Module 05

file:///F|/Courses/2010-11/CGA/AU1/06course/m05intro.
htm
Module 5: Internal control

Overview
In this module, you study in detail the concepts of control risk that you learned about in Module 4. You learn how the evaluation, documentation, and testing of the clients procedures and policies for internal control are used to finalize the assessment of control risk. When you complete this module, you should have thorough knowledge of the objectives of internal control. You also apply what you have learned to a scenario involving direction of tests for controls. Assignment reminder: Assignment 1 is due this week (see the Course Schedule). Be sure to allocate time to complete and submit the assignment by the deadline.
Test your knowledge

Begin your work on this module with a set of test-your-knowledge questions designed to help you gauge the depth of study required.
Learning objectives
5.1 Evaluation of internal controls 5.2 Management and auditor responsibility Define internal control, and explain the primary reasons for evaluating internal control. (Level 1) Differentiate between management and auditor responsibility with respect to internal control, and describe their internal control objectives. (Level 1) Identify the components of internal control, and explain the nature of a control environment. (Level 1) Identify the three phases of internal control evaluation. (Level 1) Explain how the auditor uses combined and substantive planning approaches. (Level 1) Identify and describe the seven internal control objectives, explain how they relate to financial statement assertions, and describe effective control procedures. (Level 1) Explain generally accepted auditing standards (GAAS) requirements for documenting internal control, including the use of narratives, internal control questionnaires, flowcharts, and walk-through tests. (Level 1)
5.3 Internal control components and control environment 5.4 Evaluation of internal control 5.5 Combined and substantive planning approaches 5.6 Internal control objectives and control procedures
5.7 Documenting internal controls
5.8 Assessing the risks of material misstatement Explain how an auditor decides whether to assess control risk at maximum or below maximum. (Level 1) 5.9 Testing internal controls Explain the conditions under which an auditor tests controls, describe the nature and extent of tests of controls, and provide examples of tests of controls audit procedures. (Level 1) Explain the rationale for testing controls at an interim date. (Level 1)
5.10 Timing of tests of controls
file:///F|/Courses/2010-11/CGA/AU1/06course/m05intro.htm (1 of 2) [04/10/2010 3:06:35 PM]
file:///F|/Courses/2010-11/CGA/AU1/06course/m05intro.htm
5.11 Internal control in audit strategy 5.12 Audit reports on internal control
Explain how audit strategy is affected by the study and evaluation of internal control. (Level 1) Describe the auditors considerations when issuing an audit report on internal control over the clients financial reporting processes that is integrated with an audit of the clients financial statements. (Level 2)
Module summary Print this module
file:///F|/Courses/2010-11/CGA/AU1/06course/m05t01.htm
5.1 Evaluation of internal controls

Learning objective
Define internal control, and explain the primary reasons for evaluating internal control. (Level 1)
Required reading

Chapter 9, pages 317322 CAS 315.12 (CICA Handbook
, paragraphs 5141.041 and .042)
LEVEL 1
Internal controls
Internal control is the process designed to provide reasonable assurance to achieve the entitys objectives (reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations). As such, these policies and procedures are primarily aimed at achieving management s objectives . Not all these objectives have an audit impact; that is, the auditor is mainly interested in controls that will reduce the risk of material misstatements in the financial statements. GAAS require the auditor to gain sufficient understanding of the clients internal control to plan the audit. However, the auditor conducts internal control evaluation at a level beyond that of just gaining an understanding. The main reasons for this evaluation of internal control are to assess risks of material misstatement, identify types of potential misstatements, and determine the nature, timing, and extent of audit procedures.
file:///F|/Courses/2010-11/CGA/AU1/06course/m05t01.htm [04/10/2010 3:06:37 PM]
5.2 Management and auditor responsibility

Learning objective
Differentiate between management and auditor responsibility with respect to internal control, and describe their internal control objectives. (Level 1)
Required reading

Chapter 9, pages 315317 (up to Reasons for Control Evaluation) and pages 348350 CAS 315.A42.A48 (CICA Handbook, paragraphs 5141.064.066), and CAS 580.A11 paragraph 5141.100) (CICA Handbook,
LEVEL 1
Management is responsible for operating the business in order to achieve short- and long-term goals and objectives. Internal controls are implemented by management to help mitigate the business risks that it faces in achieving these strategic goals. The auditor is concerned with managements internal control objectives as they relate to financial statement preparation, and needs to assess the impact of internal controls on the audit plan and the audit procedures. The auditor is primarily concerned with the reliability of internal controls and whether relying on them is cost-effective from an audit approach standpoint. Internal control relevant to the audit is described in CAS 315.A60.A64 (CICA Handbook, paragraphs 5141.047.053). When considering internal controls, the auditor must be aware of certain situations and limitations regarding the reliance placed on internal control and its assessment. Exhibit 5.2-1 outlines additional considerations for internal control.
Exhibit 5.2-1: Internal control Additional considerations
Situations/Limitations of internal control Internal control slows down data processing and may make the accounting system less efficient, at least from a clients standpoint. In the interest of efficiency, internal control may be modified, ranging from changing procedures to bypassing controls to management override.
Example Management may override a control by ordering an employee to issue a cheque, ignoring the controls stating that every cheque must be supported by adequate documentation.
Impact on the audit How would the auditor discover that the system had broken down? Observation and enquiry of employees would probably suggest that internal control is not working as designed.
Internal control has traditionally been designed to control recurring (routine) transactions.
The auditor should always be aware of the possibility that senior management may override controls. Any evidence that management has overridden the controls during the year under audit should alert the auditor about relying on any controls that management has or might have overridden. Controls may be lacking in The auditor must be particularly transactions involving related party careful that non-routine transactions or mergers. transactions are properly accounted for.
file:///F|/Courses/2010-11/CGA/AU1/06course/m05t02.htm (1 of 2) [04/10/2010 3:06:38 PM]
For a control to be effective, the control must be in place and working for the entire year under audit. This may not always be the case.
The auditor must verify that internal control was in place and working (or not working) during the entire period of reliance (usually the year under audit). The auditor must be careful not to reach an incorrect conclusion about internal control as a consequence of focusing on a limited period and not the entire period covered by the financial statements. (However, the auditor should not conclude that internal control is not working just because tests of controls failed when a key employee was away.) There could be a significant change A company converts from a manual The auditor could treat the year in the accounting system during system to a computerized system as two periods: before and after the year. or from one computerized system conversion. The auditor must also to another. audit the conversion to ensure the balances are carried forward correctly. The auditor should be cautious whenever there is a significant change in the accounting system during the year. A similar approach should be taken if there is a significant change in the quality of internal control during a year (for example, a strong control that existed in the first eight months of the year became non-existent in the remaining four months after a key employee left).
For example, an employee who is an important part of the internal control system may have been on vacation, and her replacement during that time was not as competent. It is likely that internal control, which worked for the rest of the year, did not work as well while the key employee was away, so material misstatements are more likely to have occurred.
After the auditor has completed the evaluation of internal control, he or she can easily identify any deficiencies in internal control. The auditor has a responsibility to report internal control deficiencies to the appropriate level of management. If the auditor identifies deficiencies that create a serious risk of material misstatement, these must be reported in writing to the audit committee or equivalent.
5.3 Internal control components and control environment

Learning objective
Identify the components of internal control, and explain the nature of a control environment. (Level 1)
Required reading

Chapter 7, pages 248254 Chapter 9, pages 328332 and 339345 CAS 315.14.19 and CAS 315.A69.A75 (CICA Handbook CAS 315.A79.A99 (CICA Handbook, Appendix 1 (CICA Handbook,
, paragraphs 5141.043.046), paragraphs 5141.067.089), and CAS 315, section 5141 Appendix B)
LEVEL 1
Internal control
Internal control is subdivided into five components to provide a useful framework for auditors to consider how an entitys internal control may affect the audit. Appendix 1 of CAS 315 (Appendix B of section 5141) provides a description of the various components of internal control.
Control environment
The control environment is the aspect of internal control that allows for the creation and maintenance of effective policies and procedures. The control environment sets the tone at the top of the organization and, as a result, it will affect all other components of internal control. For example, the board of directors of an organization hires managers to run the company and specifies who among the managers is authorized to sign cheques. In this situation, the board of directors is an element of the control environment that enables the organization to have specific policies for cash disbursements.
5.4 Evaluation of internal control

Learning objective
Identify the three phases of internal control evaluation. (Level 1)
Required reading

Chapter 9, pages 326327, 337338, and 345346 (Summary of Phases 1 and 2) CAS 610.7.13, Using the work of internal auditors CAS 330.3.12 (CICA Handbook , paragraphs 5143.01.09), CAS 330.A20.A27 , paragraphs 5143.22.27), CICA (CICA Handbook Handbook, paragraph 5143.47, CAS 330.20.24 and CAS 330.A42.A54 (CICA Handbook, paragraphs 5143.49.56)
LEVEL 1
Internal control evaluation involves three phases:

Phase 1: Understanding the internal control Phase 2: Assessing preliminary control risk (CR) and determining audit approach Phase 3: Performing test of controls audit procedures when assessing CR below maximum
Phase 1
The level of understanding of internal control and assessment of identified risks at the assertion level provide a basis for considering the appropriate audit approach either a combined approach or a substantive approach. In a combined approach, the auditor determines that using both tests of controls and substantive procedures is an efficient approach. In a substantive approach, the auditor determines that performing only substantive procedures is appropriate for specific assertions and thus, excludes the effect of controls from the relevant risk assessment. When an internal audit function exists in the entity under audit, the auditor should obtain an understanding of this function and, to increase efficiency, consider using any relevant work produced by the internal audit function. The major difference between the two approaches is that, under the combined approach, the auditor is required to gain a higher level of understanding and evidence that must include the control systems enhancing the reliability of information.
Phase 2
Internal control evaluation is the preliminary assessment of risk of material misstatement at the assertion level and may include an expectation of the operating effectiveness of controls. The preliminary risk assessment determines the audit approach. The auditor would go on to Phase 3 only if a combined approach is feasible; that is, when internal controls appear to be good based on the auditors understanding and it is efficient to rely on them. If this is the case, then the auditor would develop and perform test of controls (or dual-purpose) procedures for gathering sufficient appropriate audit evidence that the controls are operating effectively. Otherwise, the auditor would assess control risk at maximum and use a substantive approach.
Phase 3
This phase of testing internal controls consists of procedures designed to support the extent to which the auditor plans to rely on the operating effectiveness of the control in the assessment of risk (and thus suitably reduce substantive procedures based on the reliance on such control). While the auditor may determine that the risk of material misstatement may be reduced to an acceptably low level by performing only tests of control, the auditor always performs substantive procedures for each material class of transactions, account balance, and disclosure (CAS 330.20; CICA Handbook , paragraph 5143.50).
Internal control objectives also relate to the validity of the financial statement assertions. In this regard, securities regulations also require the auditor to consider internal controls that relate to financial reporting.
5.5 Combined and substantive planning approaches

Learning objective
Explain how the auditor uses combined and substantive planning approaches. (Level 1)
Required reading

Chapter 9, pages 335337 CAS 330.12, A66A68
LEVEL 1
Combined audit approach

After obtaining an understanding of internal controls, the auditor may wish to rely on the internal controls as evidence. In this case, the auditor must first test whether the internal controls are operating effectively for the entire financial reporting period. If the results of the tests indicate that the controls were operating effectively, the auditor can reduce the number of substantive procedures performed.
Substantive audit approach

