Internal Control in Financial Statement Audit

Topics: Auditing, Internal control, Risk Pages: 9 (3038 words) Published: August 25, 2013
Table of Contents STAGE B: ASSESSING THE PRELIMINARY LEVEL OF CONTROL RISK 2 ASSESSING CONTROL RISK 2 Assessing control risk below the maximum level 5 Assessing Inherent Risk …………………………………………………………………………………………..…………………5 Relationship Between the Assessments of Inherent and Control Risks…………………………..……..……6 Identifying Specific Controls Relevant to Specific Assertions………………………………………………..……..6 Types of Control Activities that Relate to Financial Statement Assertion……………………………..……..7 STAGE C: OBTAINBING EVIDENTIAL MATTER TO SUPPORT THE ASSESSED LEVEL OF CONTROL RISK…….7 Performing Tests of Controls………………………………………………………………………………………………………7 Nature of Tests of Control…………………………………………………………………………………………………….…….9 Timing of Test of Controls…………………………………………………………………………………………………………..9 Extent of Test of Controls…………………………………………………………………………………………………………..9 STAGE D: EVALUATING THE RESULTS OF THE EVIDENTIAL MATTER…………………………………………………..10 Bibliography………………………………………………………………………………………………………………………………………11 STAGE B: ASSESSING THE PRELIMINARY LEVEL OF CONTROL RISK ASSESSING CONTROL RISK .62 Section 326, Evidential Matter, states that most of the independent auditor's work in forming an opinion on financial statements consists of obtaining and evaluating evidential matter concerning the assertions in such financial statements. These assertions are embodied in the account balance, transaction class, and disclosure components of financial statements and are classified according to the following broad categories: Existence or occurrence Completeness Rights and obligations Valuation or allocation (measurement) Presentation and disclosure In planning and performing an audit, an auditor considers these assertions in the context of their relationship to a specific account balance or class of transactions. .63 The risk of material misstatement in financial statement assertions consists of inherent risk, control risk, and detection risk. Inherent risk is the susceptibility of an assertion to a material misstatement assuming there are no related controls. Control risk is the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity's internal control. Detection risk is the risk that the auditor will not detect a material misstatement that exists in an assertion. .64 Assessing control risk is the process of evaluating the effectiveness of an entity's internal control in preventing or detecting material misstatements in the financial statements. Control risk should be assessed in terms of financial statement assertions. .65 After obtaining the understanding of internal control, the auditor may assess control risk at the maximum level for some or all assertions because he or she believes controls are unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of controls would be inefficient. However, the auditor needs to be satisfied that performing only substantive tests would be effective in restricting detection risk to an acceptable level. For example, the auditor may determine that performing only substantive tests would be effective and more efficient than performing tests of controls for assertions related to fixed assets and to long-term debt in an entity where a limited number of transactions are related to those financial statement components, and when the auditor can readily obtain corroborating evidence in the form of documents and confirmations. In circumstances where the auditor is performing only substantive tests in restricting detection risk to an acceptable level and where the information used by the auditor to perform such substantive tests is produced by the entity's information system, the auditor should obtain evidence about the accuracy and completeness of the information. .66 In other circumstances, the auditor may determine that assessing control risk below the maximum level for certain assertions would be effective...

