overall Flashcards
Control Environment
Control consciousness of top management; refers to the tone at the top.
The control environment includes the following:
Processes and Protocols to attract, develop, and retain human resource
Proper organizational structure with properly designed reporting structures
Measures for Performance Evaluation and Incentives for Performance
Oversight by Board of Directors and Those Charged with Governance
Commitment to Integrity and Ethics
Appropriate Assignment of Authority and Responsibility
Objectives of Internal Control
Accurate and Reliable Financial Reporting
Compliance with applicable laws and regulations
Effective and Efficient Business Operations
Control Activities
Develop controls that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
Ensure appropriate segregation of duties, i.e. Authorization, Recordkeeping, Custody and Comparison
Monitoring
Monitoring involves assessing whether each of the five components of Internal Control is present and functioning
Information and Communication
The auditor should obtain an understanding of the information system, including the related business processes relevant to financial reporting
Auditor should obtain an understanding of communication system relevant to financial reporting
Risk Assessment refers to identification, analysis and management of risk
Auditor should evaluate if the risk assessment process is appropriate to the circumstances, including the nature, size, and complexity of the entity.
Inherent limitation of internal controls
Competence
Human judgment in decision making can be faulty and subject to bias
Obsolescence
External events outside the organization’s control may arise and render existing Internal Controls obsolete
Collusion
Employees may circumvent controls through collusion
Override by Management
Cost Constraints
Controls can not be implemented because Cost of Controls is more than benefit of the contr
Audit of Non-Issuers
Auditor expresses an opinion on the client’s financial statements and not on client’s internal control
Auditor is not required to perform test of controls but required to perform test of details
However, Auditor will perform test of controls if auditor wants to assess control risk at less than maximum level such that Auditor can afford a high detection risk and reduce the Nature, Extent and Timing of Substantive Procedures
Auditor is not required to perform test of controls but if auditor comes across significant deficiencies and material weaknesses the auditor must report those to management and those charged with governance.
Audit of Issuers
Auditor expresses an opinion on the client’s financial statements and on client’s internal control over financial reporting
Auditor is required to perform both test of controls and test of details
Auditor tests controls to opine on the effectiveness of ICFR and audits the Financial Statements to provide an opinion on the Financial Statements; however, the auditor conducts both audits simultaneously so that the assessed control risk can be leveraged to reduce the scope, i.e. Nature, Extent and Timing of Substantive Procedures
Risk Assessment Procedures
Auditor performs risk assessment procedures to identify and assess Inherent Risk and Control Risk, i.e. Risk of Material Misstatement at Financial Statement Level and at Assertion Level
Auditor assesses financial statement risk by performing the following procedures
Walk-through
Analytical procedures
Inquiries of management, internal auditors, TCWG, others within the entity
Observation
Inspection
Understand the entity & its environment, including its Internal Control
Understand the client entity and its business environment and obtain knowledge about:
Objectives & strategies of the entity
Performance of the entity
External & Internal Factors affecting the entity
Structure of the entity
Understand and evaluate the design and implementation of internal control
Evaluate the design of Internal Control to ensure that the design of internal controls is sound enough to prevent and detect errors.
Ensure the controls are implemented and are placed in operation
If improper design/implementation of controls, auditor will assess control risk at maximum level and will move straight to substantive testing without control testing as controls can not be leveraged to reduce the Nature, Extent and Timing of the Audit
If proper design/implementation of controls, auditor will test the operating effectiveness of controls to assess Control risk below maximum level and would use the reduced level of assessed control risk to reduce the Nature, Extent and Timing of the Audit
Auditor may use Top Down Approach to obtain an understanding of Controls
Entity Level Controls
Controls at Transaction, Balance and Disclosure Level
Assertion Level Controls
Since entity-level controls are pervasive, it may be more effective and efficient for the auditor to evaluate the design & implementation of entity-level controls before evaluating transaction and assertion level controls.
If entity level controls don’t operate, transaction and assertion level controls might fail as well
If transaction and assertion level controls fail, auditor might consider the entity level controls which compensate for the transaction level control
Preventive controls identify misstatements as they occur and prevent them from happening
Detective controls detect & correct misstatements after they have occurred
Auditor must document the understanding of Internal Controls. Controls can be documented in
Flowchart
Internal Control Questionnaire & Checklists
Narratives
Decision tree
Assessment of Risk of Material Misstatement
Identify Risks
Consider the likelihood of the identified risks
Consider the magnitude of impact of identified risk on Financial Statements
Determine if identified risks are significant risk as they would require special consideration during audit (Example: Fraud Risk)
Based on assessed Risk auditor can perform the audit using the following two approaches
Substantive Approach: No Test of Controls, Only Test of Details
Improper Design & Implementation of Internal Controls; Controls are not effective
Inefficient to perform test of Controls
Combined Approach: Test of Controls and Test of Details
Proper Design and Implementation of Internal Controls; Controls are effective
Substantive tests by itself are not sufficient because of IT environment of the client
Test of Controls
If Auditor decides to take a combined approach, auditor will test the operating effectiveness of controls to ensure that the controls are operating as they have been designed to
Reperformance
Inquiry
Observation
Vouching
Tracing
Auditors might use dual purpose tests for higher efficiency in audit i.e. perform test of controls along with test of details.
Nature of Testing
Extent of Testing
Extent of Testing is less for IT based controls due to automation, consistency and accuracy offered by IT based controls
Timing of Tests of Controls
Interim Testing can be done, but obtain audit evidence about significant changes to those controls subsequent to the interim period
If controls have changed since previous audits, the controls are to be tested in the current audit.
If there have not been such changes, auditor should test the controls at least once in every third audit
Controls over significant risk should be tested in the current period
Evaluate Results of Test of Controls
Operating Effectively: Detection Risk = High; Scope = Decrease NET
Not Operating Effectively: Detection Risk = Low; Scope = Increase NET
Why it is important to plan?
Identify potential problems and solve on a timely basis.
To have an Effective and Efficient Audit
Helps in selecting appropriate resources
Figure out the requirements of component auditors and specialists.
Factors influencing Planning
Industry and Size of the Entity
Engagement Teams
Matters identified during the audit
Develop Overall Audit Strategy
Set the overall tone of the audit.
Decide on the scope of the audit
Figure out areas where additional time and resources need to be used