A substantive audit approach is used when the auditor does not rely on internal controls as evidence. In this approach, the auditor is still required to obtain an understanding of the internal controls but will assess control risk at maximum. Since the auditor does not intend to rely on the internal controls, she or he does not test any controls for their operating effectiveness. Substantive testing will be the only type of evidence collected to support the audit opinion. The auditor can choose different approaches for the each transaction cycle as well as for the various transaction or balance related audit objectives. For example, if there are strong controls for the occurrence of sales, the auditor will test the controls for operating effectiveness and reduce the number of substantive audit procedures. If the controls over the completeness of liabilities are weak, the auditor will not test controls and will use substantive procedures to collect evidence.
5.6 Internal control objectives and control procedures

Learning objective
Identify and describe the seven internal control objectives, explain how they relate to financial statement assertions, and describe effective control procedures. (Level 1)
Required reading

Chapter 7, pages 253254 Chapter 9, pages 323325 CAS 315.20.23 and CAS 315.A91.A97 (CICA Handbook 5141.047.053), and CAS 315.A49.A55 (CICA Handbook,
, paragraphs 5141.090.099 and paragraphs 5141.057.063)
LEVEL 1
Control objectives
There are seven objectives of internal control; the auditor seeks reasonable assurance that these objectives are met. Auditors find it useful to classify potential misstatements by the type of assertion affected. Thus, internal control objectives can be viewed in relation to the controls ability to preserve the validity of the financial statement assertions. Although the two are related, each has a different focus. The following exhibit summarizes the differences between internal control objectives and financial statement assertions.
Exhibit 5.6-1 : Internal control objectives and financial statement assertions
Internal control objectives What are they? 1. 2. 3. 4. 5. 6. 7. Validity Completeness Authorization Accuracy Classification Accounting Proper period 1. 2. 3. 4. 5. 6. 7.
Financial statement assertions Existence (occurrence) Completeness Valuation/measurement Rights and obligations Presentation and disclosure Classification Cut-off
What is the focus?
Internal control objectives focus on transactions; that is, internal controls are implemented to ensure that each transaction that forms part of an account balance is correct.
Financial statement assertions focus on account balances and financial statement items, each of which is an aggregate of transactions. (Remember that assertions relate to accounting transactions, account balances, and disclosures. For example, occurrence and measurement are transaction-oriented, and existence and valuation are account-balance-oriented.) Each relevant assertion must be supported by audit evidence.
What audit evidence is required?
Achievement of control objectives needs to be supported by evidence only if the auditor plans to rely on controls. (See Examples 5.6-1 and 5.6-2.)
Example 5.6-1
See Exhibit 9-4 on page 323. The better the internal controls (that is, control objectives are being achieved), the easier it is for the auditor to gather the evidence necessary to support the assertions. An important assertion for accounts receivable is valuation the amount reported as receivables will eventually be collected. If the internal controls are such that the control objective of authorization for each transaction is well achieved, fewer substantive procedures will be needed, because proper authorization implies that credit checks are done for each sale (transaction). The control objective of authorization helps preserve the validity of the valuation assertion.
Example 5.6-2
Exhibit 9-6 on page 325 shows the relative strength of control objectives in supporting the assertions. Suppose internal controls related to accounts receivable are exceptionally good in achieving all control objectives except authorization. The auditor would then have to increase the extent of substantive procedures to support the valuation assertion because the control risk for this assertion may be deemed to be high. This would be the case even though the control risk for all other assertions is low. The control risk for individual assertions largely depends on the achievement of the control objectives.
Control procedures
To meet the control objectives, control procedures must be in place. Good control systems include a combination of the fundamental control policies and procedures, such as: competent, trustworthy personnel; adequate segregation of duties; and proper authorization of transactions.
Activity 5.6-1
With truly competent, trustworthy personnel and clear lines of communication, the internal controls virtually take care of themselves. How does an auditor determine the competence and trustworthiness of client personnel? Solution Small businesses often have special control problems resulting from a lack of segregation of duties and tend to require a more substantive approach to the audit. That is, in small businesses, control risk is frequently assessed at close to maximum with little, if any, reliance on internal control. Many authorization and recordkeeping functions are now done by computer. The general effect of computerized controls is a loss of human review. Consequently, specific computer controls must be built in. The error-checking routines input, processing, and output control procedures are examples of possible computer controls.

Learning objective
Explain generally accepted auditing standards (GAAS) requirements for documenting internal control, including the use of narratives, internal control questionnaires, flowcharts, and walk-through tests. (Level 1)
Required reading

Chapter 9, pages 332337 CAS 315.33 and CAS 315.A127.A130 (CICA Handbook , paragraphs 5141.123.124), paragraph 5143.75) CAS 330.29.31, and CAS 330.A59 (CICA Handbook, Reading 5-1: Memorandum: Canadian Hardware Sales Ltd.: Sales and collection cycle narrative Form A-611: Control environment and systems Form A-612: Control environment Summary
LEVEL 1
Understanding of internal controls is gained by making enquiries and corroborating the responses, inspecting relevant documents, and/or observing relevant activities. To meet the requirements of generally accepted auditing standards, documentation of internal controls should include
a record of the discussion and significant decisions reached among the engagement team regarding the susceptibility of the entitys financial statements to material misstatement results of control environment evaluation descriptions of control systems that collect, record, and process data descriptions of control systems that enhance the reliability of information if relying on internal controls and those that address significant risks the risk assessment procedures
According to a recent CICA study entitled Assurance Engagement Working Papers, the best approach is to combine the following three methods because they each have advantages:

Flowcharts provide an overview of the control systems. Narrative descriptions explain the characteristics of the system. Questionnaires describe the control procedures and weaknesses in the control systems.
Form A-611 is an example of a questionnaire for gathering information regarding the control environment. Exhibit 9-8 on page 333 depicts an internal control questionnaire that can be used to document the control systems for sales transactions. Narratives in the form of an internal control memorandum are the most common forms of documentation. See Reading 5-1 for an illustration of narrative memoranda on internal control for a small business. Regardless of size, the documentation must specify the control risk assessment for each assertion. A walk-through test (or test of one) is a special audit procedure used to verify or update the accuracy of a flowchart or other documentation of internal controls. The auditor literally walks one transaction through the accounting system to check if the controls in the flowchart, internal control questionnaire (ICQ), or narrative are actually in place and being applied. Walkthrough tests are not methods of documenting controls but of verifying that the documentation is accurate.
5.8 Assessing the risks of material misstatement

Learning objective
Explain how an auditor decides whether to assess control risk at maximum or below maximum. (Level 1)
Required reading

Chapter 9, pages 337338 (Begin at Assessing the Control Risk.) CAS 200.A38.A40 (CICA Handbook , paragraphs 5095.14 and .15), CAS 315.5.10 (CICA Handbook, paragraphs 5141.001.005), CAS 315.24.25 and CAS 315.A102. paragraphs 5141.101.108), and CAS 315.30 and CAS 315. A105 (CICA Handbook, A123 (CICA Handbook, paragraph 5141.120)
LEVEL 1
Read CAS 200.A38.A40 (CICA Handbook, paragraphs 5095.14 and .15) to understand the meaning of risks of material misstatements. CAS 315.5.10 (CICA Handbook , paragraphs 5141.001.005) provide an overview of the process involved in assessing the risks of material misstatement in a financial statement audit. CAS 315.24.25 and .A102.A105 (CICA Handbook, paragraphs 5141.101.108) describe in detail how to assess the risks of material misstatement. Control risk (as part of the risk assessment process) is first assessed based on the understanding of internal controls and reassessed during the course of the audit if evidence, such as the result of tests of controls, indicates that the preliminary assessment was incorrect. Control risk is assessed at the financial statement assertion level, and is used to determine the nature and extent of substantive procedures to be performed. The more specific a control procedure, the better it will be at reducing control risk for a given assertion.
Activity 5.8-1
Can control risk be assessed by control objective? Solution
5.9 Testing internal controls

Learning objective
Explain the conditions under which an auditor tests controls, describe the nature and extent of tests of controls, and provide examples of tests of controls audit procedures. (Level 1)
Required reading
Chapter 9, pages 347348 (up to Auditors Responsibility to Detect and Communicate Material Control Weaknesses and Misstatements) CAS 330.6.12 (CICA Handbook , paragraphs 5143.10.34) and CAS 330.A20.A29 (CICA Handbook, paragraphs 5143.46.48) Form B-111: Perform tests of controls (Dual purpose tests) Revenue and receipts cycle
LEVEL 1
Evaluating system design

Before the auditors can rely on controls, they must test the controls to verify that they are operating effectively. Testing of controls will proceed only if the auditor feels that the design of policies and procedures is adequate and the planned reduction in substantive testing will justify the effort involved in testing controls. If testing controls cannot be justified on a cost-benefit basis, the auditor will assess control risk at maximum and proceed directly to substantive testing. It should be noted that in circumstances where the auditor cannot obtain sufficient appropriate evidence on the basis of substantive procedures alone, tests of controls may be required.
Nature and extent of tests of controls

The auditors concerns in performing tests of controls are as follows (refer to CAS 330.10.11; CICA Handbook , paragraph 5143.26):

The control was used as intended. The control was effective. The control was applied throughout the entire period under audit.
The principal procedures used in testing internal controls are outlined in CAS 330.A20.A24 (CICA Handbook, paragraph 5143.10).
Activity 5.9-1
Inspection of documents and reperformance by the auditor provide stronger evidence than enquiry and observation. Why is this so? Solution
Direction of tests for controls

The direction of tests of controls (described on pages 347 and 348) is important because control risk is assessed at the assertion level, and certain controls apply to specific assertions.
Scenario 5.9-1
Suppose you are testing the controls around a computerized inventory system and have assessed as low the preliminary
control risk for the validity (existence) and completeness assertions. To perform your tests, you have access to a computer printout listing all inventory on hand, and you also have access to the inventory room supposedly containing all the items listed on the printout. From which population of items would you select the random sample for tests of controls around validity and for tests of controls around completeness? Solution The amount of substantive testing done will depend on the control risk assessment. Clearly, a control risk assessed as high (but below maximum) will require more testing (that is, a larger sample) than one assessed as low. Also, during substantive testing, the auditor may uncover deviations from controls and reassess the control risk. In such a case, the auditor will likely increase the sample size for tests of controls to ensure the evidence appropriately supports the control risk assessment.

