chapter 6 · pdf filechapter 6 internal control ... data capture controls 2. data validation...
TRANSCRIPT
Chapter 6
Internal Control in a Financial
Statement Audit
McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
Internal Control
The auditor uses risk assessment procedures to
-obtain an understanding of the entity’s internal control
-identify the types of potential misstatements
-ascertain factors that affect the risk of material
misstatement
-design tests of controls and substantive procedures
The auditor’s understanding of the internal control is a
major factor in determining the overall audit strategy. The
auditor has a responsibility to:
(1) obtain an understanding of internal control and
(2) assess control risk.
LO# 1
6-2
COSO’s Internal Control –
Integrated Framework
Reliability of
Financial
Reporting
Effectiveness
and Efficiency
of Operations
Compliance
with Laws and
Regulations
Objectives
LO# 2
6-3
The Effect of Information
Technology on Internal Control
LO# 4
6-4
Components of Internal Control
LO# 5
6-5
LO# 6
Planning an Audit Strategy Figure 6-3 Flowchart of the Auditor’s Consideration of Internal Control and Its Relation to
Substantive Procedures
6-6
Obtain an Understanding
of Internal Control
Identify types of
potential
misstatement
Design tests of
controls and
substantive
procedures
Pinpoint the
factors that affect
the risk of material
misstatement
The auditor should obtain an understanding of each of
the five components of internal control in order to plan
the audit. This knowledge is used to:
LO# 7
6-7
Documenting the Understanding
of Internal Control
Procedure Manuals
and Organizational
Charts
Flowcharts
Internal Control
Questionnaires Narrative Description
LO# 8
6-8
The Limitations of an Entity’s
Internal Control
Override of
Internal Control
by Management
Human Errors
or Mistakes
Collusion
LO# 8
6-9
Assessing Control Risk
Identify
specific
controls that
will be relied
upon.
Perform tests
of controls.
Conclude on the
achieved level
of control risk.
LO# 9
6-10
Interim Audit Procedures
Interim Tests of
Controls
1. Assertion being tested not significant
2. Control has been effective in prior audits
3. Efficient use of staff time
Interim
Substantive
Procedures
1. Assertion probably has low control risk
2. May increase the risk of material
misstatements
3. Still requires some year-end testing
LO# 12
6-11
Auditing Accounting Applications
Processed by Service Organizations
In some instances, a client may have some or all of its
accounting transactions processed by an outside service
organization.
Because the client’s
transactions are subjected to
the controls of the service
organization, one of the
auditor’s concerns is the
internal control system in
place at the service
organization.
It is not uncommon for service
organizations to have an auditor
issue one of two types of
reports on their operations.
LO# 13
6-12
Communication of Internal Control-
Related Matters
Significant
Deficiency
Material
Weakness
A Significant deficiency is a deficiency, or a
combination of deficiencies, in internal control
that is less severe than a material weakness, yet
important enough to merit attention by those
charged with governance.
A material weakness is a deficiency, or
combination of deficiencies, in internal control,
such that there is a reasonable possibility that a
material misstatement of the financial
statements will not be prevented, or detected
and corrected.
LO# 14
6-13
Types of Controls in an IT
Environment
General
Controls
1. Data center and network
operations
2. System software
acquisition, change, and
maintenance
3. Access security
4. Application system
acquisition, development,
and maintenance
Application
Controls
1. Data capture controls
2. Data validation controls
3. Processing controls
4. Output controls
5. Error controls
LO# 15
6-14
Flowcharting Symbols
LO# 16
6-15
End of Chapter 6
6-16