Lesson#15
UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT-4
UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT
e) Internal Control.
Understanding of Internal Control is used by the auditor:
1. to identify types of potential misstatements;
2. to consider factors that affect the risks of material misstatements; and
3. to design the nature, timing and extent of further audit procedures.
Definition of Internal Control
Internal control is the process designed and effected by those
charged with governance, management, and other personnel
to provide reasonable assurance about the achievement of the
entity’s objectives with regard to:
1. Reliability of financial reporting,
2. Effectiveness and efficiency of operations and
3. Compliance with applicable laws and regulations.
It follows that internal control is designed and implemented to
address identified business risks that
threaten the achievement of any of these objectives.
Components of Internal Control
i) The control environment
ii) The entity’s risk assessment process
iii) The information system, including the related business processes relevant to financial reporting and communication
iv) Control activities
v) Monitoring of controls
i) The Control Environment
It encompasses the following elements:
(a) Communication and enforcement of integrity and ethical
values.
(b) Commitment to competence
(c) Participation by those charged with governance
(d) Management’s philosophy and operating style
(e) Organizational structure
(f) Human resource policies and practices
The auditor should evaluate how these components have been
incorporated into the entity’s processes.
ii) The Entity’s Risk Assessment Process
It is the process of identifying and responding to business risks
that affect the entity’s financial reporting.
Such a process includes how management:
1. identifies risks that affect the entity’s ability to produce financial statements that give a true and fair view,
2. estimates their significance,
3. estimates the likelihood of their occurrence, and
4. decides upon actions to manage them.
Risks relevant to financial reporting include:
– internal events, and
– external events and circumstances
that may occur and adversely affect an entity’s ability to:
• initiate,
• record,
• process, and
• report the financial information.
Risks can arise due to circumstances such as the following (internal/external):
a) Changes in operating environment
b) New personnel
c) New or revamped information systems
d) Rapid growth
e) New technology
f) New business models, product or activities
g) Corporate restructurings
h) Expanded foreign operations
i) New accounting pronouncements
iii) Information system, including the related business processes, relevant to financial reporting and communication
The information system consists of:
1. infrastructure (physical and hardware components),
2. software
3. people
4. procedures and
5. data
Infrastructure and software will be absent, or have less
significance, in systems that are exclusively or
primarily manual. Many information systems make extensive use of
IT.
Importance of Information System
Accordingly, an information system encompasses methods and
records that:
• Identify and record all valid transactions.
• Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
• Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
• Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
• Present properly the transactions and related disclosures in the financial statements.
Communication
• Communication involves:
– providing an understanding of individual roles and responsibilities pertaining to internal control,
– understanding the roles of others, and
– doing exception reporting to higher level management.
• Communication takes such forms as:
– policy manuals,
– accounting and financial reporting manuals and memoranda.
• It may also be made:
– electronically,
– orally, and
– through the actions of management.
iv) Control Activities
Control activities include:
a) Performance reviews
b) Information processing
c) Physical controls
d) Segregation of duties
a) Performance reviews
These control activities include:
– reviews and analyses of actual performance versus budgets, forecasts, and prior period performance;
– relating different sets of data - operating or financial - to one another, together with analyses of the relationships and investigative and corrective actions;
– comparing internal data with external sources of information; and
– review of functional or activity performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections.
b) Information processing
A variety of controls are performed to check accuracy,
completeness, and authorization of
transactions.
The two broad groupings of information systems control
activities are:
i. application controls and
ii. general IT controls.
Application controls apply to the processing of individual
applications. These controls help ensure that
transactions occurred, are authorized, and are completely and
accurately recorded and processed.
General IT controls commonly include controls over data center
and network operations; system software
acquisition, change and maintenance; access security; and
application system acquisition, development, and
maintenance. These controls apply to mainframe, miniframe and
end-user environments.
c) Physical controls
These activities encompass the:
i. physical security of assets, including adequate safeguards
such as secured facilities over access to
assets and records;
ii. authorization for access to computer programs and data
files; and
iii. periodic counting and comparison with amounts shown on
control records (for example
comparing the results of cash, security and inventory counts
with accounting records).
d) Segregation of duties
Assigning different people the responsibilities of authorizing
transactions, recording transactions, and
maintaining custody of assets is intended to reduce the
opportunities to allow any person to be in a position
to both commit and conceal errors or fraud in the normal course
of the person's duties. Examples of
segregation of duties include reporting, reviewing and approving
reconciliations, and approval and control
of documents.
v) Monitoring of Controls
The auditor should obtain an understanding of:
i. the major types of activities that the entity uses to monitor internal control over financial reporting, and
ii. how the entity initiates corrective actions to its controls.