Learning objective
Explain the rationale for testing controls at an interim date. (Level 1)
Required reading
CAS 330.11.14 and CAS 330.A32.A39 (CICA Handbook
, paragraphs 5143.35.45)
LEVEL 1
In a large audit, when reliance is placed on tests of controls, chances are that audit work will be performed at an interim date. The auditor will usually obtain an understanding of internal controls at that time. It is also at the interim date that the auditor will perform some or all of the tests required to support a control risk assessment below maximum. CAS 330.11.14 and .A32.A39 (CICA Handbook, issues an auditor needs to consider with respect to timing. paragraphs 5143.35.45) explain the
Changes occurring between the interim period and the year-end period may be such that the internal controls are no longer effective, regardless of the evidence already obtained. For example, the manager of a department may have resigned and has not yet been replaced, or the company may have decided to implement a computerized accounting system to replace a manual one. All these factors would affect the control environment and the control systems ability to provide reliable information. To make sure that the evidence appropriately supports the control risk assessment for the entire period under audit, the auditor needs to determine whether the timing of these tests and any subsequent changes in controls have affected the value of the evidence.
5.11 Internal control in audit strategy

Learning objective
Explain how audit strategy is affected by the study and evaluation of internal control. (Level 1)
Required reading

Chapter 9, page 318, Exhibit 9-2 CAS 330.5 and CAS 330.A1.A3 (CICA Handbook 330.8.9, CAS 330.16.19, and CAS 330.A20.A25 (CICA Handbook, 5143.22.24), and CAS 330.26.28 and CAS 330.A56.A58 (CICA Handbook, paragraphs 5143.68.69)
, paragraphs 5143.05.08), CAS paragraphs
LEVEL 1
The primary reason for conducting an evaluation of a companys internal control and assessing control risk is to give auditors a basis for planning the audit strategy and program. The auditor identifies risks at the financial statement account balances level and at the assertions level, and also assesses the magnitude of the risks and whether they could lead to a material misstatement (CAS 330.5 and .A1.A3; CICA Handbook, paragraphs 5143.05.07). Exhibit 9-2 on page 318 provides a snapshot of the role of internal control in assessing risk of material misstatement. Steps 13 in the exhibit outline the start of the process for assessing client-specific preliminary analytical review findings, materiality, and risk assessments. The role of internal control when the auditor assesses the risk of material misstatement is given in the steps below (refer also to steps 4-10 in Exhibit 9-2): Step 1: Enquire and perform interviews to obtain an understanding of internal controls as required by the examination standards under GAAS. Use questionnaires, narratives, and/or flowcharts as necessary. Step 2: Using questionnaires, narratives, and flowcharts, document the understanding of internal controls including the following: a. b. c. d. control environment the information system, including the related business processes, relevant to financial reporting, and communication the control activities that prevent, detect, and correct material misstatements the entitys risk assessment process and the monitoring of controls
Step 3: Make a preliminary assessment of control risk for specific assertions at the account balance or class of transactions level. The auditor looks at possible misstatements and the controls that exist to prevent or detect such misstatements. The auditor identifies controls related to significant risks that require special audit consideration. Step 4: Document the preliminary assessment of control risk for each relevant assertion and the basis thereof. Step 5: Where the auditor has identified controls which may be effective in addressing risk of material misstatement for a particular assertion, tests of controls are performed to support the preliminary assessment [combined approach (CAS 330.8; CICA Handbook, paragraph 5143.08)]. Step 6: Based on evidence from test of controls, determine the final control risk assessment for each assertion, and develop the nature, extent, and timing of substantive procedures accordingly. In essence, the auditor assesses whether the controls are sufficient to prevent material financial statement misstatement (CAS 330.16.19; CICA Handbook, paragraphs 5143.22.24).
Step 7: Revise risk assessments and audit procedures based on the results of tests conducted. Step 8: Evaluate audit findings and results and form an appropriate audit opinion (CAS 330.26.28 and .A56.A58; CICA Handbook, paragraphs 5143.68.69).
5.12 Audit reports on internal control

Learning objective
Describe the auditors considerations when issuing an audit report on internal control over the clients financial reporting processes that is integrated with an audit of the clients financial statements. (Level 2)
Required reading

Chapter 16, pages 644646 CICA Handbook
Assurance
, section 5925
LEVEL 2
As background information to this topic, read Company officers and internal controls, which explains how the Sarbanes-Oxley Act (SOX) has influenced new regulations for auditors in Canada. Although neither Canadian law nor securities regulations require that managements assertions with respect to internal control be attested to by the entitys auditors, there are a number of circumstances where Canadian auditors might be called upon to provide such an attestation. Examples include
Canadian companies listed on American securities exchanges Canadian subsidiaries of American listed companies Canadian companies whose managers consider that such attestations are best practice with respect to corporate governance, and lenders or others requiring such attestation. , An audit of internal control over
Guidance is provided to Canadian auditors in section 5925 of Assurance the CICA Handbook financial reporting that is integrated with an audit of financial statements.
The audit must be performed by the auditor of the entitys financial statements. The objective of the auditor (set out in paragraph 5925.11) is to express an opinion on the effectiveness of the entitys internal control over financial reporting as at the date on which management has made its assessment of internal control over financial reporting. The form of the report (without reservation) is set out in paragraph 5925.A82 and also in Exhibit 16-15 on page 646 of the text. The opinion paragraph provides both an opinion of managements assertion with respect to the internal control over financial reporting and the auditors opinion on such controls. Where there are one or more material weaknesses, defined as a deficiency or combination of deficiencies in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entitys annual or interim financial statements will not be prevented or detected on a timely basis, the auditor will be unable to conclude that the internal control over financial reporting is effective. It is important to be aware that the auditor, when auditing the financial statements, will be concerned with the effective operation of the controls over the entire period covered by the financial statements. The expression of opinion with respect to the internal controls over financial reporting is at a specified date, not over a period of time. The auditor could conclude that controls were weak in the early part of the year, resulting in increased substantive testing, but if the client introduces effective controls part way through the year, the auditor could conclude that controls were effective as of the date of the report.
Assignment reminder
Assignment 2 in Module 7 is due at the end of Week 7 (see the Course Schedule). You may wish to take a look at it before
working on Module 6 to familiarize yourself with the requirements and to prepare for any work that may be required in advance.
file:///F|/Courses/2010-11/CGA/AU1/06course/m05summary.htm
Module 5 summary
Define internal control, and explain the primary reasons for evaluating internal control.
Internal control is defined as the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entitys objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. Auditors understand and evaluate internal control relevant to the audit in order to assess risks of material misstatement, identify types of potential misstatements, and determine the nature, timing, and extent of audit procedures.
Differentiate between management and auditor responsibility with respect to internal control, and describe their internal control objectives.
Managements objectives with respect to internal control are to ensure the orderly and efficient conduct of the entitys business. It is managements responsibility to establish and maintain the entitys controls that provide reasonable assurance that its objectives of reliable financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations will be achieved. The auditor is concerned with managements control objectives as they relate to financial statement preparation in accordance with generally accepted accounting principles and the management of risk that may give rise to a material misstatement in the financial statements. It is the auditors responsibility to gain a sufficient understanding of internal controls to enable the auditor to plan the audit. The objectives that are of interest to both management and the auditor include validity, completeness, authorization, accuracy, classification, accounting, and proper period, as they pertain to the financial statements. The auditor has the responsibility to report internal control deficiencies to the appropriate level of management. If the auditor identifies deficiencies that create a serious risk of material misstatement, the auditor must report these in writing to the audit committee or equivalent.
Identify the components of internal control, and explain the nature of a control environment.
Internal control consists of the following components: r the control environment r the entitys risk assessment process r the information system, including the related business processes, relevant to financial reporting, and communication r control activities r monitoring of controls The control environment is the foundation for effective internal control. It includes the governance, management philosophy, and operating style of an entity and communication of its values and standards. It also includes the attitudes, awareness, and actions of management and those charged with governance relating to the entitys internal control. It sets the tone of an organization influencing the control consciousness of its people through appropriate human resource policies/practices and assignment of authority and responsibility.
Identify the three phases of internal control evaluation.
The three phases of internal control evaluation are 1. gaining an understanding of the internal controls stated to be in effect 2. assessing the preliminary control risk and determining the audit approach to be used 3. testing control audit procedures when assessing control risk below maximum (based on identified specific controls on which risk could be assessed low) Auditors are required to understand internal controls in order to assess the risk of material misstatements. At the planning stage, generally accepted auditing standards require the auditor to understand the controls adequately enough to permit audit planning.
file:///F|/Courses/2010-11/CGA/AU1/06course/m05summary.htm (1 of 4) [04/10/2010 3:06:48 PM]
When using a substantive approach (assessing control risk at maximum), the auditor must understand the control environment and the control systems that collect, record, and process data. The auditor must report the information found. When using a combined approach, the auditor must also understand the control systems that enhance the reliability of data and information. In addition, the auditor must test the controls relied upon to establish that they are operating as intended.
Identify and describe the seven internal control objectives, explain how they relate to financial statement assertions, and describe effective control procedures.
The seven control objectives are as follows: 1. Validity: recorded transactions are ones that should have been recorded, that is, they really exist. 2. Completeness: no valid transactions have been omitted. 3. Authorization: all transactions have been approved prior to being recorded. 4. Accuracy: the dollar amounts have been calculated correctly. 5. Classification: transactions are recorded in the right accounts. 6. Accounting: all transactions are recorded in conformity with GAAP. 7. Proper period: the accounting transactions are in the period in which they occur. The relationships among control objectives and financial statement assertions are identified below: Existence Occurrence X X X X X X X X X Completeness Valuation Rights, Obligations X X X Presentation and Disclosure
Control Objectives Validity Completeness Authorization Accuracy Classification Accounting Proper Period
Good control systems should include the following: r competent and trustworthy personnel r proper authorization of transactions and activities r adequate segregation of duties r design and use of adequate documents and records r controlled access to assets and records r periodic, independent comparison or verification r error-checking routines
Explain generally accepted auditing standards (GAAS) requirements for documenting internal control, including the use of narratives, internal control questionnaires, flowcharts, and walk-through tests.
Documentation of internal controls should include r a record of the discussion and significant decisions reached among the engagement team regarding the susceptibility of the entitys financial statements to material misstatement r records of the results of control environment evaluation r descriptions of control systems that collect, record, and process data r descriptions of control systems that enhance the reliability of information (if relying on internal controls) and those that address significant risks Narrative descriptions are best used to describe the characteristics of the system. Internal control questionnaires can be very useful when identifying weaknesses in control systems. Flowcharts provide an easy way to understand and overview the control systems. Walk-through tests consist of the auditor walking a single transaction through the accounting system to verify if the
documented controls are actually in place and being applied.
Explain how an auditor decides whether to assess control risk at maximum or below maximum.
The auditor should assess control for a specific assertion at maximum if r internal controls do not address that assertion; r internal controls are not effective; or r it is not efficient for the auditor to evaluate the internal controls relating to that specific assertion.
Explain the conditions under which an auditor tests controls, describe the nature and extent of tests of controls, and provide examples of tests of controls audit procedures.
Controls are tested by the auditor only if the auditor intends to rely on the controls to reduce substantive testing. This would only apply when the auditor believes that the design of policies and procedures is adequate. The reduction in substantive testing must also justify the effort involved in testing the controls. In circumstances where the auditor cannot obtain sufficient appropriate evidence on the basis of substantive procedures alone, tests of controls may be required. Tests of controls are designed to establish that the controls were used as intended, used effectively, and used throughout the period. A test of controls might be selecting a sample of paid invoices and matching them to purchase orders and receiving reports, or establishing if controls over validity and authorization were working as intended.
Explain the rationale for testing controls at an interim date.
Controls are usually tested at an interim date so that a control assessment can justify the decision to assess control risk below maximum. Interim testing also reduces sample sizes for substantive testing. Because some substantive testing is carried out at the interim audit, tests of controls should be carried out simultaneously. Use of dual-purpose testing (that is, combined tests of controls and balances) can increase audit efficiency.
Explain how audit strategy is affected by the study and evaluation of internal control.
The auditor will usually want to rely on some internal controls to reduce substantive tests of balances. This requires that the auditor first understand the controls and then test compliance throughout the audit period. For a preliminary evaluation of internal control, the auditor looks at possible misstatements and the controls that exist to prevent or detect such misstatements. If the auditor intends to rely on internal controls as part of gathering sufficient appropriate evidence, tests of control need to be planned and executed. The decision to carry out tests of controls is dependent on the evaluation of the design of the system and the cost-benefit tradeoffs of control testing, if appropriate.
Describe the auditors considerations when issuing an audit report on internal control over the clients financial reporting processes that is integrated with an audit of the clients financial statements.
Although such reports are not required by Canadian law or securities regulations, they may be issued for Canadian companies listed on an American exchange, Canadian subsidiaries of listed American companies, or at the request of the client. The examination must be performed by the public accountants who audit the entitys financial statements. Detailed guidance is provided in section 5925 of the CICA Handbook
Assurance
A standard reporting format is provided in that Handbook section.
Module 5: Internal control

