ACCA P7 (INT) Advanced Audit & Assurance - Study Text - 2010 (Emile Woolf Publishing)
Подождите немного. Документ загружается.
Chapter 6: The audit approach
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 115
Before the auditor can rely on the systems and controls that are in place, he must
establish what those systems and controls are, and carry out an evaluation of the
effectiveness of the controls.
3.2 What makes an effective system of internal controls?
ISA 315 identifies five elements which together make up an internal control system.
These are:
the control environment
the entity’s risk assessment process
the information system
control activities (internal controls)
the review and monitoring of controls.
3.3 The control environment
The ‘control environment’ is often referred to as the general ‘attitude’ to internal
control of management and employees in the organisation.
The control environment has been defined by the Institute of Internal Auditors as
follows: ‘the attitude and actions of the board [of directors] and management
regarding the significance of control within the organisation. The control
environment provides the discipline and structure for the achievement of the
primary objectives of the system of internal control. The control environment
includes the following elements:
integrity and ethical values
management’s philosophy and operating style
organisational structure
assignment of authority and responsibility
human resource policies and practice
competence of personnel.’
A strong control environment is typically one where management shows a high
level of commitment to establishing and operating sound controls.
The existence of a strong control environment cannot guarantee that controls are
operating effectively, but it is seen as a positive factor in the auditor’s risk
assessment process. Without a strong control environment, the control system as a
whole is likely to be weak.
Evaluating the control environment
ISA 315 requires auditors to gain an understanding of the control environment. Part
of this understanding involves the auditor evaluating the control environment, and
assessing its effectiveness.
Paper P7: Advanced audit and assurance (International)
116 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
In evaluating the control environment, the auditor should consider such factors as:
management participation in the control process, including participation by the
board of directors
management’s commitment to a control culture
the existence of an appropriate organisation structure with clear divisions of
authority and responsibility
an organisation culture that expects ethically-acceptable behaviour from its
managers and employees
appropriate human resource policies, covering recruitment, training,
development and motivation, which reflect a commitment to quality and
competence in the organisation.
3.4 The entity’s risk assessment process
Within a strong system of internal control, management should identify, assess and
manage business risks, on a continual basis. Significant business risks are any events
or omissions that may prevent the entity from achieving its objectives.
Identifying risks means recognising the existence of risks or potential risks.
Assessing the risks means deciding whether the risks are significant, and possibly
ranking risks in order of significance. Managing risks means developing and
implementing controls and other measures to deal with those risks.
ISA 315 requires the auditor to gain an understanding of these risk assessment
processes used by the client company’s management, to the extent that those risk
assessment processes may affect the financial reporting process.
The quality of the risk assessment and management process within the client
company can be used by the auditor to assess the overall level of audit risk. If
management has no such process in place, the auditor will need to do more work on
this aspect of the audit planning.
3.5 The information system
ISA 315 requires the auditor to gain an understanding of the business information
systems (including the accounting systems) used by management to the extent that
they may affect the financial reporting process.
This aspect of the auditor’s work will involve identifying and understanding the
following:
the entity’s principal business transactions
how these transactions and other events relevant to the financial reporting
process are ‘captured’ (identified and recorded) by the entity
the processing methods, both manual and electronic, applied to those
transactions
Chapter 6: The audit approach
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 117
the accounting records used, both manual and electronic, to support the figures
appearing in the financial statements
the processes used in the preparation of the financial statements.
The information system therefore consists of:
infrastructure (physical and hardware components) – manual accounting
systems may have little infrastructure.
software (in IT-based accounting systems)
people
procedures
data.
3.6 Control activities
Control activities are the practices and procedures, other than the control
environment, used to ensure that the entity’s objectives are achieved. They are the
application of internal controls.
Control activities are the specific procedures designed:
to prevent errors that may arise in processing information, or
to detect and correct errors that may arise in processing information.
Categories of control activities (internal controls)
Controls include the following types: (In the examination, if you are asked to
suggest suitable internal controls within a given system the items in this list should
provide a useful checklist.)
Authorisation controls. These require that all significant transactions must be
authorised by a manager at an appropriate level in the organisation.
Physical controls over assets. These are controls for safeguarding assets from
unauthorised use, or from theft or damage. An example is limiting access to
inventory areas to a restricted number of authorised personnel.
