Audits of Internal Control

and Control Risk

Chapter 10

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 1

 Learning Objective 1

Describe the three primary

objectives of effective
internal control.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 2

 Internal Control Objectives
1. Reliability of financial reporting

2. Efficiency and effectiveness of operations

3. Compliance with laws and regulations

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 3

 Learning Objective 2

Contrast management’s
responsibilities for maintaining
and reporting on internal controls
with the auditor’s responsibilities
for understanding, testing, and
reporting on internal controls.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 4

 Management and Auditor
Responsibilities Related
to Internal Control
 Management’s responsibility
for establishing internal control

 Reasonable assurance

 Inherent limitations

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 5

 Management and Auditor
Responsibilities Related
to Internal Control
 Management’s Section 404
reporting responsibilities

 Design of internal control

 Operating effectiveness of controls

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 6

 Management and Auditor
Responsibilities Related
to Internal Control
 Auditor responsibilities for
understanding internal control

 Controls over the reliability

of financial reporting

 Control over classes of transactions

 Auditor responsibilities for testing

internal control
©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 7
 Sales Transaction-related
Audit Objectives
Transaction-related Audit Sales Transaction-related
Objective – General form Audit Objectives
Recorded transactions Sales are for shipments
exist (occurrence) to existing customers
Existing transactions are Existing sales transactions
recorded (completeness) are recorded
Transactions are stated Sales for goods shipped
correctly (accuracy) are correctly billed

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 8

 Sales Transaction-related
Audit Objectives
Transaction-related Audit Sales Transaction-related
Objective – General form Audit Objectives
Transactions are correctly Sales transactions are
filed (posting and correctly included in the
summarization) master files
Transactions are correctly Sales transactions are
classified (classification) correctly classified
Transactions are recorded Sales are recorded on
on correct dates (timing) the correct dates

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 9

 Learning Objective 3

Explain the five components

of the COSO internal
control framework.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 10

 Five Components of Internal
Control

Risk Information and

assessment communication

Control
Monitoring
activities

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 11

 The Control Environment
 Integrity and ethical values

 Commitment to competence

 Board of directors or audit

committee participation

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 12

 The Control Environment
 Management’s philosophy and operating style

 Organizational structure

 Human resource policies and practices

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 13

 Risk Assessment
 Identify factors that may increase risk

 Estimate the significance of the risk

 Assess the likelihood of the risk occurring

 Determine actions necessary to manage the risk

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 14

 Control Activities
1. Adequate separation of duties

2. Proper authorization of transactions and activities

3. Adequate documents and records

4. Physical control over assets and records

5. Independent checks on performance

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 15

 Adequate Separation of Duties
Custody of assets from Accounting

Authorization The custody of

from
of transactions related assets

Operational Record-keeping
from
responsibility responsibility

IT duties from User departments

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 16

 Proper Authorization of
Transactions and Activities
 General authorization

 Specific authorization

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 17

 Adequate Documents and
Records
 Prenumbered consecutively

 Prepared at the time of transaction

 Designed for multiple use

 Constructed to encourage correct preparation

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 18

 Physical Control Over Assets
and Records
The most important type of protective
measure for safeguarding assets and
records is the use of physical precautions.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 19

 Independent Checks on
Performance
The need for independent checks arises
because internal control tends to change
over time unless there is a mechanism
for frequent review.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 20

 Information and
Communication
The purpose of an accounting information
and communication system is to…

initiate, record, process, and report

the entity’s transactions and to maintain
accountability for the related assets.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 21

 Monitoring

Monitoring activities deal with management’s

ongoing and periodic assessment of the
quality of internal control performance…

to determine whether controls are operating

as intended and modified when needed.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 22

 Learning Objective 4

Obtain and document an

understanding of internal control.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 23

 Process for Understanding Internal
Control and Assessing Control Risk
Obtain an
understanding of Design, perform,
Phase 1 internal control: Phase 3 and evaluate tests
design and of controls
operation

Decide planned
Assess control detection risk
Phase 2 risk Phase 4 and substantive
tests

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 24

 Evaluating Internal Control
Operation
 Update and evaluate auditor’s previous
experience with the entity
 Make inquiries of client personnel
 Examine documents and records
 Observe entity activities and operations
 Perform walk-throughs of the accounting system

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 25

 Learning Objective 5

Assess control risk by linking key

controls, significant deficiencies,
and material weaknesses to
transaction-related audit
objectives.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 26

 Assess Control Risk

Assess whether the financial statements

are auditable.

Determine assessed control risk supported

by the understanding obtained assuming
the controls are being followed.

Use of a control risk matrix to assess

control risk.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 27

 Control Risk Matrix

Many auditors use the control risk matrix

to assist in the control risk assessment
process.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 28

 Control Risk Matrix
 Identify audit objectives

 Identify existing controls

 Associate controls with related audit objectives

 Identify and evaluate control deficiencies,

significant deficiencies, and material weaknesses

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 29

 Identify Deficiencies and
Weakness
 Identify existing controls

 Identify the absence of key controls

 Consider the possibility of compensating controls

 Decide whether there is a significant deficiency

or material weakness

 Determine potential misstatements that could result

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 30

 Communications

 Communications to those
charged with governance

 Management letters

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 31

 Learning Objective 6

Describe the process of designing

and performing tests of controls.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 32

 Tests of Controls

The procedures to test effectiveness of controls

in support of a reduced assessed control
risk are called tests of controls.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 33

 Procedures for Tests of
Controls
1. Make inquiries of client personnel

2. Examine documents, records, and reports

3. Observe control-related activities

4. Reperform client procedures

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 34

 Extent of Procedures

 Reliance on evidence from prior year’s audit

 Testing of controls related to significant risks

 Testing less than the entire audit period

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 35

 Decide Planned Detection Risk and
Design Substantive Tests
The auditor uses the results of the control risk
assessment process and tests of controls to
determine the planned detection risk and
related substantive tests.

The auditor links the control risk assessments

to the balance-related audit objectives.

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 36

 End of Chapter 10

©2008 Prentice Hall Business Publishing, Auditing 12/e, Arens/Beasley/Elder 10 - 37