[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.1 Internal Control and Control Risk Principles of Auditing: An Introduction to International Standards on Auditing - Ch. 7 Rick Stephan Hayes, Roger Dassen, Arnold Schilder, Philip Wallage

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.2 Internal Control is A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations and safeguarding of assets against unauthorized acquisition, use or disposition.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.3 Internal control is geared to the achievement of objectives in one or more separate overlapping categories: 1 effective operations — relating to effective and efficient use of the entity's resources 2 financial reporting — relating to preparation of reliable published financial statements 3 compliance — relating to the entity's compliance with applicable laws and regulations 4 safeguarding of assets

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.4 Management Control Objectives Effective Operations goal safeguarding of assets (cash, accounts receivable, accounting records) Financial Reporting Need for accurate information because management has a responsibility to see that statements are prepared fairly in accordance with accounting standards. Auditor is interested primarily in financial reporting controls (especially controls over transactions). Compliance Companies must comply with many laws and regulations including company law, tax law and environmental protection regulations.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.5 Auditor’s Primary Control Consideration and Emphasis To understand an entity’s internal control, the auditor will evaluate the design and implementation of a control. The auditor's primary consideration is whether, and how, a specific control prevents, or detects and corrects, material misstatements in classes of transactions, account balances or disclosures. The heaviest emphasis by auditors is on controls over classes of transactions rather than account balances or disclosures.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.6 Design and Implementation of Controls To understand the entity’s internal control the auditor will evaluate the design of a control and judge whether it has been implemented. He determines if the control is designed to prevent, detect, or correct transactions that misstate the account balances. Implementation of a control means that the control exists and that the entity is using it.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.7 Components of Internal Control are Control Environment, Risk Assessment, Control Activities / Control Procedures, Information and Communication and Monitoring.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.8 Components of Internal Control Illustration 7.1

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.9 Control Environment The control environment means the overall attitude, awareness, and actions of directors and management regarding the internal control system and its importance in the entity.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.10 Elements Contributing to a Successful Control Environment (1) Communication and enforcement of integrity and ethical values; (2) Commitment to competence; (3) Participation by those charged with governance - independence and integrity of the board of directors; (4) Management's philosophy and operating style - leadership via control by example; (5) Organizational structure; (6) Assignment of authority and responsibility; and (7) Human resource policies and practices.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.11 Risk Assessment Management assesses risks as part of designing and operating the internal control system to minimize errors and irregularities. Auditors assess risks to decide the evidence needed in the audit. If management effectively assesses and responds to risks, the auditor will typically need to accumulate less audit evidence than when management fails to, because control risk is lower.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.12 Identify Risks A technique to identify risks involves identifying and prioritizing high risk activities: ¬identify the essential resources of the business and determine which are most at risk; ­identify possible liabilities which may arise; ®review the risks that have arisen in the past; ¯consider any additional risks imposed by new objectives or new external factors; and °seek to anticipate change by considering problems and opportunities on a continuing basis.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.13 Information and Communication. Information must be relevant and delivered to people who need it in a form and time frame that allows them to carry out their control and other responsibilities.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.14  The accounting system;  Customer and vendor records  Production system;  Budget information,  Personnel system;  Computer systems software;  Computer applications software Sub- systems

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.15  accounting transactions  correspondence  personnel information  customer and vendor information  entity objectives and standards  procedure manuals  information about external events, activities and conditions Input for Information System

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.16 Output of Information System Qaccounting reports Qbudget reports Qproduction reports Qoperating reports Qcorrespondence Qall the records and files generated by applications software

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.17 Obtain an understanding of the information system and the related business processes relevant to financial reporting in the following areas: The classes of transactions in the entity's operations that are significant to the financial statements. The procedures by which those transactions are initiated, recorded, processed and reported from their occurrence to their inclusion in the financial statements. The related accounting records, supporting information, and specific accounts in the financial statements.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.18 How the information system captures events and conditions, other than transactions, that are significant to the financial statements. The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures Obtain an understanding of the information system and the related business processes relevant to financial reporting in the following areas (continued):

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.19 Control Activities (Control Procedures) There are potentially many control activities, but they generally fall into five categories: Performance reviews; Information processing: proper authorization of transactions and activities, General Controls; Information: accuracy, adequate documents and records, Application controls; Physical control over assets and records; adequate Segregation of duties.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.20 Control Comments Transaction Records Application Controls General Controls Computer Facility Controls

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.21 Segregation of Duties Segregation of duties entail three fundamental functions which must be separated and adequately supervised:  authorization  recording  custody

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.22 Monitoring  Monitoring is assessing the design of controls and their operation on a timely basis and taking necessary corrective actions.  Ongoing monitoring information comes from several sources: exception reporting on control activities, reports by government regulators, feedback from employees, complaints from customers, and most importantly from internal auditor reports..

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.23 Evaluation of Monitoring When evaluating the ongoing monitoring the following issues might be considered: 4Periodic comparisons of amounts recorded with the accounting system and with physical assets. 4Responsiveness to internal and external auditor recommendations to strengthen internal controls. 4Extent to which training seminars, planning sessions and other meetings provide information on effective operation of controls. 4Effectiveness of internal audit activities 4Extent to which personnel obtain evidence on internal control function

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.24 Design of Internal Control To gain an understanding of the entity’s internal control, the auditor is required to evaluate the design of controls and determine whether they have been implemented. It is especially important to evaluate the design of (1) controls that address significant risks (2) controls for which substantive procedures alone is not sufficient.

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.25 Methods for Obtaining Controls Audit Evidence Obtaining audit evidence about the design and implementation of relevant controls may involve (1) Inquiring of entity personnel. (2) Observing and re-performing the application of a specific control. (3) Inspecting documents and reports, (4) Tracing transactions through the information system

[Hayes, Dassen, Schilder and Wallage, Principles of Auditing An Introduction to ISAs, edition 2.1] © Pearson Education Limited 2007 Slide 7.26 Thank You for Your Attention Any Questions?