Arithmetic controls. These are checks on the arithmetical accuracy of
processing. An example is checking invoices from suppliers, to make sure that
the amount payable has been calculated correctly.
Accounting controls. These are controls that are provided within accounting
procedures to ensure the accuracy or completeness of records. An example is the
use of control account reconciliations to check the accuracy of total trade
receivables or total trade payables.
Management controls. These are controls applied by management. They include
supervision by management of the work of subordinates, management review of
performance and control reporting (including management accounting
techniques such as variance analysis).
Segregation of duties. This type of control is explained below.
Paper P7: Advanced audit and assurance (International)
118 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
Segregation of duties
Segregation of duties means dividing the work to be done between two or more
individuals, so that the work done by one individual acts as a check on the work of
the others. This reduces the risk of error or fraud.
If several individuals are involved in the completion of an overall task, this
increases the likelihood that errors will be detected when they are made.
Individuals can often spot mistakes of other people more easily than they can
identify their own mistakes.
It is more difficult for a person to commit fraud, because a colleague may
identify suspicious transactions by a colleague who is trying to commit a fraud.
3.7 Monitoring of controls
It is important within an internal control system that management should review
and monitor the operation of the controls, on a systematic basis, to satisfy
themselves that the controls remain adequate and that they are being applied
properly. ISA 315 requires the auditor to obtain an understanding of this monitoring
process.
3.8 How the auditor uses internal controls
Most audits are, wherever possible, based on a systems-based approach. The
auditor relies on the accounting systems and the related controls to ensure that
transactions are properly recorded. The audit emphasis is therefore, as much as
possible, on the systems processing the transactions rather than on the transactions
themselves.
Understanding the controls
ISA 315 requires the auditor to:
gain an understanding of each of the five elements of the client’s internal control
system, and
document the relevant features of the control systems.
Once this understanding has been gained, the auditor should confirm that his
understanding is correct by performing ‘walk-through’ tests on each major type of
transaction (for example, sales transactions, purchase transactions, payroll).
Walk-through testing involves the auditor selecting a small sample of transactions
and following them through the various stages in their processing in order to
establish whether his understanding of the process is correct.
If he understands the controls that are in place, the auditor can go on to assess their
effectiveness, and the extent to which he can rely on those controls for the purpose
of the audit.
Chapter 6: The audit approach
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 119
Assessing the effectiveness of controls
The degree of effectiveness of an internal control system will depend on the
following two factors:
The design of the internal control system and the individual internal controls.
Is the control system able to prevent material misstatements, or is it able to
detect and correct material misstatements if they occur? Do the internal controls
appear to be adequate and effective ‘on paper’?
The proper implementation of the controls. Controls are not effective unless
they are implemented properly. So are the controls operated properly by the
client’s management and other employees?
The outcome of this evaluation helps the auditor to assess the control risk. This is
the risk that the internal controls will fail to prevent or detect and correct errors in
the financial statements. This evaluation will allow the auditor to decide on the
extent to which he can take a systems-based approach to the audit.
3.9 The auditor’s evaluation of internal controls
The auditor may judge that the control risk is high, or that the control risk is low
because the internal controls are effective.
If the auditor assesses the control risk as very high, he will probably take the
view that a systems-based audit approach will not be appropriate. He will
therefore move on to detailed testing of transactions and balances (and take a
substantive testing approach to the audit).
Before he can assess the control risk as low, the auditor must be satisfied that the
controls are well-designed and should be effective (in other words, they seem
effective ‘on paper’). Even if the controls appear to be acceptable on paper, the
auditor cannot rely on them and perform a systems-based audit unless he is
confident that the controls are actually working in practice. In this situation, the
next stage in the audit process is to carry out tests of controls.
If the outcome of the tests of control indicates that controls are actually operating
effectively, the audit can use a systems-based approach, with a reduced amount of
substantive testing. Even if the internal control system seems to be effective, the
auditor will never rely 100% on his assessment of the controls. He will always do
some substantive testing before reaching his conclusion about the financial
statements.
This is because of the limitations that are inherent in all control systems. It is
impossible to avoid the risk of control failure that is caused by:
human error (and a failure to apply a control properly)
over-riding of controls by management (which is a deliberate decision to ignore
a control), and
the possibility of collusion and fraud.
