internal audit part 2

audit

what is the third step in the audit process

asses the risk of misstatement and design audit procedures

risk assessment procedures

to obtain an understanding of internal control, combined with the auditors’ other evidence, allows them to assess the risk of material misstatement.

what are the three results of the risk assessment to further the audit process

nature, timing, extent

The auditors make decisions about the further audit procedures that include the proper combination of…

tests of controls which allow a lower assessment of control risk) and substantive procedures (which restrict detection risk).

When considering the internal control structure, an auditor should be aware of the concept of

reasonable assurance, which recognizes that the cost of internal control should not exceed the benefits expected to be derived from internal control.

control environment elements

Integrity and ethical values

Management’s philosophy and operating style

Organizational structure

Assignment of authority and responsibility

Human resource policies and practices

Competence of personnel

control activities

Perform Reviews

Transaction Control Activities

Physical Controls

Segregation of duties

Controls over Accounting Estimates

Fidelity Bonds

accounting information systems

Identify and record all valid transactions

Permit proper classification

Measure transaction value

Determine proper accounting period

Present properly in financial statements

chart of accounts

A classified listing of all accounts in use, accompanied by a detailed description of the purpose and content of each.

manual of accounting policies and procedures

States clearly in writing the methods of treating transactions.

transaction cycle

the policies and the sequence of procedures for processing a particular type of transaction

monitoring

ongoing and. periodic

ongoing monitoring

Involves the day-to-day review of control activities through routine processes like data analytics, system reports, and management oversight to identify potential issues as they arise. internal

periodic assessments

Regular, more comprehensive assessments of the internal control system are conducted to evaluate its effectiveness in mitigating key risks, often involving detailed testing and analysis. (External)

precision of review control is affected byThe level of aggregation of the data

The level of aggregation of the data

The frequency and consistency with which the review is performed.

The predictability of the expectations developed by management.

The criteria used to determine when and item or relationship is investigated

procedures for assessing internal control risk

Inquiring of entity personnel. (Not sufficient by itself!)

Observing the application of specific controls.

Inspecting documents and reports.

Tracing documents through information system relevant to financial reporting.

Vouching from the financial records back to the source documents.

Confirming transactions with third parties.

documenting the understanding of internal control

flowcharts

narratives

questionnaires

types of walkthrough

process, shadow, transaction

assessing control risk at less tan the maximum

auditor believes a company's internal controls are effective enough to rely on them to some degree, allowing them to perform fewer substantive procedures during an audit, and instead focus on testing the specific controls that mitigate the risk of material misstatement

To assess control risk below maximum, an auditor must gather evidence that the identified internal controls are designed and operating effectively by performing

tests of control

nature of test of controls

Inquiries of appropriate client personnel.

Inspection of documents and reports.

Observation of the application of controls.

Reperformance of the controls.

timing of test of controls

If the auditors test the operation of controls at a particular time, their audit evidence generally relates only to that time

extent of test of controls

to increasing the evidence from a test of control is to increase the extent of the test

in testing management review controls

the auditors generally examine a sample of review or exception reports, reperform selected reviews, and determine that the exceptions or unusual items were appropriately investigated and resolved.

A decision to perform tests of controls is based on

the auditor’s consideration of whether controls are likely to be operating effectively and whether testing those controls is likely to be cost effective.

lower assessed level of control risk

is appropriate only when the auditors have evidence on the operating effectiveness obtained by performing tests of controls.

deficient in internal control

less than a significant deficiency

significant deficiency

material weakness

deficiency in internal control

exists when the design or operation of a control does not allow management or employees in the normal course of performing their assigned functions to prevent or detect material misstatements on a timely basis.

significant deficiency

deficiency in control over financial reporting (or combination of deficiencies that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting. 

material weakness

deficiency in control over financial reporting (or a combination of deficiencies) such that there is a reasonable possibility that a material misstatement of the company’s financial statements will not be prevented or detected on a timely basis.

service organization

provide processing services to companies (user entities) that decide to outsource a portion of their processing

SOC

service organization control

SOC 1

A report on management’s description of a service organization’s system and the suitability of the design of controls.

SOC 2

A report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.