Question

Every audit firm has its approach for understanding a client’s internal control structure. Some firms use a standardized internal control questionnaire to evaluate controls that are in place whereas other firms do not rely on internal controls at all and plan their audits as if there are no controls in place or consider controls as not effective. Evaluate each of these approaches to assess a client’s internal controls from an external auditor’s perception. Include in your evaluation: What effect, if any, does the size of the organization have on the decision? What are the auditing standard requirements for obtaining an understanding of internal controls? What are the differences, if any, in understanding internal controls for a public company versus a non-public company? Prepare a report evaluating each approach. Also include your opinion on which approach is better and why. Your report should meet the following criteria: Be 3-4 pages in length, not including the title and references pages. Demonstrate your comprehension of the course material. Use professional business language.

Answer 1

 What are Internal Controls?
Internal controls are policies and procedures put in place by management to ensure that company financial statements represent true & fair position.
Example of Internal Control-BRS: Bank reconciliation statement is key internal control measure used by auditors to check the truthiness of Bank balances in Financials. A bank reconciliation is a document that matches the cash balance on the company’s books to the corresponding amount on its bank statement. Reconciling the two accounts help auditor in getting to know if any fake sales are not booked to inflate sales or any checks are written which are fictitious.
The objective of the auditor is to identify and assess the risk of material misstatement, whether due to fraud or mistakes. It includes understanding the entity and its environment and the entity’s internal controls in order to design the proper audit procedures to achieve the desired level of assurance
Limitations of Internal Controls
Although management puts in place internal controls to ensure that the financial statements are more reliable and less prone to error, there are still limitations, such as corruption of top management. No matter what internal control is in place, if management overrides it and decides to input something else, there is no way to stop the practice. Also, internal controls are designed to address normal transactions and not unusual transactions. And finally, there is the risk of human error due to employees making mistakes during busy periods when transaction volumes are significantly higher.
 ELEMENT OF INTERNAL CONTROL
1. Control Environment
The control environment at the top refers to the attitudes, awareness, and actions of management and those charged with governance towards internal controls. For example, with a less committed and relaxed tone, lower level employees are less likely to properly follow the internal controls in place.
2. Entity Risk Assessment
The entity’s risk assessment relates to how the management evaluate and responds to business risks.
3. Information Systems & Communication
The information systems component refers to how the company captures, processes, reports, and communicates transaction information
4. Control Activities
Control activities refer to the specific detailed level policies and procedures such as review of company performance through variance analysis, physical and logical controls, and segregation of duties.
Segregation of duties is an important internal control that prevents a lot of problems, one of which is fraud.
5. Monitoring
Monitoring controls deal with management’s ongoing and periodic assessment of the quality of the internal controls to determine which controls need modification. Generally Internal auditors manages this task.
 The Auditor’s Role in the Internal Control Process
Once the auditor gains an understanding of the client’s system of internal controls, the auditor must assess control risk. Control risk is the risk that the client’s system of internal controls will fail to prevent or detect and correct an error. If a client’s system of internal controls is assessed below maximum, the auditor must test the internal controls to ensure that they are functioning in accordance with the auditor’s understanding.
Testing of internal controls includes making inquiries to management and employees, inspecting source documents, observing inventory counts, and actually re-performing client procedures. Finally, the auditor will perform more substantive procedures to reach its desired level of overall risk according to the audit strategy.
 Type of Audit Strategies:
1. Combined Audit Approach – Includes tests of controls and substantive testing (this means that control risk is assessed to be below maximum)
2. Purely Substantive Audit Approach – No tests of controls are performed and only substantive tests are done (this means that control risk is assessed to be maximum)
Type-1: Under Combined Audit approach, Auditors do not consider the controls client adequate & perform each & every Test to find the effectiveness of internal controls. They identify the critical areas based on business environment & perform each & every Test of controls.
This audit approach used by auditors to verified the event and transactions in the financial statements by cover the larges volume of them. The principle of substantive audit approach is that when auditors cover the larges volumes with high value of financial transactions and event in financial statements, there is less risks that material misstatements is uncovered. There are two main principles that involved with substantive audit approach. First, auditors review client internal control system that involved with financial reporting system or the areas being audited. For example, internal control on financial reporting, internal control on cash collection, payment to
