acct3014 lecture04 s12013 unload

8/22/2019 ACCT3014 Lecture04 s12013 Unload

1/27

Business School

Auditing and Assurance

Assessing Business Risk

Internal Controls and Assessment

The University of SydneyBusiness School

WELCOME

ACCT3014 - Auditing and AssuranceSemester 1, 2013

Week 4 LectureMore on Planning the Audit, and the

importance of Internal Controls


2/27

2

Business Risk

Which of the following best describes Business Risk?

a) The risk that the financial errors contain material errorsb) The risk that the company will not achieve its objectivesc) The risk of the auditor forming the wrong opiniond) Economic factors that may cause cash outflows from the company

Which of the following is correct relating to risk?

a) Understanding BR is the responsibility of directors onlyb) Only internal auditors need to understand business risksc) External auditors should concern themselves with audit risk only

d) Auditors should identify significant risks to be covered in their auditwork


3/27

3

Lecture Outline

Linking of Business Risk to a key general ledger account What are Assertions and linking the Business Risk to the

applicable key account and then the relevant assertion

Internal Controls

What are they and why important Why is the Auditor required to evaluate Internal Controls

Linking Assertions to Internal Controls

Do the right internal controls exist, and

Test them to determine if the internal controls are effective


4/27

4

Business Risk Approach

Overall BR

External Factors (Industry, regulatory, economic) Internal Factors (Company's Objectives, Nature..) Assess Fraud Risk and Non-compliance with Laws etc

Some BR

Significant business risks may increase the risk of material

misstatement and these are the risks that the Auditor needsto address

InternalControls

Auditor needs to then understand Internal Controls andevaluate whether they address/minimise the BRs identified

as key by the Auditor

The BR Approach is about identifying significant BR and using appropriateaudit procedures to plan and conduct the audit.....its an iterative process


5/27

5

Business Risk and Audit Risk

Business Risk

Risk that an event/

Action could

adversely

Affect a company's

Ability to meet its

goals

Could lead to?

Material

Misstatement

Risk that the financial

Statements have

material/significant

Errors in them

Inherent Risk

The chance of

misstatements if no

internal controls

prevent it

Control Risk

Risk that the

Companys Internal

Controls will not

prevent or detect andcorrect errors

Material

MisstatementRisk that the financial

Statements have

material/significant

Errors in them

Inverse

relationship

Audit Risk: Risk that the Auditor gives an inappropriate audit opinionOn the Financial Statements that contain material misstatements


6/27

Link BR to Key Account

6

Indentify theBusiness Risk

Does the Risk

Apply to your

Client

If NoNo effect onAudit Plan

If Yes

What is the KeyAccount that may

be misstated?

An over or anunderstatementof the $

What key Assertion


7/27

What Are Assertions

Each Key account has a number of characteristics

The assertions assist both Management and the Auditor validate that the $associated with the key account meets all assertions applicable

For a Balance sheet account the priority of assertions will differ:

By example

Asset Inventory

Need to validate Existence and Valuation as a priority

Liability Accounts Payable

Need to validate Completeness and Valuation as a priority

For An Income Statement some of the assertions change

By example

Sales Existence becomes Occurrence

Valuation becomes accuracy

7


8/278

Balance Sheet Assertions

Assertion Definition Example

Existence Do Assets and Liabilities actuallyexist? Are they real? Importantwhen the Auditor believes that

there is a risk of overstatement

PPEInventory

Completeness Have the Assets & Liabilitiesbeen accounted for? Are yousure that they have beenrecorded?

Trade CreditorsAccruals

Valuation & Allocation Have the Assets, Liabilities and

Equity accounts been recordedat their correct amounts?

Provisions

IntangiblesAccounts Receivables

Rights and Obligations Are the recorded assets ownedby the client? Are the recordedliabilities commitments of theclient? Risk when the Auditorbelieves that A/L are not ownedby the client.

Inventory


9/279

Income Statement Assertions

Assertion Definition Example

Occurrence Did the revenue or expensetransaction actually take place?

Auditor concerned with the risk ofoverstatement where events arerecorded but did not actuallyoccur

Sales Revenue

Completeness Are you sure that revenues andexpenses have been recorded?Risk of understatement oftenwhen expenses incurred but notrecorded

RevenueExpenses

Accuracy Are the Revenues and Expenses

recorded at the correct amounts?

Complex discount terms

Foreign exchange calculations

Cut-Off Are transactions recorded in thecorrect accounting period?

Revenue

Classification Auditors tests whether revenueand expenses are recorded inproper accounts

All items but in particularexpenses as high risk incorrectlycapitalised


10/27

Assertions and Internal controls

Given Assertions are important to ensure Managements correct reportingof financial data in the financial statements, it is critical that company rulesare in place to achieve this goal.

