FUNDAMENTALS OF AUDITING ACC311 Lec 15
Lesson 15
UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT
e) Internal Control.
Understanding of Internal Control is used by the auditor:
1. to identify types of potential misstatements;
2. to consider factors that affect the risks of material misstatements; and
3. to design the nature, timing and extent of further audit procedures.
Definition of Internal Control
Internal control is the process designed and effected by those charged with governance, management, and other personnel ……….. to provide reasonable assurance about the achievement of the entity’s objectives with regard to:
1. Reliability of financial reporting,
2. Effectiveness and efficiency of operations and
3. Compliance with applicable laws and regulations.
It follows that internal control is designed and implemented to address identified business risks that threaten the achievement of any of these objectives.
Components of Internal Control
i) The control environment
ii) The entity’s risk assessment process
iii) The information system, including the related business processes relevant to financial reporting and communication.
iv) Control activities
v) Monitoring of controls
i) The Control Environment
It encompasses the following elements:
(a) Communication and enforcement of integrity and ethical values.
(b) Commitment to competence
(c) Participation by those charged with governance
(d) Management’s philosophy and operating style
(e) Organizational structure
(f) Human resource policies and practices
The auditor should evaluate how these components have been incorporated into the entity’s processes.
ii) The Entity’s Risk Assessment Process
It is the process of identifying and responding to business risks that affect the entity’s financial reporting.
Such process includes how management:
1. identifies risks that affect the entity’s ability to produce financial statements that give a true and fair view,
2. estimates their significance,
3. estimates the likelihood of their occurrence and
4. decides upon actions to manage them.
Risks relevant to financial reporting include:
– internal events, and
– external events and circumstances
that may occur and adversely affect an entity’s ability to:
• initiate,
• record,
• process, and
• report the financial information.
Risks can arise due to circumstances such as the following: (internal/external)
a) Changes in operating environment
b) New personnel
c) New or revamped information systems
d) Rapid growth
e) New technology
f) New business models, product or activities
g) Corporate restructurings
h) Expanded foreign operations
i) New accounting pronouncements
iii) Information system, including the related business processes, relevant to financial reporting and communication
The information system consists of:
1. infrastructure (physical and hardware components),
2. software
3. people
4. procedures and
5. data
Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of IT.
Importance of Information System
Accordingly, an information system encompasses methods and records that:
• Identify and record all valid transactions.
• Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
• Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
• Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
• Present properly the transactions and related disclosures in the financial statements.
Communication
• Communication involves:
– providing an understanding of individual roles and responsibilities pertaining to internal control,
– understanding roles of others and
– doing exception reporting to higher level management.
• Communication takes such forms as:
– policy manuals,
– accounting and financial reporting manuals and memorandum.
• It may also be made
– electronically,
– orally and
– through the actions of management
iv) Control Activities
Control activities include:
a) Performance reviews
b) Information processing
c) Physical controls
d) Segregation of duties
a) Performance reviews
These control activities include:
– reviews and analyses of actual performance versus budgets, forecasts, and prior period performance;
– relating different sets of data - operating or financial - to one another, together with analyses of the relationships and investigative and corrective actions;
– comparing internal data with external sources of information; and
– review of functional or activity performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections.
b) Information processing
A variety of controls are performed to check accuracy, completeness, and authorization of transactions.
The two broad groupings of information systems control activities are:
i. application controls and
ii. general IT controls.
Application controls apply to the processing of individual applications. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed.
General IT controls commonly include controls over data center and network operations; system software acquisition, change and maintenance; access security; and application system acquisition, development, and maintenance. These controls apply to mainframe, miniframe and end-user environments.
c) Physical controls
These activities encompass the:
i. physical security of assets, including adequate safeguards such as secured facilities over access to assets and records;
ii. authorization for access to computer programs and data files; and
iii. periodic counting and comparison with amounts shown on control records (for example, comparing the results of cash, security and inventory counts with accounting records).
d) Segregation of duties
Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both commit and conceal errors or fraud in the normal course of the person's duties. Examples of segregation of duties include reporting, reviewing and approving reconciliations, and approval and control of documents.
v) Monitoring of Controls
The auditor should obtain an understanding of:
i. the major types of activities that the entity uses to monitor internal control over financial reporting, and
ii. how the entity initiates corrective actions to its controls.
Monitoring means and includes:
Ensuring that internal controls are operating as intended.
– If monitoring is not done, people may stop performing the functions they are required to perform.
– It also involves assessing the quality of internal control performance over time.
– Monitoring may be ongoing activities, separate evaluations or a combination of the two.
