Joanne M. Flood

Wiley Practitioner's Guide to GAAS 2020


Скачать книгу

activities, and

      5 Monitoring.

      (AU-C 315.A57)

      These components may operate at the entity level or the individual transaction level. Obtaining an appropriate understanding of internal control requires the auditor to understand and evaluate the design of all five components of internal control and to determine whether the controls are in use by the client.

      The Five Components of Internal Control – 1. Control Environment

      The auditor should obtain a sufficient knowledge of the control environment to understand management’s and the board of directors’ attitudes, awareness, and actions concerning the environment. (AU-C 315.15) Control environment factors include:

       Communication and enforcement of integrity and ethical values

       Commitment to competence

       Characteristics of those charged with governance

       Management’s philosophy and operating style

       Organizational structure

       Assignment of authority and responsibility

       Human resources policies and practices

      (AU-C 315.A79)

      NOTE: The auditor should concentrate on the substance of controls (established and acted upon), not their form.

      The Five Components of Internal Control – 2. The Entity’s Risk Assessment Process

      The auditor should obtain an understanding of the entity’s procedures for business risk, specifically:

       Identifying the risks

       Estimating significance

       Assessing the likelihood of occurrence

       Deciding on an action plan to address the risk

      (AU-C 315.16)

      Risks can occur because of the following:

       Changes in operating environment

       New personnel

       New or revamped information systems

       Rapid growth

       New technology

       New business models, products, or activities

       Corporate restructurings

       Expanded foreign operations

       New accounting pronouncements

       Changes in economic conditions

      (AU-C 315.A90)

      NOTE: The auditor’s assessment of inherent and control risks is a separate consideration and not part of the entity’s risk assessment.

      The Five Components of Internal Control – 3. The Entity’s Information System

      The auditor should obtain sufficient knowledge of the accounting information system to understand:

       The classes of transactions that are significant to the financial statements

       The procedures, both automated and manual, by which those transactions are initiated, recorded, processed, and reported from their occurrence to inclusion in the financial statements

       The related accounting records, whether electronic or manual, supporting information, and specific accounts involved in initiating, recording, processing, and reporting transactions

       How the information system captures other events and conditions that are significant to the financial statements

       The financial reporting process

       Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments

      (AU-C 315.19)

      The auditor should understand the automated and manual procedures used to prepare financial statements and related disclosures, and how misstatements may occur. Such procedures include:

       The procedures used to enter transaction totals into the general ledger

      NOTE: The auditor should be aware that when information technology (IT) is used to automatically transfer information from transaction processing systems to general ledger or financial reporting systems, there may be little or no visible evidence of intervention in the information systems (e.g., an individual may inappropriately override automated processes by changing the amounts being automatically passed to the general ledger or financial reporting system).

       The procedures used to initiate, record, and process standard (e.g., monthly sales and purchase transactions) and nonstandard (e.g., business combinations or disposals, or a nonrecurring accounting estimate) journal entries in the general ledger

       When IT is used to maintain the general ledger and prepare financial statements, such nonstandard entries may exist only in electronic form and may be more difficult to identify through physical inspection of printed documents.

       Financial statement misstatements are often perpetrated by using nonstandard entries to record fictitious transactions or other events and circumstances, particularly near the end of the reporting period.

       Other procedures used to record recurring and nonrecurring adjustments (e.g., consolidating adjustments and reclassifications that are not made by formal journal entries)

      The auditor should also obtain sufficient knowledge of the means the entity uses to communicate financial reporting roles and responsibilities and significant matters about financial reporting. (AU-C 315.20)

      The Five Components of Internal Control – 4. Control Activities

      The auditor should obtain an understanding of those control activities that are relevant to the audit. (AU-C 315.21) Control activities are relevant to the audit if they are related to significant risks, as discussed later in this section. Examples of specific control activities include:

       Authorization

       Performance reviews

       Information processing

       Physical controls

       Segregation of duties (e.g., assigning different people the responsibility for authorizing transactions, recording transactions, and maintaining custody of assets)

      (AU-C 315.A99)

      The auditor should also obtain an understanding of the process of reconciling detail to the general ledger for significant accounts. (AU-C 315.21)

      The Five Components of Internal Control – 5. Monitoring

      The auditor should obtain sufficient knowledge of the major types of activities that the entity uses to monitor internal control over financial reporting, including the internal audit function—how it works, its responsibilities, and how it fits into the organization and sources of information used in the monitoring activities. (AU-C 315.23–.25)

      Step 2. Identification of Significant Risks

      As part of assessing the risks of material misstatement, the auditor should identify significant risks,