Thus the rules, the Internal controls, are important to both Management(charged with the requirement to safeguard the assets and resources ofthe operation), and also the Auditor (charged to provide reasonableassurance as to the True and Fairness of Managements financial reports)

10


11/27

2. Planning activities

ASA 300/315

2.1 Obtain knowledge of the business

ASA 315 (including ASA 250)

2.1.1 Preliminary analytical procedures2.2 Appraisal of risks, includingf raud r isk

(ASA 240) going concern (ASA 570)ASA 315

2.3 Estimate of materiality

2.4 Review of control components2.4.1 Preliminary evaluation of control environment

2.5 Develop overall audit plan (i.e. develop an audit strategy)

in response to risks

ASA 330

2.5.1 Determine reliance on internal controls

2.5.2 Determine extent and nature of testing

2.5.3 Write audit plan2.6 Assignment of staff


12/27

The Committee of Sponsoring Organizations of the Treadway Commission(COSO) is a joint initiative of the five private sector organisations (USA)

dedicated to providing thought leadership through the development of

frameworks and guidance on enterprise risk management, internal control

and fraud deterrence...

19/12/2011 New Integrated Framework Released for Public Comments:

COSO Internal Control Framework

Compliments Google Images 28/2/2012


13/27

Internal Control=Management Responsibility

Management (not the auditor), must establish andmaintain the entity's control structure

Control structure aids management to ensure:

- irregularities are prevented or detected and corrected

- assets are safeguarded- financial records are accurately reflected

- adherence to management policies

- operational efficiency is promoted that preventsunnecessary duplication of effort

Because of its inherent limitations, an internal controlstructure cannot be regarded as completely effective,

regardless of the care taken in its design and

implementation


14/27

Mandated by ASA 315.12:

The auditor shall obtain an understanding of internal control relevant to the

audit.

The purpose (ASA 315.3) is to identify and assess the risks of materialmisstatement of the financial report, whether due to fraud or error, thereby

providing a basis for designing and implementing responses (i.e. audit

strategy in terms of timing, nature and extent of audit procedures) to the

assessed significant risks.

Why Auditors Study Entitys Internal Control


15/27

Some Key Concepts

1. Each company will have these rulesa) Some rules will be common across companies and some will be linked to

specialised activities

2. The rules need to change (updated or amended) as the companyactivities change.

1. Important if a new business division is started or acquired

2. IT systems change

3. If there are restructuring issues (staff sacked impacts segregation of duties)

3. A key rule segregation of duties costs money (more staff). So even if

the rule would protect assets or information, Management may decidenot to implement the rule based on a cost benefit analysis.

4. Both management and the external auditor need to know if a rule isworking. Having a rule but it not operating means the rule does notexist.

15


16/27

Internal Control (IC)

IC is designed and implemented to address (minimise) identifiedsignificant business risks. ASA 315.14-24 outlines the followingspecific components of IC:

- the control environment

- the entities risk assessment process

- the information system, including related business

processes

- control activities

- monitoring of controls

Auditors evaluation of IC must be documented (flow charts,

questionnaires, narrative).


17/27

Auditor considers: communication and enforcement of integrity and ethical values

commitment to competence

participation by those charged with governance

managements philosophy and operating style

organisational structure

assignment ofauthority and responsibility

human resource policies and practices

If Management do not obey or

override the ICs then staff

will follow this example

Control Environment - the tone at thetop(ASA315.14 and A69-A78)

Compliments Google Images 28/2/2012


18/27

Auditor obtains an understanding of:

classes of transactions

procedures (including IT) by which transactions are

initiated, recorded, processed, and reported in the

financial report

related accounting records

how the information system captures events/ conditions

other than classes of transactions

financial reporting processes used to prepare the

financial report

controls over journal entries, non-recurring/unusual

transactions, adjustments

Information System Including Related BusinessProcesses (ASA 315.18 and A81-A87)


19/27

Control Activities (ASA 315.20-21 and A88-A97)

Authorisation

Performance reviews

Information processing

Physical controls

Segregation of duties

Control activities are policies and procedures that help ensurethat management directives are carried out to address risks

that threaten the achievement of entity objectives


20/27

Independent Approval, Review, Checking or Recalculation

e.g., - Authorization of Purchase or Sales Invoices

- Recompilation of Arithmetic on Vouchers

- Subsequent Review of Individual Transactions

Matching of Independently Generated Documents

e.g., - Matching of Sales Invoices and Shipping Documents- Matching of Purchase Invoices and Receiving Reports

Prenumbering and Sequence Checking of Key Documents

e.g., - Prenumbered Shipping Documents, Sales Invoices, Cheques,

Vouchers, etc. Maintenance of Independent Control Totals

e.g., - Recording of Cash Receipts Total Before Banking

- Use of Batch Controls

- Use of Control Accounts

Examples of Basic Types of InternalControl Activities/Procedures


21/27

Comparison with Independent 3rd Party Information

e.g., - Bank Reconciliations

- Reconciling Suppliers Statements

Independent 3rd Party Confirmation

e.g., - Sending Statements to Customers

- Requests for Confirmation of Recorded Data

Cancellation of Documentation

e.g., - Immediate Endorsement of Incoming Cheques

- Defacing Spoiled or Cancelled Cheques

Segregation of Personnel, Operations and Assets

e.g., - Segregation of Duties Among Transactions Initiation, Approval and Recording

