Question

You have just gotten a new audit client that had been audited by another firm for many years. In assessing how effective or ineffective the current internal controls are, what factors will you examine?

Answer 1

Internal Control Defined

An entity’s system of internal control consists of policies and procedures designed to provide management with reasonable assurance that the company achieves its objectives and goals including:

• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Effectiveness and efficiency of operations

Process for Understanding Internal Control and Assessing Control Risk

Phase 1: Obtain and Document Understanding of Internal Control: Design and Operation

Three methods commonly used by auditors to obtain and document their understanding of the design of internal control are narratives, flowcharts, and internal control questionnaires

The auditor must also evaluate whether the designed controls are actually placed in operation.

PCAOB Standard 2 requires the auditor to perform at least one walkthrough for each major class of transactions. In a walkthrough, the auditor selects one or a few documents for the initiation of a transaction type and traces them through the entire accounting process.

Phase 2: Assess Control Risk

Two specific assessments must be made to arrive at the preliminary assessment:

The first assessment is whether the entity is auditable. This is determined by considering the integrity of management and the adequacy of the accounting records.

Determine assessed control risk supported by the understanding obtained assuming the controls are being followed.

Phase 3: Design, Perform, and Evaluate Tests of Controls

If the results of tests of controls support the design and operating of controls as expected, the auditor uses the same assessed control risk as the preliminary assessment. Otherwise, assessed control risk must be reconsidered.

If the auditor wants a lower assessed control risk, more extensive tests of controls are applied.

PCAOB Standard 2 requires the auditor to determine whether controls are operating effectively at year end. The auditor may test at an interim date and later determine if changes have occurred.

Phase 4: Decide Planned Detection Risk and Substantive Tests

The greater the control risk (weak internal controls) the lower the detection risk the auditor can accept.

To lower detection risk, the auditor performs more substantive testing

Communications with the Audit Committee and Management

As part of understanding internal control and assessing control risk, the auditor is required to communicate certain matters to the audit committee:

1. Significant deficiencies and material weaknesses must be communicated in writing to the audit committee as a part of every audit. Timely communication may help management in correcting the problem before their year-end report on internal control.
2. Less significant internal-control matters and recommendations for operational improvements may be communicated through a management letter. Although such letters are not required by auditing standards, they are often provided as a value-added service of the audit.