
Chapter 8

Understanding and assessing internal control

Copyright 2010 McGraw-Hill Australia Pty Ltd


PPTs t/a Auditing and Assurance Services in Australia 4e by Grant Gay and Roger Simnett
Slides prepared by Roger Simnett


Learning objective 1:
Audit strategy and internal control
Internal control is the process designed and implemented by those charged with governance, management and other personnel to provide reasonable assurance regarding the achievement of the entity's objectives concerning financial reporting, the effectiveness and efficiency of operations, and compliance with laws and regulations. Refer to ASA/ISA 315.4.


Audit strategy and internal control (cont.)
As indicated in ASA/ISA 315.A44, internal control is designed and implemented to address business risks that threaten any of these objectives:
- Reliability of the entity's financial reporting
- Effectiveness and efficiency of the entity's operations; and
- Compliance with applicable laws and regulations.
The risk of material misstatement at the financial report level is affected by the auditor's understanding of the control environment (ASA/ISA 315.A106).

Auditor's requirements
ASA/ISA 315.12 requires the auditor to obtain an understanding of internal control relevant to the audit.
- Financial report level: the auditor's assessment of risk of material misstatement is affected by their understanding of the control environment (ASA/ISA 315.A106).
- Assertion level: the auditor needs to consider control risk in their assessment of risk of material misstatement (ASA/ISA 315.26).

Audit strategy
In order to issue an opinion on the financial report, the auditor must consider audit risk for each assertion for each significant account balance, class of transactions and disclosure, and reduce it to an acceptable level.
ASA/ISA 200.13 and ASA/ISA 200.A37 indicate that the risk of material misstatement at the assertion level consists of two components: inherent risk and control risk.
Inherent risk was discussed in chapter 7.


Control Risk
Control risk is the risk that a material misstatement could occur in an assertion and not be prevented or detected on a timely basis by the entity's internal control.
If control risk is assessed at less than high, tests of control need to be performed to gain evidence that specific control activities have been effectively and consistently applied throughout the period under audit.
Tests of control will be discussed in chapter 9.


Learning objective 2:
Responsibility for internal control
Achieving satisfactory internal control is initially a management responsibility, although ultimate responsibility rests with those charged with governance.
To maintain control over operations and accounting data, management needs to adopt, maintain and supervise an appropriate internal control system.


Inherent limitations of internal control


Internal control cannot assure a reliable financial report because it has inherent limitations.
Inherent limitations arise because of:
- Control breakdowns as a result of the actions of careless, fatigued or deviant staff
- The possibility of management override
- The existence of non-routine transactions for which internal controls were not devised.
The concept of reasonable assurance recognises that, in some cases, the cost of management establishing and maintaining controls can outweigh the benefits of adopting controls.

Learning objective 3:
Internal control objectives
- Risks are identified and minimised
- Management decision making is effective and business processes efficient
- Transactions are carried out in accordance with management's authorisation
- Laws, rules and regulations are complied with
- Transactions are promptly and accurately recorded
- Access to assets is permitted in accordance with management's authorisation
- Asset records are compared with existing assets at reasonable intervals.


Management controls
Definition: The activities undertaken by senior management to mitigate strategic risks to the entity and promote effectiveness of decision making and efficiency of business activities. These include:
- Communicating business objectives and goals
- Establishing lines of authority and accountability
- Establishing and enforcing appropriate codes of conduct
- Monitoring risk environments
- Defining policies and procedures for dealing with these risks
- Monitoring performance through performance indicators and benchmarking.


Transaction controls
Performed by staff and lower level management.
Every transaction goes through the identifiable steps of authorisation, execution and recording.
These controls:
- Are generally focused on internal risks and reflect the formal policies and procedures defined by senior management
- Deal primarily with the reliability of accounting information and compliance with rules and regulations
- Control the flow of transactions through the accounting system and safeguard related assets by authorising and recording transactions, restricting access to assets and checking for existence of recorded assets.


Characteristics of satisfactory internal control
- Controls to monitor and minimise business risks.
- Segregation of incompatible duties and responsibilities.
- System of authorisation, recording and procedures adequate to provide control over assets, liabilities, revenues and expenses.
- Sound business practices in performance of duties and functions.
- Capabilities commensurate with responsibilities.

Learning objective 4:
Elements of internal control (IC)
Five elements of IC outlined in ASA/ISA 315.14-23:
1. Control environment
2. Entity's risk assessment process
3. Information system
4. Control activities
5. Monitoring of controls.


1. Control environment
Includes governance and management's overall attitude, awareness and actions regarding IC and its importance in the entity (ASA/ISA 315.A65).
Auditors should consider:
- Communication and enforcement of integrity and ethical values
- Commitment to competence
- Participation by those charged with governance
- Management's philosophy and operating style
- Organisational structure
- Assignment of authority and responsibility
- Human resource policies and practices.


2. Entity's risk assessment process
Entity's way of identifying and responding to business risks.
Once risks are identified, management needs to consider their significance and how they should be managed.
Management may introduce plans to address specific risks or it may accept a risk on a cost-benefit basis.



3. Information system
An effective information system establishes the records and the methods that:
- Identify and record all valid transactions
- Resolve incorrect processing of transactions
- Process and account for system overrides
- Transfer information from transaction processing systems to the general ledger
- Capture information relevant to financial reporting for events and conditions other than transactions; and
- Present the transactions and related disclosures properly in the financial report.


Audit trail
An important feature of the information system is the audit trail.
Audit trail:
- Individual transactions can be traced through each step of the accounts to their inclusion in the financial report and, similarly, from the financial report the amounts can be vouched or traced back to original source documentation.
Main elements:
- Source documents: the initial records of transactions in the system. Processing usually creates a source document when a transaction is executed
- Journal
- Ledger.


4. Control activities
Policies and procedures established by management to ensure its directives are carried out.
Can pertain to:
- Performance reviews (e.g. comparing actual with budget)
- Information processing, in an information technology (IT) environment comprising general IT controls and application controls (discussed later this chapter)
- Physical controls (e.g. locked storerooms for inventory)
- Segregation of duties (the most basic of which is to have different individuals responsible for handling of assets and the keeping of records relating to those assets).


Segregation of duties related to a transaction

A transaction may be considered to pass through four phases:
1. Authorisation: the initial authorisation or approval for an exchange transaction.
2. Execution: the act that commits the entity to the exchange, such as placing an order.
3. Custody: the physical act of accepting, delivering or maintaining the asset.
4. Recording: the entry of the transaction data into the accounting system.

Ideally, all four phases should be kept separate.
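
One way to test the four-phase separation described above over a transaction log, as an added example that is not part of the original slides. The event layout, transaction ids and user names are constructed for illustration.

```python
from collections import defaultdict

# The four phases named on the slide, in order.
PHASES = ("authorisation", "execution", "custody", "recording")

# Constructed sample log: (transaction id, phase, person who performed it).
EVENTS = [
    ("PO-001", "authorisation", "alice"),
    ("PO-001", "execution", "bob"),
    ("PO-001", "custody", "carol"),
    ("PO-001", "recording", "dave"),
    ("PO-002", "authorisation", "erin"),
    ("PO-002", "execution", "bob"),
    ("PO-002", "custody", "carol"),
    ("PO-002", "recording", "carol"),   # custody and recording combined
    ("PO-003", "execution", "bob"),     # executed with no authorisation on file
    ("PO-003", "custody", "carol"),
    ("PO-003", "recording", "dave"),
]


def sod_findings(events):
    """Return segregation-of-duties exceptions for each transaction.

    Each finding is (transaction, kind, user, phases) where kind is
    "combined" (one person performed more than one phase) or
    "missing" (a phase has no recorded performer; user is None).
    """
    by_txn = defaultdict(lambda: defaultdict(set))
    for txn, phase, user in events:
        if phase not in PHASES:
            raise ValueError(f"unknown phase {phase!r} on {txn}")
        by_txn[txn][user].add(phase)

    findings = []
    for txn in sorted(by_txn):
        users = by_txn[txn]
        # Incompatible duties: the same person appears in two or more phases.
        for user in sorted(users):
            held = tuple(p for p in PHASES if p in users[user])
            if len(held) > 1:
                findings.append((txn, "combined", user, held))
        # Incomplete trail: a phase nobody is recorded as having performed.
        performed = set().union(*users.values())
        missing = tuple(p for p in PHASES if p not in performed)
        if missing:
            findings.append((txn, "missing", None, missing))
    return findings


if __name__ == "__main__":
    for finding in sod_findings(EVENTS):
        print(finding)
```
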


Control activities and assertions


Control activities can be related to financial report assertions:
- Occurrence (e.g. authorisation and approval of transactions)
- Completeness (e.g. accounting for sequence of transactions)
- Accuracy (e.g. checking dollar amounts back to supporting documentation)
- Cut-off (e.g. independent review of transaction recording around balance date)
- Classification (e.g. independent checking of account coding).


5. Monitoring of controls
Monitoring of controls:
- A process to assess the effectiveness of the performance of internal control. It involves:
  - Evaluating the design and operation of controls
  - Taking corrective action where necessary.
Management may monitor controls through ongoing activities such as supervisory activities and/or separate evaluations.
In many entities internal auditors contribute to the monitoring process.



Learning objective 5:
Considering internal control in a financial report audit
For every audit, irrespective of intended reliance on internal control, an auditor must obtain sufficient understanding of internal control to plan the audit and determine tests to be performed.
The nature and extent of an auditor's consideration of internal control varies considerably across audits and depends on audit strategy.


Steps in the auditor's consideration of internal control structure


Steps in the auditor's consideration of internal control structure (cont.)


Understanding internal control (IC)


The auditor obtains an understanding of ICs to assess control risk and:
- Identify the types of potential misstatements that could occur and the factors that contribute to the risk that they will occur
- Understand the accounting system sufficiently to identify the client documents, etc., that may be available and ascertain what data will be used in audit tests
- Determine an efficient and effective approach to the audit.
Where the auditor assesses control risk as less than high, they must consider operating effectiveness and gather evidence to support this assessment. This evidence will be obtained through tests of control (discussed in chapter 9).

Understanding the control environment
An auditor gains an understanding of the control environment by:
- Making inquiries of key management personnel
- Inspecting documented policies and procedures
- Observing activities and operations
- Considering past experience with the client.


Understanding the risk assessment process
The auditor needs to determine how management identifies business risks, estimates their significance, assesses their likelihood of occurrence, and decides upon actions to manage them.
The auditor inquires of management about business risks that management have identified and considers whether they may result in a material misstatement.
If the auditor identifies a risk of material misstatement that management failed to identify, they need to consider whether management should have identified it and, if so, why the process failed.

Understanding the information system
The auditor is required to obtain sufficient knowledge of the information system to understand:
- Significant classes of transactions
- Initiation of transactions
- Records, documents and accounts
- Accounting processing
- Financial reporting processes
- Controls surrounding journal entries.
Being able to follow transaction flows (the audit trail) is an important technique in understanding the information system.

Understanding the control activities
Procedures include:
- Making inquiries of appropriate client personnel
- Inspection of documentation
- Observation of the entity's activities, operations and procedures
- Walkthrough: the auditor traces one or a few transactions of each type through the related documents and accounting records, observing related processing and control procedures in operation.


Understanding monitoring of controls
The auditor is required to obtain an understanding of how the entity monitors internal control over financial reporting and initiates corrective actions.
In many entities, internal auditors contribute to the monitoring of an entity's activities.
The auditor needs to obtain an understanding of the sources of the information related to the entity's monitoring activities and the basis upon which management considers the information to be sufficiently reliable.


Documenting the understanding of internal control
- Internal control questionnaires and checklists.
- Narrative memoranda: written description of internal control policies and procedures.
- Flowcharts.


Assessing control risk


After obtaining an understanding of the five components of internal control, the auditor assesses control risk for the assertions in the related account balances, transaction classes and disclosures.
The auditor must decide whether to assess control risk for a particular assertion as high or as less than high.


Assessment of control risk as high


The auditor may assess control risk as high because the entity's internal control policies and procedures in the area:
- Are poor and do not support less than a high assessment
- May be effective, but the audit tests would be more time-consuming than performing direct substantive tests
- Do not pertain to the particular assertion.


Assessing control risk at less than high
The auditor may decide to assess control risk as less than high when it improves audit efficiency.
If the auditor assesses control risk as less than high, the auditor must obtain sufficient evidence to support that level.
- First, the auditor identifies specific control activities that are likely to prevent or detect material misstatements.
- Next, the auditor performs tests of controls to evaluate the effectiveness of these control activities.
- This process is followed for each account balance or transaction class that is material to the financial report.


Tests of controls
Evidence is needed to support the conclusion that specific policies and procedures that are likely to prevent or detect misstatements are effective.
The evidence should demonstrate both:
- The effectiveness of the design of the policies and procedures; and
- The operating effectiveness of the policies and procedures, that is, their consistent and proper application.
The evidence necessary to support a specific level of control risk is a matter of audit judgement.
Tests of controls will be discussed in chapter 9.


Effect on design of substantive tests


The result of the auditor's assessment of control risk is used in planning substantive tests for the various assertions within the transaction classes or account balances.
The higher the level of assessed control risk, the lower the level of reliance placed on the internal control and the more assurance the auditor must obtain from substantive tests.
The impact of effective internal control on the nature, timing and extent of substantive tests will be discussed in chapter 10.

Learning objective 6:
Computerised systems
ASA/ISA 315.18 requires the auditor to have an understanding of the information system, including the related business processes.
Many auditors now use what is known as the COBIT (Control Objectives for Information and Related Technology) framework to identify how the business processes and the IT processes interrelate with each other.


The COBIT framework


While COBIT is an IT governance framework, it is also useful for auditors in obtaining an understanding of IT.
The COBIT framework is organised into four domains as follows:
- Planning and organisation: how the entity directs the deployment of IT resources and the delivery of services
- Acquisition, implementation and maintenance: how the entity defines and analyses requirements for projects
- Delivery and support: how the entity establishes physical and logical security to safeguard IT resources
- Monitoring: how the entity reviews performance and corrects deviations from operational and procedural standards.


The COBIT framework (cont.)


For each of these four COBIT domains, the auditor would typically look at three elements:
- Technology: computer applications, hardware, databases, capacity to transfer data, backup and recovery processes
- People: personnel involved in running the business processes
- Procedures: the policies, guidelines, training and documentation in relation to the four domains.
By understanding the three elements of the four COBIT domains, the auditor can understand the entity's information system.

The COBIT framework - threats


The COBIT framework identifies seven categories of threats to the computer information requirements of the entity as follows:
- Availability
- Confidentiality
- Integrity
- Effectiveness
- Efficiency
- Compliance
- Reliability.

Levels of control in computerised systems
Two main categories:
1. User controls
   Those controls established and maintained by departments whose processing is performed by computer.
2. IT controls
   Those controls established and maintained at the location of the computer, for example in data-processing departments.


General and application controls


IT controls can be further divided into general and application controls. General controls are those controls that relate to a number of application systems; application controls relate to a particular application.
User controls are always application controls.


General controls
General controls are manual and computer controls that relate to all or many computerised accounting applications. These provide a reasonable level of assurance that overall objectives of internal control are achieved.
General controls include:
- Segregation of duties
- Control over programs
- Control over data.


Segregation of duties within IT


Control over programs


Major risk relates to unauthorised use of programs or changes to programs.
Controls of interest to the auditor include controls over:
- Development or acquisition of new programs
- Changes to existing programs
- Access to programs; and
- The use of specialised systems software.
Modifications or access should be appropriately authorised, approved and tested.


Control over data


- Control procedures in user departments to ensure restricted access (e.g. key passes, locks).
- Control procedures in IT departments at input and processing stage.
- Restriction of access to data files (e.g. password).
- Use of librarian function or software.


Other general controls

These include controls that back up hardware, software and files and ensure recovery when computer is installed or particular files or programs are damaged.
These do not normally have an effect on the auditor's control risk assessment.


Application controls
Application controls (defined in ASA/ISA 315.A97) are manual or automated procedures that operate at a business process level and therefore apply to the processing of individual applications.
The reliance that can be placed on application controls often depends on the reliability of the general controls.
Application controls contribute to achievement of specific control objectives that the auditor considers in tests of controls.

User controls
Control totals: detect errors in input or processing. Generally, there are three types:
- Financial totals
- Record totals
- Hash totals.
Review and reconciliation of data by users.
Formal error correction and resubmission procedures.
Authorisation controls help ensure that only valid transactions and batches of transactions are processed.

IT application controls
Usually classified into the following categories:
- Input controls
- File controls
- Processing controls
- Output controls.


Input controls
- Control totals
- Key verification
- Key entry validation
- Programmed controls:
  - Check digits
  - Limit or reasonableness tests
  - Field tests
  - Valid code tests.


File controls
Include:
- Internal file labels: computer-readable data that identifies content of file
- External file labels: printed or handwritten labels attached to disk or tape.


Processing controls
Programmed control procedures include:
- Use of programmed control activities such as reasonableness or limit tests and use of redundant program calculations
- Checking numerical sequence of records
- Comparing related fields.
Run-to-run control totals:
- Control totals accumulated during processing are compared to input totals and previous computer-run totals.
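
The three control totals listed under user controls (financial, record and hash totals) and the run-to-run comparison described above, as an added Python example that is not part of the original slides. The record layout, the sample batch and the three simulated errors are constructed, and the account code is assumed to be the field chosen for the hash total.

```python
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    doc_no: int       # source document number
    account: int      # account code: non-monetary field used for the hash total
    amount: Decimal   # monetary field used for the financial total


@dataclass(frozen=True)
class ControlTotals:
    financial: Decimal  # sum of the amounts
    records: int        # number of records in the batch
    hash_total: int     # sum of account codes; meaningless except as a check


def control_totals(batch):
    """Accumulate the three control totals for one batch."""
    return ControlTotals(
        financial=sum((t.amount for t in batch), Decimal("0")),
        records=len(batch),
        hash_total=sum(t.account for t in batch),
    )


def differing_totals(expected, actual):
    """Names of the control totals that do not agree, in a fixed order."""
    return [name for name in ("financial", "records", "hash_total")
            if getattr(expected, name) != getattr(actual, name)]


def run_to_run(runs):
    """Compare each run's totals with those of the run before it.

    `runs` is a list of (run_name, batch). Returns one entry
    (previous_run, this_run, differing_totals) per break in the chain.
    """
    breaks = []
    for (prev_name, prev), (name, batch) in zip(runs, runs[1:]):
        diffs = differing_totals(control_totals(prev), control_totals(batch))
        if diffs:
            breaks.append((prev_name, name, diffs))
    return breaks


def with_change(batch, doc_no, **changes):
    """Copy of the batch with one record altered (simulates a keying error)."""
    return [replace(t, **changes) if t.doc_no == doc_no else t for t in batch]


# Constructed sample batch as prepared by the user department.
INPUT_BATCH = [
    Txn(1001, 40010, Decimal("250.00")),
    Txn(1002, 40025, Decimal("1320.50")),
    Txn(1003, 51000, Decimal("89.95")),
    Txn(1004, 40010, Decimal("412.00")),
]

# Three constructed processing errors, each caught by a different total.
TRANSPOSED_AMOUNT = with_change(INPUT_BATCH, 1002, amount=Decimal("1302.50"))
MISCODED_ACCOUNT = with_change(INPUT_BATCH, 1002, account=40052)
DROPPED_RECORD = [t for t in INPUT_BATCH if t.doc_no != 1003]

if __name__ == "__main__":
    user_totals = control_totals(INPUT_BATCH)
    print("user department totals:", user_totals)
    for label, batch in [("transposed amount", TRANSPOSED_AMOUNT),
                         ("miscoded account", MISCODED_ACCOUNT),
                         ("dropped record", DROPPED_RECORD)]:
        print(label, "->", differing_totals(user_totals, control_totals(batch)))
    print(run_to_run([("input", INPUT_BATCH),
                      ("edit run", INPUT_BATCH),
                      ("update run", DROPPED_RECORD)]))
```

A miscoded account leaves the financial and record totals intact, so only the hash total reveals it.
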


Output controls
These include:
- Restricted distribution
- Automatic dating of reports
- Page numbering
- End-of-report messages.


Relationship between general and application controls
The auditor should start by examining general controls.
If general controls are unreliable, an auditor has little confidence in programmed application controls and reduced confidence in manual application controls; the auditor takes a more substantive approach to the audit.
If general controls are reliable, an auditor makes a preliminary evaluation of application controls. If reliance on application controls is then planned, a more detailed evaluation of these controls is made; the auditor determines the appropriate degree of testing of controls and substantive testing.

Control systems in different environments

Database: Computer-readable file of records that is used by many accounting applications. In order to handle processing of data, a system software program called a database management system (DBMS) with many built-in controls is used.

Stand-alone PCs: Can cause the distinction between general and application controls to be blurred and controls to be less structured. Thus, control risk is commonly assessed as high.

LANs and other networks: Networking means that processing is distributed to PCs at many locations. Can cause problems with security and control procedures as they are more dispersed, increasing control risk.


Computer service organisations


A computer service organisation is a centre or service entity that performs computer applications for another company.
A common application processed through the service entity is payroll.
ASA/ISA 402.10 requires the auditor to evaluate the design and implementation of relevant controls at the user entity that relate to services provided by the service organisation.

Learning objective 7:
Considering the work of an internal auditor
An effective internal audit function can significantly strengthen the monitoring of control.
ASA/ISA 610.A1 recognises that internal auditing may be useful to the external auditor as it may affect audit risk and therefore the nature, timing and extent of audit procedures.
The extent of reliance is dependent on the evaluation of the internal audit function by the external auditor.


Differences between an internal and an external auditor
While recognising the similarities between the external and internal audit functions, it is important to bear in mind the fundamental differences between them.
The following major differences can be identified:
1. Objectives
2. Independence
3. Qualifications.
For external audit, the above elements are regulated by legislation; for internal audit, the above elements are determined by those charged with governance.

External auditor evaluates the internal audit
ASA/ISA 610.9 requires that when determining whether the work of the internal audit is likely to be adequate for external audit purposes, the external auditor must evaluate the internal audit's:
1. Objectivity: the internal audit's status in the entity.
2. Technical competence: whether internal auditing personnel have adequate technical training and proficiency.
3. Due professional care: whether internal auditing is properly planned, documented, supervised and reviewed.
4. Effectiveness of communication: whether there will be effective communication between internal audit and external auditor.


General evaluation
The external auditor is required to undertake a general evaluation of the internal audit function as part of the review of the client's internal control.
ASA/ISA 610.11 requires that an external auditor who relies on specific internal audit work to support a preliminary assessment of control risk must evaluate and test that work to ensure that it is adequate for external audit purposes.
The purpose of the review is primarily to determine that the work of internal audit is appropriate and to ascertain whether adequate standards have been applied.
Internal auditing is further considered in chapter 14.