The stages/activities involve in studying and evaluating internal control are:
A. Obtaining an understanding of the entity’s internal control structure.
B. Assessing the preliminary level of control risk.
C. Obtaining evidential matter to support the assessed level of control risk.
D. Evaluating the results of evidential matter.
E. Determining the necessary level of detection risk.
STAGE A. Obtaining an understanding of the entity’s internal control structure. In planning the audit examination, each of the five components of internal control must be studied and understood by the auditor to enable him to (1) identify types of potential misstatements; (2) consider factors that affect the risk of misstatement; and (3) begin to design appropriate testing procedure. Understanding the Control Environment
The auditor should obtain sufficient knowledge of the control environment to understand management’s and the board of director’s attitude, awareness, and actions concerning the control environment. The auditor should concentrate on the substance of management’s policies, procedures, and related actions rather than their form because management may establish appropriate policies and procedures but not act on them.
Understanding Control Procedures
Because some control procedures are integrated in specific components of the control environment and accounting system, as the auditor obtains an understanding of the control environment and accounting system, he is also likely to obtain knowledge about some control procedures. The auditor should consider the knowledge about the presence or absence of the control procedures obtained from the understanding of the control environment and accounting system in determining whether it is necessary to devote additional attention to obtain an understanding of control procedures to plan the audit. Understanding the Accounting and Internal Control Systems
To understand the design of the accounting information system, the auditor determines (1) the major classes of transactions of the entity; (2) how those transaction are initiated; (3) what accounting records exist and their nature; (4) how transactions are processed from initiation to completion, including the extent and nature of computer use; (5) the nature and details of the financial reporting process followed. Typically, this is accomplished and documented by a narrative description of the system or by flowcharting. The operation of the accounting information system is often determined by tracing one or few transactions through the system (called a transaction walk-through). Information controls relating to the accounting system are concerned with achieving objectives such as: Transactions are executed in accordance with management’s general or specific authorization.
All transactions and other events are promptly recorded in the correct amount, in the appropriate accounts and in the proper accounting period so as to permit preparation of financial statements in accordance with an identified financial reporting framework. Access to assets and records is permitted only in accordance with management’s authorization. Recorded assets are compared with the existing assets at reasonable intervals and appropriate action is taken regarding any differences. When obtaining an understanding of the accounting and internal control systems to plan the audit, the auditor obtains knowledge of the design of the accounting and internal control systems.
When the transactions selected are typical of those transactions that pass through the system, this procedure may be treated as part of tests of control. The nature, timing, and extent of the procedures performed by the auditor to obtain an understanding of the accounting and internal control systems will vary with, among other things: The size and complexity of the entity and of its computer system. Materiality considerations.
The type of internal controls involved.
The nature of the entity’s documentation of specific internal controls. The auditor’s assessment of inherent risk.
Ordinarily, the auditor’s understanding of the accounting and internal control systems significant to the audit is obtained through previous with the entity and is supplemented by: a. Inquiries of appropriate management, supervisory and other personnel at various organizational levels within the entity, together with reference to documentation, such as procedures manuals, job descriptions, and flow charts; b. Inspection of documents and records procedure by the accounting and internal control systems; and c. Observation of the entity’s activities and operations, including observation of the organization of computer operations, management personnel and the nature of transaction processing.
The auditor determines the policies, procedures, methods, and records placed in operation by inspecting documents and directly observing the policies and procedures in use. The auditor can examine actual, completed documents and records to bring the contents of the manual to life and better understand them. In addition, the auditor can observe client personnel in the process of preparing them and carrying out their normal accounting and control activities. This further enhances understanding and knowledge that controls have been placed in operation. Documentation of Understanding
The auditor should document the understanding of the entity’s internal control structure elements obtained to plan the audit. The form and extent of this documentation is influenced by the size and complexity of the entity, as well as the nature of the entity’s internal control structure. Generally, the more complex the internal control structure and the more extensive the procedures performed, the more extensive the auditor’s documentation should be.
