ACCOUNTING AND INTERNAL CONTROL SYSTEMS AND AUDIT RISK ASSESSMENTS

As part of the planning of an audit, an auditor should:
(a) Obtain an understanding of the accounting and internal control systems
sufficient to plan the audit and develop an effective audit approach;
and
(b) Use professional judgement to assess the components of audit risk and
to design audit procedures to ensure it is reduced to an acceptably low
level.
The following definitions are contained in APB Statement of Auditing Standard
300 on ‘Accounting and internal control systems and audit risk assessments’:
‘Audit risk’ means the risk that auditors may give an inappropriate audit
opinion on financial statements. Audit risk has three components: inherent
risk, control risk and detection risk.
‘Inherent risk’ is the susceptibility of an account balance or class of
transactions to material misstatement, either individual or when aggregated
with misstatements in other balances or classes, irrespective of related internal
controls.
‘Control risk’ is the risk that a misstatement could occur in an account balance
or class of transactions and that could be material, either individually or when
aggregated with misstatements in other balances or classes, would not be
prevented, or detected and corrected on a timely basis by the accounting and
internal control systems.
‘Detection risk’ is the risk that auditors’ substantive procedures (tests of
details of transactions and balances or analytical procedures) do not detect a
misstatement that exists in an account balance or class of transactions that
could be material, either individually or when aggregated with misstatements
in other balances or classes.
‘Accounting system’ means the series of tasks and records of an entity by
which transactions are processed as a means of maintaining financial records.
Such systems identify, assemble, analyse, calculate, classify, record,
summarise and report transactions and other events.
Internal control system comprises the control environment and control
procedures. It includes all the policies and procedures (internal controls)
adopted by the directors and management of an entity to assist in achieving
their objective of ensuring, as far as practicable, the orderly and efficient conduct
of its business, including adherence to internal policies, the safeguarding of
assets, the prevention and detection of fraud and error, the accuracy and
completeness of the accounting records, and timely preparation of reliable
financial information.
Internal controls may be incorporated within computerised accounting systems.
However, the internal control system extends beyond those matters which relate
directly to the accounting system.
Control environment means the overall attitude, awareness and actions of
directors and management regarding internal controls and their importance
in the entity.
The control environment encompasses the management style, and corporate
culture and values shared by all employees. It provides the background against
which the various other controls are operated. However, a strong control
environment does not, by itself, ensure the effectiveness of the overall internal
control system. Factors reflected in the control environment include:
(a) The philosophy and operating style of the directors and management;
(b) The entity’s organisational structure and methods of assigning authority
and responsibility (including segregation of duties and supervisory
controls); and
(c) The directors’ methods of imposing control, including the internal audit
function, the functions of the board of directors and personnel policies
and procedures.
Control procedures are those policies and procedures in addition to the control
environment which are established to achieve the entity’s specific objectives.
They include, in particular procedures designed to prevent or to detect and
correct errors. The latter may be a particular focus of high level controls in
small or owner-managed entities. Specific control procedures include:
(a) Approval and control of documents;
(b) Controls over computerised system and the information technology
environment;
(c) Checking the arithmetical accuracy of the records;
(d) Maintaining and reviewing control accounts and trial balances;
(e) Reconciliations;
(f) Comparing the results of cash, security and stock counts with accounting
records;
(g) Comparing internal data with external sources of information; and
(h) Limiting direct physical access to assets and records.
Auditors are only concerned with those policies and procedures within the
accounting and internal control systems that are relevant to the financial
statement assertions. The understanding of relevant aspects of the accounting
and internal control systems, together with the inherent and control risk
assessment enables auditors to:
(a) Assess the adequacy of the accounting system as a basis for preparing
the financial statements;
(b) Identify the types of potential misstatements that could occur in the
financial statements;
(c) Consider factors that affect the risk of misstatements; and
(d) Design appropriate audit procedures” (Chitty, 2004)
At the planning stage of the audit, the auditors should consider:
(a) The likelihood of error in the light of inherent risk; and
(b) The system of internal control (control risk) in order to determine the
extent of work and hence the level of detection risk required; to satisfy
themselves that the risk of error in the financial statements is sufficiently
low.

