AUD 3 Internal Control 9 (Review) Flashcards
The mnemonic C_____ reminds management that it would be a crime not to consider all of the internal control elements when designing the system.
The mnemonic CRIME reminds management that it would be a crime not to consider all of the internal control elements when designing the system.
Elements of Internal Control: (CRIME)
- Control Environment (CHOPPER)
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
or
5 components of internal control
(CRIME)
- Control activities
- Risk assessment
- Information and communication
- Monitoring
- Control Environment
Elements of Internal Control: (CRIME)
E = Control Environment
Factors (CHOPPER):
- Commitment to competence
- Human resource policies and practices
- Organizational structure
- Participation of those charged with Governance
- Philosophy of management and mgt operating style
- Ethical values and Integrity
- Responsibility assignment
Elements of Internal Control: (CRIME)
E : Control Environment
Factors (CHOPPER)
• C = Commitment to competence
– Effective control requires a sincere interest on the part of the employees in performing good work.
• H = Human resource policies and practices
– A company can minimize the control difficulties created by new employees by sound hiring and training policies for employees.
• O = Organizational structure
– A company that operates all over the world has different internal control problems than one operating entirely within a single building.
• P = Participation of those charged with Governance
– An audit committee of the board of directors that actively monitors the internal audit function produces a more attentive management on such matters.
• P = Philosophy of management and mgt operating style
– The belief (or lack of it) in the importance of internal control by management will affect the seriousness with which it is taken by the rest of the employees. This is especially the case when decision-making in the company is dominated by a single individual.
• E = Ethical values and Integrity
– Honest employees will be less likely to cause internal control difficulties related to fraud and improve the opportunity for those resulting from errors to be effectively detected.
• R = Responsibility assignment
– The manner in which authority, responsibility and accountability are assigned to different employees determines the controls that will be needed. Again, the domination of decision-making by a single individual holds significance, since such power makes it extremely difficult for internal control to be trusted.
Elements of Internal Control: (CRIME)
E : Control Environment
5 principles
Management and those charged with governance:
- Demonstrate a commitment to integrity and ethical values;
- Exercise their oversight responsibility;
- Establish structure, authority, and responsibility;
- Demonstrate a commitment to competence; and
- Enforce accountability.
Elements of Internal Control: (CRIME)
- R = Risk Assessment
Risks relevant to financial reporting include external and internal factors, such as:
- Changes in the operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New lines of business, products, or activities
- Corporate restructurings
- Foreign operations
- Changes to accounting pronouncements
- Changes to the economic environment
Elements of Internal Control: (CRIME)
- R = Risk Assessment
4 principles
Management and those charged with governance:
- Specify suitable objectives
- Identify and analyze risk
- Assess fraud risk
- Identify and analyze significant change
Elements of Internal Control: (CRIME)
• C = Control Activities
Control activities are policies and procedures that help ensure that management directives are carried out.
The focus of control activities may be one of the following:
- Performance reviews
- Information processing
- Physical controls
- Segregation of duties
Elements of Internal Control: (CRIME)
C = Control Activities
• Performance reviews
– Controls involving the evaluation of performance against some criteria such as comparing actual amounts to budgeted amounts, comparing current period results to those of prior years, or evaluating financial data in relation to nonfinancial data.
• Information processing
– Controls that prevent the processing of information unless certain criteria are met, such as the matching of certain documentation before recording a sale.
In an information technology, or IT, environment, there are general controls that relate to the overall operation of the system, including the structure of the organization and access to information; and application controls that relate to specific functions being performed.
• Physical controls
– Controls that limit access to assets.
• Segregation of duties
– Controls that involve assigning different people responsibilities for authorizing transactions, recording transactions, maintaining custody of assets, and performing reconciliations or comparisons.
It is intended to reduce the opportunities for any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of their duties (ARCC-S):
o Authorization of transactions
o Recording (posting) of transactions
o Custody of assets
o Comparisons
▪ Segregation of duties
Elements of Internal Control: (CRIME)
C = Control Activities
3 principles
Management and those charged with governance:
- Select and develop control activities
- Select and develop general controls over technology
- Deploy controls through policies and procedures
Elements of Internal Control: (CRIME)
I = Information and Communication
The auditor should obtain an understanding related to how:
- Info system consists of the methods and records used to record, process, summarize and report Co.’s transactions and to maintain accountability for the related accounts.
- Communication involves establishing individual duties and responsibilities relating to internal control and making them known to involved personnel.
- Transactions are initiated, authorized, and processed; and how transactions, events, and conditions are reported, including which components are performed manually and which are performed electronically.
- Accountability is maintained for assets, liabilities, and equity, including the maintenance of records supporting information or specific items in the financial statements.
- The incorrect processing of transactions is identified and resolved.
- Recurring and nonrecurring journal entries, unusual transactions, and other adjustments are identified and prepared.
- System overrides or bypasses to controls are processed and accounted for.
- Information is transferred from the processing systems to the general ledger.
- Events and conditions, other than transactions, that are relevant to financial reporting, including depreciation and amortization of assets and collectibility of receivables, are identified, and how information is captured.
- Financial statements are prepared, including the development of estimates.
- Information that is required to be disclosed is identified, accumulated, recorded, processed, summarized, and properly reported.
