MODERN AUDITING 7th Edition - California State University


MODERN AUDITING
7th Edition
William C. Boynton
California Polytechnic State
University at San Luis Obispo
Raymond N. Johnson
Portland State University
Walter G. Kell
University of Michigan
Developed by:
Gregory K. Lowry, MBA, CPA
Saint Paul’s College
John Wiley & Sons, Inc.
CHAPTER 9
UNDERSTANDING INTERNAL CONTROL
Introduction to Internal Control
Components of Internal Control
Obtaining an Understanding of
Internal Control
Documenting the Understanding
Importance of Internal Control
A 1947 publication by the AICPA entitled Internal
Control cited the following factors as contributing to the
expanding recognition of the significance of internal
control:
1. The scope and size of the business entity has become
so complex and widespread that management must
rely on numerous reports and analyses to effectively
control operations.
2. The check and review inherent in a good system of
internal control affords protection against human
weaknesses and reduces the possibility that errors or
irregularities will occur.
3. It is impracticable for auditors to make audits of most
companies within economic fee limitations without
relying on the client’s system of internal control.
The Foreign Corrupt Practices Act (FCPA) was passed in
1977. Under this Act, management and directors of
companies subject to reporting requirements of
the Securities Exchange Act of 1934, whether or not they
operate outside the U.S., are required to comply with
antibribery and accounting standards provisions.
10 years later, the National Commission on Fraudulent
Financial Reporting (Treadway Commission)
reemphasized the importance of internal control in
reducing the incidence of fraudulent financial reporting.
Finally, following up the last recommendation of the
Treadway Commission, in 1992 the Committee of
Sponsoring Organizations (COSO) of the Treadway
Commission issued a report entitled Internal Control
— Integrated Framework.
Definition and Components
The COSO defines internal control as follows:
Internal Control is a process, effected by an
entity’s board of directors, management, and
other personnel, designed to provide
reasonable assurance regarding the
achievement of objectives in the following
categories:
1. Reliability of financial reporting.
2. Compliance with applicable laws and
regulations.
3. Effectiveness and efficiency of operations.
To provide a structure for considering the
many possible controls related to the
achievement of an entity’s objectives, the
COSO report identifies 5 interrelated
components of internal control which are:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
Entity Objectives and Related
Internal Control Relevant to an Audit
Other objectives and related controls may also be
relevant if they pertain to data the auditor uses in
applying audit procedures. Examples include objectives
and related controls that pertain to:
1. Nonfinancial data used in analytical procedures, such
as the number of employees, the entity’s
manufacturing capacity and volume of goods
manufactured, and other production and marketing
statistics.
2. Certain financial data developed primarily for internal
purposes, such as budgets and performance data, used
by the auditor to obtain evidence about the amounts
reported in the financial statements.
Limitations of an Entity’s
Internal Control
AU 319.16-.18, Consideration of Internal Control
in a Financial Statement Audit, identifies the
following inherent limitations that explain why
internal control, no matter how well designed and
operated, can provide only reasonable assurance
regarding achievement of an entity’s control
objectives.
1. Mistakes in judgment.
2. Breakdowns.
3. Collusion.
4. Management override.
5. Cost versus benefits.
Roles and Responsibilities
The COSO report concludes that everyone in an
organization has some responsibility for, and is
actually a part of, the organization’s internal
control. Several responsible parties and their
roles are as follows:
1. Management. It is management’s
responsibility to establish effective internal
control.
2. Board of directors and audit committee.
Board members, as part of their general
governance and oversight responsibilities,
should determine that management meets
its responsibilities for establishing and
maintaining internal control.
3. Internal auditors. Internal auditors should
periodically examine and evaluate the adequacy
of an entity’s internal control and make
recommendations for improvements, but they do
not have primary responsibility for establishing
and maintaining internal control.
4. Other entity personnel. All other personnel who provide
information to, or use information provided by,
systems that include internal control, should
understand that they have a responsibility to
communicate any problems with noncompliance
with controls or illegal acts of which they become
aware to a higher level in the organization.
5. Independent auditors. As a result of
procedures in an audit of financial
statements, an external auditor may discover
deficiencies in internal control that he or she
communicates to management, the audit
committee, or the board, together with
recommendations for improvement.
6. Other external parties. Legislators and
regulators establish minimum statutory and
regulatory requirements for the
establishment of internal controls by certain
entities.
Control Environment
The control environment sets the tone of an
organization, influencing the control
consciousness of its people. Numerous factors
comprise the control environment in an entity.
Among these are the following (AU 319.25):
1. Integrity and ethical values
2. Commitment to competence
3. Board of directors and audit committee
4. Management’s philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices
Risk Assessment
Risk assessment for financial
reporting purposes is an entity’s
identification, analysis, and
management of risks relevant to
the preparation of financial
statements that are fairly
presented in conformity with
generally accepted accounting
principles (AU 319.28).
Management’s risk assessment should also include
special consideration of the risks that can arise
from changed circumstances described in AU
319.29:
1. Changes in operating environment
2. New personnel
3. New or revamped information systems
4. Rapid growth
5. New technology
6. New lines, products, or activities
7. Corporate restructurings
8. Foreign operations
9. Accounting pronouncements
Information and Communication
The information and communication system
relevant to financial reporting objectives,
which includes the accounting system,
consists of the methods and records
established to identify, assemble, analyze,
classify, record, and report entity
transactions (as well as events and
conditions) and to maintain accountability
for the related assets and liabilities.
Communication involves providing a clear
understanding of individual roles and
responsibilities pertaining to internal
control over financial reporting (AU 319.34).
Transactions consist of exchanges of assets and
services between an entity and outside parties, as
well as the transfer or use of assets and services
within an entity. An effective accounting system
should:
1. Identify and record only the valid transactions of
the entity that occurred in the current period
(existence or occurrence assertion).
2. Identify and record all valid transactions of the
entity that occurred in the current period
(completeness assertion).
3. Ensure that recorded assets and liabilities are the
result of transactions that produced entity rights
to, or obligations for, those items (rights and
obligations assertion).
4. Measure the value of transactions in a manner
that permits recording their proper monetary
value in the financial statements (valuation or
allocation assertion).
5. Capture sufficient detail of all transactions to
permit their proper presentation in the financial
statements, including proper classification and
required disclosure (presentation and disclosure
assertion).
Control Activities
Control activities are those policies
and procedures that help ensure that
management directives are carried out.
They help ensure that necessary
actions are taken to address risks to
achievement of the entity’s objectives.
Control activities have various
objectives and are applied at various
organizational and functional levels
(AU 319.32).
Traditional Segregation of Duties
Figure 9-1
IT Functions Requiring Segregation
Figure 9-2
Reconstruction of Data Files
Figure 9-3
Monitoring
Monitoring is a process that assesses the quality
of internal control performance over time. It
involves assessing the design and operation of
controls on a timely basis and taking necessary
corrective actions (AU 319.38).
1. Monitoring can occur through ongoing
activities.
2. Monitoring can also occur through separate
periodic evaluations.
3. Management and the audit committee should
be conscious of IT risks and monitor the
performance of internal control in the IT
environment.
4. Accounting officers should be conscious of IT
risks and monitor these risks on an ongoing
basis.
5. The audit committee might charge internal
audit with periodic reviews of IT risks and
controls.
6. Management may receive information from
regulators, such as bank examiners, and
external auditors about weaknesses and
recommended improvements.
Applications of Components to
Small and Midsize Entities
AU 319.15 identifies the following factors to be
considered in deciding on how to implement each
of the 5 components:
1. The entity’s size
2. Its organization and ownership characteristics
3. The nature of its business
4. The diversity and complexity of its operation
5. Its methods of processing data
6. Its applicable legal and regulatory
requirements
Components of Internal Control
Figure 9-4

Component: Control Environment
Description relative to financial reporting: Sets the tone for an
organization; influences control consciousness of its people; is the
foundation for all other components of internal control.
Key factors: Control environment factors:
• Integrity and ethical values.
• Commitment to competence.
• Board of directors and audit committee.
• Management’s philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and procedures.
Important IT factors:
• Involvement of management in setting policies for developing,
modifying, and using computer programs and data.
• Form of organizational structure of data processing.
• Methods of assigning authority and responsibility over computer
systems documentation, including procedures for authorizing
transactions and approving systems changes.

Component: Risk Assessment
Description relative to financial reporting: Entity’s identification,
analysis, and management of risks relevant to the preparation of
financial statements that are fairly presented in conformity to GAAP.
Key factors: Process should consider:
• Relationship of risks to specific financial statement assertions and
the related activities of recording, processing, summarizing, and
reporting financial data.
• Internal and external events and circumstances.
• Special consideration of changes in circumstances.
Similar to auditor’s assessment of inherent risk.
Important IT factors: Assessment of risk:
• Transaction trail may be available for only a short period of time.
• Reduced documentary evidence of performance of controls.
• Files and records usually cannot be read without a computer.
• Decreased human involvement in computer processing can obscure errors
that might be observed in manual systems.
• IT system vulnerability to physical disaster, unauthorized
manipulation, and mechanical malfunction.
• IT systems may reduce traditional segregation of duties.
• Changes in systems are more difficult to implement and control.

Component: Information and Communication
Description relative to financial reporting: The information system
includes the accounting system and consists of the methods and records
established to identify, assemble, analyze, classify, record, and
report entity transactions and maintain accountability for related
assets and liabilities; communication involves providing a clear
understanding of individual roles and responsibilities pertaining to
internal control over financial reporting.
Key factors: Focus of accounting system is on transactions:
• Effective accounting system should result in the handling of
transactions in a way that prevents misstatements in management’s
financial statement assertions.
• System should provide a complete audit or transaction trail.
Includes policy manuals, charts of accounts, and memoranda.
Important IT factors:
• Transaction may be initiated by computer.
• Audit trail may be in electronic form.
• How data is converted from source documents to machine-sensible form.
• How computer files are accessed and updated.
• Computer processing involvement from initiation of transaction to
inclusion in financial statements.
• Computer involvement in reporting process used to prepare financial
statements.

Component: Control Activities
Description relative to financial reporting: Policies and procedures
that help ensure that management directives are carried out and that
necessary actions are taken to address risks to achievement of entity
objectives; have various objectives and are applied at various
organizational and functional levels.
Key factors: Categories:
• Segregation of duties.
• Information processing controls:
  • General controls.
  • Application controls.
• Physical controls.
• Performance reviews.
Important IT factors: General controls:
• Organization and operation control.
• Systems development and documentation control.
• Hardware and system software controls.
• Access controls.
• Data and procedural controls.
Application controls:
• Input.
• Processing.
• Output.

Component: Monitoring
Description relative to financial reporting: Processes by appropriate
personnel that assess the quality of internal control over time;
includes assessment of design, whether operating as intended, and
whether modified as appropriate for changed conditions.
Key factors: Can occur through:
• Ongoing activities.
• Separate periodic evaluations.
May include input from:
• Internal sources such as management and internal auditors.
• External sources such as customers, suppliers, regulators, and
external auditors.
Important IT factors: IT may be monitored in a similar fashion to
other internal controls.
Obtaining an Understanding of
Internal Control
The auditor’s methodology for meeting the
second standard of fieldwork involves 3 major
activities:
1. Obtaining a sufficient understanding of the
components of internal control to plan the
audit.
2. Assessing control risk for each significant
assertion contained in the account balance,
transaction class, and disclosure
components of the financial statements.
3. Designing substantive tests for each
significant financial statement assertion.
Obtaining an understanding involves
performing procedures to:
1. Understand the design of policies
and procedures related to each
component of internal control.
2. Determine whether the policies and
procedures have been placed in
operation.
AU 319.19 indicates that the
understanding of internal control should
be used to:
1. Identify types of potential
misstatements.
2. Consider factors that affect the risk of
material misstatement.
3. Design substantive tests to provide
reasonable assurance of detecting the
misstatements related to specific
assertions.
Procedures to Obtain an
Understanding
AU 319.41 suggests that the procedures
to obtain an understanding consist of:
1. Reviewing previous experience with
the client
2. Inquiring of appropriate management,
supervisory, and staff personnel
3. Inspecting documents and records
4. Observing entity activities and
operations
Documenting the Understanding
Documenting the understanding of
internal control is required in all
audits. AU 319.44 states that the
form and extent of documentation
is influenced by the size and
complexity of the entity, and the
nature of the entity’s internal
control. There are 4 forms of
documentation commonly used by
auditors.
Questionnaires
A questionnaire consists of a
series of questions about
internal control that the
auditor considers necessary to
prevent material
misstatements in the financial
statements.
Flowcharts
A flowchart is a schematic
diagram using standardized
symbols, interconnecting flow
lines, and annotations that
portray the steps involved in
processing information
through the accounting
system.
Decision Tables
A decision table is a matrix used to
document the logic of a computer
program. Decision tables usually have 3
key components:
1. conditions related to accounting
transactions,
2. actions taken by the computer
program,
3. decision rules that link each combination
of conditions to the actions to be taken.
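As an added illustration (not from the textbook), the following Python decision table documents the logic of a small cash-receipts posting program: the customer and invoice master data, the conditions, the actions, and the rule columns are all constructed here, and check_table applies the completeness and ambiguity check an auditor would want to see for the documented logic.

```python
from itertools import product

# Constructed master-file data standing in for the customer file and the
# open-invoice (accounts receivable) file; not real client data.
CUSTOMERS = {"C100", "C200"}
OPEN_INVOICES = {"INV-1": 500.00, "INV-2": 1200.00}

# Conditions: yes/no questions the program asks about each cash receipt.
CONDITIONS = [
    ("customer_on_file", lambda r: r["customer_id"] in CUSTOMERS),
    ("invoice_open", lambda r: r["invoice"] in OPEN_INVOICES),
    ("amount_matches", lambda r: OPEN_INVOICES.get(r["invoice"]) == r["amount"]),
]

# Decision rules: one table column each. The pattern has one entry per
# condition ("Y", "N", or "-" for don't care); the list is the actions taken.
RULES = [
    ("R1", ["N", "-", "-"], ["hold_in_suspense", "write_exception_report"]),
    ("R2", ["Y", "N", "-"], ["hold_in_suspense", "write_exception_report"]),
    ("R3", ["Y", "Y", "N"], ["post_to_cash", "hold_difference_in_suspense",
                             "write_exception_report"]),
    ("R4", ["Y", "Y", "Y"], ["post_to_cash", "post_to_ar"]),
]


def evaluate_conditions(receipt):
    """Answer every condition for one receipt, in table order."""
    return ["Y" if test(receipt) else "N" for _, test in CONDITIONS]


def rule_matches(pattern, answers):
    return all(p == "-" or p == a for p, a in zip(pattern, answers))


def decide(receipt):
    """Return (rule_id, actions) for the first rule column that matches."""
    answers = evaluate_conditions(receipt)
    for rule_id, pattern, actions in RULES:
        if rule_matches(pattern, answers):
            return rule_id, actions
    raise ValueError(f"no rule covers condition answers {answers}")


def check_table():
    """Audit the table itself rather than the transactions: every Y/N
    combination must be covered by a rule, and no combination should be
    claimed by more than one rule (an ambiguous, order-dependent table)."""
    uncovered, ambiguous = [], []
    for combo in product("YN", repeat=len(CONDITIONS)):
        hits = [rid for rid, pattern, _ in RULES if rule_matches(pattern, combo)]
        if not hits:
            uncovered.append("".join(combo))
        elif len(hits) > 1:
            ambiguous.append(("".join(combo), hits))
    return uncovered, ambiguous


if __name__ == "__main__":
    # Constructed receipts: clean match, unknown customer, closed invoice, short payment.
    receipts = [
        {"customer_id": "C100", "invoice": "INV-1", "amount": 500.00},
        {"customer_id": "C999", "invoice": "INV-1", "amount": 500.00},
        {"customer_id": "C100", "invoice": "INV-9", "amount": 500.00},
        {"customer_id": "C200", "invoice": "INV-2", "amount": 1000.00},
    ]
    for receipt in receipts:
        print(receipt["customer_id"], receipt["invoice"], decide(receipt))
    print("uncovered:", check_table()[0], "ambiguous:", check_table()[1])
```

A rule set that leaves a condition combination uncovered, or that lets two columns claim the same combination, is exactly what the auditor is looking for when reviewing the client's documented program logic.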
Narrative Memoranda
A narrative memorandum
consists of written comments
concerning the auditor’s
consideration of internal
controls.
Information Technology and
Internal Control
Appendix 9A
The auditor should be familiar
with the following components
of an IT system:
1. Hardware
2. Software
3. Data organization and
processing methods
Batch Entry/Batch Processing
Figure 9A-2
On-Line Entry/Batch Processing
Figure 9A-3
Benefits and Risks of IT Systems
In order to understand internal control in a
computer environment, it is important to
understand the benefits and risks of IT systems.
The major benefits of IT systems over manual
systems include the following:
1. IT systems can provide greater consistency in
processing than manual systems because they
uniformly subject all transactions to the same
controls.
2. More timely computer-generated accounting
reports may provide management with more
effective means of analyzing, supervising, and
reviewing the operations of the company.
Important risks of IT systems over manual systems
include the following:
1. The IT system may produce a transaction trail
that is available for audit for only a short period
of time.
2. There is often less documentary evidence of
the performance of control procedures in
computer systems.
3. Files and records in IT systems are usually in
machine-sensible form and cannot be read
without a computer.
4. The decrease of human involvement in computer
processing can obscure errors that might be
observed in manual systems.
5. IT systems may be more vulnerable to physical
disaster, unauthorized manipulation, and
mechanical malfunction than information in
manual systems.
6. Various functions may be concentrated in IT
systems, with a corresponding reduction in the
traditional segregation of duties followed in
manual systems.
7. Changes in the system are often more difficult to
implement and control in IT systems than in
manual systems.
Overview of Computer Controls
Figure 9A-5
Comprehensive Flowcharting Illustration
Appendix 9B
Most auditors prepare flowcharts for each
material class of transactions. Most flowcharts
include:
1. The flow of transactions from initiating the
transactions to their summarization in the
general ledger.
2. The key functions included in the flowchart.
3. The documentary audit trail.
4. Key reports produced by the accounting
system.
5. Computer programs and files where information
is stored.
System Flowchart — Cash Receipts
Transactions
Figure 9B-2
Copyright
Copyright 2001 John Wiley & Sons, Inc. All rights
reserved. Reproduction or translation of this work
beyond that permitted in Section 117 of the 1976
United States Copyright Act without the express
written permission of the copyright owner is
unlawful. Request for further information should
be addressed to the Permissions Department, John
Wiley & Sons, Inc. The purchaser may make backup
copies for his/her own use only and not for
distribution or resale. The Publisher assumes no
responsibility for errors, omissions, or damages,
caused by the use of these programs or from the
use of the information contained herein.