Inherent risk

APB SAS 300 on ‘Accounting and internal control systems’ states that “in
developing the audit approach and the detailed procedures, auditors should
assess inherent risk in relation to financial statement assertions, about material
account balances and classes of transactions, taking account of factors relevant
both to the entity as a whole and to the specific assertions”.
In the absence of information to assess the inherent risk for a specific account
balance, or class of transactions, the auditors should assume that the inherent
risk is high. However, when an assessment results in the inherent risk not to be
high, the auditors must document the reasons and are able to reduce the work
which would otherwise have been carried out’ (Chitty, 2004).
To assess inherent risk:
(a) Auditors use their professional judgement to evaluate numerous factors
having regard to their experience of the entity from previous audits;
(b) Any controls established by management to compensate for a high level
of inherent risk; and
(c) Their knowledge of any significant changes which have taken place.
Examples of the factors are:
At the entity level
(a) The integrity of directors and management;
(b) Management experience and knowledge and changes in management
during the period;
(c) Unusual pressures on directors or management, such as tight reporting
deadlines, market expectations or other circumstances that might
predispose them to misstate the financial statements;
(d) The nature of the entity’s business;
(e) Factors affecting the industry in which the entity operates.
At the account balance and class of transaction level:
(a) Financial statement accounts likely to be susceptible to misstatements;
(b) The complexity of underlying transactions and other events which might
require the use of the work of an expert;
(c) The degree of judgement involved in determining account balances;
(d) Susceptibility of assets to loss or misappropriation, for example, assets
which are highly desirable and movable such as cash;
(e) The quality of the accounting systems;
(f) The completion of unusual and complex transactions, particularly at or
near period end; and
(g) Transactions not subjected to ordinary processing (Chitty, 2004).

Accounting System and Control Environment

APB SAS 300 on ‘Accounting and internal control systems’ states that “in
planning the audit, auditors should obtain and document an understanding of
the accounting system and control environment sufficient to determine their
audit approach”.
Auditors obtain an understanding of the accounting system sufficient, to enable
them to identify and understand by documenting:
(a) major classes of transactions in the entity’s operations;
(b) how such transactions are initiated;
(c) significant accounting records, supporting documents and accounts in
the financial statements; and
(d) the accounting and financial reporting process, from the initiation of
significant transactions and other events to their inclusion in the financial
statements.
In order to assess the likely effectiveness of control procedures, the auditor
must have an understanding of the control environment.
A strong control environment, for example, one with strong budgetary controls
and an effective internal audit function, increases the effectiveness of control
procedures.
A small entity’s control environment may be strengthened by the close
involvement of the directors, including their review of financial information.
Based on their understanding of the accounting system and control environment:
(i) Auditors can make a preliminary assessment of the adequacy of the
system as a basis for the preparation of the financial statements; and
(ii) The likely mix of tests of control and substantive procedures.
An auditor must obtain an understanding of the accounting system, control
environment and control procedures (i.e. the systems) as one exercise. However,
in order to design and select the appropriate audit tests, it may be necessary
for them to undertake additional work to obtain a more detailed understanding
of specific control procedures.
When seeking an understanding of the accounting systems and control
environment, sufficient to plan the audit the auditors should:
(a) Gain knowledge of the design and operation of the systems;
(b) Understand and assess inherent risks; and
(c) Perform ‘walk-through tests’ that is: tracing one or more transactions
through the accounting system and observing the application of relevant
aspects of the internal control system.
The nature, timing and extent of the procedures performed by auditors to obtain
an understanding of the systems vary, because of:
(a) Materiality considerations;
(b) The size and complexity of the entity;
(c) Their assessment of inherent risk;
(d) The complexity of the entity’s computer systems;
(e) The type of internal controls involved; and
(f) The nature of the entity’s documentation of specific internal controls.
Usually, the auditors’ understanding of the systems is obtained through previous
experience with the entity updated as necessary by:
(a) Enquiries of appropriate supervisory and other personnel at various
organisational levels within the entity, together with reference to
documentation such as procedures manuals, job descriptions and
systems descriptions;
(b) Inspection of relevant documents and records produced by the systems;
and
(c) Observation of the entity’s activities and operations, including the
information technology function’s organisation, personnel performing
control procedures and the nature of transaction processing (Chitty, 2004).