Elements of Internal Control: (CRIME)
I = Information and Communication
3 principles
Management and those charged with governance:
- Use relevant information
- Communicate internally
- Communicate externally
Elements of Internal Control: (CRIME)
M = Monitoring
2 principles
Management and those charged with governance:
- Conduct ongoing and/or separate evaluations
- Evaluate and communicate deficiencies
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
An auditor performs the following procedures to obtain and apply an understanding of internal control to an audit:
Step 1 – Obtain an understanding of the design of all 5 components of the entity’s internal control (CRIME) through the performance of risk assessment procedures.
Step 2 – Document the understanding of Internal Control.
Step 3 – Assess Risk of Material Misstatement (RMM) which consists of inherent risk (IR) and control risk (CR).
RMM = IR × CR
Step 4 – Develop an audit strategy to either:
o (RELY?)
Perform tests of controls (TofC) to determine if CR is below maximum, reducing RMM below the level of IR and allowing for the modification of the nature, timing, and extent of further audit procedures (sub tests); or
o (NOT Rely)
Decide NOT to perform tests of controls, assessing CR at the maximum level as if the control did not exist, and measuring RMM as being equal to IR.
Step 5 – Reassess Risk of Material Misstatement and evaluate results.
o For controls for which tests of controls were performed, evaluate results to reassess RMM and determine if it is appropriate to modify the nature, timing, and extent of further audit procedures.
Step 6 – Document conclusions and determine the effect on the planned substantive procedures. At this point, the audit program needs to be developed or revised for further audit procedures.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 1 –
1. Understand the Design of CRIME by performing Risk Assessment Procedures
Risk assessment procedures include:
- Analytical procedures (Using high level data)
- Inquiries of management and others within the entity, including inquiries of internal auditors.
- Inspection (of documents and records)
- Observation (the application of specific controls)
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 1 –
1. Understand the Design of CRIME by performing Risk Assessment Procedures
The knowledge obtained through risk assessment procedures is used to:
- Identify the types of potential misstatements (Errors or Fraud).
- Consider factors that affect the risk of material misstatements.
- Design tests of controls and substantive procedures.
o As part of obtaining an understanding of internal control sufficient to plan the audit, the auditor should evaluate whether the client’s programs and controls that address the identified risks of material misstatement due to fraud have been suitably designed and implemented.
o Determine if these have been implemented (placed into operation).
▪ Understanding doesn't require evaluating their operating effectiveness.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 1 –
1. Understand the Design of CRIME by performing Risk Assessment Procedures
A walk-through involves applying some means other than inquiry, such as
- observing the control being applied,
- performing analytical procedures to determine if the control is producing the appropriate results, or
- inspection of documents or other items that will provide evidence that the control is in place.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 1 –
1. Understand the Design of CRIME by performing Risk Assessment Procedures
• While performing a walk through provides information about the design and implementation of a control,
it is not sufficient to determine if the control was operating effectively throughout the period being audited or to rely on the control as a basis for modifying the nature, timing, and extent of further audit procedures.
• If the auditor intends to rely on the control as a basis for modifying the nature, timing, and extent of further audit procedures,
the auditor is required to determine if the control was operating effectively throughout the affected period through the performance of tests of controls.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 1 –
1. Understand the Design of CRIME by performing Risk Assessment Procedures
The techniques available to the auditor to gain information about a client’s internal control structure include:
• Prior audits
– Reviewing audit documentation that documents the internal control structure of the client in prior years.
• Reperformance
– Applying the control that the client personnel presumably performed to determine if the procedure was performed properly.
• Inquiry
– Asking management and other client personnel to describe the controls that they are currently using.
• Inspection
– Examining documents that are used in internal control, such as authorization forms and procedures manuals.
• Observation
– Watching employees perform their jobs.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 1 –
1. Understand the Design of CRIME by performing Risk Assessment Procedures
The performance of risk assessment procedures designed to
provide the auditor with an adequate understanding
to enable the auditor to effectively assess the risk of material misstatement of the financial statements.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 1 –
1. Understand the Design of CRIME by performing Risk Assessment Procedures
The techniques available to the auditor to gain information about a client’s internal control structure include:
- Prior audits
- Reperformance
- Inquiry
- Inspection
- Observation
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 2 –
2. Document Understanding of Internal Control
There are different techniques that are commonly used for documenting the auditor’s understanding of the internal control structure.
These are (FIND):
- F = Flowchart
- I = Internal Control Questionnaire (ICQ)
- N = Narrative or Memorandum
- D = Decision table/tree
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 2 –
2. Document Understanding of Internal Control
There are different techniques that are commonly used for documenting the auditor’s understanding of the internal control structure.
