VU VICKY Virtual University Assignment Solution, Past Papers, Handouts and other material

FUNDAMENTALS OF AUDITING ACC311 Lec 15

Lesson 15

UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT 

e) Internal Control.

 Understanding of Internal Control is used by the auditor  

1.  to identify types of potential misstatements;

2.  to consider factors that affect the risks of material misstatements; and

3.  to design the nature, timing and extent of further audit procedures. 

Definition of Internal Control

Internal control is the process designed and affected by those charged with governance, management, and

other personnel ………..

to provide reasonable assurance about the achievement of the entity’s objectives with regard to: 

1.  Reliability of financial reporting, 

2.  Effectiveness and efficiency of operations and 

3.  Compliance with applicable laws and regulations.  

It follows that internal control is designed and implemented to address identified business risks that

threaten the achievement of any of these objectives.

Components of Internal Control 

i) The control environment

ii) The entity’s risk assessment process

iii) The information system, including the related business processes relevant to financial 

reporting and communication.

iv) Control activities

v) Monitoring of controls 

i) The Control Environment

 It encompasses the following elements: 

(a) Communication and enforcement of integrity and ethical values.

(b) Commitment to competence

(c) Participation by those charged with governance

(d) Management’s philosophy and operating style

(e) Organizational structure

(f) Human resource policies and practices 

Auditor should evaluate how these components have been incorporated into the entity’s processes.

ii) The Entity’s Risk Assessment Process 

It is the process of identifying and responding to business risks

 that affect entity’s financial reporting.  

Such process includes how management:

1. identifies risks that affect entity’s ability to produce financial statement that give true and 

fair view,

2. estimates their significance, 

3. estimates likelihood of their occurrence and 

4. Decides upon actions to manage them. 

Risks relevant to financial reporting

 include:

– internal events, and 

– external events and circumstance  

That may occur and adversely affect an entity’s ability to:

• initiate,  

• record,

• process, and 

• report the financial information.  

Risks can arise due to circumstances such as the following: (internal/external) 

52

  

a) Changes in operating environment

b) New personnel

c) New or revamped information systems

d) Rapid growth

e) New technology

f) New business models, product or activities

g) Corporate restructurings

h) Expanded foreign operations

i) New accounting pronouncements 

iii) Information system, including the related business processes, relevant to financial

reporting and communication 

 The information system consists of:

1. infrastructure (physical and hardware components), 

2. software

3. people

4. procedures and 

5. data 

Infrastructure and software will be absent, or have less significance, in systems that are exclusively or

primarily manual. Many information systems make extensive use of IT.

Importance of Information System

Accordingly, an information system encompasses methods and records that: 

• Identify and record

 all valid transaction.

• Describe on a timely basis

 the transaction in sufficient detail to permit proper classification of 

transactions for financial reporting.

• Measure the value

 of transactions in a manner that permits recording their proper monetary value 

in the financial statements.

• Determine the time period

 in which transactions occurred to permit recording of transactions in 

the proper accounting period.

• Present properly

 the transactions and related disclosures in the financial statements. 

Communication

• Communication involves: 

– providing an understanding of individual roles and responsibilities pertaining to internal

control,  

– understanding roles of others and 

– doing exception reporting to higher level management. 

• Communication takes such forms as:

–  policy manuals, 

– accounting and financial reporting manuals and memorandum.  

• It may also be made  

– electronically, 

– orally and 

– through the actions of management  

iv) Control Activities

Control activities include:

a) Performance reviews

b) Information processing

c) Physical controls

d) Segregations of duties

a) Performance reviews

 These control activities include: 

– reviews and analyses of actual performance

 versus budgets, forecasts, and prior period

performance;  

53

  

– relating different sets of data - operating or financial - to one another, together with

analyses of the relationships and investigative and corrective actions;  

– comparing internal data

 with external sources of information; and 

– review of functional or activity performance

, such as a bank's Consumer loan manager's 

review of reports by branch, region, and loan type for loan approvals and collections

b) Information processing 

 A variety of controls are performed to check accuracy, completeness, and authorization of

 transactions. 

 The two broad groupings of information systems control activities are: 

i. application controls and 

ii. general IT controls.  

Application controls

 apply to the processing of individual applications. These controls help ensure that

transactions occurred, are authorized, and are completely and accurately recorded and processed. 

General IT-controls

 commonly include controls over data center and network operations; system software

acquisition, change and maintenance; access security; and application system acquisition, development, and

maintenance. These controls apply to main-frame, mini-frame and end-user environments. 

c) Physical controls 

 These activities encompass the: 

i. physical security of assets

, including adequate safeguards such as secured facilities access to

assets and records;  

ii. authorization for access

 to computer programs and data files; and 

iii. periodic counting and comparison

 with amounts shown on control records (for example 

comparing the results of cash, security and inventory counts with accounting records). 

d) Segregation of duties

Assigning different people the responsibilities of authorizing transactions, recording transactions, and

maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position

to both commit and conceal errors or fraud in the normal course of the person's duties. Examples of

segregation of duties include reporting, reviewing and approving reconciliations, and approval and control

of documents.

v) Monitoring of Control 

The auditor should obtain an understanding of the major types of activities that 

i. the entity uses to monitor internal control over financial reporting, and 

ii. how the entity initiates corrective actions to its controls. 

Monitoring means and includes:

Ensuring that internal controls are operating as intended.

