Another key component of risk assessment procedures is obtaining an understanding of internal control. Even if an auditor does not test or rely on internal controls, the auditor must obtain an understanding of internal control.
Internal control is a process - effected by those charged with governance, by management, and other personnel - designed to provide reasonable assurance about the achievement of the entity's objectives.
An entity's objectives may be divided into three categories:
1. Reliability of financial reporting
2. Effectiveness and efficiency of operations
3. Compliance with applicable laws and regulations
Internal control consists of five interrelated components. The components represent means used by an entity to help it achieve its objectives.
Control Environment: The overall tone of the organization.
Risk Assessment: Management's identification of risk.
Information and Communication Systems: A means of recording transactions and communicating responsibilities.
Monitoring: Assessment of internal control performance over time.
Existing Control Activities: Control policies and procedures.
Although the five components of internal control provide a useful framework for identifying and evaluating controls, an auditor should be more concerned with whether and how a specific control prevents, detects, and corrects material misstatements than with the classification of controls into categories.
An entity's use of information technology may affect any of the five components of internal control:
Management's failure to appropriately address IT risks may negatively impact the control environment.
The use of IT may enhance an entity's risk assessment by providing more timely information.
Many information and communication systems make extensive use of IT, and the way in which IT is used often affects an entity's internal control.
Much of the information used in monitoring is provided by IT, and therefore, the accuracy of the IT system is crucial.
The use of IT may affect the way in which existing control activities are implemented. Also, the effectiveness of user controls may depend on the accuracy of information provided to the user by IT systems.
Small and midsized entities often use less formal means to achieve internal control objectives. For example, while a small or midsized entity may not have written or extensive policies and procedures manuals or an independent party charged with governance, its management may be more actively involved in financial reporting, or may establish a corporate culture emphasizing integrity. The auditor must use his or her judgment to apply the components of internal control and to make an overall assessment of control risk.
In obtaining an understanding of the entity and its environment, including its internal control, an auditor is required to obtain knowledge about the:
Effectiveness of the internal controls that have been placed in operation.
Consistency with which the internal controls are currently being applied.
Controls related to each principal transaction class and account balance.
In planning an audit, the auditor's knowledge about the design of relevant internal controls should be used to:
Identify the types of potential misstatements that could occur.
Determine whether controls have been circumvented by collusion.
Which of the following types of evidence would an auditor most likely examine to determine whether internal controls are operating as designed?