Internal Controls and their Inherent Limitations

Internal controls established by the directors relating to the accounting system
are concerned with achieving objectives such as:
(a) Transactions are executed in accordance with proper, general or specific
authorisation;
(b) All transactions and other events are promptly recorded at the correct
amount, in the appropriate accounts and in the proper accounting period,
so as to permit preparation of financial statements in accordance with
the applicable reporting framework (e.g. relevant legislation and
applicable accounting standards);
(c) Access to assets is permitted only in accordance with proper
authorisation; and
(d) Recorded assets are compared with the existing assets at reasonable
intervals and appropriate action is taken with regard to any differences.
An internal control system can only provide the directors with reasonable
confidence that their objectives are reached because of inherent limitations
such as:
(a) The usual requirement that the cost of an internal control is not
disproportionate to the potential loss which may result from its absence;
(b) Most systematic internal controls tend to be directed at routine
transactions rather than non-routine transactions;
(c) The potential for human error due to carelessness, distraction, mistakes
of judgement and the misunderstanding of instruction;
(d) The possibility of circumvention of internal controls through collusion
with parties outside or inside the entity;
(e) The possibility that a person responsible for exercising an internal control
could abuse that responsibility, for example by overriding an internal
control; and
(f) The possibility that procedures may become inadequate due to changes
in conditions or that compliance with procedures may deteriorate over
time (Chitty, 2004).
These factors indicate why auditors cannot obtain all their evidence from tests
of the system of internal control.

Control Risk in the Small Business

Auditors must obtain an appropriate level of audit evidence to support their
audit opinion regardless of the size of the entity.
However, many internal controls relevant to large entities are not practical in
the small business; for example, in small businesses accounting procedures
may be performed by few persons, who may have both operating and custodial
responsibilities and, consequently, segregation of duties may be severely
limited. Inadequate segregation of duties may, in some cases, be offset by other
control procedures and close involvement of an owner or manager in strong
supervisory controls where they have direct personal knowledge of the entity
and involvement in transactions though, this in itself may introduce other risks.
In circumstances where segregation of duties is limited and evidence of
supervisory controls is lacking, the audit evidence necessary to support the
auditors’ opinion on the financial statements may have to be obtained entirely
through the performance of substantive procedures and any audit work carried
out in the course of preparing the financial statements.

Control Risk

If auditors, after obtaining an understanding of the accounting system and
control environment, expect to be able to rely on their assessment of control
risk to reduce the extent of their substantive procedures, they should make a
preliminary assessment of control risk for material financial statement
assertions, and should plan and perform tests of control to support that
assessment.
If, as a result of their work on the accounting system and control environment,
auditors decide it is likely to be inefficient or impossible to rely on any
assessment of control risk to reduce their substantive procedures, no such
assessment is necessary and control risk is assumed to be high. The auditors
may adopt substantive procedures in such cases.

Preliminary Assessment of Control Risk

The preliminary assessment of control risk is the process of evaluating the
likely effectiveness of an entity’s accounting and internal control systems in
preventing and correcting material misstatements. This entails consideration
of the design of the accounting and internal control systems to assess their
likely effectiveness. There is, however, always some control risk because of the
inherent limitations of any internal control system. The more effective the
entity’s accounting and internal control systems are assessed to be, the lower
the auditors’ assessment of control risk.
Where auditors obtain satisfactory audit evidence from tests of control as to the
effectiveness of the accounting and internal control systems, the extent of
substantive procedures may be reduced.
Auditors may conclude that the accounting and internal control systems are
not effective, or they may decide that is likely to be inefficient to adopt an audit
approach which relies on tests of control. In these circumstances they plan the
audit approach on the basis that sufficient and appropriate audit evidence
needs to be obtained entirely from substantive procedures and from any audit
work carried out in the preparation of the financial statements.

Relationship Between the Assessments of Inherent and Control Risks

Management often react to situations where inherent risk is high by designing
accounting and internal control systems to prevent and detect misstatements
and therefore, in many cases, inherent risk and control risk are highly
interrelated. In such situations, the effects of inherent and control risk may be
more appropriately determined by making a combined assessment” (Chitty,
2004).

Documentation of Understanding and Assessment of Control Risk

When control risk is assessed at less than high, auditors should document the
basis for that conclusion in their working paper file.
Different techniques may be used to document information relating to
accounting and internal control systems and the assessment of control risk.
Selection of a particular technique is a matter for the auditors’ judgement.
Common techniques, used alone or in combination, are narrative descriptions,
questionnaires, checklists and flow-charts. The form and extent of this
documentation is influenced by the size and complexity of the entity and the
nature of the entity’s accounting and internal control systems.
Generally, the more complex the entity’s accounting and internal control
systems are, the more extensive the auditors’ procedures, the more extensive
the documentation needs to be.