These are (FIND):
- F = Flowchart
- I = Internal Control Questionnaire (ICQ)
- N = Narrative or Memorandum
- D = Decision table/tree
- ** = Advantages
- * = Disadvantages
• F = Flowchart
- VISUAL depiction of the internal control structure
- Shows a process from beginning to end
- Indicates which departments or groups of employees are responsible for each function
- Indicates what documents are used and how they are distributed and disposed of
- Indicates the interaction among departments or groups of employees
- **Helpful in determining if there is adequate SEGREGATION of duties
- **Helpful in TRACING documents through the system
- **Giving a sense of the FLOW and sequence of transactions in the client entity
- *Flowcharting requires knowledge of specialized SYMBOLS
• I = Internal Control Questionnaire (ICQ)
- **Easiest to Use
- Questions can be answered with a simple yes or no
- YES answer = Control is properly in place (strength)
- NO answer = Potential weakness
- **Easily identifies potential weaknesses in internal control
- *Difficult to develop a complete and comprehensive questionnaire
- *Difficult to obtain an understanding of the flow of the system
- The most STRUCTURED of the approaches
- **EASIEST for an inexperienced audit staff member to utilize
- Very popular area of testing on the CPA exam
• N = Narrative or Memorandum
- Narrative approach
- DETAILED written description of the internal control structure
- Describes the system with WORDS rather than symbols
- Easier to understand the flow of the system
- Easier to understand the interrelationships among departments and employees
- *Does NOT clearly indicate whether there is adequate segregation of duties
- *Difficult to visualize the flow of documentation
- *Can be cumbersome
- *Not commonly used
• D = Decision table/tree
- Where client employees choose from several alternative actions, documenting such activities may best be accomplished by preparing a decision table that lists each possible condition and the actions that will result from each
- Depicts the logic of an operation or process
- Yes/No questions
- Each answer will direct the user to the next relevant question
- *Limited tool
- *Cannot effectively document the entire structure
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 3 –
3. Assessing Risk of Material Misstatement (RMM)
The auditor first assesses risk of material misstatement at the financial statement level by evaluating the entity’s ability to prepare financial statements that are fairly presented in accordance with the applicable financial reporting framework.
This will include factors such as
the auditor’s perception of the competency of the entity’s accounting personnel;
an evaluation of the entity’s ability to develop estimates and interpret accounting principles;
whether the auditor considers management aggressive or believes management is under pressure to achieve difficult financial goals;
if the industry or the economy has created particular challenges;
or if the entity is seeking financing or anticipating entering into a substantial transaction.
Any of these or a variety of other factors may increase the risk that the financial statements, taken as a whole, will be materially misstated.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 3 –
3. Assessing Risk of Material Misstatement (RMM)
The auditor may use either a substantive approach, in which substantive procedures are emphasized, or a combined approach, in which both tests of controls and substantive procedures are used.
• The auditor needs to
o Identify the risks.
o Relate the identified risks to the types of potential misstatements that could occur at the relevant assertion level.
o Consider whether the risks are so significant that they could result in a material misstatement of the financial statements.
o Consider the likelihood (probability) that the identified risks could result in material misstatements on the financial statements.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 3 –
3. Assessing Risk of Material Misstatement (RMM)
If the risk assessment is based on an expectation that controls are operating effectively, the auditor should test the operating effectiveness of controls (TofC) that have been determined to be suitably designed to prevent or detect material misstatements.
• Intend to Rely?
The risk assessment may NOT include an expectation that controls operate effectively when (Substantive approach):
o Controls appear inadequate / ineffective / weak.
o Auditor believes that performing extensive substantive procedures is likely to be more cost effective than performing tests of controls. (Cost/benefit – inefficient).
If the controls appear effective, tests of controls will be performed when (Combined approach):
- The auditor’s risk assessment includes an expectation of operating effectiveness of controls because the likelihood of material misstatement is lower if the control operates effectively (Cost effective) or
- When substantive procedures alone do not provide sufficient audit evidence.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 3 –
3. Assessing Risk of Material Misstatement (RMM)
Since tests of controls alone are not normally sufficient upon which to base an audit opinion, the further audit procedures will be composed of a combination of tests of controls and substantive procedures.
Thus, the decision to perform tests of controls will be made when the auditor believes that a combination of tests of controls and a decreased scope of substantive procedures is likely to be more cost effective than performing more extensive substantive procedures.
The overall approach here, as it relates to controls, is to
- Identify controls that are relevant to specific assertions that are likely to prevent or detect material misstatements, and
- Perform tests of controls to evaluate the effectiveness of those controls.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 3 –
3. Assessing Risk of Material Misstatement (RMM)
The auditor also assesses risk at the financial statement level by identifying those items that may have a propensity for misstatement.
This may be individual accounts, such as items on the balance sheet; classes of transactions, such as items on the income statement; or disclosures, including footnotes as well as descriptions and notations on the financial statements themselves.
Items will represent a greater risk of misstatement for a variety of reasons. It may be due to error as a result of:
- The difficulty of obtaining information needed to accurately record the transaction; or
- The complexity of the requirements for accounting for an item.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 3 –
3. Assessing Risk of Material Misstatement (RMM)
An item may be more susceptible to fraud because:
- It is a valuable item that might be misappropriated by employees or others;
- It is an item for which it is easy to conceal a misstatement; or
- A misstatement to the item has the potential of influencing other actions such as the payment of a commission or the earning of a bonus based on performance.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 3 –
3. Assessing Risk of Material Misstatement (RMM)
Once items that are susceptible to misstatement are identified, risk of material misstatement is assessed at the relevant assertion level.
The fact that an item is likely to be misstated will generally affect all of the assertions and the risk should be analyzed accordingly.