– If monitoring is not done, people may stop performing the functions they are required to

perform.  

– It also involves assessing the quality of internal control performance over times.

– Monitoring may be ongoing activities, separate evaluations or a combination of the two. 

Monitoring includes:

a) Supervisions, functions of managers

b) Internal audit

c) Communication from external parties indicating areas requiring  

3. Assessing the Risk of Material Misstatement

The auditor should identify and assess the risks of material misstatement at the financial statement level, and

at the assertion level for classes of transactions, account balances, and disclosures. For this purpose, the

auditor: 

• Identifies risks throughout the process of obtaining an understanding of the entity and its

environment, including relevant controls that relate to the risks, and by considering the

classes of transactions, account balances, and disclosures in the financial statements. 

• Relates the identified risks to what can go wrong at the assertion level;

• Considers whether the risks are of a magnitude that could result in a material misstatement 

of the financial statements; and 

54

  

• Considers the likelihood that the risks could result in a material misstatement of the

financial statements. 

Significant Risks that require Special Audit Considerations

Significant risks

These relate to: 

• non-routine transactions (unusual)

• judgmental matters (e.g. accounting estimates)

• non-routine transactions arising from matters such as: 

 greater management intervention to specify the accounting treatment

 greater manual intervention for data collection and processing

 complex calculations or accounting principles. 

For significant risks, to the extent the auditor has not already done so, the auditor should evaluate the

design of the entity’s related controls, including relevant control activities, and determine whether they have

been implemented.

If management has not appropriately responded by implementing controls over significant risks and if, as a

result, the auditor judges that there is a material weakness in the entity’s internal control, the auditor

communicates this matter to those charged with governance as required in paragraph 8. In these

circumstances, the auditor also considers the implications for the auditor’s risk assessment.

Risks for which substantive procedures alone do not provide sufficient appropriate audit evidence

As part of the risk assessment as described in the above paragraph, the auditor should evaluate the design

and determine the implementation of the entity’s controls, including relevant control activities, over those

risks for which, in the auditor’s judgment, it is not possible or practicable to reduce the risks of material

misstatement at the assertion level to an acceptably low level with audit evidence obtained only from

substantive procedures.

Examples of situations where the auditor may find it impossible to design effective substantive procedures

that by themselves provide sufficient appropriate audit evidence that certain assertions are not materially

misstated include the following: 

• An entity that conducts its business using IT to initiate orders for the purchase and delivery of

goods based on predetermined rules of what to order and in what quantities and to pay the related

accounts payable based on system-generated decisions initiated upon the confirmed receipt of

goods and terms of payment. No other documentation of orders placed or goods received is

produced or maintained, other than through the IT system. 

• An entity that provides services to customers via electronic media (for example, an Internet service

provider or a telecommunications company) and uses IT to create log of the services provided to

its customers, initiate and process its billings for the services and automatically record such

amounts in electronic accounting records that are part of the system used to produce the entity’s

financial statements. 

Revision of Risk Assessment

While performing tests of controls or substantive procedures auditor finds that controls are not performing

effectively and misstatements found are not in accordance with expectations of misstatements, the auditor

should revise his assessment of risk and modify the further planned audit procedures.

4. Communicating with those Charged with Governance and Management

The auditor should make those charged with governance or management aware, as soon as practicable, and

at an appropriate level of responsibility, of material weaknesses in the design or implementation of internal

control which have come to the auditor’s attention. 

5. Documentation

The auditor should document:

(a) The discussion among the engagement team regarding the susceptibility of the entity’s financial 

statements to material misstatement due to error or fraud, and the significant decisions reached; 

55

  

(b) Key elements of the understanding obtained regarding each of the aspects of the entity and its

environment, including each of the internal control components, to assess the risks of material

misstatement of the financial statements; the sources of information from which the understanding

was obtained; and the risk assessment procedures; 

(c) The identified and assessed risks of material misstatement at the financial statement level and at the

assertion level; and 

(d) The risks identified and related controls evaluated. 

56

  

ASSIGNMENT 

Match each term or phrase on the left with the best description on the right. Descriptions may be used

once, more than once, or not at all.

1. Control environment. (a) Accounting system.

2. Management's philosophy (b) Adequate documents and record.

3. Functioning of the audit committee. (c) Control procedures.

4. Identify and record all valid transactions. (d) Element of the internal control structure.

5. Permit proper classification of transactions. (e) Factor that affect control environment.

6. Segregation of duties. (f) Financial statement assertion.

7. Adequate documents and records. (g) Independent check on performance.

8. Pre-numbered receiving reports (h) internal controls objective.

9. Preparation of reliable financial reports.

10. Reconciliation

ANSWER 

 1. (d)  2. (e) 3. (g) 4. (h) 5. (a)

 6. (c) 7. (a) 8. (c) 9. (h) 10. (c) 

Fill in the blanks by selecting the most appropriate word/phrase: 

1. Members

 can appoint the auditors if they are not appointed by the Directors within 60 days of

incorporation.  

i) SECP, directors, the company, members

ii) Directors, members, SECP, the company 

2. The part of the Statutory

 Report which relates to the Receipt and Payments is required to be

certified by the auditors. 

i) First extraordinary general meeting, statutory report, Annual General Meeting, First AGM

ii) Receipts and Payments, Financial Statements, Balance Sheet, Income Statement