Chapter 6 Flashcards
What are the important attributes that an effective Internal Control System ensures?
An entity’s IC process is designed to achieve several objectives related to operational efficiency.
Objectives relevant to auditors generally relate to: (“ASAP”)
Accurate & reliability of financial reporting
Safeguarding of assets (this is no longer in the Brown book!)
Compliance with Applicable laws and regulations
Promote effectiveness and efficiency of operations
What are the components of audit risk?
RMM = IR x CR x DR
Inherent Risk – Susceptibility of an assertion to a material misstatement.
Control Risk – Risk that a material misstatement could occur in an assertion will not be prevented or detected in a timely manner.
Detection Risk – Risk that the auditor will not detect a material misstatement that exists in an assertion.
Internal control consists of five interrelated components—what are those five components and how do they effect the planning of the engagement?
“CRIME”
- Control Activities (PIPS –Performance reviews, Information processing controls, Physical controls, Segregation of duties
- Risk Assessment
- Information & Communication
- Monitoring
- Control Environment (CHOPPER – Commitment to competence, Human resource policies, Organizational structure, Philosophy & operating style of mgt, Providing attention & direction by mgt, Ethical values & integrity, manner of assigning Responsibility)
During the course of the audit, the auditor should assess control risk, or the effectiveness of an entity’s internal controls in preventing or detecting material misstatements in the financial statements. In assessing control risk at maximum, the auditor should be satisfied to the extent that performing substantive test would be effective and more efficient that performing test of controls.
When should an auditor test controls and give example of the type of tests you could perform?
(1) When the auditor plans to reduce the control risk assessment based on his/her expectation that controls are operation effectively and reduce detection risk to appropriate low level.
(2) The auditor may find it impossible to design effective test of details when an entity conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system. In this case, the auditor should perform test of controls to obtain audit evidence about the operating effectiveness of the IT system (6-15).
(3) Examples of test of controls may include: • Inquiries of the entity’s personnel • Observation of the application of the control • Inspection of documents, reports, or electronic files • Walk-through • Reviews of reconciliations • Re-performance of the application of the control
If an auditor determines that computer systems are an integral component of the internal control of the entity being audited, how will that affect your planning?
When computer systems are an integral component of the internal control of the entity being audited and internal controls outside of the system (manual controls) are not sufficient to minimize risk, the auditor should obtain and document their understanding of the system controls, assess the effectiveness of the controls’ design, and conduct test to evaluate the effectiveness of the controls. Obtaining an understanding of the system controls includes understanding both general and application controls.
General Controls—the policies and procedures that apply to all or large segments of the entity’s information systems. Objectives are to safeguard data, protect computer application programs, prevent unauthorized access, and ensure continued computer operations in case of unexpected interruptions. The effectiveness of the general controls is a significant factor in determining the effectiveness of application controls.
Application controls—are directly related to individual computerized applications. They help ensure that transactions are valid, properly authorized, completely processed and reported. It includes programmed control techniques and manual follow-up of computer generated reports. Includes input controls, processing controls, and output controls.
