policies and procedures;

– Observing activities and operations; and

– Considering past experience with client.

Procedures for understanding the risk assessment process

• An auditor needs to determine how management identifies business risks relevant to the financial report, estimates the significance of the risks, assesses their likelihood of occurrence, and decides upon actions to manage them.

• An auditor will inquire of management about business risks that management have identified and consider whether they may result in a material misstatement.

• If an auditor identifies risk of material misstatements during the audit that management failed to identify, they need to consider whether management should have identified it and, if so, why the process failed.

Procedures for understanding the information system

• An auditor is required to obtain sufficient knowledge of the information system to understand:

– Significant classes of transactions;

– Initiation of transactions;

– Records, documents and accounts;

– Accounting processing; and

– Financial reporting procedures.

Procedures for understanding the control activities

• An auditor is required to obtain an understanding sufficient to develop an audit plan.

• Procedures include:

– Inquiry of appropriate client personnel;

– Inspection of documentation;

– Observation of the entity’s activities, operations and procedures; and

– Walkthrough – an auditor traces one or a few transactions of each type through the related documents and accounting records, observing related processing and control procedures in operation.

Procedures for understanding monitoring of controls

• The auditor is required to obtain an understanding of how the entity monitors internal control over financial reporting and initiates corrective actions.

• In many entities internal auditors contribute to the monitoring of an entity’s activities.

• The auditor needs to obtain an understanding of the sources of the information related to the entity’s monitoring activities and the basis upon which management considers the information to be sufficiently reliable.

Procedures to document the understanding of internal control

• Internal control questionnaires and checklists;

• Narrative memoranda – written description of internal control policies and procedures; and

• Flowcharts.

Assessing control risk

• After obtaining an understanding of the components of internal control, the auditor assesses control risk for the assertions in the account balance, transaction class and disclosure.

• The auditor must decide whether to assess control risk for a particular assertion at high or at less than high.

Assessment of control risk at high

• Control risk will be assessed at high because the entity’s internal control policies and procedures in the area:

– Are poor and do not support less than a high assessment;

– May be effective, but the audit tests to gather evidence of their effectiveness would be more time consuming than performing substantive tests; or

– Do not pertain to the particular assertion.

Assessing control risk at less than high

• An auditor must support assessment where control risk is assessed at less than high:

– First, the auditor identifies specific control activities relevant to particular assertions that are likely to prevent or detect material misstatements in those assertions.

– Next, the auditor performs tests of controls to evaluate the effectiveness of these control activities. This process is followed for each account balance or transaction class that is material to the financial report. This is discussed in Chapter 9.

Levels of Control in Computerised Systems

• Two main categories:

– User controls: those controls established and maintained by departments whose processing is performed by computer.

– IT controls: those controls established and maintained at the location of the computer, for example in data-processing departments.

Learning Objective 6:

General and application controls

• IT controls can be further divided into general and application controls. General controls are those controls that relate to a number of application systems; application controls relate to a particular application.

• User controls are always application controls, given their purpose.

General controls

• General controls are manual and computer controls that relate to all or many computerised accounting applications. These provide a reasonable level of assurance that overall objectives of internal control are achieved.

• General controls include:
– Segregation of duties;
– Control over programs; and
– Control over data.


Segregation of duties within IT


Control over programs

• Includes control over:
– Development or acquisition of new programs;
– Changes to existing programs;
– Access to programs; and
– Specialised systems software.
• Modifications or access should be appropriately authorised, approved and tested.


Control over data

• Control procedures in user departments to ensure restricted access (e.g. key passes, locks);

• Control procedures in CIS departments at input and processing stage;

• Restriction of access to data files (e.g. password); and

• Use of librarian function or software.


Other general controls

• These include controls that back up hardware, software and files and ensure recovery when computer is installed or particular files or programs are damaged.

• These do not normally have an effect on the auditor’s control risk assessment.


Application controls

• Relate to individual computerised accounting applications (e.g. debtors);

• Contribute to achievement of specific control objectives considered by auditor in tests of controls; and

• Can be programmed and located in either the user departments or IT department.


User department application controls

• Control totals:
– Financial totals
– Record totals
– Hash totals

• Review and reconciliation of data

• Error correction and resubmission procedures

• Authorisation of each transaction and batch of transactions.


IT application controls

• Usually classified in the following categories:
– Input controls;
– File controls;
– Processing controls; and
– Output controls.


Input controls

• Control totals;

• Key verification;

• Key entry validation; and

• Programmed controls:
– Check digit
– Limit or reasonableness test
– Field test
– Valid code test.
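An added Python illustration (not part of the original slides) of how the user-department control totals and the programmed input controls listed above fit together: each record is run through the four programmed tests, and the record, financial and hash totals of the accepted records are reconciled against the batch header. The record layout, account codes, amount limit and the choice of Luhn as the check-digit scheme are assumptions, and the sample batch is constructed.

```python
# Added illustration; codes, limit, field names and the Luhn scheme are assumptions.
from decimal import Decimal, InvalidOperation

VALID_ACCOUNT_CODES = {"4000", "4100", "6200"}   # assumed valid codes
AMOUNT_LIMIT = Decimal("10000.00")               # assumed reasonableness ceiling
SAMPLE_BATCH = [  # constructed records: (customer_no, account, amount)
    ("100008", "4000", "250.00"), ("200006", "4100", "1200.50"),
    ("300005", "4000", "75.00"),      # bad check digit
    ("300004", "9999", "12x.00"),     # non-numeric amount, unknown code
    ("300004", "6200", "50000.00"),   # over the limit
]

def luhn_ok(number):
    """Check digit test (Luhn mod 10, chosen for illustration)."""
    if not number.isdigit():
        return False
    digits = [int(c) for c in reversed(number)]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def validate(rec):
    """Return the names of the programmed input controls a record fails."""
    customer_no, account, amount = rec
    failures = []
    try:
        value = Decimal(amount)                   # field test: must be numeric
        if not Decimal("0") < value <= AMOUNT_LIMIT:
            failures.append("limit")              # limit or reasonableness test
    except InvalidOperation:
        failures.append("field")
    if account not in VALID_ACCOUNT_CODES:
        failures.append("valid_code")             # valid code test
    if not luhn_ok(customer_no):
        failures.append("check_digit")            # check digit test
    return failures

def control_totals(batch):
    """Record, financial and hash totals over records that passed validation."""
    return {"record_total": len(batch),
            "financial_total": sum(Decimal(r[2]) for r in batch),
            "hash_total": sum(int(r[0]) for r in batch)}  # no monetary meaning

def process(batch, header):
    """Reject failing records, then reconcile totals with the user's batch header."""
    rejected = {i: f for i, r in enumerate(batch) if (f := validate(r))}
    accepted = [r for i, r in enumerate(batch) if i not in rejected]
    totals = control_totals(accepted)
    return rejected, totals, [k for k in header if totals[k] != header[k]]
```

Rejected records go back through error correction and resubmission; a non-empty mismatch list means the batch that was processed is not the batch that was authorised.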


File controls

• Include:
– Internal file labels — computer-readable data that identifies content of file.
– External file labels — printed or handwritten labels attached to disk or tape.


Processing controls

• Programmed control procedures:
– Checking numerical sequence of records
– Comparing related fields

• Run-to-run control totals.


Output controls

• These include:
– Restricted distribution;
– Automatic dating of reports;
– Page numbering; and
– End-of-report messages.


Relationship between general and application controls

• The auditor should start by looking at general controls.

• If general controls are unreliable, an auditor has little confidence in programmed application controls and reduced confidence in manual application controls → auditor takes more substantive approach to the audit.

• If general controls are reliable, the auditor makes a preliminary evaluation of application controls. If reliance on application controls is then planned, a more detailed evaluation of these controls is made → auditor determines appropriate degree of testing of controls and substantive testing.


Control systems in different environments: DATABASE SYSTEMS

• A database is a computer-readable file of records that is used by many accounting applications.

• In order to handle processing of data, a system software program called a database management system (DBMS) is used.

• Guidance on auditing database systems is contained in AGS 1022/IAPS 1003.


Stand-alone PC systems

• In such systems the distinction between general and application controls might be blurred and controls might be less structured. Thus, control risk might be assessed at maximum level.

• Guidance on auditing stand-alone PC systems is contained in AGS 1018/IAPS 1001.


LANs and other networks

• Networking PCs means that processing is distributed to PCs at many locations.

• This can cause problems with security and control procedures, as they are more dispersed.

• In most cases control risk has risen significantly.


Computer service bureau

• A computer service bureau is a centre or service entity that performs computer applications for another company.

• A common application processed through a service entity is payroll.

• AUS 404/ASA 402 (ISA 402) provides an auditor with guidance on audit implications of using a computer service entity.


Considering the Work of an Internal Auditor

• An effective internal audit function can significantly strengthen the monitoring of control.

• AUS 604/ASA 610 (ISA 610) recognises that an external auditor is able to use the work of an internal auditor to assist in an audit engagement.

• Extent of reliance is dependent on evaluation of internal audit function by external auditor.

Learning Objective 7:


Differences between an internal and an external auditor

• Differences are:
– Objectives
– Independence
– Qualifications

• For an external audit, elements are regulated by legislation.

• For an internal audit, elements are determined by management.


Evaluating internal audit

• In evaluating internal audit, external auditors should consider:
– Organisational status;
– Scope of internal auditing;
– Technical competence; and
– Due professional care.


Using the services of internal audit

• The overall responsibility for audit engagement remains with an external auditor.

• The external auditor is required to undertake general evaluation as part of review of internal controls.

• If the external auditor plans to rely on internal audit, they should carefully review internal auditor’s working papers and procedures to ensure testing is sufficient to meet their requirements, and that conclusions outlined in working papers are appropriate.