Evaluation of Internal Control System
Contrast management’s need for internal control with the auditor’s Learning Objective 1 Contrast management’s need for internal control with the auditor’s need to consider internal control when designing an audit.
Internal Controls - Definition "Internal control system" means all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management's objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.
Key Concepts Management’s Responsibility Reasonable Assurance Inherent Limitations
Client’s Concerns Reliability of financial reporting Efficiency and effectiveness of operations Compliance with applicable laws and regulations
Auditor Concerns Controls related to reliability of financial reporting Controls over classes of transactions (more than on account balances)
Explain the components Learning Objective 2 Explain the components of internal control.
Internal Controls – 2 Components “The Control Environment“: Which means the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance in the entity. Factors affecting include: The function of the board of directors and its committees. Management's philosophy and operating style. The entity's organizational structure and methods of assigning authority and responsibility. Management's control system including the internal audit function, personnel policies and procedures and segregation of duties.
Internal Controls – 2 Components "control procedures" which means those policies and procedures in addition to the control environment which management has established to achieve the entity's specific objectives. “SPAM SOAP”
Adequate Separation of Duties A transaction can be dissected as follows; C = Custody A = Authority R = Recording E = Execution
Proper Authorization of Transactions and Activities General authorization General policies to be followed. Approves all transactions within the limits set by the policy. Specific authorization Relates to the authorization of individual transaction
Adequate Documents and Records Prenumbered consecutively Prepared at the time of transaction Simple enough to ensure understanding Designed for multiple uses Constructed to encourage correct preparation
Physical Control over Assets and Records Physical precautions Controls related to IT equipment, programs, and data files Physical controls Access controls Backup and recovery procedures
Independent Checks on Performance The need for independent checks arise because internal control tends to change over time unless there is a mechanism for frequent review.
The Accounting System "Accounting system" means the series of tasks and records of an entity by which transactions are processed as a means of maintaining financial records. Such systems identify, assemble, analyze, calculate, classify, record, summarize and report transactions and other events.
The Accounting System - Objectives Transactions are executed in accordance with management's general or specific authorization. All transactions and other events are promptly recorded in the correct amount, in the appropriate accounts and in the proper accounting period so as to permit preparation of financial statements in accordance with the Sri Lanka Accounting Standards. Access to assets and records is permitted only in accordance with management's authorization. Recorded assets are compared with the existing assets at reasonable intervals and appropriate action is taken regarding any differences.
Explain methods used to obtain an understanding Learning Objective 3 Explain methods used to obtain an understanding of internal control.
Understanding Internal Control and Assessing Control Risk Obtain Understanding of Internal Control: Design and Operation Assess Control Risk Test Controls Decide Planned Detection Risk and Substantive Tests
Reasons for Sufficiently Understanding Internal Control SLAuS requires the auditor to obtain an understanding of internal control for every audit. Minimum audit planning matters Auditability Potential material misstatements Detection risk Design of test
Procedures to Determine Design and Placement Update and evaluate auditor’s previous experience with the entity. Make inquires of client personnel. Read client’s policy and systems manuals. Examine documents and records. Observe entity activities and operations.
Documentation of the Understanding Narrative (139) Flowchart Internal control Questionnaire (141)
Assess control risk by linking strengths and weaknesses of Learning Objective 4 Assess control risk by linking strengths and weaknesses of internal control to transaction- related audit objectives.
Assess Control Risk Obtain sufficient understanding for planning. Assess whether the entity is auditable. Determine assessed control risk. Assess if a lower control risk could be supported. Determine the appropriate assessed control risk.
Assess Control Risk Identify transaction-related audit objectives. Identify specific controls. Identify and evaluate weaknesses.
Identify and Evaluate Weaknesses Identify existing controls. Identify the absence of key controls. Determine misstatements that could result. Consider compensating controls.
Communication As a result of obtaining an understanding of the accounting and internal control systems and tests of control, the auditor may become aware of weaknesses in the systems. The auditor should make management aware, as soon as practical and at an appropriate level of responsibility, of material weaknesses in the design or operation of the accounting and internal control systems, which have come to the auditor's attention. The communication to management of material weaknesses would ordinarily be in writing.
Describe the process of designing and performing tests of controls. Learning Objective 5 Describe the process of designing and performing tests of controls.
The Need for Test of Controls If the auditor, after obtaining an understanding of the accounting system and control environment, expects to be able to rely on his assessment of control risk to reduce the extent of substantive procedures, he should make a preliminary assessment of control risk for material financial statement assertions, and plan and perform tests of control to support that assessment.
Tests of Controls The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.
Procedures for Tests of Controls Make inquiries of client personnel. Examine documents, records, and reports. Observe control-related activities. Reperform client procedures.
Extent of Procedures Reliance on evidence from prior year’s audit Testing less than the entire audit period
Decide Planned Detection Risk and Design Substantive Tests The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests.
Decide Planned Detection Risk and Design Substantive Tests The level of detection risk relates directly to the auditor's substantive procedures. The auditor's control risk assessment, together with the inherent risk assessment, influences the nature, timing and extent of substantive procedures to be performed to reduce detection risk, and therefore audit risk, to an acceptably low level. Some detection risk would always be present even if an auditor were to examine 100 percent of the account balance or class of transactions because, for example, most audit evidence is persuasive rather than conclusive.
Decide Planned Detection Risk and Design Substantive Tests The auditor should consider the assessed levels of inherent and control risks in determining the nature, timing and extent of substantive procedures required to reduce audit risk to an acceptable level..