Overview
In this module, you study in detail the concepts of control risk that you learned about in Module 4. You learn how the evaluation, documentation, and testing of the clients procedures and policies for internal control are used to finalize the assessment of control risk. When you complete this module, you should have thorough knowledge of the objectives of internal control. You also apply what you have learned to a scenario involving direction of tests for controls. Assignment reminder: Assignment 1 is due this week (see the Course Schedule). Be sure to allocate time to complete and submit the assignment by the deadline.
Test your knowledge

Begin your work on this module with a set of test-your-knowledge questions designed to help you gauge the depth of study required.
Learning objectives
5.1 Evaluation of internal controls 5.2 Management and auditor responsibility Define internal control, and explain the primary reasons for evaluating internal control. (Level 1) Differentiate between management and auditor responsibility with respect to internal control, and describe their internal control objectives. (Level 1) Identify the components of internal control, and explain the nature of a control environment. (Level 1) Identify the three phases of internal control evaluation. (Level 1) Explain how the auditor uses combined and substantive planning approaches. (Level 1) Identify and describe the seven internal control objectives, explain how they relate to financial statement assertions, and describe effective control procedures. (Level 1) Explain generally accepted auditing standards (GAAS) requirements for documenting internal control, including the use of narratives, internal control questionnaires, flowcharts, and walk-through tests. (Level 1)
5.3 Internal control components and control environment 5.4 Evaluation of internal control 5.5 Combined and substantive planning approaches 5.6 Internal control objectives and control procedures
5.8 Assessing the risks of material misstatement Explain how an auditor decides whether to assess control risk at maximum or below maximum. (Level 1) 5.9 Testing internal controls Explain the conditions under which an auditor tests controls, describe the nature and extent of tests of controls, and provide examples of tests of controls audit procedures. (Level 1) Explain the rationale for testing controls at an interim date. (Level 1)
5.11 Internal control in audit strategy 5.12 Audit reports on internal control
Explain how audit strategy is affected by the study and evaluation of internal control. (Level 1) Describe the auditors considerations when issuing an audit report on internal control over the clients financial reporting processes that is integrated with an audit of the clients financial statements. (Level 2)
Module summary Print this module
5.1 Evaluation of internal controls

Learning objective
Define internal control, and explain the primary reasons for evaluating internal control. (Level 1)
Required reading

Chapter 9, pages 317322 CAS 315.12 (CICA Handbook
, paragraphs 5141.041 and .042)
LEVEL 1
Internal controls
Internal control is the process designed to provide reasonable assurance to achieve the entitys objectives (reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations). As such, these policies and procedures are primarily aimed at achieving management s objectives . Not all these objectives have an audit impact; that is, the auditor is mainly interested in controls that will reduce the risk of material misstatements in the financial statements. GAAS require the auditor to gain sufficient understanding of the clients internal control to plan the audit. However, the auditor conducts internal control evaluation at a level beyond that of just gaining an understanding. The main reasons for this evaluation of internal control are to assess risks of material misstatement, identify types of potential misstatements, and determine the nature, timing, and extent of audit procedures.
5.2 Management and auditor responsibility

Learning objective
Differentiate between management and auditor responsibility with respect to internal control, and describe their internal control objectives. (Level 1)
Required reading

Chapter 9, pages 315317 (up to Reasons for Control Evaluation) and pages 348350 CAS 315.A42.A48 (CICA Handbook, paragraphs 5141.064.066), and CAS 580.A11 paragraph 5141.100) (CICA Handbook,
LEVEL 1
Management is responsible for operating the business in order to achieve short- and long-term goals and objectives. Internal controls are implemented by management to help mitigate the business risks that it faces in achieving these strategic goals. The auditor is concerned with managements internal control objectives as they relate to financial statement preparation, and needs to assess the impact of internal controls on the audit plan and the audit procedures. The auditor is primarily concerned with the reliability of internal controls and whether relying on them is cost-effective from an audit approach standpoint. Internal control relevant to the audit is described in CAS 315.A60.A64 (CICA Handbook, paragraphs 5141.047.053). When considering internal controls, the auditor must be aware of certain situations and limitations regarding the reliance placed on internal control and its assessment. Exhibit 5.2-1 outlines additional considerations for internal control.
Exhibit 5.2-1: Internal control Additional considerations
Situations/Limitations of internal control Internal control slows down data processing and may make the accounting system less efficient, at least from a clients standpoint. In the interest of efficiency, internal control may be modified, ranging from changing procedures to bypassing controls to management override.
Example Management may override a control by ordering an employee to issue a cheque, ignoring the controls stating that every cheque must be supported by adequate documentation.
Impact on the audit How would the auditor discover that the system had broken down? Observation and enquiry of employees would probably suggest that internal control is not working as designed.
Internal control has traditionally been designed to control recurring (routine) transactions.
The auditor should always be aware of the possibility that senior management may override controls. Any evidence that management has overridden the controls during the year under audit should alert the auditor about relying on any controls that management has or might have overridden. Controls may be lacking in The auditor must be particularly transactions involving related party careful that non-routine transactions or mergers. transactions are properly accounted for.
For a control to be effective, the control must be in place and working for the entire year under audit. This may not always be the case.
The auditor must verify that internal control was in place and working (or not working) during the entire period of reliance (usually the year under audit). The auditor must be careful not to reach an incorrect conclusion about internal control as a consequence of focusing on a limited period and not the entire period covered by the financial statements. (However, the auditor should not conclude that internal control is not working just because tests of controls failed when a key employee was away.) There could be a significant change A company converts from a manual The auditor could treat the year in the accounting system during system to a computerized system as two periods: before and after the year. or from one computerized system conversion. The auditor must also to another. audit the conversion to ensure the balances are carried forward correctly. The auditor should be cautious whenever there is a significant change in the accounting system during the year. A similar approach should be taken if there is a significant change in the quality of internal control during a year (for example, a strong control that existed in the first eight months of the year became non-existent in the remaining four months after a key employee left).
For example, an employee who is an important part of the internal control system may have been on vacation, and her replacement during that time was not as competent. It is likely that internal control, which worked for the rest of the year, did not work as well while the key employee was away, so material misstatements are more likely to have occurred.
After the auditor has completed the evaluation of internal control, he or she can easily identify any deficiencies in internal control. The auditor has a responsibility to report internal control deficiencies to the appropriate level of management. If the auditor identifies deficiencies that create a serious risk of material misstatement, these must be reported in writing to the audit committee or equivalent.
5.3 Internal control components and control environment

Learning objective
Identify the components of internal control, and explain the nature of a control environment. (Level 1)
Required reading

Chapter 7, pages 248254 Chapter 9, pages 328332 and 339345 CAS 315.14.19 and CAS 315.A69.A75 (CICA Handbook CAS 315.A79.A99 (CICA Handbook, Appendix 1 (CICA Handbook,
, paragraphs 5141.043.046), paragraphs 5141.067.089), and CAS 315, section 5141 Appendix B)
LEVEL 1
Internal control
Internal control is subdivided into five components to provide a useful framework for auditors to consider how an entitys internal control may affect the audit. Appendix 1 of CAS 315 (Appendix B of section 5141) provides a description of the various components of internal control.
Control environment
The control environment is the aspect of internal control that allows for the creation and maintenance of effective policies and procedures. The control environment sets the tone at the top of the organization and, as a result, it will affect all other components of internal control. For example, the board of directors of an organization hires managers to run the company and specifies who among the managers is authorized to sign cheques. In this situation, the board of directors is an element of the control environment that enables the organization to have specific policies for cash disbursements.
5.4 Evaluation of internal control

Learning objective
Identify the three phases of internal control evaluation. (Level 1)
Required reading

Chapter 9, pages 326327, 337338, and 345346 (Summary of Phases 1 and 2) CAS 610.7.13, Using the work of internal auditors CAS 330.3.12 (CICA Handbook , paragraphs 5143.01.09), CAS 330.A20.A27 , paragraphs 5143.22.27), CICA (CICA Handbook Handbook, paragraph 5143.47, CAS 330.20.24 and CAS 330.A42.A54 (CICA Handbook, paragraphs 5143.49.56)
LEVEL 1
Internal control evaluation involves three phases:

Phase 1: Understanding the internal control Phase 2: Assessing preliminary control risk (CR) and determining audit approach Phase 3: Performing test of controls audit procedures when assessing CR below maximum
Phase 1
The level of understanding of internal control and assessment of identified risks at the assertion level provide a basis for considering the appropriate audit approach either a combined approach or a substantive approach. In a combined approach, the auditor determines that using both tests of controls and substantive procedures is an efficient approach. In a substantive approach, the auditor determines that performing only substantive procedures is appropriate for specific assertions and thus, excludes the effect of controls from the relevant risk assessment. When an internal audit function exists in the entity under audit, the auditor should obtain an understanding of this function and, to increase efficiency, consider using any relevant work produced by the internal audit function. The major difference between the two approaches is that, under the combined approach, the auditor is required to gain a higher level of understanding and evidence that must include the control systems enhancing the reliability of information.
Phase 2
Internal control evaluation is the preliminary assessment of risk of material misstatement at the assertion level and may include an expectation of the operating effectiveness of controls. The preliminary risk assessment determines the audit approach. The auditor would go on to Phase 3 only if a combined approach is feasible; that is, when internal controls appear to be good based on the auditors understanding and it is efficient to rely on them. If this is the case, then the auditor would develop and perform test of controls (or dual-purpose) procedures for gathering sufficient appropriate audit evidence that the controls are operating effectively. Otherwise, the auditor would assess control risk at maximum and use a substantive approach.
Phase 3
This phase of testing internal controls consists of procedures designed to support the extent to which the auditor plans to rely on the operating effectiveness of the control in the assessment of risk (and thus suitably reduce substantive procedures based on the reliance on such control). While the auditor may determine that the risk of material misstatement may be reduced to an acceptably low level by performing only tests of control, the auditor always performs substantive procedures for each material class of transactions, account balance, and disclosure (CAS 330.20; CICA Handbook , paragraph 5143.50).
Internal control objectives also relate to the validity of the financial statement assertions. In this regard, securities regulations also require the auditor to consider internal controls that relate to financial reporting.
5.5 Combined and substantive planning approaches

Learning objective
Explain how the auditor uses combined and substantive planning approaches. (Level 1)
Required reading

Chapter 9, pages 335337 CAS 330.12, A66A68
LEVEL 1
Combined audit approach

After obtaining an understanding of internal controls, the auditor may wish to rely on the internal controls as evidence. In this case, the auditor must first test whether the internal controls are operating effectively for the entire financial reporting period. If the results of the tests indicate that the controls were operating effectively, the auditor can reduce the number of substantive procedures performed.
Substantive audit approach

