Internal Control and Control Risk (English version) (ppt, 58 pages).pptx
10-1 Internal Control and Control Risk
Chapter 10

10-2 COSO Report
- COSO Report: related to the Treadway Commission, created to look at problems in fraudulent financial reporting.
- Internal control is designed to provide reasonable assurance of meeting these objectives:
  - reliability of financial reporting
  - compliance with laws and regulations
  - effectiveness and efficiency of operations

10-3 Internal Control
- An on-going process run by people that can only provide reasonable assurance of obtaining objectives.
- Breakdowns occur in internal controls as a result of:
  - human error
  - deliberate circumvention
  - management override
  - collusion

10-4 Reasonable Assurance
- Means that the cost of the control should not outweigh its benefit.
- Auditors provide reasonable assurance that the financial statements are free from material misstatements.

10-5 Components of Internal Control
- There are five components of internal control per COSO:
  - Control Environment
  - Control Risk Assessment
  - Control Activities
  - Monitoring
  - Communication and Information
- Management is responsible for these components.
- Internal control is a management process.

10-6 Control Environment
- Management's philosophy and operating style
- Management and employee integrity and ethics
- Company organizational structure
- Commitment to competence: training
- Functioning BOD and audit committee
- Methods of assigning authority and responsibility
- Human resource policies and practices

10-7 Risk Assessment
- Identify factors affecting risk.
- Assess significance of risks and likelihood of occurrence.
- Determine actions necessary to manage risk.

10-8 Risk Assessment
- Management's assessment of their control environment and identification of risks in financial reporting.

10-9 Control Activities
1. Adequate separation of duties
2. Proper authorization of transactions and activities
3. Adequate documents and records
4. Physical control over assets and records
5. Independent checks on performance

10-10 Control Activities
Activities to mitigate control risks using the concept of reasonable assurance
- Performance reviews: actual to budget and follow-up action on variances.
- Information processing: policies for transaction processing and error correction. Includes authorization, verifications and reconciliation.
- Physical controls to safeguard the assets
- Segregation of duties: prevent someone from stealing and concealing.

10-11 Adequate Separation of Duties
- Custody of assets / Accounting
- Authorization of transactions / The custody of related assets
- Operational responsibility / Record-keeping responsibility
- IT duties / User departments

10-12 Proper Authorization of Transactions and Activities

10-13 Adequate Documents and Records
- Prenumbered consecutively
- Prepared at the time of transaction
- Designed for multiple uses
- Constructed to encourage correct preparation
- Simple enough to ensure understanding

10-14 Physical Control over Assets and Records
- Physical precautions
- Controls related to IT equipment, programs, and data files:
  - Physical controls
  - Access controls
  - Backup and recovery procedures

10-15 Independent Checks on Performance

10-16 Information and Communication
The purpose of an accounting information and communication system is to initiate, record, process, and report the transactions and to maintain accountability for the related assets.

10-17 Information and Communication
Accounting system processing of transactions to produce financial reports
- Data identification: source documents
- Data entry: input
- Processing
- Output: report production, distribution and storage

10-18 Monitoring
Management's ongoing and periodic assessment of the quality of internal control performance to determine whether controls are operating as intended and modified when needed.

10-19 Monitoring
Activities to ensure controls are working.
- Customer complaints
- Vendor complaints
- Supervision of transaction processing
- Comparing reports to knowledge of business

10-20 Sales Transaction-Related Audit Objectives
Objective, General Form | Related Audit Objectives
Recorded transactions exist (existence). | Sales are for shipments to existing customers.
Existing transactions are recorded (completeness). | Existing sales transactions are recorded.
Transactions are stated correctly (accuracy). | Sales for goods shipped are correctly billed.

10-21 Sales Transaction-Related Audit Objectives
Objective, General Form | Related Audit Objectives
Transactions are properly classified (classification). | Sales transactions are properly classified.
Transactions are recorded on correct dates (timing). | Sales are recorded on the correct dates.
Transactions are properly filed (posting and summarization). | Sales transactions are properly included in the master files.

10-22 How Frauds Have Been Discovered
- Notification by employee: 58%
- Internal controls: 51%
- Internal auditor: 43%
- Customer notification: 41%
- Accidental discovery: 37%
- Management investigation: 35%

10-23 How Frauds Have Been Discovered
- Anonymous reporting: 35%
- Hot line notification: 25%
- Employee investigation: 21%
- Government notification: 16%
- External auditor: 4%
- Other sources: 20%

10-24 Audit Trail
- Paper trail of transactions as they are processed in the accounting system.
- Auditors use the audit trail to gather evidence of transactions.

10-25 Auditor's Responsibilities
- Understanding the client's internal control system is the second standard of field work.
- The auditor is responsible for evaluating the client's system of internal control and assessing the control risk to make sure that the controls are:
  - properly designed and specified
  - placed in operation
  - functioning effectively if the auditor is going to rely on the control.

10-26 Reasons for Sufficiently Understanding Internal Control
SAS 55 (as amended by SAS 78 and 594 plus AU319) requires the auditor to obtain an understanding of internal control for every audit.
Minimum audit planning matters:
- Auditability
- Potential material misstatements
- Detection risk
- Design of test

10-27 Understanding Internal Control and Assessing Control Risk
1. Obtain Understanding of Internal Control: Design and Operation
2. Assess Control Risk
3. Test Controls
4. Decide Planned Detection Risk and Substantive Tests

10-28 Procedures to Determine Design and Placement
- Update and evaluate auditor's previous experience with the entity.
- Make inquiries of client personnel.
- Read client's policy and systems manuals.
- Examine documents and records.
- Observe entity activities and operations.

10-29 Understanding the Client's Internal Controls
- Primary purpose for understanding the client's internal controls is to assess the control risk for planning the nature, timing and extent of the audit tests.
- The five components of the client's internal control system are environment, risk assessment, control, monitoring, and information and communication.

10-30 Review where we are in audit.
- Understanding of client
- F/S and analytics as part of planning process
- Preliminary assessment of materiality
- Preliminary assessment of risk: inherent, control and detection risk
- To assess risk, the auditor has to have an understanding of the client's internal controls
- Create audit plan
- Test of controls for those relied on
- Test of balances, substantive, details

10-31 Evidence of getting an understanding of internal controls
To show that the auditor has followed the second field work standard of obtaining an understanding of the internal control structure to plan the audit, the auditor must:
- Understand the client's financial reporting controls
- Document that understanding
- Assess control risk
- Use the control risk to plan the audit work

10-32 Reportable Conditions
- The secondary reason for evaluating control structure is to identify reportable conditions.
- Reportable conditions are significant deficiencies in the design or operation of the internal controls that adversely affect a client's ability to record, process, summarize and report financial data.

10-33 Reportable Conditions Include:
- Absence of segregation of duties
- Absence of approvals on transactions
- Evidence of control failures
- Evidence of management override of controls
- Evidence of willful wrongdoing

10-34 Communication of Reportable Conditions
- Communicated either orally or in writing to the client's management or BOD.
- The auditor is not required to search for reportable conditions but must communicate any that are discovered with the client.
- No communication should be written saying that there are no reportable conditions.

10-35 Material Weakness
- A reportable condition that is so bad as to allow material misstatements into the F/S is called a material weakness.
- Both are communicated to the client.

10-36 Primary Reason for Understanding Internal Control
- To plan our audit.
- The purpose of control activities is to process transactions correctly.
- To process a transaction correctly, these transaction-related objectives should be met:
  - Accuracy
  - Completeness
  - Classification
  - Existence
  - Posting and Summarization
  - Timing

10-37 Definition of Internal Control
- Policies and procedures to detect, prevent and correct errors and fraud in the normal course of employees' duties.

10-38 Good Internal Controls
The client should have:
- Capable personnel: qualified, trained, low turnover
- Segregation of duties: authorization, recording, custody and reconciliation
- Controlled access of plant, records and blank forms
- Periodic comparisons of assets to books: count inventory

10-39 Audit Flow Chart
Obtaining understanding of control structure: environment, management's risk assessment, control activities, flow of transactions through accounting system
- Previous experience
- Inquiry of client
- Inspection of documents
- Observation or walk-through of one or few transactions
- Review of policy manuals.

10-40 Document understanding by:
- Flow charts: easy to use, hard to maintain and develop
- Narratives: lengthy, good for small items, could forget issues
- Questionnaires: good to ensure all things covered, bad yes/no answers

10-41 Relying on Controls
- If the control objectives are met, they help ensure that the F/S assertions have been met.
- The auditor may decide to rely on the controls to ensure that transactions are processed correctly.
- If relied on, the controls must be tested to ensure that they do work at least as well as the amount of reliance the auditor is placing on them.
- If the control testing meets or exceeds the auditor's expectations, then less substantive testing is required to support the balance.

10-42 Controls not relied on:
If the control is not to be relied upon to lessen substantive work:
- No control testing
- Control risk is set at maximum, 100% or 1
- Document in working papers that control risk is set to the maximum for this account
- Plan substantive testing only to gather evidence on this account
- Adjust nature, timing and extent of substantive tests

10-43 Assess Control Risk: Preliminary
- Evaluate the understanding of the control environment and determine preliminary control risk
- Evaluate the strengths and weaknesses of the control structure.
- Analysis and conclusions are written up and become part of the working papers.
- This evaluation is often called a bridge working paper because it connects the internal controls' strengths and weaknesses to the audit program.

10-44 Deciding to rely on controls or not?
- Decide whether or not and how much the control will be relied upon (control risk)
- Test controls if below maximum, or move to substantive testing if not relying on controls.
- Control testing might be skipped for two reasons:
  - Poor controls (maximum)
  - Testing control not cost effective

10-45 Assess Control Risk

10-46 Identify and Evaluate Weaknesses
- Identify existing controls.
- Identify the absence of key controls.
- Determine misstatements that could result.
- Consider compensating controls.

10-47 Test of Controls
- Don't test controls we are not relying on.
- Determine required degree of compliance
- Test the controls
- Identify population to test
- Perform procedure to produce evidence of compliance
- If the control meets or beats the required degree of compliance, risk assessment prelim becomes final and proceed with audit plan.
- If it does not meet the requirement, reassess control risk higher and adjust audit plan to perform more tests of balances.

10-48 Some tests may serve as "dual purpose" tests.
- One test may be used to gather evidence on controls and on balances.
- Refer back to how control objectives and assertions interrelate.

10-49 Internal controls for small companies.
- Few written policies
- Not cost effective to separate duties
- Compensating control: owner involvement

10-50 Communication
- Reportable conditions letter
- Management letters
- Audit committee communications

10-51 Decide Planned Detection Risk and Design Substantive Tests

10-52 Risks Associated With the Use of Information Technology

10-53 Effect of Information Technology on Internal Control
Information Technology
- IT can improve the effectiveness and efficiency of internal controls.
- IT also enhances the timeliness and accuracy of information.

10-54 Controls over Computerized System
- Same general controls as above, plus
- Segregation of technical responsibilities, programmer and operator.
- Application controls in a computer environment:
  - Input controls
  - Processing controls
  - Output controls.

10-55 Input Controls
- Input authorization: usually clerical
- Check digit or self-checking number
- Record counts
- Batch totals
- Hash totals
- Edit routines:
  - Valid character
  - Sign
  - Missing data
  - Sequence tests
  - Reasonableness tests
- Error correction and resubmission

10-56 Processing Controls
- Run-to-run totals
- Control totals reconciled
- File and operator controls: right file, right operator command
- Limit/reasonableness tests

10-57 Output Controls
- Control totals from processing reconciled
- Master file change report
- Output to authorized persons

10-58 End of Chapter 10
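The input controls listed on slide 10-55 and the control-total reconciliation on slide 10-56, worked through on one keyed batch; this is an added example, not part of the original slides. The field names, the 10,000 reasonableness limit, the rule that amounts must be positive, and the choice of the Luhn algorithm as the check-digit scheme are assumptions made for illustration.

```python
import re
from decimal import Decimal

def to_amount(text):
    """Signed amount with optional cents; None if the field is malformed."""
    return Decimal(text) if re.fullmatch(r"-?[0-9]+(\.[0-9]{2})?", text or "") else None

def luhn_ok(number):
    """Check digit test: the last digit must be a valid Luhn check digit."""
    digits = [int(c) for c in reversed(number)]
    # Double every second digit from the right; subtract 9 when the result exceeds 9.
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def edit_record(rec, prev_seq, limit=Decimal("10000")):
    """Edit routines for one record; returns the names of the failed tests."""
    if not rec["account"] or not rec["amount"]:
        return ["missing data"]
    amount, errors = to_amount(rec["amount"]), []
    numeric = re.fullmatch(r"[0-9]+", rec["account"]) is not None
    if not numeric or amount is None:
        errors.append("valid character")
    if numeric and not luhn_ok(rec["account"]):
        errors.append("check digit")
    if amount is not None and amount <= 0:      # assumed rule: amounts are positive
        errors.append("sign")
    elif amount is not None and amount > limit:
        errors.append("reasonableness")
    if rec["seq"] != prev_seq + 1:              # prenumbered documents, no gaps
        errors.append("sequence")
    return errors

def validate_batch(header, records):
    """Reconcile control totals with the batch header, then edit each record."""
    totals = {"record_count": len(records),
              "batch_total": sum(to_amount(r["amount"]) or 0 for r in records),
              "hash_total": sum(int(r["account"]) for r in records
                                if re.fullmatch(r"[0-9]+", r["account"] or ""))}
    mismatches = [k for k, v in totals.items() if v != header[k]]
    seqs = [header["first_seq"] - 1] + [r["seq"] for r in records]
    errors = [(r["seq"], edit_record(r, p)) for r, p in zip(records, seqs)]
    return mismatches, [pair for pair in errors if pair[1]]

# Constructed sample: header totals were prepared before the batch was keyed.
HEADER = {"first_seq": 101, "record_count": 3,
          "batch_total": Decimal("1750.00"), "hash_total": 6015246}
# Document 101 has two account digits transposed; 104 skips a number and is negative.
KEYED = [dict(zip(("seq", "account", "amount"), row)) for row in
         [(101, "1003244", "500.00"), (102, "2005189", "250.00"), (104, "3007713", "-1000.00")]]
```

The record count still reconciles on this batch, so only the batch total, the hash total and the per-record edits reveal the keying errors.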