
Internal controls

Part 1 Financial Planning, Performance and Control

Planning, budgeting, and forecasting (30%) Performance measurement (25%) Cost management (25%) Internal controls (15%) Professional ethics (5%)

Presented by MR Medaht Heshmat

TEL : 01024485749



Section D Internal controls (15%)


RISK AND THE CONTROL ENVIRONMENT

1.1 The Assessment and Management of Risk

a. Every organization faces risks. Risks take many forms and can originate from within or from outside the organization.

b. Risk assessment is the process whereby management identifies the organization's vulnerabilities.

PASS KEY
Risk management is the ongoing process of designing and operating internal controls that mitigate the risks (potential events that may affect the entity) identified in the organization's risk assessment.

c. Risk can be quantified as a combination of two factors: the consequences and the likelihood of occurrence. The expected loss due to a risk exposure can thus be stated numerically as a combination of the two factors. Risk can also be assessed in qualitative terms.

d. The audit risk model
Audit risk is comprised of the risk that the financial statements are materially misstated (risk of material misstatement, or "RMM") and the risk that the auditor will not detect such misstatements (detection risk, or "DR").

Audit Risk (AR, should be low) = Risk of Material Misstatement (RMM, assessed by auditor) x Detection Risk (DR, controlled by auditor)

Risk of Material Misstatement (RMM)
The risk of material misstatement can be subdivided into inherent risk ("IR") and control risk ("CR").

Inherent Risk ("IR")
Inherent risk is the susceptibility of a relevant assertion to a material misstatement, assuming there are no related controls. Assertions involving complex calculations, cash

Control Risk ("CR")
Control risk is the risk that a material misstatement that could occur in a relevant assertion will not be prevented or detected on a timely basis by the entity's internal control. Control risk is a function of the effectiveness of the design and operation of internal control.

PASS KEY
Inherent risk and control risk exist independently of the audit, and the auditor generally cannot change these risks.

Detection Risk ("DR")
Detection risk is the risk that the auditor will not detect a misstatement that exists in a relevant assertion.

a. Detection risk is a function of the effectiveness of audit procedures and of the manner in which they are applied.

b. Some amount of detection risk will always exist because the auditor does not examine 100 percent of an account balance or transaction class, and because the auditor may make mistakes in applying audit procedures or in interpreting results.

Effect on the Audit


The auditor's overall judgment about the level of risk in an engagement will affect the staffing, level of supervision, and scope of the audit. While auditors use professional judgment to assess each aspect of audit risk, they can change only the level of detection risk. The auditor uses his or her assessment of the risk of material misstatement as a basis for determining an appropriate level of detection risk.

a. Inverse Relationship of RMM to DR
When the auditor determines that the risk of material misstatement is high, detection risk should be set at a low level. Conversely, when the risk of material misstatement is low, the auditor can justify a higher detection risk.

b. The Auditor Can Change Detection Risk
The auditor can change the level of detection risk by varying the nature, extent and timing of audit procedures. For example, as the acceptable level of detection risk decreases, the assurance provided from substantive procedures should increase. The auditor may:
1- Change the nature of substantive tests from a less effective to a more effective procedure (e.g., direct tests toward independent parties outside the entity rather than toward parties or documentation inside the entity).
2- Change the extent of substantive tests (e.g., use a larger sample size).
3- Change the timing of substantive tests (e.g., perform substantive tests at year-end rather than at interim).

Becker CPA Review Auditing & Attestation 3


PASS KEY
Acceptable Audit Risk (AAR) is a measure of how willing the auditor is to accept that the F/S may be materially misstated after the audit is complete and an opinion is issued.

Risk assessment is a process
A. Designed to identify potential events that may affect the entity.
B. That establishes policies and procedures to accomplish internal control objectives.
C. Of identifying and capturing information in a timely fashion.
D. That assesses the quality of internal control throughout the year.

Answer (A) is correct. Every organization faces risks, that is, unforeseen obstacles to the pursuit of its objectives. Risks take many forms and can originate from within or from outside the organization. Risk assessment is the process whereby management identifies the organization's vulnerabilities.
Answer (B) is incorrect because internal control objectives cannot be formulated until the organization knows what its vulnerabilities are.
Answer (C) is incorrect because identifying and capturing information in a timely fashion is a function of an information system, not of risk assessment.
Answer (D) is incorrect because assessing the quality of internal controls is a portion of the internal control department's ongoing duties; it is not a definition of risk assessment.


