Internal Control and Control Risk(英文版)(ppt 58页).pptx

《Internal Control and Control Risk(英文版)(ppt 58页).pptx》由会员分享，可在线阅读，更多相关《Internal Control and Control Risk(英文版)(ppt 58页).pptx（58页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、10-1Internal Controland Control RiskChapter 1010-2COSO ReportnCOSO Report-related to Treadway commission created to look at problems in fraudulent financial reporting.nInternal control designed to provide reasonable assurance of meeting these objectives:nreliability of financial reportingncompliance

2、 with laws and regulationsneffectiveness and efficiency of operations10-3Internal Controln An on-going process ran by people that can only provide reasonable assurance of obtaining objectives.nBreakdowns occur in internal controls as a result of:nhuman errorndeliberate circumventionnmanagement overr

3、idencollusion10-4Reasonable AssurancenMeans that the cost of the control should not outweigh its benefit.nAuditors provide reasonable assurance that the financial statements are free from material misstatements.10-5Components of Internal ControlnThere are five components of internal control per COSO

4、.nControl EnvironmentnControl Risk AssessmentnControl ActivitiesnMonitoring nCommunication and Informationn Management is responsible for these components.n Internal control is a management process.10-6Control EnvironmentnManagements philosophy and operating stylenManagement and employee integrity a

5、nd ethicsnCompany organizational structurenCommitment to competence-trainingnFunctioning BOD and audit committeenMethods of assigning authority and responsibilitynHuman resource policies and practices10-7Risk AssessmentIdentify factors affecting risk.Assess significance of risksand likelihood of occ

6、urrence.Determine actions necessaryto manage risk.10-8Risk AssessmentnManagements assessment of their control environment and identification of risks in financial reporting.10-9Control Activities1.Adequate separation of duties2.Proper authorization of transactions and activities3.Adequate documents

7、and records4.Physical control over assets and records5.Independent checks on performance10-10Control ActivitiesActivities to mitigate control risks using the concept of reasonable assurancenPerformance reviews-actual to budget and follow-up action on variances.n Information processing-Policies for t

8、ransaction processing and error correction.Includes authorization,verifications and reconciliation.nPhysical controls to safeguard the assetsnSegregation of duties-prevent someone from stealing and concealing.10-11Adequate Separationof DutiesCustody of assetsAuthorizationof transactionsOperationalre

9、sponsibilityIT DutiesAccountingThe custody ofrelated assetsRecord-keepingresponsibilityUser departments10-12Proper Authorization of Transactions and Activities10-13Adequate Documentsand RecordsPrenumbered consecutivelyPrepared at the time of transactionDesigned for multiple usesConstructed to encour

10、age correct preparationSimple enough to ensure understanding10-14Physical Control overAssets and RecordsPhysical precautionsControls related to IT equipment,programs,and data filesPhysicalcontrolsAccesscontrolsBackup andrecoveryprocedures10-15Independent Checkson Performance10-16Information and Comm

11、unicationThe purpose of an accounting informationand communication system is toinitiate,record,process,and report thetransactions and to maintain accountabilityfor the related assets.10-17Information and CommunicationAccounting system processing of transactions to produce financial reportsnData iden

12、tification-source documentsnData entry-inputnProcessingnOutput-report production,distribution and storage10-18MonitoringManagements ongoing and periodic assessmentof the quality of internal control performance to determine whether controls are operatingas intended and modified when needed.10-19Monit

13、oring Activities to ensure controls are working.nCustomer complaintsnVendor complaintsnSupervision of transaction processingnComparing reports to knowledge of business10-20Sales Transaction-Related Audit ObjectivesObjective General Form Related Audit ObjectivesRecorded transactionsexist(existence).S

14、ales are for shipmentsto existing customers.Existing transactions arerecorded(completeness).Existing sales transactionsare recorded.Transactions are statedcorrectly(accuracy).Sales for goods shippedare correctly billed.10-21Sales Transaction-Related Audit ObjectivesObjective General Form Related Aud