Bibliography: ……………………………………………………………………………………………………………………………………11 STAGE B: ASSESSING THE PRELIMINARY LEVEL OF CONTROL RISK ASSESSING CONTROL RISK .62 Section 326, Evidential Matter, states that most of the independent auditor 's work in forming an opinion on financial statements consists of obtaining and evaluating evidential matter concerning the assertions in such financial statements. These assertions are embodied in the account balance, transaction class, and disclosure components of financial statements and are classified according to the following broad categories: Existence or occurrence Completeness Rights and obligations Valuation or allocation (measurement) Presentation and disclosure In planning and performing an audit, an auditor considers these assertions in the context of their relationship to a specific account balance or class of transactions. .63 The risk of material misstatement in financial statement assertions consists of inherent risk, control risk, and detection risk. Inherent risk is the susceptibility of an assertion to a material misstatement assuming there are no related controls. Control risk is the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity 's internal control. Detection risk is the risk that the auditor will not detect a material misstatement that exists in an assertion. .64 Assessing control risk is the process of evaluating the effectiveness of an entity 's internal control in preventing or detecting material misstatements in the financial statements. Control risk should be assessed in terms of financial statement assertions. .65 After obtaining the understanding of internal control, the auditor may assess control risk at the maximum level for some or all assertions because he or she believes controls are unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of controls would be inefficient. However, the auditor needs to be satisfied that performing only substantive tests would be effective in restricting detection risk to an acceptable level. For example, the auditor may determine that performing only substantive tests would be effective and more efficient than performing tests of controls for assertions related to fixed assets and to long-term debt in an entity where a limited number of transactions are related to those financial statement components, and when the auditor can readily obtain corroborating evidence in the form of documents and confirmations. In circumstances where the auditor is performing only substantive tests in restricting detection risk to an acceptable level and where the information used by the auditor to perform such substantive tests is produced by the entity 's information system, the auditor should obtain evidence about the accuracy and completeness of the information. .66 In other circumstances, the auditor may determine that assessing control risk below the maximum level for certain assertions would be effective and more efficient than performing only substantive tests. In addition, the auditor may determine that it is not practical or possible to restrict detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such circumstances, the auditor should obtain evidential matter about the effectiveness of both the design and operation of controls to reduce the assessed level of control risk. .67 In determining whether assessing control risk at the maximum level or at a lower level would be an effective approach for specific assertions, the auditor should consider— The nature of the assertion. The volume of transactions or data related to the assertion. The nature and complexity of the systems, including the use of IT, by which the entity processes and controls information supporting the assertion. The nature of the available evidential matter, including audit evidence that is available only in electronic form. .68 In circumstances where a significant amount of information supporting one or more financial statement assertions is electronically initiated, recorded, processed, or reported, the auditor may determine that it is not possible to design effective substantive tests that by themselves would provide sufficient evidence that the assertions are not materially misstated. For such assertions, significant audit evidence may be available only in electronic form. In such cases, its competence and sufficiency as evidential matter usually depend on the effectiveness of controls over its accuracy and completeness. Furthermore, the potential for improper initiation or alteration of information to occur and not be detected may be greater if information is initiated, recorded, processed, or reported only in electronic form and appropriate controls are not operating effectively. In such circumstances, the auditor should perform tests of controls to gather evidential matter to use in assessing control risk. .69 Examples of situations where the auditor may find it impossible to design effective substantive tests that by themselves would provide sufficient evidence that certain assertions are not materially misstated include the following: An entity that conducts business using IT to initiate orders for goods based on predetermined decision rules and to pay the related payables based on system-generated information regarding receipt of goods. No other documentation of orders or goods received is produced or maintained. An entity that provides electronic services to customers (for example, an Internet service provider or a telephone company) and uses IT to log services provided to users, initiate bills for the services, process the billing transactions, and automatically record such amounts in electronic accounting records that are used to produce the financial statements. .70 Assessing control risk below the maximum level involves— Identifying specific controls relevant to specific assertions. Performing tests of controls. Concluding on the assessed level of control risk. Assessing Inherent Risk In developing the overall audit plan, the auditor should assess inherent risk at the financial statement level. In developing the audit program, the auditor should relate such assessment to material account balances and classes of transactions at the assertion level, or assume that inherent risk is high for the assertion. To assess inherent risk, the auditor uses professional judgment to evaluate numerous factors, examples of which are: At the Financial Statement Level • The integrity of management. • Management experience and knowledge and changes in management during the period, for example, the inexperience of management may affect the preparation of