Paper P7: Advanced audit and assurance (International)
120 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
Auditors will always supplement their work on systems with some substantive
testing. The amount of this testing will depend on the auditor’s evaluation of the
effectiveness of the controls.
3.10 Summary of the approach to reliance on internal controls
The auditor’s use of a systems-based approach to an audit is summarised in the
following flowchart:
Planning and
risk assessment
Assessment of
internal controls
as weak
Extensive
substantive
testing
Overall review
of financial
statements
Assessment of
internal controls
as strong
Tests of controls
Reduced
substantive
testing
Issue audit
report
Good controls
Chapter 6: The audit approach
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 121
The statement of financial position approach
Substantive tests
The statement of financial position approach
Smaller entities
4 The statement of financial position approach
4.1 Substantive tests
When an auditor assesses the control risk as high, he will not be able to adopt a
systems-based approach to the audit. Instead he will carry out extensive substantive
testing.
Substantive tests are audit procedures performed to detect material misstatements
in the figures reported in the financial statements. They are designed to obtain
evidence about the financial statement assertions. They include:
tests of detail on transactions, account balances and disclosures, and
analytical procedures.
4.2 The statement of financial position approach
The statement of financial position approach is also an approach to the audit based
wholly on substantive testing. However, with this approach the auditor
concentrates primarily on:
testing balances, as opposed to
testing balances and transactions.
It is an approach that is often well-suited to small companies and to companies
where assets and liabilities are substantial in relation to transactions (e.g. investment
companies).
This approach is based on the following accounting equation:
Opening net assets + Profit for the year = Closing net assets
The theory is that if the opening and closing statements of financial position are
‘correct’ then the profit for the year must also be correct.
4.3 Smaller entities
ISAsapplytotheauditsofallentities–whatevertheirsize.However,additional
considerationsspecifictoauditsofsmallerentitiesareincludedwithinthe
applicationandotherexplanatorymaterialofaISAs,whereappropriate.These
Paper P7: Advanced audit and assurance (International)
122 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP
additionalconsiderationsassistintheapplicationoftherequirementsoftheISAin
theauditofsuchentities.Theydonot,however,limitorreducetheresponsibilityof
theauditortoapplyandcomplywiththerequirementsoftheISAs.
TheIAASB’sGlossaryoftermsdefinesasmallerentityas
onewhichtypicallypossesses
thefollowingcharacteristics:
Concentration of ownership and management in a small number of individuals
(often a single owner-manager)
One or more of the following:
- Uncomplicated transactions
- Simple record-keeping
- Few lines of business/products
- Few internal controls
- Few levels of management with responsibility for a broad range of controls
- Few personnel, many having a wide range of duties.
Many of the control activities that would typically be found in a large company may
be inappropriate, too costly or impractical for a small entity. Segregation of duties is
an obvious example of this. Smaller entities do not have enough employees for an
‘ideal’ segregation of duties.
Often, control systems in smaller entities are based on a high level of involvement in
day-to-day operations by the directors or owners of the company. Authorisation
controls and review controls, with the owner-manager personally authorising many
transactions, might therefore be a key feature of the control systems in smaller
entities.
Although the active involvement of an owner-manager might mitigate risks arising
for a lack of segregation of duties, the auditor will often see the involvement of an
owner-manager in day-to-day operations as only a partial substitute for ‘normal’
control systems. The following problems may arise:
There may be a lack of evidence as to how systems are supposed to operate. The
auditor will need to rely more on enquiry than on review of documentation.
There may be a lack of evidence of the application of controls in practice (for
example, authorisations may not be documented).
Management may override whatever internal controls are in place.
Management may lack the expertise necessary to control the entity effectively.
There is unlikely to be any independent person within the management team as
there would be within “those charged with governance” in a larger entity.
The attitudes and actions of the owner-manager will be key to the auditor’s risk
assessment. There is unlikely to be a written code of conduct so a culture of integrity
and ethical behaviour, as demonstrated by management example, will be important.
Chapter 6: The audit approach
© EWP Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides 123
The auditor needs to understand and evaluate whatever controls are in place and
plan his audit work accordingly. However, it is likely that a lower level of reliance
will be placed on controls in a smaller entity, which means that a considerable
amount of substantive testing will be needed.
Paper P7: Advanced audit and assurance (International)
124 Go to www.emilewoolfpublishing.com for Q/As, Notes & Study Guides © EWP