For example:
• For an entity that might have a tendency to OVERSTATE results because it is competing in the capital markets, sales may be likely to be overstated and the auditor will be concerned about:
o Occurrence, since the entity may record sales that did not occur;
o Cutoff, since the entity may record sales from the next period in the current period;
o Accuracy, since the entity may record sales in amounts greater than the actual transactions; and
o Classification, since the entity may wish to characterize as sales the proceeds from the issuance of debt or from the sale of assets that do not generate revenues.
o The auditor would not be concerned about completeness, however, since an entity wishing to overstate sales would not omit sales.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 3 –
3. Assessing Risk of Material Misstatement (RMM)
Once items that are susceptible to misstatement are identified, risk of material misstatement is assessed at the relevant assertion level.
The fact that an item is likely to be misstated will generally affect all of the assertions and the risk should be analyzed accordingly. For example:
• For an entity that might have a tendency to UNDERSTATE results for the purpose of avoiding taxation, sales may be likely to be understated and the auditor will be concerned about:
o Completeness, since the entity may omit sales;
o Cutoff, since the entity may postpone the recognition of sales that occurred this period until the next period; and
o Valuation, since sales may be reported at amounts lower than the actual amounts.
o The auditor would be less concerned about occurrence, since an entity intending to understate sales is not likely to report sales that did not occur; and
o The auditor would be less concerned with classification, since an entity intending to understate sales is not likely to include items that are not properly reported as sales in that category.
For an entity that might have a tendency to OVERSTATE results the auditor will be concerned about:
o Occurrence
o Cutoff
o Accuracy
o Classification
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 3 –
3. Assessing Risk of Material Misstatement (RMM)
For an entity that might have a tendency to OVERSTATE results the auditor will be concerned about:
o Occurrence
o Cutoff
o Accuracy
o Classification
For an entity that might have a tendency to UNDERSTATE results for the purpose of avoiding taxation, the auditor will be concerned about:
o Completeness
o Cutoff
o Valuation
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 3 –
3. Assessing Risk of Material Misstatement (RMM)
For an entity that might have a tendency to UNDERSTATE results for the purpose of avoiding taxation, the auditor will be concerned about:
o Completeness
o Cutoff
o Valuation
- Assessing Risk of Material Misstatement (RMM)
Will the auditor rely on internal control?
NO – RMM (high) = Substantive Approach
YES – RMM (low) = Combined Approach
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
An auditor performs the following procedures to obtain and apply an understanding of internal control to an audit:
Step 4 – Develop an audit strategy to either:
o (RELY?) Perform tests of control (TofC) to determine if CR is below maximum (CR < 100% or CR < 1.0; RMM = IR x CR), reducing RMM below the level of IR (RMM < IR) and allowing for the modification of the nature, timing, and extent of further audit procedures (sub tests);
or
o (NOT Rely) Decide NOT to perform tests of controls, assessing CR at the maximum level as if the control did not exist (CR = 100% or CR = 1.0; RMM = IR x CR = IR x 1.0 = IR), and measuring RMM as being equal to IR.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 4 –
4. Tests of Controls (Develop an Audit Strategy)
Develop an audit strategy to either:
• Perform tests of control to determine if CR is below maximum, reducing RMM below the level of IR and allowing for the modification of the nature, timing, and extent of further audit procedures (sub tests);
or
• Decide not to perform tests of controls, assessing CR at the maximum level as if the control did not exist, and measuring RMM as being equal to IR.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 4 –
4. Tests of Controls (Develop an Audit Strategy)
There are 4 Procedures for testing controls (RIIO).
- Reperformance
- Inspection
- Inquiry
- Observation
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 4 –
4. Tests of Controls (Develop an Audit Strategy)
There are 4 Procedures for testing controls (RIIO).
- Reperformance
- Inspection
- Inquiry
- Observation
• Reperformance – The auditor applies the control that the client personnel presumably performed to determine if the procedure was performed properly.
Reperformance, which also includes recalculation, may involve the auditor performing a reconciliation to determine if the result is the same as that derived by the entity or may involve re-footing an invoice to make certain that amounts have been calculated correctly.
• Inspection – The auditor examines controls, documents and reports that provide documentary evidence.
For example, the auditor might examine paid invoices to make certain they have been properly cancelled to avoid paying the same invoice more than once.
• Inquiry – The auditor asks client personnel involved in controls to state how effectively certain controls were enforced.
For example, the auditor might ask the accounting personnel if they handled any cash or signed checks in the course of the year.
• Observation – The auditor watches client personnel performing their regular functions to see if they follow the controls that were designed and implemented.
For example, the auditor might observe the distribution of paychecks to see if appropriate procedures for verifying employees are being followed.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 4 –
4. Tests of Controls (Develop an Audit Strategy)
There are 4 Procedures for testing controls (RIIO).
- Reperformance
- Inspection
- Inquiry
- Observation
- Reperformance – The auditor applies the control that the client personnel presumably performed to determine if the procedure was performed properly.
- Inspection – The auditor examines controls, documents and reports that provide documentary evidence.
- Inquiry – The auditor asks client personnel involved in controls to state how effectively certain controls were enforced.
- Observation – The auditor watches client personnel performing their regular functions to see if they follow the controls that were designed and implemented.
