The University of Sydney Business School

WELCOME
ACCT3014 - Auditing and Assurance
Semester 1, 2013

Week 4 Lecture More on Planning the Audit, and the importance of Internal Controls
Assessing Business Risk Internal Controls and Assessment

Business School Auditing and Assurance

Business Risk
Which of the following best describes Business Risk? a) The risk that the financial errors contain material errors b) The risk that the company will not achieve its objectives c) The risk of the auditor forming the wrong opinion d) Economic factors that may cause cash outflows from the company Which of the following is correct relating to risk? a) Understanding BR is the responsibility of directors only b) Only internal auditors need to understand business risks c) External auditors should concern themselves with audit risk only d) Auditors should identify significant risks to be covered in their audit work

Lecture Outline
Linking of Business Risk to a key general ledger account

What are Assertions and linking the Business Risk to the applicable key account and then the relevant assertion
Internal Controls What are they and why important

Why is the Auditor required to evaluate Internal Controls

Linking Assertions to Internal Controls Do the right internal controls exist, and Test them to determine if the internal controls are effective

Business Risk Approach

Overall BR

External Factors (Industry, regulatory, economic) Internal Factors (Company's Objectives, Nature..) Assess Fraud Risk and Non-compliance with Laws etc Significant business risks may increase the risk of material misstatement and these are the risks that the Auditor needs to address Auditor needs to then understand Internal Controls and evaluate whether they address/minimise the BRs identified as key by the Auditor

Some BR

Internal Controls

The BR Approach is about identifying significant BR and using appropriate audit procedures to plan and conduct the audit.....its an iterative process
4

Business Risk and Audit Risk

Business Risk Risk that an event/ Action could adversely Affect a company's Ability to meet its goals Inherent Risk The chance of misstatements if no internal controls prevent it

Could lead to?

Material Misstatement Risk that the financial Statements have material/significant Errors in them

Control Risk Risk that the Companys Internal Controls will not prevent or detect and correct errors

Inverse relationship Material Misstatement Risk that the financial Statements have material/significant Errors in them

Audit Risk: Risk that the Auditor gives an inappropriate audit opinion On the Financial Statements that contain material misstatements
5

Link BR to Key Account

Indentify the Business Risk

Does the Risk Apply to your Client

If Yes

If No No effect on Audit Plan

An over or an understatement of the $

What is the Key Account that may be misstated?

What key Assertion

6

What Are Assertions

Each Key account has a number of characteristics The assertions assist both Management and the Auditor validate that the $ associated with the key account meets all assertions applicable
For a Balance sheet account the priority of assertions will differ: By example Asset Inventory

Need to validate Existence and Valuation as a priority

Liability Accounts Payable Need to validate Completeness and Valuation as a priority

For An Income Statement some of the assertions change By example Sales Existence becomes Occurrence Valuation becomes accuracy
7

Balance Sheet Assertions

Assertion

Definition

Example

Existence

Do Assets and Liabilities actually exist? Are they real? Important when the Auditor believes that there is a risk of overstatement Have the Assets & Liabilities been accounted for? Are you sure that they have been recorded? Have the Assets, Liabilities and Equity accounts been recorded at their correct amounts? Are the recorded assets owned by the client? Are the recorded liabilities commitments of the client? Risk when the Auditor believes that A/L are not owned by the client.

PPE Inventory

Completeness

Trade Creditors Accruals

Valuation & Allocation

Provisions Intangibles Accounts Receivables Inventory

Rights and Obligations

Income Statement Assertions

Assertion
Occurrence

Definition
Did the revenue or expense transaction actually take place? Auditor concerned with the risk of overstatement where events are recorded but did not actually occur Are you sure that revenues and expenses have been recorded? Risk of understatement often when expenses incurred but not recorded Are the Revenues and Expenses recorded at the correct amounts?