the financial statements of the entity. • Unusual pressures on management, for example, circumstances that might predispose management to misstate the financial statements, such as the industry experiencing a large number of business failures or an entity that lacks sufficient capital to continue operations. • The nature of the entity’s business, for example, the potential for technological obsolescence of its products and services, the complexity of its capital structure, the significance of related parties and the number of locations and geographical spread of its production facilities. • Factors affecting the industry in which the entity operates, for example, economic and competitive conditions as identified by financial trends and ratios, and changes in technology, consumer demand and accounting practices common to the industry. At the Account Balance and Class of Transactions Level • Financial statement accounts likely to be susceptible to misstatement, for example, accounts which required adjustment in the prior period or which involve a high degree of estimation. • The complexity of underlying transactions and other events which might require using the work of an expert. • The degree of judgment involved in determining account balances. • Susceptibility of assets to loss or misappropriation, for example, assets which are highly desirable and movable such as cash. • The completion of unusual and complex transactions, particularly at or near period end. • Transactions not subjected to ordinary processing. Relationship Between the Assessments of Inherent and Control Risks Management often reacts to inherent risk situations by designing accounting and internal control systems to prevent or detect and correct misstatements and therefore, in many cases, inherent risk and control risk are highly interrelated. In such situations, if the auditor attempts to assess inherent and control risks separately, there is a possibility of inappropriate risk assessment. As a result, audit risk may be more appropriately determined in such situations by making a combined assessment. Identifying Specific Controls Relevant to Specific Assertions .71 The auditor’s understanding about internal control should be used to identify the types of potential misstatements that could occur and to consider factors that affect the risk of material misstatement. In assessing control risk, the auditor should identify the controls that are likely to prevent or detect material misstatement in specific assertions. In identifying controls relevant to specific financial statement assertions, the auditor should consider that the controls can have either a pervasive effect on many assertions or a specific effect on an individual assertion, depending on the nature of the particular internal control component involved. For example, the conclusion that an entity 's control environment is highly effective may influence the auditor 's decision about the number of an entity 's locations at which auditing procedures are to be performed or whether to perform certain auditing procedures for some account balances or transaction classes at an interim date. Either decision affects the way in which auditing procedures are applied to specific assertions, even though the auditor may not have specifically considered each individual assertion that is affected by such decisions. .72 Conversely, some control activities may have a specific effect on an individual assertion embodied in a particular account balance or transaction class. For example, the control activities that an entity established to ensure that its personnel are properly counting and recording the annual physical inventory relate directly to the existence assertion for the inventory account balance. .73 Controls can be either directly or indirectly related to an assertion. The more indirect the relationship, the less effective that control may be in reducing control risk for that assertion. For example, a sales manager 's review of a summary of sales activity for specific stores by region ordinarily is indirectly related to the completeness assertion for sales revenue. Accordingly, it may be less effective in reducing control risk for that assertion than controls more directly related to that assertion, such as matching shipping documents with billing documents. .74 General controls relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. The auditor should consider the need to identify not only application controls directly related to one or more assertions, but also relevant general controls. Types of Control Activities that Relate to Financial Statement Assertion Assertion Related Control Activities A/B. Existence/ Occurrence C. Completeness D. Rights and obligations E. Valuation or allocation (measurement) F. Presentation and disclosure Procedures that require documentation, approvals, authorization, verification and reconciliation Procedures that ensure that all transactions that occur are recorded such as accounting for a numerical sequence. Procedures that ensures that the entity has a right to assets or an obligation to pay arising from a transaction. Procedures that ensure that a proper price is charged and that a mathematical accuracy are present in recording and in developing the accounting records and financial statements. Procedures that indicates that a review has been made to ascertain that a transaction has been recorded in the proper account and that the financial statement disclosure have been reviewed by a competent personnel. STAGE C: OBTAINBING EVIDENTIAL MATTER TO SUPPORT THE ASSESSED LEVEL OF CONTROL RISK Performing Tests of Controls .75 Procedures directed toward evaluating the effectiveness of the design of a control are concerned with whether that control is suitably designed to prevent or detect material misstatements in specific financial statement assertions. Procedures to obtain such evidential matter ordinarily include inquiries of appropriate entity personnel; inspection of documents, reports, or electronic files; and observation of the application of specific controls. For entities with complex internal control, the auditor should consider the use of flowcharts, questionnaires, or decision tables to facilitate the application of procedures directed toward evaluating the effectiveness of the design of a control. .76 Procedures to obtain evidential matter about the effectiveness of the operation of a control are referred to as tests of controls (paragraphs .90 through .104 of this section discuss characteristics of evidential matter to consider when performing tests