Some account balances, such as those for pensions or leases, are the results of complex calculations. The susceptibility to material misstatements in these types of accounts is defined as
A. Audit risk.
B. Detection risk.
C. Sampling risk.
D. Inherent risk.

Answer (A) is incorrect because audit risk is the risk that the auditor may unknowingly fail to appropriately modify an opinion on financial statements that are materially misstated.
Answer (B) is incorrect because detection risk is the risk that the auditor will not detect a material misstatement that exists in an assertion.
Answer (C) is incorrect because sampling risk is the risk that a particular sample may contain proportionately more or fewer monetary misstatements or deviations from controls than exist in the population as a whole.
Answer (D) is correct. Inherent risk is the susceptibility of an assertion to a material misstatement in the absence of related controls. This risk is greater for some assertions and related balances or classes than others. For example, complex calculations are more likely to be misstated than simple ones, and cash is more

Audit risk consists of inherent risk, control risk, and detection risk. Which of the following statements is true?
A. Cash is more susceptible to theft than an inventory of coal because it has a greater inherent risk.
B. The risk that material misstatement will not be prevented or detected on a timely basis by internal control can be reduced to zero by effective controls.
C. Detection risk is a function of the efficiency of an auditing procedure.
D. The existing levels of inherent risk, control risk, and detection risk can be changed at the discretion of the auditor.

Answer (A) is correct. Inherent risk is the susceptibility of an assertion to material misstatement in the absence of related controls. Some assertions and related balances or classes of transactions have greater inherent risk. Thus, cash has a greater inherent risk than less liquid assets.
Answer (B) is incorrect because some control risk will always exist. Internal control has inherent limitations.
Answer (C) is incorrect because detection risk is a function of auditing effectiveness (achieving results), not efficiency.
Answer (D) is incorrect because the actual levels of inherent risk and control risk are independent of the audit process. Acceptable detection risk is a function of the desired level of overall audit risk and the assessed levels of inherent risk and control risk. Hence, detection risk can be changed at the discretion of the auditor, but inherent risk and control risk cannot. However, the auditor's preliminary judgments about inherent risk and control risk may change as the audit progresses.

There are three components of audit risk: inherent risk, control risk, and detection risk. Inherent risk is
A. The susceptibility of an assertion to a material misstatement, assuming that there are no related internal control structure policies or procedures.
B. The risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated.
C. The risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity's internal control structure policies or procedures.
D. The risk that the auditor will not detect a material misstatement that exists in an assertion.

Answer (A) is correct. Inherent risk is the susceptibility of an assertion to a material misstatement, assuming that there are no related internal control structure policies or procedures. The risk of such misstatement is greater for some assertions and related balances or classes than for others. Unlike detection risk, inherent risk and control risk are independent of the audit. Furthermore, inherent risk and control risk are inversely related to detection risk. Thus, the lower the inherent risk, the higher the acceptable detection risk.
Answer (B) is incorrect because the risk that the auditor may unknowingly fail to appropriately modify his or her opinion on financial statements that are materially misstated is audit risk.
Answer (C) is incorrect because the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity's internal control structure policies or procedures is control risk.
Answer (D) is incorrect because the risk that the auditor will not detect a material misstatement that exists in an assertion is detection risk.


In the performance of an internal audit, audit risk is best defined as the risk that an auditor
A. Might not select documents that are in error as part of the examination.
B. May not be able to properly evaluate an activity because of its poor internal accounting controls.
C. May fail to detect a significant error or weakness during an examination.
D. May not have the expertise to adequately audit a specific activity.

Answer (A) is incorrect because the risk that an auditor might not select documents that are in error as part of the examination is an aspect of sampling risk.
Answer (B) is incorrect because the risk that an auditor may not be able to properly evaluate an activity because of its poor internal accounting controls is an aspect of control risk.
Answer (C) is correct. Audit risk is the risk that the external auditor may unknowingly fail to modify his/her opinion on financial statements that are materially misstated. Its elements are control risk, inherent risk, and detection risk. For internal auditing, the overall audit risk extends not only to financial statements but also to unwitting failure to uncover material errors or weaknesses in the operations audited. There may be several different reasons for the failure, and these may be in risk categories such as sampling risk, detection risk, or control risk.
Answer (D) is incorrect because lack of competency relates to control risk. It is the failure of a control (internal auditing).

When planning an audit, the auditor needs to evaluate audit risk where the auditor may unknowingly fail to appropriately modify his opinion on financial statements that are materially misstated. Audit risk is composed of
inherent risk, control risk, and detection risk.
risk of incorrect rejection, risk of incorrect acceptance, risk of overreliance, and risk of underreliance.
tolerable error risk, sampling error risk, and inherent risk.
tolerable rate risk, sampling rate risk, and inherent risk.