Example
Sales Revenue

Completeness

Revenue Expenses

Accuracy

Complex discount terms Foreign exchange calculations

Cut-Off Classification

Are transactions recorded in the correct accounting period? Auditors tests whether revenue and expenses are recorded in proper accounts

Revenue All items but in particular expenses as high risk incorrectly capitalised
9

Assertions and Internal controls

Given Assertions are important to ensure Managements correct reporting of financial data in the financial statements, it is critical that company rules are in place to achieve this goal. Thus the rules, the Internal controls, are important to both Management (charged with the requirement to safeguard the assets and resources of the operation), and also the Auditor (charged to provide reasonable assurance as to the True and Fairness of Managements financial reports)

10

2. Planning activities ASA 300/315

2.1 Obtain knowledge of the business ASA 315 (including ASA 250) 2.1.1 Preliminary analytical procedures 2.2 Appraisal of risks, including fraud risk (ASA 240) going concern (ASA 570) ASA 315 2.3 Estimate of materiality 2.4 Review of control components 2.4.1 Preliminary evaluation of control environment 2.5 Develop overall audit plan (i.e. develop an audit strategy) in response to risks ASA 330 2.5.1 Determine reliance on internal controls 2.5.2 Determine extent and nature of testing 2.5.3 Write audit plan 2.6 Assignment of staff

COSO Internal Control Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of the five private sector organisations (USA) dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence... 19/12/2011 New Integrated Framework Released for Public Comments:

Compliments Google Images 28/2/2012

Internal Control=Management Responsibility Management (not the auditor), must establish and maintain the entity's control structure Control structure aids management to ensure:
irregularities are prevented or detected and corrected assets are safeguarded financial records are accurately reflected adherence to management policies operational efficiency is promoted that prevents unnecessary duplication of effort

Because of its inherent limitations, an internal control structure cannot be regarded as completely effective, regardless of the care taken in its design and implementation

Why Auditors Study Entitys Internal Control

Mandated by ASA 315.12:
The auditor shall obtain an understanding of internal control relevant to the audit. The purpose (ASA 315.3) is to identify and assess the risks of material misstatement of the financial report, whether due to fraud or error, thereby providing a basis for designing and implementing responses (i.e. audit strategy in terms of timing, nature and extent of audit procedures) to the assessed significant risks.

Some Key Concepts

1. Each company will have these rules
a) Some rules will be common across companies and some will be linked to specialised activities

2. The rules need to change (updated or amended) as the company activities change.
1. Important if a new business division is started or acquired

2.
3.

IT systems change
If there are restructuring issues (staff sacked impacts segregation of duties)

3. A key rule segregation of duties costs money (more staff). So even if the rule would protect assets or information, Management may decide not to implement the rule based on a cost benefit analysis. 4. Both management and the external auditor need to know if a rule is working. Having a rule but it not operating means the rule does not exist.
15

Internal Control (IC)

IC is designed and implemented to address (minimise) identified significant business risks. ASA 315.14-24 outlines the following specific components of IC:
-

the control environment the entities risk assessment process the information system, including related business processes control activities monitoring of controls

Auditors evaluation of IC must be documented (flow charts, questionnaires, narrative).

Control Environment - the tone at the top(ASA315.14 and A69-A78)

Auditor considers:

communication and enforcement of integrity and ethical values commitment to competence participation by those charged with governance managements philosophy and operating style organisational structure assignment of authority and responsibility human resource policies and practices

If Management do not obey or

override the ICs then staff

will follow this example

Compliments Google Images 28/2/2012

Information System Including Related Business Processes (ASA 315.18 and A81-A87)
Auditor obtains an understanding of:

classes of transactions

procedures (including IT) by which transactions are initiated, recorded, processed, and reported in the financial report related accounting records
how the information system captures events/ conditions other than classes of transactions financial reporting processes used to prepare the financial report controls over journal entries, non-recurring/unusual transactions, adjustments

Control Activities (ASA 315.20-21 and A88-A97)

Authorisation Performance reviews Information processing Physical controls Segregation of duties
Control activities are policies and procedures that help ensure that management directives are carried out to address risks that threaten the achievement of entity objectives

Examples of Basic Types of Internal Control Activities/Procedures

Independent Approval, Review, Checking or Recalculation e.g., - Authorization of Purchase or Sales Invoices - Recompilation of Arithmetic on Vouchers - Subsequent Review of Individual Transactions

Matching of Independently Generated Documents

e.g., - Matching of Sales Invoices and Shipping Documents - Matching of Purchase Invoices and Receiving Reports Prenumbering and Sequence Checking of Key Documents e.g., - Prenumbered Shipping Documents, Sales Invoices, Cheques, Vouchers, etc. Maintenance of Independent Control Totals e.g., - Recording of Cash Receipts Total Before Banking - Use of Batch Controls - Use of Control Accounts

Examples of Basic Types of Internal Control Activities/Procedures

Comparison with Independent 3rd Party Information e.g., - Bank Reconciliations - Reconciling Suppliers Statements

