II. Internal Control - Concepts and Standards - Obtaining an Understanding of Internal Control Flashcards
Based on the CLARIFIED STANDARDS: Performance Principle (Previous Lessons)
The auditor obtains an understanding of internal control and the flow of documents related to the entity’s transactions primarily through:
Why?
- Inquiry of appropriate personnel
- Observation of client activities
- Review of documentation—The auditor reviews relevant documentation, including the client’s accounting manuals, prior-year’s audit documentation (working papers), etc.
- To properly plan the audit, more specifically, to determine the nature, the time, the extent of further audit procedures, and recall in addition to these risk assessment procedures (Consist of tests of controls and substantive procedures)
What are some specific “transaction cycles”?
- Revenue/receipts
- Expenditures/disbursements
- Payroll
- Financing/investing activities
- Inventory, especially if inventory is manufactured, rather than purchased
Why must auditor document the understanding of internal control?
and
What are the 3 basic ways to document that understanding?
- Because it is very important to audit planning, it deals with our assessment of the risk of material misstatement and we have to design our audit to our audit procedures to be responsive to those risks.
- Flowcharts - deals with tracing the key flow of documents through the accounting system, from origination of a source doc, all the way to the entries in the general ledger acct
- Internal control questionnaires (ICQs) - a yes and no response.
- Memos/Narrative Write-up (widely use) - to provide a narrative description of who does what.
What is a “walk-through”?
Which of the following most accurately describes the process of a walkthrough?
We would take some small number of transactions and walk them through the system (Hence Walk) and source it all the way to the general ledger just to say okay this is consistent with what we have documented
Its an opportunity if something does not look right we can look back at it and revisit the discussion.
- Following a transaction from its origination until it is reflected in the financial statements
Note: A walkthrough means following a transaction from inception through the entity’s accounting system until the transaction is recorded in the entity’s general ledger.
Purpose: is to provide some degree of feedback to the auditor that the auditor’s understanding of the processes and controls in a particular transaction cycle is consistent with how the entity is, in fact, apparently processing its transactions.
An auditor’s flowchart of a client’s accounting system is a diagrammatic representation that depicts the auditor’s
Understanding of the system.
Note: A flowchart is a pictorial representation that utilizes a standard set of symbols to demonstrate the transaction processing procedures and accompanying data flow in an information system. It enables the auditor to summarize his/her understanding of the system in a clear, concise, and logical manner.
Decision tables differ from program flowcharts in that decision tables emphasize
Logical relationships among conditions and actions.
Note: A decision table presents in tabular form the conditions and alternative actions related to making a particular decision. It emphasizes logical relationships (decision rules) among the conditions and actions.
Which of the following is a management control method that most likely could improve management’s ability to supervise company activities effectively?
Establishing budgets and forecasts to identify variances from expectations.
Note: This will enable management to supervise more effectively than the other controls listed. It provides a means for management to establish expectations, to compare them to actual results, and then to follow up in areas where significant differences appeared.
Monitoring compliance with regulatory requirements, limiting access to assets, and providing adequate support are important to the successful operation of the business but they do not necessarily help management to supervise more effectively.
An auditor’s primary consideration regarding an entity’s internal control structure policies and procedures is whether they
Affect the financial statement assertions.
Note: Specifically, the auditor is interested in the policies and procedures that pertain to an entity’s ability to record, process, summarize, and report financial data consistent with the assertions embodied in the financial statements.
When obtaining an understanding of an entity’s internal control procedures, an auditor should concentrate on the substance of the procedures, rather than their form, because
Management may establish appropriate procedures but not enforce compliance with them.
Note: The auditor is concerned about the effectiveness of the control and its ability to prevent or detect material misstatements in the financial statements. As a result, the auditor must focus on the substance of the control rather than the form.
- If the procedures are operating effectively, even though they are not documented, the auditor’s objectives are served.
- Note, if the controls are not documented, the auditor may be unaware of them.
In planning an audit of certain accounts, an auditor may conclude that specific procedures used to obtain an understanding of an entity’s internal control structure need not be included because of the auditor’s judgments about materiality and assessments of
Inherent risk.
note: If the auditor has concluded that an account is immaterial and that inherent risk is low, the auditor might decide to skip the procedures used to obtain an understanding of the related internal controls because the risk of a material misstatement occurring is low.
Obtaining an understanding of an internal control involves evaluating the design of the control and determining whether the control has been
Implemented
Note: Obtaining an understanding of an entity’s internal controls over financial reporting involves evaluating the design of relevant controls and determining whether they have been implemented (sometimes referred to as “placed into operation”).
Uses the knowledge provided by the understanding of internal control and the assessed level of the risks of material misstatements primarily to
Determine the nature, timing, and further audit procedures.
Auditor would likely to be concerned about internal control as it relates to
Land and buildings.
- may involve a substantial portion of the client’s assets.
Common stock.
- involve a substantial portion of the client’s equity.
Minutes of board of directors’ meetings.
- should be received by the auditor in complete form so that the auditor may be aware of matters of significance.
Note: Shareholder meetings.are ususally publicly available
Computer systems are typically supported by a variety of utility software packages that are important to an auditor. Why?
May enable unauthorized changes to data files if not properly controlled.
Note:
Client’s use of such programs implies that they are useful on his/her computer hardware, and therefore any flexibility is not of immediate relevance to the auditor.
What is most likely to affect the extent of the documentation of the auditor’s understanding of a client’s system of internal controls?
The degree to which information technology is used in the accounting function.
