Flashcards in Internal control Deck (21):
Procedures used to obtain evidence about the design and implementation of internal control include:
1. inquiry of entity personnel
2. observation of the application of controls
3. inspection of documents and reports
4. observation of the entity's premises and plant facilities.
Many entities use outside organizations (service organizations) to process some portion of their accounting transactions (e.g., ADP and Paychex are service organizations that provide processing for payroll checks and reports).
A service organization's services are considered to be part of a user entity's info system when those services affect the initiation, execution, processing, or reporting of the user company's transactions. In such cases, the controls placed in operation by the service organization are considered to be part of the user organization's info system.
Segregation of duties (ARC)
1. Authorization (transaction)
2. Record keeping (transaction)
3.Custody of related assets.
1. sets the tone of an organization, influencing the control consciousness of its employees.
2. provides discipline and structure as the foundation for all other components of internal control.
3. originates with, and is generated by, management and those charged with governance.
The control environment includes such factors as:
1. communication and enforcement of integrity and ethical values of the people who create, administer and monitor internal control
2. commitment to competence
3. participation of those charged with governance
4. management's philosophy and operating style
6. assignment of authority, responsibility and accountability
7. human resource policies and practices.
The cost-benefit relationship is
the primary criterion that should be considered in designing internal control.
Establishing and maintaining internal control is the responsibility of MANAGEMENT, not the internal auditor.
Attribute tests, compliance tests, and tests of controls are all tests that assist the auditor in assessing control risk and determining the final assessed risk of material misstatement.
An auditor uses the knowledge provided by the understanding of internal control and the final assessed risk of material misstatement primarily to determine the nature, timing and extent of SUBSTANTIVE TESTS to be performed.
The five components of internal control are
Control environment: the overall tone of the organization
Risk assessment: management's identification of risk
Info and communication system: a means of recording transactions and communicating responsibilities
Monitoring: assessment of internal control over time
Existing control activities: control policies and procedures.
A service organization's services are part of an entity's info system if they affect the initiation, processing, or reporting of the entity's transactions.
Services performed by another organization are NOT considered to be part of the client's info system if the services provided are LIMITED to executing transactions that are specifically authorized by the client.
IT risks include:
1. potential reliance on inaccurate systems
2. unauthorized access to data
3. unauthorized changes to data
4. failure to make required changes or updates
5. inappropriate manual intervention
6. potential loss of data
Inherent limitations of internal control include:
1. management override of internal control
2. human error, which may include error in the design or use of automated controls
3. deliberate circumvention of controls by collusion of two or more people.
In every audit, the auditor should obtain sufficient understanding of the
design of relevant internal controls pertaining to financial reporting in each of the five internal control components. C.R.I.M.E
An auditor should obtain sufficient knowledge of an entity's info system relevant to financial reporting to understand the process
used to prepare significant accounting estimates.
Knowledge about the design and implementation of relevant internal control should be used to
identify types of misstatement that could occur.
The auditor is NOT required to assess operating EFFECTIVENESS during the PLANNING stage of audit.
In considering whether the SERVICE AUDITOR'S report is satisfactory for the USER AUDITOR
The user auditor should make INQUIRIES concerning the service auditor's reputation.
Obtaining an understanding of an internal control involves
evaluating the DESIGN of the control and determining whether the control has been IMPLEMENTED.
Tests of controls are performed when
a. the auditor's risk assessment is based on the assumption that controls are operating EFFECTIVELY
b. substantive procedures alone are INSUFFICIENT (i.e., when the entity makes extensive use of info technology).
Tests of the operating effectiveness of controls include the following: inquiries, observation, inspection and reperformance.
To obtain audit evidence about control risk, an auditor ordinarily selects tests from a variety of techniques, including inquiry, observation, inspection and reperformance.
The auditor should use a combination of procedures to obtain sufficient evidence of operating effectiveness
a. inquiry alone is NOT sufficient
b. observation is generally pertinent only at the point in time when it is made
As the planned level of reliance on the operating effectiveness of a control increases, the auditor should obtain MORE reliable or more extensive audit evidence.
The objective of tests of DETAILS used as tests of controls is to evaluate whether an internal control is operating effectively.
The objective of tests of details of transactions performed as substantive tests is to detect material misstatement in the F.S.
Inquiry alone generally will NOT support a conclusion for a lower assessed level of control risk
a. observation by the auditor provides MORE assurance than audit evidence obtained by inquiry alone
b. Prior audits may be considered by the auditor in assessing control risk in the current audit
c. an audit of F.S is a cumulative process.
For certain relevant assertions and risks, ONLY SUBSTANTIVE PROCEDURES will be performed. This occurs when control risk is assessed at MAXIMUM because
1. there are NO effective controls relative to the specific assertion
2. the implemented controls are assessed as ineffective or
3. it would NOT be efficient to test the operating effectiveness of controls.
For 1+2, it means there were NO strong controls to rely upon.
For 3, the COST/BENEFIT relationship applies, which means DO NOT test "controls" if doing so is ineffective at reducing substantive testing. (IF it would take less TIME or be more efficient to perform substantive tests than it would to perform tests of controls, and if there is no other reason to test controls (i.e., if there is not a high degree of electronic processing), the auditor WOULD NOT be likely to test controls.)
As part of understanding internal control, an auditor is NOT required to obtain knowledge about the operating effectiveness of controls.
An auditor is required to
1. consider factors that affect the risk of material misstatement
2. identify the types of potential misstatement that can occur
3. ascertain whether internal control has been implemented
4. evaluate the design of the control