The correct answer is: inherent risk, control risk, and detection risk.
Audit Risk = (Inherent Risk x Control Risk x Detection Risk)
Inherent risk is the probability of a misstatement due to an error or fraud. Control risk is the probability that the misstatement gets by the client's internal control system. Detection risk is the probability that the misstatement is not detected by the auditor.

The relationship between inherent risk, planned detection risk, and planned audit evidence is best described as follows.
Inherent risk is positively related to planned detection risk and not at all related to planned evidence.
Inherent risk is inversely related to planned detection risk and directly related to planned evidence.
Inherent risk is inversely related to planned detection risk and planned audit evidence.
There is no relationship between inherent risk, planned detection risk, and planned audit evidence.

The correct answer is: Inherent risk is inversely related to planned detection risk and directly related to planned evidence.
Audit Risk = (Inherent Risk x Control Risk x Detection Risk). Therefore, Detection Risk = (Audit Risk)/(Inherent Risk x Control Risk).
Since detection risk is the probability that a misstatement will not be discovered by the auditor, as detection risk decreases, the planned audit evidence required will decrease. The formula for detection risk shows that inherent risk is inversely related to planned detection risk and directly related to planned evidence.


A firm is constructing a risk analysis to quantify the exposure of its data center to various types of threats. Which one of the following situations would represent the highest annual loss exposure after adjustment for insurance proceeds?

Situation   Frequency of Occurrence (years)   Loss Amount   Insurance (coverage %)
I           1                                 $15000        85
II          8                                 75000         80
III         20                                200000        80
IV          100                               400000        50

A. IV
B. III
C. I
D. II

A. The question asks for the highest annual loss exposure after adjustment for insurance proceeds. The way to calculate that is to (1) calculate the loss after insurance reimbursement for each situation by multiplying the loss amount by (1 - insurance coverage rate), and (2) divide each loss after reimbursement by the frequency of occurrence in years to calculate the annual loss amount for each.

B. The question asks for the highest annual loss exposure after adjustment for insurance proceeds. The way to calculate that is to (1) calculate the loss after insurance reimbursement for each situation by multiplying the loss amount by (1 - insurance coverage rate), and (2) divide each loss after reimbursement by the frequency of occurrence in years to calculate the annual loss amount for each.

C. The question asks for the highest annual loss exposure after adjustment for insurance proceeds. The way to calculate that is to (1) calculate the loss after insurance reimbursement for each situation by multiplying the loss amount by (1 - insurance coverage rate), and (2) divide each loss after reimbursement by the frequency of occurrence in years to calculate the annual loss amount for each, as follows:

Situation   Frequency of Occurrence (years)   Loss Amount   Insurance (coverage %)   Loss After Ins. Reimb.   Annual Loss
I           1                                 $15000        85                       2250                     2250
II          8                                 75000         80                       15000                    1875
III         20                                200000        80                       40000                    2000
IV          100                               400000        50                       200000                   2000

The highest annual loss is I, with an annual loss of $2,250.

D. The question asks for the highest annual loss exposure after adjustment for insurance proceeds. The way to calculate that is to (1) calculate the loss after insurance reimbursement for each situation by multiplying the loss amount by (1 - insurance coverage rate), and (2) divide each loss after reimbursement by the frequency of occurrence in years to calculate the annual loss amount for each.


In planning an audit, the auditor considers audit risk. Audit risk is the
risk that a material error in an account will not be prevented or detected on a timely basis by the client's internal control system.
susceptibility of an account balance to material error assuming the client does not have any related internal control.
risk that the auditor's procedures for verifying account balances will not detect a material error when in fact such error exists.
risk that the auditor may unknowingly fail to appropriately modify his opinion on financial statements that are materially misstated.

The correct answer is: risk that the auditor may unknowingly fail to appropriately modify his opinion on financial statements that are materially misstated.
Audit risk is the probability of an audit failure. An audit failure occurs when the auditor's opinion states that the financial statements fairly present, in all material respects, in accordance with GAAP (Generally Accepted Accounting Principles) when, in fact, they are materially misstated.

Which one of the following is not the component of the audit risk model commonly used by auditors in deciding how much evidence to accumulate in each cycle?
Inherent risk
Control risk
Engagement risk
Planned detection risk

The correct answer is: Engagement risk.
Audit Risk = Inherent Risk x Control Risk x Detection Risk. Therefore, Detection Risk = (Audit Risk)/(Inherent Risk x Control Risk). Engagement risk relates to whether the auditor should be associated with the client in the first place, and is not part of the audit risk equation.