of controls). Tests of controls directed toward the operating effectiveness of a control are concerned with how the control (whether manual or automated) was applied, the consistency with which it was applied during the audit period, and by whom it was applied. These tests ordinarily include procedures such as inquiries of appropriate entity personnel; inspection of documents, reports, or electronic files, indicating performance of the control; observation of the application of the control; and reperformance of the application of the control by the auditor. In some circumstances, a specific procedure may address the effectiveness of both design and operation. However, a combination of procedures may be necessary to evaluate the effectiveness of the design or operation of a control. .77 In designing tests of automated controls, the auditor should consider the need to obtain evidence supporting the effective operation of controls directly related to the assertions as well as other indirect controls on which these controls depend. For example, the auditor may identify a “user review of an exception report of credit sales over a customer’s authorized credit limit” as a direct control related to an assertion. In such cases, the auditor should consider the effectiveness of the user review of the report and also the controls related to the accuracy of the information in the report (for example, the general controls). .78 Because of the inherent consistency of IT processing, the auditor may be able to reduce the extent of testing of an automated control. For example, a programmed application control should function consistently unless the program (including the tables, files, or other permanent data used by the program) is changed. Once the auditor determines that an automated control is functioning as intended (which could be done at the time the control is initially implemented or at some other date), the auditor should consider performing tests to determine that the control continues to function effectively. Such tests might include determining that changes to the program are not made without being subject to the appropriate program change controls, that the authorized version of the program is used for processing transactions, and that other relevant general controls are effective. Such tests also might include determining that changes to the programs have not been made, as may be the case when the entity uses packaged software applications without modifying or maintaining them. .79 To test automated controls, the auditor may need to use techniques that are different from those used to test manual controls. For example, computer-assisted audit techniques may be used to test automated controls or data related to assertions. Also, the auditor may use other automated tools or reports produced by IT to test the operating effectiveness of general controls, such as program change controls, access controls, and system software controls. The auditor should consider whether specialized skills are needed to design and perform such tests of controls. According to PSA 400, auditor should obtain audit evidence through tests of control to support any assessment of control risk which is less than high. The lower the assessment of control risk, the more support the auditor should obtain that accounting and internal control systems are suitably designed and operating effectively. Nature of Tests of Control Inquiry consists of searching for the appropriate information about the effectiveness of internal control from knowledgeable persons inside or outside the entity. Observation refers to looking for the process being performed by others. For example the auditor may observe the payroll payoff procedures or the performance of internal control procedures that leaves no evidence. Inspection involves the examination of documents and records to provide evidence of reliability depending on nature and source and the effectiveness of internal control over their processing. Reperformance involves repeating the activity performed by the client to determine whether proper results were obtained. Timing of Test of Controls Auditors usually perform tests of controls during an interim visit in advance of period end. However, auditors cannot rely on the results of such tests without considering the need to obtain further evidence relating to the remainder of the period. This evidence may be obtained by performing test of control for the remaining period or by reviewing whether there are chances of affecting the entity’s internal control system. In determining whether or not to test the remaining period, the following factors must be considered; The result of the interim test. The length of the remaining period. Whether changes have occurred in the accounting and internal control systems during the remaining period. Extent of Test of Controls The auditor cannot possible examine all transactions related to certain control procedures. In an audit, the auditor should determine the size of a sample sufficient to support the assessed level of control risk. STAGE D: EVALUATING THE RESULTS OF THE EVIDENTIAL MATTER Based on the results of the test of control, ate auditor should evaluate whether the internal controls are designed and operating as intended. The conclusion reached as a result of this evaluation is called the assessed level of control risk. The auditor uses the assessed level of control risk (together with the assessed level of inherent risk) to determine the acceptable level of detection risk. There is an inverse relationship between detection risks and the combined level of inherent and control risk. For example, if the combined assessed level of inherent risk and control risk is high, detection risk needs to be low to reduce audit risk to an acceptable low level. In this regard, the auditor may consider modifying The nature of substantive test from less effective to more effective procedures. The timing of substantive test by performing them at a year-end than at interim. The extent of substantive tests from smaller to larger sample size.
Continue Reading

Please join StudyMode to read the full document

You May Also Find These Documents Helpful

  • Information Technology, Internal Control, and Financial Statement Audits Essay
  • internal control Essay
  • Evaluating Internal Controls Essay
  • Audit and Internal Control Essay
  • Internal Control and Audit Software Essay
  • Essay about Audit
  • Essay on Section 404 Audits of Internal Control and Control Risk
  • Internal control Essay

Become a StudyMode Member

Sign Up - It's Free