A substantive audit approach is used when the auditor does not rely on internal controls as evidence. In this approach, the auditor is still required to obtain an understanding of the internal controls but will assess control risk at maximum. Since the auditor does not intend to rely on the internal controls, she or he does not test any controls for their operating effectiveness. Substantive testing will be the only type of evidence collected to support the audit opinion. The auditor can choose different approaches for the each transaction cycle as well as for the various transaction or balance related audit objectives. For example, if there are strong controls for the occurrence of sales, the auditor will test the controls for operating effectiveness and reduce the number of substantive audit procedures. If the controls over the completeness of liabilities are weak, the auditor will not test controls and will use substantive procedures to collect evidence.
5.6 Internal control objectives and control procedures

Learning objective
Identify and describe the seven internal control objectives, explain how they relate to financial statement assertions, and describe effective control procedures. (Level 1)
Required reading

Chapter 7, pages 253254 Chapter 9, pages 323325 CAS 315.20.23 and CAS 315.A91.A97 (CICA Handbook 5141.047.053), and CAS 315.A49.A55 (CICA Handbook,
, paragraphs 5141.090.099 and paragraphs 5141.057.063)
LEVEL 1
Control objectives
There are seven objectives of internal control; the auditor seeks reasonable assurance that these objectives are met. Auditors find it useful to classify potential misstatements by the type of assertion affected. Thus, internal control objectives can be viewed in relation to the controls ability to preserve the validity of the financial statement assertions. Although the two are related, each has a different focus. The following exhibit summarizes the differences between internal control objectives and financial statement assertions.
Exhibit 5.6-1 : Internal control objectives and financial statement assertions
Internal control objectives What are they? 1. 2. 3. 4. 5. 6. 7. Validity Completeness Authorization Accuracy Classification Accounting Proper period 1. 2. 3. 4. 5. 6. 7.
Financial statement assertions Existence (occurrence) Completeness Valuation/measurement Rights and obligations Presentation and disclosure Classification Cut-off
What is the focus?
Internal control objectives focus on transactions; that is, internal controls are implemented to ensure that each transaction that forms part of an account balance is correct.
Financial statement assertions focus on account balances and financial statement items, each of which is an aggregate of transactions. (Remember that assertions relate to accounting transactions, account balances, and disclosures. For example, occurrence and measurement are transaction-oriented, and existence and valuation are account-balance-oriented.) Each relevant assertion must be supported by audit evidence.
What audit evidence is required?
Achievement of control objectives needs to be supported by evidence only if the auditor plans to rely on controls. (See Examples 5.6-1 and 5.6-2.)
Example 5.6-1
See Exhibit 9-4 on page 323. The better the internal controls (that is, control objectives are being achieved), the easier it is for the auditor to gather the evidence necessary to support the assertions. An important assertion for accounts receivable is valuation the amount reported as receivables will eventually be collected. If the internal controls are such that the control objective of authorization for each transaction is well achieved, fewer substantive procedures will be needed, because proper authorization implies that credit checks are done for each sale (transaction). The control objective of authorization helps preserve the validity of the valuation assertion.
Example 5.6-2
Exhibit 9-6 on page 325 shows the relative strength of control objectives in supporting the assertions. Suppose internal controls related to accounts receivable are exceptionally good in achieving all control objectives except authorization. The auditor would then have to increase the extent of substantive procedures to support the valuation assertion because the control risk for this assertion may be deemed to be high. This would be the case even though the control risk for all other assertions is low. The control risk for individual assertions largely depends on the achievement of the control objectives.
Control procedures
To meet the control objectives, control procedures must be in place. Good control systems include a combination of the fundamental control policies and procedures, such as: competent, trustworthy personnel; adequate segregation of duties; and proper authorization of transactions.
Activity 5.6-1
With truly competent, trustworthy personnel and clear lines of communication, the internal controls virtually take care of themselves. How does an auditor determine the competence and trustworthiness of client personnel? Solution Small businesses often have special control problems resulting from a lack of segregation of duties and tend to require a more substantive approach to the audit. That is, in small businesses, control risk is frequently assessed at close to maximum with little, if any, reliance on internal control. Many authorization and recordkeeping functions are now done by computer. The general effect of computerized controls is a loss of human review. Consequently, specific computer controls must be built in. The error-checking routines input, processing, and output control procedures are examples of possible computer controls.

Learning objective
Explain generally accepted auditing standards (GAAS) requirements for documenting internal control, including the use of narratives, internal control questionnaires, flowcharts, and walk-through tests. (Level 1)
Required reading

Chapter 9, pages 332337 CAS 315.33 and CAS 315.A127.A130 (CICA Handbook , paragraphs 5141.123.124), paragraph 5143.75) CAS 330.29.31, and CAS 330.A59 (CICA Handbook, Reading 5-1: Memorandum: Canadian Hardware Sales Ltd.: Sales and collection cycle narrative Form A-611: Control environment and systems Form A-612: Control environment Summary
LEVEL 1
Understanding of internal controls is gained by making enquiries and corroborating the responses, inspecting relevant documents, and/or observing relevant activities. To meet the requirements of generally accepted auditing standards, documentation of internal controls should include
a record of the discussion and significant decisions reached among the engagement team regarding the susceptibility of the entitys financial statements to material misstatement results of control environment evaluation descriptions of control systems that collect, record, and process data descriptions of control systems that enhance the reliability of information if relying on internal controls and those that address significant risks the risk assessment procedures
According to a recent CICA study entitled Assurance Engagement Working Papers, the best approach is to combine the following three methods because they each have advantages:

Flowcharts provide an overview of the control systems. Narrative descriptions explain the characteristics of the system. Questionnaires describe the control procedures and weaknesses in the control systems.
Form A-611 is an example of a questionnaire for gathering information regarding the control environment. Exhibit 9-8 on page 333 depicts an internal control questionnaire that can be used to document the control systems for sales transactions. Narratives in the form of an internal control memorandum are the most common forms of documentation. See Reading 5-1 for an illustration of narrative memoranda on internal control for a small business. Regardless of size, the documentation must specify the control risk assessment for each assertion. A walk-through test (or test of one) is a special audit procedure used to verify or update the accuracy of a flowchart or other documentation of internal controls. The auditor literally walks one transaction through the accounting system to check if the controls in the flowchart, internal control questionnaire (ICQ), or narrative are actually in place and being applied. Walkthrough tests are not methods of documenting controls but of verifying that the documentation is accurate.
5.8 Assessing the risks of material misstatement

Learning objective
Explain how an auditor decides whether to assess control risk at maximum or below maximum. (Level 1)
Required reading

Chapter 9, pages 337338 (Begin at Assessing the Control Risk.) CAS 200.A38.A40 (CICA Handbook , paragraphs 5095.14 and .15), CAS 315.5.10 (CICA Handbook, paragraphs 5141.001.005), CAS 315.24.25 and CAS 315.A102. paragraphs 5141.101.108), and CAS 315.30 and CAS 315. A105 (CICA Handbook, A123 (CICA Handbook, paragraph 5141.120)
LEVEL 1
Read CAS 200.A38.A40 (CICA Handbook, paragraphs 5095.14 and .15) to understand the meaning of risks of material misstatements. CAS 315.5.10 (CICA Handbook , paragraphs 5141.001.005) provide an overview of the process involved in assessing the risks of material misstatement in a financial statement audit. CAS 315.24.25 and .A102.A105 (CICA Handbook, paragraphs 5141.101.108) describe in detail how to assess the risks of material misstatement. Control risk (as part of the risk assessment process) is first assessed based on the understanding of internal controls and reassessed during the course of the audit if evidence, such as the result of tests of controls, indicates that the preliminary assessment was incorrect. Control risk is assessed at the financial statement assertion level, and is used to determine the nature and extent of substantive procedures to be performed. The more specific a control procedure, the better it will be at reducing control risk for a given assertion.
Activity 5.8-1
Can control risk be assessed by control objective? Solution
5.9 Testing internal controls

Learning objective
Explain the conditions under which an auditor tests controls, describe the nature and extent of tests of controls, and provide examples of tests of controls audit procedures. (Level 1)
Required reading
Chapter 9, pages 347348 (up to Auditors Responsibility to Detect and Communicate Material Control Weaknesses and Misstatements) CAS 330.6.12 (CICA Handbook , paragraphs 5143.10.34) and CAS 330.A20.A29 (CICA Handbook, paragraphs 5143.46.48) Form B-111: Perform tests of controls (Dual purpose tests) Revenue and receipts cycle
LEVEL 1
Evaluating system design

Before the auditors can rely on controls, they must test the controls to verify that they are operating effectively. Testing of controls will proceed only if the auditor feels that the design of policies and procedures is adequate and the planned reduction in substantive testing will justify the effort involved in testing controls. If testing controls cannot be justified on a cost-benefit basis, the auditor will assess control risk at maximum and proceed directly to substantive testing. It should be noted that in circumstances where the auditor cannot obtain sufficient appropriate evidence on the basis of substantive procedures alone, tests of controls may be required.
Nature and extent of tests of controls

The auditors concerns in performing tests of controls are as follows (refer to CAS 330.10.11; CICA Handbook , paragraph 5143.26):

The control was used as intended. The control was effective. The control was applied throughout the entire period under audit.
The principal procedures used in testing internal controls are outlined in CAS 330.A20.A24 (CICA Handbook, paragraph 5143.10).
Activity 5.9-1
Inspection of documents and reperformance by the auditor provide stronger evidence than enquiry and observation. Why is this so? Solution
Direction of tests for controls

The direction of tests of controls (described on pages 347 and 348) is important because control risk is assessed at the assertion level, and certain controls apply to specific assertions.
Scenario 5.9-1
Suppose you are testing the controls around a computerized inventory system and have assessed as low the preliminary
control risk for the validity (existence) and completeness assertions. To perform your tests, you have access to a computer printout listing all inventory on hand, and you also have access to the inventory room supposedly containing all the items listed on the printout. From which population of items would you select the random sample for tests of controls around validity and for tests of controls around completeness? Solution The amount of substantive testing done will depend on the control risk assessment. Clearly, a control risk assessed as high (but below maximum) will require more testing (that is, a larger sample) than one assessed as low. Also, during substantive testing, the auditor may uncover deviations from controls and reassess the control risk. In such a case, the auditor will likely increase the sample size for tests of controls to ensure the evidence appropriately supports the control risk assessment.