These different types of tests of controls can be very effective in determining if a system features appropriate segregation of duties.
In general, however, the most effective type of test of control is observation.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 4 –
4. Tests of Controls (Develop an Audit Strategy)
Items susceptible to misstatement due to error or fraud are generally identified by applying a “What Could Go Wrong” analysis, applied at the assertion level and taking into consideration the auditor’s understanding of the entity’s internal control.
For example,
the auditor may be evaluating the occurrence assertion in relation to sales.
The following may result:
- The auditor determines that, since sales personnel are highly incentivized by a liberal commission system, they may be motivated to overstate sales reported to the company and, as a result, reported by the company.
- The response to the auditor’s question: “What could go wrong?” is that sales personnel may submit paperwork for sales that did not actually occur.
- The auditor will next try to determine if there are controls that would either prevent the recording of sales that did not occur or would cause them to be detected and corrected on a timely basis.
o The controls may be built into the system, which the auditor can determine by reviewing the documented understanding.
o Otherwise, the auditor will inquire as to whether management has considered the possibility and developed a separate control, of which the auditor is not yet aware, to deal with the issue.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 4 –
4. Tests of Controls (Develop an Audit Strategy)
If there are not controls to deal with the issue that are either built into the system or have been separately developed and implemented, the auditor would likely conclude that a control deficiency has been identified.
The auditor will evaluate the control deficiency, determining if it is a significant deficiency or a material weakness and, if so, make certain to include it in a communication to those charged with governance.
In addition, however, the auditor will evaluate what further audit procedures will provide evidence that recorded sales did actually occur.
- The auditor will develop an audit program with procedures designed to verify that the information reported on the financial statements is correct.
- To test the assertion of occurrence, the auditor will likely select a sample from the population of recorded sales and trace them to supporting documentation to verify that they actually occurred.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 4 –
4. Tests of Controls (Develop an Audit Strategy)
The auditor will then determine an audit strategy:
NOT RELY
• The auditor may decide Not to Rely on the controls related to a relevant assertion.
o RMM will be equal to the assertion’s inherent risk under the assumption that there are no relevant controls in place.
o The auditor will develop a program to test the assertion by applying substantive audit procedures that the auditor believes will provide sufficient appropriate audit evidence.
RELY
• The auditor may decide to Rely on the controls related to the relevant assertion.
o RMM will be reduced from IR, taking into account the effect of CR being below the maximum.
o The auditor will perform tests of the controls selecting from a population that covers the entire period during which the auditor is anticipating that the controls were in place.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 5 – Reassess Risk of Material Misstatement and evaluate results.
o For controls for which tests of controls were performed, evaluate results to reassess RMM and determine if it is appropriate to modify the nature, timing, and extent of further audit procedures.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 5 –
5. Reassess RMM to Determine DR
Based on the results of the tests of controls the auditor will determine whether it is necessary to modify the scope of substantive procedures.
If tests of control reveal that the system operates as expected, there will generally be no need to change the scope of planned substantive procedures.
Conversely, if the system does not operate as effectively as expected, the scope of substantive procedures for the relevant assertions involved will increase (thereby decreasing detection risk).
• DR tells you how much substantive testing to do
• Must do substantive testing
(adjust Audit Program for Substantive tests)
• AR / (IR × CR) = DR
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 5 –
5. Reassess RMM to Determine DR
When an auditor decides to rely on controls,
tests of controls are performed to determine if the controls were working effectively as they were designed for the period under audit.
If, based on the tests of controls, the auditor concludes that the controls are EFFECTIVE, the nature, timing, and extent of further audit procedures in relation to that assertion will be reduced.
If, however, based on the tests of controls, the auditor canNOT conclude that the controls are effective,
control risk (CR) will be reset to maximum and the auditor will develop an audit program to test the assertion applying substantive audit procedures as if there were NO controls related to the assertion and as if no test of controls had been performed.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 5 –
5. Reassess RMM to Determine DR
Since the most expensive and inefficient alternative is to perform tests of controls, only to determine that the controls are not reliable, the auditor will do a cost/benefit analysis before deciding to perform tests of controls.
In performing the cost/benefit analysis:
- The auditor will estimate the cost of performing a substantive audit without performing tests of controls.
- The auditor will estimate the cost of performing tests of controls.
- The auditor will also estimate the cost of the reduced substantive testing that will be performed if the controls prove to be reliable.
- Finally, the auditor will estimate the likelihood that the controls to be tested will be effective.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 5 –
5. Reassess RMM to Determine DR
In performing the cost/benefit analysis:
The auditor will then:
• Add the cost of performing tests of controls to the cost of reduced substantive testing
and multiply the total by the probability that the controls will be effective.
• Add the cost of performing tests of controls to the cost of the unreduced substantive testing
and multiply the total by the probability that controls will not be reliable, which is 100% minus the probability used previously.
• The total of those two amounts will be compared to the cost of performing substantive tests exclusively.
The lower of the two amounts will determine the strategy to be taken.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 5 –
5. Reassess RMM to Determine DR
Tests of controls alone are not normally considered sufficient evidence upon which to base an audit opinion.
As a result, even when tests of controls prove that controls can be relied upon, further audit procedures may be reduced but will not be eliminated.