Monitoring includes:
a) Supervision, functions of managers
b) Internal audit
c) Communication from external parties indicating areas requiring
3. Assessing the Risk of Material Misstatement
The auditor should identify and assess the risks of material misstatement at the financial statement level, and at the assertion level for classes of transactions, account balances, and disclosures. For this purpose, the auditor:
• Identifies risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances, and disclosures in the financial statements;
• Relates the identified risks to what can go wrong at the assertion level;
• Considers whether the risks are of a magnitude that could result in a material misstatement of the financial statements; and
• Considers the likelihood that the risks could result in a material misstatement of the financial statements.
Significant Risks that require Special Audit Considerations
Significant risks
These relate to:
• non-routine transactions (unusual)
• judgmental matters (e.g. accounting estimates)
• non-routine transactions arising from matters such as:
– greater management intervention to specify the accounting treatment
– greater manual intervention for data collection and processing
– complex calculations or accounting principles.
For significant risks, to the extent the auditor has not already done so, the auditor should evaluate the design of the entity’s related controls, including relevant control activities, and determine whether they have been implemented.
If management has not appropriately responded by implementing controls over significant risks and if, as a result, the auditor judges that there is a material weakness in the entity’s internal control, the auditor communicates this matter to those charged with governance as required in paragraph 8. In these circumstances, the auditor also considers the implications for the auditor’s risk assessment.
Risks for which substantive procedures alone do not provide sufficient appropriate audit evidence
As part of the risk assessment as described in the above paragraph, the auditor should evaluate the design and determine the implementation of the entity’s controls, including relevant control activities, over those risks for which, in the auditor’s judgment, it is not possible or practicable to reduce the risks of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures.
Examples of situations where the auditor may find it impossible to design effective substantive procedures that by themselves provide sufficient appropriate audit evidence that certain assertions are not materially misstated include the following:
• An entity that conducts its business using IT to initiate orders for the purchase and delivery of goods based on predetermined rules of what to order and in what quantities and to pay the related accounts payable based on system-generated decisions initiated upon the confirmed receipt of goods and terms of payment. No other documentation of orders placed or goods received is produced or maintained, other than through the IT system.
• An entity that provides services to customers via electronic media (for example, an Internet service provider or a telecommunications company) and uses IT to create a log of the services provided to its customers, initiate and process its billings for the services and automatically record such amounts in electronic accounting records that are part of the system used to produce the entity’s financial statements.
Revision of Risk Assessment
Where, while performing tests of controls or substantive procedures, the auditor finds that controls are not performing effectively and misstatements found are not in accordance with expectations of misstatements, the auditor should revise his assessment of risk and modify the further planned audit procedures.
4. Communicating with those Charged with Governance and Management
The auditor should make those charged with governance or management aware, as soon as practicable, and at an appropriate level of responsibility, of material weaknesses in the design or implementation of internal control which have come to the auditor’s attention.
5. Documentation
The auditor should document:
(a) The discussion among the engagement team regarding the susceptibility of the entity’s financial statements to material misstatement due to error or fraud, and the significant decisions reached;
(b) Key elements of the understanding obtained regarding each of the aspects of the entity and its environment, including each of the internal control components, to assess the risks of material misstatement of the financial statements; the sources of information from which the understanding was obtained; and the risk assessment procedures;
(c) The identified and assessed risks of material misstatement at the financial statement level and at the assertion level; and
(d) The risks identified and related controls evaluated.
ASSIGNMENT
Match each term or phrase on the left with the best description on the right. Descriptions may be used once, more than once, or not at all.
1. Control environment.                             (a) Accounting system.
2. Management's philosophy                          (b) Adequate documents and records.
3. Functioning of the audit committee.              (c) Control procedures.
4. Identify and record all valid transactions.      (d) Element of the internal control structure.
5. Permit proper classification of transactions.    (e) Factor that affects control environment.
6. Segregation of duties.                           (f) Financial statement assertion.
7. Adequate documents and records.                  (g) Independent check on performance.
8. Pre-numbered receiving reports                   (h) Internal controls objective.
9. Preparation of reliable financial reports.
10. Reconciliation
ANSWER
1. (d) 2. (e) 3. (g) 4. (h) 5. (a) 6. (c) 7. (a) 8. (c) 9. (h) 10. (c)
Fill in the blanks by selecting the most appropriate word/phrase:
1. Members can appoint the auditors if they are not appointed by the Directors within 60 days of incorporation.
i) SECP, directors, the company, members
ii) Directors, members, SECP, the company
2. The part of the Statutory Report which relates to the Receipt and Payments is required to be certified by the auditors.
i) First extraordinary general meeting, statutory report, Annual General Meeting, First AGM
ii) Receipts and Payments, Financial Statements, Balance Sheet, Income Statement