Internal Control in a Financial Statement Audit

Chapter 6: Internal Control in a Financial Statement Audit

Principles Underlying an Audit – ASB

Purpose

  • To express an opinion on the financial statements prepared by management.
  • Management is responsible for preparing the financial statements and providing the auditor with necessary information to conduct the audit.

Responsibilities

  • Competence and Capability: Auditors should possess the necessary skills and knowledge.
  • Compliance with Ethical Requirements: Auditors must follow ethical guidelines.
  • Maintain Professional Skepticism: Auditors should remain alert to conditions that may indicate possible misstatement.
  • Exercise Professional Judgment: Auditors must apply judgment in all areas of their work.

Performance

  • The audit should provide sufficient appropriate audit evidence supporting reasonable (not absolute) assurance that the financial statements are free of material misstatement.

Reporting

  • Auditors express an opinion through a written report based on evaluation of the audit evidence or may state that an opinion cannot be expressed.

GAAS: Principles Underlying an Audit (ASB)

Performance Factors

  • Sufficient Appropriate Audit Evidence: Ensures financial statements are free from material misstatement.
    • Planning and Supervision: Properly organize the audit process.
    • Materiality Considerations: Address materiality throughout the audit.
    • Risk Assessment: Identify potential risks affecting the financial statements.
    • Understanding Entity and Environment: Including scrutiny of internal controls.
    • Substantive Tests Effectiveness: Determine the necessary effectiveness of tests.
    • Audit Evidence Quality: Ensure sufficient quantity and appropriate quality.

Internal Control Overview

Management Responsibilities

  • Management is charged with designing and maintaining controls that offer reasonable assurance for:
    • Safeguarding the entity's assets and records.
    • Ensuring that the information system produces reliable information for decision making.
  • Auditors need assurance regarding the reliability of the information generated by the system.

Auditor's Use of Risk Assessment Procedures

  • The auditor employs risk assessment procedures to:
    • Understand the entity's internal control.
    • Identify key controls essential for mitigating risks.
    • Recognize potential misstatements that could occur.
    • Formulate relevant tests of controls and substantive procedures.
  • A comprehensive understanding of internal control is critical in shaping the overall audit strategy.
  • Auditors must:
    • Gain understanding of internal control.
    • Assess control risk.

COSO’s Internal Control – Integrated Framework

Objectives

A robust system of internal control, designed and executed by an organization’s board of directors, management, and personnel, provides reasonable assurance concerning the achievement of objectives in:

  1. Reliability, timeliness, and transparency of internal and external financial and nonfinancial reporting.
  2. Effectiveness and efficiency of operations.
  3. Compliance with laws and regulations.

Components of Internal Control

The five components of internal control are described below:

Control Environment

  • Definition: Represents the foundation for all other components, comprising the standards, processes, and structures that fortify the internal control system.
  • Significance of Tone at the Top: Established by the board of directors and management.

Principles of Control Environment

  1. Commitment to Integrity and Ethical Values: The organization's stance on integrity must resonate throughout.
  2. Board Independence: The board should function autonomously from management, particularly in oversight matters.
  3. Defined Structures and Responsibilities: Management establishes structures, reporting lines, and authorities with board oversight.
  4. Attracting Competent Individuals: The organization commits to recruiting and retaining skilled personnel.
  5. Accountability for Responsibilities: Each individual should understand their role in upholding internal control integrity.

Risk Assessment Process

  • Overview: Dynamic and iterative process that identifies and analyzes risks to achieving objectives.
  • Management evaluates external and internal changes that may hinder objective attainment.

Principles of Risk Assessment

  1. Objective Specification: Clarity in objectives to facilitate risk assessments.
  2. Risk Identification: Identifying and analyzing risks that threaten objective achievement.
  3. Fraud Consideration: Acknowledging fraud potential within risk assessments.
  4. Impact of Changes: Assessing changes that could significantly affect the internal control system.

Control Activities

  • Definition: Organizational policies and procedures that ensure directives aimed at mitigating risk are effectively executed.
  • Control activities span across all levels and stages of business processes.

Principles of Control Activities

  1. Risk Mitigation: Selecting and developing control activities that substantially reduce risks concerning objectives.
    • Examples include Performance Reviews, Physical Controls, Segregation of Duties, Information Processing Controls.
  2. Technology Control Activities: Implementing general controls over technology to bolster objective achievement.
  3. Policy Deployment: Control activities manifest through well-defined procedures that translate policies into actions.

Segregation of Duties

  • Importance: Minimizing opportunities for fraud or theft.
  • Key Functions to Separate: At least four distinct functions must be separated within operational duties.

Information and Communication

  • Overview: Information must be precise for effective internal controls.
  • Communication occurs both internally and externally, helping to relay responsibilities and insights regarding internal control efficacy.

Principles of Information and Communication

  1. Relevant Information Utilization: Timely and accurate information supports essential internal control operations.
    • Considerations include:
      • Valid transaction identification and recording.
      • Proper transaction classification and measurement.
      • Accurate transaction timing and presentation.
  2. Internal Communication: Information flow regarding objectives and responsibilities is essential for internal control effectiveness.
  3. External Communication: Interacting with external parties on matters impacting internal control functionalities.

Monitoring of Controls

  • Definition: This involves ongoing evaluations to ascertain control performance.
  • Findings and Deficiencies: Evaluated findings are communicated swiftly to pertinent parties.

Principles of Monitoring Controls

  1. Ongoing Evaluations: Organizations must choose, develop, and perform evaluations to ensure internal control components operate effectively.
  2. Deficiency Communication: Internal control deficiencies must be swiftly communicated to relevant stakeholders for corrective action.

Auditor Understanding of Internal Control

Auditor's Objective

  • Auditors must comprehend each of the internal control components for effective audit planning, leading to:
    • Identifying misstatement types.
    • Highlighting controls aimed at mitigating material misstatement risks.
    • Designing appropriate tests for controls and substantive procedures.

Factors Necessitating IT Specialist Assistance

  • Complexity of IT systems and controls, significant changes, extent of data sharing, participation in e-commerce, use of emerging technologies, and availability of audit evidence.

Auditors Gaining an Understanding of Internal Controls

  • Several methods exist to ascertain internal control, including:
    • Reviewing prior year control procedures.
    • Engaging in conversations surrounding changes.
    • Interviewing personnel for transaction processes.
    • Observing processes in action or utilizing internal audit reviews.

Documentation of Internal Control Understanding

  • Methods include:
    • Procedures manuals and organizational charts.
    • Flowcharts.
    • Internal Control Questionnaires.
    • Narrative descriptions.

Planning an Audit Strategy

Application of Audit Risk Model

  • Assessment of Control Risk: Evaluating identified controls that will influence planned control risk assessments.

Control Risk Assessment Steps

  1. Identify Key Controls: Specify controls relied upon in the audit.
  2. Perform Tests of Controls: Validate effectiveness of identified controls.
  3. Conclude Control Risk Level: Deduce the achieved level of control risk based on tests performed.