1、Internal Control and Control Risk,Chapter 9,Learning Objective 1,Contrast managements need for internal control with the auditors need to consider internal control when designing an audit.,Inherent Limitations,Reasonable Assurance,Managements Responsibility,Key Concepts,Clients Concerns,Compliance w
2、ith applicable lawsand regulations,Reliability of financial reporting,Efficiency and effectiveness of operations,Auditor Concerns,Controls over classes of transactions,Controls related to reliability of financial reporting,Sales Transaction-Related Audit Objectives,Sales Transaction-Related Audit Ob
3、jectives,Objective General Form,Related Audit Objectives,Transactions are properly classified (classification).,Sales transactions are properly classified.,How Frauds Have Been Discovered,Notification by employee,Internal controls,Internal auditor,Customer notification,Accidental discovery,Managemen
4、t investigation,How Frauds Have Been Discovered,Anonymous reporting,Hot line notification,Employee investigation,Government notification,External auditor,Other sources,Learning Objective 2,Describe how information technology affects internal control.,Effect of Information Technology on Internal Cont
5、rol,Information Technology,Risks Associated With the Use of Information Technology,Programmed errors,Processing incorrect data,Unauthorized access,Learning Objective 3,Explain the five components of internal control.,Control Environment,Five Components of Internal Control,Risk Assessment,Control Act
6、ivities,Information and Communication,Monitoring,The Control Environment,Integrity and ethical values,Commitment to competence,Board of directors or audit committee participation,Managements philosophy and operating style,The Control Environment,Organizational structure,Assignment of authority and r
7、esponsibility,Human resources policies and practices,Risk Assessment,Identify factors affecting risk.,Assess significance of risks and likelihood of occurrence.,Determine actions necessary to manage risk.,Control Activities,1. Adequate separation of duties,2. Proper authorization of transactions and
8、 activities,3. Adequate documents and records,4. Physical control over assets and records,5. Independent checks on performance,Adequate Separation of Duties,Proper Authorization of Transactions and Activities,General authorization,Specific authorization,Adequate Documents and Records,Prenumbered con
9、secutively,Prepared at the time of transaction,Designed for multiple uses,Constructed to encourage correct preparation,Simple enough to ensure understanding,Physical Control over Assets and Records,Physical precautions,Controls related to IT equipment, programs, and data files,Independent Checks on
10、Performance,The need for independent checks arise because internal control tends to change over time unless there is a mechanism for frequent review.,Information and Communication,The purpose of an accounting information and communication system is to,initiate, record, process, and report the transa
11、ctions and to maintain accountability for the related assets.,Monitoring,Managements ongoing and periodic assessment of the quality of internal control performance ,to determine whether controls are operating as intended and modified when needed.,Learning Objective 4,Explain methods used to obtain a
12、n understanding of internal control.,Understanding Internal Control and Assessing Control Risk,Obtain Understanding of Internal Control: Design and Operation,Assess Control Risk,Test Controls,Decide Planned Detection Risk and Substantive Tests,Reasons for Sufficiently Understanding Internal Control,
13、SAS 55 (as amended by SAS 78 and 594 plus AU319) requires the auditor to obtain an understanding of internal control for every audit.,Minimum audit planning matters,AuditabilityPotential materialmisstatementsDetection riskDesign of test,Procedures to Determine Design and Placement,Update and evaluat
14、e auditors previous experience with the entity.,Make inquires of client personnel.,Read clients policy and systems manuals.,Examine documents and records.,Observe entity activities and operations.,Documentation of the Understanding,Narrative,Flowchart,Internal control questionnaire,Learning Objectiv
15、e 5,Assess control risk by linking strengths and weaknesses of internal control to transaction- related audit objectives.,Assess Control Risk,Obtain sufficient understanding for planning.,Assess whether the entity is auditable.,Determine assessed control risk.,Assess if a lower control risk could be
16、 supported.,Determine the appropriate assessed control risk.,Assess Control Risk,Identify transaction-related audit objectives.,Identify specific controls.,Identify and evaluate weaknesses.,Identify and Evaluate Weaknesses,Identify existing controls.,Identify the absence of key controls.,Determine m
17、isstatements that could result.,Consider compensating controls.,The Control Risk Matrix,Auditors use the control risk matrix to identify both controls and weaknesses and to asses control risk.,Communication,Reportable conditions letter,Management letters,Audit committee communications,Learning Objec
18、tive 6,Describe the process of designing and performing tests of controls.,Tests of Controls,The procedures to test effectiveness of controls in support of a reduced assessed control risk are called tests of controls.,Procedures for Tests of Controls,Make inquiries of client personnel.,Examine docum
19、ents, records, and reports.,Observe control-related activities.,Reperform client procedures.,Extent of Procedures,Reliance on evidence from prior years audit,Testing less than the entire audit period,Relationship of Assessed Control Risk and Extend of Procedures,Assessed Control RiskHigh Level: Lowe
20、r Level:Obtaining an Tests of Type of Procedure Understanding Only Controls,Inquiry Yes extensive Yes some Documentation Yes with transaction Yes usingwalk-through sample Observation Yes with transaction Yes multiplewalk-through times Reperformance No Yes sampling,Decide Planned Detection Risk and Design Substantive Tests,The auditor uses the results of the control risk assessment process and tests of controls to determine the planned detection risk and related substantive tests.,The auditor links the control risk assessments to the balance-related audit objectives.,End of Chapter 9,
