©2010 Prentice Hall Business Publishing, Auditing 13/e, Arens/Elder/Beasley 10 - 1 Internal Control and Control Risk Chapter 10

©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens/Elder/Beasley Arens/Elder/Beasley 10 - 1

Internal Control and Control RiskInternal Control and Control Risk

Chapter 10Chapter 10

©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens/Elder/Beasley Arens/Elder/Beasley 10 - 10 - 22

3. Compliance with laws and regulations

2. Efficiency and effectiveness of operations

1. Reliability of financial reporting

Internal Control ObjectivesInternal Control Objectives


Five Components of Internal Five Components of Internal ControlControl

Riskassessment

Controlactivities

Information andcommunication Monitoring


The Control EnvironmentThe Control Environment

Integrity and ethical values

Commitment to competence

Board of directors or auditcommittee participation


The Control EnvironmentThe Control Environment

Management’s philosophy and operating style

Organizational structure

Human resource policies and practices


Risk AssessmentRisk Assessment

Identify factors that may increase risk

Assess the likelihood of the risk occurring

Determine actions necessary to manage the risk

Estimate the significance of the risk


Control ActivitiesControl Activities

1. Adequate separation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance


Proper Authorization of Proper Authorization of Transactions and ActivitiesTransactions and Activities

General authorization

Specific authorization


Adequate Documents and Adequate Documents and RecordsRecords

Prenumbered consecutively

Prepared at the time of transaction

Designed for multiple use

Constructed to encourage correct preparation


Physical Control Over AssetsPhysical Control Over Assetsand Recordsand Records

The most important type of protectivemeasure for safeguarding assets andrecords is the use of physical precautions.


Independent Checks on Independent Checks on PerformancePerformance

The need for independent checks arisesbecause internal control tends to changeover time unless there is a mechanismfor frequent review.


Information and CommunicationInformation and Communication

The purpose of an accounting informationand communication system is to…

initiate, record, process, and reportthe entity’s transactions and to maintainaccountability for the related assets.


MonitoringMonitoring

Monitoring activities deal with management’songoing and periodic assessment of thequality of internal control performance…

to determine whether controls are operatingas intended and modified when needed.


Process for Understanding Internal Process for Understanding Internal Control and Assessing Control RiskControl and Assessing Control Risk

Obtain an understanding of

internal control: design and operation

Assess control risk

Design, perform, and evaluate tests of

controls

Decide planned detection risk and substantive tests

Phase 1

Phase 2

Phase 3

Phase 4


Obtain and Document Understanding Obtain and Document Understanding of Internal Controlof Internal Control

Auditing standards require auditors to obtain an understanding of internal control for every audit.

Procedures to obtain an understanding: Design of internal controls Whether placed in operation Uses this information as a basis for the

integrated audit


Methods UsedMethods Used

Narrative

FlowchartInternalcontrol

questionnaire


NarrativeNarrative

1. The origin of every document and record in the system

2. All processing that takes place

3. The disposition of every document and record in the system

4. An indication of the controls relevant to the assessment of control risk


Evaluating Internal Control Evaluating Internal Control OperationOperation

Update and evaluate auditor’s previousexperience with the entity

Make inquiries of client personnel

Examine documents and records

Observe entity activities and operations

Perform walk-throughs of the accounting system


Assess Control RiskAssess Control Risk

Assess whether the financial statementsare auditable.

Determine assessed control risk supportedby the understanding obtained assumingthe controls are being followed.

Use of a control risk matrix to assesscontrol risk.


Control Risk MatrixControl Risk Matrix

Many auditors use the control risk matrixto assist in the control risk assessmentprocess.


Control Risk MatrixControl Risk Matrix

Identify audit objectives

Identify existing controls

Associate controls with related audit objectives

Identify and evaluate control deficiencies,significant deficiencies, and material weaknesses


Evaluating Significant Control Evaluating Significant Control DeficienciesDeficiencies

MaterialWeakness

LIKELIHOOD

SIGNIFICANCE

Material

Immaterial

ProbableRemote


Identify Deficiencies and Identify Deficiencies and WeaknessWeakness

Identify existing controls

Identify the absence of key controls

Consider the possibility of compensating controls

Decide whether there is a significant deficiencyor material weakness

Determine potential misstatements that could result


CommunicationsCommunications

Management letters

Communications to thosecharged with governance


Tests of ControlsTests of Controls

The procedures to test effectiveness of controlsin support of a reduced assessed controlrisk are called tests of controls.


Procedures for Tests of Procedures for Tests of ControlsControls

1. Make inquiries of client personnel

2. Examine documents, records, and reports

3. Observe control-related activities

4. Reperform client procedures


Extent of ProceduresExtent of Procedures

Reliance on evidence from prior year’s audit

Testing of controls related to significant risks

Testing less than the entire audit period


Decide Planned Detection Risk and Decide Planned Detection Risk and Design Substantive TestsDesign Substantive Tests

The auditor uses the results of the control riskassessment process and tests of controls todetermine the planned detection risk andrelated substantive tests.

The auditor links the control risk assessmentsto the balance-related audit objectives.

©2010 Prentice Hall Business Publishing, ©2010 Prentice Hall Business Publishing, Auditing 13/e,Auditing 13/e, Arens/Elder/Beasley Arens/Elder/Beasley 10 - 29

End of Chapter 10End of Chapter 10