Transcript Learning Objectives LO5 Document an accounting system to identify key controls and weaknesses in order to assess control risk. LO6 Write key control tests.

1
Learning Objectives
LO5 Document an accounting system to identify
key controls and weaknesses in order to assess
control risk.
LO6 Write key control tests for an audit
program.
LO7 Outline the auditor’s responsibility when
internal control evaluation work detects or
indicates a significant control deficiency or a
high risk of fraudulent misstatement.
2
Application Control Activities
Specific procedures used in each accounting
process to meet the relevant control objectives.
LO5
3
Documentation of Control
Elements
Documentation of the control structure shows
the audit team’s understanding of internal
controls and the basis of decisions reached.

A number of tools are available to the auditor
for documentation:
 internal

control questionnaires,
formal interview using a checklist,
 narratives,
and
 flowcharts.
LO5
4
Internal Control Questionnaire
(ICQ) and Narrative
The most efficient means of gathering evidence
about internal control is to conduct a formal
interview with knowledgeable managers.

The ICQ is a form of checklist covering the
control objectives.
 Use
of an ICQ assists the auditor in covering all
the important points.
 An ICQ is designed so that a response of “no”
typically indicates a control weakness.
LO5
5
Accounting and Control
System Flowcharts
A picture is worth a thousand words.

Flowcharts can enhance auditors’ evaluations
and updating a flow chart is relatively easy.
 Initial
preparation of a flow chart is time
consuming. In some cases, control conscious
businesses will have already prepared the flow
charts.
LO5
6
Flowchart Guidelines





Standardized flow chart symbols should be used.
Flowcharts should be drawn with a ruler and
template, or by computer software.
The flowchart should progress from top to bottom,
from left to right wherever possible.
All relevant information should be on the flowchart,
including explanations.
Columns can be used for the various departments to
demonstrate segregation of responsibilities.
LO5
7
Stopping Risk Assessment
Work
Auditors may decide to stop evaluation work in
Phase 1 for two reasons:

Control is too poor to justify reliance.
 Control
risk is set at maximum.
 Goal is audit effectiveness.

Cost/benefit of reliance is not justified, although
control is good.
 Goal
is audit efficiency.
LO5
8
Phase 2 – Assessing the
Control Risk
Following Phase 1, the auditor should
make a preliminary assessment of
control risk. This involves:





identifying specific control objectives,
identifying points in the flow of transactions where
misstatements could occur,
identifying specific control procedures in place,
identifying the control procedures that must function
to prevent or detect the misstatements, and
evaluating the design of control procedures to
determine if it will be effective to test these controls.
LO5
9
Assessing the Control Risk
A useful assessment technique is to analyze control
strengths and weaknesses.
 Strengths are controls that should prevent,
detect, or correct errors. Control strengths will
be further tested.
 Weaknesses are the lack of controls that would
allow material misstatements to get by
undetected.
 A bridge working paper can be used to connect
the control evaluation to subsequent
procedures.
LO5
10
Control Risk in Complex IT and
Ecommerce Environments
Business Internet and IT use have an impact on
control risk.


Many business models incorporate the Internet.
Auditors are concerned with the security of IT
processing
LO5
11
Ecommerce Control Aspects
For an auditee that engages in ecommerce, the
following aspects of internal control are
particularly relevant:



Security
Transaction integrity
Process alignment
LO5
12
Security
External access to the auditee’s information
system though the internet creates security
risks.

Control environment should address this
increased risk.
LO5
13
Transaction Integrity
Risks related to the recording and processing of
ecommerce transactions include the
completeness, accuracy, timeliness, and
authorization of information in the financial
records.

Control activities related to transaction integrity
are required.
LO5
14
Process Alignment
Process alignment refers to the integration of IT
systems so that they operate as one system.


Control objectives for manual and IT-based
systems are the same.
The points in the system where misstatements
might occur are at input, processing, and
output.
LO5
15
Input
Inputs include:




Activities related to source data preparation.
Manual procedures applied to source data.
Source data are converted into computerreadable form.
Input files are identified for use in processing.
LO5
16
Processing
Processing activities include:



Information being transferred from one program
to another.
Computer –readable files are used to supply
additional information.
Transactions are initiated by the computer
LO5
17
Output
Output activities include:




Output files are created / master files are
updated.
Master files are changed outside the normal
flow of transactions.
Output reports or files are produced.
Errors identified by control procedures are
corrected.
LO5
18
Manual and IT Controls over
Information Processing
Use of IT systems for financial reporting will
include manual elements.

Controls over manual processed also need to
be considered.
LO5
19
Assessing the Control Risk
The information gathered about the client’s
control environment, the accounting system
and the control procedures should enable
the auditor to reach one of three
conclusions.

The auditor is required to make the control
evaluation for classes of transactions and account
balances at the assertion level.

Control risk for some assertions regarding a given
balance might be low, and for other assertions
regarding the same balance, the control risk might
be high.
LO5
20
Phase 2 - Conclusions
1.
2.
3.
Control risk may be assessed low, and it seems
efficient and cost-effective to test controls
leading to a combined approach.
Control risk may be assessed low, but it would
not be cost-effective or efficient to test those
controls. Substantive procedures will provide
evidence cheaper than a combined approach.
Control risk is assessed high, the auditor will
concentrate on substantive procedures and not
test controls.
LO5