customers, and procurement etc. They doing this by documenting all key controls areas, procedures, and related procedures. Once the understanding of internal control is done, auditor need to validate the key control to ensure that all key control areas are working properly and no overrides from managements. At the end of validating key control, audit will then concluded whether those key control ares are reliable or not. If they are reliable, that mean the risks of misstatements that could not detect by control are low. And if the controls are not reliable, then the risks of misstatement that might not detected by internal control over financial reporting are high. The substantive audit testing is really depend on the conclusion of internal control testing. Technically, if the controls are concluded by auditors as strong, then auditors will not do much works on substantive testing. That mean less of samples will be tested and verified. However, in some situation, auditors might not test the client internal control based their knowledge about the clients internal control concluded to be unreliable. In this situation, auditors will decided not to test the key controls and they jump to substantive test. Because control over financial reporting are not reliable, to minimize the risks of material misstatements, auditors need to have a large sample sizes and it could be reach to 100%. No matter how strong internal controls over financial reporting are, auditor could not rely 100% on those internal controls by ignore substantive test. Substantive review still need to be done by auditor.
Type-2: Under Purely substantive Audit approach, Auditors consider that client have mechanism of effective internal controls & they perform substantive checks. Under this approach Auditors generally rely on checklist as per management standards on Internal control, policies & procedures & test the internal controls based on evidences & reviews.
This approach is used by auditors when they have confidence in Internal controls of business. Auditors divides the business into all complete set of activities like sales, purchase,Treasury,planning etc.
And then based on their understanding auditors prepares set of questions for testing of control.
For example: To check the validity of Other receivables in financial, Auditor will check the monthly review mechanism of entity & sign off done by makes & checker. This ensure that entity has control over its balance sheet items & they perform regular review, so there is no risk of mis statment.
 CHOICE OF STARTEGY
There are various factors which affect the auditor’s decision of choosing between different strategies namely size of organization, Management attitude toward internal controls.
Generally if size of organization is larger then these are equipped with Internal control policies & procedure. For example detailed policies on Inventory valuation, reporting of slow moving Inventory, Procurement policies etc. So all the key areas prone to mis statement are backed up by processes. Therefore Auditors prefer Test of Control approach to check the risk of mis statement in Finaical & other reporting areas.But if during the Audit it is observed that controls are not at all effective or not existing then Auditor may change its approach to give his opinion on Internal control.
 AS 2201: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements
Introduction
1. This standard establishes requirements regarding the process of identifying and assessing risks of material misstatement1/ of the financial statements.
2. The objective of the auditor is to identify and appropriately assess the risks of material misstatement, thereby providing a basis for designing and implementing responses to the risks of material misstatement.
Performing Risk Assessment Procedures
2. The auditor should perform risk assessment procedures that are sufficient to provide a reasonable basis for identifying and assessing the risks of material misstatement, whether due to error or fraud,3/ and designing further audit procedures.4/
. Risks of material misstatement can arise from a variety of sources, including external factors, such as conditions in the company's industry and environment, and company-specific factors, such as the nature of the company, its activities, and internal control over financial reporting. For example, external or company-specific factors can affect the judgments involved in determining accounting estimates or create pressures to manipulate the financial statements to achieve certain financial targets. Also, risks of material misstatement may relate to, e.g., personnel who lack the necessary financial reporting competencies, information systems that fail to accurately capture
business transactions, or financial reporting processes that are not adequately aligned with the requirements in the applicable financial reporting framework. Thus, the audit procedures that are necessary to identify and appropriately assess the risks of material misstatement include consideration of both external factors and company-specific factors. This standard discusses the following risk assessment procedures:
a. Obtaining an understanding of the company and its environment
b. Obtaining an understanding of internal control over financial reporting
c. Considering information from the client acceptance and retention evaluation, audit planning activities, past audits, and other engagements performed for the company
d. Performing analytical procedures
e. Conducting a discussion among engagement team members regarding the risks of material misstatement
f. Inquiring of the audit committee, management, and others within the company about the risks of material misstatement
6. In an integrated audit, the risks of material misstatement of the financial statements are the same for both the audit of internal control over financial reporting and the audit of financial statements. The auditor's risk assessment procedures should apply to both the audit of internal control over financial reporting and the audit of financial statements.
Obtaining an Understanding of the Company and Its Environment
7. The auditor should obtain an understanding of the company and its environment to understand the events, conditions, and company activities that might reasonably be expected to have a significant effect on the risks of material misstatement. Obtaining an understanding of the company includes understanding:
a. Relevant industry, regulatory, and other external factors;
b. The nature of the company;
c. The company's selection and application of accounting principles, including related disclosures;
d. The company's objectives and strategies and those related business risks that might reasonably be expected to result in risks of material misstatement; and
e. The company's measurement and analysis of its financial performance.
8. In obtaining an understanding of the company, the auditor should evaluate whether significant changes in the company from prior periods, including changes in its internal control over financial reporting, affect the risks of material misstatement