15、it ObjectivesTransactions are properlyclassified(classification).Sales transactions areproperly classified.Transactions are recordedon correct dates(timing).Sales are recorded on thecorrect dates.Transactions are properlyfiled(posting andsummarization).Sales transactions areproperly included in them

16、aster files.10-22How Frauds HaveBeen DiscoveredNotification by employeeInternal controlsInternal auditorCustomer notificationAccidental discoveryManagement investigation58%51%43%41%37%35%10-23How Frauds HaveBeen DiscoveredAnonymous reportingHot line notificationEmployee investigationGovernment notif

17、icationExternal auditorOther sources35%25%21%16%4%20%10-24Audit Trailn Paper trail of transactions as they are processed in the accounting system.n Auditors use the audit trail to gather evidence of transactions.10-25Auditors ResponsibilitiesnUnderstanding the clients internal control system is the

18、second standard of field work.nThe auditor is responsible for evaluating the clients system of internal control and assessing the control risk to make sure that the controls are nproperly designed and specifiednplaced in operationnfunctioning effectively if the auditor is going to rely on the contro

19、l.10-26Reasons for Sufficiently Understanding Internal ControlSAS 55(as amended by SAS 78 and 594plus AU319)requires the auditor toobtain an understanding of internalcontrol for every audit.Minimum auditplanning matters Auditability Potential materialmisstatements Detection risk Design of test10-27U

20、nderstanding Internal Control and Assessing Control RiskObtain Understanding of Internal Control:Design and OperationAssess Control RiskTest ControlsDecide Planned Detection Riskand Substantive Tests10-28Procedures to Determine Design and PlacementUpdate and evaluate auditors previousexperience with

21、 the entity.Make inquires of client personnel.Read clients policy and systems manuals.Examine documents and records.Observe entity activities and operations.10-29Understanding the Clients Internal ControlsnPrimary purpose for understanding the clients internal controls is to assess the control risk

22、for planning the nature,timing and extent of the audit tests.nThe five components of the clients internal control system are environment,risk assessment,control,monitoring and information and communication10-30Review where we are in audit.nUnderstanding of clientnF/S and analytics as part of plannin

23、g processnPreliminary assessment of materialitynPreliminary assessment of risk,inherent,control and detection risknTo assess risk,the auditor has to have an understanding of the clients internal controlsnCreate audit plan nTest of controls for those relied on nTest of balances,substantive,details 10

24、-31Evidence of getting an understanding of internal controlsTo show that the auditor has followed the second field work standard of obtaining an understanding of the internal control structure to plan the audit the auditor must:nUnderstand the clients financial reporting controlsnDocument that under

25、standingnAssess control risknUse the control risk to plan the audit work10-32Reportable ConditionsnThe secondary reason for evaluating control structure is to identify reportable conditions.nReport condition are significant deficiencies in the design or operation of the internal controls that advers

26、ely affect a clients ability to record,process,summarize and report financial data.10-33Reportable Conditions Include:nAbsence of segregation of dutiesnAbsence of approvals on transactionsnEvidence of control failuresnEvidence of management override of controlsnEvidence of willful wrongdoing 10-34Co

27、mmunication of Reportable ConditionsnCommunicated either orally or in writing to the clients management or BOD.nThe auditor is not required to search for reportable conditions but must communicate any that are discovered with the client.nNo communication should be written saying that there are no re

28、portable conditions.10-35Material WeaknessnA reportable condition that is so bad as to allow material misstatements into the F/S is called a material weakness.nBoth are communicated to the client.10-36Primary Reason for Understanding Internal ControlnTo plan our audit.nThe purpose of control activit

29、ies is to process transactions correctly.n To process a transaction correctly these transaction realted objectives should be met:nAccuracy nCompletenessnClassificationnExistence nPosting and SummarizationnTiming 10-37Definition of Internal Control nPolicies and procedures to detect,prevent and corre

