Blackboard Chapter 6


Auditing and Assurance Services

A Systematic Approach
Twelfth Edition

Chapter 6
Internal Control in a Financial Statement Audit
Internal Control
Management Responsibility
• Design and maintain controls that provide
reasonable assurance that:
– The entity’s assets and records are properly safeguarded
– The information system generates reliable information
for decision making
• The auditor needs assurance about the reliability
of the data generated by the information system

Auditor Responsibility
• Obtain an understanding of internal control
• Assess control risk
Controls Relevant to the Audit
Objectives
1) Reliability of Financial Reporting
2) Effectiveness and Efficiency of Operations
3) Compliance with Laws and Regulations

Generally, controls related to objective #1 are the most relevant to an audit.
Controls relating to objectives #2 and #3 may be relevant when they relate to data the auditor uses to apply auditing procedures.
Potential Benefits and Risks to an Entity’s Internal Control from IT
Benefits
• Consistent application of predefined business rules, and performance of complex calculations in
processing large volumes of transactions or data.
• Greater timeliness, availability, and accuracy of information.
• Facilitation of data analytics for enhanced internal decision making.
• Greater ability to monitor the entity's activities, policies, and procedures on a timely basis.
• Greater ability to prevent or detect circumvention of controls.
• Enhanced segregation of duties through security controls in applications, databases, and operating
systems.

Risks
• Reliance on systems or programs that, unknown to management, inaccurately process data,
process inaccurate data, or both.
• Unauthorized access to data that may result in destruction of data or improper changes to data,
including the recording of unauthorized or nonexistent transactions or inaccurate recording of
transactions.
• Unauthorized changes to data in master files.
• Unauthorized changes to systems or programs.
• Failure to make necessary changes to systems or programs.
• Inappropriate manual intervention.
• Potential loss of data.

Insurance claim example: an employee circumvented the authorization control by issuing multiple checks.
Components of Internal Control
Control Environment
• Tone of an organization (i.e. tone at the top)
• Established by the board of directors and senior management

• Thought Question:
• Thinking back on the Xerox case, what tone did their management team set for their company?
• Why is the tone of an organization so critical?

The Entity’s Risk Assessment Process
• The risk assessment process identifies and responds to business risks in relation to achieving business objectives
• Should consider external and internal events and circumstances that may arise and adversely affect the entity’s ability to initiate, record, process, and report financial data.
• What are examples of business risks that could affect or impact a company’s ability to achieve business objectives?
Components of Internal Control
Control Activities
• Performance Reviews
• Independent checks
• Physical Controls
• Critical for data reliability
• Segregation of Duties
• CAR (Custody, Authorization, Recording)
• Information Processing Controls

Information and Communication
• Identify and record all valid transactions
• Classify transactions properly
• Measure the value of transactions properly
• Record transactions in the proper period
• Properly present transactions and disclosures

Monitoring of Controls
• Process that assesses the quality of internal control performance over time.
Planning an Audit Strategy
Audit Risk Model
AR = IR × CR × DR

The auditor must assess control risk

Homework Question 6-16:
After obtaining an understanding of an entity’s internal control system, an auditor may set control risk at high for some assertions because the auditor
A) Believes the internal controls are unlikely to be effective
B) Determines that the pertinent internal control components are not well documented.
C) Performs tests of controls to restrict detection risk to an acceptable level.
D) Identifies internal controls that are likely to prevent material misstatements.
Substantive vs. Reliance Strategy

After obtaining an understanding of internal control, an auditor may choose to follow a:

Substantive strategy (set control risk at high), chosen when the controls are:
• Irrelevant
• Ineffective
• Inefficient to test

Reliance strategy (set control risk at a lower level)
– Expected for public companies (SOX)
Obtain an Understanding of Internal Control
The auditor should obtain an understanding of each
of the five components of internal control in order to
plan the audit. This knowledge is used to:
1. Identify types of potential misstatement
2. Pinpoint controls meant to mitigate the RMM
3. Design tests of controls and substantive procedures

Procedures used to obtain an understanding of internal control:
1. Inquiry
2. Inspection
3. Observation
4. Tracing
The Effect of Entity Size on Internal Control
While the basic concepts of the five
components should be present in all entities,
they are likely to be less formal in a small or
midsize entity than in a large entity.

Question 6-32
What internal control problems were present?
Would you expect those problems to occur in
bigger companies?
On September 2, 2010, the Securities & Exchange Commission brought an action against
Sujata Sachdeva, vice president of finance, and Koss senior accountant and subordinate, Julie
Mulvaney, who allegedly helped her cover up the fraudulent scheme. The SEC alleged that
Sachdeva and Mulvaney caused Koss to submit false and misleading financial statements.
Sachdeva regularly relied on Mulvaney to reconcile the cash shortfalls and to balance the
books.

Sachdeva and Mulvaney primarily hid the embezzlement by making false entries on the
Company's general journal. For example, the false journal entries disguised the theft by
overstating assets, expenses, and cost of sales, and understating liabilities and sales.
Mulvaney maintained binders that detailed numerous false journal entries that were made to
the Company's accounting books and records. With those entries, Mulvaney reclassified
Company funds—with no supporting documentation and no legitimate explanation. Mulvaney
also maintained a series of folders that included documentation of over 100 fraudulent
transactions that were included in the Company's accounting books and records.

Sachdeva and Mulvaney were able to hide the substantial embezzlements in part because the
Company did not adequately maintain internal controls to reasonably assure the accuracy and
reliability of financial reporting. Koss's internal controls policy required Michael Koss to approve
invoices of $5,000 or more for payment. However, Koss allegedly delegated duties typically
done by the CFO to Sachdeva on a regular basis. Koss also had little or no educational
background or experience in accounting or finance. Many of the cashier's checks exceeded
$5,000, and some exceeded $100,000. However, its controls did not prevent Sachdeva and
Mulvaney from processing large wire transfers and cashier's checks outside of the accounts
payable system to pay for Sachdeva's personal purchases without seeking or obtaining
Michael Koss's approval. In addition, many account reconciliations were not prepared,
maintained, or reviewed as part of Koss's accounting records. Koss's computerized accounting
system was almost 30 years old.
The Limitations of an Entity’s Internal Control
1. Management Override of Internal Control
2. Human Errors or Mistakes
3. Collusion

Thought Question
What is meant by the concept of reasonable
assurance? In other words, why don’t we design an
internal control system to eliminate these risks?
Primary Internal Control Weakness
Observed by CFE
Assessing Control Risk
1. Identify specific controls that will be relied upon.
2. Perform tests of controls.
3. Conclude on the achieved level of control risk.
Performing Tests of Controls
1. Inquiry of appropriate entity personnel
2. Inspection of documents indicating the performance of the control
3. Observation of the application of the control
4. Reperformance of the application of the control by the auditor
Homework Question 6-19
Which of the following audit techniques would most likely provide an auditor with the least assurance about the effectiveness of the operation of a control?
A. Inquiry of entity personnel
B. Reperformance of the control by the auditor
C. Observation of entity personnel
D. Walkthrough
Timing of Audit Procedures
Interim vs. year end audit procedures

Thought Question:
Why do we perform any amount of audit work at
interim dates?
Auditing Accounting Applications Processed by Service Organizations
Entities may have some or all of their accounting transactions processed by an outside service organization.
• For example, Tickets R Us (Burlingham Bees Case), ADP (Payroll)

Transactions are subjected to the controls of the service organization.

Why does an auditor care about the controls in place at a service organization?
Auditing Accounting Applications Processed by Service Organizations
Type 1 Report
• Describes the service organization’s system and
the auditor’s opinion on the suitability of the design
of controls.
Type 2 Report
• Provides assurance on not only the suitability of the
design of the service organization’s controls, but
also on the operating effectiveness of those
controls.

Which report allows the auditor to reduce control risk below a high level?
Homework Question 6-21
SOC 1, Type 2 reports by the service organization's auditor typically
a) Provide reasonable assurance that their financial statements are free of material misstatements.
b) Ensure that the entity will not have any misstatements in areas related to the service organization's activities.
c) Ensure that the entity is billed correctly.
d) Assess whether the service organization's controls are suitably designed and operating effectively.
Communication of Internal Control-Related Matters
Control Deficiency
• Exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their
assigned function, to prevent, or detect and correct, misstatements on
a timely basis.

Significant Deficiency
• A deficiency, or a combination of deficiencies, in internal control that
is less severe than a material weakness yet important enough to merit
attention by those charged with governance.

Material Weakness
• A deficiency, or combination of deficiencies, in internal control, such
that there is a reasonable possibility that a material misstatement of
the entity’s financial statements will not be prevented, or detected
and corrected, on a timely basis.
Types of Controls in an IT Environment
General Controls – overall information processing environment
• Data center and network operations
• System software acquisition, change, and maintenance
• Access security
• Application system acquisition, development, and
maintenance

Application Controls – processing of a specific computer application
• Data capture controls
• Data validation controls
• Processing controls
• Output controls
• Error controls
Types of Controls in an IT Environment
Access and Security Controls (critical to maintain data
reliability)
• Physical protection
• Keys or authorization card
• Proper construction of facilities
• Off-site backups (Daily backups)

• Unauthorized access
• Firewalls
• Encryption
• Passwords
Types of Controls in an IT Environment
Common Data Validation Controls

Limit test – A test to ensure that a numerical value does not exceed some predetermined value.
Range test – A check to ensure that the value in a field falls within an allowable range of values.
Sequence check – A check to determine if input data are in proper numerical or alphabetical sequence.
Existence (validity) test – A test of an ID number or code by comparison to a file or table containing valid ID numbers or codes.
Field test – A check on a field to ensure that it contains either all numeric or all alphabetic characters.
Sign test – A check to ensure that the data in a field have the proper arithmetic sign.
Check-digit verification – A numerical value computed to provide assurance that the original value was not altered.
Closed loop verification – A process that takes data entered into the system to find and present other related information, thus enabling the user to verify the correctness of the original data entry.

Which data validation control reduces the risk of missing purchase orders?

Which control eliminates the risk of employees processing transactions above predetermined thresholds?
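The data validation controls in the table above are small enough to implement directly. The following is an added example, not code from the textbook or these slides: each control is a function, and a batch of constructed purchase orders is run through them so the reader can see which control catches which error (an unknown vendor, a quantity outside its range, a negative amount, an amount above the approval limit, a non-numeric account field, an altered account number, and a gap in the PO number sequence). The record field names, the approval limit, the quantity range, the vendor table and the use of the Luhn mod-10 scheme for the check digit are assumptions made for the demonstration.

```python
"""Added example (not from the textbook or these slides): the data
validation controls of the table above, applied to a constructed batch
of purchase orders. Field names, limits and the vendor table are assumed."""

# Constructed reference data for the existence test and closed-loop check.
VALID_VENDORS = {"V001": "Acme Supply", "V002": "Bolt Works", "V003": "Cable Co"}

# Assumed parameters for the limit and range tests.
APPROVAL_LIMIT = 5000.00        # a single order may not exceed this amount
QUANTITY_RANGE = (1, 10000)     # inclusive bounds for the quantity field


def limit_test(value, limit=APPROVAL_LIMIT):
    """Limit test: the numerical value does not exceed a predetermined value."""
    return value <= limit


def range_test(value, low, high):
    """Range test: the value falls within an allowable (inclusive) range."""
    return low <= value <= high


def sequence_check(numbers):
    """Sequence check: numbers arrive in ascending order with no gaps.
    Returns (in_order, missing_numbers)."""
    if not numbers:
        return True, []
    in_order = all(a < b for a, b in zip(numbers, numbers[1:]))
    missing = sorted(set(range(min(numbers), max(numbers) + 1)) - set(numbers))
    return in_order, missing


def existence_test(vendor_id, valid=VALID_VENDORS):
    """Existence (validity) test: the ID appears in the table of valid IDs."""
    return vendor_id in valid


def field_test(text, numeric=True):
    """Field test: the field is all numeric (or, with numeric=False, all alphabetic)."""
    return text.isdigit() if numeric else text.isalpha()


def sign_test(value, positive=True):
    """Sign test: the value carries the proper arithmetic sign."""
    return value >= 0 if positive else value < 0


def check_digit(digits):
    """Check-digit verification using the Luhn mod-10 scheme (assumed here):
    the trailing digit must agree with the others, so an altered digit fails."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def closed_loop_verification(vendor_id, valid=VALID_VENDORS):
    """Closed-loop verification: return related data (the vendor name) so the
    operator can confirm that the ID keyed in is the one intended."""
    return valid.get(vendor_id)


def validate_order(order):
    """Apply the record-level controls to one order; return its exceptions."""
    ex = []
    if not existence_test(order["vendor"]):
        ex.append("existence: unknown vendor %s" % order["vendor"])
    if not range_test(order["qty"], *QUANTITY_RANGE):
        ex.append("range: quantity %d outside %s" % (order["qty"], QUANTITY_RANGE))
    if not sign_test(order["amount"]):
        ex.append("sign: negative amount %.2f" % order["amount"])
    if not limit_test(order["amount"]):
        ex.append("limit: amount %.2f exceeds %.2f" % (order["amount"], APPROVAL_LIMIT))
    if not field_test(order["acct"]):
        ex.append("field: account %r is not all numeric" % order["acct"])
    elif not check_digit(order["acct"]):      # only meaningful once the field is numeric
        ex.append("check digit: account %s fails verification" % order["acct"])
    return ex


def run_batch(orders):
    """Run the record-level controls on every order and the sequence check on
    the batch's PO numbers. Returns (exceptions_by_po, in_order, missing)."""
    exceptions = {o["po"]: validate_order(o) for o in orders}
    in_order, missing = sequence_check([o["po"] for o in orders])
    return exceptions, in_order, missing


# Constructed input batch: one clean order and three that trip controls.
# PO 1003 is deliberately absent so the sequence check reports a gap.
SAMPLE_ORDERS = [
    {"po": 1001, "vendor": "V001", "qty": 25, "amount": 1200.00, "acct": "79927398713"},
    {"po": 1002, "vendor": "V009", "qty": 25, "amount": 300.00, "acct": "79927398713"},
    {"po": 1004, "vendor": "V002", "qty": 0, "amount": 7500.00, "acct": "79927398710"},
    {"po": 1005, "vendor": "V003", "qty": 3, "amount": -40.00, "acct": "7992739871A"},
]

if __name__ == "__main__":
    by_po, in_order, missing = run_batch(SAMPLE_ORDERS)
    for po, problems in by_po.items():
        print(po, problems or "ok")
    print("in order:", in_order, "missing PO numbers:", missing)
```

Note that these are detective and preventive controls over data entry only; a limit test in the application stops an over-limit order being keyed, but, as the Koss case above shows, it does nothing for payments processed outside the system it guards.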
