Chapter Six
Internal Control in a
Financial Statement
Audit
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Internal Control
Management has the responsibility to maintain controls that
provides reasonable assurance that adequate control exists
over the entity’s assets and records.
The Internal Control System should:
-ensure that assets and records are safeguarded
-create an environment in which efficiency and
effectiveness are encouraged and monitored
-generate reliable information for decision-making
The auditor needs assurance about the reliability of the data
generated by the information system.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Internal Control
The auditor uses risk assessment procedures to
-obtain an understanding of the entity’s internal control
-identify the types of potential misstatements
-ascertain factors that affect the risk of material
misstatement
-design tests of controls and substantive procedures
The auditor’s understanding of the internal control is a
major factor in determining the overall audit strategy.
The auditor has a responsibility to:
(1) obtain an understanding of internal control and
(2) assess control risk.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Internal Control
Objectives
Reliability of
Financial
Reporting
Effectiveness &
Efficiency of
Operations
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Compliance
with Laws &
Regulations
Controls Relevant to the Audit
Objectives
Reliability of
Financial
Reporting
Effectiveness
& Efficiency
of Operations
Compliance
with Laws &
Regulations
Generally, internal controls pertaining to the
preparation of financial statements for external
purposes are relevant to an audit.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Controls Relevant to the Audit
Objectives
Reliability of
Financial
Reporting
Effectiveness
& Efficiency
of Operations
Compliance
with Laws &
Regulations
Controls relating to operations and compliance
objectives may be relevant when they relate to data the
auditor uses to apply auditing procedures.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
The Effect of Information Technology on
Internal Control
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Components of Internal Control
Entity’s Risk
Assessment
Process
Control
Environment
Information System and
Related Business Processes
Relevant to Financial Reporting
& Communication
Control
Activities
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Monitoring of
Controls
Components of Internal Control
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Components of Internal Control
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
The Effect of Information Technology on
Internal Control
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
The Entity’s Risk Assessment Process
The risk assessment process should consider external and
internal events and circumstances that may arise and
adversely affect the entity’s ability to initiate, record, process
and report financial data consistent with the assertions of
management in the financial statements.
Client business risk can arise or change due to the following
circumstances:
Changes in the
operating
environment
New personnel
Rapid growth
New or revamped
information
systems
New technology
Corporate
restructuring
Expanded
international
growth
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
New accounting
pronouncements
New business
models, products,
or activities
Information Systems and
Communication
An effective accounting system gives appropriate
consideration to establishing methods and records that
will:
1. Identify and record all valid transactions.
2. Describe on a timely basis the transactions in sufficient detail to
permit proper classification of transactions for financial
reporting.
3. Measure the value of transactions in a manner that permits
recording their proper monetary value in the financial statements.
4. Determine the time period in which transactions occurred to
permit recording of transactions in the proper accounting period.
5. Properly present the transactions and related disclosures in the
financial statements.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Control Activities
Control activities are the policies and procedures
that help ensure that management’s directives are
carried out. Those control activities that are
relevant to the audit include:
Performance
reviews
Physical
controls
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Information
processing
Segregation
of duties
Monitoring of Controls
Monitoring of controls is a process
that assesses the quality of internal
control performance over time.
Internal
Auditors
An effective internal audit
function has clear lines of
authority and reporting,
qualified personnel, and
adequate resources to enable
these personnel to carry out
their assigned duties.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Planning an Audit Strategy
Audit Risk Model
AR = IR × CR × DR
In applying the audit risk model, the
auditor must assess control risk. The
figure on the next slide presents a
flowchart of the auditor’s decision
process when considering internal
control in planning an audit.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Planning an Audit Strategy
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Substantive Strategy
After obtaining an understanding of internal control, an
auditor may choose to follow a substantive strategy and
set control risk at the maximum for some or all
assertions because of one or all of the following factors:
Controls do not
pertain to an
assertion.
Controls are
assessed as
ineffective.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Testing the
effectiveness
of controls is
inefficient.
Reliance Strategy
Obtain
Understanding of
Internal Control
Plan to Rely on
Internal Control and
Assess Control Risk
Below Maximum
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Assertions
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Obtain an Understanding
of Internal Control
The auditor should obtain an understanding of
each of the five components of internal control in
order to plan the audit. This knowledge is used
to:
Pinpoint the
factors that affect
the risk of material
misstatement
Identify types of
potential
misstatements
Design tests of
controls and
substantive
procedures
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Example Information & Documentation
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Obtain an Understanding
of Internal Control
1. Understand the control environment.
2. Understand the entity’s risk assessment
process.
3. Understand the information system and
communications.
4. Understand control activities.
5. Understand monitoring of controls.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
Documenting the Understanding
of Internal Control
Procedure Manuals
and Organisational
Charts
Narrative Description
Internal Control
Questionnaires
Flowcharts
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin
The Effect of Entity Size
on Internal Control
While the basic concepts of the five
components should be present in all
entities, they are likely to be less formal in a
small or midsize entity than in a large entity.
© The McGraw-Hill Companies 2010
McGraw-Hill/Irwin