Summary
Introduction
9.01 To develop an appropriate audit plan (one that reduces the audit risk to an
appropriate level), the audit team must understand the entity being audited
and the environment in which it operates, including its internal control. The
audit team uses this understanding of internal control to:
identify the types of misstatements that may be present
evaluate the internal control deficiencies that may increase risk of
material misstatement
design internal control testing strategies and substantive audit
procedures
9.05 This chapter focuses on the firm’s policies and procedures for obtaining
and documenting an understanding of the entity’s internal control. Such
understanding is ordinarily gained through:
previous experience with the entity (in continuing client
relationships)
inquiries of appropriate management, supervisory, and other
personnel
tracing transactions through processes and controls (i.e.,
walkthroughs)
inspecting documents and records
observing control activities and operations
9.08 Some legislative and regulatory bodies require an audit report on the
effectiveness of internal control using a framework established through
due process by an appropriate group. The COSO framework is an
acceptable framework for this purpose.
9.10 There is a direct relationship between the objectives, which are what an
entity strives to achieve, and internal control components, which represent
what is needed to achieve the objectives. COSO identified the following
five interrelated internal control components:
control environment – sets the tone of an organization, influencing
the control consciousness of its people; the foundation for all other
components of internal control, providing discipline and structure
risk assessment – the entity's identification and analysis of relevant
risks to achievement of its objectives, forming a basis for
determining how the risks should be managed
control activities – the policies and procedures that help ensure that
management directives are carried out
information and communication systems – support the
identification, capture, and exchange of information in a form and
time frame that enable people to carry out their responsibilities
monitoring – a process that assesses the quality of internal control
performance over time
9.11 Voyager uses the COSO definition of internal control, including these five
interrelated components. Accordingly, Voyager focuses on controls at both
the entity and operations level. In Voyager, entity-level controls are
sometimes referred to as governance controls, and operations-level
controls are referred to as activities-level controls. Each entity and
activities-level control is linked to a COSO component.
Entity-Level Controls
9.12 Governance is the term used to describe the role of persons entrusted
with the supervision, control, and direction of an entity. Those charged
with governance ordinarily are accountable for ensuring that the entity
achieves its objectives and also for the process of financial reporting and
reporting to interested parties. Governance controls are the foundation of
all other controls and are applicable to all entities, regardless of size.
Voyager refers to governance controls as entity-level controls.
Control Environment
9.15 The control environment sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for effective
internal control, providing discipline and structure. The control
environment primarily includes:
Communication and enforcement of integrity and ethical values –
The effectiveness of controls cannot rise above the integrity and
ethical values of the people who create, administer, and monitor
them. Integrity and ethical values are essential elements of the
control environment which influence the design, administration, and
monitoring of other components. Integrity and ethical behavior are
the product of the entity’s ethical and behavioral standards, how
they are communicated, and how they are reinforced in practice.
They include management’s actions to remove or reduce incentives
and temptations that might prompt people to engage in dishonest,
illegal, or unethical acts. They also include the communication of
entity values and behavioral standards to people through policy
statements and codes of conduct and by example.
Commitment to competence – Competence is the knowledge and
skills necessary to accomplish tasks that define the individual’s job.
Commitment to competence includes management’s consideration
of the competence levels for particular jobs and how those levels
translate into requisite skills and knowledge.
Participation by those charged with governance – An entity’s
control consciousness is influenced significantly by those charged
with governance. Attributes of those charged with governance
include independence from management, their experience and
stature, the extent of their involvement and scrutiny of activities, the
appropriateness of their actions, the information they receive, the
degree to which difficult questions are raised and pursued with
management and their interaction with internal and external audit
teams.
Management’s philosophy and operating style – Management’s
philosophy and operating style encompass a broad range of
characteristics. Such characteristics may include management’s (a)
approach to taking and monitoring business risks, (b) attitudes and
actions toward financial reporting (for example, conservative or
aggressive selection from available alternative accounting
principles, and the conscientiousness and conservatism with which
accounting estimates are developed), and (c) attitudes toward
information processing and accounting functions and people.
Organizational structure – An entity’s organizational structure
provides the framework within which its activities for achieving
entity-wide objectives are planned, executed, controlled, and
reviewed. Authority and responsibility and appropriate lines of
reporting are critical elements of an organizational structure. An
entity develops an organizational structure suited to its needs. The
appropriateness of an entity’s organizational structure depends, in
part, on its size and the nature of its activities.
Assignment of authority and responsibility – This factor includes
how authority and responsibility for operating activities are assigned
and how reporting relationships and authorization hierarchies are
established. It also includes policies relating to appropriate
business practices, knowledge and experience of key people, and
resources provided for carrying out duties. In addition, it includes
policies and communications directed at ensuring that all people
understand the entity’s objectives, know how their individual actions
interrelate and contribute to those objectives, and recognize how
and for what they will be held accountable.
Human resource policies and practices – Human resource policies
and practices relate to recruitment, orientation, training, evaluating,
counseling, promoting, compensating, and remedial actions. For
example, standards for recruiting the most qualified individuals, with
emphasis on educational background, prior work experience, past
accomplishments, and evidence of integrity and ethical behavior,
demonstrate an entity’s commitment to competent and trustworthy
people. Training policies that communicate prospective roles and
responsibilities and include practices such as training schools and
seminars illustrate expected levels of performance and behavior.
Promotions driven by periodic performance appraisals demonstrate
the entity’s commitment to the advancement of qualified people to
higher levels of responsibility.
9.16 An entity’s risk assessment process is its process for identifying and
responding to business risks and the results thereof. An entity’s risk
assessment process includes how management identifies risks relevant to
the preparation of financial statements that give a true and fair view (or are
presented fairly, in all material respects) in accordance with the entity’s
applicable financial reporting framework, estimates their significance,
assesses the likelihood of their occurrence, and decides upon actions to
manage them. For example, the entity’s risk assessment process may
address how the entity considers the possibility of unrecorded transactions
or identifies and analyzes significant estimates recorded in the financial
statements. Risks relevant to reliable financial reporting also relate to
specific events or transactions.
9.17 Risks relevant to financial reporting include external and internal events
and circumstances that may occur and adversely affect an entity’s ability
to initiate, record, process, and report financial data consistent with the
assertions of management in the financial statements. Once risks are
identified, management considers their significance and the likelihood of
their occurrence, and determines how the risks will be managed.
Management may initiate plans, programs, or actions to address specific
risks or they may decide to accept a risk because of cost or other
considerations. Risks can arise or change due to circumstances, such as
the following:
changes in operating environment
new people
new or revamped information systems
rapid growth
new technology
new business models, products, or activities
corporate restructurings
expanded foreign operations
new accounting pronouncements
9.19 Ongoing monitoring activities are built into the normal recurring activities
of an entity and include regular management and supervisory activities.
Managers of sales, purchasing, and production at divisional and corporate
levels are in touch with operations and may question reports that differ
significantly from their knowledge of operations.
Information Technology
Activities-Level Controls
9.32 Activities-level controls are controls (or control activities) performed at the
process level within a transaction cycle (i.e., controls over the origination,
processing, and recording of transactions). Processes are the action steps
that are performed by every entity when conducting their business. In
Voyager, each transaction cycle consists of activities, and each activity
consists of processes. Controls are established over each process to
reduce the possibility of error or fraud.
9.37 The boundary event is the point in a transaction cycle where an entity
interacts with a third-party. There are four types of boundary events:
initiation – transaction is initiated
movement – goods or services are provided
recording – transaction is recorded
consideration – transaction is completed by receiving or paying the
consideration
In Voyager, all four events are listed as boundary events.
9.38 Discretionary events are economic activities that are initiated internally
and are necessary to allocate revenues, expenses, gains, and losses to
the proper accounts and periods. Discretionary events are judgmental in
nature. Examples of such events include:
adjusting and recording the provision for inventory obsolescence
adjusting and recording inventory balances after a physical count
calculating and recording depreciation charges
calculating and recording the provision for bad debts
9.39 Internal events are intermediate activities that process data and
information between the boundary and ledger events. Examples of internal
events include maintaining the customer master file, entering receiving
information, and recording receipts in a subsystem.
9.40 Finally, ledger events are activities that record transactions in the general
ledger. Examples of such events include recording investments, income,
and receipts in the general ledger.
Processes and Controls
9.41 Processes, whether automated or manual, can introduce errors into the
accounting system. These errors can be intentional or unintentional.
Controls, on the other hand, are needed to ensure that all the relevant
economic events are captured and are established over processes to
prevent and detect such errors. For example, most businesses have the
process “collect cash from customers (receive payments)”. Controls
implemented over this process should ensure that all cash collected is
properly recorded and deposited in the entity’s bank account. Such
controls may include segregating the cash collection activity from the
recording activity, performing reconciliations and following up on identified
exceptions.
Control Objectives
9.43 Each activities-level control is assigned to a control objective. Control
objectives are applicable to economic and financial statement events as
follows:
Control Objective           Boundary   Internal   Discretionary   Ledger
                            Event      Event      Event           Event
Authorization
Completeness and accuracy
Integrity
Budgetary
Reconciliation
Safeguarding
9.44 Controls that achieve the authorization objective are designed to ensure
that captured transactions are valid and have the approval of
management. This authorization may be based on a broad policy, for
example, when authorization is given to extend credit to any customer up
to a specified limit. This authorization may also be specific, for example,
where further authorization controls are performed for transactions in
excess of the specified limit. Authorization controls occurring during
processing are the same in nature and purpose as those at the boundary;
however, controls at the boundary are normally stronger. For example,
authorization of the extension of credit after the fact is not a very effective
control; it may be useful in detecting potential recoverability problems, but
not in preventing or minimizing them.
9.45 Controls that achieve the completeness and accuracy objective are
designed to ensure that all exchanges with third parties are properly
captured in the accounting system and the data captured is complete and
accurate. “Completeness controls” are designed to prevent or detect
errors in the number of items or transactions processed, to guard against
the possibility that items accepted by the accounting system are omitted
from processing or are processed more than once. “Accuracy controls” are
designed to prevent or detect discrepancies between items of information
and the corresponding economic facts, to guard against the possibility that
incorrect information is processed.
9.46 Controls that achieve the integrity objective are designed to prevent the
alteration of computer data files and programs, to help ensure that all
accepted transactions remain on file for the proper period, and all
captured transactions accurately update the master files. “Integrity
controls” apply to automated components of the accounting system and
include controls such as restricted access to databases. They do not
include controls such as locks restricting access to the computer room.
9.47 Controls that achieve the budgetary objective are designed to aid
management in determining that the entity is operating as expected. For
example, if salaries are a negotiated contract item, management might
expect actual salary expense to match the aggregate contracted amount.
If the actual expense is significantly different, a “budgetary control” may
indicate an error in the accounting system.
9.48 Controls that achieve the reconciliation objective are designed to ensure
that the general ledger account properly reflects the summary of the
events recorded in the accounting system. An example is reconciling a
control account to a subsidiary ledger. Such controls are detective rather
than preventive. In Voyager, the completion of a reconciliation is not a
control in and of itself. For example, if the reconciliation is prepared but
the reconciling items are not examined to determine if they are indicative
of an error, no control is provided by the reconciliation.
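The following is an added example, not code from the Voyager manual or any GTI member firm, illustrating the reconciliation objective in 9.48 and the completeness and accuracy objective in 9.45: the accounts receivable control account in the general ledger is compared with the customer balances in the subsidiary ledger, listed reconciling items are netted against the difference, and the reconciliation is only counted as a control when the difference is fully explained and every reconciling item has been examined. The balances, customer names and reconciling items are constructed sample data.

```python
"""Reconcile a general ledger control account to a subsidiary ledger.

Added example (not from the Voyager manual). A reconciliation that is prepared
but whose reconciling items nobody examined, or that leaves part of the
difference unexplained, is reported as providing no control.
"""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class ReconciliationResult:
    gl_balance: Decimal
    subledger_total: Decimal
    difference: Decimal      # GL control account balance minus subledger total
    unexplained: Decimal     # part of the difference not covered by listed items
    exceptions: list = field(default_factory=list)

    @property
    def provides_control(self) -> bool:
        """True only when the difference is fully explained AND every
        reconciling item was examined for whether it indicates an error."""
        return self.unexplained == 0 and not self.exceptions


def reconcile(gl_balance, subledger, reconciling_items):
    """Compare the GL control account with the subsidiary ledger.

    subledger: {customer: balance}.
    reconciling_items: dicts with 'amount' (signed so that
    GL - subledger - sum(amounts) == 0 when fully explained),
    'description' and 'examined' (True once someone followed it up)."""
    subledger_total = sum(subledger.values(), Decimal("0"))
    difference = gl_balance - subledger_total
    listed = sum((Decimal(i["amount"]) for i in reconciling_items), Decimal("0"))
    unexplained = difference - listed
    # Items listed but not followed up give no assurance that they are not errors
    exceptions = [f"not examined: {i['description']} ({i['amount']})"
                  for i in reconciling_items if not i["examined"]]
    if unexplained != 0:
        exceptions.append(f"unexplained difference: {unexplained}")
    return ReconciliationResult(gl_balance, subledger_total, difference,
                                unexplained, exceptions)


# Constructed sample data
SAMPLE_GL_BALANCE = Decimal("125400.00")
SAMPLE_SUBLEDGER = {
    "Customer A": Decimal("50000.00"),
    "Customer B": Decimal("40000.00"),
    "Customer C": Decimal("30150.00"),
}


def sample_items(last_examined: bool):
    return [
        {"amount": "5000.00", "examined": True,
         "description": "invoice journalised to GL, not yet posted to subledger"},
        {"amount": "250.00", "examined": last_examined,
         "description": "credit note in subledger, not yet journalised to GL"},
    ]


def sample_reconciliation(all_examined: bool = True, drop_last_item: bool = False):
    """Three scenarios: fully followed up; one item not examined; one item missing."""
    items = sample_items(all_examined)
    if drop_last_item:
        items = items[:1]
    return reconcile(SAMPLE_GL_BALANCE, SAMPLE_SUBLEDGER, items)


if __name__ == "__main__":
    scenarios = [
        ("prepared and followed up", sample_reconciliation()),
        ("prepared, one item not followed up", sample_reconciliation(all_examined=False)),
        ("difference not fully explained", sample_reconciliation(drop_last_item=True)),
    ]
    for label, r in scenarios:
        print(f"{label}: difference={r.difference} unexplained={r.unexplained} "
              f"control={'yes' if r.provides_control else 'NO'} {r.exceptions}")
```

The design choice worth noting is that `provides_control` is false in two different situations: an arithmetic gap (an unexplained residual) and a procedural gap (a listed item that nobody examined). Both are the cases 9.48 describes as a reconciliation that exists on paper but provides no control.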
9.49 Controls that achieve the safeguarding objective are designed to protect
assets. They include procedures and security measures that restrict
access to assets to authorized personnel. These controls are particularly
important in the case of valuable, easily exchangeable, or portable assets.
Control Attributes
9.50 All controls have distinct attributes. However, any given control can fit a
number of different control attributes. The controls built into Voyager are
pre-assigned to certain attributes. Examples of such attributes are:
COSO component
control objective
foundational, operational, or monitoring
preventive or detective
automated or manual
primary (and sometimes secondary) assertion
9.51 The COSO component and control objective attributes are discussed
above. The other attributes are discussed in the following paragraphs. The
Control Attributes report can be generated to identify the controls within a
process and their pre-assigned attributes.
9.52 In addition to the attributes assigned by Voyager, the audit team should
determine and document in Voyager whether the control is a documented
or undocumented control.
9.55 Monitoring controls ensure that all other controls are operating as
designed. Examples of monitoring controls include review of business
performance metrics, observation of operational controls, and
reperformance of specific controls.
9.57 Preventive controls are usually preferred over detective controls, because
they prevent errors from being introduced into a process, as opposed to
detecting errors already introduced. For example, the entity's control
system would be better if a preventive control (such as an edit) required
authorization of large sales than if a detective control (such as follow-up
on an exception report) identified transactions requiring authorization after
the occurrence of the event.
9.61 Documented controls provide written evidence that they are performed
and are often characteristic of manual controls. Undocumented controls
may be effective, but they can only be tested through inquiry and
observation.
9.62 Written evidence, which may take the form of signatures or initials, assists
in the identification of items for testing and only provides indirect evidence
that a control procedure was performed. For example, the person
performing the control procedure might not have performed the procedure
effectively because he or she misunderstood the purpose of the control.
9.63 Application controls are automated controls built into application software
(e.g., payroll, accounts receivable, or general ledger software), which may
vary from application to application. Application controls are designed to
ensure that all transactions recorded are authorized, complete, and
accurate. For example, a customer enters a sales order either through a
telephone call to a salesperson or by using an interactive website.
However, the sales order software will not process the transaction unless
the customer’s accounts receivable balance is below a specified credit
limit.
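The credit-limit check in 9.63 is the same control that 9.44 describes as broad versus specific authorization and that 9.57 contrasts with a detective exception report. The block below is an added example, not code from the Voyager manual or from any sales order software: orders that keep the customer's receivable balance within the policy limit are accepted under the broad authorization, orders above it are processed only with specific approval from a member of an assumed approver list, and an after-the-fact exception report is included to show what a detective control of the same condition can and cannot do. Customer balances, limits, order data and the approver list are all constructed.

```python
"""Preventive credit authorization versus a detective exception report.

Added example (not Voyager code). The customer master data, the approver
list and the orders are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed customer master: credit limit and open receivable balance
CUSTOMERS = {
    "C001": {"limit": 10_000, "balance": 7_500},
    "C002": {"limit": 5_000, "balance": 4_900},
}
# Assumed list of people who may give specific authorization above the limit
CREDIT_APPROVERS = {"credit.manager"}


@dataclass
class Order:
    order_id: str
    customer: str
    amount: int
    approved_by: Optional[str] = None   # set when specific authorization was obtained


def authorize_order(order, customers=CUSTOMERS, approvers=CREDIT_APPROVERS):
    """Preventive control applied BEFORE processing. Returns (accepted, reason)."""
    cust = customers.get(order.customer)
    if cust is None:
        return False, "unknown customer"
    if order.amount <= 0:
        return False, "invalid amount"
    exposure = cust["balance"] + order.amount
    if exposure <= cust["limit"]:
        return True, "within credit limit (broad authorization by policy)"
    # Above the policy limit: a specific authorization by an approver is required
    if order.approved_by in approvers:
        return True, f"exceeds limit; specifically authorized by {order.approved_by}"
    return False, f"exceeds credit limit by {exposure - cust['limit']}; specific authorization required"


def process_orders(orders, customers=CUSTOMERS):
    """Apply the preventive control; only accepted orders update the balance.
    Works on a copy of the master data so repeated calls are independent."""
    state = {k: dict(v) for k, v in customers.items()}
    accepted, rejected = [], []
    for o in orders:
        ok, reason = authorize_order(o, state)
        if ok:
            state[o.customer]["balance"] += o.amount
            accepted.append((o.order_id, reason))
        else:
            rejected.append((o.order_id, reason))
    return accepted, rejected, state


def exception_report(processed_orders, customers=CUSTOMERS, approvers=CREDIT_APPROVERS):
    """Detective control for contrast: run AFTER orders were processed without
    the check. It lists orders that took a customer over the limit without
    specific approval; it can surface recoverability problems but cannot
    stop the goods from having been shipped."""
    balances = {k: v["balance"] for k, v in customers.items()}
    flagged = []
    for o in processed_orders:
        balances[o.customer] += o.amount
        over_limit = balances[o.customer] > customers[o.customer]["limit"]
        if over_limit and o.approved_by not in approvers:
            flagged.append(o.order_id)
    return flagged


# Constructed orders, with the expected outcome of the preventive control
SAMPLE_ORDERS = [
    Order("SO-1", "C001", 2_000),                               # 9,500 <= 10,000: accepted
    Order("SO-2", "C001", 1_000),                               # 10,500 > 10,000, no approval: rejected
    Order("SO-3", "C001", 1_000, approved_by="credit.manager"),  # over limit, approved: accepted
    Order("SO-4", "C002", 200, approved_by="sales.rep"),        # approver not authorized: rejected
]

if __name__ == "__main__":
    acc, rej, _ = process_orders(SAMPLE_ORDERS)
    print("accepted:", acc)
    print("rejected:", rej)
    print("detective report over unchecked processing:", exception_report(SAMPLE_ORDERS))
```

Note that `authorize_order` evaluates the limit against the running balance, so the second order for C001 is refused even though each order on its own is small; an edit that only compared the single order amount with the limit would not implement the control 9.63 describes.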
9.65 Although five basic control objectives have been defined for system
controls over computer processing, there is considerable interdependence
between them. For example, controls to restrict the use of utility programs,
such as file editing tools, are relevant not only to the reliability of
processing but also to the integrity of data and the integrity of programs.
In fact, since such a utility could be used to falsify a log file, it could be
employed to circumvent controls over system amendments. System
controls over computer processing should not, therefore, be considered in
isolation from each other or from the applications.
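The integrity objective in 9.46 and the log-falsification concern in 9.65 are about detecting alteration of data files after the fact. As an added example (not code from the manual or from any Voyager tool), the block below keeps a log in which each record carries an HMAC over the previous record's tag and its own content, so that editing, deleting or inserting a line with a file-editing utility breaks the chain at that point. The key, the log lines and the tampering helpers are constructed for the example; the key would have to be kept on a host the utility's users cannot reach, otherwise the tags could simply be recomputed.

```python
"""Tamper-evident log for detecting edits made with a file-editing utility.

Added example (not Voyager code). Key and log records are constructed.
"""
import hashlib
import hmac

# Constructed key; in practice it lives away from the system whose log it protects
LOG_KEY = b"example-log-key-not-for-production"
GENESIS = "0" * 64


def _tag(prev_tag: str, record: str) -> str:
    # Each tag binds the record to everything that came before it
    return hmac.new(LOG_KEY, (prev_tag + "\n" + record).encode(), hashlib.sha256).hexdigest()


def append_record(chain: list, record: str) -> list:
    """Append (record, tag) to the chain and return the chain."""
    prev = chain[-1][1] if chain else GENESIS
    chain.append((record, _tag(prev, record)))
    return chain


def serialize(chain) -> str:
    return "\n".join(f"{rec}|{tag}" for rec, tag in chain)


def verify(text: str, expected_last_tag=None):
    """Walk the chain; return (True, None) or (False, description of the first problem)."""
    prev = GENESIS
    for n, line in enumerate(text.splitlines(), start=1):
        if "|" not in line:
            return False, f"line {n}"
        rec, tag = line.rsplit("|", 1)
        if not hmac.compare_digest(tag, _tag(prev, rec)):
            return False, f"line {n}"
        prev = tag
    # Deleting records at the END leaves a valid, shorter chain; catching that
    # needs the latest tag recorded where the editor's user cannot change it.
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return False, "truncated"
    return True, None


def build_sample_log() -> str:
    """Constructed change-management log with three records."""
    chain = []
    for rec in [
        "2024-01-05T09:00:01 user=jsmith action=login result=ok",
        "2024-01-05T09:02:17 user=jsmith action=edit program=PAYROLL01 change=CR-4471",
        "2024-01-05T09:02:40 user=jsmith action=logout",
    ]:
        append_record(chain, rec)
    return serialize(chain)


def tamper_by_editing(text: str, line_no: int, new_record: str) -> str:
    """Simulate a file editor rewriting one line's content while keeping its tag."""
    lines = text.splitlines()
    _, tag = lines[line_no - 1].rsplit("|", 1)
    lines[line_no - 1] = f"{new_record}|{tag}"
    return "\n".join(lines)


def tamper_by_deleting(text: str, line_no: int) -> str:
    """Simulate a file editor removing one line."""
    lines = text.splitlines()
    del lines[line_no - 1]
    return "\n".join(lines)


if __name__ == "__main__":
    log = build_sample_log()
    last_tag = log.splitlines()[-1].rsplit("|", 1)[1]
    print("intact:", verify(log, last_tag))
    print("line 2 edited:", verify(tamper_by_editing(log, 2, "2024-01-05T09:02:17 user=jsmith action=login result=ok")))
    print("line 2 deleted:", verify(tamper_by_deleting(log, 2)))
    print("last line deleted:", verify(tamper_by_deleting(log, 3), last_tag))
```

The check is detective, not preventive: it does not stop someone with the utility from editing the file, but it makes the edit visible to whoever runs `verify` with the key and the last known tag, which is the control over system amendments that 9.65 says the utility could otherwise circumvent.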
Obtaining and Documenting an Understanding of Internal
Control
9.66 The particular design of the entity’s internal control will vary according to
the size and nature of the business. The applicability and importance of
specific elements of the entity’s internal control should be considered in
the context of the entity's:
size
organization and ownership characteristics
nature of business
diversity and complexity of operations
methods of processing data
applicable legal and regulatory requirements
9.67 For example, some companies are organized first by subsidiaries, then by
regions within those subsidiaries. Others are organized first by geographic
region, then by lines of business within those regions. For these types of
engagements, the audit team must determine how the entity’s operations
will be segregated for evaluation purposes.
9.68 The extent of work performed at each location or business unit varies
depending on the entity and the risk of material misstatement. For each
individually important location or business unit, a separate Voyager file
should ordinarily be created and completed. At each location, it is only
necessary to document significant transaction cycles.
9.69 For locations and business units that are not individually important, a
separate Voyager file may not be necessary. However, the audit team
should consider whether an error could occur in one location (or several
locations in the aggregate) that may give rise to a material misstatement
for the entity as a whole. In such cases, controls that prevent or detect
such errors should be understood and documented. For example, if a
business unit has complex revenue transactions that may result in a
material misstatement for the entity as a whole, it is reasonable to expect
controls in this cycle to be documented. In this situation, a separate
Voyager file should be created to document the controls over the revenue
cycle for that unit.
9.75 Through observation and inquiry, the audit team identifies controls. Using
Voyager, the audit team:
places a check next to those controls that are implemented
indicates whether the control is documented
designates the name or function of the person performing the
process and the controls
9.77 The audit team may also choose to document other client information and
their understanding of the entity in Voyager.
Process Importance
9.78 Voyager suggests process importance for all processes in all industries.
The audit team may need to change process importance when the
suggestion is not appropriate for the specific client situation. It is essential
to assess process importance correctly as this determination may affect
the nature, timing and extent of other audit procedures. Audit teams
should carefully evaluate the process and consider the relevance of the
process factors. The more factors that are relevant, the more important a
process is likely to be. Voyager requires audit teams to document their
rationale for changing a preset process importance determination.
9.81 The audit team should document controls for the very important and
somewhat important processes. For not important processes,
documentation of the controls is not required.
Assistance of IT Specialists
9.82 Members of the audit team should have sufficient background and
experience to review most electronic systems. However, complex systems
require the assistance of an IT specialist. The application programs and
databases used by an entity often provide the first clue on the complexity
of the system. Examples of software applications commonly found in a
complex IT environment are PeopleSoft and SAP. Examples of relational
databases commonly used in a complex IT environment are Oracle and
DB2. The IT Profile tool in Voyager assists teams in determining whether
an IT system is complex.
9.83 The audit team is responsible for capturing the information in the IT Profile
correctly. This includes entering details regarding significant applications
used by the entity to process information related to financial reporting
processes. Once this information is entered, the team evaluates
complexity by considering the applicability of the IT complexity factors for
each application. If any of the applications are complex, the audit team
should then add an IT specialist to the team. The IT specialist then
reviews the IT Profile documentation to appropriately determine the extent
of his or her involvement. In addition, the audit team can include an IT
specialist if they deem it necessary even if the applications are not
assessed as complex.
9.84 When an IT specialist is added to the audit team, his or her initial
responsibility is to participate in the risk assessment process, including the
discussion among the audit team members to brainstorm about risks,
including fraud and where things could go wrong. Due to the complex
nature of IT systems, the IT specialist will normally be a partner or
manager who will assist the audit team in identifying IT-related risks.
Based on the specifics of the client and the risks identified, the audit team
and the IT specialist will then determine the extent of the IT specialist’s
further involvement. This includes assigning the appropriate IT specialist
to perform the work and deciding what role he or she will perform in
documenting and testing IT controls for the audit.
9.85 The IT specialist is considered part of the audit team. As such, he or she
should document his or her work using Voyager. In addition, the IT
specialist should adhere to all professional and firm standards.
9.86 The audit team cannot “audit around” the computer, delegate
responsibility for technology risk assessments to others, or delegate
responsibility to an IT specialist to determine the correct audit judgments.
The audit team should have the requisite skills to understand and
complete the IT profile and general IT environment as set out in Voyager.
That is not to say that an IT specialist will not be needed to assist with that
process, but when an IT specialist participates on the audit as a member
of the audit team, it is still incumbent on the rest of the audit team to
understand and concur with the work that the specialist performs.
Performing Walkthroughs
9.91 When there has been a change to the system, for example, a software
upgrade, the audit team may consider selecting transactions occurring
before and after the change to walk through the system, particularly if, in
the software upgrade example, the entity does not have specific system
controls for testing new versions of software before they are implemented.
9.92 Using Voyager, the audit team documents the transactions selected for a
walkthrough, the pertinent accounting system attributes, the controls that
were observed, and describes the responses to inquiries made of client
personnel. Significant or unusual matters coming to our attention during
the walkthrough should be noted.
9.93 The audit team should refer to management’s documentation as they build
the documentation in Voyager. Leveraging the work of others will make
the process of capturing the controls more efficient.
9.98 Small entities may implement the control environment elements differently
than larger entities. For example, small entities might not have a written
code of conduct but, instead, develop a culture that emphasizes the
importance of integrity and ethical behavior through oral communication
and by management example. Similarly, the board of directors or those
charged with governance in small entities may not include an independent
or outside member.
9.99 The basic concepts of the entity’s risk assessment process are usually
present in every entity, regardless of size, but the risk assessment
process is likely to be less formal and less structured in small entities than
in larger ones. All entities have established financial reporting objectives,
but they may be recognized implicitly rather than explicitly in small entities.
Management may be able to learn about risks related to these objectives
through direct personal involvement with employees and outside parties.
9.101 Communication may be less formal and easier to achieve in a small entity
than in a larger entity due to the small entity’s size and fewer levels as well
as management’s greater visibility and availability.
9.103 The concepts underlying control procedures in small entities are likely to
be similar to those in larger entities, but the formality with which they
operate varies. An appropriate segregation of duties often appears to
present difficulties in small entities. However, even companies that have
only a few employees may be able to assign their responsibilities to
segregate those duties that are most essential to protect assets.
9.104 A “very small entity” flag is included in Voyager for entities that meet the
definition below. Selecting this flag turns off all of Voyager’s internal
control evaluation tools, which places the responsibility for evaluating
design effectiveness entirely upon the audit team. The definition of a very
small entity was adopted for the purpose of achieving consistency
throughout the GTI member firms.
9.105 A “very small entity” is one that employs very few people (for example,
fewer than 10 full-time equivalents) in the entire organization. Very small
entities typically have only one or two distinct sources of revenue. The
number of transactions within each revenue source is small. Their
transactions lack complexity.
9.110 When the audit team believes that a client meets the definition of a very
small entity, they should consult with the engagement partner or the office
PSP and obtain his or her approval. Once the approval is obtained, the
audit team can choose the very small entity option.
Exhibit 9.1 – Glossary of IT Security Administration
Controls
IT general controls include the following activities: security administration,
program maintenance, program execution, and new system
implementation. The security administration activity includes the following
processes:
establish effective security environment
manage internal user access
manage remote and third-party access
monitor access to IT systems
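As an added example that is not part of the Voyager manual or its IT Profile tool, the block below shows what two of the security administration processes listed above, "manage internal user access" and "monitor access to IT systems", look like as a periodic access review, and ties it to the segregation of cash collection from recording in 9.41: the application's user list is compared with the HR roster to find leavers whose accounts are still enabled, accounts with no roster entry, and dormant accounts, and each user's roles are checked against a conflict matrix. The roster, user list, role names, dates and conflict pairs are all constructed for the example.

```python
"""Periodic user access review with a segregation-of-duties check.

Added example (not Voyager code). All users, roles and dates are constructed.
"""
from datetime import date

# Constructed HR roster: user id -> employment status
HR_ROSTER = {"asmith": "active", "bjones": "active", "clee": "terminated", "dkhan": "active"}

# Constructed application user list: roles held and last login
APP_USERS = {
    "asmith":    {"roles": {"cash_receipts"}, "last_login": date(2024, 3, 1)},
    "bjones":    {"roles": {"cash_receipts", "post_receipts"}, "last_login": date(2024, 3, 2)},
    "clee":      {"roles": {"post_receipts"}, "last_login": date(2023, 11, 20)},
    "dkhan":     {"roles": {"ar_reconcile"}, "last_login": date(2023, 10, 5)},
    "svc_batch": {"roles": {"post_receipts"}, "last_login": date(2024, 3, 2)},
}

# Assumed conflict matrix: role sets one person should not hold together
SOD_CONFLICTS = [
    ({"cash_receipts", "post_receipts"}, "collects cash and records the receipts"),
]


def review_access(app_users, roster, as_of, dormant_days=90, conflicts=SOD_CONFLICTS):
    """Return a list of (user, finding) for follow-up by the reviewer."""
    findings = []
    for user, info in app_users.items():
        status = roster.get(user)
        if status is None:
            # Service, shared or orphaned account: needs an owner and a justification
            findings.append((user, "not on HR roster"))
        elif status != "active":
            findings.append((user, f"HR status {status} but account still enabled"))
        if (as_of - info["last_login"]).days > dormant_days:
            findings.append((user, f"dormant: no login for more than {dormant_days} days"))
        for roles, why in conflicts:
            if roles <= info["roles"]:
                findings.append((user, f"segregation of duties conflict: {why}"))
    return findings


def sample_review():
    """Run the review over the constructed data as of a fixed date."""
    return review_access(APP_USERS, HR_ROSTER, as_of=date(2024, 3, 15))


if __name__ == "__main__":
    for user, finding in sample_review():
        print(f"{user:10} {finding}")
```

Each finding is a question for the reviewer, not a verdict: a service account with no roster entry may be legitimate once an owner is recorded, and a small entity (9.103) may accept a role conflict provided a compensating control, such as an independent reconciliation of receipts to bank deposits, is documented.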