Learning objective
Explain the rationale for testing controls at an interim date. (Level 1)
Required reading
CAS 330.11.14 and CAS 330.A32.A39 (CICA Handbook
, paragraphs 5143.35.45)
LEVEL 1
In a large audit, when reliance is placed on tests of controls, chances are that audit work will be performed at an interim date. The auditor will usually obtain an understanding of internal controls at that time. It is also at the interim date that the auditor will perform some or all of the tests required to support a control risk assessment below maximum. CAS 330.11.14 and .A32.A39 (CICA Handbook, issues an auditor needs to consider with respect to timing. paragraphs 5143.35.45) explain the
Changes occurring between the interim period and the year-end period may be such that the internal controls are no longer effective, regardless of the evidence already obtained. For example, the manager of a department may have resigned and has not yet been replaced, or the company may have decided to implement a computerized accounting system to replace a manual one. All these factors would affect the control environment and the control systems ability to provide reliable information. To make sure that the evidence appropriately supports the control risk assessment for the entire period under audit, the auditor needs to determine whether the timing of these tests and any subsequent changes in controls have affected the value of the evidence.
5.11 Internal control in audit strategy

Learning objective
Explain how audit strategy is affected by the study and evaluation of internal control. (Level 1)
Required reading

Chapter 9, page 318, Exhibit 9-2 CAS 330.5 and CAS 330.A1.A3 (CICA Handbook 330.8.9, CAS 330.16.19, and CAS 330.A20.A25 (CICA Handbook, 5143.22.24), and CAS 330.26.28 and CAS 330.A56.A58 (CICA Handbook, paragraphs 5143.68.69)
, paragraphs 5143.05.08), CAS paragraphs
LEVEL 1
The primary reason for conducting an evaluation of a companys internal control and assessing control risk is to give auditors a basis for planning the audit strategy and program. The auditor identifies risks at the financial statement account balances level and at the assertions level, and also assesses the magnitude of the risks and whether they could lead to a material misstatement (CAS 330.5 and .A1.A3; CICA Handbook, paragraphs 5143.05.07). Exhibit 9-2 on page 318 provides a snapshot of the role of internal control in assessing risk of material misstatement. Steps 13 in the exhibit outline the start of the process for assessing client-specific preliminary analytical review findings, materiality, and risk assessments. The role of internal control when the auditor assesses the risk of material misstatement is given in the steps below (refer also to steps 4-10 in Exhibit 9-2): Step 1: Enquire and perform interviews to obtain an understanding of internal controls as required by the examination standards under GAAS. Use questionnaires, narratives, and/or flowcharts as necessary. Step 2: Using questionnaires, narratives, and flowcharts, document the understanding of internal controls including the following: a. b. c. d. control environment the information system, including the related business processes, relevant to financial reporting, and communication the control activities that prevent, detect, and correct material misstatements the entitys risk assessment process and the monitoring of controls
Step 3: Make a preliminary assessment of control risk for specific assertions at the account balance or class of transactions level. The auditor looks at possible misstatements and the controls that exist to prevent or detect such misstatements. The auditor identifies controls related to significant risks that require special audit consideration. Step 4: Document the preliminary assessment of control risk for each relevant assertion and the basis thereof. Step 5: Where the auditor has identified controls which may be effective in addressing risk of material misstatement for a particular assertion, tests of controls are performed to support the preliminary assessment [combined approach (CAS 330.8; CICA Handbook, paragraph 5143.08)]. Step 6: Based on evidence from test of controls, determine the final control risk assessment for each assertion, and develop the nature, extent, and timing of substantive procedures accordingly. In essence, the auditor assesses whether the controls are sufficient to prevent material financial statement misstatement (CAS 330.16.19; CICA Handbook, paragraphs 5143.22.24).
Step 7: Revise risk assessments and audit procedures based on the results of tests conducted. Step 8: Evaluate audit findings and results and form an appropriate audit opinion (CAS 330.26.28 and .A56.A58; CICA Handbook, paragraphs 5143.68.69).
5.12 Audit reports on internal control

Learning objective
Describe the auditors considerations when issuing an audit report on internal control over the clients financial reporting processes that is integrated with an audit of the clients financial statements. (Level 2)
Required reading

Chapter 16, pages 644646 CICA Handbook
Assurance
, section 5925
LEVEL 2
As background information to this topic, read Company officers and internal controls, which explains how the Sarbanes-Oxley Act (SOX) has influenced new regulations for auditors in Canada. Although neither Canadian law nor securities regulations require that managements assertions with respect to internal control be attested to by the entitys auditors, there are a number of circumstances where Canadian auditors might be called upon to provide such an attestation. Examples include
Canadian companies listed on American securities exchanges Canadian subsidiaries of American listed companies Canadian companies whose managers consider that such attestations are best practice with respect to corporate governance, and lenders or others requiring such attestation. , An audit of internal control over
Guidance is provided to Canadian auditors in section 5925 of Assurance the CICA Handbook financial reporting that is integrated with an audit of financial statements.
The audit must be performed by the auditor of the entitys financial statements. The objective of the auditor (set out in paragraph 5925.11) is to express an opinion on the effectiveness of the entitys internal control over financial reporting as at the date on which management has made its assessment of internal control over financial reporting. The form of the report (without reservation) is set out in paragraph 5925.A82 and also in Exhibit 16-15 on page 646 of the text. The opinion paragraph provides both an opinion of managements assertion with respect to the internal control over financial reporting and the auditors opinion on such controls. Where there are one or more material weaknesses, defined as a deficiency or combination of deficiencies in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entitys annual or interim financial statements will not be prevented or detected on a timely basis, the auditor will be unable to conclude that the internal control over financial reporting is effective. It is important to be aware that the auditor, when auditing the financial statements, will be concerned with the effective operation of the controls over the entire period covered by the financial statements. The expression of opinion with respect to the internal controls over financial reporting is at a specified date, not over a period of time. The auditor could conclude that controls were weak in the early part of the year, resulting in increased substantive testing, but if the client introduces effective controls part way through the year, the auditor could conclude that controls were effective as of the date of the report.
Assignment reminder
Assignment 2 in Module 7 is due at the end of Week 7 (see the Course Schedule). You may wish to take a look at it before
working on Module 6 to familiarize yourself with the requirements and to prepare for any work that may be required in advance.
Module 5 summary
Define internal control, and explain the primary reasons for evaluating internal control.
Internal control is defined as the process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entitys objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. Auditors understand and evaluate internal control relevant to the audit in order to assess risks of material misstatement, identify types of potential misstatements, and determine the nature, timing, and extent of audit procedures.
Differentiate between management and auditor responsibility with respect to internal control, and describe their internal control objectives.
Managements objectives with respect to internal control are to ensure the orderly and efficient conduct of the entitys business. It is managements responsibility to establish and maintain the entitys controls that provide reasonable assurance that its objectives of reliable financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations will be achieved. The auditor is concerned with managements control objectives as they relate to financial statement preparation in accordance with generally accepted accounting principles and the management of risk that may give rise to a material misstatement in the financial statements. It is the auditors responsibility to gain a sufficient understanding of internal controls to enable the auditor to plan the audit. The objectives that are of interest to both management and the auditor include validity, completeness, authorization, accuracy, classification, accounting, and proper period, as they pertain to the financial statements. The auditor has the responsibility to report internal control deficiencies to the appropriate level of management. If the auditor identifies deficiencies that create a serious risk of material misstatement, the auditor must report these in writing to the audit committee or equivalent.
Identify the components of internal control, and explain the nature of a control environment.
Internal control consists of the following components: r the control environment r the entitys risk assessment process r the information system, including the related business processes, relevant to financial reporting, and communication r control activities r monitoring of controls The control environment is the foundation for effective internal control. It includes the governance, management philosophy, and operating style of an entity and communication of its values and standards. It also includes the attitudes, awareness, and actions of management and those charged with governance relating to the entitys internal control. It sets the tone of an organization influencing the control consciousness of its people through appropriate human resource policies/practices and assignment of authority and responsibility.
Identify the three phases of internal control evaluation.
The three phases of internal control evaluation are 1. gaining an understanding of the internal controls stated to be in effect 2. assessing the preliminary control risk and determining the audit approach to be used 3. testing control audit procedures when assessing control risk below maximum (based on identified specific controls on which risk could be assessed low) Auditors are required to understand internal controls in order to assess the risk of material misstatements. At the planning stage, generally accepted auditing standards require the auditor to understand the controls adequately enough to permit audit planning.
When using a substantive approach (assessing control risk at maximum), the auditor must understand the control environment and the control systems that collect, record, and process data. The auditor must report the information found. When using a combined approach, the auditor must also understand the control systems that enhance the reliability of data and information. In addition, the auditor must test the controls relied upon to establish that they are operating as intended.
Identify and describe the seven internal control objectives, explain how they relate to financial statement assertions, and describe effective control procedures.
The seven control objectives are as follows: 1. Validity: recorded transactions are ones that should have been recorded, that is, they really exist. 2. Completeness: no valid transactions have been omitted. 3. Authorization: all transactions have been approved prior to being recorded. 4. Accuracy: the dollar amounts have been calculated correctly. 5. Classification: transactions are recorded in the right accounts. 6. Accounting: all transactions are recorded in conformity with GAAP. 7. Proper period: the accounting transactions are in the period in which they occur. The relationships among control objectives and financial statement assertions are identified below: Existence Occurrence X X X X X X X X X Completeness Valuation Rights, Obligations X X X Presentation and Disclosure
Control Objectives Validity Completeness Authorization Accuracy Classification Accounting Proper Period
Good control systems should include the following: r competent and trustworthy personnel r proper authorization of transactions and activities r adequate segregation of duties r design and use of adequate documents and records r controlled access to assets and records r periodic, independent comparison or verification r error-checking routines
Explain generally accepted auditing standards (GAAS) requirements for documenting internal control, including the use of narratives, internal control questionnaires, flowcharts, and walk-through tests.
Documentation of internal controls should include r a record of the discussion and significant decisions reached among the engagement team regarding the susceptibility of the entitys financial statements to material misstatement r records of the results of control environment evaluation r descriptions of control systems that collect, record, and process data r descriptions of control systems that enhance the reliability of information (if relying on internal controls) and those that address significant risks Narrative descriptions are best used to describe the characteristics of the system. Internal control questionnaires can be very useful when identifying weaknesses in control systems. Flowcharts provide an easy way to understand and overview the control systems. Walk-through tests consist of the auditor walking a single transaction through the accounting system to verify if the
documented controls are actually in place and being applied.
Explain how an auditor decides whether to assess control risk at maximum or below maximum.
The auditor should assess control for a specific assertion at maximum if r internal controls do not address that assertion; r internal controls are not effective; or r it is not efficient for the auditor to evaluate the internal controls relating to that specific assertion.
Explain the conditions under which an auditor tests controls, describe the nature and extent of tests of controls, and provide examples of tests of controls audit procedures.
Controls are tested by the auditor only if the auditor intends to rely on the controls to reduce substantive testing. This would only apply when the auditor believes that the design of policies and procedures is adequate. The reduction in substantive testing must also justify the effort involved in testing the controls. In circumstances where the auditor cannot obtain sufficient appropriate evidence on the basis of substantive procedures alone, tests of controls may be required. Tests of controls are designed to establish that the controls were used as intended, used effectively, and used throughout the period. A test of controls might be selecting a sample of paid invoices and matching them to purchase orders and receiving reports, or establishing if controls over validity and authorization were working as intended.
Explain the rationale for testing controls at an interim date.
Controls are usually tested at an interim date so that a control assessment can justify the decision to assess control risk below maximum. Interim testing also reduces sample sizes for substantive testing. Because some substantive testing is carried out at the interim audit, tests of controls should be carried out simultaneously. Use of dual-purpose testing (that is, combined tests of controls and balances) can increase audit efficiency.
Explain how audit strategy is affected by the study and evaluation of internal control.
The auditor will usually want to rely on some internal controls to reduce substantive tests of balances. This requires that the auditor first understand the controls and then test compliance throughout the audit period. For a preliminary evaluation of internal control, the auditor looks at possible misstatements and the controls that exist to prevent or detect such misstatements. If the auditor intends to rely on internal controls as part of gathering sufficient appropriate evidence, tests of control need to be planned and executed. The decision to carry out tests of controls is dependent on the evaluation of the design of the system and the cost-benefit tradeoffs of control testing, if appropriate.
Describe the auditors considerations when issuing an audit report on internal control over the clients financial reporting processes that is integrated with an audit of the clients financial statements.
Although such reports are not required by Canadian law or securities regulations, they may be issued for Canadian companies listed on an American exchange, Canadian subsidiaries of listed American companies, or at the request of the client. The examination must be performed by the public accountants who audit the entitys financial statements. Detailed guidance is provided in section 5925 of the CICA Handbook
Assurance
A standard reporting format is provided in that Handbook section.
file:///F|/Courses/2010-11/CGA/AU1/06course/m05t06sol.htm
Activity 5.6-1 solution
There are a variety of means. The obvious ones observation and interviews reiterate the importance of having an understanding of the business. In addition, the accuracy and validity of documents affected by the control procedures also provide evidence about competence and trustworthiness.
file:///F|/Courses/2010-11/CGA/AU1/06course/m05t06sol.htm [04/10/2010 2:59:08 PM]
READING 5-1
From Audit Procedures and Techniques Canadian Hardware Sales Ltd.: A Sample Audit File, by Lazareff, Jack W. CGA-Canada, 1993. Reprinted with permission.
2 y Reading 5-1
External Auditing
External Auditing
Reading 5-1 y 3
Control risk may be assessed by control objective as long as there is a strong relationship between the control objective and the financial statement assertion. For example, if a review of internal controls in the acquisition cycle generally reveals a low control risk with respect to the proper period control objective, then the auditor could probably infer that the control risk for completeness of accrued liabilities is also low. This may be possible because good controls regarding proper period ensure that the risk of having unrecorded liabilities is low.
Although the applicability of these procedures will vary from assertion to assertion, it is fair to say that inspection of documents and reperformance by the auditor provide stronger evidence than enquiry and observation. This is because inspection and reperformance are not as susceptible to biases (and are capable of reperformance). Observation of a control being performed may be biased because the personnel involved in performing the control are aware that the auditor is watching. Also, observation only shows that a control is effective and appropriately applied at the time the observation is made. A document produced several months before the audit that clearly shows a control has been performed is more compelling.
file:///F|/Courses/2010-11/CGA/AU1/06course/m05t09sol2.htm
Scenario 5.9-1 solution
To test the controls around validity, you could select a random sample of items from the printout and verify that the items are in stock by physically checking the inventory room. To test the controls around completeness, you would switch the direction of your test and select a sample of items from the inventory room. You would then determine whether the computer printout reflects the details of the items you have chosen.
file:///F|/Courses/2010-11/CGA/AU1/06course/m05t09sol2.htm [04/10/2010 2:59:14 PM]
file:///F|/Courses/2010-11/CGA/AU1/06course/m05t12reading.htm
Company officers and internal controls

