Every audit firm has its approach for understanding a client’s internal control structure. Some firms use a standardized internal control questionnaire to evaluate controls that are in place whereas other firms do not rely on internal controls at all and plan their audits as if there are no controls in place or consider controls as not effective. Evaluate each of these approaches to assess a client’s internal controls from an external auditor’s perception. Include in your evaluation: What effect, if any, does the size of the organization have on the decision? What are the auditing standard requirements for obtaining an understanding of internal controls? What are the differences, if any, in understanding internal controls for a public company versus a non-public company? Prepare a report evaluating each approach. Also include your opinion on which approach is better and why. Your report should meet the following criteria: Be 3-4 pages in length, not including the title and references pages. Demonstrate your comprehension of the course material. Use professional business language.
What are Internal Controls?
Internal controls are policies and procedures put in place by
management to ensure that company financial statements represent
a true & fair position.
Example of Internal Control - BRS: A bank reconciliation statement
is a key internal control measure used by auditors to check the
truthfulness of bank balances in the financials. A bank
reconciliation is a document that matches the cash balance on the
company’s books to the corresponding amount on its bank statement.
Reconciling the two accounts helps the auditor in getting to know
if any fake sales are not booked to inflate sales or any checks are
written which are fictitious.
The objective of the auditor is to identify and assess the risk of
material misstatement, whether due to fraud or mistakes. It
includes understanding the entity and its environment and the
entity’s internal controls in order to design the proper audit
procedures to achieve the desired level of assurance.
Limitations of Internal Controls
Although management puts in place internal controls to ensure that
the financial statements are more reliable and less prone to error,
there are still limitations, such as corruption of top management.
No matter what internal control is in place, if management
overrides it and decides to input something else, there is no way
to stop the practice. Also, internal controls are designed to
address normal transactions and not unusual transactions. And
finally, there is the risk of human error due to employees making
mistakes during busy periods when transaction volumes are
significantly higher.
ELEMENTS OF INTERNAL CONTROL
1. Control Environment
The control environment at the top refers to the attitudes,
awareness, and actions of management and those charged with
governance towards internal controls. For example, with a less
committed and relaxed tone, lower level employees are less likely
to properly follow the internal controls in place.
2. Entity Risk Assessment
The entity’s risk assessment relates to how management evaluates
and responds to business risks.
3. Information Systems & Communication
The information systems component refers to how the company
captures, processes, reports, and communicates transaction
information.
4. Control Activities
Control activities refer to the specific detailed level policies
and procedures such as review of company performance through
variance analysis, physical and logical controls, and segregation
of duties.
Segregation of duties is an important internal control that
prevents a lot of problems, one of which is fraud.
5. Monitoring
Monitoring controls deal with management’s ongoing and periodic
assessment of the quality of the internal controls to determine
which controls need modification. Generally, internal auditors
manage this task.
The Auditor’s Role in the Internal Control Process
Once the auditor gains an understanding of the client’s system of
internal controls, the auditor must assess control risk. Control
risk is the risk that the client’s system of internal controls will
fail to prevent or detect and correct an error. If a client’s
system of internal controls is assessed below maximum, the auditor
must test the internal controls to ensure that they are functioning
in accordance with the auditor’s understanding.
Testing of internal controls includes making inquiries to
management and employees, inspecting source documents, observing
inventory counts, and actually re-performing client procedures.
Finally, the auditor will perform more substantive procedures to
reach its desired level of overall risk according to the audit
strategy.
Types of Audit Strategies:
1. Combined Audit Approach – Includes tests of controls and
substantive testing (this means that control risk is assessed to be
below maximum)
2. Purely Substantive Audit Approach – No tests of controls are
performed and only substantive tests are done (this means that
control risk is assessed to be maximum)
Type-1: Under the Combined Audit approach, auditors do not consider
the client's controls adequate & perform each & every test to
find the effectiveness of internal controls. They identify the
critical areas based on the business environment & perform each
& every test of controls.
This audit approach is used by auditors to verify the events and
transactions in the financial statements by covering the largest
volume of them. The principle of the substantive audit approach is
that when auditors cover the largest volumes with high value of
financial transactions and events in the financial statements,
there is less risk that material misstatements are uncovered. There
are two main principles involved with the substantive audit
approach. First, auditors review the client's internal control
system that is involved with the financial reporting system or the
areas being audited. For example, internal control on financial
reporting, internal control on cash collection, payment to
customers, and procurement etc. They do this by documenting all
key control areas, procedures, and related procedures. Once the
understanding of internal control is done, the auditor needs to
validate the key controls to ensure that all key control areas are
working properly and there are no overrides from management. At the
end of validating key controls, the auditor will then conclude
whether those key control areas are reliable or not. If they are
reliable, that means the risks of misstatements that could not be
detected by controls are low. And if the controls are not reliable,
then the risks of misstatement that might not be detected by
internal control over financial reporting are high. The substantive
audit testing really depends on the conclusion of internal control
testing. Technically, if the controls are concluded by auditors to
be strong, then auditors will not do much work on substantive
testing. That means fewer samples will be tested and verified.