In many cases, the auditor will use DUAL purpose testing,
which consists of tests that are designed to test the effectiveness of controls while providing evidence as to the fairness or correctness of an element of the financial statements by supporting one of management’s assertions.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 5 –
5. Reassess RMM to Determine DR
In many cases, the auditor will use DUAL purpose testing.
• When the results are SATISFACTORY,
the auditor will conclude that the control may be relied upon and the evidence obtained is SUFFICIENT to support the assertion, eliminating the need for further testing.
• When the results are NOT satisfactory,
the auditor will conclude that the control may NOT be RELIED upon and will determine the nature, timing, and extent of further audit procedures that will be necessary to support the assertion.
Cost / Benefit Analysis
Choice 1 - Effective Control
• Add the cost of performing tests of controls to the cost of reduced substantive testing and multiply the total by the probability that the controls will be effective.
Choice 1 - Effective Control
= [ (Test of Controls Cost) + (Reduced Substantive Testing Cost) ] x Probability of Effective Control
Choice 2 - Ineffective Control
• Add the cost of performing tests of controls to the cost of the unreduced substantive testing and multiply the total by the probability that controls will not be reliable, which is 100% minus the probability used previously.
Choice 2 - Ineffective Control
= [ (Test of Controls Cost) + (Substantive Testing Cost) ] x Probability of Ineffective Control
or
= [ (Test of Controls Cost) + (Substantive Testing Cost) ] x (100% – Probability of Effective Control)
Choice 3 - Perform Substantive Testing only
• The total of those two amounts will be compared to the cost of performing substantive tests exclusively.
Choice 3 - Perform Substantive Testing only
= Substantive Testing Cost
The lower of the two amounts will determine the strategy to be taken.
Cost / Benefit Analysis
Choose lower cost between
Choice 1 - Effective Control
= [ (Test of Controls Cost) + (Reduced Substantive Testing Cost) ] x Probability of Effective Control
and
Choice 2 - Ineffective Control
= [ (Test of Controls Cost) + (Substantive Testing Cost) ] x (100% – Probability of Effective Control)
Then compare the lower cost with
Choice 3 - Perform Substantive Testing only
= Substantive Testing Cost
The lower of the two amounts will determine the strategy to be taken.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 6 –
6. Document Conclusions and Develop or Revise Audit Programs
The auditor is required to communicate significant deficiencies and material weaknesses to management and those charged with governance.
The basis for risk assessment must always be documented.
The auditor needs to document:
- The assessment of the risks of material misstatement at the financial statement and relevant assertion levels;
- The basis for that assessment;
- Significant risks identified and related controls evaluated; and
- Risks identified that require tests of controls to obtain sufficient audit evidence and the related controls evaluated.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 6 –
6. Document Conclusions and Develop or Revise Audit Programs
The auditor will document the procedures performed and the conclusions reached such that others will understand
what procedures were performed,
what items were tested and how they were selected,
the evidence gathered, and the conclusions drawn.
In addition, the auditor will develop audit programs to indicate the further audit procedures
that the auditor believes are necessary and appropriate in order to draw a conclusion related to a management assertion.
Obtain an Understanding of the Entity’s Internal Control Structure (AU-C 315)
Step 6 – Document conclusions and determine the effect on the planned substantive procedures.
At this point, the audit program needs to be developed or revised for further audit procedures.
Sarbanes-Oxley Act (SOX)
SOX created a variety of regulations and eliminated a significant portion of the accounting profession’s system of self-regulation. Some issues include:
• Section 302 “Corporate Responsibility for Financial Reports” - requires that the principal executive officer and the principal financial officer, or their equivalents, certify as to certain items on each annual or quarterly report:
o The signing officer has reviewed the report
o Based on the signer’s knowledge, the report does not contain a material untrue statement or omit a material fact
o Based on the signer’s knowledge, the financial statements and other information are fairly presented
• In addition, the signing officers certify that:
o They are responsible for establishing and maintaining internal controls
o They have designed those controls to ensure the receipt of all relevant information during those periods in which periodic reports are being prepared
o They have evaluated the effectiveness of internal controls within 90 days prior to the report
o They have presented their conclusions about the effectiveness of internal controls in the report
• Officers are also required to report to auditors and to the audit committee:
o All significant deficiencies that could adversely affect the reporting process and any material weaknesses
o Any fraud (whether material or not) involving management or employees with a role in internal controls
Basic Concepts and Internal Control Limitations
Regardless of the good intentions of management, even a strong control environment combined with excellent control activities is subject to certain inherent limitations (COCO):
- Collusion
- Override by management
- Competence/Human error
- Obsolescence
- Collusion – Control activities that depend on segregation of duties will not be effective if those engaged in the segregated functions conspire with one another.
- Override by management – Since management designs and implements the system of internal control, it is in a position to override it, so that even an effective internal control structure cannot be expected to prevent intentional misbehavior by management.
This is one of the reasons the auditor must establish the integrity of management before accepting the engagement.
It is also important to establish whether employee personnel have ever been asked to override systems of internal control by management.
- Competence/Human error – If control procedures are erroneously applied, they will not be effective. Internal control cannot be expected to prevent mistakes in human judgment (misjudgment).