1. Internal Accounting Control Questionnaire
Internal accounting control questionnaire contains a series of questions designed to detect control weaknesses. Most questionnaires are designed to yield “yes”, “no”, or “not applicable” answers to the questions. A “yes” answer generally indicates a satisfactory degree of internal accounting control while a “no” answer indicates a possible weakness in control or at least indicates that further investigation is required. If the weakness is material, them it should be reported to a senior management, the board of directors, and the audit committee. “Material weakness is one in which the procedures or degree of compliance with the procedures fail to provide reasonable assurance that material errors or irregularities would be prevented or promptly detected during the accounting process.” In completing the internal control questionnaire, the auditor should consider the following critical aspects:
1. Is the system of internal control sound?
2. If it is not reliable, what errors might occur?
3. What alternative audit procedures should be adopted if the system is unreliable? Advantages
They provide audit assurance that attention is given to presence or absence of all controls listed and that certain features of the system are not overlooked. They provide a means of obtaining uniform documentation of internal control system reviewed. They provide inexperienced audit staff members with guidance in performing internal control reviews. They facilitate the early detection of potential weaknesses in the system. Disadvantages
Auditor may view the questionnaire device for accomplishing an automatic evaluation of internal control. Controls listed on questionnaire may not suit the particular circumstances of a specific audit. The auditor may overlook pertinent control not included in the questionnaires. 2. Flowcharts
Flowchart is a symbolic diagram of a specific part of an internal accounting control system indicating the sequential flow of data and/or authority. An internal control flowchart uses standardized symbols, interconnecting lines, and annotations to represent information, document, and document flow. It provides a pictorial overview of a client’s internal control activities. It illustrates the interaction of individuals, records, and control related to a particular department or class of transactions. Internal control flowcharts generally reflect the segregation of duties by using a column across the top to reflect different departments and the flow of documents and the flow of documents from left to right. Advantages
Easily understood. Since flowcharts provide a visual description supplemented by a written narrative, they are more easily understood. Better overall picture or complex system. A complex system may be reduced to a one or two-page flowchart which might otherwise require a 15-page internal control questionnaire or a 10-page narrative memo. Parallels EDP documentation. EDP systems are commonly documented with flowcharts which make it easier for EDP purchase personnel to relate to the auditors. It is easy to update.
Higher level of knowledge and training are required to prepare a good flowchart of a complex system. Flowcharts take more time to prepare and require more knowledge. It is more difficult to spot internal control weakness.
The ff. questions should be answered before a flowchart is prepared:
1. Who performs the various functions in the routine?
2. Why are these functions performed?
3. What work is performed, and is the work considered input or output?
4. When are the functions performed and in what sequence?
5. How are the functions performed and in what sequence?
Conference with senior management, supervisors, and employees using the above checklist should be conducted by the independent auditor before flowcharting the routine. In addition, copies of all forms, documents and reports used in the routine to be flowcharted should be obtained. A primary purpose of the internal control flowchart is to communicate effectively. The ff. techniques should assist in meeting this goal: Standardized symbols. Auditors use a uniform set of symbols developed by the American National Standards Institute (ANSI). Flowlines. The flow of documents should be from top to bottom and left to right. Arrowheads may be used on all lines and should be used when the flow is not standard or is bi-directional.
Documents. When a document is created, its source should be indicated. Multiple-document symbols are required when multiple copies of the document are prepared. The disposition of every copy or each document should be shown. Processing. Processing symbols are used to identify any procedures applied to documents such as their being filed. Annotations. Comments and explanations should be used to make the flowchart easier to understand or more complete. The ff. guidelines may be useful in preparing a flowchart:
Determine the class of transactions or transaction cycle to be flowcharted. Obtain an understanding of internal control by making inquiries of client personnel, observing employee activities, and examining documents, records,
and policies and procedures manuals. Organize the flowchart into columns, using a different column for each department, function, or individual. Draw a sketch of the flowchart. Draw the flowchart and insert comments and annotations.
Test the flowchart for completeness by following a few transactions through the chart.
