
Internal Control and Control Risk

Internal Control and Control Risk. Week 6. Five Components of Internal Control. Control environment. Risk assessment. Information and communication. Control activities. Monitoring. The Control Environment. Integrity and ethical values. Commitment to competence.

izzy

Presentation Transcript


  1. Internal Control and Control Risk Week 6

  2. Five Components of Internal Control Control environment Risk assessment Information and communication Control activities Monitoring

  3. The Control Environment Integrity and ethical values Commitment to competence Board of directors or audit committee participation Management’s philosophy and operating style

  4. The Control Environment (Contd.) Organizational structure Assignment of authority and responsibility Human resources policies and practices

  5. Risk Assessment Identify factors affecting risk. Assess significance of risks and likelihood of occurrence. Determine actions necessary to manage risk.

  6. Control Procedures 1. Adequate segregation of duties 2. Proper authorization of transactions and activities 3. Adequate documents and records 4. Physical control over assets and records 5. Independent checks on performance

  7. Adequate Separation of Duties • Custody of assets from accounting • Authorization/recording of transactions from the custody of related assets • Operational responsibility from record-keeping responsibility • IT duties from user departments

  8. Proper Authorization of Transactions and Activities General authorization Specific authorization

  9. Adequate Documents and Records Prenumbered consecutively Prepared at the time of transaction Simple enough to ensure understanding Designed for multiple use Constructed to encourage correct preparation

  10. Physical Control over Assets and Records The most important type of protective measure for safeguarding assets and records is the use of physical precautions.

  11. Independent Checks on Performance/Performance Review The need for independent checks arises because internal control tends to change over time unless there is a mechanism for frequent review.

  12. Information and Communication The purpose of an accounting information and communication system is to… initiate, record, process, and report the transactions and to maintain accountability for the related assets.

  13. Monitoring Monitoring activities deal with management’s ongoing and periodic assessment of the quality of internal control performance… to determine whether controls are operating as intended and modified when needed.

  14. Effect of Entity Size on Internal Control – Small/mid-sized entities • May not have resources to adopt adequate control systems • Control environment: Few/single owners, directly involved with daily operations, potential of overriding controls • No written code of conduct, less formal risk assessment, control procedures & info/ communication components

  15. Effect of Entity Size on Internal Control (Contd.) • Alternative approach: • Control environment/control procedures: develop culture emphasizing integrity/ethical behaviour through oral communication/example of owner-manager • Risk assessment process: Owner-manager’s involvement in daily operations → highly effective control that identifies risks affecting the entity.

  16. Effect of Entity Size on Internal Control (Contd.) • Info/communication channels: fewer levels in organisational hierarchy, greater visibility of mgt • Monitoring: mgt’s close involvement in operations

  17. Limitations on Internal Control • Management override • Personnel errors/mistakes • Collusion

  18. Understanding Internal Control and Planning Audit Strategy • Obtain understanding of internal control and make a preliminary assessment of control risk • Choose an audit strategy for a cycle/specific assertion: • Substantive strategy • Reliance strategy

  19. Consideration of the Internal Control in Planning an Audit • The auditor can choose from two audit strategies: • no-reliance/substantive strategy • reliance strategy • No one audit strategy for entire audit. • Auditor establishes a strategy for individual accounting cycles/specific audit objectives/assertions.

  20. Substantive Strategy • An auditor uses a substantive strategy because of one or all of the following factors: • The controls do not pertain to an assertion. • The controls are assessed as ineffective. • Evaluating the effectiveness is inefficient.

  21. Reliance Strategy • An auditor’s decision to follow a reliance strategy involves: • Identifying specific internal controls relevant to specific assertions that are likely to prevent or detect material misstatements. • Testing of controls to evaluate their effectiveness.

  22. Internal Control Objectives - Related Audit Objectives Internal control objectives Related audit objectives Validity/existence Validity/existence Valuation Authorisation Classification Timeliness Completeness Posting & summarisation Valuation Cut-off Classification Accuracy, disclosure Ownership Completeness

  23. Understanding Internal Controls (Both strategies - Step 1) • The auditor’s knowledge from understanding internal control is used to: • Identify the types of potential misstatements. • Determine control risk, which in turn affects detection risk. • Assist in the design of substantive tests.

  24. Understanding Internal Controls (Both strategies - Step 1) • In deciding on the nature and extent of the understanding of the internal control, the auditor should consider the following items: • Knowledge from previous audits. • Understanding of the entity's industry. • Assessments of inherent risk. • Judgments about materiality. • The complexity and sophistication of the entity's operations and systems.

  25. Understanding the Components of Internal Control • The auditor must understand the five components of internal control: • The control environment • Risk assessment • Control activities • Information and communication • Monitoring

  26. Audit Procedures • The auditor uses the following audit procedures to obtain an understanding of internal control: • Inquiry of appropriate management, supervisory, and staff personnel. • Inspection of entity documents and reports. • Observation of the entity's activities and operations.

  27. Documentation of Internal Controls (Both strategies – Step 2) Procedures manuals & Orgn charts Flowchart Internal control questionnaire Narrative

  28. Tests of Controls (Reliance strategy – Step 3) • = Audit procedures directed towards either the effectiveness of the design or operation of an internal control policy or procedure • Inquiry of appropriate client personnel. • Inspections of documents, reports, and electronic media indicating the performance of the control. • Observation of the application of the control. • Reperformance of the application of the control by the auditor.

  29. Documenting the Assessed Level of Control Risk (Reliance strategy – Step 4) • Evaluate control risk • if substantive strategy → CR maximum • if reliance strategy → must evaluate results of test of controls = assessed CR • if TOC are consistent with planned CR assessment → no revision in planned substantive procedures • if not → modify nature, extent, timing of planned substantive procedures

  30. Performing Substantive Tests (Reliance strategy – Step 5) • Relates to detection risk → AAR = IR x CR x PDR • Cannot eliminate substantive procedures completely. • Low detection risk: Nature: audit tests for all audit objectives, using all audit procedures; Timing: mostly at year end; Extent: extensive testing • High detection risk: Nature: corroborative audit tests, e.g. physical exam, AP, STOT; Timing: interim & year end; Extent: limited testing

  31. Timing of Audit Procedures • Auditing procedures can be conducted at: • an interim date, or • at year end

  32. Interim Tests of Controls • The auditor should consider the following factors in determining the nature and extent of audit work for the remaining period (pre-final) for tests of controls: • Significance of the internal control objective • Evaluation of the design and operation of the control • Results of tests of controls • Length of the remaining period • Planned substantive tests

  33. Interim Substantive Procedures • The level of control risk. • Changing business conditions or circumstances that may cause management to misstate financial statements in the remaining period. • Control procedures are present for ensuring that the account is properly analyzed and adjusted, including proper cutoff procedures. • The auditor’s ability to investigate the remaining period.

  34. Communication of Internal Control – Related Matters • ISA 260, “Communication of Audit Matters with those Charged with Governance” • auditor to communicate, as soon as practicable, material weaknesses in the design/ operation of the accounting/internal control systems

  35. Internal control weaknesses Significant deficiencies in the design or operation of the internal control which could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with management's assertions.

  36. Communicate Internal Control Deficiencies and Related Matters Audit committee communications Management letters