In the wake of the financial failures in the United States, it has been argued that the CEOs and/or the CFOs of the failed companies should have done more to prevent the failures. Of course, this complaint assumes that neither the CEO nor the CFO were part of the reason the company failed in the first place!
1 requires In the United States, the Securities Exchange Act companies to maintain disclosure controls and procedures and internal controls over financial reporting. Under the Act, disclosure controls and procedures include, but are not limited to, controls and procedures designed to ensure that information required in reports filed under the Act is recorded, processed, summarized, and reported to management, including the CEO and CFO, so as to allow timely assessment regarding disclosure.
Further, the Act requires the management of U.S. issuers, including the CEO and CFO, to evaluate the effectiveness of disclosure controls and procedures as of the end of each fiscal quarter. Section 302 of SOX states that, among other things, both the CEO and CFO
are required to certify that they are responsible for establishing and maintaining internal controls over financial reporting and that they designed, or caused the design of, those internal controls over financial reporting; have evaluated the effectiveness of the companys disclosure controls and procedures as of the end of the period covered by the report being filed (the Evaluation Date); and have presented in the report their conclusions about the effectiveness of the disclosure controls and procedures based on their evaluation as of the Evaluation Date.
The CEO and CFO must also certify that they have disclosed, based on their most recent evaluation, to the companys auditors and audit committee
all significant deficiencies in the design or operation of internal controls that could adversely affect the companys ability to record, process, summarize, and report financial data, and have identified for the companys auditors any material weaknesses in internal controls; and any fraud, whether or not material, that involves management or other employees who have a significant role in the companys internal controls.
While SOX places a considerable burden on senior management now, it also extends this burden to the auditor. It is not just a case of management assertions; now the auditor must attest to those assertions as well. Section 404 of SOX now requires that the auditor attest to, and report on, managements assessment of the effectiveness of the companys internal controls as well as the companys efforts to develop and maintain the necessary evidence to support managements assessment.
The Canadian accounting environment
In the rush to fix the broken system, Canadian regulators appear to have overlooked the fact that the corporate failures in the United States were a product of the institutional environment in which these businesses operated. It is generally agreed that the Canadian environment is considerably different from that of our southern neighbour. There has been scant evidence that Canadian businesses are ready to follow the practices of their American counterparts. Yet securities regulators have duplicated the strictures implemented in the United States regulations designed to deal with the U.S. corporate environment. The Canadian Securities Administrators (CSA) Multilateral Instrument 52-109 Certification Of Disclosure In Companies Annual And Interim Filings (MLI 52-109) (effective March 30, 2004) adopts both the approach and content of much of section 302 of SOX. Canadian certification2 closely resembles section 302 requirements. As with SOX, the CEO and CFO must certify, among other things, that they are responsible for establishing and maintaining disclosure controls and procedures and internal controls for the issuer, and they have: 1. designed those disclosure controls and procedures, or caused them to be designed under their supervision, and implemented those disclosure controls and procedures, to provide reasonable assurances that material information relating to the issuer, including its consolidated subsidiaries, is made known to the CEO and CFO by others within
file:///F|/Courses/2010-11/CGA/AU1/06course/m05t12reading.htm (1 of 2) [04/10/2010 2:59:15 PM]
those entities, particularly during the period in which the annual filings are being prepared, and that such material information is disclosed within the time periods specified under applicable provincial and territorial securities legislation; 2. designed those internal controls, or caused them to be designed under their supervision, and implemented those internal controls, to provide reasonable assurances that the issuers financial statements are fairly presented in accordance with generally accepted accounting principles; 3. evaluated the effectiveness of the issuers disclosure controls and procedures and internal controls as of the end of the period covered by the annual filings; and 4. disclosed in the annual MD&A their conclusions about the effectiveness of the disclosure controls and procedures and internal controls, in each case based on their evaluation as of the end of the period covered by the annual filings. Then, the CEO and CFO must report to the Audit Committee (as with SOX). The CEO and CFO must certify that they have disclosed, based on their most recent evaluation, to the companys auditors and Audit Committee (or persons performing the equivalent function of the Audit Committee if there isnt one):
all significant deficiencies in the design or operation of internal controls that could adversely affect the companys ability to disclose information required to be disclosed by the issuer under applicable provincial and territorial securities legislation within the time periods specified under applicable provincial and territorial securities legislation; and any fraud, whether or not material, that involves management or other employees who have a significant role in the companys internal controls.
What seems to have been lost in this rush to regulation is that virtually every public company maintains internal financial controls procedures intended to ensure that transactions are accurately recorded and reflected in the companys financial statements. Indeed, the external auditor is required to assess the adequacy of these controls. As is the case in the United States, the Canadian rules do not contain a detailed definition of internal control, nor do they prescribe specific policies or procedures that must make up a companys internal controls. Rather, it will be left to the judgment of the public companys CEO and CFO to ensure that adequate controls are in place and functioning. As a result, such firms will have to decide what control framework and concepts they should adopt. Finally, MLI 52-109 does not require an annual report from management on internal control similar to that required by section 404 of SOX.
1
Rule 13a-15 Issuers Disclosure Controls and Procedures Related to Preparation of Required Reports, Securities Exchange Act of 1934 (as amended), http://www.law.uc.edu/CCL/34ActRls/rule13a-15. html#history MLI 52-109 has separate reports for annual and interim filings and so it specifically refers to the annual filing or the interim filing. For brevity (and for comparison with section 302 of SOX), the term report is used generically.
There are a variety of means. The obvious ones observation and interviews reiterate the importance of having an understanding of the business. In addition, the accuracy and validity of documents affected by the control procedures also provide evidence about competence and trustworthiness.
READING 5-1
From Audit Procedures and Techniques Canadian Hardware Sales Ltd.: A Sample Audit File, by Lazareff, Jack W. CGA-Canada, 1993. Reprinted with permission.
2 y Reading 5-1
External Auditing
External Auditing
Reading 5-1 y 3
Control risk may be assessed by control objective as long as there is a strong relationship between the control objective and the financial statement assertion. For example, if a review of internal controls in the acquisition cycle generally reveals a low control risk with respect to the proper period control objective, then the auditor could probably infer that the control risk for completeness of accrued liabilities is also low. This may be possible because good controls regarding proper period ensure that the risk of having unrecorded liabilities is low.
Although the applicability of these procedures will vary from assertion to assertion, it is fair to say that inspection of documents and reperformance by the auditor provide stronger evidence than enquiry and observation. This is because inspection and reperformance are not as susceptible to biases (and are capable of reperformance). Observation of a control being performed may be biased because the personnel involved in performing the control are aware that the auditor is watching. Also, observation only shows that a control is effective and appropriately applied at the time the observation is made. A document produced several months before the audit that clearly shows a control has been performed is more compelling.
file:///F|/Courses/2010-11/CGA/AU1/06course/m05t09sol2.htm
Scenario 5.9-1 solution
To test the controls around validity, you could select a random sample of items from the printout and verify that the items are in stock by physically checking the inventory room. To test the controls around completeness, you would switch the direction of your test and select a sample of items from the inventory room. You would then determine whether the computer printout reflects the details of the items you have chosen.
file:///F|/Courses/2010-11/CGA/AU1/06course/m05t09sol2.htm [04/10/2010 3:06:59 PM]
Company officers and internal controls