3. Narrative Description
A narrative is a written description of a particular phase or phases or a control system. Although useful for describing simple systems, narratives may be adequate when a system is complicated or frequently revised. If the systems are extensive and/or complex, separate narratives may be prepared for a smaller groups of control which relate to specific classes of transactions or accounts. Some auditor prepare narrative descriptions to accompany internal control questionnaire or flowcharts in order to provide information not otherwise included. Advantages:
Narrative is flexible and may be tailor-made for engagement. Requires a detailed analysis and thus forces auditor to understand functioning of the system. Disadvantages:
Auditor may not have the ability to describe the system correctly and concisely. This may require more time and careful study.
Auditor may overlook important portions of internal control system. A poorly written internal accounting control narrative can lead to a misunderstanding of the system thus resulting in the improper design and application of compliance tests.
4. Internal Control Checklist
This contains a detailed enumeration of the methods and practices which characterize good internal control or of item to be considered in reviewing internal control.
5. Decision tables
In this approach, the system is depicted as decision points. Advantages and disadvantages are similar to those of the flowchart approach.
STAGE B. ASSESSING THE PRELIMINARY LEVEL OF CONTROL RISK
After obtaining an understanding of the accounting and internal control systems, the auditor should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions. The preliminary assessment of control risk is the process where the auditor evaluates the effectiveness of a client’s internal control policies and procedures in preventing or detecting material misstatements in the financial statement assertions, namely: (1)/(2) Existence/ Occurrence. Procedures that require documentation, approvals, authorization, verification, and reconciliations. (3) Completeness. Procedures that ensure that all transactions that occur are recorded such as accounting for numerical sequence of documents. (4) Right and obligations. Procedures that ensure that the entity has a right to asset or an obligation to pay arising from the transaction. (5)/(6) Valuation/ Measurement. Procedures that ensure that a proper price is charged and that mathematical accuracy are present in recording and in developing the accounting records and financial statement. (7) Presentation and Disclosure.
Procedures that indicate that a review has been made to ascertain that a transaction has been recorded in the proper account and that financial statement disclosure have been reviewed by competent personnel. The process of arriving at the auditor’s assessment of control risk is an iterative process that is refined as the auditor’s obtain more and more evidence about the effectiveness of various internal control policies and procedures. After obtaining the understanding of the internal control structure, the auditor may assess control risk at the maximum level. The term maximum level is used in this section to mean the greatest probability that a material misstatement that could occur in a financial statement assertion will not be prevented or detected on a timely basis by an entity’s internal control structure. Control risk may be assessed in quantitative terms, such as percentages, or in nonquantitative terms that range, for example, from a maximum to a minimum.
Assessing control risk at below the maximum level involves- Identifying specific internal control structure policies and procedure relevant to specific assertions that are likely to prevent or detect material misstatements in those assertions. Performing tests of control to evaluate the effectiveness of such policies and procedures. The preliminary assessment of control risk for a financial statement assertion should be high unless the auditor: a. Is able to identify internal controls relevant to the assertion which are likely to prevent or detect, and correct a material misstatement; and b. Plans to perform tests of control to support the assessment. Assessing Inherent Risk
In developing the overall audit plan, the auditor should assess inherent risk at the financial level. In developing the audit program, the auditor should relate such assessment to material account balances and classes of transactions at assertion level, or assume that inherent risk is high for the assertion. To assess inherent risk, the auditor uses professional judgement to evaluate numerous factors, examples of which are: At the Financial Statement Level
The integrity of management.
Management experience and knowledge and changes in management during the period. Unusual pressure on management.
The nature of the entity’s business.
Factors affecting the industry in which the entity operates. At the Account Balance and Class of Transactions Level
Financial statement accounts likely to be susceptible to misstatement. The complexity of underlying transactions and other events which might require using the work of an expert. The degree of judgment involved in determining account balances. Susceptible of asset to loss or misappropriation.
The completion of unusual and complex transactions.
Transactions not subjected to ordinary processing.
