Topic 5: Internal controls and risk assessment


1 Topic 5: Internal controls and risk assessment

2 Topic learning outcomes
Five learning outcomes (labelled A to E on the slide):
- Define key internal control concepts and explain the audit logic of assessing control risk
- Understand the key elements of the internal control structure
- Describe the general objectives of internal control and how the auditor uses them to develop specific control objectives
- Explain how the auditor undertakes an assessment of control risk and how this assessment impacts upon audit procedures
- Distinguish between key controls and identify those controls that affect the auditor’s assessment of control risk in a computerised system

3 Audit strategies and internal control
What level of detection risk (DR) is acceptable given the assessed level of control risk (CR) and inherent risk (IR)?
- Predominantly substantive approach: no reliance on controls
- Low control risk approach: to rely on controls, must test
To assess control risk as high, the auditor must expect that substantive procedures alone will provide sufficient appropriate evidence.
Areas where substantive procedures alone may not provide sufficient appropriate evidence include routine recording of significant classes of transactions, such as revenue or purchases. These areas are often highly automated with little or no manual intervention.
IR/CR move in the OPPOSITE direction to DR.

4 Audit strategy and internal control
Per ASA 315.4(c), ‘internal control’ is the process designed and implemented by those charged with governance to provide reasonable assurance regarding:
- the achievement of the entity’s financial reporting objectives
- the effectiveness and efficiency of operations, and
- compliance with laws and regulations
The importance of internal control has increased as business entities become larger and more complex.

5 Internal control – auditor requirements
- obtain an understanding of internal control relevant to the audit (ASA )
- control risk significantly impacts the risk of misstatement, so consider control risk when identifying and assessing the risks of material misstatement at:
  - the financial report level (ASA315.25a)
  - the assertion level (ASA315.25b)

6 Inherent limitations of internal control
An auditor can never rely completely on the internal control system. Inherent limitations arise because of:
- control breakdowns as a result of the actions of careless, fatigued or deviant staff
- the possibility of management override
- the existence of non-routine transactions for which internal controls were not devised.

7 Internal control objectives
- Risks are identified and minimised
- Management decision making is effective and business processes efficient
- Transactions are carried out in accordance with management’s authorisation
- Laws, rules and regulations are complied with
- Transactions are promptly and accurately recorded
- Access to assets is limited in accordance with management’s authorisation

8 Management controls (B)
Activities undertaken by senior management to mitigate strategic risks to the entity. Include:
- establishing lines of authority and accountability
- monitoring risk environments
- defining policies and procedures for dealing with these risks
- monitoring performance through performance indicators and benchmarking.
Audit implication, an example: management monitor main competitors for new product time to market. This is a leading indicator of potential competitive problems and informs the auditors’ assessment of control risks surrounding revenues and inventory valuation.

9 Transaction controls (B)
Generally performed by staff and lower level management. Every transaction goes through the identifiable steps of authorisation, execution and recording. These controls:
- are generally focused on internal risks and reflect the formal policies and procedures defined by senior management
- deal primarily with the reliability of accounting information and compliance with rules and regulations
- control the flow of transactions through the accounting system and safeguard related assets by authorising and recording transactions
Audit implications: detailed coverage in next topic.

10 Elements of internal control
ASA (and Appendix)
- Control environment: management’s overall attitude
- Entity’s risk assessment process: identifying and responding to risks
- Information system: identifying, recording, classifying, presenting all valid transactions
- Control activities: procedures to ensure management directives are carried out
- Monitoring of controls: evaluating the design and performance of internal controls, taking corrective action

11 Segregation of duties for transactions
A transaction generally passes through four phases:
- Authorisation: the initial approval for an exchange transaction
- Execution: commits the entity to the exchange, e.g. placing an order
- Custody: the physical act of accepting, delivering or maintaining the asset
- Recording: the entry of the transaction data into the accounting system.
Ideally, all four phases should be kept separate.

12 Control activities and assertions
What do you notice about all these assertions?
Assertion, focus and examples:
- Occurrence. Focus: authorisation and approval of transactions. Examples: set price lists, credit limits for sales.
- Completeness. Focus: accounting for sequence of transactions. Examples: pre-numbered documents, matching related source documents.
- Accuracy. Focus: calculations related to transactions. Examples: debits/credits, control totals.
- Cut-off. Focus: date of transactions. Examples: subsequent payments review.
All to do with transactions.
At the end of the day we want to tie these control activities to assertions.
- Occurrence: general authorisation applies to high-volume, recurring transactions, e.g. credit limits for credit sales; if a potential sale on credit exceeds the amount then approval is required.
- Completeness: focusing on sequencing makes sure transactions aren’t missed. Could do this by checking pre-numbered documents, but could also match related source documents such as purchase order and GRN with vendor invoice to confirm that goods ordered and received are recorded as accounts payable.
- Accuracy: double-entry bookkeeping is a built-in error detection system. Control totals: checking dollar amounts back to supporting documentation with control totals, e.g. 5 documents totalling $1,200 cash payments; the system needs to report that 5 documents and $1,200 were processed; if one is entered in error there would be a variance.
- Cut-off: e.g. independent review of transactions around balance date of account coding.

13 Understanding the internal control structure (C)

14 1. Understanding the control environment
An auditor gains an understanding of the control environment by:
- making inquiries of key management personnel
- inspecting documented policies and procedures
- observing activities and operations
- considering past experience with the client

15 2. Understanding the risk assessment process
- Inquire of management about how they identify and address significant business risks (ASA ); the focus is on those likely to result in a material misstatement.
- If an auditor identifies a risk of material misstatement during the audit that management failed to identify, the auditor must consider whether management should have identified it and, if so, why the process failed (ASA ).

16 3. Understanding the information system
(ASA ) An auditor is required to obtain sufficient understanding of the key aspects of the information system, such as:
- significant classes of transactions
- initiation of transactions
- records, documents and accounts
- accounting processing
- financial reporting procedures
Being able to follow transaction flows (the audit trail) is an important technique in understanding the information systems.

17 4. Understanding control activities
Procedures include:
- inquiry of appropriate client personnel
- inspection of documentation
- observation of the entity’s activities, operations and procedures
- walk-through

18 5. Understanding monitoring of controls
- (ASA ) The auditor needs to understand the major activities that the client uses to monitor internal control over financial reporting.
- (ASA ) The auditor needs to understand the sources of the information related to the entity’s monitoring activities and the basis upon which management considers the information to be sufficiently reliable, e.g. information from external parties such as customer complaints and comments from regulatory bodies.

19 Documenting an understanding of internal control
- Internal control questionnaires and checklists
- Narrative memoranda: written description of internal control policies and procedures
- Flowcharts: diagrams of information systems and control activities
Flowcharts on p. 352 and 353

20 Assessing control risk
(D) After obtaining an understanding of internal control, the auditor assesses control risk for the assertions in the related account balances and transaction classes.
High if:
- Controls are shot; OR
- Controls effective, but the audit tests to gather evidence of their effectiveness would be more time consuming than performing substantive tests; or
- Do not pertain to the particular assertion
If less than high:
- Auditor identifies specific control activities relevant to particular assertions that are likely to prevent or detect material misstatements in those assertions.
- Auditor then performs tests of controls for each account balance or transaction class to evaluate the effectiveness of these controls.

21 Control in computerised systems
Two main categories:
- User controls: established and maintained by departments whose processing is performed by computer.
- IT controls: established and maintained at the location of the computer. Two types:
  - General: relate to a number of application systems (segregation of duties, control over programs, control over data)
  - Application: relate to a particular application (control totals, processing controls, output controls)

Two main categories of levels of controls (the distinction is based on location; IT controls are maintained at the location of the computer):
- User controls: user departments are responsible for establishing and maintaining control over the information from their department which is processed by computer, e.g. the payroll department may determine gross payroll and number of cheques to be prepared before processing and then compare the computer output received from the IT department with those totals.
- IT controls: those controls established and maintained at the location of the computer, for example in data-processing departments.

Key general controls (e.g. controls over the development of and changes to application software affect all accounting applications):
- Segregation of duties: in IT, separate those with access and those with an understanding of systems.
- Control over programs: development or acquisition of new programs, changes to existing programs, access to programs, specialised systems software. Any modifications should be appropriately authorised, approved and tested.
- Control over data: control procedures in user departments to ensure restricted access (e.g. key passes, locks), control procedures in CIS departments at input and processing stage, restriction of access to data files (e.g. password).

Key application controls (e.g. a programmed control for validating customers’ account numbers affects only the sales system):
- Control totals: financial totals, record totals, hash totals.
- IT application controls, usually classified into the following categories: input controls (such as key verification), file controls, processing controls (checking numerical sequence of records), output controls (numerical sequence of records).
- Review and reconciliation of data, error correction and resubmission procedures, authorisation of each transaction and batch of transactions.
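The control totals named above (record, financial and hash totals), reconciled the way the payroll note describes and using the 5-document, $1,200 batch from the assertions slide. This is an added example, not part of the original presentation; the transaction fields, document numbers and account numbers are constructed sample data.

```python
from decimal import Decimal
from typing import NamedTuple

class Txn(NamedTuple):
    doc_no: int       # pre-numbered source document (assumed field)
    account: int      # payee account number (assumed field)
    amount: Decimal

class ControlTotals(NamedTuple):
    record_total: int          # number of documents in the batch
    financial_total: Decimal   # sum of dollar amounts
    hash_total: int            # sum of account numbers; meaningless except as a check

def control_totals(batch):
    return ControlTotals(
        len(batch),
        sum((t.amount for t in batch), Decimal("0")),
        sum(t.account for t in batch),
    )

def reconcile(expected, processed):
    """Return the names of the totals that differ after processing."""
    actual = control_totals(processed)
    return [f for f in ControlTotals._fields
            if getattr(expected, f) != getattr(actual, f)]

def missing_documents(batch):
    """Gaps in the pre-numbered sequence (completeness check)."""
    seen = {t.doc_no for t in batch}
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)

# Constructed sample: 5 cash-payment documents totalling $1,200.
SUBMITTED = [
    Txn(1001, 4101, Decimal("100.00")),
    Txn(1002, 4102, Decimal("250.00")),
    Txn(1003, 4103, Decimal("300.00")),
    Txn(1004, 4104, Decimal("150.00")),
    Txn(1005, 4105, Decimal("400.00")),
]
EXPECTED = control_totals(SUBMITTED)   # computed by the user department

DROPPED = SUBMITTED[:2] + SUBMITTED[3:]                      # one document lost
MISKEYED = [SUBMITTED[0]._replace(amount=Decimal("10.00"))] + SUBMITTED[1:]
WRONG_ACCT = SUBMITTED[:3] + [SUBMITTED[3]._replace(account=4140)] + SUBMITTED[4:]

if __name__ == "__main__":
    for name, out in [("dropped", DROPPED), ("miskeyed", MISKEYED),
                      ("wrong account", WRONG_ACCT)]:
        print(name, reconcile(EXPECTED, out), missing_documents(out))
```

A hash total is order-independent, so two account numbers swapped between records leave all three totals unchanged; that error needs a record-level check such as matching against source documents.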

22 General and application controls: the relationship
- If general controls are unreliable, an auditor has little confidence in programmed application controls and reduced confidence in manual application controls → auditor takes a more substantive approach to the audit.
- If general controls are reliable, the auditor makes a preliminary evaluation of application controls. If reliance on application controls is then planned, a more detailed evaluation of these controls is made → auditor determines the appropriate degree of testing of controls and substantive testing.

23 Control systems in different environments
- Database: computer-readable file of records used by many accounting applications. In order to handle processing of data, a system software program called a database management system (DBMS) is used. Many controls are built in; thus, the auditor may be able to rely on controls.
- Stand-alone PCs: can cause the distinction between general and application controls to be blurred and controls to be less structured. Thus, control risk is commonly assessed as high.

24 Learning outcomes update
Five learning outcomes (labelled A to E on the slide):
- Define key internal control concepts and explain the audit logic of assessing control risk
- Understand the key elements of the internal control structure
- Describe the general objectives of internal control and how the auditor uses them to develop specific control objectives
- Explain how the auditor undertakes an assessment of control risk and how this assessment impacts upon audit procedures
- Distinguish between key controls and identify those controls that affect the auditor’s assessment of control risk in a computerised system