Test of Control

Tests of control are performed to obtain audit evidence about the effective
operation of the accounting and internal control systems - that is, that properly
designed controls identified in the preliminary assessment exist in fact and
have operated effectively throughout the relevant period. They include tests of
elements of the control environment where strengths in the control environment
are used by auditors to reduce control risk assessments.
In the process of obtaining the understanding of the accounting and internal
control systems, some tests of control on one assertion may provide audit
evidence about the effectiveness of the operation of internal controls relevant
to another assertion and, consequently, serve as tests of control for the other
assertion. For example, “in obtaining the understanding of the accounting and
internal control systems pertaining to cash, auditors may obtain audit evidence
about the effectiveness of the bank reconciliation process, through enquiry and
observation.
In these circumstances, when auditors conclude that procedures performed to
obtain the understanding of the accounting and internal control systems also
provide audit evidence about the operating effectiveness of policies and
procedures relevant to a particular financial statement assertion, they may
use that evidence, on its own or (if not in itself sufficient) with other appropriate
audit evidence, to support a control risk assessment at less than high.
Tests of control may include:
(a) Corroborative enquiries about, and observation of, internal control
functions;
(b) Inspection of documents supporting controls or events to gain audit
evidence that internal controls have operated properly, for example,
verifying that a transaction has been authorised or a reconciliation
approved;
(c) Examination of evidence of management reviews, for example minutes
of management meetings at which financial results are reviewed and
corrective action taken;
(d) Re-performance of control procedures, for example reconciliation of bank
accounts, to ensure they were correctly performed by the entity; and
(e) Testing of the internal controls operating on specific computerised
applications or over the overall information technology function, for
example access or program change controls (Chitty, 2004).
When obtaining evidence about the effective operation of internal controls,
relevant factors for auditors to consider are:
(a) How they were applied;
(b) The consistency with which they were applied during the period; and
(c) By whom they were applied.
The concept of effective operation recognises that some deviations may have
occurred. Deviations from prescribed controls may be caused by such factors
as:
(a) Changes in key personnel;
(b) Significant seasonal fluctuations in volume of transactions; and
(c) Human error; in particular, staff changes in key internal control functions
may increase control risk.
If there have been such changes in the period under review, auditors may need
to modify their tests of control to confirm effective operation during and after
the period of change.
In a computer environment, auditors may find it necessary, or may prefer to
use computer-assisted audit techniques. The use of such techniques, for example
file interrogation tools or audit test data, may be appropriate when the
accounting and internal control systems provide no visible evidence
documenting the performance of internal controls which are programmed into
a computerised accounting system.

Quality and Timeliness of Audit Evidence

Certain types of audit evidence obtained by auditors are more reliable than
others. Usually, auditors’ observations provide more reliable audit evidence
than merely making enquiries. Audit evidence obtained by some tests of control,
such as observation, pertains only to the point in time at which the procedure
was applied.
Auditors may decide to perform some tests of control at an interim audit visit
advance of the period end. However, they cannot rely on the results of such test
without considering the need to obtain further evidence relating to the remainder
of the period. Factors to be considered include:
(a) The results of the interim tests;
(b) The length of the remaining period;
(c) Whether any changes have occurred in the accounting and internal
control systems during the remaining period;
(d) The nature and amount of the transactions and other events and the
balances involved;
(e) The control environment; and
(f) The nature, timing and extent of the substantive procedures which they
plan to undertake (Chitty, 2004).

Final Assessment of Control Risk

Having undertaken tests of control, auditors should evaluate whether the
preliminary assessment of control risk is supported.
Whenever deviations are detected:
(a) Auditors make specific enquiries in order to consider their implications;
or
(b) It may be that, in the circumstances, they can obtain sufficient
appropriate audit evidence to conclude that, despite those deviations,
their preliminary assessment is supported. On the other hand, if they
conclude that the deviation rate is such that the preliminary assessment
is not supported, they amend their assessment of control risk, unless
audit evidence obtained from other tests of control supports that
assessment.
If the evaluation of deviations results in auditors concluding that the assessed
level of control risk needs to be revised, they should modify the nature, timing
and extent of their planned substantive procedures.