However, in some situations, auditors might not test the client's
internal control based on their knowledge that the client's
internal control is concluded to be unreliable. In this situation,
auditors will decide not to test the key controls and they jump to
substantive tests. Because controls over financial reporting are
not reliable, to minimize the risks of material misstatements,
auditors need to have large sample sizes and it could reach 100%.
No matter how strong internal controls over financial reporting
are, the auditor could not rely 100% on those internal controls by
ignoring substantive tests. Substantive review still needs to be
done by the auditor.
Type-2: Under the Purely Substantive Audit approach, auditors
consider that the client has a mechanism of effective internal
controls & they perform substantive checks. Under this approach,
auditors generally rely on a checklist as per management standards
on internal control, policies & procedures & test the internal
controls based on evidence & reviews.
This approach is used by auditors when they have confidence in
the internal controls of the business. Auditors divide the business
into a complete set of activities like sales, purchase, treasury,
planning etc.
And then, based on their understanding, auditors prepare a set of
questions for testing of controls.
For example: To check the validity of other receivables in the
financials, the auditor will check the monthly review mechanism of
the entity & the sign-off done by maker & checker. This ensures
that the entity has control over its balance sheet items & they
perform regular reviews, so there is no risk of misstatement.
CHOICE OF STRATEGY
There are various factors which affect the auditor’s decision of
choosing between different strategies, namely size of organization
and management attitude toward internal controls.
Generally, if the size of the organization is larger, then these
are equipped with internal control policies & procedures. For
example, detailed policies on inventory valuation, reporting of
slow-moving inventory, procurement policies etc. So all the key
areas prone to misstatement are backed up by processes. Therefore
auditors prefer the Test of Control approach to check the risk of
misstatement in financial & other reporting areas. But if during
the audit it is observed that controls are not at all effective or
not existing, then the auditor may change its approach to give his
opinion on internal control.
AS 2201: An Audit of Internal Control Over Financial Reporting
That Is Integrated with An Audit of Financial Statements
Introduction
1. This standard establishes requirements regarding the process of
identifying and assessing risks of material misstatement of the
financial statements.
2. The objective of the auditor is to identify and appropriately
assess the risks of material misstatement, thereby providing a
basis for designing and implementing responses to the risks of
material misstatement.
Performing Risk Assessment Procedures
2. The auditor should perform risk assessment procedures that are
sufficient to provide a reasonable basis for identifying and
assessing the risks of material misstatement, whether due to error
or fraud, and designing further audit procedures.
. Risks of material misstatement can arise from a variety of
sources, including external factors, such as conditions in the
company's industry and environment, and company-specific factors,
such as the nature of the company, its activities, and internal
control over financial reporting. For example, external or
company-specific factors can affect the judgments involved in
determining accounting estimates or create pressures to manipulate
the financial statements to achieve certain financial targets.
Also, risks of material misstatement may relate to, e.g., personnel
who lack the necessary financial reporting competencies,
information systems that fail to accurately capture
business transactions, or financial reporting processes that are
not adequately aligned with the requirements in the applicable
financial reporting framework. Thus, the audit procedures that are
necessary to identify and appropriately assess the risks of
material misstatement include consideration of both external
factors and company-specific factors. This standard discusses the
following risk assessment procedures:
a. Obtaining an understanding of the company and its
environment
b. Obtaining an understanding of internal control over financial
reporting
c. Considering information from the client acceptance and retention
evaluation, audit planning activities, past audits, and other
engagements performed for the company
d. Performing analytical procedures
e. Conducting a discussion among engagement team members regarding
the risks of material misstatement
f. Inquiring of the audit committee, management, and others within
the company about the risks of material misstatement
6. In an integrated audit, the risks of material misstatement of
the financial statements are the same for both the audit of
internal control over financial reporting and the audit of
financial statements. The auditor's risk assessment procedures
should apply to both the audit of internal control over financial
reporting and the audit of financial statements.
Obtaining an Understanding of the Company and Its Environment
7. The auditor should obtain an understanding of the company and
its environment to understand the events, conditions, and company
activities that might reasonably be expected to have a significant
effect on the risks of material misstatement. Obtaining an
understanding of the company includes understanding:
a. Relevant industry, regulatory, and other external factors;
b. The nature of the company;
c. The company's selection and application of accounting
principles, including related disclosures;
d. The company's objectives and strategies and those related
business risks that might reasonably be expected to result in risks
of material misstatement; and
e. The company's measurement and analysis of its financial
performance.
8. In obtaining an understanding of the company, the auditor should
evaluate whether significant changes in the company from prior
periods, including changes in its internal control over financial
reporting, affect the risks of material misstatement.