Independent 3rd Party Confirmation

e.g., - Sending Statements to Customers - Requests for Confirmation of Recorded Data Cancellation of Documentation

e.g., - Immediate Endorsement of Incoming Cheques

- Defacing Spoiled or Cancelled Cheques Segregation of Personnel, Operations and Assets e.g., - Segregation of Duties Among Transactions Initiation, Approval and Recording - Function Segregation Timeliness of Operation e.g., - Prompt Deposit of Cash Receipts - Prompt Processing of Transactions

Partial Internal Control Questionnaire for Sales What are the controls, and who is involved.
Client_________________________________________________________________Audit Date _________________________ Auditor ______________ Date Completed____________ Reviewed by ___________ Date Completed______________________

Objective (italic) and question Sales A. Recorded sales are for shipments actually made to non-fictitious customers 1. Is the recording of sales supported by authorised shipping documents and approved customer orders? B. Sales transactions are properly authorised. 1. Is the customer's credit approved by a responsible official? 2. Is a prenumbered written shipping order required for any merchandise to leave the premises? 3. Is an authorised price list used? C. Existing sales transactions are recorded. 1. Is a recoed of shipments maintained? 2. Is the shipping document controlled from the office in a manner that helps ensure that all shipments are billed? 3. Are shipping documents prenumbered and accounted for? 4. Are sales invoices prenumbered and accounted for? D. Recorded sales are for the amount of goods ordered and are correctly billed and recorded. 1. Is there independent comparison of the quantity on the shipping document to sales 2. IS there internal verification, extensions, pricing, and footing of sales invoices? 3. Are monthly statements sent to customers? E. Sales transactions are properly classified. 1. Is there independent comparison of dates on shipping documents to dates recorded? F. Sales are recorded on a timely basis. 1. Is there independent comparison of dates on shipping documents to dates recorded? G. Sales transactions are properly included in the subsidiary records and correctly summarised. 1. Are journals independently footed and traced to the general ledger and subsidiary records? 2. Is there a monthly reconciliation of the accounts receivable subsidiary records to the general ledger?

Yes

Answer No N/A

Remarks Pam Dilley examines underlying documentation By Chulick

Prenumbered but not accounted for additional substantive testing required By Pam Dilley, controlled by Chulick By Pam Dilley

All sales are on account and there is only one sales account There is a weakness in the system and additional substantive testing required

22

Monitoring of Controls (ASA 315.22-23 and A98-A104)

Auditor obtains an understanding of:
- major activities the entity uses to monitor internal control over financial reporting,

including corrective actions

Monitoring is the process by which the entity monitors the quality of internal controls over time Involves assessing the design and operation of controls on a timely basis and taking the necessary corrective actions Ongoing monitoring activities could include: - internal audit - continual management review of exception and operation reports - review/response to customer complaints

Internal Control Assessment

(ASA 315.29 and A124-A126

The auditors emphasis is on identifying and obtaining an understanding of control activities that address the areas of significant risk, i.e. areas where the auditor considers that material misstatements are more likely to occur (i.e. IC relevant to the audit as per ASA 315.A89). i.e. mitigating controls

Lecture Discussion Question

For the following general business risks outline an internal control that would address/mitigate the identified significant risk: (i) (ii) inventory being stolen risk of non-collectability of individual customer (debtors/trade receivables) balances

(iii)
(iv)

suppliers are being paid twice

employees are being paid for hours not actually worked?

Lecture Discussion Question

You are about to Audit Woolworths: Woolworths has more than 3,000 stores across Australia, that span food, liquor, petrol, general merchandise, home improvement and hotels. Woolworths is a proud, home-grown Australian business, employer of more than 195,000 people and committed business partner of many thousand local farmers, producers and manufacturers.

In your BR Approach for the following identified risks in Woolworths , Determine a PRACTICAL Internal Control procedure that would mitigate the risk:
Overpayment of overtime to casual employees

Inventory being stolen especially from loading docks and shelves

Payments being made twice to the same supplier (especially diary products) A number of Terminated Full Time Employees are still being paid for a fortnight after they have left Woolworths

What's on Next Week

The Easter Break-Enjoy it!
Next Lecture: Tuesday 9 April, Angela is back Important topics to be covered:

Materiality
Audit Evidence, linking to ASSERTIONS and Procedures! The reliability of audit evidence is influenced by its source and nature. For example, management may use a broker quote to support a fair value measurement; however, when the quote is obtained from the institution that initially sold the instrument, this evidence may be less objective and may need to be supplemented with evidence from one or more other brokers
www.ifac.org/download/staff_audit_practice_alert.pdf
27