30、ct errors and fraud in the normal course of employees duties.10-38Good Internal ControlsThe client should have nCapable personnel-qualified,trained,low turnovernSegregation of duties-authorization,recording,custody and reconciliationnControlled access of plant,records and blank formsnPeriodic compar

31、isons of assets to books-count inventory10-39Audit Flow ChartObtaining understanding of control structure-environment,managements risk assessment,control activities,flow of transactions through accounting systemnPrevious experiencenInquiry of clientnInspection of documentsnObservation or walk-throug

32、h of one or few transactionsnReview of policy manuals.10-40Document understanding by:nFlow charts-easy to use,hard to maintain and developnNarratives-lengthy,good for small items,could forget issuesnQuestionnaires-good to ensure all things covered,bad yes no answers 10-41Relying on ControlsnIf the c

33、ontrol objectives are met,they help insure that the F/S assertions have been met.nThe Auditor may decide to rely on the controls to ensure that transactions are processed correctly.nIf relied on,the controls must be tested to ensure that they do work at least as well as the amount of reliance the au

34、ditor is placing on them.nIf the control testing meets or exceeds the auditors expectations then less substantive testing is required to support the balance.10-42Controls not relied on:If the control is not to be relied upon to lessen substantive work:nNo control testingnControl risk is set at maxim

35、um 100%or 1nDocument in working papers that control risk is set to the maximum for this accountnPlan substantive testing only to gather evidence on this account nAdjust nature,timing and extent of substantive tests10-43Assess Control Risk-PreliminarynEvaluate the understanding of the control environ

36、ment and determine preliminary control risknEvaluate the strengths and weaknesses of the control structure.nAnalysis and conclusions are written up and become part of the working papers.nThis evaluation is often called a bridge working paper because it connects the internal controls strengths and we

37、aknesses to the audit program.10-44Deciding to rely on controls or not?nDecide whether or not and how much the control will be relied upon(control risk)nTest controls if below maximum or move to substantive testing if not relying on controls.nControl testing might be skipped for two reasons:nPoor co

38、ntrols(maximum)nTesting control not cost effective10-45Assess Control Risk10-46Identify and Evaluate WeaknessesIdentify existing controls.Identify the absence of key controls.Determine misstatements that could result.Consider compensating controls.10-47Test of ControlsnDont test controls we are not

39、relying on.nDetermine required degree of compliance requirednTest the controls nIdentify population to testnPerform procedure to produce evidence of compliancenIf the control meets or beats the required degree of compliance,risk assessment prelim becomes final and proceed with audit plan.nIf it does

40、 not meet the requirement,reassess control risk higher and adjust audit plan to perform more tests of balances.10-48Some tests may serve as“dual purpose”tests.nOne test may be used to gather evidence on controls and on balances.nRefer back to how control objectives and assertions interrelate.10-49In

41、ternal controls for small companies.nFew written policiesnNot cost effective to separate dutiesnCompensating control-Owner involvement10-50CommunicationReportable conditions letterManagement lettersAudit committee communications10-51Decide Planned Detection Risk and Design Substantive Tests10-52Risk

42、s Associated With the Use of Information Technology 10-53Effect of InformationTechnology on Internal ControlInformation TechnologyIT can improvethe effectivenessand efficiency ofinternal controls.IT also enhancesthe timelinessand accuracyof information.10-54Controls over Computerized SystemnSame gen

43、eral controls as above plusnSegregation of technical responsibilities,programmer and operator.nApplication controls in a computer environment nInput controls nProcessing controlsnOutput controls.10-55Input Controlsninput authorization-usually clericalncheck digit or self checking numbernrecord count

44、snbatch totalsnhash totalsnEdit routines:nValid characternSignnMissing datanSequence testsnReasonableness testsnError correction and resubmission10-56Processing ControlsnRun to run totalsnControl totals reconcilednFile and operator controls-right file right operator commandnLimit/reasonableness tests10-57Output ControlsnControl totals from processing reconcilednMaster file change reportnOutput to authorized persons10-58End of Chapter 10