Chapter Six

Internal Control in a
Financial Statement
Audit

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Internal Control
Management has the responsibility to maintain controls that
provides reasonable assurance that adequate control exists
over the entity’s assets and records.
The Internal Control System should:
-ensure that assets and records are safeguarded
-create an environment in which efficiency and
effectiveness are encouraged and monitored
-generate reliable information for decision-making
The auditor needs assurance about the reliability of the data
generated by the information system.

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Internal Control
The auditor uses risk assessment procedures to
-obtain an understanding of the entity’s internal control
-identify the types of potential misstatements
-ascertain factors that affect the risk of material

misstatement
-design tests of controls and substantive procedures
The auditor’s understanding of the internal control is a
major factor in determining the overall audit strategy.
The auditor has a responsibility to:
(1) obtain an understanding of internal control and
(2) assess control risk.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Internal Control
Objectives

Reliability of
Financial
Reporting

Effectiveness &
Efficiency of
Operations

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin

Compliance
with Laws &
Regulations



Controls Relevant to the Audit
Objectives

Reliability of
Financial
Reporting

Effectiveness
& Efficiency
of Operations

Compliance
with Laws &
Regulations

Generally, internal controls pertaining to the
preparation of financial statements for external
purposes are relevant to an audit.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Controls Relevant to the Audit
Objectives

Reliability of
Financial
Reporting

Effectiveness

& Efficiency
of Operations

Compliance
with Laws &
Regulations

Controls relating to operations and compliance
objectives may be relevant when they relate to data the
auditor uses to apply auditing procedures.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


The Effect of Information Technology on
Internal Control

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Components of Internal Control
Entity’s Risk
Assessment
Process

Control
Environment

Information System and

Related Business Processes
Relevant to Financial Reporting
& Communication

Control
Activities

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin

Monitoring of
Controls


Components of Internal Control

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Components of Internal Control

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


The Effect of Information Technology on
Internal Control

© The McGraw-Hill Companies 2010

McGraw-Hill/Irwin


The Entity’s Risk Assessment Process
The risk assessment process should consider external and
internal events and circumstances that may arise and
adversely affect the entity’s ability to initiate, record, process
and report financial data consistent with the assertions of
management in the financial statements.
Client business risk can arise or change due to the following
circumstances:
Changes in the
operating
environment

New personnel
Rapid growth

New or revamped
information
systems

New technology
Corporate
restructuring

Expanded
international
growth


© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin

New accounting
pronouncements

New business
models, products,
or activities


Information Systems and
Communication
An effective accounting system gives appropriate
consideration to establishing methods and records that
will:
1. Identify and record all valid transactions.
2. Describe on a timely basis the transactions in sufficient detail to
permit proper classification of transactions for financial
reporting.
3. Measure the value of transactions in a manner that permits
recording their proper monetary value in the financial statements.
4. Determine the time period in which transactions occurred to
permit recording of transactions in the proper accounting period.
5. Properly present the transactions and related disclosures in the
financial statements.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin



Control Activities
Control activities are the policies and procedures
that help ensure that management’s directives are
carried out. Those control activities that are
relevant to the audit include:
Performance
reviews

Physical
controls
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin

Information
processing

Segregation
of duties


Monitoring of Controls
Monitoring of controls is a process
that assesses the quality of internal
control performance over time.

Internal
Auditors

An effective internal audit
function has clear lines of

authority and reporting,
qualified personnel, and
adequate resources to enable
these personnel to carry out
their assigned duties.

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Planning an Audit Strategy

Audit Risk Model
AR = IR × CR × DR
In applying the audit risk model, the
auditor must assess control risk. The
figure on the next slide presents a
flowchart of the auditor’s decision
process when considering internal
control in planning an audit.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Planning an Audit Strategy

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin



Substantive Strategy
After obtaining an understanding of internal control, an
auditor may choose to follow a substantive strategy and
set control risk at the maximum for some or all
assertions because of one or all of the following factors:

Controls do not
pertain to an
assertion.

Controls are
assessed as
ineffective.

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin

Testing the
effectiveness
of controls is
inefficient.


Reliance Strategy
Obtain
Understanding of
Internal Control
Plan to Rely on
Internal Control and
Assess Control Risk

Below Maximum
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Assertions

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Obtain an Understanding
of Internal Control
The auditor should obtain an understanding of
each of the five components of internal control in
order to plan the audit. This knowledge is used
to:
Pinpoint the
factors that affect
the risk of material
misstatement

Identify types of
potential
misstatements

Design tests of
controls and
substantive
procedures

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Example Information & Documentation

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Obtain an Understanding
of Internal Control
1. Understand the control environment.
2. Understand the entity’s risk assessment
process.
3. Understand the information system and
communications.
4. Understand control activities.
5. Understand monitoring of controls.

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


Documenting the Understanding
of Internal Control
Procedure Manuals
and Organisational
Charts


Narrative Description

Internal Control
Questionnaires

Flowcharts

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin


The Effect of Entity Size
on Internal Control
While the basic concepts of the five
components should be present in all
entities, they are likely to be less formal in a
small or midsize entity than in a large entity.

© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin