ACCA F8 (INT) Audit & Assurance - 2010 - Study text - Emile Woolf Publishing
Подождите немного. Документ загружается.
Chapter 7: Introduction to audit evidence
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 155
4.4 Use by the client of service organisations: ISA 402
A client company may use service organisations to assist it in various areas of its
operations, such as:
information processing (for example, payroll processing)
the maintenance of accounting records (for example, keeping the share register
for a company with many shareholders)
the maintenance of the safe custody of assets, such as investments.
The use of service organisations is often referred to as outsourcing.
Impact of outsourcing on the external auditor
ISA 402 Audit considerations relating to an entity using a service organisation states that
the services provided by a service organisation are relevant to the audit when those
services, and the controls over them, are part of the entity’s information system.
Such controls are most likely to relate to financial reporting but other controls could
also be relevant to the audit – such as controls over the safeguarding of assets.
When the client uses the services of a service organisation, the objectives of the
auditor, per ISA 402, are:
to obtain an understanding of the nature and significance of those services and
their effect on his client’s internal controls, sufficient to identify and assess the
risks of material misstatement, and
to design and perform audit procedures in response to the assessed risks.
Obtaining an understanding of the services provided
In obtaining an understanding of the services provided the auditor is applying ISA
315, which was discussed in a previous chapter. The auditor is required to:
understand how his client uses the services provided, and
evaluate the controls at his client which relate to the services provided.
Forexample,aclientmayhaveoutsourceditspayrolltransactions,andhave
establishedcontrolsoverthesubmissionandreceiptofpayrollinformationthat
wouldpreventordetectmaterialmisstatements.Testingthesecontrolsmayenable
theauditortoconcludethatpayrollisnotmateriallymisstated,regardlessofthe
controlsinplaceat
theserviceorganisation.
If the auditor is unable to obtain a sufficient understanding from the client then
he should use one or more of the following procedures:
Obtain a Type 1 or Type 2 report (see below).
Contact the service organisation, via the client, to obtain specific information.
Visit the service organisation and perform appropriate procedures to give the
necessary information.
Use another auditor to perform such procedures.
Paper F8: Audit and assurance (International)
156 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
Type 1 and Type 2 reports
A Type 1 report comprises:
A description of the service organisation’s system, control objectives and
controls as at a specified date (prepared by the management of the service
organisation), and
A “reasonable assurance” report on the above description and the suitability of
the controls to achieve the specified control objectives (prepared an auditor
instructed by the service organisation).
A Type 2 report is a more detailed report, covering not only the theoretical controls
in place, but also whether, in practice, the controls have achieved their objectives.
The description may now cover a specified period, and may also report on the
operating effectiveness of the controls over that period. The report will now also
give:
the “service auditor’s” opinion on the operating effectiveness of the controls,
and
a description and the results of his tests of controls.
In common with earlier theory in this chapter, before relying on a Type 1 or Type 2
report the “user auditor” must be satisfied as to:
the service auditor’s professional competence and independence from the
service organisation, and
the standards under which the report was issued.
Responding to the assessed risks of material misstatement
In responding to the assessed risks, the auditor is applying ISA 330, which was
discussed in a previous chapter. The auditor is required to:
determine whether sufficient appropriate audit evidence is available from
records held at the client, and, if not
perform further audit procedures to obtain such evidence or use another auditor
to perform those procedures at the service organisation on his behalf.
If the auditor wishes to perform tests of controls he should use one or more of the
following procedures:
Obtain a Type 2 report.
Perform appropriate tests of controls at the service organisation.
Use another auditor to perform such procedures on his behalf.
Other requirements
The auditor should enquire of management as to whether the service organisation
has reported any fraud, non-compliance or uncorrected misstatements to them.
If the auditor is unable to obtain sufficient appropriate audit evidence regarding the
services provided by the service organisation he should express a modified opinion
Chapter 7: Introduction to audit evidence
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 157
in his audit report. (The different types of audit opinions are discussed in a later
chapter.)
The auditor should not refer in his report to the work of a service auditor unless
that is required by law or regulation. Even then, or if the auditor refers to the
expert’s work in his report because it is relevant to an understanding of a modified
opinion, then he must make it clear that such a reference does not reduce his
responsibility for that opinion in any way.
Paper F8: Audit and assurance (International)
158 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 159
Paper F8 (INT)
Audit and assurance
CHAPTER
8
Internal control: ISA 315
Contents
1 The importance of internal control
2 The elements of internal control
3 Limitations of internal control systems
4 Recording internal control systems
5 Evaluation of controls and audit risk assessment
6 The risks of specialised IT systems
Paper F8: Audit and assurance (International)
160 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
The importance of internal control
The auditor’s assessment of internal controls
The meaning of internal control
How the auditor uses internal controls
Summary of the audit approach: tests of controls or substantive tests?
1 The importance of internal control
1.1 The auditor’s assessment of internal controls
As seen in previous chapters, the auditor is required by ISA 315 to make an
assessment of risk. This is made at both the financial statement level and at the
assertion level.
The auditor is then required by ISA 330 to respond to those risks. The overall
responses in relation to the financial statement level risks were discussed in a
previous chapter.
The responses at the assertion level involve the auditor selecting appropriate audit
procedures. The choice of audit procedures will depend on the auditor’s assessment
of both:
inherent risk, and
control risk.
This chapter looks at this requirement in detail and considers how the auditor’s
assessment of internal controls will influence his selection of the approach to the
audit.
1.2 The meaning of internal control
Internal control may be defined as the process designed, put in place and
maintained to provide assurance of a reasonable level regarding the achievement of
the objectives of an entity. These objectives relate to the reliability of the financial
reports, the efficiency and effectiveness of operations and adherence to relevant and
applicable laws and regulations
The following points should be noted from this definition:
It is the responsibility of management to ‘design’ and put in place a suitable
system of internal controls.
Internal controls are designed to deal with financial risks, operational risks and
compliance risks.
Since internal controls are established by management, the auditor has to accept
what controls there are. However, he can assess and evaluate the controls, and
will plan his audit on the basis of his assessment.
Chapter 8: Internal control: ISA 315
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 161
1.3 How the auditor uses internal controls
Modern auditing is, wherever possible, based on a ‘systems’ based approach. With
this approach, the auditor relies on the accounting systems and the related controls
to ensure that transactions are properly recorded.
His assumption is that if the systems and the internal controls are adequate, the
transactions should be processed correctly.
The audit emphasis is therefore, as much as possible, on the systems processing
the transactions rather than on the transactions themselves.
Before the auditor can rely on the systems and controls that are in place, he must
establish what those systems and controls are, and carry out an evaluation of the
effectiveness of the controls.
In other words, the systems-based audit approach is based on the premise that
accounting systems and their related internal controls are sufficient to record
transactions properly. However, the auditor should first test the controls, in order to
satisfy himself that this approach to the audit is valid.
The degree of effectiveness of an internal control system will depend on the
following two factors:
The design of the internal control system and the individual internal controls.
Is the control system able to prevent material misstatements, or is it able to
detect and correct material misstatements if they occur?
The proper implementation of the controls. Are the controls operated properly
by the client’s management and other employees?
The outcome of this evaluation helps the auditor to assess control risk – which is
one of the key elements in the audit risk model (described in an earlier chapter).
1.4 Summary of the audit approach: tests of controls or substantive tests?
As far as possible, the auditor will rely on the internal controls that are in operation.
However, all internal control systems have inherent limitations, and controls can
never be ‘perfect’ and 100% certain to be effective. It will therefore never be possible
for the auditor to rely on them completely.
This point is made in the Turnbull Report on Internal Control (in the UK), which
comments that:
‘A sound system of internal control reduces, but cannot eliminate, the possibility of poor
judgement in decision-making; human error; processes being deliberately circumvented by
employees and others; management overriding controls; and the occurrence of unforeseeable
circumstances.’
The auditor must therefore:
test the underlying internal control systems themselves, using tests of controls,
and, in addition, perform some tests on the transactions and balances in the
financial statements.
Paper F8: Audit and assurance (International)
162 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
Planning and
risk assessment
Overall review
of financial
statements
Assessment of
internal controls
as weak
Assessment of
internal controls
as strong
Tests of controls
Extensive
substantive
testing
Reduced
substantive
testing
Issue audit
report
As discussed in a previous chapter, these tests on transactions and balances are
referred to as substantive procedures:
Where the auditor concludes that the system of controls is weak, and that the
controls therefore cannot be relied on, he will have to carry out extensive
substantive procedures. When an audit relies heavily on substantive procedures,
the approach to the audit is called a transactions-based approach
If the auditor judges that the internal controls are strong, he will carry out tests
on the controls (in order to verify his opinion about them) and should need a
smaller amount of substantive testing. When an audit is based mainly on a
favourable assessment of the internal controls, the approach to the audit is called
a systems-based approach.
The diagram below summarises the audit approach, which will be considered in
more detail in later sections.
Chapter 8: Internal control: ISA 315
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 163
The elements of internal control
The internal control system and internal controls
The five elements of internal control
The control environment
The entity’s risk assessment process
The information system
Control activities
Internal controls in IT systems: general controls and application controls
Contro l weaknesses and the F8 exam
Monitoring of controls
Understanding the control system: walk-through tests
Specific IT controls
2 The elements of internal control
2.1 The internal control system and internal controls
A distinction should be made between:
an internal control system, and
internal controls.
The Turnbull Report on Internal Control defines an internal control system as
follows:
‘An internal control system encompasses the policies, processes, tasks, behaviours and other
aspects of a company that, taken together:
facilitates its effective and efficient operation by enabling it to respond appropriately to
significant business, operational, financial, compliance and other risks to achieving the
company’s objectives. This includes the safeguarding of assets from inappropriate use or
from loss and fraud, and ensuring that liabilities are identified and managed;
help ensure the quality of internal and external reporting. This requires the maintenance
of proper records and processes that generate a flow of timely, relevant and reliable
information from within and outside the organisation;
help ensure compliance with applicable laws and regulations, and also with internal
policies with respect to the conduct of business.’
Internal controls are a part of the internal control system, but the internal control
system is more than just the internal controls.
Paper F8: Audit and assurance (International)
164 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
2.2 The five elements of internal control
ISA 315 identifies five elements which together make up the internal control system.
These are:
(1) The control environment
(2) The entity’s risk assessment process
(3) The information system
(4) Control activities (internal controls)
(5) Monitoring of controls
ISA 315 requires the auditor to:
gain an understanding of each of these elements as part of his evaluation of the
control systems operating within an entity
document the relevant features of the control systems together with his
evaluation of their effectiveness.
Once this understanding has been gained, the auditor should confirm that his
understanding is correct by performing ‘walk-through’ tests on each major
transaction type (for example, revenue, purchases, payroll).
Walk-through testing involves the auditor selecting a small sample of transactions
and following them through the various stages in their processing in order to
establish whether his understanding of the process is correct.
2.3 The control environment
The ‘control environment’ is often referred to as the general ‘attitude’ to internal
control of management and employees in the organisation.
The control environment includes the views, awareness and actions of management
regarding an entity’s internal control. It also includes the governance and functions
of management and asserts the premise of an organisation. It is the basis for good
internal control, providing guidance and structure.
The control environment includes the following elements:
Communication and enforcement of integrity and ethical values
Commitment to competence
Participation of management
Management’s philosophy and operating style
Organisational structure
Assignment of authority and responsibility
Human resource policies and practices
A strong control environment is typically one where management shows a high
level of commitment to establishing and operating appropriate controls.