- Function Segregation

Timeliness of Operation

e.g., - Prompt Deposit of Cash Receipts

- Prompt Processing of Transactions

Examples of Basic Types of InternalControl Activities/Procedures


22/27

Client_________________________________________________________________Audit Date _________________________

Auditor ______________ Date Completed____________ Reviewed by ___________ Date Completed______________________

Objective (italic) and question Answer Remarks

Sales Yes No N/A

A. Recorded sales are for shipments actually made to non-fictitiouscustomers1. Is the recording of sales supported by authorised shipping

documents and approved customer orders?

B. Sales transactions are properly authorised.1. Is the customer's credit approved by a responsible official?2. Is a prenumbered written shipping order required for any

merchandise to leave the premises?3. Is an authorised price list used?

C. Existing sales transactions are recorded.1. Is a recoed of shipments maintained?2. Is the shipping document controlled from the office in a manner

that helps ensure that all shipments are billed?3. Are shipping documents prenumbered and accounted for?4. Are sales invoices prenumbered and accounted for?

D. Recorded sales are for the amount of goods ordered and arecorrectly billed and recorded.1. Is there independent comparison of the quantity on the

shipping document to sales2. IS there internal verification, extensions, pricing, and footing of

sales invoices?

3. Are monthly statements sent to customers?

E. Sales transactions are properly classified.1. Is there independent comparison of dates on shipping

documents to dates recorded?

F. Sales are recorded on a timely basis.1. Is there independent comparison of dates on shipping

documents to dates recorded?

G. Sales transactions are properly included in the subsidiary recordsand correctly summarised.1. Are journals independently footed and traced to the general

ledger and subsidiary records?2. Is there a monthly reconciliation of the accounts receivable

subsidiary records to the general ledger?

Pam Dilley examinesunderlying documentation

By Chulick

Prenumbered but not accountedfor additional substantivetesting required

By Pam Dilley, controlled byChulickBy Pam Dilley

All sales are on account andthere is only one sales account

There is a weakness in thesystem and additionalsubstantive testing required

Partial Internal Control Questionnaire for SalesWhat are the controls, and who is involved.

22


23/27

Monitoring of Controls (ASA 315.22-23 and A98-A104)

Auditor obtains an understanding of:- major activities the entity uses to monitor internal control over financial reporting,

including corrective actions

Monitoring is the process by which the entity monitors the

quality of internal controls over time Involves assessing the design and operation of controls on a

timely basis and taking the necessary corrective actions

Ongoing monitoring activities could include:

- internal audit- continual management review of exception and operation

reports

- review/response to customer complaints


24/27

The auditors emphasis is on identifying and

obtaining an understanding of control activities that

address the areas of significant risk, i.e. areas

where the auditor considers that material

misstatements are more likely to occur (i.e. IC

relevant to the audit as per ASA 315.A89).

i.e. mitigating controls

Internal Control Assessment(ASA 315.29 and A124-A126)


25/27

Lecture Discussion Question

For the following general business risks outline an internal control thatwould address/mitigate the identified significant risk:

(i) inventory being stolen

(ii) risk of non-collectability of individual customer (debtors/tradereceivables) balances

(iii) suppliers are being paid twice

(iv) employees are being paid for hours not actually worked?


26/27

Lecture Discussion Question

You are about to Audit Woolworths: Woolworths has more than 3,000 storesacross Australia, that span food, liquor, petrol, general merchandise, homeimprovement and hotels. Woolworths is a proud, home-grown Australianbusiness, employer of more than 195,000 people and committed businesspartner of many thousand local farmers, producers and manufacturers.

In your BR Approach for the following identified risks in Woolworths ,Determine a PRACTICAL Internal Control procedure that would

mitigate the risk:

Overpayment of overtime to casual employees

Inventory being stolen especially from loading docks and shelves

Payments being made twice to the same supplier(especially diary products)

A number of Terminated Full Time Employees are still being paid for afortnight after they have left Woolworths
http://www.woolworths.com.au/wps/wcm/connect/website/woolworths/about+us/contact+us


27/27

What's on Next Week

The Easter Break-Enjoy it!Next Lecture: Tuesday 9 April, Angela is back Important topics to be covered:

Materiality

Audit Evidence, linking to ASSERTIONS and Procedures!

The reliability of audit evidence is influenced by its source and nature.For example, management may use a broker quote to support a fair

value measurement; however, when the quote is obtained from theinstitution that initially sold the instrument, this evidence may be lessobjective and may need to be supplemented with evidence from one

or more other brokers

www.ifac.org/download/staff_audit_practice_alert.pdf