Auditing 81.3550
Internal Control Studies & Risk
Assessment
Chapter 9
Highlights
• What is internal control?
• Why is it important?
• How do auditors study, evaluate and
document an organization’s internal control
processes?
• What types of tests are used?
• Understanding the two basic audit
approached commonly used
What is internal control?
Internal control consists of the policies &
procedures established & maintained by
management to assist in orderly & efficient
conduct of business.
•Need to keep in mind the cost vs. benefit of
internal control processes and procedures
Internal Control
Internal control is a process designed to
provide reasonable assurance regarding the
achievement of management’s objectives
regarding:
• reliability of controls
• optimizing use of resources
• safeguarding of assets
• preventing & detecting fraud & error
Steps in audit planning
preplan
obtain
background
information
set
materiality, and
assess acceptable
audit risk and
inherent risk
obtain
information
about
client’s legal
obligations
understand
internal control
and assess
control risk
perform
preliminary
analytical
procedures
Why is an
understanding of internal
control important?
Copyright  2003 Pearson Education Canada Inc.
9-9
Why is an
understanding
of internal
control
important?
Second Examination Standard:
A sufficient understanding of internal
control should be obtained to plan the audit.
Copyright  2003 Pearson Education Canada Inc.
9 - 10
Audit Risk has 3 components
which combine to make the
audit risk model:
audit
inherent
=
x
risk
risk
control
detection
x
risk
risk
the
risk that material
misstatements will not be
prevented or
detected by
internal controls
Copyright  2003 Pearson Education Canada Inc.
9 - 11
Key Internal Control Concepts
- internal control is the client’s responsibility and should be designed to help
the client attain goals
- internal control should provide reasonable but not absolute assurance;
cost/benefit must be considered
- internal control has inherent limitations (e.g., misunderstandings, mistakes, fatigue, carelessness, collusion,
management override)
Copyright  2003 Pearson Education Canada Inc.
9 - 14
Components of
Internal Control
the control
environment
Control Environment
The control environment is the
actions, policies, and procedures
that reflect management’s
attitude regarding controls and
their importance.
Elements of the Control
Environment
• Management Philosophy and Operating
Style:
– Approach to monitoring and responding to risk
– Attitude and actions around financial reporting
– Emphasis on meeting goals both financial and
operational
– Honesty and type of business behaviours
exhibited and encouraged
Elements of the Control
Environment
• Board of Directors
and Audit
Committee:
– How active of a role does
the committee take in
running the company?
– Audit Committees
dealings and interest in
the auditors and their
work
Elements of The Control
Environment
• Organizational Structure
– Clearly defined lines of responsibility and
authority
Elements of The Control
Environment
• Methods used in the assignment of authority
and responsibly
What are the formal methods that management uses
to communicate internal controls to employees?
Job
Description
Memo:
Company
Policies
Employee
Handbook
Elements of The Control
Environment
• Management Control Methods
Do management’s
methods send a clear
message about the
importance of control?
Do management’s methods
serve to detect
misstatements?
Elements of The Control
Environment
• Systems Development Methodology
– Who can make modifications?
– What testing is done?
Does management have a
methodology for developing
and modifying systems and
procedures?
Elements of The Control
Environment
• Personal Policies and Practices
Management should ensure that competent,
trustworthy, motivated personnel are
employed to meet client goals and objectives.
Employees are the critical
component of effective internal
control.
Elements of The Control
Environment
• Management reactions to external
influences
• Should be aware of these influences and
prepared to react properly
Is management aware of external
influences such as changes in the
economy and technology?
Elements of The Control
Environment
• Internal Audit
•Does an internal audit
department exist?
•Does it effectively
monitor control policies
and procedures, and
enhance operational
effectiveness and
efficiency?
•Who does the internal
audit department report
to?
Components of
Internal Control
control
systems
Accounting
Systems
+
Control Procedures
Components of Internal
Control
accounting
systems
Accounting systems have several
subcomponents - classes of
transactions
Components of Internal
Control
control
procedures
Control procedures are policies and
procedures, in addition to those related to
other components, established to enable
the entity to address risks in the
achievement of their objectives.
Categories of Control
Procedures
• Appropriate segregation of duties
– Separate custody of assets from accounting
– Separate custody of assets from
authorization of transactions
– Separate operational responsibility from
record keeping
– Adequate segregation of duties within EDP
– Reconciliation – i.e. separate from
transaction data entry clerk
Categories of Control
Procedures
• Can be difficult in
smaller companies due
to the costs involved
• Fewer employees
make segregation
tough
Categories of Control
Procedures
...we’re agreed.
We’ll be rich beyond our wildest
dreams!
• Segregation of duties
designed to help
prevent loss but
difficult if there is
collusion
• Collusion is the defeat
of adequate
separation of duties
wherein employees
cooperate to
perpetrate fraud.
Why is collusion
particularly troublesome
for auditors?
Competent,
untrustworthy,
motivated
personnel often
know how to
conceal their fraud.
Categories of Control
Procedures
• Proper authorizations of transactions and
activities
– general authorization - management
establishes authorization policies
– specific authorization - management makes
authorizations on a case-by-case (ie all A/P requests)
accounts
payable
policies &
procedures
cash
receipts
policies &
procedures
personnel
policies &
procedures
Categories of Control
Procedures
• Adequate Documents and Records
•should provide reasonable assurance that all
assets are properly controlled and all transactions
are correctly recorded.