Relationship between the Assessment of Inherent and Control Risks Management often reacts to inherent risk situations by designing accounting and internal control systems to prevent or detect, and correct misstatements and therefore, in many cases, inherent risk and control risk are highly interrelated. In such situations, if the auditor attempts to assess inherent risk and control risks separately, there is a possibility of inappropriate risk assessment. As a result, audit risk may be more appropriately determined in such situations by making a combined assessment. Identification of Specific Internal Control Policies to Specific Assertions Auditors are interested in control activities because they assist in establishing the validity of financial statement assertions. Controls that enhance the reliability of the financial statements may be preventive controls or detection controls.
Preventive controls avoid errors and irregularities while detection controls recognizing that error will occur even under ideal conditions provide for a “double-check” to locate significant occurrences after the fact. If an entity’s controls are found to be effective, the auditor may reduce the selected auditing procedures to test a group of assertions. Control activities may provide direct evidence about the many assertions. In identifying internal control structure policies and procedures relevant to specific financial statement assertions, the auditor should consider that the policies and procedures can have either a pervasive effect on many assertions or a specific effect on an individual assertion, depending on the nature of the particular internal control structure element involved. Conversely, some control procedures often have a specific effect on an individual assertion embodied in a particular account balance or transaction class. The objective of procedures performed to obtain understanding of the internal control structure is to provide the auditor with knowledge necessary for audit planning.
The objective of test of controls is to provide evidential matter to use in assessing control risk. When the auditor concludes that procedures performed to obtain the understanding of the internal control structure also provide evidential matter for assessing control risk, he should consider the degree of assurance provided by that evidential matter. Although such evidential matter may not provide sufficient assurance to support an assessed level of control risk that is below the maximum level of certain assertions, it may do so for other assertions and thus provide a basis for modifying the nature, timing, or extent of the substantive tests that the auditor plans for those assertions.
STAGE C. OBTAINING EVIDENTIAL MATTER TO SUPPORT THE ASSESSED LEVEL OF CONTROL RISK
The auditor obtains evidential matter to enable him to determine the proper level of control risk by performing test of controls or compliance tests on selected policies and procedures. Compliance procedures are designed to obtain reasonable assurance that those internal controls on which tests requiring inspection of documents supporting transactions to gain evidence that controls have operated properly and inquiries about and observation of controls which leave no audit trail. Test of Controls
Procedures directed toward either the effectiveness of the design or operations of an internal control structure policy or procedure are referred to as tests of controls. Tests to obtain such evidential matter ordinarily include procedures such as inquiries of appropriate entity personnel, inspection of documents and reports, and observations of the application of specific internal control structure policies and procedures. Tests of control are performed to obtain audit evidence about the effectiveness of the: a. Design of the accounting and internal control systems, that is, whether they are suitably designed to prevent or detect and correct material misstatements; and b. Operation of the internal controls throughout the period. The auditor should obtain audit evidence through tests of controls to support any assessment of control risk which is less than high. The lower the assessment of control risk, the more support the auditor should obtain that accounting and internal control systems are suitably designed and operating effectively.
When obtaining audit evidence about the effective operation of internal controls, the auditor considers how they were applied, the consistency with which they were applied during the period and by whom they were applied. The concept of effective operation recognizes that some deviations may have occurred. Deviations from prescribed controls may be caused by such factors as changes in key personnel, significant seasonal fluctuations in volume of transactions and human error. In computer information system environment, the objectives of tests of controls do not change from those in a manual environment; however, some audit procedures may change. The auditor may find it necessary, or may prefer, to use computer-assisted audit techniques.
STAGE D. EVALUATING THE RESULTS OF THE EVIDENTIAL MATTER
Based on the results of the tests of controls, the auditor should evaluate whether the internal controls are designed and operating as contemplated in the preliminary assessment of control risk. The evaluation of deviations may result in the auditor concluding that the assessed level of control risk needed to be revised. In such cases, the auditor would modify the nature, timing, and extent of planned substantive procedures. The conclusion reached as a result of assessing control risk is referred to as the assessed level of control risk. In determining the evidential matter necessary to support a specific assessed level of control risk below the maximum level, the auditor should consider the characteristics of evidential matter about the control risk.