- Obsolescence – A good internal control structure may cease to be effective due to changes in the company’s operations or size, changes in technology, or other changes affecting the way the entity’s business is transacted.
Internal Control
It is essential to keep in mind the concept of reasonable assurance as it relates to internal control, taking into account the cost/benefit factor.
Even if it were possible to design a perfect system of internal control, management would not do so, since there are costs involved in any action, and the costs of the internal control structure should not exceed the benefits.
As a result, management may sometimes reasonably refuse to remedy a deficiency in internal control that it knows exists.
Internal Control
The auditor is required to respond to management override of controls
– Because management is often in a position to override controls in order to commit financial-statement fraud,
the standard includes procedures to test for management override of controls on every audit.
It should be noted that even a properly planned and performed audit may not detect a material misstatement resulting from fraud because of
(1) concealment aspects of fraudulent activity, including the fact that fraud often involves collusion or falsified documents, and
(2) the need to apply professional judgment in the identification or evaluation of fraud risk factors and other conditions.
Operating Cycles and the Flow of Transactions
The auditor will then obtain an understanding of various components and in particular: (SACRED)
• (Start) Initiation
• Authorization
• Completion or execution
• Recording
• (Evaluate Defenses) Verifications
It should be easy to remember that a good system of internal control is SACRED to a business.
• (Start) Initiation
– The auditor should determine what event or circumstance initiates a transaction.
Sales transactions, for example, may be initiated when the entity’s sales force makes calls to its regular customers or when customers call in orders as they identify their needs.
• Authorization
– Before an entity will commit resources to meet its obligations in a transaction or to respond to an event or circumstance, it will want to determine that the counterparty to the transaction is a legitimate party with the intent and ability to perform or that the event or circumstance is real.
• Completion or execution
– The entity should have policies and procedures to make certain that its obligations in transactions and its responses to recurring events and circumstances are being performed in accordance with management’s directives.
This will include the flow of documents, services, goods, and other resources throughout the system.
• Recording
– The entity should have a system for making certain that all transactions, events, or circumstances that affect operations or financial position are properly captured and reflected in the entity’s financial records.
• (Evaluate Defenses) Verifications
– Each system should have checks and balances to make certain that each function within the system is performed properly and in the appropriate sequence.
This may involve policies such as those requiring the shipping department to compare a customer’s purchase order with an internal sales order and to a list of goods transferred from stores before shipping the goods.
It may also involve accounting for the sequence of pre-numbered documents, checking for authoritative signatures, or periodically reconciling recorded amounts to physical assets.
These verifications may occur throughout a system.
Operating Cycles and the Flow of Transactions
An auditor divides the audit into different cycles that make up the flow of transactions for the entire company.
All related accounts within each cycle are audited together. Within each cycle, the auditor is concerned with what each specific employee does, the documents they handle, and how each document relates to the segregation of ARCC (Authorization, Recording, Custody and Comparison).
Controls have a function of either Preventing misstatements before they occur (most effective) or Detecting and Correcting misstatements that have already occurred (less expensive to implement, but could detect too late).
Operating Cycles and the Flow of Transactions
When the auditor obtains an understanding of each of the systems applied to recurring transactions, often referred to as cycles, the auditor is concerned with what each specific employee does, the documents they handle, and whether there is appropriate segregation of duties.
The duties to be segregated are the authorization of transactions, the recording of those transactions, custody of the resources that are associated with that transaction, and comparison or reconciliation of the recorded amounts to the physical resources (ARCC).
ARCC = Authorization, Recording, Custody and Comparison
Operating Cycles and the Flow of Transactions
Some controls are considered preventative, designed to minimize the possibility that misstatements will occur.
Although a preventative approach has the tendency to be the most effective, it is not always feasible to develop controls that will be effective at preventing a misstatement, particularly one that results from fraud,
and in many cases, the cost of developing an effective preventative control will exceed the benefit that can be derived from it.
Other controls are designed to be corrective in that they are designed to identify misstatements that may occur due to errors or fraud and establish a means of correcting them on a timely basis.
These, of course, have their limitations in that they may not be effective for a fraudulent misstatement that is cleverly concealed and may identify a misstatement after a negative impact has already occurred.
Operating Cycles and the Flow of Transactions
When evaluating the system for a particular cycle, the focus will be on the account balances or classes of transactions that are affected.
The revenue cycle will generally result in a debit to cash or accounts receivable and a credit to sales,
while the purchasing cycle will result in a debit to purchases in a periodic system, or to inventory in a perpetual system, and a credit to accounts payable.
For the account affected, the auditor will evaluate whether or not a step or process within the system supports one or more of management’s assertions.
Operating Cycles and the Flow of Transactions
For the account affected, the auditor will evaluate whether or not a step or process within the system supports one or more of management’s assertions.
• A requirement that each recorded sale be supported by an order signed by a customer supports management’s assertion of occurrence in that having a signed purchase order provides evidence that a sale did occur.
• A policy that the accounting clerk notify a supervisor whenever an internally generated sales order is presented out of sequence supports the assertion of completeness in that tracing all sales orders to the accounting records will provide evidence that all sales transactions have been recorded.
