Internal Control

and Control Risk

Chapter 10

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 1
 Learning Objective 1

Contrast management’s need for

internal control with the auditor’s
need to consider internal control
when designing an audit.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 2
 Key Concepts

Management’s
Responsibility
Reasonable
Assurance
Inherent
Limitations

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 3
 Client’s Concerns

Reliability of financial reporting

Efficiency and effectiveness of operations
Compliance with applicable laws
and regulations

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 4
 Auditor Concerns

Controls related to reliability of

financial reporting

Controls over classes of transactions

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 5
 Sales Transaction-Related
Audit Objectives

Objective – General Form Related Audit Objectives

Recorded transactions Sales are for shipments
exist (existence). to existing customers.
Existing transactions are Existing sales transactions
recorded (completeness). are recorded.
Transactions are stated Sales for goods shipped
correctly (accuracy). are correctly billed.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 6
 Sales Transaction-Related
Audit Objectives

Objective – General Form Related Audit Objectives

Transactions are properly Sales transactions are
classified (classification). properly classified.
Transactions are recorded Sales are recorded on the
on correct dates (timing). correct dates.
Transactions are properly Sales transactions are
filed (posting and properly included in the
summarization). master files.
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 7
 How Frauds Have
Been Discovered

Notification by employee 58%

Internal controls 51%
Internal auditor 43%
Customer notification 41%
Accidental discovery 37%
Management investigation 35%
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 8
 How Frauds Have
Been Discovered

Anonymous reporting 35%

Hot line notification 25%
Employee investigation 21%
Government notification 16%
External auditor 4%
Other sources 20%
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 9
 Learning Objective 2

Describe how information

technology affects
internal control.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 10
 Effect of Information
Technology on Internal
Control

Information Technology

IT can improve IT also enhances

the effectiveness the timeliness
and efficiency of and accuracy
internal controls. of information.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 11
 Risks Associated With the Use
of Information Technology

Programmed errors

Processing incorrect data

Unauthorized access

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 12
 Learning Objective 3

Explain the five components

of internal control.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 13
 Five Components
of Internal Control

Control Environment

Risk Control Information and

Monitoring
Assessment Activities Communication

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 14
 The Control Environment
Integrity and ethical values

Commitment to competence

Board of directors or audit

committee participation

Management’s philosophy
and operating style
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 15
 The Control Environment

Organizational structure

Assignment of authority
and responsibility

Human resources
policies and practices

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 16
 Risk Assessment

Identify factors affecting risk.

Assess significance of risks
and likelihood of occurrence.
Determine actions necessary
to manage risk.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 17
 Control Activities

1. Adequate separation of duties

2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 18
 Adequate Separation
of Duties

Custody of assets Accounting

Authorization The custody of
of transactions related assets
Operational Record-keeping
responsibility responsibility
IT Duties User departments

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 19
 Proper Authorization of
Transactions and Activities

General authorization

Specific authorization

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 20
 Adequate Documents
and Records

Prenumbered consecutively
Prepared at the time of transaction
Simple enough to ensure understanding
Designed for multiple uses
Constructed to encourage correct preparation

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 21
 Physical Control over
Assets and Records
Physical precautions

Controls related to IT equipment,

programs, and data files

Backup and
Physical Access
recovery
controls controls
procedures
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 22
 Independent Checks
on Performance

The need for independent checks

arise because internal control tends
to change over time unless there is
a mechanism for frequent review.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 23
 Information and
Communication

The purpose of an accounting information

and communication system is to…
initiate, record, process, and report the
transactions and to maintain accountability
for the related assets.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 24
 Monitoring

Management’s ongoing and periodic assessment

of the quality of internal control performance …
to determine whether controls are operating
as intended and modified when needed.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 25
 Learning Objective 4

Explain methods used to

obtain an understanding
of internal control.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 26
 Understanding Internal Control
and Assessing Control Risk

Obtain Understanding of Internal Control:

Design and Operation

Assess Control Risk Test Controls

Decide Planned Detection Risk

and Substantive Tests
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 27
 Reasons for Sufficiently
Understanding Internal Control
SAS 55 (as amended by SAS 78 and 594
plus AU319) requires the auditor to
obtain an understanding of internal
control for every audit.
• Auditability
• Potential material
Minimum audit
misstatements
planning matters
• Detection risk
• Design of test
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 28
 Procedures to Determine
Design and Placement

Update and evaluate auditor’s previous

experience with the entity.
Make inquires of client personnel.
Read client’s policy and systems manuals.
Examine documents and records.
Observe entity activities and operations.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 29
 Documentation of
the Understanding

Narrative
Narrative

Flowchart
Flowchart
Internal
Internal
control
control
questionnaire
questionnaire

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 30
 Learning Objective 5

Assess control risk by linking

strengths and weaknesses of
internal control to transaction-
related audit objectives.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 31
 Assess Control Risk

Obtain sufficient understanding for planning.

Assess whether the entity is auditable.
Determine assessed control risk.
Assess if a lower control risk could be supported.
Determine the appropriate assessed control risk.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 32
 Assess Control Risk

Identify transaction-related audit objectives.

Identify specific controls.

Identify and evaluate weaknesses.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 33
 Identify and Evaluate
Weaknesses

Identify existing controls.

Identify the absence of key controls.
Determine misstatements that could result.
Consider compensating controls.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 34
 The Control Risk
Matrix

Auditors use the control risk matrix to

identify both controls and weaknesses
and to asses control risk.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 35
 Communication
Reportable conditions letter
Audit committee communications
Management letters

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 36
 Learning Objective 6

Describe the process of designing

and performing tests of controls.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 37
 Tests of
Controls

The procedures to test effectiveness

of controls in support of a reduced
assessed control risk are called
tests of controls.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 38
 Procedures for
Tests of Controls

Make inquiries of client personnel.

Examine documents, records, and reports.
Observe control-related activities.
Reperform client procedures.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 39
 Extent of Procedures

Reliance on evidence from prior year’s audit

Testing less than the entire audit period

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 40
 Relationship of Assessed
Control
Risk and Extend of Procedures
Assessed Control Risk
High Level: Lower Level:
Obtaining an Tests of
Type of Procedure Understanding Only Controls
Inquiry Yes – extensive Yes – some
Documentation Yes – with transaction Yes – using
walk-through sample
Observation Yes – with transaction Yes – multiple
walk-through times
Reperformance No Yes – sampling
©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 41
 Decide Planned Detection Risk
and Design Substantive Tests

The auditor uses the results of the control risk

assessment process and tests of controls to
determine the planned detection risk and
related substantive tests.

The auditor links the control risk assessments

to the balance-related audit objectives.

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 42
 End of Chapter 10

©2003 Prentice Hall Business Publishing, Auditing and Assurance Services 9/e, Arens/Elder/Beasley 10 - 43