Generally, however the lower the assessed level of control risk, the greater the assurance the evidential matter must provide that the internal control structure policies and procedures relevant to an assertion are designed and operating effectively. Ordinarily, the auditor’s observation provides more reliable audit evidence than merely making inquiries. However, audit evidence obtained by some tests of controls, such as observation, pertains only to the point in time at which the procedures was applied. The auditor may decide, therefore, to supplement these procedures with other tests of control capable of providing audit evidence about other period of time. In determining the appropriate audit evidence to support a conclusion about control risk, the auditor may consider the audit evidence obtained in prior audits.
In a continuing engagement, the auditor will be aware of the accounting and internal control systems through work carried out previously but will need to update the knowledge gained and consider the need to obtain further audit evidence of any changes in control. The auditor in addition, should consider whether the internal controls were in use throughout the period. An audit of financial statements is a cumulative process; as the auditor assesses control risk, the information obtained may cause him to modify the nature, timing, or extent of the planned tests of controls for assessing control risk. The evaluation is based on the effectiveness of the entity’s control structure in preventing and/pr detecting material misstatements, as determined by the tests of controls.
STAGE E. DETERMINING THE NECESSARY LEVEL OF DETECTION RISK
The auditor uses the acceptable level of detection risk to determine the nature, timing, and extent of the auditing procedures to be used to detect material misstatements in the financial statement assertions, auditing procedures designed to detect such misstatements are referred to in this section as substantive tests. The level of detection risk relates directly to the auditor’s substantive procedures. The auditor’s control risk assessment, together with the inherent risk assessment, influence the nature, timing, and extent of the substantive procedures to be performed to reduce risk, and therefore audit risk, to an acceptably low level. In this regard the auditor would consider:
a. The nature of substantive procedures, for example, using tests directed toward independent parties outside the entity rather than tests directed toward parties or documentation within the entity, or using tests of details for a particular audit objectives in addition to analytical procedures; b. The timing of substantive procedures, for example, performing them at period rather than at an earlier date; and c. The extent of substantive procedures, for example, using a larger sample size. As the acceptable level of detection risk decrease, the assurance provided from substantive tests should increase. Consequently, the auditor may do one or more of the ff
Change the nature of substantive tests from a less effective to a more effective procedures, such as using tests directed toward parties or documentation within the entity Change the timing of substantive tests, such as performing them at year-end rather than at interim date. Change the extent of substantive tests, such as using a larger sample size. There is an inverse relationship between the detection risks and the combined level of inherent and control risks. The substantive tests that the auditor performs consist of tests of details of transactions and balances, and analytical procedures. The objective of tests of details of transactions performed as substantive tests is to detect material misstatements in the financial statements. The auditor should recognize, however, that careful consideration should be given to the design and evaluation of such tests to ensure that both objectives will be accomplished.
Audit Risk in the Small Business
The auditor needs to obtain the same level of assurance in order to express an unqualified opinion on the financial statements of both small and large entities. However, many internal controls which would be relevant to large entities are not practical in the small business for example is the segregation of duties. In circumstances where segregation of duties is limited and audit evidence of supervisory control is lacking, the audit evidence necessary to support the auditor’s opinion on the financial statements may have to be obtained entirely through the performance of substantive procedures. How Adequacy or Inadequacy of Internal Control Affects Audit Procedures The primary reason for studying and evaluating internal control is to provide a basis for relying upon the system and for determining the extent of year-end substantive tests to be performed.
There is an inverse relationship between the effectiveness of internal control and the extent of detailed audit procedures; more effective system requires less detailed testing. Strengths and weaknesses identified during the evaluation of internal accounting control and tests of compliance will affect the nature, timing, and extent of audit procedures. The audit is not specifically designed to search for errors or irregularities, although during the study and evaluation of internal accounting control system and the performance of substantive tests, errors, or irregularities may be discovered. The auditor must consider the audit implication when errors or irregularities are likely to exist. Documentation of the Assessed Level of Control Risk
The auditor should document in the working papers.
a. The understanding obtained of the entity’s accounting and internal control systems;
b. The assessment of control risk. When control risk is assessed at less than high, the auditor would also document the basis for the conclusions.