Revenue Cycle
(Sales Revenue / Accounts Receivable / Cash Receipts)
The revenue cycle of a business consists of sales, billings, and collections.
In order to properly segregate the incompatible functions of authorization, recording, and custody, the activities may include specific employees with each of the following duties.
- Sales clerk – Accepts orders from customers and prepares written sales orders using internal prenumbered, preprinted forms (PPN) (recording).
- Credit manager – Approves customer credit on orders (authorization).
- Warehouse clerk – Holds goods in inventory awaiting requests for shipment (custody).
- Shipping clerk – Removes items from inventory to ship to customer (custody).
- Billing clerk – Prepares sales invoices to send to customers (recording).
- Receivables clerk – Posts sales and collections to individual customer accounts based on sales invoices and remittance advices, respectively (recording).
- General ledger bookkeeper – Posts journal entries for sales and collections (recording).
- Mail room clerk/receptionist – Opens mail containing customer checks (or cash) and remittance advices, prepares a prelist of checks, referred to as a remittance listing, and directs these items to appropriate parties within the system (custody).
- Cashier – Receives checks, prepares deposit slip, and deposits funds at the bank (custody).
- Cash receipts clerk – Receives remittance listing and posts to cash receipts journal (recording).
- Receiving clerk – Receives all goods that are being returned and returns them to inventory (custody).
- Treasurer – Approves credit memos for returns and write-offs of uncollectible accounts (authorization).
- Controller/Internal Audit – Bank reconciliations and analyses of past-due accounts receivable should be performed by individuals independent of cash receipts and disbursements (comparison).
Revenue Cycle
This list should be reviewed simply to make sure you are comfortable with the meaning of each job title:
- Sales clerk – (recording)
- Credit manager – (authorization)
- Warehouse clerk – (custody)
- Shipping clerk – (custody)
- Billing clerk – (recording)
- Receivables clerk – (recording)
- General ledger bookkeeper – (recording)
- Mail room clerk/receptionist – (custody)
- Cashier – (custody)
- Cash receipts clerk – (recording)
- Receiving clerk – (custody)
- Treasurer – (authorization)
- Controller/Internal Audit – (comparison)
Revenue Cycle
(Sales Revenue / Accounts Receivable / Cash Receipts)
A system may not necessarily include all of the above employees, and sometimes a function may be performed by another employee or one of the above employees identified by a different title.
For example, all of the clerks involved in recording may simply be called bookkeepers.
Also, the system will include periodic reconciliations, such as reconciling the bank account, that may be performed by virtually any employee who is not involved in the preparation of either of the two types of records being compared and does not have custody of resources being compared to recorded amounts.
A key aspect of segregation of duties is that an employee who is responsible for one of the three functions (authorization, recording, custody) should not be involved in either of the other two.
Revenue Cycle
(Sales Revenue / Accounts Receivable / Cash Receipts)
Some of the documents and records that are commonly seen in the revenue cycle include the following.
- Sales order – The list of goods ordered by the customer along with the prices to be charged. Even if a customer has submitted their own purchase order, a sales order will be prepared, since these are prenumbered and make it possible to periodically account for orders to be sure they were processed.
- Bill of lading – The shipping document that is signed by the carrier, often a trucker, accepting goods from the shipping clerk.
- Sales invoice – The bill that is prepared and sent to the customer after shipment to request payment. Before doing so, the billing clerk should compare the sales order and bill of lading to ensure they are in agreement.
- Sales register (journal) – A book in which sales invoice information is posted. Cash register records provide similar information for retail outlets and other cash businesses.
- Subsidiary receivables ledger – A book that lists the outstanding receivables with a separate record for each customer.
- Remittance advice – The document included in an envelope with the check or other form of payment to indicate the purpose of the check.
- Remittance listing – A summary of the money received that day. This may be called a prelist in some cases, and is prepared by the employee first receiving the cash, which is usually the mail room clerk.
- Cash receipts journal – A book in which the remittance listings are posted.
- Deposit slip – The document signed or stamped by the bank to acknowledge receipt of checks and that is periodically reconciled to postings into the cash receipts journal by an independent employee.
- Bank Reconciliation – Comparison of the cash balance according to the entity’s books to the amount indicated by the bank that it is holding on behalf of the entity (book to physical).
The purpose of most other documents and records can be determined by seeing the context in which they are being used on the exam.
Revenue Cycle
(Sales Revenue / Accounts Receivable / Cash Receipts)
Some of the documents and records that are commonly seen in the revenue cycle include the following.
- Sales order – The list of goods ordered by the customer along with the prices to be charged.
- Bill of lading – The shipping document that is signed by the carrier, accepting goods from the shipping clerk.
- Sales invoice – The bill that is prepared and sent to the customer after shipment to request payment.
- Sales register (journal) – A book in which sales invoice information is posted.
- Subsidiary receivables ledger – A book that lists the outstanding receivables with a separate record for each customer.
- Remittance advice – The document included in an envelope with the check to indicate the purpose of the payment.
- Remittance listing – A summary of the money received that day. (Prelist)
- Cash receipts journal – A book in which the remittance listings are posted.
- Deposit slip – The document signed or stamped by the bank to acknowledge receipt of checks.
- Bank Reconciliation – Comparison of the cash balance (book to physical).