Monitoring means and includes:
Ensuring that internal controls are operating as intended.
– If monitoring is not done, people may stop performing the functions they are required to perform.
– It also involves assessing the quality of internal control performance over time.
– Monitoring may be ongoing activities, separate evaluations or a combination of the two.
Monitoring includes:
a) Supervision, functions of managers
b) Internal audit
c) Communication from external parties indicating areas
requiring
3. Assessing the Risk of Material Misstatement
The auditor should identify and assess the risks of material
misstatement at the financial statement level, and
at the assertion level for classes of transactions, account
balances, and disclosures. For this purpose, the
auditor:
• Identifies risks throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances, and disclosures in the financial statements;
• Relates the identified risks to what can go wrong at the assertion level;
• Considers whether the risks are of a magnitude that could result in a material misstatement of the financial statements; and
• Considers the likelihood that the risks could result in a material misstatement of the financial statements.
Significant Risks that require Special Audit Considerations
Significant risks
These relate to:
• non-routine transactions (unusual)
• judgmental matters (e.g. accounting estimates)
• non-routine transactions arising from matters such as:
– greater management intervention to specify the accounting treatment
– greater manual intervention for data collection and processing
– complex calculations or accounting principles.
For significant risks, to the extent the auditor has not already
done so, the auditor should evaluate the
design of the entity’s related controls, including relevant
control activities, and determine whether they have
been implemented.
If management has not appropriately responded by implementing
controls over significant risks and if, as a
result, the auditor judges that there is a material weakness in
the entity’s internal control, the auditor
communicates this matter to those charged with governance as
required in paragraph 8. In these
circumstances, the auditor also considers the implications for
the auditor’s risk assessment.
Risks for which substantive procedures alone do not provide
sufficient appropriate audit evidence
As part of the risk assessment as described in the above
paragraph, the auditor should evaluate the design
and determine the implementation of the entity’s controls,
including relevant control activities, over those
risks for which, in the auditor’s judgment, it is not possible
or practicable to reduce the risks of material
misstatement at the assertion level to an acceptably low level
with audit evidence obtained only from
substantive procedures.
Examples of situations where the auditor may find it impossible
to design effective substantive procedures
that by themselves provide sufficient appropriate audit evidence
that certain assertions are not materially
misstated include the following:
• An entity that conducts its business using IT to initiate orders for the purchase and delivery of goods based on predetermined rules of what to order and in what quantities and to pay the related accounts payable based on system-generated decisions initiated upon the confirmed receipt of goods and terms of payment. No other documentation of orders placed or goods received is produced or maintained, other than through the IT system.
• An entity that provides services to customers via electronic media (for example, an Internet service provider or a telecommunications company) and uses IT to create a log of the services provided to its customers, initiate and process its billings for the services and automatically record such amounts in electronic accounting records that are part of the system used to produce the entity’s financial statements.
Revision of Risk Assessment
If, while performing tests of controls or substantive procedures,
the auditor finds that controls are not performing
effectively and misstatements found are not in accordance with
expectations of misstatements, the auditor
should revise his assessment of risk and modify the further
planned audit procedures.
4. Communicating with those Charged with Governance and Management
The auditor should make those charged with governance or
management aware, as soon as practicable, and
at an appropriate level of responsibility, of material
weaknesses in the design or implementation of internal
control which have come to the auditor’s attention.
5. Documentation
The auditor should document:
(a) The discussion among the engagement team regarding the
susceptibility of the entity’s financial
statements to material misstatement due to error or fraud, and
the significant decisions reached;
(b) Key elements of the understanding obtained regarding each of
the aspects of the entity and its
environment, including each of the internal control components,
to assess the risks of material
misstatement of the financial statements; the sources of
information from which the understanding
was obtained; and the risk assessment procedures;
(c) The identified and assessed risks of material misstatement
at the financial statement level and at the
assertion level; and
(d) The risks identified and related controls evaluated.