Figure 11.2 Relationship of Effectiveness of Internal Control and Substantive Tests Controls initially considered effective
Controls initial not considered effective or not cost efficient Reduce control risk
Assess control risk at maximum (100%)
Reduce acceptable risk of overreliance on internal control
Acceptable risk of overreliance on internal control- 100% (maximum) Perform tests of control (inquiries, inspection, observation, and reperformance) Perform no tests of controls
Increase detection risk
Decrease detection risk
Reduce planned substantive test
1. Use less persuasive substantive tests.
2. Perform the substantive tests at interim date.
3. Decrease extent of substantive test by selecting a smaller sample size. Perform extensive substantive testing
1. Use more effective substantive tests.
2. Perform substantive tests at year-end
3. Increase extent of substantive tests by selecting a larger sample size.
Communication of Performance, Improvements and Observations in Internal Control Management. As a result of obtaining an understanding of the accounting and internal control systems and tests of controls, the auditor may become aware of weaknesses in the systems. The auditor should make the management aware, as soon as practical and at an appropriate responsibility, of material weaknesses in the design or operation of the accounting and internal control systems, which have come to the auditor’s attention. The communication to management of material weaknesses would ordinarily in writing.
Management letter may be made that will contain constructive suggestions or improvements in internal control or other suggestions for increased efficiency in operations. This letter is considered a by-product rather than the aim of the audit and is often completed sometimes after the completion of the field work. If however, the auditor identifies material weaknesses, he has a professional responsibility to communicate them to both senior management and the board of directors. The auditor should issue a written report at the earliest possible that it is documented in the work papers. Reportable Conditions
Specifically, these are the matters coming to the auditor’s attention that, in his judgement, should be communicated to the audit committee because they represent significant deficiencies in the design or operation of the internal control structure, which could adversely affect the organization’s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. Examples of reportable conditions are as follows: Deficiencies in internal control structure design
Inadequate overall internal control structure design
Absence of appropriate segregation of duties consistent with appropriate control objectives. Absence of appropriate reviews, and approvals of transactions, accounting entries, or systems output. Inadequate procedures for appropriately assessing and applying accounting principles. Inadequate provisions for the safeguarding of assets.
Absence of other internal control techniques considered appropriate for the type and level of transaction activity. Evidence that a system fails to provide complete and accurate output that is consistent with objectives and current needs because of design flaws. Failures in the operation of the internal control structure
Evidence of failure of identified controls in preventing or detecting misstatements of accounting information Evidence that a system fails to provide complete and accurate output consistent with the entity’s control objectives because of the misapplication of control procedures. Evidence of failure to safeguard assets from loss, damage, or misappropriation. Evidence of intentional override of the internal control structure by those in authority to the detriment of the overall objectives of the system. Evidence of failure to perform tasks that are part of the internal control structure, such as reconciliation not prepared or not timely prepared. Evidence of willful wrongdoing by employees or management.
Evidence of manipulation, falsification, or alteration of accounting records or supporting documents. Evidence of intentional misapplication of accounting principles. Evidence of misrepresentation by client personnel to the auditor. Evidence that employees or management lack the qualifications and training to fulfill their assigned functions. Others
Absence of sufficient level of control consciousness within the organization Failure to follow up and correct previously identified internal control structure deficiencies. Evidence of significant or extensive undisclosed related party transactions. Evidence of undue bias or lack of objectivity by those responsible for accounting decisions. Reporting- Form and Content
Conditions noted by the auditor that are considered reportable under this section or that are the result of agreement with the client should be reported, preferable in writing. If the information is communicated orally, the auditor should document the communication by appropriate memoranda or notations in the working papers. Any report issued on reportable conditions should:
Indicate that a purpose of the audit was to report on the financial statements and not to provide assurance on the internal control structure. Include the definition of reportable conditions. Include the restriction on distribution as discussed in the previous paragraph. If no reportable conditions are found, an auditor may not issue a letter stating that. Such a letter may mislead users by implying a greater level of assurance about the lack of any significant deficiencies than the auditor could really provide. However, an auditor may issue a letter indicating that no material weaknesses were found during the course of an audit.