2. 6-2
Internal Control
The auditor uses risk assessment procedures to
-obtain an understanding of the entity’s internal control
-identify the types of potential misstatements
-ascertain factors that affect the risk of material
misstatement
-design tests of controls and substantive procedures
The auditor’s understanding of the internal control is a
major factor in determining the overall audit strategy. The
auditor has a responsibility to:
(1) obtain an understanding of internal control and
(2) assess control risk.
LO# 1
6. 6-6
LO# 6
Planning an Audit Strategy
Figure 6-3 Flowchart of the Auditor’s Consideration of Internal Control and Its
Relation to Substantive Procedures
7. 6-7
Obtain an Understanding
of Internal Control
Identify types of
potential
misstatements
Design tests of
controls and
substantive
procedures
Pinpoint the
factors that affect
the risk of material
misstatement
The auditor should obtain an understanding of each of
the five components of internal control in order to plan
the audit. This knowledge is used to:
LO# 7
8. 6-8
Documenting the Understanding
of Internal Control
Procedure Manuals
and Organizational
Charts
Narrative Description
Internal Control
Questionnaires
Flowcharts
LO# 8
9. 6-9
The Limitations of an Entity’s
Internal Control
Management
Override of
Internal
Control
Human Errors
or Mistakes
Collusion
LO# 8
11. 6-11
Interim Audit Procedures
Interim Tests of
Controls
1. Assertion being tested not significant
2. Control has been effective in prior audits
3. Efficient use of staff time
Interim
Substantive
Procedures
1. Assertion probably has low control risk
2. May increase the risk of material
misstatements
3. Still requires some year end testing
LO# 12
12. 6-12
Auditing Accounting Applications
Processed by Service Organizations
In some instances, a client may have some or all of its
accounting transactions processed by an outside service
organization.
Because the client’s
transactions are subjected to
the controls of the service
organization, one of the
auditor’s concerns is the
internal control system in
place at the service
organization.
It is not uncommon for service
organizations to have an auditor
issue one of two types of
reports on their operations.
LO# 13
13. 6-13
Communication of Internal Control-
Related Matters
Significant
Deficiency
Material
Weakness
A Significant deficiency is a deficiency, or a
combination of deficiencies, in internal control
that is less severe than a material weakness, yet
important enough to merit attention by those
charged with governance.
A material weakness is a deficiency, or
combination of deficiencies, in internal control,
such that there is a reasonable possibility that a
material misstatement of the financial
statements will not be prevented, or detected
and corrected.
LO# 14
14. 6-14
Types of Controls in an IT
Environment
General
Controls
1. Data center & network
operations
2. System software
acquisition, change, and
maintenance
3. Access security
4. Application system
acquisition, development,
and maintenance
Application
Controls
1. Data capture controls
2. Data validation controls
3. Processing controls
4. Output controls
5. Error controls
LO# 15