Inherent risk is the risk
that the business will naturally experience, regardless of internal controls.
that internal controls will not be followed.
that measures the effectiveness of a firm's internal controls.
that an internal audit will not uncover incidents where controls have not been followed.

The correct answer is: that the business will naturally experience, regardless of internal controls.
Inherent risk is the normal risk of the business, such as the risk of droughts for farmers or the risk of a recession.


Essay questions

Define inherent risk, control risk, and detection risk.

1.2 Internal Control Definition and Objectives

Internal control is a method, or process, that is carried out by an entity's board of directors, management and other personnel that is designed to provide reasonable assurance that the company's objectives in the following categories will be achieved:

1. Reliability of Financial Reporting
Management is responsible for preparing financial statements for investors, creditors, and other users. Management has both a legal and professional responsibility to be sure that the information is fairly presented in accordance with reporting requirements such as GAAP. The objective of effective internal control over financial reporting is to fulfill these financial reporting responsibilities.

2. Efficiency and Effectiveness of Operations
Controls within an organization are meant to encourage efficient and effective use of its resources to optimize the company's goals. An important objective of these controls is accurate financial and non-financial information about the entity's operations for decision making.

3. Compliance with Laws and Regulations
such as environmental protection and civil rights laws. Others are closely related to accounting, such as income tax regulations and fraud.

4. Safeguarding of Assets

Essay questions

Identify and describe internal control objectives.


Which of the following is responsible for establishing a private company's internal control?
a. Management.
b. Auditors.
c. Management and auditors.
d. Committee of Sponsoring Organizations

Answer (A) is correct.

Which of the following is not one of the three primary objectives of effective internal control?
a. Reliability of financial reporting
b. Efficiency and effectiveness of operations
c. Compliance with laws and regulations
d. Assurance of elimination of business risk

Answer (D) is correct.


One of the financial statement auditor's major concerns is to ascertain whether internal control is designed to provide reasonable assurance that:
A. Profit margins are maximized, and operational efficiency is optimized.
B. The chief accounting officer reviews all accounting transactions.
C. Corporate morale problems are addressed immediately and effectively.
D. Financial reporting is reliable.

A. While it is important to maximize profits and optimize operational efficiency, this is not one of a financial statement auditor's major concerns.
B. It is not necessary that the chief accounting officer review all accounting transactions. Therefore, this is not one of a financial statement auditor's major concerns.
C. Corporate morale problems are not relevant to a financial statement audit.
D. Internal control is a method, or process, that is carried out by an entity's board of directors, management and other personnel, and designed to provide reasonable assurance that objectives in the following four categories will be achieved: (1) effectiveness and efficiency of operations; (2) reliability of financial reporting; (3) compliance with applicable laws and regulations; and (4) safeguarding of assets. The concerns of the financial statement auditor will relate to no. 2, reliability of financial reporting.

PASS KEY
Management, not the auditor, must establish and maintain the entity's internal controls. This concept is consistent with the requirement that management, not the auditor, is responsible for the preparation of financial statements in accordance with applicable accounting frameworks such as GAAP or IFRS. Two key concepts underlie management's design and implementation of internal control: reasonable assurance and inherent limitations.

Reasonable Assurance
A company should develop internal controls that provide reasonable, but not absolute, assurance that the financial statements are fairly stated. Internal controls are developed by management after considering both the costs and benefits of the controls. The concept of reasonable assurance allows for only a remote likelihood that material misstatements will not be prevented or detected on a timely basis by internal control.

Inherent Limitations
Internal controls can never be completely effective, regardless of the care followed in their design and implementation. Even if management can design an ideal system, its effectiveness depends on the competency and dependability of the people using it. Assume, for example, that a carefully developed procedure for counting inventory requires two employees to count independently. If neither of the employees understands the instructions or if both are careless in doing the counts, the inventory count is likely to be wrong. Even if the count is correct, management might override the procedure and instruct an employee to increase the count to improve reported earnings. Similarly, the employees might decide to overstate the counts to intentionally cover up a theft of inventory by one or both of them. An act of two or more employees who conspire to steal assets or misstate records is called collusion.

1.3 Components of Internal Control


According to the COSO report, Internal Control - Integrated Framework, five interrelated components comprise internal control. They are:
1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information and Communication
5) Monitoring

Essay questions

Identify and describe the five major components of COSO's Internal Control Framework.
