Question

2. Auditors are required to obtain a sufficient understanding of each of the elements of an entity's internal control (environment, accounting system, control policies and procedures). This understanding is required by the second standard of fieldwork (GAAS).
Required:
a. What are some of the goals (purposes) for conducting an evaluation of an entity's internal control?
b. What audit work is required for an auditor to assess control risk below the "maximum" level?
c. Should auditors always try to obtain enough evidence to assess control risk below the "maximum" level? Explain.

Answer 1

a) Internal control is the process, policy, procedure which is designed, implemented and maintained by management, those charged with governance and other personnel to provide reasonable assurance of entity's achievements such as reliability of financial reporting, efficiency and effectiveness of operations, safeguarding of asset of the entity, compliance with laws and regulations etc.

(1) The main purpose is to reduce the deficiencies in internal control. (2) This will automatically reduce the chances of fraud. (3) A better system of internal control will reduces the risk of fraudulent activities.

Satisfactory control environment is not a absolute deterrent to fraud, but it is a positive factor in assessing risk of material misstatement.

b) Control risk is the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or aggregated with other misstatements, will not be prevented or detected and corrected, on timely basis by the entity's internal control.

Auditor should design and perform further audit procedures to respond to those risk.

He shall communicate with the management and higher authorities regarding the deficiencies he found at audit.

Auditor shall provide more directions and supervision to them.

Auditor should perform inspection, inquiry, observation and analytical procedures for finding these deficiencies.

If he increases the level of checking automatically control risk will reduce.

He has to detect, prevent or correct the internal control deficiencies on a timely basis.

c) Auditors not always try to obtain enough evidence to assess control risk below the "maximum" level. While his checking if he finds any issue of deficiencies he has to do additional audit procedures. In normal circumstances if he feels everything is fine no additional procedure is required. That is the discretion of auditor. Auditing is not a 100% checking. It is not an investigation. While his normal course of checking if he believes that something is there then only he will investigate deeply.