Why?
Documentation of the understanding of a complex information system with a large volume of transactions may include flowcharts, questionnaires, and/or decision tables; documentation for an information system with limited or no use of IT and few transactions may be in the form of a memorandum.
Systems flowcharts
Provide a visual depiction of clients’ activities
Why?
flowcharts provide a visual depiction of clients’ activities which make it possible for auditors to quickly understand the design of the system.
Note:
Flowcharts are suggested as being appropriate for documenting the auditor’s consideration of internal control.
Questionnaire is most closely associated with which of the following?
Documentation.
Note:
May be completed during the auditor’s consideration of internal control to document the auditor’s understanding.
No one particular form of documentation is necessary regarding client internal control, and the extent of documentation may vary.
Auditor should obtain sufficient knowledge of an entity’s information system to understand the
Process used to prepare significant accounting estimates.
Note:
It also states that this knowledge is obtained to help the auditor to understand:
(1) the entity’s classes of transactions,
(2) how transactions are initiated,
(3) the accounting records and support, and
(4) the accounting processing involved from initiation of a transaction to its inclusion in the financial statements
Decision tables differ from program flowcharts in that decision tables emphasize
Logical relationships among conditions and actions.
Typically be a control relied upon during an audit?
Use of the double-entry system.
- aids in more accurate recording of transactions.
An internal audit staff.
- internal audit staff strengthens internal control by determining if controls are functioning effectively.
Competent personnel.
- strengthen internal control because they would be less likely to commit errors in performing their duties.
note:
comparison-shopping staff is not generally relevant to recording, processing, summarizing, and reporting financial data.
What is a walk-through?:
A procedure that involves tracing a transaction from its origination through the company’s information systems until it is reflected in the company’s financial report
What is a major reason for maintaining an audit trail for a computer system?
Deterrent to fraud.
- may deter fraud since the perpetrator may realize that his or her act may be detected.
Monitoring purposes.
- audit trail will help management to monitor the computer system.
Query answering.
- make it much easier to answer queries.
note:
Analytical procedures use the outputs of the system, and therefore the audit trail is of limited importance.
Relevance of various types of controls to a financial audit?
Controls over the reliability of financial reporting are ordinarily most directly relevant to an audit, but other controls may also be relevant.
auditor would most likely be concerned with which of the following controls in a distributed data processing system?
Access controls.
Why?
The requirement is to identify the types of controls with which an auditor would be most likely to be concerned in a distributed data processing system. A distributed data processing system is one in which there is a network of remote computer sites, each having a computer connected to the main computer system, thus allowing access to the computers by various levels of users.
Batch processing of transactions?
It is more likely to result in an easy-to-follow audit trail than is online transaction processing.
Note:
Similar nature of transactions involved with batch processing ordinarily makes it relatively easy to follow the transactions throughout the system.
To obtain an understanding of a continuing client’s business, an auditor most likely would
A review of prior year working papers and the permanent file may provide useful information about the nature of the business, organizational structure, operating characteristics, and transactions that may require special attention.
Walk-throughs provide evidence that helps auditors to
provide evidence to confirm their understanding of the flow of transactions and the design of controls, to evaluate the effectiveness of the design of controls and to confirm whether controls have been implemented.
An auditor obtains knowledge about a new client’s business and its industry to
obtaining a level of knowledge of the client’s business and industry enables the CPA to obtain an understanding of the events, transactions, and practices that, in the CPA’s judgment, may have a significant effect on the financial statements.
What controls would an auditor be likely to review?
Segregation of the asset-handling and recordkeeping functions.
- segregation of asset custody (handling) from recordkeeping and authorization functions is essential.
Company policy regarding credit and collection efforts.
- concerned with credit and collection efforts in testing the adequacy of the allowance for doubtful accounts.
Authorization of additions to plant and equipment.
- additions to plant and equipment are major expenditures which need to be properly controlled.
Independent auditor sometimes uses a flowchart, which can best be described as a
Flowchart prepared during the consideration of internal control is a symbolic representation of a system of sequential processes. It can be used in lieu of the internal control questionnaire which has the same purpose
Note:
flowcharts are prepared as part of the consideration of internal control. The use of structure flowcharts assembles the internal control findings into a comprehensible format.
When obtaining an understanding of an entity’s internal control, an auditor should concentrate on the substance of controls rather than their form because
management may establish appropriate controls but not act on them, thus creating a situation in which the form differs from the substance
What are some typical question asked during a walk-through?
Have you ever been asked to override the process or controls?
What do you do when you find an error?
What kind of errors have you found?
In an audit of financial statements in accordance with generally accepted auditing standards, an auditor is required to
Document the auditor’s understanding of the entity’s internal control.
Note:
the auditor’s understanding of internal control allows him/her to determine the nature, timing, and extent of further audit procedures.
An auditor would most likely be concerned with controls that provide reasonable assurance about the
Entity’s ability to process and summarize financial data.
Niote:
auditor should obtain a sufficient understanding of an entity’s control to assess the risk of material misstatement.
In an audit of financial statements, an auditor’s primary consideration regarding a control is whether the control
Affects management’s financial statement assertions.
Note:
control risk should be assessed in terms of financial statement assertions.
Reconciliation of cash accounts by a competent individual otherwise independent of the cash function might make the likelihood of a significant misstatement due to the control deficiency remote. In this situation, reconciliation may be referred to as what type of control?
Compensating.
supplements a basic underlying control, in this case basic information processing controls related to cash.