Detection Risk

APB SAS 300 on ‘Accounting and internal control systems’ states that “auditors
should consider the assessed levels of inherent and control risk in determining
the nature, timing and extent of substantive procedures required to reduce
audit risk to an acceptable level”. In this regard, the auditors should be aware
that the level of detection risk relates to the auditors’ substantive procedures
(tests of details of transactions and balances and analytical procedures). It is
primarily the consequence of the fact that auditors do not, and cannot, examine
all available evidence; auditors seek reasonable confidence and so do not
examine all items, not all evidence concerning any item that is examined.
Moreover, as audit evidence is generally persuasive rather than conclusive,
some detection risk is usually present even if they examine all evidence
available of an account balance or an entire class of transactions.

Audit Opinion

Auditors must obtain sufficient appropriate audit evidence as to whether the
financial statements are free of material misstatement. Internal controls, even
if fairly simple and unsophisticated, may contribute to this evidence.
The auditors’ control risk assessment, together with the inherent risk assessment,
influences the nature, timing and extent of substantive procedures to be
performed to reduce detection risk, and therefore audit risk, to an acceptably
low level.
Regardless of the assessed levels of inherent and control risks, auditors should
perform some substantive procedures for financial statement assertions of
material account balances and transaction classes. Substantive procedures
may comprise only analytical procedures where such procedures provide
sufficient appropriate evidence.
When both inherent and control risks are assessed as high, auditors consider
whether substantive procedures can provide sufficient appropriate audit
evidence to reduce detection risk, and therefore audit risk, to an acceptably
low level. For example, they may not be able to obtain sufficient evidence about
the completeness in income in the absence of some internal controls. When
auditors determine that detection risk regarding a material financial statement
assertion cannot be reduced to an acceptably low level, they consider the
implications for their report (Chitty, 2004).

Communication of Weaknesses

As a result of obtaining an understanding of the accounting and internal control
systems and of performing audit procedures, auditors may become aware of
weaknesses in the systems. This should be communicated to the directors or
management using ‘management reports’.

Risk Assessments and Internal Control

International Standard on Auditing 400 titled ‘Risk assessments and internal
control’ states as follows:
(a) The auditors should obtain an understanding of the accounting system
sufficient to identify and understand:
(i) Major classes of transactions in the entity’s operations;
(ii) How such transactions are initiated;
(iii) Significant accounting records, supporting documents and
accounts in the financial statements; and
(iv) The accounting and financial reporting process, from the initiation
of significant transactions and other events to their inclusion in
the financial statements.
(b) The auditor should obtain an understanding of the control environment
sufficient to assess directors’ and management’s attitudes, awareness
and actions regarding internal controls and their importance in the entity.
(c) The auditor should obtain an understanding of the control procedures
sufficient to develop the audit plan.
(d) The auditor should obtain and document an understanding of the
accounting system and control environment sufficient to determine their
audit approach.
(e) The preliminary assessment of control risk for a financial statement
assertion should be high, unless the auditor:
(i) Is able to identify internal controls relevant to the assertion which
are likely to prevent or detect and correct a material misstatement;
and
(ii) Plans to perform tests of control to support the assessment.
When auditors conclude that they do not wish to rely on tests of control, they
plan the audit approach, on the basis that sufficient appropriate audit evidence,
needs to be obtained entirely from substantive procedures, and from any audit
work carried out in the preparation of the financial statements.
The auditor should document in the audit working papers:
(a) The understanding obtained of the entity’s accounting and internal
control systems; and
(b) The assessment of control risk.
The higher the assessment of inherent and control risk, the more evidence the
auditor should obtain from the performance of substantive procedures.
When the auditor determines that; detection risk regarding a financial statement
assertion for a material account balance or class of transactions cannot be
reduced to an acceptably low level, the auditor should express a qualified
opinion or disclaimer of opinion.
The auditor should make management aware, on a timely basis and at an
appropriate level of responsibility, of material weaknesses in the design or
operation of the accounting and internal control systems, which have come to
the auditor’s attention” (Chitty, 2004).

---

Share : Facebook Twitter Google+ Digg

Jika Anda menyukai Artikel di blog ini, Silahkan klik disini untuk berlangganan gratis via email, Anda akan mendapat kiriman artikel setiap ada artikel yang terbit di Our Akuntansi