Evaluation of Internal ControlSystem

Learning Objective 1

Contrast management’s need for

internal control with the auditor’s

need to consider internal control

when designing an audit.

InherentLimitations

ReasonableAssurance

Management’sResponsibility

Key Concepts

Client’s Concerns

Compliance with applicable laws and regulations

Reliability of financial reporting

Efficiency and effectiveness of operations

Auditor Concerns

Controls over classes of transactions

Controls related to reliability of financial reporting

Learning Objective 2

Explain the components

of internal control.

The Control Environment

Integrity and ethical values

Commitment to competence

Board of directors or auditcommittee participation

Management’s philosophyand operating style

The Control Environment

Organizational structure

Assignment of authorityand responsibility

Human resourcespolicies and practices

Risk Assessment

Identify factors affecting risk.

Assess significance of risksand likelihood of occurrence.

Determine actions necessaryto manage risk.

Control Activities

1. Adequate separation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance

Adequate Separationof Duties

Custody of assets Accounting

Authorizationof transactions

The custody ofrelated assets

Operationalresponsibility

Record-keepingresponsibility

IT Duties User departments

Proper Authorization of Transactions and Activities

General authorization

Specific authorization

Adequate Documentsand Records

Prenumbered consecutively

Prepared at the time of transaction

Designed for multiple uses

Constructed to encourage correct preparation

Simple enough to ensure understanding

Physical Control overAssets and Records

Physical precautions

Controls related to IT equipment,programs, and data files

Physicalcontrols

Accesscontrols

Backup andrecovery

procedures

Independent Checkson Performance

The need for independent checksarise because internal control tendsto change over time unless there isa mechanism for frequent review.

Information and Communication

The purpose of an accounting informationand communication system is to…

initiate, record, process, and report thetransactions and to maintain accountability

for the related assets.

Monitoring

Management’s ongoing and periodic assessmentof the quality of internal control performance …

to determine whether controls are operatingas intended and modified when needed.

Learning Objective 3

Explain methods used to

obtain an understanding

of internal control.

Understanding Internal Controland Assessing Control Risk

Obtain Understanding of Internal Control:Design and Operation

Assess Control Risk Test Controls

Decide Planned Detection Riskand Substantive Tests

Reasons for Sufficiently Understanding Internal Control

SLAuS requires the auditor toobtain an understanding of internal

control for every audit.

Minimum auditplanning matters

• Auditability• Potential material

misstatements• Detection risk• Design of test

Procedures to DetermineDesign and Placement

Update and evaluate auditor’s previousexperience with the entity.

Make inquires of client personnel.

Read client’s policy and systems manuals.

Examine documents and records.

Observe entity activities and operations.

Documentation ofthe Understanding

NarrativeNarrative

FlowchartFlowchartInternalcontrol

questionnaire

Internalcontrol

questionnaire

Learning Objective 4

Assess control risk by linking

strengths and weaknesses of

internal control to transaction-

related audit objectives.

Assess Control Risk

Obtain sufficient understanding for planning.

Assess whether the entity is auditable.

Determine assessed control risk.

Assess if a lower control risk could be supported.

Determine the appropriate assessed control risk.

Assess Control Risk

Identify transaction-related audit objectives.

Identify specific controls.

Identify and evaluate weaknesses.

Identify and Evaluate Weaknesses

Identify existing controls.

Identify the absence of key controls.

Determine misstatements that could result.

Consider compensating controls.

The Control Risk Matrix

Auditors use the control risk matrix toidentify both controls and weaknesses

and to asses control risk.

Communication

Reportable conditions letter

Management letters

Audit committee communications

Learning Objective 5

Describe the process of designing

and performing tests of controls.

Tests of Controls

The procedures to test effectivenessof controls in support of a reduced

assessed control risk are calledtests of controls.

Procedures forTests of Controls

Make inquiries of client personnel.

Examine documents, records, and reports.

Observe control-related activities.

Reperform client procedures.

Extent of Procedures

Reliance on evidence from prior year’s audit

Testing less than the entire audit period

Decide Planned Detection Riskand Design Substantive Tests

The auditor uses the results of the control riskassessment process and tests of controls todetermine the planned detection risk and

related substantive tests.

The auditor links the control risk assessmentsto the balance-related audit objectives.