In the wake of the financial failures in the United States, it has been argued that the CEOs and/or the CFOs of the failed companies should have done more to prevent the failures. Of course, this complaint assumes that neither the CEO nor the CFO were part of the reason the company failed in the first place!
1 requires In the United States, the Securities Exchange Act companies to maintain disclosure controls and procedures and internal controls over financial reporting. Under the Act, disclosure controls and procedures include, but are not limited to, controls and procedures designed to ensure that information required in reports filed under the Act is recorded, processed, summarized, and reported to management, including the CEO and CFO, so as to allow timely assessment regarding disclosure.
Further, the Act requires the management of U.S. issuers, including the CEO and CFO, to evaluate the effectiveness of disclosure controls and procedures as of the end of each fiscal quarter. Section 302 of SOX states that, among other things, both the CEO and CFO
are required to certify that they are responsible for establishing and maintaining internal controls over financial reporting and that they designed, or caused the design of, those internal controls over financial reporting; have evaluated the effectiveness of the companys disclosure controls and procedures as of the end of the period covered by the report being filed (the Evaluation Date); and have presented in the report their conclusions about the effectiveness of the disclosure controls and procedures based on their evaluation as of the Evaluation Date.
The CEO and CFO must also certify that they have disclosed, based on their most recent evaluation, to the companys auditors and audit committee
all significant deficiencies in the design or operation of internal controls that could adversely affect the companys ability to record, process, summarize, and report financial data, and have identified for the companys auditors any material weaknesses in internal controls; and any fraud, whether or not material, that involves management or other employees who have a significant role in the companys internal controls.
While SOX places a considerable burden on senior management now, it also extends this burden to the auditor. It is not just a case of management assertions; now the auditor must attest to those assertions as well. Section 404 of SOX now requires that the auditor attest to, and report on, managements assessment of the effectiveness of the companys internal controls as well as the companys efforts to develop and maintain the necessary evidence to support managements assessment.
The Canadian accounting environment
In the rush to fix the broken system, Canadian regulators appear to have overlooked the fact that the corporate failures in the United States were a product of the institutional environment in which these businesses operated. It is generally agreed that the Canadian environment is considerably different from that of our southern neighbour. There has been scant evidence that Canadian businesses are ready to follow the practices of their American counterparts. Yet securities regulators have duplicated the strictures implemented in the United States regulations designed to deal with the U.S. corporate environment. The Canadian Securities Administrators (CSA) Multilateral Instrument 52-109 Certification Of Disclosure In Companies Annual And Interim Filings (MLI 52-109) (effective March 30, 2004) adopts both the approach and content of much of section 302 of SOX. Canadian certification2 closely resembles section 302 requirements. As with SOX, the CEO and CFO must certify, among other things, that they are responsible for establishing and maintaining disclosure controls and procedures and internal controls for the issuer, and they have: 1. designed those disclosure controls and procedures, or caused them to be designed under their supervision, and implemented those disclosure controls and procedures, to provide reasonable assurances that material information relating to the issuer, including its consolidated subsidiaries, is made known to the CEO and CFO by others within
those entities, particularly during the period in which the annual filings are being prepared, and that such material information is disclosed within the time periods specified under applicable provincial and territorial securities legislation; 2. designed those internal controls, or caused them to be designed under their supervision, and implemented those internal controls, to provide reasonable assurances that the issuers financial statements are fairly presented in accordance with generally accepted accounting principles; 3. evaluated the effectiveness of the issuers disclosure controls and procedures and internal controls as of the end of the period covered by the annual filings; and 4. disclosed in the annual MD&A their conclusions about the effectiveness of the disclosure controls and procedures and internal controls, in each case based on their evaluation as of the end of the period covered by the annual filings. Then, the CEO and CFO must report to the Audit Committee (as with SOX). The CEO and CFO must certify that they have disclosed, based on their most recent evaluation, to the companys auditors and Audit Committee (or persons performing the equivalent function of the Audit Committee if there isnt one):
all significant deficiencies in the design or operation of internal controls that could adversely affect the companys ability to disclose information required to be disclosed by the issuer under applicable provincial and territorial securities legislation within the time periods specified under applicable provincial and territorial securities legislation; and any fraud, whether or not material, that involves management or other employees who have a significant role in the companys internal controls.
What seems to have been lost in this rush to regulation is that virtually every public company maintains internal financial controls procedures intended to ensure that transactions are accurately recorded and reflected in the companys financial statements. Indeed, the external auditor is required to assess the adequacy of these controls. As is the case in the United States, the Canadian rules do not contain a detailed definition of internal control, nor do they prescribe specific policies or procedures that must make up a companys internal controls. Rather, it will be left to the judgment of the public companys CEO and CFO to ensure that adequate controls are in place and functioning. As a result, such firms will have to decide what control framework and concepts they should adopt. Finally, MLI 52-109 does not require an annual report from management on internal control similar to that required by section 404 of SOX.
1
Rule 13a-15 Issuers Disclosure Controls and Procedures Related to Preparation of Required Reports, Securities Exchange Act of 1934 (as amended), http://www.law.uc.edu/CCL/34ActRls/rule13a-15. html#history MLI 52-109 has separate reports for annual and interim filings and so it specifically refers to the annual filing or the interim filing. For brevity (and for comparison with section 302 of SOX), the term report is used generically.
file:///F|/Courses/2010-11/CGA/AU1/06course/m05selftest.htm
Module 5 self-test
Question 1
a. Review checkpoint 38, page 337 b. Review checkpoint 39, page 337 c. Review checkpoint 40, page 337 Solution
Question 2
Exercise and Problems DC 6, page 268 Solution
Question 3
Exercise and Problems DC 4, page 363 Note: In the Required, replace the term irregularities with fraudulent acts. Solution
file:///F|/Courses/2010-11/CGA/AU1/06course/m05selftest.htm [04/10/2010 3:29:12 PM]
file:///F|/Courses/2010-11/CGA/AU1/06course/m05selftestsol1.htm
Self-test 5 Solution 1
a. Internal control questionnaires are designed to help the audit team obtain evidence about the control environment and about the accounting and control procedures that are considered good error-checking routines. They are an efficient means of gathering evidence about internal control by guiding the types of questions that should be asked in a formal interview with knowledgeable managers, using a checklist format. b. An internal control narrative is a description of each important control subsystem. Such a narrative would simply describe all the environmental elements, the accounting system, and the control procedures. c. A flowchart is a drawing that presents all relevant information and evidence about the accounting and control procedures in an understandable, visual form. The flowchart differs from a narrative, which is all words, no pictures.
file:///F|/Courses/2010-11/CGA/AU1/06course/m05selftestsol1.htm [04/10/2010 3:29:13 PM]
Martin is not correct in asserting that GAAS requires reviews and tests of control in all audits. Reviews, and obtaining and documenting an understanding, are necessary. Jones may not be suggesting that no work at all be done to become acquainted with the clients control structures. Martin has overlooked the common sense (and GAAS) idea that tests of control need to be performed only on those controls the auditor believes to be strong and that will reduce the initial control risk assessment and where such testing and reliance would be cost effective. Jones appears to be proposing that partners should have the discretion to use a substantive audit approach. Reliance on controls and conducting tests of controls may not be cost efficient for smaller clients. Under GAAS, this is acceptable. This is a common problem in practice. Many small client audits may be accomplished through extensive substantive procedural work, making up for little or no work on control structures. The tradeoff is the time and cost involved in performing test of control work against the reduction in substantive procedure work. If the latter cannot be reduced much under any circumstances, then a lot of work on internal control may be uneconomical. Note, per CAS 330.A25 (CICA Handbook, paragraph 5143.25), if an auditor determines that substantive procedures alone do not provide sufficient appropriate evidence at the assertion level, then the auditor should perform tests of relevant controls to obtain evidence in support of their effectiveness. This may be the case of an entity that conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system.
The discussion could take several directions, including some or all of the following points: 1. Material weakness. The facts seem to suggest a condition in which specific control features (few or none are described) or the degree of compliance with them do not reduce to a relatively low level the risk that errors or fraudulent acts in amounts that could be material to the financial statements may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. Gee has authority and influence over too many interrelated activities. Nothing he does seems to be subject to review or supervision. He is even able to exclude the internal auditor. 2. Potential fraudulent acts include: a. Gee can collude with customers to rig low bids and take kickbacks, thereby depriving the company of legitimate revenue. b. Gee can direct purchases to favoured suppliers, pay unnecessarily high prices, and take kickbacks. He might even set up a controlled dummy company to sell overpriced materials to the company. No competitive bidding control prevents these activities. c. Gee, through the control of physical inventory, can (i) remove materials for himself, and (ii) manipulate the inventory accounts to conceal shortages. d. Gee can order truck shipping services for his own purposes and cause the charges to be paid by the company. e. Gee can manipulate the customer billing, similar to (a) above, to deprive the company of legitimate revenue while taking an unauthorized commission or kickback. 3. Almost every desirable characteristic of good internal control has been circumvented: a. Segregation of functional responsibilities: Gee has authorization and custodial responsibilities. b. Authorization, supervision: Gee is apparently subject to no supervision or review. The accounting staff is probably powerless to challenge transactions because of Sus apparent approval of Gees powers. c. Controlled access: The whole situation gives Gee access to necessary papers, records, and assets to carry out his one-man show. d. Periodic comparison: No one else apparently has any access to the materials inventory in order to conduct an actual count for comparison to the book value (recorded accountability) of the inventory.

Module 05

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Module 05

Uploaded by

Copyright:

Available Formats

file:///F|/Courses/2010-11/CGA/AU1/06course/m05intro.

Module 5: Internal control

Test your knowledge

5.7 Documenting internal controls

5.10 Timing of tests of controls

file:///F|/Courses/2010-11/CGA/AU1/06course/m05intro.htm (1 of 2) [04/10/2010 3:06:35 PM]

Module summary Print this module

file:///F|/Courses/2010-11/CGA/AU1/06course/m05intro.htm (2 of 2) [04/10/2010 3:06:35 PM]

5.1 Evaluation of internal controls

Chapter 9, pages 317322 CAS 315.12 (CICA Handbook

, paragraphs 5141.041 and .042)

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t01.htm [04/10/2010 3:06:37 PM]

5.2 Management and auditor responsibility

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t02.htm (1 of 2) [04/10/2010 3:06:38 PM]

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t02.htm (2 of 2) [04/10/2010 3:06:38 PM]

5.3 Internal control components and control environment

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t03.htm [04/10/2010 3:06:39 PM]

5.4 Evaluation of internal control

Identify the three phases of internal control evaluation. (Level 1)

Internal control evaluation involves three phases:

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t04.htm (2 of 2) [04/10/2010 3:06:39 PM]

5.5 Combined and substantive planning approaches

Chapter 9, pages 335337 CAS 330.12, A66A68

Combined audit approach

Substantive audit approach

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t05.htm [04/10/2010 3:06:40 PM]

5.6 Internal control objectives and control procedures

, paragraphs 5141.090.099 and paragraphs 5141.057.063)

What is the focus?

What audit evidence is required?

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t06.htm (1 of 2) [04/10/2010 3:06:41 PM]

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t06.htm (2 of 2) [04/10/2010 3:06:41 PM]

5.7 Documenting internal controls

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t07.htm [04/10/2010 3:06:42 PM]

5.8 Assessing the risks of material misstatement

Can control risk be assessed by control objective? Solution

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t08.htm [04/10/2010 3:06:43 PM]

5.9 Testing internal controls

Evaluating system design

Nature and extent of tests of controls

Direction of tests for controls

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t09.htm (2 of 2) [04/10/2010 3:06:44 PM]

5.10 Timing of tests of controls

Explain the rationale for testing controls at an interim date. (Level 1)

CAS 330.11.14 and CAS 330.A32.A39 (CICA Handbook

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t10.htm [04/10/2010 3:06:45 PM]

5.11 Internal control in audit strategy

, paragraphs 5143.05.08), CAS paragraphs

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t11.htm (1 of 2) [04/10/2010 3:06:46 PM]

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t11.htm (2 of 2) [04/10/2010 3:06:46 PM]

5.12 Audit reports on internal control

Chapter 16, pages 644646 CICA Handbook

file:///F|/Courses/2010-11/CGA/AU1/06course/m05t12.htm (2 of 2) [04/10/2010 3:06:47 PM]

Identify the three phases of internal control evaluation.

file:///F|/Courses/2010-11/CGA/AU1/06course/m05summary.htm (1 of 4) [04/10/2010 3:06:48 PM]

file:///F|/Courses/2010-11/CGA/AU1/06course/m05summary.htm (2 of 4) [04/10/2010 3:06:48 PM]

documented controls are actually in place and being applied.

Explain the rationale for testing controls at an interim date.

file:///F|/Courses/2010-11/CGA/AU1/06course/m05summary.htm (3 of 4) [04/10/2010 3:06:48 PM]

A standard reporting format is provided in that Handbook section.

file:///F|/Courses/2010-11/CGA/AU1/06course/m05summary.htm (4 of 4) [04/10/2010 3:06:48 PM]

Module 5: Internal control

Test your knowledge

5.7 Documenting internal controls