When obtaining an understanding of internal controls the auditor identifies?

Why do auditors ask so many questions about their clients’ internal controls? Assessing internal controls is part of today’s auditing requirements. It helps identify risk factors — but the requirements can sometimes be unclear. 

The American Institute of Certified Public Accountants (AICPA) uses Technical Questions and Answers (Q&A) to address inquiries from members seeking guidance on certain technical issues. Here’s a set of five common questions, along with answers that the AICPA issued on April 27 to help clarify an auditor’s responsibility for assessing a client’s internal controls.

Are auditors required to obtain an understanding of business processes relevant to financial reporting in every audit engagement?

Yes, the auditing standards require an auditor to understand a client’s information system, including the related business processes and communication relevant to financial reporting. The AICPA reminds auditors that it’s important to distinguish between business processes and control activities. Business processes are the activities designed to:

• Develop, purchase, produce, sell and distribute an entity’s products and services,
• Ensure compliance with laws and regulations, and
• Record information, including accounting and financial reporting information.

The AICPA defines control activities as “steps put in place by the entity to ensure that the financial transactions are correctly recorded and reported.” Auditors are expected to obtain an understanding of only those control activities that are considered relevant to the audit. There are no “cookie cutter” approaches when it comes to understanding business processes and control activities; rather, the requirements differ from audit to audit.

Does an auditor’s understanding of internal controls encompass more than control activities?

Yes, an auditor must understand each component of the client’s financial reporting controls. This includes the control environment, risk assessment process, information system, control activities that relate to the audit, and the client’s monitoring of the controls. (See “Close-up on internal controls.”)

Should the auditor evaluate the design of controls and determine whether they’ve been implemented every year?

Yes, each year auditors must evaluate the design of the financial reporting controls that are related to the audit and determine if they’ve been properly implemented. This requires more than just inquiring with company personnel. Auditors must use additional procedures — such as observations, inspection or tracing transactions through the information system — to obtain an understanding of controls relevant to the audit. The appropriate procedures are a matter of the auditor’s professional judgment.

For existing clients, an auditor may leverage information obtained from his or her previous experience with the entity and the results from audit procedures performed in previous reporting periods. In doing so, the auditor should determine whether changes affecting the control environment have occurred since the previous audit that may affect that information’s relevance to the current audit.

Which control activities are considered relevant in every audit?

Auditors are specifically expected to understand controls that address “significant” risks. These are identified and assessed for risks of material misstatement that, in the auditor’s professional judgment, require special audit consideration. Examples include control activities 1) relevant to the risk of fraud or 2) over journal entries (such as nonrecurring, unusual transactions or adjustments).

Which relevant control activities may vary from audit to audit?

Control activities that are relevant to a given audit may vary, depending on the client’s size, complexity and nature of operations. The AICPA advises auditors to consider such issues as materiality, risk, other components of the internal controls, and legal and regulatory requirements. Again, what’s relevant is a matter of the auditor’s professional judgment.  

© 2017

Down-Round Options: A Divided FASB Approves Updated Guidance

Contact
Bio

In a 4 to 3 vote, the Financial Accounting Standards Board (FASB) agreed to finalize an update to U.S. Generally Accepted Accounting Principles (…

Learn More

The Future of Auditing: Technology Brings Opportunities and Challenges

Contact
Bio

If it seems like your auditor is always trying out new software, technology devices and analytical testing procedures, you’re not imagining it.…

When obtaining an understanding of internal control an auditor should concentrate on the substance of the procedures rather than their form because?

Understanding of Control Environment The auditor should concentrate on the substance of managcmcnt'3 policies, procedures, and related actions controls rather than their form because management controls may be established appropriate policies and procedures but not acted upon.

What are the procedures used to obtain an understanding of internal control?

Audit procedures are the processes and methods auditors use to obtain sufficient, appropriate audit evidence to give their professional judgment about the effectiveness of an organization's internal controls.

What is the auditor's responsibility for obtaining an understanding of internal control quizlet?

To express an opinion on internal controls for a public company, the auditor obtains an understanding of and perform tests of controls for all significant account balances, classes of transactions, and disclosures and related assertions in the financial statements.

What are the methods of understanding internal control for audit?

To understand internal control, the auditor should consider whether the entity has responded adequately to the risks arising from the use of IT (inaccurate processing, unauthorised access and changes, potential loss of data) or manual systems (controls may be bypassed or overridden, simple errors and mistakes may occur ...