Design and Use of Documents, Input
Screens, and Electronic Transactions
• Documents should be
prenumbered and
accounted for
• Documents should be
complete soon after
the transaction
• Documents should be
understandable,
correctly designed
including routing and
authorizations
• Documents should be
designed for
multipurpose
Categories of Control
Procedures
• Adequate safeguards over access to and use of
assets and records
• Examples include physical: locking rooms,
fenced areas, fireproof safes, safe deposit
boxes, security guards;
access; backup files and recovery
Categories of Control
Procedures
• Independent verification
of performance and the
accuracy of recorded
amounts
• Controls may change or be
forgotten about if not
followed up on or performed
• Segregation of duties
between required
What are the elements of
internal control?
the control
environment
accounting
systems
control procedures
Copyright  2003 Pearson Education Canada Inc.
9 - 77
Control
Examination
Overview
Obtain an understanding
of internal control.
HOW?
Copyright  2003 Pearson Education Canada Inc.
9 - 78
Control
Examination
Overview
Obtain an understanding
of internal control.
- review prior year’s
working papers
- interview prior year
auditors
- interview client
personnel
- study client policies and
procedures
- study client documents,
records, information and
communication system
Copyright  2003 Pearson Education Canada Inc.
9 - 79
Control
Examination
Overview
How do auditors
document their understanding of internal
control?
Copyright  2003 Pearson Education Canada Inc.
9 - 80
Control
Examination
Overview
How do auditors
document their understanding of internal
control?
- narratives
- flowcharts
- internal control
questionnaires
What is an
internal control
questionnaire?
Copyright  2003 Pearson Education Canada Inc.
9 - 82
Internal Control Questionnaire
- a series of questions about internal
controls and their application to groups
of accounts and cycles
- generally, a “no” answer indicates an
internal control weakness
What are the
advantages provided by
an IC questionnaire?
Copyright  2003 Pearson Education Canada Inc.
9 - 85
Internal Control Questionnaire
What are the
advantages provided by
an IC questionnaire?
- can be designed to cover most aspects
of internal control
- is relatively applicable from one engagement to another
- when complete, can be quickly reviewed for weaknesses
Copyright  2003 Pearson Education Canada Inc.
9 - 86
Internal Control Questionnaire
What are the
disadvantages of using
an IC questionnaire?
- concentrates on pieces of internal control rather than the system as a whole
- has questionable reliability; oral client responses should be supported
by other evidence
- may be too standardized for some
clients, especially smaller clients
Copyright  2003 Pearson Education Canada Inc.
9 - 88
Control
Examination
Overview
Are
financial statements
auditable?
Copyright  2003 Pearson Education Canada Inc.
9 - 89
Control
Examination
Overview
Are
financial statements
auditable?
When would the
answer be NO?
- management lacks
integrity
- significantly deficient
accounting records or
internal controls
Copyright  2003 Pearson Education Canada Inc.
9 - 91
Control
Examination
Overview
Assess control risk, based
on understanding.
Copyright  2003 Pearson Education Canada Inc.
9 - 92
Control
Examination
Overview
Assess the cost/benefit of
further enhancing understanding of internal control.
Copyright  2003 Pearson Education Canada Inc.
9 - 93
Control
Examination
Overview
max.
support
low
Assess
control
risk.
- maximum:
poor controls indicate
a very risky situation
or more efficient to do
100% substantive audit
Copyright  2003 Pearson Education Canada Inc.
9 - 95
Assess
control
risk.
Control
Examination
Overview
max.
support
low
- maximum:
poor controls indicate
a very risky situation or
not efficient
- supportable:
risk is at a level
supported by
understanding obtained
Copyright  2003 Pearson Education Canada Inc.
9 - 96
Assess
control
risk.
Control
Examination
Overview
max.
support
low
- supportable:
risk is at a level
supported by
understanding obtained
- low:
effective controls indicate a lower level of risk
that could be supported
Copyright  2003 Pearson Education Canada Inc.
9 - 97
Control
Examination
Overview
Plan & perform tests of controls.
Copyright  2003 Pearson Education Canada Inc.
9 - 98
Control
Examination
Overview
Decide
whether the initial
internal control assessment
was appropriate.
Copyright  2003 Pearson Education Canada Inc.
9 - 99
Control
Examination
Overview
Based on appropriate
level of detection risk,
perform substantive tests.
Copyright  2003 Pearson Education Canada Inc.
9 - 100
When should weaknesses be
reported to the client?
When there are significant deficiencies
in the design or operation of internal
control.
GAAS requires the auditor to
communicate(oral or written) with the
audit committee regarding the significant
deficiencies.
Two Basic Audit Approaches
• Substantive Approach
– Used when decide not to
rely on internal controls
or not cost effective to do
so
– CR=Max, DR=Low
– No test of controls
required
– Extent of evidence
will be high
• Combination Approach
– Used when auditor can
rely on internal controls
for a specific assertion
– CR=below Max,
DR=Med-High
– Extent of evidence will be
medium to low
– Need to not only
understand IC system but
also do test of controls to
support assessment level
below max